Watch any Hollywood spy thriller. Or political drama. Or speculative sci-fi film. It doesn’t matter who it stars, from Tom Cruise to Dwayne ‘The Rock’ Johnson.
You will see one inaccurate media trope, appearing all over the place, and seemingly never changing. This trope is that of the ‘hoodie hacker’.
The ‘hoodie hacker’ sits alone in a darkened basement, surrounded by empty energy drink cans, the blue light of their monitor slightly illuminating their face from beneath their black (and it’s always black) hoodie.
Isolated, dysfunctional, and almost always a lone wolf, the hacker misrepresents threat actors as individuals, acting alone out of personal and professional grudges, instead of meticulously organised and formally trained groups that are driven by financial gain.
This trope also trivialises the complexity and difficulty of what threat actors do, via the terrible movie portrayal of ‘hacking’.
Hackers rapidly smash out a line of lime green code into the black screen of their monitor and in mere seconds find themselves in “the mainframe”. Expect dialogue about “bypassing the firewall”, “securing the access codes” and “corrupting the files” that the screenwriters who wrote it wouldn’t be able to explain.
In so many other forms of representation, we call for realism. Realistic portrayals of communities, professions and places. So that we as audiences are not misinformed in the way we interact with individuals and society.
The cyber criminal is one figure we just haven’t discussed in these terms, and we really should.
The internet and the world have changed so much since the ’90s, but we portray online threats now in the same way we did then. This is a serious problem considering their growing prevalence and how difficult they are to combat.
Images like the “hoodie hacker” invite complacency among executives and risk managers, putting their security in jeopardy. They may rely too much on automation or underinvest in security teams or even both. Their security strategies are influenced by a misunderstanding of the modern cyber adversary, as weird, untrained and benign. In reality, threat actors are calculating, experienced and one of the biggest threats modern businesses face.
However, the hoodie hacker stereotype is damaging not only to executives and business leaders but also to aspiring cyber security professionals.
There are endless debates on the value of certifications and education programs amongst cyber security professionals. Industry veterans, educators and emerging professionals debate if certifications are worth it, and if they are, which ones. These debates are a good thing, and should always be encouraged.
However, what shouldn’t be encouraged is an outright rejection of the necessity of cyber security certifications on incorrect grounds.
Consider, for example, a post by a brand manager for a cyber training company, which asserts you don’t need a certification to work in cybersecurity, because “The people who are exploiting your networks and applications don't have certifications or degrees.”
This post, which received hundreds of comments, shares and reactions, relies on the sweeping and false generalisation that successful cyber criminals receive no formal training or credentials.
This is deeply false. Organisations like the Department of Justice, FireEye and the Mandiant Intelligence Center in conjunction with cyber security researchers have documented organisational hierarchies, skill categories, formal training programs and member expectations in dangerous cyber criminal groups.
In June of this year, Brian Krebs reported that the Trickbot malware gang had a hiring process where potential applicants were asked to "create various programs designed to test the applicant's problem-solving and coding skills."
FireEye reported in 2017 that threat actor Unit 61398 recruits new members from the Science and Engineering departments of universities like Zhejiang University and the Harbin Institute of Technology. In its recruitment process, the unit emphasises that it wants members with strong English proficiency and highly technical computer skills.
With research like this speaking to the training and qualifications these threat actors require from their members, there’s only one explanation for the assumption that they lack them: the stereotype of the hoodie hacker.
This misrepresentation serves to exploit the insecurity of prospective cyber security professionals, who start to wonder why they are spending money on training or tuition when the ‘elite’ hackers have neither.
Subsequently, more cyber security professionals are going into the profession uninformed and unprepared, not just about the true nature of cyber security threats, but also about the qualifications and training they will need to neutralise them.
Whilst the security professional community has arguably moved beyond the outdated hoodie hacker trope, its cultural circulation continues to pose a threat to the security posture of businesses and organisations. Many business leaders already tend to dismiss and minimise the cybersecurity threats their business faces, and this poorly portrayed archetype only fuels that tendency.
The solution to the harm the hoodie hacker stereotype has caused is not just to remove hackers from political dramas, action movies and spy thrillers going forward. To do this would erase the ongoing serious threat that cyber criminality represents to politics, governance and business, a threat which we all must confront.
What we need instead is a comprehensive, accurate and well-researched representation of modern cyber criminals. The BBC's 10-part podcast 'The Lazarus Heist', which focuses on a group of North Korean hackers, succeeds at doing this. But this podcast is non-fiction, and we need to see such representations in fiction too.
We need mass media to say goodbye to the ‘hoodie hacker’ and reflect the sophistication, intelligence and danger of these groups, so that more people take the threat seriously.
In addition to this, countering the hoodie hacker stereotype requires the eradication of the generalised idea that hackers in criminal groups lack formal training. Research is needed on the advanced persistent threat (APT) talent development pipelines these groups use to recruit. This research should reach the networks of educational programs, private industry, military intelligence, hands-on training and organised crime which feed these groups.
It’s about time we as a culture took the hoodie off and stared the reality of cyber crime in the face.