The Economics of Computer Hacking*

The Economics of Computer Hacking*

Peter T. Leeson Department of Economics West Virginia University

Christopher J. Coyne Department of Economics Hampden-Sydney College

Abstract

This paper considers various classes of computer hackers, with a special emphasis on fame-driven versus profit-driven hackers.  We use simple economic analysis to examine how each of these hacking “markets” work.  The resulting framework is employed to evaluate current U.S. policy aimed at reducing the threat of computer hacking and shows that this policy is largely effective.  We consider policy adjustments consistent with the insights of the framework provided as a means of strengthening cyber security.

* We thank Peter Boettke, Tony Carilli and Tyler Cowen for helpful comments and suggestions.  The financial support of the Critical Infrastructure Project, the Earhart Foundation and the Oloffson Weaver Fellowship is also gratefully acknowledged.

1    Introduction

In  the  digital  age  cyber  security  is  perhaps  the  most  important  form  of  security individuals must be concerned with.  Banks, schools, hospitals, businesses, governments and virtually every other modern institution you can think of stores and organizes its information electronically.  This means that all of your most sensitive information—from credit card numbers and checking accounts, to medical records and phone bills—is accessible for viewing, stealing, or manipulating to anyone with a PC, an Internet connection, and some computer know-how.  The increasingly computer-based world is increasingly vulnerable to malevolent computer hackers.

While we know little about these shadowy hackers we have a very clear picture of the damage they do.  In 2003, hacker-created computer viruses alone cost businesses $55 billion—nearly double the damage they inflicted in 2002 (SecurityStats.com 2004).  In

2000 the total cost of all hack attacks to the world economy was estimated at a staggering

$1.5 trillion (PricewaterhouseCoopers 2000).  In a 2004 survey of American companies and government agencies conducted by the Computer Security Institute, over half of respondents indicated a computer security breach in the past 12 months and 100 percent of respondents indicated a Web site related incident over the same period (CSI 2004).

If  anything  these  figures  probably  understate  the  volume  of  hacker-related security breaches.   Firms, especially financial institutions, are extremely reluctant to report hacker-related break-ins for fear of how this may affect customers’ and stockholders’ impressions of their security.   In the survey of American businesses conducted jointly by CSI and the FBI, nearly 50 percent of firms that experienced system intrusion over the last year stated that they did not report this intrusion to anyone.  The

primary reason cited for this was the perceived negative impact on company image or stock (CSI 2004: 13-14), and similar findings have been corroborated by others (see for instance, United Nations 1994; Schell et al 2002: 40).  What can we say about the enigmatic community of computer hackers and what can we do about the cost these hackers impose?

This paper uses simple economic analysis to try and better understand the phenomenon of hacking.  In particular we are interested in creating a framework for analyzing hacking that is policy relevant.   Towards this end we divide the community of hackers into three classes separated by motivation.  The first class consists of “good” hackers.   These hackers illegally break into computer systems but voluntarily share security weaknesses with those in charge of these systems.  The second class of hackers is fame-driven.   This class constitutes a dangerous subculture of unethical hacking in which members seek infamy and the accolades of their cohort by breaking into the electronically stored information of vulnerable parties and wreaking havoc.  The third group of hackers is “greedy.”  These hackers are not motivated by considerations of fame but  are  instead  driven  by  profits.    Profit-driven  hackers  can  be  “good”  or  “bad” depending upon which type of behavior yields the greatest monetary return.

An economic analysis of these distinct hacker categories yields important insights for policy aimed at reducing the security threat posed by computer hacking.  In Section 2 we  offer  a  brief  history  of  hacking.    Section  3  discusses  good  hackers,  Section  4 examines fame-driven hackers, and Section 5 considers profit-driven hackers.  Section 6 turns to the policy implications of our analysis and Section 7 concludes.

2    A Brief History of Hacking

The history of hacking can be traced to 1960s America where members of the Tech Model Railroad Club at MIT “hack” the control systems of model trains to make them run faster, more effectively or differently than they were designed to.  Around the same time  MIT  introduces  its  Artificial  Intelligence  Lab  where  some  of  the  first  large mainframe computers are located.  With an innate curiosity for how things work, several club members are drawn to MIT’s AI lab.  These computers—called PDP-1’s—are large, slow and extremely expensive to operate.  To overcome some of these problems the more clever programmers created “hacks”—system shortcuts—that make performing certain operations faster and easier.

MIT is not the only locus of hacking activities.  Computing think tanks, like Bell Labs, are at it too.  In one of history’s most important hacks, in 1969 two AT&T Bell Lab workers, Dennis Ritchie and Ken Thompson, create the forerunner of the open source operating  system,  which  they  name  UNIX.    UNIX  quickly  becomes  the  standard language of computing.  In its first stages hacking has nothing to do with illicit activities or cyber-crimes.   On the contrary, access is consensual and hackers improve systems rather than defacing them.

In the 1970s, however, things begin to change.  Hackers start to realize the potential of hacking for personal benefit.  In particular, hacking activities are increasingly directed at the telephone—an activity called “phreaking.”  In the early 1970s a Vietnam veteran named John Draper discovers that the free plastic whistle that comes in boxes of Captain Crunch cereal identically reproduces the 2600 Hz tone required to make long distance phone calls.   By blowing the whistle into the phone at the appropriate time

AT&T’s switching system believes that legitimate access has been granted to make a long distance call and the caller is granted the ability to do so without paying.

After his discovery Draper takes on the pseudonym “Cap’n Crunch” and quickly generates an underground following among hackers and phreakers for his creativity with long-distance calling.  Other hackers build on Draper’s innovation by constructing “blue boxes”  designed  to  aid  in  the  long-distance  phone  fraud  process.    Notable  hackers engaged in such phreaking at the time include Steve Wozniak and Steve Jobs—the future founders of Apple Computers.  In 1978, two hackers from Chicago start a computer to computer bulletin board, creating the first virtual meeting place for the growing hacker community where members can share tips, stolen credit card numbers and other information going into or coming out of their hacking activities.

