Artificial intelligence (AI) doesn’t stand a chance of being able to replicate the human creativity needed to become an ethical hacker, but it will disrupt how hackers conduct penetration testing and work on bug bounty programmes, and is already increasing the value of hacking to organisations that are prepared to engage with the hacking community rather than dismiss it outright.
This is according to the hackers who contributed to the latest edition of Inside the mind of a hacker (ITMOAH), an annual report from crowdsourced penetration testing firm Bugcrowd, which sets out to offer an in-depth look at how hackers think and function, and why they do the things they do. This year's edition unsurprisingly leans into AI in a big way.
When it came to the existential questions around whether or not AI could outperform the average hacker or render them irrelevant, 21% of respondents said AI was already outperforming them, and a third said it will be able to do so given another five years or so.
The vast majority, 78%, said AI would disrupt how they work on penetration testing or bug bounty programmes some time between now and 2028, with 40% saying it has already changed the way people hack, and 91% of hackers saying generative AI either has already, or will in future, increase the value of their work.
Outperforming a human doing repetitive, sometimes monotonous, work such as data analysis is one thing, but hacking as a vocation also encourages creativity of thought, and it is here that the community seems to feel humans will continue to have an edge, with 72% saying they did not think AI will ever be able to replicate these qualities.
“I’ve done a fair amount with AI, and as impressive as it is, I don’t think it will be replacing humans for quite some time, if ever,” said one respondent, a 20-year cyber security veteran who hacks on the Bugcrowd platform using the handle Nerdwell.
“AI is very good at what it does – pattern recognition and applying well-known solutions to well-known problems,” he said. “Humans are biologically designed to seek out novelty and curiosity. Our brains are literally wired to be creative and find novel solutions to novel problems.”
Bugs and issues
Another Bugcrowd hacker, who goes by the handle OrwaGodfather, added: “AI is great, but it will not replace me. There are some bugs and issues, just like any other technology.
“It can have an effect on my place in hacking, though. For example, automation has huge potential to help hackers,” said OrwaGodfather, who started hacking in 2020 and when away from his keyboard works as a professional chef.
“It can make things easier and save time,” he said. “If I find a bug when performing a pen test and I don’t want to spend 30 minutes writing a report, I can start by using AI to write descriptions for me. AI makes hacking faster.”
How are hackers using AI?
Whatever their gut feelings may be, Bugcrowd’s hackers are scrambling aboard the AI train, with 85% saying they had played around with generative AI technology, and 64% already incorporating it into their security workflows in some way – a further 30% said they planned to do this in the future.
Hackers who have adopted or who plan to adopt generative AI are most inclined to use OpenAI's ChatGPT (a Bugcrowd customer), cited by 98% of respondents, with Google's Bard and Microsoft's Bing Chat AI each at 40%.
Those that have taken the plunge are using generative AI technology in a wide variety of ways, with the most commonly used functions being text summarisation or generation, code generation, search enhancement, chatbots, image generation, data design, collection or summarisation, and machine learning.
Within security research workflows specifically, hackers said they found generative AI most useful to automate tasks, analyse data, and identify and validate vulnerabilities. Less widely used applications included conducting reconnaissance, categorising threats, detecting anomalies, prioritising risk and building training models.
Many hackers who are not native English speakers or not fluent in English are also using services such as ChatGPT to translate or write reports and bug submissions, and fuel more collaboration across national borders.
What is a hacker?
Over the past decade, Bugcrowd’s annual report has also served a secondary purpose, that of helping to humanise the hacking community and disrupt negative and unhelpful stereotypes of what a hacker actually is.
This is particularly important given that, in spite of years of pushback and attempts to educate, many people who should know better readily and intentionally conflate the term hacker with the term cyber criminal.
“We’ve taken on the responsibility of helping the market understand what a hacker actually is,” Casey Ellis, Bugcrowd founder, chief technology officer and report co-author told Computer Weekly at the recent Infosecurity Europe cyber trade fair.
“I think when we started, everyone assumed it was a bad thing,” he said. “Some 10 years on, we’re now at a point where people understand that hacking is actually a skill set. Like most skill sets, it’s dual-use. It’s like lockpicking. If you’ve got that skill, you can become a locksmith, or a burglar. There’s nothing wrong with lockpicking – it’s how you’re actually using it. Hacking is the same.”
Are the kids all right?
The 2023 ITMOAH report shows how some fundamental shifts in hacker culture and demographics look set to shake up the cyber security landscape in the coming years.
For the first time, the report reveals, the majority of active hackers, between 55% and 60%, are now members of the Generation Z cohort currently in their teens and early 20s, while between 33% and 36% are Millennials aged from their late 20s to early 40s.
And despite hacking’s cultural roots in the 1980s, only 2% are members of Generation X, those born between the mid-1960s and approximately 1980, the youngest of whom are now about 45 years old.
So, are the stereotypes of teenage hackers actually proving accurate, and more pertinently, are the kids all right? “We’re seeing a pretty rapid acceleration of participation from people that are under 18,” said Ellis. “It’s still a very small population, only 6%, but it’s up from 3% year-on-year, which is a big shift.”
He said this trend will become increasingly relevant because today’s teenagers think about technology in a fundamentally different way to those born even a few short years earlier.
“I’ve got a 15-year-old daughter and the way she interacts with technology is completely different to me,” said Ellis. “Her introduction to technology was all about the interface – mine was all about the plumbing. We just think about the internet in a fundamentally different way.
“Now, I know stuff that she’ll never know because I grew up with the nuts and bolts, but she’ll think about the interface in a way that I probably never will because I’m so consumed with the nuts and bolts.
“You talk about Millennials as digital natives, but Gen Z and younger are actually digital natives,” he said. “They’re able to wander through that environment in an intuitive way that we can’t really understand. I can try to empathise with that, and I can get most of the way there, but I recognise the fact I’ll never fully understand because it’s not my experience.”
This generation is also proving adept at challenging the mores and assumptions of their elders that have often been built into technology, and Ellis said this gives them an advantage in figuring out what is coming next, and where future vulnerabilities may lie.
The other part of this trend is that today's teens are more politically and socially motivated, and more diverse, than older generations. This factor is already changing the cyber landscape and will certainly continue to do so.
Take Lapsus$, the teenage-run cyber extortion collective that attacked the systems of ride-sharing service Uber in 2022 for no particular reason other than they didn’t care for Uber’s ethics.
“One of the big things that I’ve been saying since Lapsus$ is that as defenders, we’re not ready for a chaotic act,” said Ellis. “We’ve been thinking about cyber criminals, nation states, threat actors as having a symmetric motivation.
“A nation state wants to advance the nation, cyber criminals want money. They’re predictable. And there is symmetry in what they’re doing. Folks that come in with more of an activism bent, you don’t really know what they want. And in the case of Lapsus$, it’s like … we just want to make a mess because those guys suck. How do you defend against that? We haven’t really been thinking in that way since LulzSec, which was probably the last example of a group that did that.”
Of course, the teens on Bugcrowd’s platform are not attacking organisations in the way Lapsus$ did, but its story carries a lesson for the hacking community and for defenders alike: the potential to channel energy that might otherwise go into malicious acts into legitimate security work is immense.
The full report, which can be downloaded from Bugcrowd, contains a wealth of additional insight into hacker demographics (the gender gap is widening, likely due to the extra pressure the Covid-19 pandemic put on many women), motivations to hack, what hackers think ordinary security teams need to do better, and more besides.