Chris Evans is CISO and chief hacking officer at HackerOne. He is also a hacker, “Absolutely. 100%.”
SecurityWeek’s Hacker Conversations series seeks to understand the mind and motivations of hackers by talking to hackers. Evans challenges the common perception of both hackers and their motivation.
A hacker
Evans’ definition of a hacker and hacking is nuanced and not mainstream. “A hacker is simply someone who uses creativity to overcome constraints or limitations,” he explains. He mentions ‘life hacks’. The specialist lifehacker[.]com site describes itself as offering ‘help [with] credible, practical, science-based life advice to help you live better.’ ’TECH’ is just one subsection among eight others within life hacking.
“These days, we’re all hackers,” he continues. “We use tips and tricks to creatively overcome limitations on our lifestyle.” All that differs is the subsection defining the type of lifestyle hack we’re conducting: a computer hacker is someone who creatively overcomes limitations and constraints within computers. Hacking, for Evans, is primarily the process of finding creative methods to improve life. Computer hacking becomes the creative process of improving computing.
He also has a strong conviction that most computer hackers naturally use their creativity for good, not harm. Computer hacking is almost by definition what we commonly label ‘whitehat’ hacking. Those who use their skills to steal or commit fraud shouldn’t be labeled as a different type of hacker (such as blackhat), they’re simply criminals.
This view is not unique among hackers but is less prevalent outside of the cybersecurity community. For Evans, the conviction is rooted in his own character, his personal history, and his employment history.
Neurodivergence and hacking
One of the questions we often ask is whether neurodivergence has played any part in the hacker’s ‘career’.
Statistics suggest there is a higher than usual ratio of neurodivergent characters working in cybersecurity, both adversarially and defensively. The possible causes are complex, and potentially affect two primary categories of the autistic spectrum disorder (ASD) – ADHD and Asperger’s syndrome. The effects are similar, and it is often difficult to distinguish between the two categories.
These effects include seeing and responding to problems differently than non-ASD people, and the ability for long periods of intense concentration. One potential personality difference is the Asperger’s side of ASD tends to be more introvert than the ADHD side. This can lead young Asperger’s people to spend a lot of solitary time with high intelligence and a computer, but without employment – and this may be relevant to the larger number of blackhat hackers being Asperger’s.
So, very loosely, we can suggest there is a tendency for ADHD people to find gainful employment in defensive security, while the attackers may tend toward the Asperger’s side of ASD. But – and this is a big ‘but’ – it is all unproven, possibly unprovable, conjecture. And this is why we ask the question: has neurodivergence played any part in your career?
Evans more easily defines his motivation as ‘intellectual curiosity’. “Neurodivergence? I don’t know. I’ve never sought a diagnosis. Maybe. I do know that when I approach a problem, I think about it differently to most people. I don’t know if that means I’m neurodivergent – you decide.”
Evolution
Evans grew up in the UK, at a time when the early home computers began to come home. His first computer was an Acorn Electron in the 1980s. “I was always tinkering with my computer rather than playing football. I wanted to know how it worked, but the manuals that came with it just weren’t enough to satisfy my curiosity. I’ve always been interested in the precise detail about exactly how something works, and interested in understanding something down to a very detailed level.”
These are the first two characteristics behind Evans the child hacker: deep curiosity, and a need for precise understanding. Computers provided what he enjoyed – an intellectual challenge. But this was pre-internet, and there were no online hacker communities that could lead a youngster into electronic mischief. In fact, the worst misuse of his learning that he remembers was making computer screens in his school’s computer room display unexpected messages to his friends.
“I found a way to send a message at an inopportune time – like when we were all supposed to be doing educational exercises – and interfering with someone’s screen with some silly message that I probably thought was incredibly witty at the time.”
