Phrenology graphic

Cyber-psychopathy: what goes on in a hacker's head

What goes on inside the hacker mind? How are their thought processes shaped by social and technological change? And could techniques like Neuro-Linguistic Programming help to turn talented but misguided IT personnel away from a beckoning Black Hat career?

Hackers are a strange, often highly-talented, bunch of individuals. Born out of the phone 'phreakers' who emerged in the 1970s and 1980s, they tend to fall into two behavioural groups: 'White Hats' - self-styled vigilantes for justice and the technology consumer, seeking out flaws in IT systems and software, helping to solve them for the common good; and 'Black Hats' - possibly possessed of obsessive/compulsive personality profiles who have made an early stage lifestyle choice in their technology career.

A third category - the 'Grey Hat', 'cracker', or ethical hacker - is starting to emerge more prominently as organisations seek additional ways to test their defences.

While White Hats tend to fall into the same broad category as law enforcement agents - generally working for the common good - the behavioural characteristics of Black Hats tend to point to a different part of the psychological spectrum, where conditions such as obsessive-compulsive disorder are to be found. These disorders often come with an obvious 'addiction' to the sheer thrill of hacking, born of having found ways around the supposed ingenuity of 'invulnerable' cyber security defences.

By the nature of their actions, most Black Hats have a self-styled ethico-moral code, working to their own rules generally formulated against a backdrop of the 'us and them' mentality. Black Hats can indeed be dangerous as - unless their abilities are channelled in the 'right' direction - they will hack systems as they see fit until they are eventually detected, located and caught, or they relocate to work for cyber-crime gangs and operations located around the world, at which point they drop-off the conventional professional IT radar.

Much has been written about former Black Hat hackers, and the fact that they often seem to be beyond the reach of law. It should be remembered that the fact they have been - and continue to be - caught and, in most cases, prosecuted in some shape or form, may signal they are not as proficient as the more dangerous category of Black Hat hackers. They often work with criminals, even though they may delude themselves that they are working for 'the common good'. The resources at our disposal for tracking down such cyber criminals are also better than they were just a few years ago.

As well as tending towards being an obsessive/compulsive, Black Hat hackers seem subject to a form of IT 'addiction' - the continued repetition of a behaviour 'despite adverse consequences, or a neurological impairment leading to such behaviours'.

Arguably the most notorious hacker with these compulsive personality traits was Kevin Mitnick, who started as a phone 'phreaker' ('phreaking' is the activity of a culture of people who study, experiment with, or explore telecommunication systems - including equipment and systems connected to public telephone networks), and was convicted multiple times.

Mitnick first gained unauthorised access to a computer network when, in 1979, at the age of 16, a friend gave him the phone number for the networked system used by computer systems vendor DEC (Digital Equipment Corporation). He then copied DEC's software - illegally, of course - a crime he was eventually charged with (and convicted of) in 1988. He was sentenced to 12 months in prison followed by three years of supervised release.

Near the end of his supervised release, Mitnick famously hacked into the Pacific Bell voicemail computers, and went on the run for two-and-a-half years, during which time he hacked into multiple computer networks, using cloned analogue mobile phones to hide his location. When he was caught in February 1995, he was in possession of several cloned mobile phones, more than 100 cellular mobile codes, and multiple false identities. He was subsequently handed a lengthy term in prison. It's worth noting that the judge in Mitnick's 1988 computer fraud trial accepted a defence on the basis of personality disorders, ordering Mitnick to complete a course of therapy for his addictive condition.

These days Mitnick is billed on the keynote circuit as a hallowed 'ex-hacker', and also makes a living as a security consultant. In an address at the IP Expo conference in London in October 2013, he recalled his former life as a hacker. Back in the 1970s, he said, hacking was significantly different.

Today, cybercriminals use a hybrid mix of social engineering and client-side computer exploits to get at organisations' ICT systems. It is, he added, much easier to attack any given IT system than it is to defend it - and it does not matter what security software you have installed, because it just takes one person in the targeted organisation to make a bad business decision, and "it's game over".

Mitnick added: "Cyber-security is about people, processes and technology, and organisations need to bolster the weakest link - which invariably is the human element."

While public appearances by Mitnick and his ilk may fascinate (he is certainly not regarded as one of the 'bad guys' by the admirers who flock for his autograph), the fact that such events are something of a media circus can obscure more serious analysis of his personality traits and psychological profile. What happens when someone like the young Mitnick applies for a job with a conventional employer? Where does their motivation lie, and what can employers do if they suspect they've put a hacker on the payroll?

Social engineers = social misfits?

What makes a hacker tick? What principles (if any) are their psychological mainsprings, as it were, wound around? Some starting clues can be found in 'Ghost in the Wires: My Adventures as the World's Most Wanted Hacker', a 2011 book that Mitnick co-authored with Apple Computer co-founder Steve Wozniak.

