If businesses are serious about reducing the risk of cyber attacks, they must work closely with hackers, says Lauri Love, the UK computer security expert who is facing extradition to the US, accused of computer crimes.
Mr Love, who lost his appeal against extradition in September, says more should be done to ensure young people with computer skills learn to use their talents in a positive way working for companies, rather than engaging in crime. The transition to cyber vandalism and worse often starts when a bright but socially awkward teenager is drawn into the wrong circles, he says.
“A lot of the mental make-up that can make you quite good at analysing computers and information systems tends to manifest with problems of social adaptiveness. People can find that they have trouble concentrating at school or problems with behaviour and authority,” Mr Love adds. “They don’t have the availability and means of getting into doing cyber security and developing their skills in the appropriate safe environment in a constructive way.
“The underworld doesn’t care how well-dressed you are or whether you can maintain eye contact. They just care if you have the skills. There is a perverse sense in which the criminal underworld is more meritocratic than society. Sadly, their agenda is different.”
Until last month, Mr Love was part of a social enterprise, Hacker House, which aims to give young computer enthusiasts a place to practise their hacking skills without causing damage — and to put them to use helping, rather than harming, businesses.
“We want to provide a place where people who have started down the path to being a little bit naughty can come. We can say, ‘OK, we will teach you how to hack, you can have all the fun, but you won’t be interfering with someone’s business and you won’t find yourself on the end of a difficult conversation with people with badges,’” he adds.
Companies could learn a lot from hackers, Mr Love says. Most businesses severely underestimate their risk from cyber crime. Hackers often penetrate their defences in very basic ways.
“There is a lot of code running on computers — some of it is kept up to date and patched against security vulnerabilities, some of it is not,” Mr Love says. “Hacking is mostly a case of persistence; it is not always a case of spectacular ability — just determination to keep looking until you find the one thing that wasn’t up to scratch.”
Hacking is mostly a case of persistence; it is not always spectacular ability
He compares looking at the back end of corporate systems to looking back in time. “Sometimes you end up going back to the 1990s and finding levels of security that we ought to have moved past,” he says. “You see the same mistakes over and over again.”
There is a tradition of ex-hackers going to work in corporate security. Kevin Mitnick, who was imprisoned in the US in the 1990s for hacking, runs his own corporate security consultancy. George Hotz, a hacker who faced litigation by Sony in 2011 for hacking the PlayStation 3 games console, has since worked for Facebook and Google.
Companies can also tap into the hacker community more broadly by setting up so-called “bug bounty” programmes, where hackers are rewarded if they discover and report serious security flaws.
“We can shape the rules of the game so people who find these things out have a way to come to the [company] and say, ‘I have found out this is insecure,’ without being afraid of being prosecuted or sued,” Mr Love says. “We can create an incentive structure to bring people onside. These are bug bounty programmes and people are just learning to do them.”
With a mischievous smile, Mr Love, who is accused of breaking into US military computers, adds: “In fact the Pentagon just ran its first bug bounty system. And so whereas some people in the world are in trouble for allegedly hacking the Pentagon, now the Pentagon is asking sometimes the same people to come and hack it.”
The FBI and US Department of Justice allege Mr Love stole thousands of files from the Pentagon and Nasa, as well as from other bodies, including the Federal Reserve and Environmental Protection Agency.
Mr Love’s lawyers have argued that he should face legal proceedings in the UK rather than the US, where they say his health could be affected by a lengthy jail term. Mr Love has Asperger syndrome, which his lawyers say could deteriorate and lead to a mental breakdown or even suicide.
In any case, Mr Love feels the current approach by the police and criminal justice system is not deterring hackers.
“The issue is that there are 7bn people connected to the internet and not all of them are in legal jurisdictions where computer crimes will be prosecuted. Even if you can scare all the people in the UK into not testing your security, that doesn’t affect the people that live somewhere where you don’t have extradition arrangements,” he says.
He is not arguing that computer breaches should be decriminalised, but he says there should be more differentiation between cases where hackers are going in to steal money or information, and cases where people are merely testing the system’s defences.
“When you damage a system, when you trespass, when you interfere with business operations — that is a crime and should remain defined as a crime. But the priority of the state shouldn’t be to try to frighten people into not testing security, we need security to be tested,” he says.
“I don’t think we should be heavy-handed with people, not when they haven’t adopted a criminal mindset. I’m hoping law enforcement can start taking more of a harm-reduction approach rather than this kind of traditional drugs-war approach of being very hard on it and trying to scare the kids straight — because the kids aren’t being scared straight.”
Mr Love’s case is due to considered by Amber Rudd, the UK’s home secretary, in mid-November. If she decides to authorise the US’s extradition request, Mr Love will have 14 days to appeal against the ruling.