Exploring the unlikely relationship between hackers and the state with Emily Crose

Emily Crose, a veteran cybersecurity professional at agencies including the CIA and the Department of Homeland Security, had a question: How did hackers become sought-after collaborators with governments?

In her efforts to find answers, she ended up writing a book, Hack to the Future, How World Governments Relentlessly Pursue and Domesticate Hackers.

Crose joined Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, on the Random nut Memorable podcast to chat about the history of hacker culture, the evolution of hackers’ relationship with the state, and the ethical complexities one should consider when working with government.

They also explore other topics like whether we’ll ever see hacker groups like Lizard Squad and LulzSec again. For insights like these and more, read the interview highlights below or listen to the full podcast episode.

Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.

Michael Fey: Could you give us a bit of an origin story on your career and how you got here?

Emily Crose: I got into cybersecurity in the same way that a lot of other people do: childhood fascination, working with electronics and computers, figuring out how I broke what I broke, how to fix what I broke, and then breaking things intentionally next time.

MF: What did hacking look like back in the day? And what motivated hackers? Was it as cliché as movies and TV paint it to be?

EC: In some ways it was! Hackers have always been motivated by a curiosity about how complex systems work. We’ve had hackers throughout time. We tend to think from a clichéd perspective that modern hacking started during the phone-phreaker time (1960s). I tried to take a different approach in my book to answer the question of where hacking started by telling the story of Nevil Maskelyne, who was a magician and a competitor of Marconi in radio technology.

We can look at what we consider hackers to be today and compare them to this individual who, back in the early 1900s, sabotaged Marconi’s demonstrations with radio – doing a lot of the same sort of things that the modern-day hacking community would recognize.

“Complex systems change, but the hackers themselves really don’t over time."

Just to be clear, I don’t think that Nevil Maskelyne was the first hacker. It would be awkward of me to claim that I found the originator. What I’m saying is that those threads have always been there. We’ve always had that sort of curiosity and almost mischievousness. The complex systems change, but the hackers themselves really don’t over time. We’ve always been the same group of people for the most part.

MF: Has the motivation for hacking always been to gain access to things that people didn’t have access to? And has that changed over time with hacking’s role in politics?

EC: I think those are two separate questions.

How it’s changed: it’s become a geopolitical thing in the modern age, which is to say, since the 1990s. But even with Nevil Maskelyne, radio at that time was developing into a technology that was being used for geopolitics. They were starting to use radio to coordinate military efforts in different parts of the world, for example. That component of geopolitics has always been there and has a through-line in that story because of the way that the technology was being positioned on the world stage.

From Nevil Maskelyne’s perspective, I don’t think his motivation was getting access for the sake of getting access. The sabotage was actually to prove a point about who owned the technology and the sorts of business claims that Marconi was making.

There was a change that occurred in the 1990s. There’s motivation to get access to computers because computers are the thing now and people are stealing information for the purpose of making a geopolitical point or helping a movement as hacktivists. That’s a more modern motivation that we don’t really explore a lot in the book. It may be that there are some cases of that that you could find over time. The thrust of the book really is from the 1970s to about 2015.

MF: You write about events like the Morris worm and the Melissa virus. How did these incidents change the perception of hackers both in the public eye and also within government agencies?

EC: Around that time, viruses were starting to get more and more attention. From the Melissa virus perspective, I don’t know that Melissa had the same level of impact that Morris did. But the reason that Morris got as much attention as it did was in part because of the sheer speed that it moved. In 48 hours, it had gone from being released to finding its way onto Department of Defense computers, NASA computers.

It was so fast-moving, and it was so early in the, I guess what I would describe as the “wild” type of virus release. Before this time, viruses were being explored in very high-end laboratories and restricted settings. It isn’t until you get to the Morris era and the Melissa era of viruses where people outside of laboratories are starting to write viruses and release them. You start to see how the public reacts to those, because now it’s outside of a lab setting and everybody has to deal with this global impact.

That’s the first part of the Morris worm’s impact. The second part is that Robert Tappan Morris is actually the son of a very well-known national security agency crypto analyst and programmer at NSA. It also gained a lot of interest because of that connection. It turned the heads of the government establishment because there were a lot of questions about how it happened. Why would the son of an NSA crypto analyst write this piece of code and then release it? Was it purposeful? Was it accidental?

The public discourse about how this destructive virus made its way out into the public was pretty illuminating for government people at that time.

MF: I can imagine, and probably a bit professionally embarrassing for Morris himself to have something like this happen.

EC: It certainly was, with the FBI coming to visit him at his work! That also was the catalyst that created a more unified response from the government to virus incidents. Before this, we didn’t even have an organization that was centrally responsible for responding to virus outbreaks.

MF: The book explores the nuanced relationship between hackers and governments. How would you describe the evolution of this dynamic from adversarial to collaborative?

EC: Me trying to answer that question was actually the thrust of the book at the beginning. How did this weird group of outsiders become an accepted part of major government global policy?

