Introduction
The word “hacker” has developed a negative connotation. People hear the word “hacker” and instantly imagine a scrawny and disheveled man in a hoodie sitting in a dark basement lit up only by his screen. He types lines of code furiously before exclaiming, “I’m in,” and launching a denial of service attack on a website, bringing the whole site down.[1]
The current media landscape has done little to alter this negative perception. Just Googling the term “hack” yields thousands of news results, very few of which are positive.[2] Every new piece of technology is attached to some form of a hacking threat. For instance, since the rise of COVID-19, the video conferencing application Zoom has seen a massive increase in the total number of users.[3] However, with Zoom’s prevalence came the threat of “Zoombombing,” a form of hacking in which attackers join ongoing Zoom meetings and harass participants.[4] The media took this as an opportunity to question the safety of the new technology and its users.[5]
However, Zoombombing is not the most precarious hacker attack in recent history. Attacks on large financial institutions and data compilers like Equifax and OPM sparked fear across the country.[6] Millions of people had their Social Security numbers, addresses, employment histories, driver’s license numbers, and other information stolen by anonymous hackers in those incidents.[7] These attacks cost victims and the economy billions of dollars.[8]
These institutions’ attackers caused millions to suffer; they deserve to be punished. However, maintaining the theory that all hackers are on the level of those who attacked Equifax and OPM is unjustified.
Hacking is rumored to have begun at MIT’s Model Railroad Club.[9] Members of the club hacked the controls of a model train to increase its speed.[10] Hacking was initially motivated by a need to improve technology through new methods.
Corporations joined in on the Model Railroad Club’s academic developments when two engineers at Bell Labs hacked their computer systems to create the UNIX coding language.[11] UNIX quickly became the standard for all computing languages.[12]
Despite its innocuous beginnings, there have been many instances of people utilizing hacking for nefarious purposes, with consequences ranging from fines to imprisonment, to deter others from attempting the same. However, this methodology is inefficient and ineffective. Instead, the government should create a gig-based marketplace for hackers to participate. This marketplace would incentivize ethical hacking while discouraging bad hacking, thereby improving cybersecurity for participating firms.
The Subcategories of Hacking
In their article, The Economics of Computer Hacking, Dr. Leeson, and Dr. Coyne established unique subcategories of hackers.[13] They break down hackers into three groups: (1) good hacking; (2) hacking for fame; and (3) hacking for money.[14] Each of these groups hack for different reasons and outcomes.[15] This breakdown is a more accurate categorization of hackers than just the “good” versus “bad” dichotomy.
Good hackers act with altruistic intentions.[16] They use their experience and skills to find weaknesses in the cybersecurity of various platforms and companies.[17] These hackers anonymously report these weaknesses to the company or the general public.[18] For example, many posters on the “r/Hacking” subreddit use their skills to help others gain the most from the internet.[19] However, these hackers are rarely reported on in the news because there is no sensationalistic aspect for a media story.[20] Nonetheless, they are an important sector of the hacking population.[21]
Hacking for fame and hacking for money are the two subcategories that most people associate with hackers.[22] Hacking for fame focuses on hacker notoriety.[23] A famous example of this is Keanu Reeves’ protagonist role in The Matrix series, in which Reeves hacks government computers to gain notoriety in the hacking community.[24] These hackers do not necessarily attempt to gain financially from the hack; they are trying to gain hacking credibility.[25] Although, these hackers do occasionally end-up causing financial catastrophe for parties to gain this prominence.[26]
Hacking for money, on the other hand, is not driven by fame but instead greed.[27] This group is composed of both good and bad hackers.[28] Good hackers in this category are those who are employed by cyber-security teams and firms.[29] Accordingly, these hackers do not cause financial pain but are paid to find weaknesses in existing technologies to fix them.[30]
In comparison, bad hackers are similar to those who hacked Equifax and OPM to steal personally identifiable information.[31] These hackers make money through hacking and stealing data to sell.[32] These three subcategories of hackers describe a large part of the hacking community.[33]
Nevertheless, Dr. Leeson and Dr. Coyne’s categorization is incomplete. Their categorization touches on economic incentivization but does not account for the cross-breed between hacking for fame and hacking for money.[34] In modern society, it is not uncommon for hackers to hack to get a job.[35] Hackers participate in competitions and online groups to create new hacking tools and find cybersecurity systems’ weaknesses before releasing this information to legally invested parties .[36] Accordingly, these hackers deserve their own categorization as they are driven solely by neither money, fame, nor altruism, but a mix of the three.[37] These hackers will, hereinafter, be deemed to be hacking for jobs. These hackers’ primary motivation is to build a pseudo-portfolio to compete for jobs that they may otherwise seem unqualified.[38]
As presented here, a significant amount of hackers hack for economic reasons, not just to cause havoc. Thus, economics may be the best option for dealing with bad hackers.