The book tells a fascinating story - largely because the most interesting segments are more to do with the psychology of hacking rather than the 'misuse' of technology techniques. Mitnick has now come to recognise - and even understand - that his actions were centred more on the dark science of social engineering (or 'hacking the human') than the actual misuse of computer technology - even though the 'misuse' element clearly played a major part in the execution of his hacking exploits and allied activities.

By his own admission, Mitnick classes social engineering as the art of convincing people to give up information they hold when they clearly should not do so. If, however, you exploit the human emotion of people wanting to help their fellow humans, then when you call-up the headquarters of a major company, name-drop a few key people within the organisation, and "chat-up the other person", it becomes relatively easy to extract nuggets of information that can be used as bait to persuade other people to reveal additional information.

From there, for example, people will then believe you when you say you are 'out in the field' and need access to a password that is sitting on your desk at the office. Mitnick, of course, finessed his actions constantly: this allowed him to gain access to everything from birth certificates to top-secret source code for the mobile phones of the 1980s and 1990s.

In many ways Mitnick was at the peak of his abilities in the 1980s, a decade when security technology and training to block social engineering scams - such as those carried out by Mitnick - were immature. A consideration of the hacker generation of the 1970s and 1980s suggests behaviours that appear driven by a mixture of arrogance plus an inability to easily distinguish right and wrong from good and bad, possibly co-existant with a degree of autism spectrum disorder (ASD).

Gary McKinnon, the so-called 'UFO hacker' who was a Scottish IT administrator accused in 2002 of perpetrating the 'biggest military computer hack of all time', has always maintained that he was searching for evidence of free energy suppression and a cover-up of UFO activity and other technologies that might've been potentially useful to the public. Whatever he was actually looking for, his ability to allegedly hack into nearly 100 United States military and Nasa computer systems, deleting critical operational files and rendering weapons systems inoperable, demonstrates notable technological acumen.

Subsequently the US government had accused him of causing in the region of $800,000-worth of damage. If he were to be convicted in the US, McKinnon - who has reportedly been diagnosed as having an ASD called Asperger syndrome - could have faced a prison sentence of up to 60 years. In October 2012 - around a decade after his original arrest - McKinnon, now in his mid-40s, was relieved to hear the UK Home Secretary Theresa May announce that the government was blocking his US-led extradition to the US on the grounds of his autism, and in the interests of compassion and his human rights, plus common sense.

Hacktivism and socio-history

Comparing and contrasting Mitnick and McKinnon can reveal the psychological differences between the two men. While Mitnick was - and arguably still is - the archetypal shy-boy-turned-extrovert-on-stage actor, McKinnon appears to remain relatively withdrawn - which is not surprising when you consider the pressure he was under for a decade. But while the two hackers - separated as they are by decades in their exploits - have their own distinct psyches, it is important when trying to better-understand hacker motivation to note the societal changes they have lived through.

Back in the 1970s and 1980s, hacking was viewed by the authorities as a kind of electronic joyriding - something that was reflected in Mitnick's 'Robin Hood' media coverage of the time - whereas the exploits of modern hackers are largely viewed as real and pretty inexcusable crimes against society in general. The fact that members of the public are now also victims of viruses and online banking hacks has been a game-changer.

This shifting in society's view of the different generations of hackers is not by coincidence, and is the deliberate evolution of the view of hacking that has been orchestrated - partly through the media - by successive governments and their agencies on both sides of the Atlantic.

This also demonstrates to a degree the 'psychological steerage' that governments have over the media and, through the press, reflect on to the public. However, the rise in the general level of understanding about computer hacking among the population - particularly in the UK - has been paralleled by a desire to 'expose' the government for its apparently covert activities; activities that to some run contrary to the culture of openness and transparency that characterise modern democratic government.

This trend has also given rise to the 'us and them' mentality, further triggered by more media jumping on the bandwagon, which has resulted in some hackers claiming their activities are carried out with good intention. This sentiment has spawned the 'hacktivist' - as witnessed by Anonymous and other such groups. Their abilities have been made more effective through the use of powerful utility software such as the Low Orbit Ion Cannon (LOIC) application, which allows a novice hacker to launch a sophisticated denial-of-service (DoS) attack on a target of the hacktivist leadership's choice.

Anecdotal evidence suggests that governments are well aware of the actions of hacktivist groups, and have infiltrated elements of such organisations in the UK, the US, and Europe. These undercover 'cyber agents' - whose psychological composure is likely to be highly complex, to say the least - are thought to have been instrumental in the arrest and prosecution of active hacktivists, as seen in recent prosecutions.

Subjective observations

In more than 25 years of tracking hacker issues, this writer has subjectively observed behavioural tendencies relative to ASD among many of the individuals involved.