You have your phone-phreakers from the 1960s being pursued by state and federal authorities for basically ripping off the phone companies. The government considered it a form of toll fraud. People were being prosecuted for stealing money from the phone companies. That turned into prosecution for other reasons, like getting unauthorized access to high-end computer systems. You see a similar approach with other hackers from the 1980s era.

There’s an evolution. I describe it as a sort of land bridge from the phone-phreaker era to the computer hacking era. I know, these terms kind of make me cringe, but this is the best way to describe it. You start to see some of these early 1980s- and 1990s-era hackers going from phones to computers, and it wasn’t until the 1990s that you see the U.S. government start taking this group of people more seriously. We have a formalization of rules of the road for hacking come in the late 1980s. In 1986, the Computer Fraud and Abuse Act (CFAA) was signed into law. That created a legal establishment for this class of individuals, who’ve always been working with computers, to work within a more legalized framework.

“It wasn’t until the 1990s that you see the U.S. government start taking this group of people more seriously."

Once the law of the land was laid down, federal agencies started to take it more seriously as something that they would prosecute. It was in the late 1990s – around 1996 and 1997 – that you start to see the U.S. government say: “Okay, we know these people are here. We know that they have some amount of leverage over this growing technology that we’re all using now. Maybe we should start to look at ourselves and see how much impact they could have on us, and then, conversely, how much impact we can have on others.”

MF: In TVs and movies, hackers often commit a crime and are then caught by the government. An agent will then say to the hacker: “Well, we can commute your sentence if you’ll agree to work for us.” Does that happen real life?

EC: I think it’s about right that it has been a pretty common path. But I don’t know that it happens quite that way anymore. What we tend to see nowadays, because we have so many things like Capture the Flag (CTF) events, is that you have a lot of individuals who develop this skill within a legal framework by doing CTFs. They get discovered by government agencies that way. That’s the more modern recruitment pathway.

But yeah, certainly there are plenty of stories throughout the 1990s of hackers getting in trouble for something, and then eventually they evolve their skill into either a consulting business or working for the government directly. There’s definitely plenty of cases that you could point to where that has happened.

MF: You talk about how different agencies like NSA and NASA interacted with hackers. Were there any really noticeable differences between their approaches that you called out?

EC: There’s always been a signature way that different agencies deal with the reality of a breach. In talking to some hackers from that timeframe for this book, breaking into NASA has been described as a rite of passage for a lot of hackers. Even the Australian hackers in Melbourne would break into NASA just as a rite of passage to gain credibility.

“Breaking into NASA has been described as a rite of passage for a lot of hackers."

Also, I do Freedom of Information Act requests. The origin story of this book comes from asking questions to the government about how these breaches unfolded. In looking at those documents, you can kind of see how that response evolved over time. You go from a lot of handwritten notes by the FBI in the wake of a virus investigation – from the Melissa virus, for example, there are handwritten notes with interviews of people who interacted with it. And eventually in the late 1990s and early 2000s, you have formalized incident reports that have cost associations with them.

There’s also an evolution of formalizing a lot of the things that we see in breaches today, and the documentation of these things is a lot more robust now than it used to be.

MF: If we look at the hackers themselves, did you find any similarities or commonalities for motivations or life experiences across all of these folks? Any differences between folks who describe themselves as black-hat hackers versus white-hat hackers?

EC: I’m glad that you asked that question because there is something that I noticed in putting this material together.

I don’t know that I really call it out specifically in the book, but I know of a lot of folks who entered cybersecurity over the years, and those people I’m sure will know who they are when I mention this. Again, not all of them, but many of them experienced a period of homelessness, which I thought was really interesting. It’s an informal observation, and certainly not everybody who entered cybersecurity had that experience. I didn’t have that experience, for example. But I did think it was interesting that so many of my colleagues have experienced that in one form or another on their way into cybersecurity. I’m not really sure what accounts for that. It’s kind of an interesting thing that would be interesting to look into and see why that is the case.

Other things that you could tie to hacker ethos, I guess you could say, are things like curiosity, a good sense of humor, mischief. You see a lot of that throughout the years too, which is something that goes all the way back to, like I said, the Nevil Maskelyne, early 1900s era.

MF: With the rise of nation-state hackers (a lot of news coverage today talks about hacking groups as opposed to individual solo hackers or the romanticized lone genius hacker), do you think that individual hackers pulling off large feats is a thing of the past, or does it still happen?

EC: You’re referring to stunt hacking? Is that what you’re asking about?

MF: Yes! Where someone will pull off a massive hack and take credit for it, and it’s the act of a single person as opposed to a thing where some group has infiltrated some ransomware against some institution.

EC: There’s just too much money in it now. You used to see stunt hacking a lot in past decades because the business of cybersecurity hadn’t really developed to the point where you could make money as an individual. If you didn’t graduate from college, and if you’re on the younger side – as we know, young people are just as intelligent with computers and breaking them, as people have been doing this for many years. I’m rusty these days. But younger hackers are just as adept at doing this sort of thing and I think that they’ve found ways of monetizing it better than we used to be able to.

I think that era is over in the way that we remember it from the 2000s and the 2010s when these big, elaborate pranks grabbed a lot of attention. We still see some of that, but I don’t know that we’ll see another crew like Lizard Squad from the 2010s, or LulzSec, for example.