Partly spurred by the publicity given to hackers in the 1983 film War Games, partly spurred by the new affordability of personal computers, and partly spurred by the increasing presence of the online world (ARPANET during this time is becoming the Internet), the prevalence of computer hacking rises yet again in the 1980s.  Among the most important hacking developments of this decade is the emergence of hacker “gangs” like the Milwaukee area’s “414” gang that consist of hacker die-hards who live to gain unauthorized access to outside computer systems and wreak havoc.  The 414 gang is among the first to be apprehended and punished by the law for their cyber-crimes, which include illegally accessing the computer system at Los Alamos National Laboratory where nuclear weapons are developed, and breaking into the system at Sloan Kettering Cancer Center in New York.  The 414’s are not alone in the new world of hacker crime.

The “Legion of Doom” and the “Masters of Deception”1—two leading, rival hacker gangs—are also born in the 80s.  In response to the growing number of hacker-related crimes, in 1984 the U.S. government makes it a crime to gain unauthorized access to computer systems.

But hacker activity is not limited to breaking into computer systems.  In 1988 the world witnesses the first of a new type of hacker act—the Internet worm, which is inadvertently spread by its creator Robert Morris of Cornell University.   Morris is identified, fined $10,000 and sentenced to three years probation.  The late 80s also see the first  cases  of  hacker  action  directed  at  government.    Several  members  of  the  West German hacker gang, the “Computer Chaos Club,” steal electronically stored information

from the U.S. government and sell it to the Soviet KGB.2

In the 1990s the growing trend of hacker activity prompts the U.S. government to perform surprise raids on the locations of suspected hacker outfits in 14 cities across the nation (“Operation Sundevil”).  Although arrests are made and many inside the hacking community turn on their cohorts in exchange for immunity, hacker activity continues. No longer is hacking mostly about the pranksterish behavior of teenage boys or petty crime.  Now hackers turn their talents to much larger deals.  In 1995 two Russian hackers steal $10 million from Citibank.  In response to more serious hacker activities like this one, in 1998 the U.S. government unveils its National Information Infrastructure Protection Center, designed to protect America’s telecommunications, transportation and technological systems from hacker attacks.

1 For a detailed account of the Masters of Deception see Slatalla and Quittner (1996).

2 For a detailed account this story see Stoll (1989).

In the new millennium, hacking—an activity once largely restricted to Americans and Western Europeans—is a worldwide phenomenon.  The seriousness of the crimes perpetrated by hackers increases again as well.  Hackers design “denial of service” hacks that crash the networks of companies like Yahoo!, eBay, Amazon, and others, costing them millions in lost business.  The potency and prevalence of damaging viruses also continues to grow, culminating in May of 2000 with the “I LOVE YOU” virus, which is estimated to have cost the global economy close to $9 billion, the most harmful hacker- created virus to date (CEI 2002).

As its history indicates, “hacking” refers to multiple activities.  It includes, for instance, breaking passwords, creating “logic bombs,” e-mail bombs, denial of service attacks, writing and releasing viruses and worms, viewing restricted, electronically-stored information owned by others, URL redirection, adulterating Web sites, or any other behavior that involves accessing a computing system without appropriate authorization. Furthermore, although for the most part hacking is restricted to computers, it need not be and may be extended to fraudulent activities relating to telephones (e.g., tricking phones into  authorizing  free  long  distance  calls,  so-called  “phreaking”),  credit  cards  (for instance, creating gadgets to “steal” the magnetic code stored on credit cards and copy it on to others), subway passes (for example, adulterating passes or pass readers to enable unlimited free rides), parking meters (rigging parking meters to allow unlimited free parking) or virtually any other item with electronic components.   We restrict our discussion primarily to computer hacking, although the basic principles we elucidate may be applied to other forms of hacking as well.

Some hackers object to calling many of the destructive activities mentioned above “hacking” and their perpetrators “hackers.”  These terms, they insist, should be reserved to the harmless (albeit often illegal) activities of computer enthusiasts who break into systems, look around to learn how things work and leave things undisturbed.  According to this view the name “cracker” should be applied to the malicious “cracking” behaviors enumerated above that are all to frequently conflated with harmless hacking.  While we recognize this difference we nonetheless opt to refer exclusively to hackers and hacking throughout our discussion.   On the one hand, in most cases, both hacking and “cracking” involve unauthorized access and so constitute security threats whether or not the individual breaking in uses her illicitly gained access to do harm.  Second, for better or worse, in the parlance of our day “hacking” refers to the activities that we describe and the general public does not have the nuanced appreciation of illegal computer activity that  members  of  the  hacking  community  do  to  merit  the  terminological  distinction

implored by some members of this community.3

3    Good Hackers

While the psychology of hacking is still in its nascent stages, initial research seems to have come to some consensus regarding what motivates hackers to hack.  Individual hackers and hacker gangs operate in the context of a larger underground social network or community consisting of similar individuals.  The best empirically grounded work that examines  the  hacker  mind  therefore  draws  primarily  on  interviews  and  surveys

3 As Dann and Dozois put it: “just about everyone knows what a hacker is, at least in the most commonly accepted sense: someone who illicitly intrudes into computer systems by stealth and manipulates those systems to his own ends, for his own purposes (1996: xii).

administered to members of this underground community.   We will briefly overview some recent findings of this small literature below.  Before doing so, however, we should point out that members of the hacking community are notorious for lying to journalists, researchers and others who approach them for information about how they and their associates work.  Many hackers seem to “get a kick” out of misleading scientists or generally giving others a false impression about their reasons for hacking (Platt 1997:

53).4   Of course, this fact must be kept in mind when considering the results of research

aimed at identifying hacker motives.  Nevertheless, this data is the best we have to date so we must make use of it unless we are to avoid empirical investigations of the subject altogether.

