Don’t call it a “hack”

“Hack” confuses what is useful, clever, and resourceful, with what is aggressive, dangerous, illegal, and close to an act of war.

Nick Merrill
CLTC Bulletin
Oct 30, 2019

Writing for the Columbia Journalism Review, Lorenzo Franceschi-Bicchierai recently published a guide, How to report on a data breach. As the piece mentions, data breaches are increasingly common, and consumers almost always learn about these events from news sources. Journalists must cover cybersecurity incidents accurately, and with an eye toward spurring proactive action for the reader.

In that spirit, we at CLTC offer one further suggestion for journalists covering cybersecurity incidents: don’t call them “hacks.”

Every time a major company or government agency suffers a network intrusion or a data breach, the headlines announce that this or that organization has been ‘hacked’. The intruders — whoever they are — are called ‘hackers’. And sometimes this question is posed: should somebody retaliate by ‘hacking back’?

Calling perpetrators in crimes like this “hackers” has become common, and that’s too bad. It has allowed criminals to co-opt a word that has been fundamental to the growth of innovation in the U.S. It’s time we take “hack” back.

Steve Wozniak and Steve Jobs tinkering in their garage ca. 1975. Photo courtesy of Apple Inc.

When the pioneers of computer science used the word “hack,” the word captured what these programmers admired in one another — resourceful tinkering, driven by intrinsic curiosity. A hack was a way of thinking through challenging problems by approaching them in unexpected ways. The goal was to get things to ‘just work’ in ways that make them better and more useful.

Children are natural hackers, in a good way. Many kids’ first hack is walking in the wrong direction on an escalator. That’s not the way it’s designed to be used, but can you make it work? It’s fun and slightly mischievous. It’s practice for a core skill of innovation: seeing the non-obvious possibilities in a technology and experimenting in a low-cost, playful way. And, nobody gets hurt.

The word “hack” deserves a positive connotation. We owe to hacks many of the innovations we’ve come to rely on. To hack is to ignore convention and maximize ingenuity in the service of doing something that people need and want.

Using the word “hack” to describe the theft of bank records, medical data, and even foreign interference in US elections isn’t just a misreading of history. It confuses what is useful, clever, and resourceful with what is aggressive, dangerous, illegal, and close to an act of war.

Here are some examples. In 2016, digital criminals stole over 100 million US dollars from the Bangladeshi central bank’s accounts in the virtual vaults of the New York Fed. In 2017, criminals or possibly spies gained access to the sensitive personal information of 148 million people in the Equifax security breach. In 2019, a family in California was terrorized by their Nest security camera, which had been taken over by a digital intruder to issue a seemingly legitimate warning about an intercontinental ballistic missile en route from North Korea.

Headlines described all of these incidents as “hacks.” That perpetuates a collective misunderstanding of cybersecurity, imbuing the attacks with inappropriate and misleading connotations of cleverness and ingenuity. These perpetrators are not Robin Hood and his Merry Men. They are criminals and spies.

Misleading language is one of the reasons we are losing ground to the cyber-attackers — and it’s one of the easiest fixes.

If a burglar found a clever way to break into your house and steal your wallet and your jewelry, and put your family at risk, would the police report say that your front door was hacked? Of course not. It would be labeled unambiguously as a crime and the person who did it, a criminal. The more innovative the attack, the more evil and despicable it would be. There is nothing cool or roguish or clever about it.

A cyber attack — from election interference to ransomware — is the same: not magic, not wizardry, not a “hack”. It is a crime, or worse. The intent is the same, and the actions no less reprehensible.

We need to deploy better words for describing the nefarious side of skilled computation. When criminals invade people’s privacy, hold financial information hostage, or otherwise break the law, we need to paint a clear picture of what they are doing.

Crime. Invasion. Espionage. Stalking. Harassment. Theft.

These words capture the impacts of the crimes. They respect the suffering of victims.

Language matters in technology as much as anywhere else. Being precise about illegal and malicious actions will help policymakers, industry leaders, and the media to clarify the risks and harms. We need to raise the emotional and cognitive awareness of the seriousness of digital threats. There should be no confusion when it comes to our safety.

Computer scientists know that words, like software code, serve as tools for thought: first for changing awareness and then for changing behavior. When it comes to harmful, antisocial, and criminal behavior online, we need to start calling things as they are — to arm the public with a real understanding of the risks and potential harms. Increased awareness will allow people to see their own vulnerabilities and to advocate for better security practices.

We need a new vocabulary that is more accurate and action-oriented. Call it a crime, or an attack, or perhaps a digital assault, but don’t call it a hack. This simple language move will help to shift the conversation on cybersecurity and motivate more determined, informed, and collaborative action that will make the digital world a safer place.

Nick Merrill

Director @ Daylight Lab, UC Berkeley Center for Long-Term Cybersecurity — daylight.berkeley.edu