People with Asperger syndrome can find social situations difficult. They may not know what to say or how to initiate small talk, although they also can have a propensity to approach someone and start talking about something factual that they have read - or are interested in - without any introduction or pre-amble. This is a curious phenomenon perhaps most noticeable at events such as the Black Hat conferences in Amsterdam and Las Vegas, as well as the annual Chaos Computer Club meetings in Germany.

This is in no way to say that all hackers have a degree of Asperger syndrome, or indeed that people with that condition have a predeliction to cyber-criminality. The observation is made in support of the view that typically the hacker outlook has some characteristics in common with the Asperger syndrome pattern of symptoms.

While many experienced IT practitioners, given enough time and effort, could hack into the IT system of a competitor company, they implicitly understand that it is wrong. Even the amoralists among them know such acts would result in potentially severe penalties, ranging from irrecoverable career damage through to criminal prosecution.

Incidents of IT professionals who 'go rogue' should not be equated with the periodic industry reports that some IT staff admit to 'data snooping' on corporate networks: this sort of unprofessional conduct is more often down to nosiness than a concerted desire to cause damage, or to filch data that could be resold.

Hacking in the workplace

One of the potentially major problems for line managers and human resources (HR) personnel tasked with monitoring their IT colleagues is how to deal with early - or more evident - hacker-like behaviour in the workplace. Hackers of 'ability' are not created overnight - they develop their hacker mind-set and allied skill sets progressively, often setting themselves hacking challenges that they think will prove harder than the one before.

In light of these observations, and in a world where the forces of cyber security and cyber-crime are locked in daily combat, the question arises: how can organisations - and other interested parties - control, and even prevent, hacker-like behaviour occurring among individuals in their workforce, especially among the growing ranks of IT staff? Furthermore, is it possible to detect any signs of what might be seen as a 'cyber-psychotic' tendency at an early stage - and even possibly convert it into more positive behaviours that could actually benefit the organisation?

These are speculative questions, but ones that, arguably, enlightened organisations should already be placing under consideration. Provided hacker-like tendencies are dealt with at an early-enough stage, it's not unrealistic to believe that their moral compass and consequent negative behaviour can be steered in a healthier direction.

It will become increasingly important not to single-out individuals who have been seen to indulge in hacker-like behaviours such as attempting to break passwords to protected data sets, or copy or delete files that they are not authorised to, just because of the public profile hacking has now acquired.

Anyone caught misappropriating copies of equivalent paper documents, for instance, would probably not be subjected to the same disciplinary action as their digitally-minded counterparts. Another emerging potentiality is that, where possible and practical, attempts be made to rehabilitate potential hackers, rather than dismiss them.

This may sound rather perverse given the general climate of all-out cybercrime offensive; but if the loss of correct moral direction is the root cause of behavioural traits that may be damaging, but that also expose aptitudes that might be useful to an employer - IT skills trainers have people on waiting lists for their ethical hacking courses - why not explore another way of making positive use of them?

In practice this process is best achieved using the age-old workplace process of mentoring, where more experienced - and equally technically aware - technical managers takes an interest in the novice employee's welfare.

Looking after potential hackers

Long hours spent in front of a personal computer outside of work time are not always the best thing for an employee, particularly when they have the same experience in the office. While some HR experts might assert that activities that are not carried out during work hours are nothing to do with the employer, there is a clear duty of care involved, especially in the IT and engineering professions.

Mentoring the employee and steering an individual away from hacker-like past-times when outside of the workplace - as well as ensuring minds are occupied with positive, IT security-related tasks at work - can go towards helping to ensure a better-rounded individual emerges. This might sound a rather arduous course of action given that lean and mean enterprises in the present day are already stretched resource-wise; but, arguably, scope exists for ethical hacker skills to become part of an extended apprenticeship programme. Over time this would underpin promotion to more senior cyber-security governance responsibilities.

Another point in favour of this strategy is the compelling fact that the need for security-smart IT staff is not one that is likely to abate anytime soon due to a glut of suitably skilled applicants. The availability of supplementary IT skills on the security front is to be welcomed.

Attention obviously needs to be taken to ensure close liaison with respective human resources representatives in this regard, as the employee must not feel that they are being singled out for 'special treatment', for obvious reasons, or that any engagements that they enter into come with strings attached or are, indeed, in contravention of the agreed terms and conditions of their contract of employment.

There is an approach to behavioural change that spans elements of defined psychological science and the relatively new discipline of business best practice. Discussed elsewhere in this feature, Neuro-Linguistic Programming (NLP) centres on the technique of using language to achieve a given aim.

Steve Gold is a journalist specialising in IT security and healthcare technology. As an editor he has worked on IT Security Pro, Infosecurity, and SC Magazine.

Further information

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles