Bad Actors Begat Bad Habits

On the tipping point of the next tragedy of the commons.

by / February 3, 2004
When $205 billion in damage is caused by an act of nature, it is declared a national disaster. When caused by an arsonist, terrorist or corporate cheater, it is called a crime. When caused by self-styled cyber-vigilantes, we become more ambivalent. Indeed, not so long ago, hacking was the stuff of celebrity -- complete with book deals and legendary status in the hacker community (a term used loosely and advisedly). Even today, they enjoy reputations as giant killers -- "wicked smart" and more than a little dangerous.

Yet $205 billion is the tally for their handiwork in 2003 alone, according to the British security intelligence company mi2g. Include all incidents since the turn of the century, and the total balloons to $360 billion in economic damage from overt and covert cyber-attacks.

If enforcement efforts are any indication, the staggering financial toll has not been enough to propel malicious code cutting to the level of serious crime. Perhaps it is because lawmakers do not believe the damage is as real as that from arson, natural disasters and the like. Perhaps it is because the IT community (also used advisedly) lacks the tools, techniques and discipline to detect and defend against intrusions. Perhaps it is because we drank the Kool-Aid too, and have accepted the logic of vigilante policing.

The rationale was that monolithic software companies would not pay attention to fixing flaws in their products unless publicly embarrassed. From that premise, hacking as revenge; hacking as a path to fame (or infamy); and hacking as sport for the bored and embittered can all be dressed up as hacking-as-public-service.

Malware sites are crowded with hackers bent on demonstrating (a) their intellectual superiority among code cutters and (b) the weaknesses of commercial software, even at considerable cost to legions of noncombatants who are just trying to get something done.

The biggest target became the prime target. Even Microsoft executives commonly referred to the company's installed base as the largest attack surface in the world.

If Microsoft raised the ire of hackers because of the closed and proprietary nature of its products, it would follow that an open, community-developed computing platform would be free of malicious code.

That was part of the Linux promise, the rising popularity (and increased commercialization) of which has now put it in the crosshairs of the disgruntled. Consider a separate mi2g study indicating that Linux has eclipsed Microsoft as the largest attack surface worldwide. Over a 12-month period, Linux servers were the targets of 51 percent of all attacks, compared to 23 percent for servers running a Microsoft operating system.

Thanks to the vigilantes, the wider community of software developers appears to have turned on itself and began eating its young.

The logic of vigilante policing is having a similarly corrosive effect on the debate over the integrity of electronic voting technologies. Not content to let whistleblower complaints or the court process work themselves out, activists inadvertently set in motion a chain of events that compromised an otherwise sobering analysis of one company's e-voting source code. Also compromised was the reputation of the study's lead researcher who failed to disclose a financial interest in a competitor. As the guerilla campaign intensified, it also turned criminal. According to the Associated Press, the competitor later reported a "politically motivated" hack of its internal systems to the FBI. Perfect.

Public trust remains the coin of the realm in government -- and in a networked world -- but you wouldn't know it by how we're spending it.
Paul W. Taylor Contributing Writer

Paul W. Taylor, Ph.D., is the editor-at-large of Governing magazine. He also serves as the chief content officer of e.Republic, Governing’s parent organization, as well as senior advisor to the Governing Institute. Prior to joining e.Republic, Taylor served as deputy Washington state CIO and chief of staff of the state Information Services Board (ISB). Dr. Taylor came to public service following decades of work in media, Internet start-ups and academia. He is also among a number of affiliated experts with the non-profit, non-partisan Information Technology and Innovation Foundation (ITIF) in Washington, D.C.