Sturm und Drang and Hacking and Twitter
Last week, an article appeared in the Washington Examiner that contained a couple of quotes from me. The context of how the quotes were obtained is explained below.
Apparently, some people took exception to aspects of the article and/or my quotes. This was all manifested on Twitter, with outrage, some ad hominem attacks, bombastic comments about unfollowing me, and more. After all, it is Twitter, and what would Twitter be without outrage and posturing?
(Interestingly, despite some unfollows, my Twitter account as of Sunday has more followers than before this happened. Draw your own conclusions about that. As for me, I don't care much how many people follow or not -- I still post things there I decide I want to post.)
I decided it might be worth a short post on how the quotes came about and perhaps addressing a few things from the article.
How the Quotes Came to Be
Earlier in the week, I received a request to contact a reporter. This is not unusual. I regularly am asked by the press to comment on cybersecurity, privacy, cybercrime, and so forth. The university encourages that kind of outreach. I generally try to provide useful background to reporters.
I called the reporter. He told me he was working on a story but couldn't share details. He gave me a very vague description -- basically, that he had some evidence that someone working in cybersecurity for one of the presidential campaigns had a history of associating with racist organizations, trolling, and breaking into computers. He wanted to know what I thought of that.
As I expressed to him, if true, I thought that was a poor choice. I explained that generally speaking, someone in such a position should have been more thoroughly vetted. He then outlined how the person likely had a history of hacking into other people's accounts and asked me what I thought. I stated -- with that as context -- that people with that kind of history are usually a poor choice for positions of trust. A history of breaking the law suggests they may be (note: may) more likely to do it again, thus posing a risk to their employer. Furthermore, I noted that a past that is concealed from the employer opens up the possibility of extortion. Both of these imply an "insider" risk. Given the high stakes of this election cycle coupled with foreign interference, that seemed like a real problem.
My conversation with the reporter was over 20 minutes in length. He quoted two of my statements in the published article. This should not be a surprise to anyone who has ever spoken to a reporter...or to anyone who has written for the press. Lots of material isn't used, including material that may set useful bounds on what is published.
Unfortunately, "hacking" and "hacker" have divergent meanings. One usage means someone who explores systems and capabilities, often finding new and unexpected features or problems. A second usage means someone who breaks into systems without permission, illegally, often causing harm. This dichotomy has been a problem for over 30 years now, and we still haven't resolved it in general usage. There have been attempts to qualify the term ("white hat" and "black hat," terms which have other problems), and using labels such as "ethical hacking," which implies everything else is not ethical. These are not satisfactory solutions.
In the conversation with the reporter, he was continually using "hacking" in the pejorative sense, such as "hacking into other people's computers without their consent." My replies were to that usage and in that context.
To be clear, I understand the difference. I have taught and worked with people who are hackers in a positive sense. At one time, when I had more free time and less arthritis in my hands, I did my own share of system hacking. When performed with care and consent, the hobbyist/exploratory form of hacking is often fun and educational. Hacking of others' systems without consent, to cause damage or harm, is a bad thing.
The people who take umbrage over use of "hacking" should to pay close attention to context to moderate their blood pressure. Furthermore, they should realize that 30 years of use by journalists to denote unauthorized access means that the general public only understands that one definition of "hacking" no matter how they define it. It is now similar to any malware being labeled "computer virus" -- it is unlikely that the term will ever get a more precise definition for public use.
I have worked in the area of professional ethics for over 3 decades. I wrote one of the first articles on the ethics of computer intrusion and contributed to many textbooks in the area. I helped develop the last two iterations of ACM's Code of Professional Ethics. I am chair of ACM's Committee on Publishing Ethics & Plagiarism. I have lectured on the topic at major companies and government agencies. I teach aspects of ethics in classes. It isn't simply a word to me.
Professional ethics have a vital role in defining a profession. They help practitioners distinguish among choices. They help guide us in knowing the difference between what we can do and what we should do. Every major professional organization, across multiple professions, has some form of professional code of behavior.
In the context of this issue, breaking (hacking!) into other peoples' systems without permission is unethical. It is also usually illegal. Trolling people in the form described to me by the reporter is unethical and harmful. And being a bigot is wrong, although a too common evil in society today.
Those of us who work in computing -- and especially in security-related positions -- should be very concerned about how we are viewed by the public. If we want to be trusted, then we need to act in a trustworthy manner. Ethical behavior and knowledge of the law are important, and distinguish professionals from everyone else.
It is in this context that I made this comment: "People who are well respected don't come from trolling or hacking groups. There's been a culture shift there. Companies don't want to hire people with sketchy backgrounds." That is true. The companies I work with -- banks, aerospace, defense, telecommunications -- do not want people who have a history of breaking into systems (note the version of "hacking" here) or abusing others. It is a liability for them. It is also evidence of poor judgment and a willingness to do unethical things, at least at some time in the past. Those activities are grounds for termination from many positions. A history of those things is often an automatic disqualification from hiring -- and is questioned as a standard part of polygraph exams. (No, I'm not going to have a side conversation about polygraph exam accuracy here, but you can see one of my blog posts from 2006.)
Can people who did unethical things reform? Of course! Sometimes people do foolish things and later regret and repent. However, it is also the case that people who do foolish and illegal things usually deny they did them, or they claim to have reformed so they can get a shot at doing them again. Whether one accepts the apparent reformation of the individual is a matter of faith (religious or otherwise) and risk management. As I noted, "Somebody who shows up with red flags would not be allowed to occupy a position of sensitivity." Maybe this denies someone reformed and talented a position. However, it also is a matter of practical risk reduction and is part of the standard of due care by organizations dealing with information of great value.
The Person in the Article
I was never given the name or specifics of the person mentioned in the article during the interview. I only learned her name after the article appeared. To my knowledge, I have never met her. I have no personal knowledge of her activities. I made no statements attributing any activities to her. So, if you are a friend of hers and bent out of shape because of the article, you really shouldn't take it out on me.
TL;DR. People will bluster and posture on Twitter. I was quoted as saying some things that set a few people off, either because they don't pay attention to context, don't understand how insider threats are minimized, or perhaps because they are friends of the person the article is about. I guess it is also possible they don't like the venue or the political campaign. Whatever the reason, I don't care if people unfollow me, but if people are abusive in their comments I will block them. However, the people who want to try to understand the overall context may find the above useful.
Meanwhile, here is some reading for you: