
Communications of the ACM

Contributed articles

Why Computer Talents Become Computer Hackers



Credit: Alicia Kubista / Andrij Borys Associates

The epidemic of computer hacking is a direct result of advances in computer-networking technologies like the Internet and the widespread use of computers throughout society, from personal entertainment to business transactions, social networking to scientific discovery, and managing personal lives to multinational organizations. Related illicit and often illegal activities have cost organizations and individuals billions of dollars directly and indirectly worldwide [17], with one estimate of $5.5 million per organization in 2011 [18]. An interesting but troubling aspect of the epidemic is that so much of it is committed by college-age young people [28]. In a 2006 study of college students in three U.S. universities, Cronan et al. [6] reported that 34% of their respondents admitted to committing some form of software misuse or piracy and 22% to committing data misuse. How and why would talented, computer-savvy young people who might otherwise aspire to productive careers in the computer and IT professions evolve into computer hackers, even into criminals? Rigorous academic studies of hackers, especially those involving empirical evidence, are scarce in the literature, despite some notable exceptions (such as Bachmann [2], Holt [11,12], Turgeman-Goldschmidt [26], and Young et al. [29]).

There are no consistent, widely accepted theories or theoretical frameworks in the literature as to why hackers emerge and evolve, and therefore no clear, effective guidance on what to do to prevent talented computer-savvy young people from becoming hackers or criminals. Here, we discuss our own study of six computer hackers in China, addressing two main questions: How do hackers get started? and How and why do they evolve from innocent behavior (such as curious exploration of school computer systems) to criminal acts (such as stealing intellectual property)? Answers will help schools, universities, and society develop better policies and programs for addressing the phenomenon.


Relevant Theories

Computer hacking is as old as digital technology but has not always had the negative connotations we see today. The term "hacker" was meant to describe a creative person who could alter computer programs and systems to do things beyond their inherent or intended design [28]. However, once the potentially destructive power of computer hacking was unleashed, there was no turning back. Computer hackers gradually separated into two camps, white hats and black hats, depending on motivation and objective. White hats are on a quest for knowledge, discovering and alerting others to security weaknesses in organizational systems and developing better, more secure computer systems; black hats go for revenge, sabotage, or outright criminal gain (such as to steal money, products, or services) [19]. In between are gray hats who hack for curiosity, fun, notoriety, or self-fulfillment but usually do not intend to harm their targets. Here, we focus on the gray and black hats, investigating their evolution.

Most academic research on computer hackers understandably takes a criminal view, using criminological theories as the lens of analysis. Citing the research literature, Yar [28] in 2005 attributed two primary causes to the "youth problem" in hacking, as hackers tend to be young males and school dropouts in their mid-20s. The first is adolescence as a period of inevitable psychological turmoil, helping account for youthful participation in various forms of "delinquent" and "antisocial" behavior. The second is the apparent "ethical deficit" among adolescents disposing them toward law- and rule-breaking behavior. This argument is consistent with developmental psychology theory [10], which says juveniles, moving from childhood to adulthood, pass through stages of moral learning before "maturity" when they are finally able to fully appreciate and apply moral principles to regulate their own and others' behavior; juveniles are thus more likely to act on their hedonistic impulses with limited regard for their effect on others.

While the youth-moral-delinquency perspective attributes the root causes of hacker behavior among young people to social development and transition from adolescence to adulthood, it is inadequate for explaining why only a small percentage of the youth population is involved in hacking and related deviant behavior. Scholars have begun to examine the role of personal character in and propensity toward deviant behavior, as in computer hacking and abuse [2,13,14]. Holt et al. [13] and Bossler and Burruss [4] focused on testing the applicability of a widely accepted criminological theory (self-control, by Gottfredson and Hirschi [8]) to explain and predict hacking behavior. Scholars also use social learning theory [1], another widely supported theory in the criminological literature, to study hacking behavior alone [14,20] or in conjunction with self-control theory [4,14]. In addition to self-control theory and social-learning theory, various theoretical lenses have also been used in the study of computer hacking. Table 1 outlines five primary criminological theories used in hacker studies; Table 2 highlights representative studies on hacking and hacker behavior.

While the studies have produced compelling evidence of and insight into computer hackers and their behavior, they are constrained by the theoretical lenses and the perspectives used to examine the hacking phenomenon. As a result, some significant theoretical gaps persist in the literature regarding hacking. To better understand the gaps, we outline an evolutionary path taken by computer hackers (see Figure 1) based on findings in the literature, our own knowledge of computer hacking, and the evidence we gathered from our six research subjects.

Published studies focus primarily on the middle stage, growth, of the evolutionary path of computer hackers, in which hackers organize into loosely connected groups and virtual or real communities, acquire technical skills through mentoring and sharing, and establish social orders, group norms, and individual and social identities. We thus have a fairly good understanding of who hackers are and what they do and why they do it. However, little research has targeted the first and last stages, initiation and maturation, of the evolutionary path, leaving many questions unanswered or with no clear answers, including: How and why do certain talented young people evolve into pathological computer hackers? and How and why do certain computer hackers become computer criminals? A comprehensive understanding of all stages of the evolutionary process is critical for effectively managing the hacking epidemic and how it can cause significant harm to individuals and organizations worldwide. Targeted remedies for the initiation stage could prevent young computer talents from becoming illicit hackers, and effective intervention in the maturation stage could redirect hackers to more productive use of their knowledge and skills.

Here, we report the findings of an exploratory case study we conducted from December 2009 to March 2010 involving six young hackers in China, hoping to shed light on the evolutionary paths hackers generally take. Our findings provide insight into how to guide and shape young, talented, yet highly malleable, individuals toward productive careers in computing and IT, instead of a treacherous path toward computer hacking and criminal behavior.


Case Study

In attempting to develop a better framework for understanding and managing hacker behavior among young people, we faced two significant challenges: On the one hand, there is a rich body of qualitative discussions about the technical, sociological, psychological, and cultural origins of computer hacking from various perspectives [15,16,19,24,25]; on the other, the extant quantitative studies seem to have produced findings that are more diverse than congruent due to their differing theoretical perspectives [2,4,13,14,20,29]. These challenges motivated us to conduct our own exploratory case study of computer hackers to address some of the critical elements not previously addressed. Our basic approach was to be informed by the extant literature but not constrained by the frameworks or theories. The only limit we adhered to was established methods of case-study research (see the online Appendix). We describe and discuss the most significant findings next, using pseudonyms for our six subjects to protect their identities.


Early Interest in Computers

In all but one case, our subjects developed an interest in computers early in life, some as early as elementary school, usually from ordinary circumstances (such as curiosity about how computers work and playing computer games), as with many other teenagers. "Adam" said his hacking began when he was in high school and took courses in computer programming. Though not very interested in computer games, he liked to disassemble and reassemble computers at home. "Eric" said he became interested in computers in third grade when his family bought its first computer. His primary interest then was playing computer games. Likewise, when describing how he began hacking, "Frank" said, "I got my first personal computer in the 1990s when I was in middle school. I bought the computer with antivirus software. I was curious how the software worked. So, in my first year of middle school, I was able to break into the software and understand how it worked."


Innocent Motives

Our interviews found these students typically started hacking due to innocent motives (such as wanting to know more about computers and going online with school computers). "Chris" said his first hacking followed his interest in a female student as a freshman in high school. He was too shy to ask where she lived, thinking the information must be stored in the school's registration system. He then learned hacking techniques from computer magazines and multiple sources on the Internet. After a semester of trial and error, he gained access to the school registration system and quickly found the information he was looking for.

Chris's story is typical of our subjects. "Brian" said his earliest hacking experience was in middle school when he wanted to continue playing computer games on the Internet and the teacher in charge of the computer lab cut access to the router to control access time. That motivated him to learn how to turn on access remotely so he could continue playing when the teacher would leave. Eric began hacking his own computer and computer games when he, too, was in middle school, modifying the computer and the games to install new games and give himself a better game experience, sometimes altering the balance in his online gaming accounts to be able to play without paying.


Minds Not Challenged

It appeared that all our subjects were exceptionally bright compared to their student peers and could have chosen to be the kind of A-students their teachers and parents expected and hoped for. Interestingly, as students with great academic potential, all appeared uninterested in being A-students, preferring to spend their time learning hacking skills instead of doing their coursework. Adam said, "Among my friends in college, none of them have good grades. While we were the smartest kids in high school, there is not much difference among the classmates in terms of intelligence at the top colleges. Some students want to devote most of their time to academic studies; others like to spend time on more interesting things. I spend a lot of time in labs on complex computer networks, which have little relationship with my major. Many of the courses in my college curriculum are not very meaningful to me, so I don't have any motivation to achieve A's in these courses. Compared to other students, students of this type have stronger technical skills, spend less time on courses, and have more time to kill. We want to be different, have an interesting life, and develop unique characters. I use the time to hack and develop hacking tools, while among my friends, there is a variety of other interests. Some participate in student clubs (such as the debate club)."

Frank said his childhood dream was time travel and studying high-energy physics but ended up as an electrical engineering major in college. He was not interested in topics like magnetic fields taught in class, spending most of his time studying computer programming languages and learning computer hacking skills. He said, "I read through all of the books about computer hacking on the second floor of the college's library, as well as books on computer programming, during my first year in college. I learned every computer programming language I had access to."


