What color hat are you wearing today? Are you happy with your life and the way things are around you?
Deciding, for research sake, do you wear a grey colored hat today or are you angry and vengeful, deciding to go with a darker colored black hat? Does anyone care about the hats anymore?
It may seem like a trivial question, but I do remember some time back reading or hearing a reference that basically stated: If you give public attention to your adversary, the stronger they get by giving them recognition.
We keep using terms like “Hacker” and “Black Hat”; and, I understand the need to continue to classify the behavior. However, are we inadvertently giving individuals too much inherited power by recognizing them in context and connotation?
I’ll admit I’ve been having a very tough time finding my own words to express this thought. In my head it’s very black and white. You’ve either committed a crime, or you have not; meaning: Just because you’ve thought about getting back at your old boss does not make you a bad person, nor does successfully completing a pen test make you a wanted criminal; but, the raw act itself, what did you, or a group of individuals do? Did you break the law, or did you not?
It seems is so much simpler to look at it in those terms: black and white. I think the ecosystem of cyber security is simply moving in that direction naturally; so, I’d like to give it another nudge.
I can’t remember the last time that I read an article that specifically stated a group of “Black Hat Hackers” broke into a bank’s infrastructure and stole a large sum of money. Rather, most articles seem to simply state: “a group of individuals broke into a bank’s infrastructure and stole a large sum of money”.
But what would be gained by changing the language, and what would simply change by changing the language used to describe cyber security? Would you no longer like your job because you’ve lost the romantic espionage side? Would you come to work if you couldn’t claim that you were a hacker? Would changing the language change the overall surface of behavior in the ecosystem itself? Would hacktivists continue to hack into systems if they were no longer given a name like “hacktivists”?
From my understanding, if you go back to the manifesto and other literature, the term “Hacker” simply meant someone who liked to tinker with things and make them do things that they were not designed to do; and, they enjoyed the journey of discovery.
I can hear it now, large cyber security vendors shouting, “They are Hackers! Evil, malicious, and devious people who wish to overthrow your empire!” All of that just to protect their profits. I mean, if you took out all the fearful language, what would you have left? Would you buy something where the advertisement sounded like this:
“Are you experiencing broken headers that are affecting your overall network performance? Do you have emails that are sending users to destinations they do not want to go to? Then get our new shiny network traffic manager”
Even though we are pretty much talking about a layer 7 firewall, there really doesn’t seem to be a need to rush out and protect myself from “Hackers” trying to forge headers and send in phishing emails to redirect users to malicious sites.
So what can we deduce from this random thought? For starters, language truly drives the industry. Whether out of fear, profit, or protection, it is clear that the language used has a way of drawing in customers to spend their money on your products and services.
Secondly, the new question arises: would changing the language change the behavior of the ecosystem? Would people take their vetted up frustrations and run out to join a “Hacktivist” group if there were no banner to rally behind? Where would they go?
So it is very clear that the language we use has a very direct affect to the ecosystem we work within. The real quest will be in choosing what to say.