Current Laws
The law currently punishes hacking under 18 U.S.C. § 1030, later amended to be the Computer Fraud and Abuse Act.[39] Initially ratified in 1984, this statute was intended to protect “federal interest” devices from unauthorized access that caused harm.[40] However, it was amended in 1994 to establish a cause of action for civil complainants and prohibit the unauthorized transfer of private information to any person.[41] Congress has since broadened the Computer Fraud and Abuse Act throughout the 1980s, 1990s and 2000s.[42]
However, this statute highlights an ongoing issue with the codification of bills. Namely, this codification is often slow and cumbersome.[43] It is often too limited to encompass the new issues surrounding technology and scientific advancement.[44] This statute is what is known as a “hard law.”[45] Hard laws are those which are created and ratified by the government through the legislature.[46] This method can take several years to produce laws or amendments to deal with ongoing issues.[47] Thus, amending the current statutes to resolve issues dealing with bad computer hacking may be unrealistic.
An alternative to hard laws will be more realistic when dealing with technological issues. In 1965, Gordon E. Moore, the co-founder of Intel, espoused his belief that computing power doubles every two years, while the cost of technology is halved.[48] It has been 55 years since this statement; however, recent statistics have shown that Moore’s Law is incorrect.[49] Rather, the speed and efficiency of technology are estimated to be doubling faster than Moore’s original forecast.[50] With the technological landscape continually evolving, soft laws may be more equipped to deal with technology.
Soft laws are unique from hard laws in that they are typically not codified.[51] Soft laws are rules and regulations espoused by members of the industry and the government bodies that regulate them.[52] The industry leaders and related government bodies have personnel specializing in these topics and are, thus, more suited to dealing with issues as they arise.[53] Accordingly, some form of soft law may be more appropriate for dealing with technological issues.
Positive Reinforcement vs. Negative Reinforcement
There are two forms of incentivization to do good: positive and negative reinforcement. Positive reinforcement entails providing support or encouragement whenever good deeds are done.[54] Consider, for example, handing a child their allowance following the completion of their chores or paying and tipping an UberEats driver after they deliver food. Alternatively, negative reinforcement is when a person or creature is punished or shown disapproval after committing immoral acts.[55] These can includes actions such as spraying a cat with water when it starts scratching the curtains or withholding a tip after an UberEats driver eats a slice of someone’s pizza.
There has long been a debate on which method of training and incentivization is the most effective.[56] However, a recent study has pointed out that no one method alone is perfect, but rather there should be a mix of the two.[57] In their study, researchers Marcial Losada and Emily Heaphy analyzed customer service feedback and how the customer service representatives were incentivized to do their work.[58] The researchers found that teams that received approximately six instances of positive reinforcement for every instance of negative reinforcement had the best track record with their customers.[59]
An issue arises, however, when one recognizes that our legal system only serves punishment. 18 U.S.C. § 1030 explicitly prohibits computer systems hacking and establishes punishment and liability for those who break the law.[60] The law acts as the singular instance of negative reinforcement that is required to reach optimal levels.[61] This law does not reward altruistic hackers and threatens them with punishment if they are discovered.[62] Thus, there needs to be a positive reinforcement system to reach ideal efficacy levels and allow altruistic hacking.
