Joe Tidy – the BBC’s Cyber-security Correspondent reports on the stereotyping of computer hackers.

What does a hacker look like? If you were playing Family Fortunes I bet a large amount of Bitcoin that ‘our survey says’:

‘Boy in hoody in his bedroom up to no good’

If you asked Google images you’d definitely get that result. Complete with matrix-style code of 1s and 0s floating down the screen. Some might even have a Guy Fawkes mask now synonymous with the Anonymous collective.

But not all hackers are a part of Anonymous and not all hackers are teenage boys wearing hoodies.

Since I started my full-time specialist role at the BBC I made a promise to myself – never illustrate my stories with hackers in hoodies.

I’m glad to report I’ve largely succeeded. I don’t want to say 100% as I’m sure there are some occasions (I know of one!) where a producer has snuck in a ‘hacker in a hoody’ after I filed my report with a different picture. Apparently my picture was “not dramatic and iconic enough”!

I get it. Those pictures of hackers in hoodies with their faces obscured are scary and do the job of getting readers or viewers interested. But they are also often inaccurate and are helping to perpetuate a huge misconception with cyber crime.

There is no ‘one look’ for hackers. It’s like saying there is one look for a criminal. It’s like using a cartoon of some guy in white and black stripes with a swag bag to illustrate all stories about robberies or burglars.

I’ve interviewed dozens of hackers of many different stripes. It is fair to say that a lot of them have been teenage boys (minus the hoodies), but the types of cyber crime they are accused or guilty of is often akin to low level theft or vandalism. For example, when I was at Sky News I interviewed one of the teenagers who took PlayStation Network offline at Christmas in 2014: https://www.youtube.com/watch?v=fPX8yCBdIZ8

I’ve also interviewed other teenagers for the BBC who were making thousands of pounds from stealing Fortnite accounts or creating cheats for other video games. The list goes on.

But then there’s ‘Comedi’ from Anonymous.

He was a father of 2 (or 3 – he never confirmed!) living in Texas and using his hacking skills to attack the terrorist group ISIS once he’s put his kids to bed. He and his team, all likely in their 30s or 40s worked late into the night to take Islamic State websites offline or post Viagra adverts on the terror group’s websites.

Yes he wore a hoody for our interview – but even he – a member of Anonymous, didn’t actually have a Guy Fawkes mask so had to improvise with some of his wife’s tights!

https://news.sky.com/story/anonymous-more-help-needed-to-take-is-offline-10336814

It’s true to say that the perception of hackers is changing and the rate of change has accelerated in the last couple of years. Stories of hackers paid for by nation states are now routinely in the news thanks to some public naming and shaming from US, UK and EU intelligence operations.

If we were playing Family Fortunes, I’d like to think a small proportion would have answered something like:

“Russian man in a balaclava.”

I find this one particularly funny as I was once talking to some hackers about a major operation they were planning and asked for a ‘proof of concept’ video. They sent me this: https://youtu.be/sUtoxEZvPyY

So even the hackers themselves seem to play up to the image!

But joking aside, these nation state hackers are not playing.

Critical infrastructure like water and power are routinely being targeted by these well-funded and patient hackers. In some cases lives have been put at risk. All the most serious cyber attacks have originated from these types of government-backed hackers.

Teenage hackers in hoodies they are not. These are often military-minded staff who work in well-organised teams 9am-5pm and go home to their wife and kids. They have targets and appraisals and tea breaks.

It’s not just Russia of course but we know North Korea, Iran and China employ these types of hackers extremely effectively to spy, steal valuable trade secrets or disrupt their adversaries.

And yes the UK and the US have similar operations. In fact the UK only this month announced that a formal name and designation to so-called ‘offensive cyber-operations’ that they’ve been doing for over a decade – the National Cyber Force.

Then of course there are the criminal gangs who will stop at nothing to milk large victim companies out of as much money as they can. These are the hardest hackers to picture.

Often all we know about these hackers is the strange words that are left inside the code of their malicious software. These words are what leads cyber security researchers to come up with odd names that the gangs are known by. Names like ‘R:Evil, Gand Crab, Ragnar_Locker, Egregor’.

We might not be able to picture them but it’s a safe bet they are not teenage boys in hoodies. These are well-run and dangerous criminal organisations with programmers, money launderers and expert negotiators.

As someone from the National Crime Agency recently put it – these are organised crime networks that just happen to specialise in hacking.

So does it really matter what images we use to illustrate our stories about hacking? I think it does. Oversimplifying the image of cyber crime oversimplifies the dangers and can lead to complacency and misunderstanding.