Porous Security

The convergence of computers and networks in homes, schools, and organizations, along with connectivity provided by the Internet, poor-quality security mechanisms in major operating systems and application software, and Web servers based on the TCP/IP protocols was fertile ground for the talented and the curious to explore and exploit. Our six subjects demonstrated that with some fundamental understanding of computer programming and network protocols, along with tips and techniques from computer magazines and the Internet, they could penetrate almost any computer system, viewing and downloading documents at will, while still in high school.




They quickly discovered the situation was no better in college. Chris said, "When I arrived at this university, I went into the computer labs and tried to figure out if there were any security holes in the systems. Unfortunately, I found a lot. Unlike others, my interest was not in individual computers but in servers. Most of the individual computers had virtually no protection. I liked to be challenged with technical issues, so I targeted only servers and tried various approaches to penetrate them."

Similar discoveries were made by the others as well. Adam said, "In my first year at the university, I discovered there was a system for admissions. I was curious about whether a girl in my high school was admitted into the university, so I attempted to hack the system. I found the security of the system was very weak; a simple SQL injection allowed me to break in. I could have easily changed the admission records or the registration records."


Tolerated by Schools

The study subjects' participation in regional and national computer programming competitions brought accolades to their schools. They thus received special treatment and respect from their teachers and school officials. Asked whether they feared being caught and how it might affect admission to the top universities they sought, Adam said, "The teacher who was managing the systems was like a brother to us. Even if we were caught, he wouldn't punish us. We were winning prizes for him and the school, and he couldn't be more thankful to us."

Although it is clear that not all school computer administrators are indifferent to hacking, our evidence shows our student hackers were usually able to mend the relationship to avoid punishment after their hacking was exposed. Chris said, "There are two types of attitude toward student hackers in my school: One group thought we were troublemakers, and the other was more accommodating and admiring what we could do because they had some interest as well. Once you break into a system, the system administrators usually dislike you because you have made them look bad, because their job is to protect the system. But I eventually helped them redesign the security of the system, and we were safe after that."


Associated with Other Hackers

Our subjects said at some point in their hacking histories, they connected with others with like interests, significantly accelerating development of their skills and scope. Hackers and potential hackers seek each other through the Internet and online communities (such as QQ, a popular instant-messaging and online community platform in China) and college bulletin-board system sites, forming their own cliques and communities, sharing experiences, tools, and skills, and occasionally bragging about their accomplishments. Adam said his connections with peer hackers developed when he was accepted to a university and students from all over the country joined the QQ group to exchange ideas, learn skills, and even organize coordinated attacks on targets.

In some cases, student hackers would openly organize themselves into student clubs or special interest groups. Frank said, "When I was in college in 2006, I started a network security club consisting of only students, many of whom were victims of computer hacking (such as some who had their QQ passwords stolen or their computers invaded by Trojan malware). Some were just curious; others were interested in knowing how to steal QQ passwords. Gradually, some of the students started to steal exam files from professors' computers. Students in the club taught each other hacking skills. After I graduated, I went back to give lectures to the club, sometimes with 300-400 in attendance, covering topics ranging from how to identify and take advantage of security holes to how to defend against security attacks. We even set up a mobile server and let students compete to see who could get maximum control over it and grant themselves the most permission on the server."


Shifting Moral Values

Our subjects indicated that many college students were involved in computer hacking, though only a small number ever become hackers who commit crimes using their skills, in college or after graduation. Most will find jobs in top-tier IT companies and information-security firms. Frank said, "Many of the students in the hacking club went on to work for top IT companies like Baidu, Tencent, and Symantec. These students came from all majors, including management, foreign languages, and transportation engineering, and knew the information-security industry offered higher pay."




There is no guarantee our subjects, as students or as future employees, would not continue to use their increasingly sophisticated hacking skills to do harm. The primary constraining factor seems to be their moral values and judgment about hacking. All insisted they had drawn a line they would not cross: do no harm to others. Brian described an episode in which he gained remote access to a teacher's desktop computer and found a document with his family's credit-card and bank-account information. He said he felt badly for the teacher for his poor awareness of computer security but did not take money from his accounts. Asked why not, he said, "My education from a very young age has been that it is shameful to take something without working for it. Fundamentally, I believe I can tell right from wrong. I did this because I just wanted to practice as a case study of what I read from a [hacking] guide. I have always been mindful of my moral bottom line." However, a few of our subjects acknowledged they might cross such a line under certain circumstances (such as for survival and for justice, not a very high bar in today's material world). Asked whether he had ever used his hacking skills to make a profit, Frank said, "I will not deny that I have sold the security holes I identified for money. But my basic principle is I will absolutely not sell the holes to individuals."