The Rise of the Gig-Based Economy
Acclaimed law and economics educator and theorist Ronald Coase developed the Coase Theorem decades ago.[63] Coase Theorem focuses on transaction costs, arguing that an employer only seeks to contract with an employee when contracting and supervising an independent contractor is more expensive.[64] This theory has been a mainstay and justifying factor for millions of people’s employment over the years.[65]
However, with the prevalence of the internet and technology, transacting with non-employees has become cheaper.[66] Following the Great Recession of 2007, the world economy witnessed a shift in ordinary citizens’ work style.[67] Suddenly, people were forced to seek alternative employment or additional funds to begin rebuilding their lives.[68]
This was the beginning of the bloom in the “gig economy.”[69] The gig economy is characterized by many people working as independent contractors, either part-time or full-time.[70] Typically, these jobs do not follow a typical workday’s hours.[71] Additionally, the contractors are responsible for many of their operation costs, deciding when to work, and are not expected to contribute a specific amount of billable hours.[72] The prevalence of gigs has grown exponentially thanks to businesses like GrubHub, UberEats, Postmates, Fiverr, and TaskRabbit. In 2015, 40% of American workers were members of the gig economy.[73] Moreover, it is estimated that, by 2027, a majority of American citizens will take part in the gig economy.[74]
Establishing a Gig-Based System to Incentivize Good Hacking
Rather than attempting to establish new hard laws to strengthen current laws and entrap hackers, an alternative solution may be more effective. The government should establish a gig-based hiring platform for coders and computer scientists. Herein, this platform will be referred to as “Hackrabbit,” a pun and appropriation of the similarly situated “TaskRabbit.” This would be the best option for reducing the amount of hacking for fame or profit, increasing good hacking, and may provide various other positive economic side-effects.
Hackrabbit would be an online platform for hackers to seek compensation for their work on either a part-time or full-time basis. This could be accomplished in two pathways.
The first route, companies would be able to post specific tasks accompanied by distinct rewards for all hackers to use. Whichever hacker completes the project first and to the posting company’s satisfaction would receive the financial compensation and the possibility of a tip. This route would be based solely on the preferences of the hacker.
The second route is based solely on the preferences of the posting company. Similar to its tamer rival, TaskRabbit, each hacker would have a profile where they can list their specialties, languages, and other marketable capabilities. This profile would also feature all of the hacker’s projects on Hackrabbit and any reviews they could receive from companies. Companies would be able to look for the most qualified individuals to deal with more secretive or complicated hacks. Thus, this second route would entice companies to participate in this project as they can be assured that they will find the most qualified individual for their project.
How Hackrabbit Will Help
Hackrabbit would create a positive reinforcement that could bring cybersecurity to a near-optimal level. A system that rewards hackers for completing projects would act similarly to tipping an UberEats driver or paying a TaskRabbit for putting together furniture. Hackers would receive positive reinforcement for helping to improve the cybersecurity of major companies rather than just being punished for breaking the laws. Thus, Hackrabbit would help reach the optimal ratio of positive to negative reinforcement and create efficient and effective outcomes.
A sudden increase in work opportunities will also attract experienced hackers who will complete more hacks more effectively. This will lead to more opportunities for extra income for hackers, increasing ethical hacking as these hackers will now be financially incentivized to commit semi-altruistic activities.
Creating a new work environment for hackers will simultaneously decrease the amount of bad hacking. As stated before, some hackers hack to make a profit illegally.[75] Millions of dollars have been generated through the illegal sale of private information through the dark web.[76] By creating Hackrabbit, those who hack for profit will have a legal outlet to do so. They will no longer have to fear the possibility of legal repercussions from their actions because this will be lawful hacking.