Technically, this was hacking. He was using undocumented capabilities he had learnt by tinkering with a home computer to make school computers do something unintended. But it was never malicious. This is also fundamental to understanding Evans the hacker: he was never once tempted to use his growing understanding of information technology for nefarious purposes. As he matured (he studied chemistry at Oxford University) his sole interest has always been to convert the fruits of the intellectual challenge of computers into improving and securing everybody’s computer experience.
His career after Oxford never involved chemistry – it is a luminary path through major industries to the current position as CISO and chief hacking officer at HackerOne (see CISO Conversations for more detail on this). But he retained his interest and involvement in his own definition of hacking throughout his career.
Positivity
To the personality traits of curiosity, desire for precision in knowledge and a love of intellectual challenges, we can add one more characteristic: positivity. Evans is hugely positive about the hacking community and its power for good.
For him, hacking isn’t a choice; it’s more the effect of who and what you are. He doesn’t like labels for hackers, especially those labels that try to separate hackers into good and bad based on a personal gain motive. “I’ve been using my hacking skills for personal gain for the past 20-25 years via a career path I’ve enjoyed, and which has treated me reasonably well. But for ‘unethical’ personal gain? No. I hack for the intellectual challenge of not knowing if something is possible but trying to do it anyway. And sometimes succeeding and improving things – and that’s quite exciting.”
Improving what he hacks is an important motive. “As well as the intellectual curiosity and challenging myself, it’s something that benefits the security of people out there on the internet. I enjoy getting things fixed – that sense of progress when you leave something a little better than you found it. Hacking for me is about making people safer. I enjoy that along with the challenge of whether it is possible to do it.”
The labeling of hackers into different categories offends him. “You could do this series of hacker conversations for any profession. It could ask the same questions and would still be valid. My favorite would be bankers. Let’s say you want help with your retirement fund, so you go to a banker. But wait, do you look for a banker or an ethical banker? The point is that no-one runs around googling for an ethical banker, they just search for a banker.”
This reality has become twisted in the computer hacker world. We talk about ethical hackers when we should be just talking about hackers. People choose their own path in life. But Evans adds, “Most people in most paths end up using their skills productively, for good. Hacking is no different. Same with bankers and dentists and doctors and lawyers – most are trying to do good. Sure, there are a few bankers and others who do bad things, but we don’t invent a separate label for them: we just call them criminals.”
For Evans, the computer hacking community is “a huge community full of people using their skills to make things better. I think a computer hacker is someone with computer skills who will use those skills for good because that’s how most of us naturally orient our paths.”
But he is not unrealistic. Society does not always provide an innocent outlet for creative curiosity. “Back in the ’90s when computer hackers were just coming of age with new skills, there just weren’t that many obvious options or outlets for them to express and use that creativity,” he comments.
We’ve seen with other hackers in this series that curiosity with no outlet has led many young hackers to seek online communities (BBNs) of other curious people – often having to break the law to be able to afford the process.
“But now,” continues Evans, “when a hacker is growing up in today’s world and can afford to use the modern internet, there are just these obvious streamlined outlets that allow for intellectually challenging creativity, and even provide an economic reward.”
He is talking about today’s bug bounty programs. “I just wonder if needles have been moved as the world has changed over the decades.”
Opinion on the law
Anti-hacking laws are a complex issue for computer hackers, and perhaps an area where needles are slowly being moved. Laws in western societies are largely designed to protect the concepts of property and ownership. These concepts are fundamental to how we think and how we run our economy. It gets difficult where the property is intellectual rather than material, and the use of that property is not as beneficial as the property owner declares. Other members of the society can suffer from the property that the law protects.
Hackers are driven to improve the property for the users’ benefit. But the law exists to protect the property owner – which generally means the hacker must break the law to improve outcomes for the user, while improving the property for the owner. No owner enjoys the accusation that his product could be harmful, so has the natural inclination to deny and denigrate the hacker.
