From a sad hobby of lonely social dropouts, hacking has turned into a multi-billion-dollar industry and a real threat to global security.
Say the word 'hacker' and the image that jumps to mind is of a pimply teenager, sitting by himself in the basement of his parents' home, picking his nose and writing a 'Love Bug' virus. The 'hacker' stereotype is one of an anti-social technophile, motivated by mischief and malice. But while this particular cap may once have fit a sizeable proportion of virus writers, today it simply does not.
These days, millions of people are participating in a globalised hacker culture that has evolved from a narrow subculture of alphanerds into a highly collaborative 'industry', increasingly populated by seasoned professionals, many of whom are not even technologists.
This industry is enormous. Cybersecurity professionals and the US Federal Bureau of Investigation estimate that the global hacker criminal economy is currently worth at least $10bn annually, causes perhaps $100bn in annual damage, and is growing at up to 30 per cent a year. With these kinds of profits at stake, hackers are increasingly disciplined and profit-motivated.
What's driving the growth and transformation of the hacker industry? In a word: globalisation - albeit of a deviant sort. Ten years ago, the Internet was an almost exclusively American domain, and computer skills were concentrated in the high-connectivity countries with well-educated populations. Since then, Internet access has exploded - with over a billion users now online - while technical skills have proliferated across middle- and low-income countries.
Economic opportunities commensurate with this connectivity and these skills have not kept up, however. In many countries, above all in the former Soviet bloc, skilled programmers can make more money developing malicious software (top earners garner hundreds of thousands of US dollars annually) than they can working in the legal local software industry.
The push by many governments and NGOs to bridge the 'digital divide' has, ironically, exacerbated the problem: without legitimate outlets for the technically skilled, a programme like 'One Laptop Per Child' translates all too easily into a "hacker in every home."
The motive and opportunity to hack has thus expanded exponentially, and as the barriers to entry have fallen, the hackers have responded by going pro. As security vendor Finjan concludes, "Profit-driven cybercrime has evolved into a booming cybercrime business, operating in a major shadow economy that closely mimics the real business world."
Even more ominously, in some countries, these hackers also represent an emergent reserve army of asymmetric cyberwarriors - a force whose potential is only now dawning.
The professionalisation of the hacker industry has been defined by a rapidly expanding range of products and services, designed to increase profit margins and reduce operational risks. As compared with five years ago, the hacker industry now offers a radically different mix of exploits, delivered not just as products but also as services. Innovation cycles within the hacker industry, moreover, appear to be accelerating.
Self-propagating worms and hard-drive-munching viruses - the dominant computer security concerns of the late 1990s and early 2000s - have given way to intellectual property and identity theft, spamming, phishing, and denial of service (DoS) attacks. What distinguishes the new generation of malware from the older generation of worms and viruses is that it is all designed to be useful as a tool for generating revenue. This shift has been facilitated by the creation of 'botnets' - collections of compromised computers - which are deployable not just for a variety of profitable purposes, but also as a tool of cyberwarfare.
Spear-phishing and the rise of the probes
Another significant change has been the scale of the attacks. As financial motivations have displaced publicity-seeking, hackers are designing their attacks to avoid the sort of police attention that German hacker Sven Jaschan drew by producing the large-scale Netsky and Sasser viruses in 2004.
Hackers have moved away from staging large-scale single events to engaging in repeated, multiple 'probes'. Attacks are kept intentionally small to stay below the radar of the security and law enforcement communities. In general, the only hackers getting caught by police today are the amateurs (like Jaschan) - a fact that has the unfortunate effect of perpetuating the misconception that hacking is still a game of the young and disaffected.
A third major change in the hacker industry is its increasing focus on social engineering. Financially-motivated hackers are looking for the easiest point of entry into systems, and are well aware that the biggest security hole is usually sitting between the keyboard and the back of the chair. Typical of the current generation of attacks is so-called 'spear-phishing', which uses knowledge of the personal characteristics of a specific individual to design tailor-made attacks.
Amidst the current financial crisis, for example, senior corporate executives have been an increasingly common target: the CFO receives an email, apparently from a law enforcement agency or a key subordinate, informing him that, "Your company has been indicted for stock fraud; click here for details" - and when the CFO clicks, a Trojan installs itself on his machine, giving the attacker access to his data. Such tactics have been used to gain access to the machines of senior executives at eBay, Booz Allen Hamilton, and the French government.