Likewise, Chris said he learned when he was young it is morally acceptable to benefit oneself as long as he did no harm to others. He said, "I often see in QQ groups that individuals are selling botnets (zombie networks with hundreds or thousands of computers infected with Trojan-horse malware enabling control of the computers by a single perpetrator) they controlled for money. I think that's a problem. This is like you are attacking an individual who has no means to protect himself. I feel that a true hacker should have some moral principles, that is, do not attack individuals' computers. I enjoy getting data from servers, but I won't alter or destroy data on the servers." However, when asked whether he would deviate from his principles if he were unemployed and needed money to pay rent or buy food and someone was offering to buy control over botnets, he said, "I feel that is entirely possible."


Discussion and Insight

We found evidence that a perspective involving moral delinquency among young people does not adequately explain how our subjects became who they are today and why they do what they do. None were delinquent in many aspects of their adolescence nor did they appear to struggle with moral confusion or disengagement. On the contrary, all were viewed as outstanding students and treated with respect by their teachers. Their successful admissions into China's top universities represented the strongest manifestation of their academic success in high school.

Evidence of low self-control is mixed. While two subjects said they did not think much about long-term goals, the other four seemed thoughtful and goal-oriented. Their pursuit of increasingly complex hacking skills and control over what to target based on their own moral values appears inconsistent with the predictions of self-control theory.

On the other hand, we found many consistencies between what we learned and what is described in routine activity theory [5] (RAT), social learning theory [1] (SLT), and situational action theory [27] (SAT). We submit that these theories together capture the essence of our main findings: how computer hacking emerges in young people; why talented computer students become hackers; and how gray hats become black hats. Here, we discuss these findings in light of the theories, proposing our own framework based on our findings.


How Does Hacking Emerge?

RAT informs us that for a crime to occur, three essential elements must converge in time and space (motivated offender; appropriate target; and absence of able guardians) [5], offering an adequate explanation of how computer hacking began among our subjects. The emergence of a middle class in China following significant economic development over the past three decades, coupled with the dramatic price decrease of personal computers and penetration of Internet connectivity, has enabled many millions of families to buy computers for their children and to provide their (usually) only children their own rooms. This socioeconomic environment created conditions similar to the emerging suburbanization around major U.S. cities in the 1950s, from which Cohen and Felson [5] developed RAT of crime.

Although our subjects were not necessarily committing criminal offenses when breaking into their schools' computer labs or library systems, a logical analogy can be made between the behavior of middle and high school students and home invasions and robberies committed by street criminals: the convergence in time and space of the three essential elements of computer hacking: a motivated young adult with the ability (talent and skills driven by curiosity and hormones); an attractive target (computer systems storing information they want or providing access to the Internet or computer games they want); and the absence of able guardians (innate security holes in many operating systems and application software, weak security protection provided by their owners, and basic tolerance by school authorities to hacking).


Hacker Evolution

Although RAT provides a reasonable explanation for how computer hacking emerged in our subjects, it cannot explain why innocent, curiosity-driven computer hacking evolves into more sophisticated, mission-oriented hacking. For hacking to occur, all three elements identified in RAT must be present, but they are only the necessary conditions. Imagine a young male college student wants to know which classes a particular female student has registered for, a common scenario described in our interviews. He is aware of the registration system where such information is located and has the skills to break into the system and access it. However, he also has other alternatives for getting the information (such as asking the student directly, following her around, or asking her friends), which may take more or less effort and be more or less risky than hacking into the registration system. Why he chooses one over the others is beyond RAT.

This is where SAT becomes salient, informing us that people are moved to action by how they view their options when confronting a particular situation; what they see and what they choose depend on their knowledge and skill, experience, morality, opportunity, and moral context [27]. In the scenario of a boy following a girl, our subject would most likely choose the hacking option for four reasons: his knowledge and skill concerning the computer system; his past success hacking with little or no adverse consequence; hacking as the easiest option compared to the alternatives; and his moral judgment telling him it is not wrong if he intends to only peek at the records.

Imagine this young man graduates and finds a job that pays a good salary. He needs more money to support his increasingly demanding lifestyle, but the salary alone is not sufficient. He now sees offers on an underground website to buy controls for botnets, with the price dependent on the number of computers in a particular botnet. He has the skills to quickly infect thousands of computers, he might have done it in the past just to see if he could, and he has access to the population of computers that are easy targets for such an operation. The only thing now separating him from being a computer hacker (gray hat) and being a computer criminal (black hat) is his moral values and judgment regarding such behavior. SAT rightfully focuses on the moral judgment and context of the particular setting as the lens through which the subject views his options.