In the early days of computer hacking, intellectual property owners used the anti-hacking laws to silence the hackers. It is less common today. In the US the DoJ has recognized the difference between good faith (for the intended benefit of everyone) and malicious (for the intended benefit of the hacker alone) hacking. But it still happens, and independent hackers remain wary of the law.
Can the law ever solve this conundrum: protecting intellectual property while simultaneously allowing hackers to improve the quality and value of that property? “The short answer is yes, it’s possible,” says Evans.
“The longer answer,” he adds, “is the maturity of the law differs wildly from jurisdiction to jurisdiction. I think law usually trails society and must catch up from time to time. The law around computer hacking was written in an era of when we didn’t quite understand how things were going to develop – we didn’t understand that this variety of hacking was going to become a broadly acquired skill that was going to be used, by almost everyone with the skill, for good.”
When computer protection laws were first written (such as the CFAA in the US and the CMA in the UK) they were weak in defining the concept of ‘intent’. “The US is actually a little ahead of most other countries in this,” continues Evans. “The DOJ guidance on whether to apply the CFAA or not was updated a few years back, and it’s now very clearly intent-based. If you’re trying to do good, that’s good hacking. If you’re trying to steal someone’s money, that’s bad hacking, and you’ll get prosecuted. If we apply legal principles that exist in other laws to our hacking laws, including intent when assessing criminality, I think that is the path forward.”
The problem remains that this is simply guidance for prosecutors rather than something written into the law itself – on its own, it does not prevent bad faith vendors from suing good faith hackers. It is not common, but it still happens. The vendor is not likely to succeed, but the process can be costly and harmful to the hacker, and has a chilling effect.
This is one of the advantages of the bug bounty schemes run by organizations like HackerOne and Bugcrowd: the vendor invites the hacker to hack, and good faith (provided the hacker adheres to the disclosure rules) is clearly demonstrated.
Hackers and CISOs
Evans is both a CISO and a hacker (or maybe he is both a hacker and a CISO). This raises an interesting question: should CISOs, at heart, also be hackers? “I do see different types of CISOs. And I think the best CISOs I know have at least a hint of hacker about them,” he says.
“The CISO job is not an easy one. You must wade through a sea of almost infinite possibilities and work out which of those possibilities might, right here and right now, cause problems; and then know how to tackle those problematic possibilities. That’s a very intellectual problem and it’s not easy. To do this right, I think you must have the attitude of a hacker.”
He recalled his earlier definition. “A hacker is someone who can creatively overcome constraints and obstacles and I think as a CISO you’re spending a lot of your time doing just that. Firstly, you never have enough staff. That’s a constraint. There are a million things you could be looking into, but you must know which one is the correct one to investigate. That’s an obstacle. I think the best CISOs have a hint of the hacker about them; understanding and breaking down the nature of the problem and then applying creative solutions to solve them.”
It’s not a required criterion. “There are other ways to do this job. You can just follow a list of good practices and keep turning the wheel. But I think the best CISOs have got to be more creative about mapping what needs to be done overall onto what needs to be done now because of what’s happening now. The hacking mindset will get you further in accurately prioritizing what you need to be doing first.”
The CISO, he believes, benefits from being a hacker in mindset, and a computer hacker in specifics. “Having a better understanding of how your systems might fail (‘systems’ means people, processes and technology),” says Evans, “puts you in a better position to build the right safeguards to minimize the chances of these failures occurring.”
For Chris Evans, hacking is a way of life that can be applied to any profession rather than a skill to be acquired or a label to be used. And he has a firm belief that natural hacking is almost always used for good purposes.
Related: CISO Conversations: Chris Evans (HackerOne) and Nick McKenzie (Bugcrowd)
Related: Hacker Conversations: Ron Reiter, and the Making of a Professional Hacker
Related: Hacker Conversations: Kevin O’Connor, From Childhood Hacker to NSA Operative
Related: Hacker Conversations: Rob Dyke on Legal Bullying of Good Faith Researchers
Related: Hacker Conversations: HD Moore and the Line Between Black and White