Hackers are increasingly not just writing code but also offering technical support. Consider the Pinch Trojan, released in 2007, which offered a highly developed user interface for stealing email account passwords and snapping screenshots. The Russian hackers who created Pinch, Damrai and Scratch, did not just release the Trojan; they also offered to create customised versions and to provide purchasers with technical support based on standard service level agreements. Pinch quickly became popular with less skilled hackers, who for a few thousand dollars could get a functional spy program that allowed them to run attacks without even understanding how they worked.
Finally, mirroring the way legal software is increasingly delivered as a Web service, hackers are increasingly offering 'malware-as-a-service'. Some malware-as-a-service sites have become so streamlined, for example, that customers can use a simple Web form to indicate which site they wish to run a DoS attack against, or how many spam emails they wish to send. The implication of this transition is that the ability to launch a sophisticated attack is no longer limited to those with technical knowledge - vastly increasing the potential universe of attackers.
In the future, the commercialisation of crimeware may reach the point where criminals simply receive a feed of data from the victims that interest them - perhaps completely unaware of the means by which the data is being obtained. The result is that it is increasingly difficult to delineate who counts as part of the hacker 'community'.
In the 1980s and 1990s, hackers were typically 'lone gunmen', or worked in small teams where the skill level was fairly uniform. While such individualist hackers still exist, today the vast majority of cyberattacks involve complex teams of people with functionally differentiated skill sets.
With the amount of money at stake, the management of the hacker industry has become increasingly sophisticated. As one security professional at a large bank put it recently, hacker organisations are better run and managed than many others: "They're properly funded, they have a clear goal, they're performance driven, focused on a single mission. It's like an MBA case study of success."
As in the legitimate software industry, the hacker industry consists not just of engineers, but also includes people with a variety of specialised skills, offering differentiated services - marketers, sales people, tech support, and so on. As often as not, it is non-techies who will use the stolen identities, credit cards, or bank accounts to purchase goods, withdraw money from bank accounts and launder it. These 'downstream' activities, crucial to the operations of the hacker industry, entail traditional criminal rather than technical hacking skills.
However, seen globally, the structure of the hacker organisation is distinct from its legitimate software industry counterpart. The majority of teams in the global hacker industry appear to operate in a less hierarchical fashion, with the functional roles brought together via a network of independent contractors. This networked managerial model reflects the burgeoning cross-border nature of the global hacker industry. In fact, attacks that cross physical borders are today the norm rather than the exception. As the Organisation for Economic Cooperation and Development notes, "While a certain amount of crime is always 'local', the vast majority of online crime crosses jurisdictional boundaries and international borders, thus reducing the criminals' risk of identification and prosecution. Rarely is the attacker located in the same geographic region as the attacking hosts."
Cyberwars and national security
Perhaps the most disturbing aspect of hacker professionalisation is what it may mean for national security. In at least two documented instances, professional hacker organisations appear to have been centrally involved in national security-motivated attacks.
In April and May 2007 a series of major DoS attacks, launched from botnets in Russia, crippled government and corporate websites in neighbouring Estonia. These attacks were apparently executed by Russian cybernationalists - whether at the behest of the Russian government or not - in response to Estonian plans to relocate a Russian Second World War monument located in Tallinn. It was later discovered that the botnets used in these attacks had originally been developed for profit-oriented criminal purposes, that is, for spamming, phishing, extortion and so on.
Likewise, during the 2008 Russo-Georgian war, it appears that the cyberattacks against the Georgian government were launched from known cybercrime servers in Russia and Turkey. These attacks appear to have been centrally facilitated, but executed at least in part by Russian nationalist volunteers. The Russian government denied involvement in the attacks.
What the Estonian and Georgian cases suggest is that botnets and other criminally-focused hacking technologies and services are 'dual use'. For this reason, it is crucial that those concerned with national cybersecurity pay close attention to developments in the criminal hacker industry, as innovations there may be the source of emerging national security threats. Cybercrime, in other words, is not just a law enforcement problem - it is a growing national security threat.