The most current and comprehensive data regarding hackers’ demographics, motives,  lifestyles,  etc.  is  that  collected  by  Schell  et  al  (2002).    These  researchers surveyed over 200 hackers who attended two of America’s largest hacker conventions (yes, there are annual hacker conventions in which hackers from across the globe get together to share tips ranging from the latest computer hardware to how to steal credit card numbers stored electronically) in July of 2000.  These conventions included the H2K convention in New York and the DefCon 8 convention in Las Vegas.  In addition to administering anonymous surveys, researchers randomly interviewed some hackers with in depth questions (again on the condition of anonymity) when hackers would agree to do so.

The total size of the hacking community is unclear, though by most accounts it is fairly small.  According to Sterling, “some professional informants . . . have estimated the

4 Taylor suggests that hacker manipulation of the media is partly in order to “revel in the subsequent notoriety” that stigmatizing themselves creates (1999: xiii).

size of the hacker population as high as fifty thousand.”  However, “This is likely highly inflated . . . My best guess is about five thousand people” (1992: 77).  While we know little about the total size of the hacking community we have a very good idea about its gender proportions.  Consistent with figures from others which suggest the population of hackers is overwhelmingly male, only 9 percent of those surveyed by Schell et al (2000) were female (see for instance, Taylor 1999; Gilboa 1996).  Also consistent with older findings, most hackers surveyed were under the age of 30, with a mean age of about 27, a mode of 24 and a median of 25 (see for instance, SRI 1994).

The  motivation  for  hacking  varies  but  a  significant  proportion  of  hackers surveyed indicated innocuous reasons for their behavior.  36 percent said they hack to “advance network, software, and computer capabilities,” 34 percent claimed they hack

”to solve puzzles or challenges,” and 5 percent said they hack to “make society a better place to live.”  If we can believe these numbers the overwhelming majority of hackers are harmless.  It is true, in gaining unauthorized access to computer systems they pose potential security threats.  But they do not themselves cause damage.  Of course, to the extent that they share security holes with other less responsible members of the hacking community they indirectly jeopardize computer users; but it is unclear to what extent

“good” hackers do this.5

Among these good hackers there is some part of the population that performs a questionably valuable service to computer users.  Some of these hackers report security holes  to  programmers  and  systems  operators  of  computer  systems  where  they  find

5  In the early 1980s an elite group of hackers calling themselves the “Inner Circle,” formed to pass new information gleaned from their hacking activities between one another without making this information available to unethical hackers who would abuse it.

security weaknesses.  This information can then be used to patch holes or strengthen vulnerabilities, preventing intrusion by less benevolent hackers.

Nevertheless, we say questionable here because the advice of these hackers (as well as the hack itself) is unsolicited.  According to one popular hacking analogy, it is a bit as if someone broke into your house, didn’t steal anything, but left you a note telling you that your alarm system is weak and your windows unprotected so you should look into having that fixed.   While in one sense you are better off because of it, in another sense you may be justifiably outraged.

Unfortunately, data on what proportion of the good hackers are benevolent in this way is not available.6   We do know that some such hackers exist because insiders at some companies have hinted that certain patches they have released are in response to “good hacker” tips like these.  Complicating the issue of good hackers is the fact that some good hackers  are  far  more  adamant  that  vulnerable  programmers  and  systems  operators respond to their advice than others.  Some good hackers not only inform organizations of security weaknesses but also threaten to release the hole they’ve found unless action is taken to correct the problem.  This is as if someone broke into your house and told you that if you don’t buy a better alarm they will inform the criminal community about how it

may plunder you.

Good hackers appear to be the most complicated to deal with because they are not motivated by “base” human desires like money or fame.  Fortunately, because they pose the weakest threat and are likely responsible for the least damage to individuals and businesses among the hacking community, we lose relatively little at least in terms of felt

6 Eight percent of those surveyed by Schell et al (2000) said that they hack to “expose weaknesses in organizations or their products.”  It is unclear from this, however, whether the reason behind this motive of these respondents is benevolent or malevolent.

costs by this dearth of understanding.  Far more important from the standpoint of security are bad hackers—those who perform damaging acts in order to gain peer recognition and those who perform such acts for personal profit.

4    Bad Hackers: Hacking for Notoriety

The survey conducted by Schell et al (2000) suggests that only 11 percent of respondents are malevolently motivated.  However small the proportion of bad hackers may be, they are the most important to consider because they are responsible for the costly damage inflicted by hackers each year.  Contrary to other work which suggests that a substantial proportion of hackers are motivated by fame or reputation inside the hacking community, none of those surveyed by Schell et al noted this reason as their motivation.  It is difficult to say why this is, but this result is evidently counter to other examinations of hacker motivation.     Fame  or  peer  recognition  ranks  among  the  most  prominent  hacker motivations cited by security experts and hacker alike, as well as in other discussions of hacker psychology (see for instance, Zoetermeer 1999; Blake 1994; Sterling 1991; Hannemyr 1999; Platt 1997; Thomas 2002; Verton 2002).7

As Denning has pointed out, “Although the stereotype image of a hacker is someone who is socially inept and avoids people in favour of computers, hackers are more likely to be in it for the social aspects.  They like to interact with others on bulletin boards, thorough electronic mail, and in person.  They share stories, gossip, opinions, and

7 Some other hacker motivations such as the “feeling of power” and “ability to share knowledge” can also be collapsed into considerations of fame.  For instance, the more notorious a hacker becomes, the greater her feeling of power.  Similarly, her ability to share knowledge will increase with the amount of new information she collects and disseminates, which will also increase her fame.

information; work on projects together; teach younger hackers; and get together for conferences and socializing” (1992: 60).