Aiding the Transition

While RAT and SAT are insightful theories to help explain the emergence and transition of computer hackers, their focus is mainly on individuals, in this case the lone hacker, in terms of what they see, how they evaluate their situations, and why they take certain actions. However, as suggested by our case evidence and the literature, though hackers may act alone most of the time, their evolutionary processes almost never happen in isolation but are fostered and sustained by salient elements in their social environments. They are aided early on by tolerance and even reinforcement by parents, teachers, and school administrators, and later by the sophisticated social networks and cliques from which they learn and share techniques, brag of accomplishments, form social orders and identities, and perpetuate the hacking subculture [11,12,15,26]. This is where SLT offers a salient explanation. Developed as a general theory to explain criminal behavior, SLT maintains that the probability an individual engages in criminal behavior will increase when the individual chooses to associate with others who commit criminal behavior and imitate their actions, is exposed to definitions (attitudes, norms, and orientations) that justify or rationalize the behavior, and has previously received differential reinforcement rewarding similar behavior [1].

Imagine a young hacker beginning to explore the weaknesses in school computers and networks in order to look at student records or extend the time he is able to access the Internet. Had teachers and school administrators not tolerated such behavior, enforced disciplinary measures, and provided venues to challenge his mind and instill the right ethical and moral values, he would have likely become a talented computer science or engineering college student like many others. Now he is in college armed with computer skills, motivated by curiosity, and emboldened by past experience, finding himself surrounded by like-minded and equally or even more talented peers, along with social groups and cliques, social networking tools that diminish physical distance and amplify the sense of community, and seminars and clubs that appeal to every interest. Immersed in this environment, he faces the challenge of differential association, or the individuals or groups he will identify with. Such groups or cliques will have a significant influence on what he does and how he views the world and computer hacking. The six subjects in our study and those studied in the literature [11,12,15,26] decided to associate themselves with hacker groups and communities for acceptance, learning, support, and identity. Their evolutionary paths from talents to hackers illuminate the hallmarks of SLT.


A Framework for Understanding Hacking

While RAT, SLT, and SAT offer insight into most of what we observed about computer hackers, an integrative view of the evolutionary process of hacker motivation, skill, experience, moral values, and behavior is clearly in order. As the evidence shows, our six subjects began hacking due to essentially innocent motivations. However, they gradually transitioned into more serious ones when they went to college and fell in with other hackers.

Likewise, their knowledge and skills improved in college due to social networking tools and student clubs connecting talented, like-minded students, enabling them to learn from one another, share their experiences, and exchange ideas. Perhaps most important, their moral values were also evolving. Hacking high school computer systems was mostly for fun, spurred by curiosity. But when hacking university registration and admission systems, professors' computers, and foreign government and military systems, the motivation was much less innocent and the consequences much more serious. In such circumstances, their moral values and judgment played a significant role in regulating their behavior.

Since they were rarely caught and disciplined, they formed the moral value that as long as they do no harm to others, it is not wrong to benefit themselves. On the rare occasions they were caught, they were enlisted to help the schools identify weaknesses in their systems, reinforcing the value that it is not only okay to hack computer systems, it may be justified if it helps the targeted organization improve its security. However, the moral bottom line, do no harm, may be less constraining than our subjects reported. When a situation is viewed as doing justice or taking revenge (such as in the Chinese-American cyber war in 2001 [3,21]), the line was readily crossed by at least one of our subjects, with others indicating they, too, would have participated without hesitation. Likewise, when survival is at stake, the guideline of do no harm would impose little moral constraint on our subjects, based on what they said to us.

In order to incorporate the adaptive and evolutionary nature of hacker motivation, skill, moral values, and behavior into RAT, SLT, and SAT, we propose an integrative process framework to explain the evolution of computer hacking among young people (see Figure 2). In it, the three stages of hacker evolution in Figure 1 are further supported through specific activities, enablers, and constraints. We also marked the locations where each of the three main theories (RAT, SLT, and SAT) is most salient in explaining the dynamics of hacker evolution.

We submit that the transition from innocent young talent to exploitive hacker begins with benign motivations (such as interest in computers, curiosity about people, and inner drive for knowledge and skill). Aided by three external enablers (bountiful opportunity due to porous security in computer systems and applications, tolerance of hacking by schools, and association with other hackers) and constrained primarily by moral values and judgment about computer hacking, such young talents gradually transition from curious exploration to purposeful exploitation. It must be pointed out that the constraining effect of moral values and judgment can be weak or strong and transitory, depending on the individual and his shifting values, as suggested by our case evidence.


