On 19 April 2019, Marcus Hutchins pleaded guilty to authoring malware. It has caused the Information Security field to do a lot of soul searching about what it means to be white hat, black hat and just plain normal in our field. Like everyone who owns both a brain and a blog, I have an opinion. My opinion is not short and neat. There is no TL;DR.
I’m not going to dwell on the background. If you don’t know the story, you can read about how he stopped the WannaCry malware, the implications of his arrest on the field as a whole, what one investigation turned up, and his own personal statement after he entered a plea.
I remember learning how to round decimal numbers when I was a child. If it is 0.5 or higher, you round it up to 1. If it is less than 0.5, you round it down to zero. I remember being very frustrated at the seeming arbitrariness of it all. 0.5 is not 1. It is less. 0.49 is not nothing, it is something. In the case of Marcus Hutchins, I think a lot of people are trying to round him up or round him down and they are finding it difficult to do.
There are two approaches I disagree with:
- Insisting on rounding people. Insisting that people are either this or that rarely helps.
- Insisting that others use the same rounding method that I do.
Marcus Hutchins is 0.5. How much of an infosec hero and positive part of the community is he? Much more than zero. How much crime has he committed? More than zero. We simply cannot escape both of those facts. What good does it do to round him off? Instead, embrace the whole and deal with floating-point numbers and all their messiness. Humans are floating-point, not integers.
Crime is a Tough Topic for Infosec
It seems like crime is something we struggle with as an industry. Plenty of people had run-ins with the law early in their career and ultimately became important pillars of the community. Some of us broke the law knowingly on principle, fighting what we believed to be unjust laws. Others broke the law inadvertently or childishly. Still more broke the law deliberately to make a buck or to execute vigilante justice, but have since changed their minds or evolved their thinking. There are also plenty of well-known pillars of the community who never broke the law at all.
I see a few lines of reasoning that I will paraphrase. Since I’m paraphrasing, I’m not going to link to someone’s tweet, because then they would say “that’s not what I said”. (Yes, I’m aware this is a strawman argument)
- “You can’t call Hutchins a bad person because he committed a crime. Lots of us committed crimes when we were young, and we’re not bad people.” (Don’t put us in the same bucket as him)
- “You can’t call Hutchins a good person because he committed a crime. Lots of us never committed any crime when we were young, and we’re good people.” (Don’t put him in the same bucket as us)
There are those who argue that all good infosec people have probably committed some crimes. I saw one person argue the contrapositive: if you have never committed a crime, you are probably not a good infosec person. Likewise there are plenty of people pointing out that they have risen to significant positions of influence, are very important in the community, and have committed no crimes (discovered or undiscovered) at all.
This isn’t unique to infosec
If you dig deep in any field, you will find this same issue. There are finance people who did sketchy things when they were young and, having bootstrapped themselves financially, proceeded to have a successful and totally legal financial career. There are monopolist industrialists who were ruthless in building their early empire and philanthropic later with their wealth. You can find lawyers and medical researchers who did sketchy things early in their career and then played by the straight and narrow for the rest of it. I’m not saying these facts are OK, or that this justifies crime or excuses anybody. I’m simply pointing out that because the issues of crime, ethics, and morals are not unique to infosec, we can look outside infosec for possible solutions. Communities far older than infosec have wrestled with crime, ethics, and morals, and they found solutions. We don’t have to solve this tabula rasa.
Crime is Hardly the Only Divisive Topic
I can go on and on about the topics that divide Infosec. The fact that I can do so will make an important point. Consider the following statements where you will find significant numbers of people on both sides:
To be good at information security you have to know how to code
You’re gonna find huge populations on both sides of this: people who can barely write a syntactically valid Python script, and people who write code that itself generates polymorphic code. The statement that you must know how to code to be a valid part of infosec is not true, but it’s a statement that people make sometimes. Making it puts a bunch of people on one side and a bunch of people on the other, but it doesn’t help us as a field.
To be good at information security you have to create and use real exploits
Again, there are people who have never written a buffer overflow exploit or a SQL injection or whatever, but they are super valuable in the community. There are people who, on the other hand, thoroughly understand how to defend against malicious code precisely because they know how to write malicious code. This is another statement that is not true and isn’t helpful.
It’s important in information security to have a recognised certification
Another divisive topic. People will argue vigorously that certifications mean nothing. Others will argue that they’re generally valuable. Still others will argue that some are pretty good, but others are rubbish. Categorical thinking with respect to this statement is not helpful. Sometimes it’s true, sometimes it’s false, sometimes it’s a matter of opinion. Arguing this one way or the other might make some people feel invalidated or unwanted, but it won’t improve the field.
So What Does it Mean?
When there are such large populations on both sides of the issues, that means the community is large and can’t be neatly divided into us and them. That’s also a good thing.
It is not important to be good at sorting people into buckets. It is important to be able to make good decisions without sorting people into buckets.
Back to Marcus Hutchins
Let me ask one final, divisive question. Fast forward into the future when he has served his time, paid his fine, or completed whatever punishment he is going to get:
Would you hire Marcus Hutchins?
I think plenty of people will answer “No way. He’s been convicted of a crime. I need people I can trust.” I would agree with some of those people and disagree with others.
I think plenty of people will answer “Absolutely. His debt is paid, and he has a track record that demonstrates a sincere desire to do good.” Again I would agree with those people and might disagree with some.
There are going to be some doors that are shut to him because of his track record. There are businesses, situations, and people for whom non-zero crime simply must be rounded up to 1. There are going to be lots of opportunities, though, where he will do fine: places where his non-zero positive contributions will be rounded up to 1 and he will be given a chance to increase them.
Infosec is a Big Place, and There is Room Enough for All of Us
Infosec is just one of many big places. The world is a big place. Our communities are big. Humanity is an infinitely large space. Dichotomous reasoning does not work well here. Tribalism is tearing the online English-speaking world apart.
There’s room enough under the tent for all of us. There is no need to gatekeep and try to keep people out of the tent. Pick the right people for the job, and accept that not everybody is right for every job. Whatever we do, we as a community must resist creating litmus tests. And we have to do better than zero-tolerance and other black-and-white thinking about risk and security.
Image credit: question mark by Marco Bellucci