Bigger,  more  difficult,  more  devastating,  or  new  types  of  hacks  bring  their creators  notoriety  among  members  of  their  underground  community.8      Word  of  a hacker’s exploits can be spread among community members in a number of ways.  First, hackers may spread this information by their own word of mouth, repeating it to fellow hackers or rival gangs who repeat this to other community members and so on.  Second, hackers  may  publicize  their  responsibility  for  acts  of  hacking  on  Websites,  bulletin boards, or on hacker e-mail lists like “BugTraq,”9 “rootshell,” “RISKS Digest,” and “VulnWatch.”   In these virtual spaces hackers take credit for damage done, make information or software that they have stolen available to other hackers, or share their newest methods of hacking or hacking programs they have created with other members of community so that these individuals may consume them.

In each of these cases hackers identify themselves as the individuals behind new hacks by posting information under their “handles”—pseudonyms chosen by hackers and hacker gangs to give them identity within the hacking community and yet retain their anonymity from authorities.10    Pseudonyms selected by hackers tend to the memorable and dramatic, for instance, “Dark Dante” (aka Kevin Poulsen), “Captain Zap” (aka Ian Murphy), “The Nightstalker” (a leading member of the influential hacker group the “Cult

8 We should also note that the general public’s fascination with the mysterious hacking underworld has helped to fuel fame for members of the hacking community as a whole.  Numerous popular movies, for instance, glorify hacking, contributing to this phenomenon.  War Games, The Net, Hackers, Sneakers and others all provide cases in point.

9 Interesting, BugTraq was recently purchased by the computer security firm Symantec for $75 million.

10 Not all hackers identify themselves by their handles all of the time.  Most hackers, however, do so most of the time.  The survey conducted by Schell et al (2000), for instance, indicates 63 percent of respondents

typically use their handles when hacking.  This finding is also corroborated by Meyer (1989).  Obviously, to some extent the use of handles will depend upon the illegality of the activity.  Bad hackers, it is safe to

assume, rely upon their handles more than good hackers do.

of Dead Cows”), etc.—a factor that aids hackers’ ability to generate notoriety within the community when they post new information.  The same is true of names selected by hacking gangs, for example, “World of Hell,” “Bad Ass Mother F*ckers,” “Circle of Death,” “Farmers of Doom,” and so on.11     The fame-based motivation of many bad hackers helps to explain why profane, absurd and overstated gang names and handles pervade the hacking underground.

Hackers and hacker gangs that generate celebrity status for their hacks can also set trends inside the hacking community.  For instance, two of hacking history’s most famous hacker gangs, the Legion of Doom and the Masters of Deception, sparked a trend whereby subsequent hackers and gangs created handles based on comic book characters. Similarly, the 414 gang—one of the first hacker gangs raided by authorities—set the trend of creating handles based on numbers (Schell et al 2000: 58).

The underground world of hackers also has its own popular media that publishes hacking-related books, newspapers, and magazines or e-zines.   Some examples of the latter include 2600: The Hacker Quarterly, Black Hacker Magazine, Computer Underground Digest, Phrack Magazine, Hack-Tic Magazine, The Hackademy Journal, Hacker Zine, H.A.C.K, Bootlegger Magazine, and Binary Revolution to name a few. Inside these outlets hackers publish “how to” articles (e.g., how to defraud an ATM machine) and share new information they have gleaned from their most recent hacking exploits.  Articles and books are published under the author’s handle and give well- published hackers access to large audiences who thus come to know certain hackers as the “best” in their area, increasing the author’s fame inside the community.  One of the largest of these publications—Phrack—even contains a section called “Pro-Philes” in

11 For examples of other hacker gang names see Platt (1997).

which famous hackers, retired legends, or rising stars in the hacking community are profiled and interviewed for readers, with special highlights on their biographies and most  impressive  hacks.    In  this  way,  outlets  like  Phrack  “served  as  the  means  to legitimate hackers for the underground . . . presenting them as celebrated heroes to the readers that made up the underground” (Thomas 2002: 140).

Becoming famous through these channels has its benefits for hackers who can generate stardom in the digital underground.  Some sub-communities within the hacking underworld will only allow relatively well-known hackers in.   One the one hand this gives famous hackers who are admitted greater exposure inside the hacking community, and on the other hand it gives them access to additional information that may only be shared within the group.  Peer recognition also enables hackers to enter elite hacker gangs that are well known and highly respected by other members of the community.  As one hacker put it: “Peer recognition was very important, when you were recognized you had access to more . . . many people hacked for fame as well as the rush.  Anyone who gets an informative article in a magazine (i.e., Phrack, NIA, etc.) can be admitted to bulletin

boards.”12

When done right, celebrity in the hacker underground can evolve into outright cult star status as other hackers seek to imitate a notorious hacker’s methods or view him as a leader within their community.  Such was the case, for instance, with Cap’n Crunch, whose name is forever linked to the practice of phreaking and whose big discovery has led to, among other things, one of the largest hacker publications—2600—which is named after his discovery.

12 Quote from a hacker’s email interview with Taylor (1999: 59).

“Condor,” aka Kevin Mitnick, obtained similar superstar status inside the hacking underground and generated a cult-like following of his own.  Mitnick, arrested numerous times for his hacking activities, not only gained notoriety within the hacking sub- community, but became well known to the outside world as well.  His picture and story appeared throughout the country in newspapers and magazines and Mitnick told his story on television’s 60 Minutes.  In addition to serving as the basis for numerous books, Mitnick’s hacking helped inspire use of the term “Cyberpunk” in popular culture, which was famously used partly in reference to Mitnick by authors/journalists Katie Hafner and

John Markoff (1991).13    Following Mitnick’s last arrest in 1995 a group of his hacker

community followers protested his trial in the late 1990s.  This group of hackers, which had organized itself into a gang called “Hacking for Girlies,” broke into the New York Times Web page and created a message the Times could not remove, exonerating Mitnick for all the site’s readers.