The value of this framework is two-fold: it improves our understanding of how talented young people become hackers from an evolutionary perspective, and, perhaps more important, it provides guidance as to how the hacking epidemic among talented young people could be better managed. Schools and universities can do little about initial motivation (mostly legitimate and normal) and behavior (usually too late to change). Likewise, schools and universities can do little about opportunities due to porous computer security, as well as the ability to associate with and learn from other hackers in today's social networking environment.

However, schools, universities, and society in general can manage two critical enablers (tolerance and shifting moral values) to tame hacking. The moral values and judgment involved in computer hacking are shaped in part by the attitudes and actions of schools and universities toward hacking, as shown by our case evidence. So if schools and universities adopt an attitude of zero tolerance toward hacking, along with early intervention to address identified hacking activity (such as offering courses in computer ethics, organizing competitions involving defense of computer security, and setting up computer security services for organizations), these students might develop stronger moral values against illicit hacking, significantly influencing their later behavior in college. Eliminating tolerance and strengthening moral-value constraint appear to be the only manageable options in resisting hacking today. SAT and SLT would provide insight for policymakers at multiple levels.


Conclusion

We investigated how and why talented, computer-savvy young people become computer hackers through a case-study approach based on interviews with six known computer hackers in China. While RAT helps explain how hacking begins, SAT explains why talented young people take the road toward computer hacking, even when presented with many alternatives, and SLT calls for attention to environments that sustain hacking behavior and subculture. However, none of these theories explains the evolution of certain critical elements in the hacker process: motivation, knowledge and skill, opportunity, moral values and judgment, and the environment.

Based on our case evidence and the literature, we developed a framework for understanding and managing hackers and hacking behavior from an evolutionary perspective. The framework's most significant contribution is its explication of the enablers and constraints influencing hackers, providing guidance for managing the hacking epidemic by schools, universities, and throughout society. This framework calls for zero tolerance for hacking in schools and early intervention (such as through courses in computer ethics in middle and high schools, supervised competitions in defending computer security, and organizing computer security services for organizations) to strengthen the moral values of students against hacking and channel their interest in computers in a positive direction.

We also note a few caveats that may limit the generalizability of our findings and recommendations. The hacker subjects in our study were all from China. While this fills a significant gap in the hacking literature, some factors may be unique to the cultural and economic context; for instance, tolerance of student hacking by teachers and school administrators that appeared prevalent in our cases may not be the same in other countries; and the fact that all our subjects were the only children in their families due to China's birth-control policies may have some influence on their desire, ability, and ways of socializing with their peers and social groups, as well as on their character development related to self-control, moral values, and other relevant personality traits. Overall, however, their profiles, activities, and evolutionary paths are fairly congruent with what has been reported in the hacker research literature based primarily on Western cultures and countries.


Acknowledgment

This research is supported in part by grants from the National Natural Science Foundation of China (71272076 and 70972048).


References

1. Akers, R.L. Social Learning and Social Structure: A General Theory of Crime and Deviance. Northeastern University Press, Boston, 1998.

2. Bachmann, M. The risk propensity and rationality of computer hackers. International Journal of Cyber Criminology 4, 1-2 (combined issue, Jan.–July and July–Dec. 2010), 643–656.

3. Becker, E. F.B.I. warns that Chinese may disrupt U.S. Web sites. The New York Times (Apr. 28, 2001); http://www.nytimes.com/2001/04/28/world/fbi-warns-that-chinese-may-disrupt-us-web-sites.html?src=pm

4. Bossler, A.M. and Burruss, G.W. The general theory of crime and computer hacking: Low self-control hackers? In Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, T.J. Holt and B.H. Schell, Eds. Information Science Reference, Hershey, PA, 2011, 38–67.

5. Cohen, L.E. and Felson, M. Social change and crime rate trends: A routine activity approach. American Sociological Review 44, 4 (Aug. 1979), 588–608.

6. Cronan, T.P., Foltz, C.B., and Jones, T.W. Piracy, computer crime, and IS misuse at the university. Commun. ACM 49, 6 (June 2006), 84–90.

7. Gibbs, J.P. Crime, Punishment, and Deterrence. Elsevier, New York, 1975.

8. Gottfredson, M. and Hirschi, T. A General Theory of Crime. Stanford University Press, Stanford, CA, 1990.

9. Green, D.P. and Shapiro, I. Pathologies of Rational Choice Theory: A Critique of Applications in Political Science. Yale University Press, New Haven and London, 1994.

10. Hollin, C. Criminological psychology. In The Oxford Handbook of Criminology, M. Maguire, R. Morgan, and R. Reiner, Eds. Oxford University Press, Oxford, U.K., 2002.