Hackrabbit will also reduce bad hacking motivated by fame. Those who hack for notoriety only do so to add to their resume of “impressive” and complicated hacks.[77] However, as stated above, Hackrabbit will allow hackers to create profiles that list their most impressive (legal) hacks, special skills, and unique characteristics. Hackrabbit partners will create a safe space for these hackers to commit impressive hacks while being legally protected.
Why Companies Will Want to Use Hackrabbit
The most significant positive impact of Hackrabbit is its outcome. Hackrabbit will allow institutions to find flaws in their cybersecurity and online presence. Financial institutions will hire capable and willing hackers to identify weaknesses in their systems, thereby protecting their customers and the general consuming public. This will prevent costly future hacks like those which were committed against Equifax and OPM. Thus, while simultaneously decreasing the risks of bad hacking and increasing the benefits of good hacking, it will also increase the general public’s confidence in large institutions.
This increase in trust will have positive effects on the overall economy. Stock prices are general indications of the confidence investors have in firms and their business strategy.[78] Subsequently, companies will be further incentivized by the possibility of more profitable stock issuances in the future as investors become more confident that the firm is adequately protected. Meanwhile, investors will reap this new system’s rewards by profiting from the economic rise that the market will generate. Thus, the economy, in its entirety, will benefit from this system. Therefore, firms will be adequately incentivized to use Hackrabbit.
How the Government Will Benefit from Hackrabbit
The cost of enforcing laws is high.[79] The government must pay lawyers, judges, and other entities to prosecute people. Then, the government pays anywhere between $14,000 to $69,000 per prisoner per year.[80] By reducing the number of hacker prosecutions, the government and the taxpayers will save this money.
Furthermore, the government will be able to increase its annual tax revenue. Every year millions of dollars are exchanged through the dark web for various reasons.[81] Much of this money comes directly from hacking.[82] By creating a market for hackers to do bounty-like jobs, the government is also establishing a new way to tax. This will increase the amount of taxes generated by the IRS, thereby increasing funding for various programs.
Additionally, Hackrabbit presents a more realistic solution to international hackers. Following the Equifax hack, investigators were able to identify the possible hackers as Chinese army officials.[83] However, due to their statuses as members of the Chinese army, many worried that their indictment would hurt American-Chinese relations.[84] Investigators wasted time, resources, and money to identify people who may never be punished. Additionally, Hackrabbit could potentially prevent hacking from happening in the first place, by helping to strengthen cybersecurity and providing new resources to track down those selling stolen data.
Conclusion
The creation of Hackrabbit is the most efficient and practical way to solve ongoing issues with hacking. 18 U.S.C. § 1030 is not sufficient to preempt future hacks; it is only used to punish past hacking incidents.[85] Supplementing this statute with Hackrabbit will increase good hacking and proactively prevent future hacks by strengthening cybersecurity. Although this program will not be mandated for all firms in the country, the use of Hackrabbit will likely lead to many positive financial outcomes for all parties and firms. Thus, the government should consider creating Hackrabbit.
[1] See e.g., Mr. Robot, (USA Network June 24, 2015).
[2] “Hack” Search, Google News, https://news.google.com (follow “News” hyperlink; then search the word “hack”) [hereinafter Hack].
[3] Supantha Mukherjee et al., Zoom Participant Numbers Top 300 Million Despite Growing Ban List, Shares Hit Record, Reuters (Apr. 22, 2020), https://www.reuters.com/article/us-zoom-video-commn-encryption/zoom-users-top-300-mln-despite-growing-ban-list-shares-hit-record-idUSKCN22420R.
[4] Taylor Lorenz & Davey Alba, ‘Zoombombing’ Becomes a Dangerous Organized Effort, N.Y. Times (Apr. 7, 2020), https://www.nytimes.com/2020/04/03/technology/zoom-harassment-abuse-racism-fbi-warning.html.
[5] See, e.g., Paige Hooder, How to Protect Your Online Calls from ‘Zoom-Bombing, The Mich. Daily (Oct. 15, 2020), https://www.michigandaily.com/section/academics/how-protect-you-online-calls-zoom-bombing.
