Why the Basement Hacker Stereotype Is Wrong — and Dangerous
- Post Originally published at Dark Reading by Micah Babinski , sharing it as it was credited to my book Cybersecurity: The Beginner’s Guide at LinkedIn
“It could be Russia but it could be China, it could be lots of people. It could be somebody that sits on their bed that weighs 400 pounds.” These comments, made during a 2016 presidential debate, may be among the most high-profile and cringeworthy incarnations of what I call the Basement Hacker stereotype. But even years later, the Basement Hacker idea persists. This outdated stereotype and media trope characterizes threat actors as isolated, dysfunctional, lacking formal training or organization, and clothed exclusively in black hooded sweatshirts.
At its core, the Basement Hacker represents a fundamental and ongoing misunderstanding of the modern cyber adversary. As Sun Tzu wrote in The Art of War, “If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” The Basement Hacker myth gives organizations of all sizes a false sense of superiority over threat actors, whom they perceive as untrained, benign, and weird. Gone unchecked, this sense of superiority can spur complacency among risk managers and executives who determine security budgets, leading to underinvestment in security teams, overreliance on automation, or both.
But the Basement Hacker stereotype is damaging in more subtle ways as well. Consider the perennial debate over the value of certifications and educational programs taking place among the large, vibrant, and forever-expanding community of aspiring cybersecurity professionals and the established industry players who market educational services and thought leadership to them. Industry veterans, emerging professionals, and cyber educators debate at length whether certifications are worth it, which ones to go for, and how to gain sought-after skills in the most economical way possible.
A recent social media post by a brand manager for a cyber training company asks rhetorically, “Why do you need a certification/degree to work in cybersecurity? The people who are exploiting your networks and applications don’t have certifications or degrees.” This post, and ones like it, receive robust engagement in the form of hundreds of reactions and dozens of comments and shares.
This message, firmly based on the Basement Hacker stereotype of an untrained and disorganized adversary, contains several elements of effective misinformation. It purports to boldly challenge the conventional wisdom (that cybersecurity employment requires a degree and/or certification) to build credibility. It uses sweeping generalizations to assert, falsely, that successful attackers lack formal training and credentials, a potentially attractive message to aspiring cybersecurity professionals who want to skill up for a job without breaking the bank.
And it exploits natural human insecurity, that would drive a student to wonder, “Why am I spending all of this money on tuition or formal training when the truly elite hackers have neither?” The result? Perpetuation of the myth, as well as emerging professionals uninformed or under informed of the true nature of the threat.
In fact, organizations like the Mandiant Intelligence Center, FireEye, and the Department of Justice, not to mention academic cybercrime researchers, all have documented, formal training programs, organizational hierarchies, and specific skill categories required of the world’s most dangerous adversaries. For example, in its 2016 report, Mandiant/FireEye found that “there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology.
The majority of the ‘profession codes’ describing positions that Unit 61398 is seeking to fill require highly technical computer skills. The group also appears to have a frequent requirement for strong English proficiency.”
In June 2021, Brian Krebs reported on the hiring process for the Trickbot malware gang, where applicants, “were asked to create various programs designed to test the applicant’s problem-solving and coding skills.”
As security professionals, we pride ourselves in knowing better than to buy into the outdated, harmful Basement Hacker stereotype. After all, we learned the hard way that our most dangerous adversaries are organized, well-funded, and highly trained. But despite the fact that the security professional community has mostly moved beyond the outdated Basement Hacker trope, the damage of its continued circulation threatens to further erode the security posture of organizations of all sizes at an already fragile moment in cybersecurity history.
If we counter the harm of the Basement Hacker stereotype, C-level leaders will more readily acknowledge that professionalized threat groups pose a security risk to organizations of any size and across all industry sectors. To achieve this outcome, we should avoid perpetuating the Basement Hacker idea wherever possible. We must also counter this narrative by disseminating a clear-eyed, comprehensive picture of modern threat groups.
Finally, more research is needed to understand the advanced persistent threat (APT) talent development pipeline. This research should include the educational programs, hands-on training, credentialing, and the nexus between military intelligence, private industry, and organized crime that feed these highly-trained and organized groups. Only then can we confidently claim an understanding of these sophisticated actors that operate (almost) entirely outside of the basement.
Cybersecurity: The Beginner’s Guide
Cybersecurity The Beginner’s Guide
Cybersecurity: The Beginner’s Guide More than 400 pages of a comprehensive guide to getting started in cyber + 100 pages of advice from Cybersecurity experts. You will find everything to excel your career in Cybersecurity, or help your Organization to close the Cyber Talent Gap.
It’s not a secret that there is a huge talent gap in the cybersecurity industry. Everyone is talking about it including the prestigious Forbes Magazine, Tech Republic, CSO Online, DarkReading, and SC Magazine, among many others. Additionally, Fortune CEO’s like Satya Nadella, McAfee’s CEO Chris Young, Cisco’s CIO Colin Seward along with organizations like ISSA, research firms like Gartner too shine light on it from time to time.
This book put together all the possible information with regards to cybersecurity, why you should choose it, the need for cybersecurity and how can you be part of it and fill the cybersecurity talent gap bit by bit. Starting with the essential understanding of security and its needs, we will move to the security domain changes and how artificial intelligence and machine learning are helping to secure systems.
Later, this book will walk you through all the skills and tools that everyone who wants to work as a security personal needs to be aware of. Then, this book will teach readers how to think like an attacker and explore some advanced security methodologies. Lastly, this book will dive deep into how to build practice labs, explore real-world use cases, and get acquainted with various security certifications.
By the end of this book, readers will be well-versed with the security domain and will be capable of making the right choices in the cybersecurity field
Things you will learn
- Get an overview of what cybersecurity is, learn about the different faces of cybersecurity and identify the domain that suits you best
- Plan your transition into cybersecurity in an efficient and effective way
- Learn how to build upon your existing skills and experience in order to prepare for your career in cybersecurity
To order the book :
Amazon: Order here
Google Books : Order here
Packt Publishing: Order here
- ISBN : 978 1 78588 533 2
- ASIN: 1789616190
- ISBN-13: 978-1789616194
Publisher: Packt Publishing
Date: May 24, 2019
Number of Pages: 390
I’ve been published by #DarkReading! I’ve been a fan of the site since learning about it in #Cybersecurity: The Beginner’s Guide, by Dr. Erdal Ozkaya. I hope you will take a moment to read the piece and let me know what you think.