Mónica Guzmán

A question popped into my head while I read a story on the hacks on Facebook this weekend:

When did we stop talking about criminal hackers like they’re, well, criminals?

The story, a post on the New York Times Bits blog, is typical of the hacking coverage I’ve seen elsewhere in that the culprits aren’t really the hackers.

Look at the subtext in the story’s opening sentences:

Facebook admitted that it was breached by sophisticated hackers in recent weeks, two weeks after Twitter made a similar admission. Both Facebook and Twitter were breached through a well-publicized vulnerability in Oracle’s Java software.

“Sophisticated” hackers. “Well-publicized” vulnerabilities. Much is said between the lines here and throughout the story. Hackers are powerful. Technology is weak. Who’s called out by name? The company that made the vulnerable software. No sentence even speculates on who the hackers are, where they are, or how they could be stopped.

The only mention of law enforcement comes in the second paragraph:

The company said that as soon as it discovered the malware, it cleaned up the infected machines and tipped off law enforcement.

There’s no more talk of investigations, law enforcement methods or even what charges could be involved. Nowhere else is prosecutorial language even used. This is a story about crime, but it doesn’t read anything like a crime story.

Why not? I think it’s because in the mainstream conversation we treat a criminal hack like it’s a natural disaster — inevitable, unstoppable, where all you can do is patch up the walls and pick up the pieces.

Go after the bad guys? Why bother, when they’re as elusive as wind?

Of course, the Times can’t report answers it doesn’t have. If someone is going after these hackers with impressive methods, and they’re not sharing them widely, it could be for a good reason.

But the more our conversations about hacking are about the attacks, but not the attackers,  the less we’ll expect to find them — and the more afraid we could become. From the Times story:

Hackers have been attacking organizations inside the United States at an alarming rate. The number of attacks reported by government agencies last year topped 48,500 — a ninefold jump from the 5,500 attacks reported in 2006, according to the Government Accountability Office.

The article does not say how many of these attacks have been prosecuted or how many of the attackers have been caught and convicted.

If that’s because it’s not part of the story, we might need to ask why.

President Obama is calling for more attention to the problem of cyber threats. As a citizen of a world in which I benefit from living more and more of my life in spaces where criminal hackers can strike, I feel I need at least a sense that someone’s doing something.

Hackers aren’t hurricanes. They’re people. But they’ve succeeded in making themselves ghosts. Storms. Incurable viruses that come and go as they please. At least in the conversation.

And the conversation matters.

The conclusion to the Times story just gave me chills:

A common saying among security experts is that there are now only two types of American companies: Those that have been hacked and those that don’t know they’ve been hacked.

Hacking isn’t a victimless crime. It’s a criminal-less one.

Unless that changes, how can we hope to fight it?

Like what you're reading? Subscribe to GeekWire's free newsletters to catch every headline


  • Guest


    Yes. Those involved are usually prohibited from sharing details, either by our employers or the law enforcement you mentioned. Companies don’t want to look bad and law enforcement doesn’t want to compromize their investigations. The fourth estate doesn’t need to follow the party line their given. Why does it?

    • http://moniguzman.com Monica Guzman

      I think there also isn’t a great deal of demand in the mainstream for more information. Again – why?

  • Mike_Acker

    this is an excellent article . from what i read all too often a “sophisticated” attack is delivered via a “Common Vulnerability/Exposure” (CVE) .

    the underlying problem is the original philosophy that it should be easy to modify a computer to make it run any program

    we all watch the news and see the consequences of this philosophy every week as hacking has pretty much become an everyday thing

    we could significantly reduce our risk in this by selecting software that is designed to be secure: Linux .

    the trouble with taking the decision is re-training — and interoperability

    i think that we can restructure our intranets and home offices and simply remove vulnerable systems from public facing application

    the new LibreOffice 4.0 suite provides better interoperability with the OOXML formats (docx, xlsx … ) . compatibility is still not what it needs to be (based on my testing). the developer of OOXML managed to obtain ISO status for its OOXML format . compatibility between vendors then should not be a problem but it is an area that should be tested by anyone interested in rebellion.

    speaking of rebellion using .pdf format should be favored rather than transmitting the editable formats when possible .

    but the Bottom Line is : some kind of rebellion will be needed to effect the sort of “Sea Change” that is needed to move us all from a circus to an era of proper business computing .

    • http://moniguzman.com Monica Guzman

      There seems to be a huge awareness and knowledge gap relative to the reach and severity of criminal hacking and what it can do. People are particularly scared of what they don’t understand. Especially when the people behind attacks, and their motives, are so mysterious.

      • Mike_Acker

        =”People are particularly scared of what they don’t understand. Especially
        when the people behind attacks, and their motives, are so mysterious.”

        the “Trade Press” should work actively to dispell the darkness.

        By tearing away the “sophisticated attack” obfuscation you will expose fundamental problems in the IT industry that require correction . this will not endear you to some of your clients . do you have the courage to proceed or do you let them get away with their obfuscation?

  • Guest

    In the information age, my personal information (persomation) is extraordinarily valuable to me. I place my persomation into Facebook’s secure vault just as I place my hard-earned money into my bank’s vault. I don’t worry about my money because the government backs my bank. I do worry about my persomation because an army of 20-something sociopaths believes they know how to protect it.

    They don’t, Mónica. Not at all.

    As a result, when my persomation is breached, it is a disaster. When SuperStormSandy breached my home in New York, it was a disaster not because there was a lot of wind and rain, but rather because the city had a poor disaster response plan. Just as SuperStormSandy exposed bureaucratic flaws through physical action, so too does the breach of my persomation show that Facebook has a very, very long way to go to earn my trust as a safe place in which I may store my persomation.

    • http://moniguzman.com Monica Guzman

      I see how the analogy of a natural disaster can describe the results of hacking. But when it works to describe the causes, there’s a problem.

  • Denis DuBois

    I agree stories like this should include the criminal aspect. And there should be ample coverage later of those who are convicted. But please, let’s stop short of glorifying the criminals.

    • http://moniguzman.com Monica Guzman

      I think missing the criminal aspect is part of what glorifies the criminals. It makes them seem above the law.

  • Elroy

    I agree not enough emphasis is being placed on the criminal aspects of these high-profile security breaches. Most articles seem to blame lax security rather than the criminals. And while a lot of companies are lacking, even the best companies are rarely 100% secure. The authorities seem either uninterested or incapable of dealing with this problem, which frankly is unacceptable. The Internet is now like the “wild west”, where the authorities show up well after the criminals are gone and the trail is cold, and only because someone called them.
    I lock the doors and windows of my house and I have an alarm system. It’s not perfect security, but it is good enough because the criminals know when the alarm goes off that the police will be arriving soon. However, on the Internet, there are no police and the prowlers roam around stealing whatever they find until the homeowner shows up and desperately stuffs his remaining belongings into a safe and convinces the prowler to leave.
    I think most people seem to accept that the Internet is an inheritedly insecure place, but accept the risks because they figure they don’t have a lot to lose. However, as more of our everyday lives become dependent on the Internet, this laissez-faire attitude will have to change. Our national security and critical infrastructure is already at risk because of it.

Job Listings on GeekWork