[6] See Garrett M. Graff, China’s Hacking Spree Will Have a Decades-Long Fallout, Wired (Feb. 11, 2020), https://www.wired.com/story/china-equifax-anthem-marriott-opm-hacks-data/.
[7] Peter T. Leeson & Christopher J. Coyne, The Economics of Computer Hacking, 1 J.L. Econ. & Pol’y 511, 511-12 (2005).
[8] Matthew J. Schwartz, Equifax’s Data Breach Costs Hit $1.4 Billion, Bank Info Sec. (May 13, 2019), https://www.bankinfosecurity.com/equifaxs-data-breach-costs-hit-14-billion-a-12473.
[9] Leeson & Coyne, supra note 7 at 512.
[10] Id.
[11] Id. at 513. (UNIX was one of the first operating systems ever developed and was the predecessor to today’s open source operating systems).
[12] Id.
[13] Id. at 512.
[14] Id.
[15] Id.
[16] See id. at 516.
[17] Id. at 516-18.
[18] Id.
[19] Hacking: security in practice, https://www.reddit.com/r/hacking/ (last visited Apr. 26, 2020).
[20] See Hack, supra note 2.
[21] See Leeson & Coyne, supra note 7 at 517 (“We do know that some such hackers exist because insiders at some companies have hinted that certain patches they have released are in response to “good hacker” tips like these… Some good hackers not only inform organizations of security weaknesses but also threaten to release the hole they’ve found unless action is taken to correct the problem.”)
[22] Are All Hackers Bad?, McAfee, (Sep. 2, 2014) https://www.mcafee.com/blogs/consumer/identity-protection/are-all-hackers-bad/.
[23] Leeson & Coyne, supra note 7, at 518.
[24] The Matrix (Warner Bros. Pictures 1999).
[25] Leeson & Coyne, supra note 7, at 517-22.
[26] Id.
[27] Id. at 524-26.
[28] Id.
[29] Id.
[30] Id.
[31] Id.
[32] Id.
[33] See id. at 512.
[34] See generally id. at 511-531
[35] See Luke Stephens, How to Get Your First Job as a Hacker, Medium (Apr. 10, 2018), https://medium.com/s/story/how-to-get-your-first-job-as-a-hacker-7c1f5c4bf4b3.
[36] See id.
[37] See Leeson & Coyne, supra note 7.
[38] See e.g., Stephens, supra note 35.
[39] 18 U.S.C.A. § 1030.
[40] Laura Bernescu, When is a Hack not a Hack: Addressing the CFAA’s Applicability to the Internet Service Context, 2013 Univ. Chi. Legal F. 633, 638-639 (2013) (quoting 18 U.S.C. § 1030(a)(4)).
[41] Id. at 639-41 (explaining that Congress expanded the list of computer crimes in 1986, created a private right of action for individuals harmed by certain violations in 1994, and expanded the list of “protected computers” throughout the 1990s and 2000s to include any computer that may affect foreign or interstate commerce or communication).
[42] Id. at 641.
[43] Ryan Hagemann et al., Soft Law for Hard Problems: The Governance of Emerging Technologies in an Uncertain Future, 17 Colo. Tech. L.J. 37, 63 (2018).
[44] Id.
[45] Id. at 42-45.
[46] Id. at 42.
[47] Id. at 127.
[48] Christopher S. Yoo, Moore’s Law, Metcalfe’s Law, and the Theory of Optimal Interoperability, 14 Colo. Tech. L.J. 87, 90 (2015).
[49] Carla Tardi, Moore’s Law, Investopedia (Sept. 5, 2019), https://www.investopedia.com/terms/m/mooreslaw.asp.
[50] Id.
[51] See Ryan Hagemann et al., supra note 43, at 42-45.
[52] See id. at 41-42.
[53] Id.
[54] Marcial Losada & Emily Heaphy, The Role of Positivity and Connectivity in the Performance of Business Teams: A Nonlinear Dynamics Model, 47 Am. Behav. Scientist 740, 745 (2004).