11. Holt, T.J. Lone hacker or group cracks: Examining the social organization of computer hackers. In Crimes of the Internet, F. Schmalleger and M. Pittaro, Eds. Pearson, Upper Saddle River, NJ, 2009, 336–355.

12. Holt, T.J. The attack dynamics of political and religiously motivated hackers. In Cyber Infrastructure Protection, T. Saadawi and L. Jordan, Eds. Strategic Studies Institute, New York, 2009, 161–182.

13. Holt, T.J., Bossler, A.M., and May, D.C. Low self-control, deviant peer associations, and juvenile cyberdeviance. American Journal of Criminal Justice 37, 3 (Sept. 2012), 378–395.

14. Holt, T.J., Burruss, G.W., and Bossler, A.M. Social learning and cyber-deviance: Examining the importance of a full social learning model in the virtual world. Journal of Crime and Justice 33, 2 (2010), 31–61.

15. Jordan, T. and Taylor, P.A. Sociology of hackers. The Sociological Review 46, 4 (Nov. 1998), 757–780.

16. Jordan, T. and Taylor, P. Hacktivism and Cyber Wars. Routledge, London, 2004.

17. Mercuri, R.T. Analyzing security costs. Commun. ACM 46, 6 (June 2003), 15–18.

18. Ponemon Institute. 2011 Cost of Data Breach Study. Ponemon Institute LLC, Traverse City, MI, Mar. 2012; http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide_CODB_US

19. Schell, B.H., Dodge, J.L., and Moutsatsos, S.S. The Hacking of America: Who's Doing It, Why, and How. Quorum Books, Westport, CT, 2002.

20. Skinner, W.F. and Fream, A.M. A social learning theory analysis of computer crime among college students. Journal of Research in Crime and Delinquency 34, 4 (Nov. 1997), 495–518.

21. Smith, C. The first world hacker war. The New York Times (May 13, 2001); http://www.nytimes.com/2001/05/13/weekinreview/may-6-12-the-first-world-hacker-war.html

22. Sutherland, E.H. Principles of Criminology. J.B. Lippincott, Philadelphia, 1947.

23. Sykes, G.M. and Matza, D. Techniques of neutralization: A theory of delinquency. American Sociological Review 22, 6 (Dec. 1957), 664–670.

24. Taylor, P. Hackers: Crime in the Digital Sublime. Routledge, London, 1999.

25. Thomas, D. Hacker Culture. University of Minnesota Press, Minneapolis, 2002.

26. Turgeman-Goldschmidt, O. The rhetoric of hackers' neutralizations. In Crimes of the Internet, F. Schmalleger and M. Pittaro, Eds. Pearson, Upper Saddle River, NJ, 2009, 317–335.

27. Wikström, P.H. Linking individual, setting, and acts of crime: Situational mechanisms and the explanation of crime. In The Explanation of Crime: Contexts, Mechanisms, and Development, P.H. Wikström and R.J. Sampson, Eds. Cambridge University Press, Cambridge, U.K., 2006.

28. Yar, M. Computer hacking: Just another case of juvenile delinquency? The Howard Journal of Criminal Justice 44, 4 (Sept. 2005), 387–399.

29. Young, R., Zhang, L., and Prybutok, V.R. Hacking into the minds of hackers. Information Systems Management 24, 4 (Dec. 2007), 281–287.


Authors

Zhengchuan Xu (zcxu@fudan.edu.cn) is an associate professor in the Department of Information Management and Information Systems in the School of Management at Fudan University, Shanghai, China.

Qing Hu (qinghu@iastate.edu) is Associate Dean for Graduate Programs and Union Pacific Professor in Information Systems in the College of Business at Iowa State University, Ames, IA.

Chenghong Zhang (chzhang@fudan.edu.cn) is a professor in the Department of Information Management and Information Systems in the School of Management at Fudan University, Shanghai, China.


Figures

Figure 1. Evolutionary path taken by hackers.

Figure 2. Integrative framework.


Tables

Table 1. Primary criminological theories in hacker research.

Table 2. Representative academic studies on hacking behavior.



©2013 ACM  0001-0782/13/04



Comments


Rafael Anschau

I think this text is absolutely unjust with hackers. Who said "putting hackers on the line" is desirable? Yeah, stifle curiosity, stifle their desire to do things their own way, mold them to the political economical machine! I wonder what would have been of Bill Gates and Steve Wozniak had they been subjected to such attitude. Often, the capacity to do things your way is more beneficial to people in the long term than any preconceived, imposed career path.


Anonymous

They did forget at least one key motive for hackers. Specifically relating to piracy, society and marketing target young people and yet at the same time, they forget that young people have limited finances. This means that the psychological methods employed by advertisers for various media create hungry consumers without the resources to fulfill their desire through the means that are condoned by the system. These pirates then turn to other methods of satisfying the desires instilled in them by the creators of the content, such as piracy.