Select hackers get the reputation among their cohorts as “elite”—the cream of the underground.  These individuals are often gang leaders like “Lex Luther” (former head of the Legion of Doom), or “Phiber Optik” (a former leader of the Masters of Deception) who was even heralded by New  York  Magazine  as one of the city’s “smartest 100 people.”  These hackers are the most innovative in the underground and are responsible for making hacking programs publicly available to the hacking community at large. Hacking programs can be downloaded from hacker bulletin boards, for instance, and used with minimal knowledge and effort to hack various systems.

13  William Gibson, credited with coining the term “cyberspace,” helped spawn the science fiction genre now called “cyberpunk” in the 1980s (see for instance, Gibson 1984).  Some believe that this genre contributed significantly to the shape of hacking culture by glorifying cyber anti-heroes (see for instance, Thomas 2002).

Most hackers, of course, do not reach this level of fame.   Their inferior programming skills prevent them from creating effective hacking programs, and instead most of their energies are devoted to finding and reporting relatively small or already known security holes to fellow hackers, or simply downloading information and prefabricated  programs  like  “Trin00,”  “Tribal  Flood  Network,”  or  “Stacheldraht,”

developed  by  superior  hackers  and  using  these  to  attack  systems.14      These  “script

kiddies,” as they are called, are unlikely to gain fame in the larger hacker community for their hacking skills, but some may gain notoriety for the damage they cause using the programs  and  information  created  by  more  elite  hackers.    It  requires  little  hacking prowess to crash Amazon.com, for instance, as was demonstrated by “Mafiaboy,” the 15 year-old script kiddie whose hacking antics cost some of the Internet’s largest vendors

$1.7 billion February of 2000.

Most  fame-driven  hackers  explicitly  eschew  monetary  gain  as  part  of  their hacking expeditions.  They have contempt for profit-driven hackers who operate or work for computer security companies, or other large computer-related corporations, as though these individuals were beneath them.  Fame-driven hackers even have a special, derisive name for these hackers—they call them “Microserfs.”  This negative reaction to profit- driven hacking has much to do with the cultural norms of the fame-driven hacking community, which in large part believes that big businesses are unscrupulous and views

14 Other examples of programs created by hackers that can be downloaded and used by virtually anyone to hack systems include “Black Orifice” created by the Cult of Dead Cows and “L0phtCrack” created by L0pht , and “WinNuke”—all used to hack Microsoft Windows.  A similar program called “AOHell” can be used to hack AOL.  In 1995, Dan Farmer and Wieste Venema released their “Security Administrator Tool for Analyzing Networks,” aka SATAN, an automated program to be used by systems administrators to find flaws in their security.  This program could also be used, however, by low-level hackers to hack vulnerable systems, and thus there was great concern it would lead to many problems.  To date, it has not caused the harm expected by many.

such entities as subordinating the creative skills of the hacker to the greedy corporate world.

4.1   The Economics of Fame-Driven Hacking

The fame-based drive of many hackers has particular implications for how this segment of the “hacker market” looks.  The “coin of the realm” for fame-driven hacking is, of course, fame.  How we model this “market” therefore differs from traditional markets in which money drives production and price adjusts to equilibrate suppliers and demanders. The fame-driven hacking “market” considers the relationship between fame and the quantity of hacking.  It maps supply and “demand” (which as we will see below, is not demand in the conventional sense) in fame/quantity of hacking space.

On one side of this “market” are the producers of hacks who desire fame.  The supply schedule for these hackers has the conventional positively sloped shape.  When hackers stand to become more famous or better known within the hacker community for hacking, they supply a greater quantity of hacking (which may be expressed in terms of the inventiveness of hacks, the severity of hacks, etc.).  When they stand to receive less fame or notoriety for hacking, they are willing to supply less.

The position of this supply curve is determined largely by the cost of hacking. Hackers face a moderate initial fixed cost of hacking, which in most cases comes down a computer, a telephone line (or cable), and a modem.  For more sophisticated attacks fixed costs may also include training in basic programming and computer languages, though many  kinds  of  devastating  hacks  require  little  specialized  training  at  all.    Hackers’ variable costs consist primarily of the cost of electricity.

The other primary determinant of the supply curve’s position is the number of hackers in the industry.  This population is constrained significantly by the number of people who desire fame in the hacker underground (your sister, for instance, is probably capable of hacking but does not desire to be famous among hackers and so does not), which is relatively small.  This factor—the population of individuals who desire to enter the “Hacker Hall of Fame”—ends up being the limiting factor determining the position of the supply curve for hacking.  Thus although virtually anyone can cause a lot of damage as a hacker because it is so cheap, very few do so because very few desire the reward it offers—fame among hackers.

The other side of this “market” is unusual in that it does not consist of demanders in the usual sense.  When hackers supply more hacks the rest of the hacking community becomes happier.   This may be because it gives them access to new information, new hacking methods, and software, which they may value for the purposes of undertaking their own hacking activities or because they view these things as goods in and of themselves.  Members of the hacking community may view acts of hacking as expressive of their stand against corporate entities or their belief that all information ought to be

publicly available and “free.”15  Others may simply be malicious and enjoy seeing the

security of big corporations, for instance, jeopardized, or they may view hack attacks as indirectly serving their political ends.16

15 A core component of the hacker “code” ascribed to by so many hackers is that access to computers and all information should be unlimited and free.  For a more detailed description of this code see Levy (1994).