“I don’t know that we’ll see another crew like Lizard Squad."

Those types of groups, they harken back to a time where the bar to entry for exploitation was a lot lower than it is right now primarily because of how much money is involved in it. It’s really hard to turn down the type of money that’s being thrown around for a really good exploit these days. And then there’s the legitimacy that you can get by accepting that money and then building a career off of it. And then just the sheer complexity of hacks these days. The cybersecurity industry has really raised the bar in the past 20 years, and the turnaround time for remediation or response for a severe bug has just become so much better than it ever was before. We are absolutely not living in the same era of security that we were 20 years ago. I really have to give a pat on the back to everybody who’s made that a reality.

“The cybersecurity industry has really raised the bar in the past 20 years."

I should remark that stunt hacking has moved from the public stage to Capture the Flag exercises. Pwn2Own (hacking contest) is where a lot of stunt hacking happens these days. You see a lot of it happening in that scene. It’s not something that’s completely disappeared, but there’s just more legitimate pathways to showcasing those types of hacking skills.

MF: What lessons do you think other governments and private citizens can learn from the way the U.S. has domesticated hacking culture?

EC: That’s one thing I mention in the book: that there are so many books that cover the history of the United States and how the United States responded to hackers. I also wanted to take a look at how other countries tracked their own pathway through their relationship with hackers.

One example of the way that you do it wrong is what France did in the 1990s. France did a sting operation against hackers in their own country. They ended up burning a lot of bridges very early on between the French government and hackers that I think they are, to some extent, still feeling the effects of today. They may be improving it, but 20, 30 years is a really long time to burn bridges with your own localized communities. The lesson that you take away from that is, it’s better to be constructive with these individuals – not lenient – but at least understanding enough of the gray area that a lot of hackers operate within to work with them rather than against them.

There are plenty of examples that I mention in the book where government agencies, like the Secret Service, went about doing stings in really destructive ways that ended up hurting that relationship more than helping it. You see that relationship repair over the span of maybe 15 to 20 years where they build those bridges back up with hackers by attending the conferences, bringing hackers into the fold, listening to the responses of what’s reasonable to prosecute, what types of activities may require a softer approach. I think those are the lessons that governments should look at as examples of a productive relationship with their technical talent rather than being adversarial all the time.

MF: This question might seem a little crass, but what does cyber war actually look like? What are the risks, not only for the governments, countries, and citizens involved, but the hackers themselves?

EC: Cyber war is one of those things that has come up many different ways over the years, and the way that people think about it has evolved over time.

We used to think of cyber war as countries attacking other countries and getting access to information that could be used to attack other countries with. That idea changed to, can a government turn off the lights in another country, for example? We’ve seen a lot of examples of that type of behavior in different theaters around the world. The ones that I’m thinking about specifically predate the current conflict in Ukraine or were an extension of this current conflict in Ukraine, when Russia attacked the Ukrainian territory by turning off the lights in Kiev. It was a component in that attack. It was a bit ominous or predictive of a conflict that would come later.

What we have to start thinking about in terms of cyber conflict is, is cyber war its own discreet thing or is it a component of a more robust military engagement? From a policy perspective, we have to start thinking of cyber war and cyber conflict as a part of armed conflict. In the same way that airplanes changed the battlefield, this will change the battlefield in a commensurate way.

“We have to start thinking of cyber war and cyber conflict as a part of armed conflict."

Whether it will be a major or a minor part of conflict in the future, I think is an open question. But we can’t look at cyber warfare as something that happens once, and that’s the end of it. We can look at it as a component of a larger conflict, or as a component of more robust information warfare or an influence campaign. Those are two very diverging ideas that these days we conflate, but the activities associated with each and the responses to each are very different.

I think we have to evolve our thinking and stop being worried about one or the other. It’s all of the above and we need policy that can govern both.

MF: In the book you talk about the ethical complexities of working with the government. Do you have any advice for cybersecurity professionals or ethical hackers who might be wary of getting involved in this way and are aware of those ethical complexities?

EC: The ethical complexities are just something that you can’t avoid. This goes beyond being a hacker; it’s true for anybody who works with the government. Not to get too political, but any time that you’re working with the government, that’s always going to be a question: Am I doing the right thing? It just happens to be, I think, more heavier with certain jobs. Within the military, for example, ending somebody’s life on the battlefield – that can be one of those ethical considerations that people do have to consider their role in.

“Follow your own ethics and morals."

The best thing that I can say is, follow your own ethics and morals on that pathway. You don’t have to work with the government if you don’t feel like it’s a project that’s worthy of your attention.

MF: Where can people go to find the book and perhaps even learn a bit more about you?

EC: My website is one place that you can go to learn more about me: hexadecim8.com. There’s also links there to different places where you can buy the book and get a hard copy if you’d like. Also, I’m excited to announce that we are going to have an audiobook version coming on February 25. So, if you prefer to consume your long-form content in audio form, it should be available on all major audiobook retailers as well.

Jenn Marshall

Contributing Writer