Anonymous

The study lumps a lot of things under one roof. There is a difference between "pirating" a song and cracking into a company system to extract industrial information.

Also, I suspect there are some real cultural differences here. The US and China are very different societies, and any assumed similarities must be taken with care.

Further, the PLA and other parts of the Chinese government look for these kids. See
http://www.techrepublic.com/blog/security/what-the-mandiant-report-reveals-about-the-future-of-cyber-espionage/9112
and
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
which explicitly fingers PLA unit 61398 as the unit that has been actively stealing from US countries.


Anonymous

I think part of the problem is that these people are geniuses, and they don't want to work in a scenario where the ones in charge are far, far, far from genius. The non-geniuses also lack the ability to remain objective, so when a genius tells them that they can't get 5 from 2 and 1 just because they used 2 last time to get to 5, they're offended. So geniuses are not desired, and sometimes their reputations are ruined. I'm no genius, but this is a constant theme in my life.


Anonymous

There are some major flaws with this study. First off, the range in differing environments was far too small. Since much of what people learn is from their environment, people in different areas may respond differently to the events that you have tested. Also, six subjects seems like too few to draw an accurate conclusion. I think before any school decides to implement any changes to their policy based on this experiment they should try to first recreate the experiment and see if they get the same results.

Also, please use the term cyber criminals instead of hackers when you are referring to criminals. Not all hackers are criminals and it is offensive to put them all under one category.

I do appreciate the fact that someone is actually looking into this though and hope that your research will inspire further research.


CACM Administrator

The following letter was published in the Letters to the Editor in the July 2013 CACM (http://cacm.acm.org/magazines/2013/7/165490).
--CACM Administrator

Exploring the malicious hacker problem, Zheng-chuan Xu et al.'s "Why Computer Talents Become Computer Hackers" (Apr. 2013) overlooked many motivations for computer talents becoming computer hackers, due, possibly, to cultural differences between China and the West, as suggested in the article, or just to the authors' limited findings, which were based on interviews with only six known computer hackers in Shanghai. Moreover, the article did not distinguish between hackers who ethically go to extremes of computing and malicious hackers willing to do harm to achieve their goals.

My own research at SRI International, 1971–1995, funded by the U.S. National Science Foundation, U.S. Department of Defense, and U.S. Department of Justice, involved interviews with more than 100 notorious malicious computer hackers in the U.S. and Western Europe. That work was documented in case studies in my books Crime by Computer (1976) and Fighting Computer Crime (1983), both published by Charles Scribner's Sons, Inc. Malicious hacking is still motivated in much the same way as it always has been, starting with phone phreaking in the 1960s.

One significant motivation the article clearly overlooked is that some young hackers are looking for shortcuts to a high-paying career in information technology without first undergoing a formal education. Such an irrational strategy typically concentrates on learning from manuals, the Web, personal experimentation, and experienced hackers, as noted in the article, believing that if they engage in sufficiently outrageous but brilliant conduct, with ends justifying means, as was done by some highly publicized malicious hackers before them, they will be noticed by their victims and hired at high pay to protect society from further harm.

My own interviews revealed many kinds of deviant behavior associated with ready access to the powerful, pervasive, vulnerable, fragile information technology at the heart of almost every organization's and user's operations, including negativism, delusions of grandeur, infantile ideals, grandiose, overt behavior, frequent regressions, compensatory mechanisms, peer pressure, fragile ego, irrationality, antisocial behavior, poor grooming and personal habits, unhealthy diet, use of alcohol and drugs, squalid living, disrespect for authority, deception, thievery and burglary, piracy, extortion, endangerment, misuse, abuse, negligence, sabotage, espionage, misrepresentation, intimidation, physical and mental violence, bullying as subject and object, autism, idiot-savantism, sibling rivalry, reaction to parental aberrations and broken homes, hero worship, sexual excess, attention deficit disorder, and more.

I agree with the findings in the article as far as they went, that "...hacker candidates encounter porous security, are tolerated by some academics, and are encouraged by like-minded individuals." They are also sometimes inadvertently encouraged by naive reformers at hacker conferences and by the early success of a few malicious hacker heroes (such as "Cap'n Crunch," "Fiber Optic," and Kevin Mitnick). These hacking mentors and others are described in my books, as well as in others, including Hackers, Heroes of the Computer Revolution by Steven Levy (Anchor Press/Doubleday, 1984), The Hacker Crackdown by Bruce Sterling (Bantam, 1992), and The Fugitive Game by Jonathan Littman (Little, Brown and Company, 1996).

Donn B. Parker
Los Altos, CA

