Editor’s note: This commentary is by Dave Porcello, of Montpelier, who is a cybersecurity consultant, ethical hacker, researcher, presenter and instructor.

I recently found myself in conversation with a computer science teacher who is looking to add cybersecurity to his curriculum. While excited to connect his students to this new topic, he shared some concern that he may not be able to discern between a future “cyber patriot” and a future “cyber terrorist.” He had previously found a student experimenting with a powerful software security testing tool and, while he considered the exploration innocent, he framed a more deliberate use of the tool as the digital equivalent of “bringing a gun to school.”

While I greatly respect this teacher, this was somewhat triggering for me. This student’s experience resonated with my own story as a misunderstood, mislabeled, and often-feared hacker geek. When people find out what I do, there’s too often a raised eyebrow and a fear-based assumption that, if I know how to hack computers, I must be some sort of gray-hat cyber criminal. The follow-up questions are almost always insinuating: “Which side are you on?”

This story is shared by many of my peers, some of whom have been expelled from school, had their computers seized, or been detained by law enforcement, sometimes based solely on the hackery-looking stickers on their laptops.

Strangely, gun enthusiasts don’t seem to get this same treatment. If you know how to shoot a gun, there isn’t an assumption that you’re a murderer or criminal. Why is this? Despite their inherent danger, have guns simply been part of our culture long enough that we’re more comfortable with them? Why does hacking seem to trigger so much fear, uncertainty and doubt? As usual, I’m certain the problem here is ignorance and unchecked fears.

My belief is that we should not discourage, but instead carefully and mindfully encourage (with direction) the students who are naturally drawn to hacking. Without proper support and direction, I believe there are many brilliant souls who end up involved in criminal activity, drug abuse, and mental illness. Instead of labeling, discouraging, and isolating these students, I believe we need to direct them to a world where their unique skills are not only honored, but desperately needed in support of the greater good.

I believe that natural curiosity, and the desire to break things to see how they work, can be not only constructive but are in fact fundamental tenets of engineering and science. I believe discouraging this curiosity will result in a very predictable backlash that will only further push students toward a life of criminal activity. Saying “No, you can’t do that” is probably the most effective way of ensuring kids do even more of that very thing, but without any direction or advice on how to do it safely and as a means of learning, growing, and pursuing a fulfilling career path. Saying “don’t hack” is sort of the equivalent of preaching abstinence and shutting the door on open discussions of safe sex.

The over-generalized public perception of a “hacker” is largely skewed, assumptive, ignorant, and fueled by fear-mongering and mass media. The vast majority of offensive security professionals are not criminals. The public perception of the term “hacker” and how cybersecurity works is tremendously dated and in many ways detrimental to our society, to the degree that there are many well-funded organizations (EFF, No Starch Press Foundation) working to support ethical hackers, defend digital rights, and change laws to encourage innovation and put our future in better hands.

Ethical hacking (also known in the industry as “penetration testing”) is a legitimate, lucrative, and hugely needed career path. I see too many security professionals ignore the offensive side of security, and as a result they cannot effectively defend what they’re protecting. I see way too many cases of security-by-green-check-marks, where penetration testers will show you how your green check marks are often wholly and entirely garbage. If we ever expect this country to get ahead of the curve in cybersecurity, our security professionals need to be well versed in both the defensive and offensive sides of infosec.

The importance of offensive security is now so widely recognized that penetration testing has been integrated into all major cybersecurity curricula (locally including Norwich University, Champlain College and Vermont Technical College), there are many industry-standard pentesting certification paths (including SANS GPEN, CompTIA PenTest+, and OSCP), and pentesting has become a requirement for most regulatory compliance programs (including PCI and NIST 800-171).

Instead of worrying whether our young hackers may get drawn into a life of cybercrime, I feel we should be asking some more useful questions: What can we do to support these individuals and give them some meaningful direction? What guidance can we provide to help them learn and apply these skills in a safe and supportive environment? How can we help these individuals find community and a sense of belonging?

So next time you overhear someone labeling a socially awkward or seemingly obsessive computer geek as a potential criminal or cyber-terrorist, I hope this helps re-frame the conversation. If not, please send them to me. I’d be happy to help. =)

Pieces contributed by readers and newsmakers. VTDigger strives to publish a variety of views from a broad range of Vermonters.