It is well known that today we live in an unprecedented time with rampant cybercrime. And now that the COVID-19 pandemic has created unparalleled challenges including worldwide unemployment and a massive financial crisis, ironically one of the industries that has flourished is the $5.2 trillion economy of cybercrime. As the rise of commercial cybercrime has outpaced the traditional security team, we have put out a 2020 report called “Inside the Mind of a Hacker 2020,” which casts new light on the next generation of hackers utilizing human ingenuity to solve difficult cybersecurity problems. This report also presents a timely overview of career hackers amid a growing digital crisis, highlighting how they are working together to help organizations defend their attack surface.
We discovered that globally distributed good-faith hackers are increasing in number and offering organizations the power to proactively prevent a malicious cyberattack, which can cost companies nearly $3.92 million if left unchecked, according to a recent report. While artificial intelligence (AI) has a role to play in reducing cyber risk, companies also need to integrate crowd-sourced security if they hope to outmaneuver cybercriminals.
The Inside the Mind of a Hacker (ITMOAH) report analyzes 3,493 survey responses from working hackers between May 1, 2019 and April 30, 2020. In addition, the report incorporates data from 1,549 programs and 7.7 million platform interactions to provide an in-depth view of emerging trends among bug bounty, penetration testing, attack surface management and vulnerability disclosure programs.
The word “hacker” conjures up some negative stereotypes, but these could not be further from the truth. The report’s findings break down these negative images and present a truer picture of these career hackers, with new data about where they come from, what motivates them, which skills they have and how they see themselves.
Here are some key highlights from the report:
COVID-19 is Increasing Demand for Career Hackers
The FBI reported a 400% rise in cybercrime after COVID-19 was declared a pandemic. As such, organizations are investing more in bug bounty programs. More than half of hackers (61%) have noticed an increase in available bug bounty programs to participate in due to widespread remote working conditions related to COVID-19.
Like the larger security industry, career hackers also noted concerns about COVID-related fraud. Forty-eight percent of the hackers believe the healthcare industry is the most vulnerable to cybercrime during the unfolding crisis, followed by education and community support (17%) and government and military (16%).
Additionally, as the government faces the potential impact of COVID-19 on the upcoming 2020 U.S. Presidential election, 72% of hackers independently reported that they do not trust alternative polling methods, such as electronic polling or mail-in ballots.
AI-Powered Cybersecurity Solutions Are Not Enough to Outmaneuver Sophisticated Cyberattacks
The report found that 78% of career hackers surveyed said AI-powered cybersecurity solutions alone are not enough to outmaneuver cyberattacks over the next decade. In addition, nearly nine out of 10 hackers, 87%, reported that scanners cannot find as many critical or unknown assets as humans.
The case for adding human ingenuity to a security program is telling. For instance, while 2019 was a record year for data breaches, the report found that hackers working on the Bugcrowd platform prevented $8.9 billion of cybercrime in 2019 and earned 38% more than they did in the previous period. In the next five years, hackers on the Bugcrowd platform are projected to prevent more than $55 billion in cybercrime for organizations worldwide.
Career Hackers Live on Six Continents and Reside in More Than 100 Countries Worldwide
The report found that career hackers reside in more than 100 countries worldwide, including emerging markets; however, research shows they still possess the same quality of education that organizations have come to expect in developed countries like Australia and the U.S. For example, universities in India, such as the Indian Institute of Science, are internationally recognized for providing some of the highest standards of engineering education.
As such, the report also observed an 83% increase in the number of respondents who report living in India. This uptick has caused a thought-provoking shift in the average geographic distribution of security researchers, with further expansion also seen in Australia and the U.K.
Most security researchers reside in metropolitan areas, but 11% report living outside of built-up areas in villages, farms and other isolated dwellings.
Hackers Speak Multiple Languages, Enhancing Cognitive Abilities
Studies show that speaking more than one language enhances cognitive abilities such as memory, concentration, problem-solving and critical-thinking skills. Unsurprisingly, these cognitive strengths make multilingual people uniquely suited to work as career hackers because they generally possess superior creativity and logical flexibility. Data also suggests that decisions made by security researchers in their auxiliary language are more likely to be reason-driven.
Many career hackers reported that they attribute their “computer skills” to multilingualism. One of the hackers even mentioned that learning new languages felt the same as learning a new syntax, as it is the same thought process.
The Next Generation of Hackers Are Younger and Neurologically Diverse
The report found that 53% of hackers are under the age of 24 and 13% are neurodiverse. It stands to reason that hacking as a profession is lucrative and highly attractive to young people.
When people think about diversity, things like race and gender typically come to mind, but another quality also diversifies ethical hackers: neurodiversity. The attribute is worth considering given that 13% of security researchers report experiencing distinct neurodevelopmental conditions that include dyspraxia, dyslexia, attention deficit/hyperactivity disorder (AD/HD), dyscalculia, autistic spectrum and Tourette syndrome. According to Dr. Devon MacEachron, a psychologist specializing in twice-exceptional and gifted learners, neurodiversity is a genetic property related to the evolution of humans as a species. Consequently, these differences are not flaws, but instead natural variations in the human genome that can provide unique advantages in contexts like hacking.
For example, experts say individuals with AD/HD thrive in environments of rapid change and variety that reward creativity and out-of-the-box thinking. These qualities underpin ethical hacking, making such individuals highly suited to work as security researchers.
Hacking for the Social Good and for Personal Development
Sixty-one percent of security researchers say they hack for reasons of personal development, such as realizing new talents, facilitating employability and enhancing their quality of life.
On a related topic, the report uncovered a growing social responsibility trend among hackers, with 93% of security researchers hacking out of care for the well-being of organizations. In terms of how these career hackers learned their trade, we found that most learned using online resources, while 36% report being entirely self-taught. Only 13% completed academic or professional coursework related to cybersecurity, highlighting their preference for online resources and community support.
Likewise, 70% of career hackers are highly skilled in web application testing. According to a report from Avast, the attack surface is growing faster than it has at any other time; despite web applications being at an increased risk, organizations still find themselves needing to secure more than 400 of them. Fortunately, 70% of security researchers are highly skilled in web application testing and can unburden internal teams so that they can remediate risk earlier in the development lifecycle.
The report findings showed that human ingenuity and creativity still remain the most powerful tools in cybersecurity. While AI and machine learning serve as useful levers, they will not replace humans for a long time to come. This gap between automation and human adversarial creativity suggests organizations will increasingly seek to augment their security strategy with crowdsourcing, the most efficient and practical approach to finding the right talent for the right problem.
The only limits for how organizations can leverage hackers are the limits of their imagination. Accordingly, we predict that organizations will leverage hackers in never-before-seen ways in the year ahead.