16  Many hackers tend to be strongly left leaning and are adamantly against “commodifying” information. This partly stems from their roots in the “Yippie” movement of the 1960s and 1970s, which in addition advocating phreaking was largely anchored in the leftist political environment among young people of this

time (see for instance, Sterling 1992).

In the fame-driven case the hacking community does not pay for more hacking with a higher price.  The producers of hacks do not seek money and, as we noted previously,  often  explicitly  reject  monetary  reward.     They  seek  fame.     This,  in conjunction with the fact other members of the hacking community value additional hacking, leads them to cheer more, so to speak, when additional hacking occurs. Additional cheering is translated into additional fame for the suppliers of hacks.  Rather than demanding the output of suppliers in the usual sense, the other side of the fame- driven “hacker market” consists of individuals (the hacking community) who respond to the supply of hacking with greater or lesser applause.  In the language of economists, the hacking community has a reaction function, which specifies how this community reacts with fame to various quantities of hacking that are supplied by hackers.  More hacking is rewarded with more applause and less with less applause.  The hacking community’s reaction function is therefore positively sloped like the supply of hacking itself.  The interaction  of  the  supply  curve  for  hacking  and  the  hacking  community’s  reaction

function creates two possibilities, depicted in Figure 1 and Figure 2.

F                                     SH                                           F                                     RF

RF                                                                                               SH

F*                                                                       F*

Q*H           QH

Q*H           QH

Figure 1.                                                             Figure 2.

In Figure 1 hackers’ supply curve is less elastic than the hacking community’s fame reaction function.  In Figure 2 the reverse is true.  This means that in Figure 1 the producers  of  hacks  are  more  responsive  (sensitive)  to  changes  in  fame  than  the community of reacting hackers, and in Figure 2 the community of reacting hackers is more responsive to changes in fame than are producers of hacks.  These two possibilities have very different (and in fact, contradictory) implications for policy aimed at reducing the  quantity  of  hacking  in  the  fame-driven  hacking  industry.    It  is  therefore  very important to carefully consider the impact of existing policy in each case and, if possible, identify which case is more likely to prevail. We address these issues in Section 6.

5   Greedy Hackers: Hacking for Profit

A third class of hackers is driven by the profit potential of hacking activity.   These hackers are concerned with dollars not fame and may come from either pool of hackers, good or bad.  From the bad pool are hackers who engage in activities such as credit card fraud, stealing from banks, selling sensitive information stolen from one company to another, or those who are hired by other criminals to do their bidding for a fee.

From the good pool are hackers who work for or operate computer security firms. In 2001 this was a $1.8 billion industry in the United States alone (Wingfield 2002). These hackers sell their skills at finding security weaknesses in computer systems and programs to governmental institutions and private businesses that want to strengthen their security.  These organizations hire security firm employees to engage in simulated hacker attacks on their systems and then report vulnerabilities so that they may be corrected. Some of the security experts employed by or running these firms are reformed hackers—

individuals who used to hack illegally and either gave it up voluntarily or were caught and  punished  for  their  former  crimes  and  so  turned  to  legitimate  hacking.    Some examples of this include the now defunct, Comsec Data Security operated by four former members of the Legion of Doom, and Crossbar Security operated by Mark Abene (aka Phiber Optik) a former leader of the Masters of Deception.    Successful examples of reformed hacker-run security firms include, for instance, ShopIP, run by John Draper (aka  Cap’n  Crunch)  which  now  has  made  available  a  new  firewall  it  calls  the

“Crunchbox,” and Ian Murphy’s (aka Captain Zap) IAM Secure Data Systems, Inc.17

Out  of  mistrust,  many  businesses  are  reluctant  to  hire  reformed  hackers  to improve their security.  This was ultimately responsible for why Comsec went out of business.   Many other organizations, however, are especially drawn to this feature of some security firms because these firms provide the most realistic hack attacks on their systems.  Hackers are said to possess a unique way of thinking that leads them to find inventive ways into systems that normal hired hands could not.  Major corporations such as American Express, Dun & Bradstreet and Monsanto, have all hired so-called “tiger teams” to test their systems for vulnerabilities (Roush 1995: 6).

The markets for both good and bad profit-motivated hackers look conventional. Since producers seek money, the supply and demand for hacking are expressed in traditional price/quantity space and price equilibrates the behavior of suppliers and demanders.  Both markets exhibit positively sloping supply curves and negatively sloped demand curves.  In both cases hackers will provide a larger quantity of hacking if they are paid more and less if they are paid less.   Similarly, both criminals and legitimate

17 Former notorious hacker Kevin Poulsen (aka Dark Dante) is now an editorial director for Security Focus, an on-line information network for computer security.

businesses that hire profit-driven hackers for their purposes demand smaller quantities of hacking when hackers charge more and demand greater quantities when hackers charge less.

The price elasticities of these curves are determined by the standard factors and there is no reason to think that they will be extreme for either the supply of or demand for hacking.    Similarly,  the  position  of  the  these  curves  are  determined  by  the  typical elements in each case, with the exception of the fact that cost of hacking for bad hackers is higher than it is for good hackers because the former involves the possibility of legal punishment while the latter does not.   It is therefore reasonable to think that the equilibrium price of hacking in the market for bad profit-driven hacking will be higher than it is in the market for good profit-driven hacking.  To the extent that for-profit hackers are willing to supply their services to the highest bidder, the rates of return on bad versus good profit-driven hacking will determine the flow of hackers between these two industries that compete for their labor.