[55] Id.
[56] See generally Hukam Dad et al, Comparison of the Frequency and Effectiveness of Positive and Negative Reinforcement Practices in School, 3 Contemp. Issues in Educ. Rsch. 127 (2010) (discussing the positive and negative effects of using strictly positive or negative reinforcement). See also 100 Humans: Pain vs. Pleasure (Netflix Mar. 13, 2020) (showing experiment that argued that positive reinforcement is more effective).
[57] See Losada & Heaphy, supra note 54.
[58] Id.
[59] Id. at 747.
[60] Daniel Q. Posin, The Coase Theorem: Through a Glass Darkly, 61 Tenn. L. Rev. 797, 802 (1994).
[61] 18 U.S.C. § 1030
[62] See 18 U.S.C. § 1030
[63] See Ronald H. Coase, The Nature of the Firm, 4 Economica 386, 392 (1937).
[64] Michael L. Nadler, Independent Employees: A New Category of Workers for the Gig Economy, 19 N.C. J.L. & Tech. 443, 457 (2018).
[65] See id. at 456.
[66] See id. at 454.
[67] Nicholas Kacher & Stephan Weiler, Inside the Rise of the Gig Economy, REDI Reps. (Apr. 2017), https://www.libarts.colostate.edu/redi/wp-content/uploads/sites/50/2017/02/REDI-Gig-Economy-1-NK.pdf.
[68] Id.
[69] See id.
[70] Margaret Rouse, Gig Economy, TechTarget (May 23, 2016), https://whatis.techtarget.com/definition/gig-economy.
[71] Dani Blum & Laura Vanderkam, The Gig Economy Offers Parents Options and Obstacles, N.Y. Times (Feb. 18, 2020), https://www.nytimes.com/2020/02/18/parenting/gig-economy-part-time-work.html.
[72] Id.
[73] Alex Kirven, Whose Gig is it Anyway? Technological Change, Workplace Control and Supervision, and Workers’ Rights in the Gig Economy, 89 Univ. Colo. L. Rev. 249, 257 (2018).
[74] Press Release, Upwork, Freelancers Predicted to Become the U.S. Workforce Majority Within a Decade, With Nearly 50% of Millennial Workers Already Freelancing, Annual “Freelancing in America” Study Finds (Oct. 17, 2017).
[75] Leeson & Coyne, supra note 7, at 524-26.
[76] See, e.g., Sudais Asif, Dark Web Hackers Selling 400,000 South Korean & US Payment Card Data, HackRead (Apr. 25, 2020), https://www.hackread.com/dark-web-hackers-sell-south-korea-us-card-data/.
[77] Leeson & Coyne, supra note 7, at 517-22.
[78] See Lynn A. Stout, The Unimportance of Being Efficient: An Economic Analysis of Stock Market Pricing and Securities Regulation, 87 Mich. L. Rev. 613, 669 (1988).
[79] See Priscilla Hunt et al., Estimates of Law Enforcement Costs by Crime Type for Benefit-Cost Analyses, 10 J. of Benefit-Cost Analysis 95 (2019).
[80] Prison Spending in 2015, Vera, https://www.vera.org/publications/price-of-prisons-2015-state-spending-trends/price-of-prisons-2015-state-spending-trends/price-of-prisons-2015-state-spending-trends-prison-spending (last visited Apr. 26, 2020).
[81] Aditi Kumar & Eric Rosenbach, The Truth about the Dark Web, Int’l Monetary Fund (Sept. 2019), https://www.imf.org/external/pubs/ft/fandd/2019/09/the-truth-about-the-dark-web-kumar.htm.
[82] See Asif, supra note 57.
[83] Brian Barrett, How 4 Chinese Hackers Allegedly Took Down Equifax, Wired (Feb. 10, 2020), https://www.wired.com/story/equifax-hack-china/.
[84] Id.
[85] See 18 U.S.C.A. § 1030