A question popped into my head while I read a story on the hacks on Facebook this weekend:
When did we stop talking about criminal hackers like they’re, well, criminals?
The story, a post on the New York Times Bits blog, is typical of the hacking coverage I’ve seen elsewhere in that the culprits aren’t really the hackers.
Look at the subtext in the story’s opening sentences:
Facebook admitted that it was breached by sophisticated hackers in recent weeks, two weeks after Twitter made a similar admission. Both Facebook and Twitter were breached through a well-publicized vulnerability in Oracle’s Java software.
“Sophisticated” hackers. “Well-publicized” vulnerabilities. Much is said between the lines here and throughout the story. Hackers are powerful. Technology is weak. Who’s called out by name? The company that made the vulnerable software. No sentence even speculates on who the hackers are, where they are, or how they could be stopped.
The only mention of law enforcement comes in the second paragraph:
The company said that as soon as it discovered the malware, it cleaned up the infected machines and tipped off law enforcement.
There’s no more talk of investigations, law enforcement methods or even what charges could be involved. Nowhere else is prosecutorial language even used. This is a story about crime, but it doesn’t read anything like a crime story.
Why not? I think it’s because in the mainstream conversation we treat a criminal hack like it’s a natural disaster — inevitable, unstoppable, where all you can do is patch up the walls and pick up the pieces.
Go after the bad guys? Why bother, when they’re as elusive as wind?
Of course, the Times can’t report answers it doesn’t have. If someone is going after these hackers with impressive methods, and they’re not sharing them widely, it could be for a good reason.
But the more our conversations about hacking are about the attacks, but not the attackers, the less we’ll expect to find them — and the more afraid we could become. From the Times story:
Hackers have been attacking organizations inside the United States at an alarming rate. The number of attacks reported by government agencies last year topped 48,500 — a ninefold jump from the 5,500 attacks reported in 2006, according to the Government Accountability Office.
The article does not say how many of these attacks have been prosecuted or how many of the attackers have been caught and convicted.
If that’s because it’s not part of the story, we might need to ask why.
President Obama is calling for more attention to the problem of cyber threats. As a citizen of a world in which I benefit from living more and more of my life in spaces where criminal hackers can strike, I feel I need at least a sense that someone’s doing something.
Hackers aren’t hurricanes. They’re people. But they’ve succeeded in making themselves ghosts. Storms. Incurable viruses that come and go as they please. At least in the conversation.
And the conversation matters.
The conclusion to the Times story just gave me chills:
A common saying among security experts is that there are now only two types of American companies: Those that have been hacked and those that don’t know they’ve been hacked.
Hacking isn’t a victimless crime. It’s a criminal-less one.
Unless that changes, how can we hope to fight it?