This can be a good thing or a bad thing from the perspective of computer security. If good for-profit hacking is more profitable than bad for-profit hacking, society wins on two fronts from the standpoint of security.   The number of bad hackers shrinks endogenously and exogenously.  On the one hand more hackers will be employed in activities that do not involve illegally breaking into others’ systems, thus reducing the number of potentially harmful hackers out there.  Not only this, but the supply of profit- driven hackers no longer employed in harmful hacking is actually employed in fighting the attempts of bad hackers attempting to cause trouble.   If, however, bad for-profit

hacking is more lucrative, the opposite is true.  The supply of hacker threats rises as the best and brightest for-profit hackers are recruited to the dark side.

6    Policy Implications

The primary federal law in the United States designed to deal with computer hackers is the Computer Fraud and Abuse Act, originally created in 1984 but modified in 1996 by the National Information Infrastructure Protection Act.  Originally this law applied only to government computers but it has subsequently been extended to include any computer involved in interstate commerce.  This act prohibits under penalty of law: accessing a protected computer without authorization (or exceeding authorized access), accessing a protected computer without authorization and acquiring information, transmitting a program, information, code or command, and as a result of that conduct, intentionally causing damage to a computer system without authorization (computer viruses), trafficking in computer passwords or other such information through which a computer may be accessed without authorization, and interstate threats for the purposes of extortion to cause damage to a protected computer (Raysman and Brown 2000).  The act also prohibits accessing a protected computer without authorization with the intent to defraud where as a result of such action the hacker causes damage in excess of $5,000 over a one- year period.

Most violations of this law can result in up to five years in prison and $250,000 in fines for the first offense and up to ten years in prison and $500,000 in fines for the second offense.   Any violation of this law results in a sentence of at least six months. The Computer Fraud and Abuse Act also allows any person who suffers damage as a

result of its violation to bring civil charges against the perpetrator for damages. Additionally, since some hacks involve the violation of copyrighted materials, the Digital Millennium Copyright Act punishes those who attempt to disable encryption devices protecting copyrighted work.

In a nutshell, the present law punishes computer hackers, be they good or bad, with stiff fines and jail sentences.  It is hoped that through these punishments, hackers will be deterred from hacking.  What can our analysis say about this policy?

6.1   Policy and Profit-Driven Hacking

In  the  case  of  profit-driven  hackers,  present  policy  achieves  its  desired  end.    By increasing the cost of bad for-profit hacking through making this behavior criminal, current policy reduces the supply of bad for-profit hacking.  The effect of this legislation is two-fold.  First, it raises the equilibrium wage of producers who remain in the bad for- profit hacking industry, and second it reduces the quantity of bad for-profit hacking supplied. These effects of current legislation are depicted in Figure 3.

W

W’’

S’’ S’

W’

D

Q’’BH

Q’BH

QBH

Figure 3.

Although present policy that criminalizes bad profit-driven hacking effectively reduces the quantity of this hacking, this is not all that policy can do towards this end.  As we noted earlier, the relative rates of return on working as a bad versus a good for-profit hacker determine which of these markets will garner the best and largest number of profit-driven hackers in general.  If it becomes more profitable to be a good profit-driven hacker  who  owns  or  works  for  a  legitimate  firm,  profit-driven  hackers  currently employed in bad for-profit hacking will be lured out of this industry and into the good profit-driven hacking industry.  As we already noted this has two positive effects on computer security.  First, it reduces the number of bad profit-driven hackers and second, it recruits them to the “good side” in the fight against bad hackers.

One way of making good for-profit hacking look relatively more attractive to for- profit hackers is to raise the cost of bad for-profit hacking, which existing legislation prohibiting this activity does.   Another way to increase the competitiveness of good profit-driven  hacking,  however,  is  to  increase  its  return  vis-à-vis  bad  profit-driven hacking.  To do this, government could subsidize laborers and businesses in the good for- profit hacking industry via outright transfers or through tax breaks and other preferential treatment that results in raising the incomes of those in this industry.  The effects of this policy are depicted in Figure 4.

W

S’           S’’

W’

W’’

D

Q’GH

Q’’GH

QGH

Figure 4.

6.2   Policy and Fame-Driven Hacking

Although current legislation is appropriate for profit-driven hacking, it may not be effective in reducing the quantity of hacking for fame-driven hackers.   Recall from Section 4 that the fame-driven hacking industry may look one of two ways.  In the first case the supply schedule for hacking is less elastic than the fame reaction function for hacking, and in the second case the opposite is true.  We also noted in Section 4 that these differing cases have contradictory implications for the effectiveness of present policy.  To see why this is so, consider Figures 5 and 6.

S’’H

F

S’H                                         F

RF

S’’H

F’’

RF

F’                                                                        F’

S’H

F’’

Q’’H

Q’H            QH

Q’H

Q’’H    QH

Figure 5.                                                             Figure 6.

As with for-profit hacking, current legislation that generically punishes hacking activity raises the cost of fame-driven hacking as well.  This leads to a reduction in the supply of hacking, which in Figures 5 and 6 is illustrated by a leftward shift in the supply of hacking from S’H to S’’H.  Note the disparate impact this policy has in each case above. In Figure 5 where the supply of hacking is less elastic than the fame reaction function of the community of hackers, current policy has the desired affect—the equilibrium quantity of hacking drops from Q’H to Q’’H.  Where the supply of hacking is more elastic than the reaction function of the hacking community, however, the reverse is true.  In Figure 6 policy has a perverse effect.  Legislation that raises the cost of hacking counter-intuitively leads to more hacking, not less.  Specifically the quantity of hacking rises by the amount Q’’H  – Q’H.  Perhaps strangely, the stiffer the penalty for hacking imposed by law, the greater the increase in fame-driven hacking.

In light of policy’s contradictory effects in each of these cases the important question thus emerges: Which of them most likely characterizes the actual fame-driven hacking industry?  The “fame elasticity of supply” depends heavily upon hackers’ ability to meet increased demand for hacking with additional hacking.   Because the marginal cost of hacking is positive and increases with additional output, it is reasonable to think that the supply of hacking is fairly inelastic over at least some range of output.

In contrast, the hacking community’s fame reaction function is likely to be relatively elastic.  The logic here is simple.  The marginal cost of providing fame is extremely low, if not zero, for the hacking community.  Unlike giving up money, which involves sacrificing successively more important alternatives as the price paid rises, providing  fame  is  essentially  costless.    Increasing  the  amount  of  fame  the  hacking

community will “pay” to producers of hacks is very inexpensive.  As Cowen points out, “fame remains positive-sum at its current margin.  Although fame is growing in supply, it is not close to being so plentiful as to lose its exclusive flavor and its power” (2002:

114).  While the number of famous individuals may grow, fame is not a winner take all, negative-sum game.  This is especially true as technologies progress that allows fans to monitor an increasing number of “artists.”   Increasing fame therefore remains a cheap way to induce more hacking.  This means that fame bestowed upon hackers by other members  of  their  community  is  relatively  responsive  to  changes  in  the  quantity  of hacking supplied.  Taken together with the fact that the supply of hacking is relatively inelastic, this implies that the fame-driven hacking industry we actually confront most likely corresponds to the case depicted in Figure 5 where raising the cost of hacking does not have a perverse effect.  This is good news from the perspective of present policy because  it  suggests  that  current  legislation  is  effectively  decreasing  the  quantity  of hacking in the fame-driven hacker industry rather than increasing the problem, as it would if the relative elasticities were reversed.

While it is desirable to retain current legislation—which affects the hacking industry through the supply side—demand management could also be effectively used to fight fame-driven hackers.  Policies that make it more costly to make the producers of hacks famous—those that reduce the level of fame the hacking community is willing to offer producers for any given quantity of hacking—will further reduce the quantity of fame-driven hacking.  Such policies shift the hacking community’s reaction function rightward instead of shifting producers’ supply curve leftward.

There are at least a few measures that might be taken in this direction. Unfortunately, the most obvious measures towards this end involve violations of basic civil liberties that many will be opposed to.  For instance, as we discussed previously, one way by which members of the hacking community give fame to inventive hackers is by publishing them in hacker magazines and books.  Prohibiting these publications would not prevent the hacking community from giving fame to hackers, but it would likely force them to find more costly avenues of applauding fame-seeking hackers.   The same measures might be taken against hacking community bulletin boards and e-mail lists. Prohibiting hackers from posting hacker programs, tips, etc., it will make it more costly for members of the hacking community to award fame to innovative hackers.  Again, for obvious and good reasons, steps like this one are likely to be unpopular.  Still, they may remain effective means of reducing the quantity of fame-driven hacking.

7    Conclusion

While computer hackers constitutes a major security concern for individuals, businesses and  public  institutions  across  the  globe,  hacking  and  hackers’  underground  culture remains much of a black box for both lawmakers and those vulnerable to hacker attacks. The mystery that surrounds much of hacking prevents us from arriving at definitive solutions to the security problem it poses; but our analysis provides at least tentative insights for dealing with this problem.

Analyzing computer hacking through the lens of economics gives rise to several suggestions in this vein.  First, it is critical to recognize that are different kinds of hackers characterized by disparate motivations.   Because of this, the most effective method of

reducing the risk posed by hackers in general will tailor legislation in such a way as to target different classes of hackers differentially.  We looked at fame-driven and profit- driven hackers and showed how punishment appropriate for one may actually worsen the problem generated by the other.  Current policy directed at reducing hacking by affecting the supply side effectively reduces the quantity of bad profit-driven hacking.  Fortunately, there are also good reasons to think that this policy effectively reduces the quantity of fame-driven hacking.  If, however, there were strong reasons to think that the elasticities characterized in Figure 6 prevailed over those in Figure 5, supply management that raises the cost of hacking would exacerbate instead of reduce the quantity of fame-driven hacking.   We have suggested why we believe this is unlikely to be the case.   Still, because of its contradictory policy implications it is important to investigate this issue further.

Our analysis has only touched upon the many and complicated issues regarding computer hacking.  In particular, we have not given adequate attention to good hackers who  are  driven  neither  by  fame  nor  money,  but  who  voluntarily  report  security weaknesses to vulnerable computer operators.  While the behavior of these hackers is still illegal, it may play an important role in helping to prevent the attacks of more malicious hackers.

We have also not paid sufficient attention to the potential impact that tailoring hacking-related punishments to the age group of the perpetrator may hold for reducing the security threat posed by computer hackers.  We noted that most hackers are relatively young—under the age of 30.  While this demographic generally cuts across fame-driven

and   profit-driven    hacking    groups,    there    is    some    evidence    suggesting    that    a disproportionate number of profit-driven hackers are above this age threshold.

The different ages of the individuals in these two different groups suggests that punishments designed to hit each age group where it hurts will be more effective in reducing hacking than a one-size-fits-all approach that may deter the members of one group who are older, but do little to deter the other class of hackers who are younger.  In other words, we may want to punish fame-driven hacking, where hackers are younger, with one kind of punishment that deters younger individuals, and punish bad profit- driven hacking, where hackers are older, with another kind of punishment.  This seems relatively simple and yet to our knowledge has not yet been addressed in policy discussions.  Presumably 14 year-old script kiddies and 50 year-old men value different things, so effective deterrence will mean differential punishments.

If even after considering these issues it is decided that a uniform punishment for all types of hacking (fame or profit-driven) is desirable, it will still be wise in developing legislation  for  dealing  with  hackers  to  take  into  consideration  the  fact  that  it  will inevitably apply primarily to young men.  This suggests that effective punishment might be unconventional even if it is uniform across types of hacking.   We leave issues like these for future research.