The Economics of Computer Hacking

The Economics of Computer Hacking*





Peter T. Leeson
Department of Economics
West Virginia University


Christopher J. Coyne
Department of Economics
Hampden-Sydney College





Abstract

This paper considers various classes of computer hackers, with a special emphasis on
fame-driven versus profit-driven hackers. We use simple economic analysis to examine
how each of these hacking “markets” work. The resulting framework is employed to
evaluate current U.S. policy aimed at reducing the threat of computer hacking and shows
that this policy is largely effective. We consider policy adjustments consistent with the
insights of the framework provided as a means of strengthening cyber security.












* We thank Peter Boettke, Tony Carilli and Tyler Cowen for helpful comments and suggestions. The
financial support of the Critical Infrastructure Project, the Earhart Foundation and the Oloffson Weaver
Fellowship is also gratefully acknowledged.

---

1 Introduction

In the digital age cyber security is perhaps the most important form of security
individuals must be concerned with. Banks, schools, hospitals, businesses, governments
and virtually every other modern institution you can think of stores and organizes its
information electronically. This means that all of your most sensitive information—from
credit card numbers and checking accounts, to medical records and phone bills—is
accessible for viewing, stealing, or manipulating to anyone with a PC, an Internet
connection, and some computer know-how. The increasingly computer-based world is
increasingly vulnerable to malevolent computer hackers.

While we know little about these shadowy hackers we have a very clear picture of
the damage they do. In 2003, hacker-created computer viruses alone cost businesses $55
billion—nearly double the damage they inflicted in 2002 (SecurityStats.com 2004). In
2000 the total cost of all hack attacks to the world economy was estimated at a staggering
$1.5 trillion (PricewaterhouseCoopers 2000). In a 2004 survey of American companies
and government agencies conducted by the Computer Security Institute, over half of
respondents indicated a computer security breach in the past 12 months and 100 percent
of respondents indicated a Web site related incident over the same period (CSI 2004).
If anything these figures probably understate the volume of hacker-related
security breaches. Firms, especially financial institutions, are extremely reluctant to
report hacker-related break-ins for fear of how this may affect customers’ and
stockholders’ impressions of their security. In the survey of American businesses
conducted jointly by CSI and the FBI, nearly 50 percent of firms that experienced system
intrusion over the last year stated that they did not report this intrusion to anyone. The

2

---

primary reason cited for this was the perceived negative impact on company image or
stock (CSI 2004: 13-14), and similar findings have been corroborated by others (see for
instance, United Nations 1994; Schell et al 2002: 40). What can we say about the
enigmatic community of computer hackers and what can we do about the cost these
hackers impose?

This paper uses simple economic analysis to try and better understand the
phenomenon of hacking. In particular we are interested in creating a framework for
analyzing hacking that is policy relevant. Towards this end we divide the community of
hackers into three classes separated by motivation. The first class consists of “good”
hackers. These hackers illegally break into computer systems but voluntarily share
security weaknesses with those in charge of these systems. The second class of hackers
is fame-driven. This class constitutes a dangerous subculture of unethical hacking in
which members seek infamy and the accolades of their cohort by breaking into the
electronically stored information of vulnerable parties and wreaking havoc. The third
group of hackers is “greedy.” These hackers are not motivated by considerations of fame
but are instead driven by profits. Profit-driven hackers can be “good” or “bad”
depending upon which type of behavior yields the greatest monetary return.

An economic analysis of these distinct hacker categories yields important insights
for policy aimed at reducing the security threat posed by computer hacking. In Section 2
we offer a brief history of hacking. Section 3 discusses good hackers, Section 4
examines fame-driven hackers, and Section 5 considers profit-driven hackers. Section 6
turns to the policy implications of our analysis and Section 7 concludes.


3

---

2 A Brief History of Hacking
The history of hacking can be traced to 1960s America where members of the Tech
Model Railroad Club at MIT “hack” the control systems of model trains to make them
run faster, more effectively or differently than they were designed to. Around the same
time MIT introduces its Artificial Intelligence Lab where some of the first large
mainframe computers are located. With an innate curiosity for how things work, several
club members are drawn to MIT’s AI lab. These computers—called PDP-1’s—are large,
slow and extremely expensive to operate. To overcome some of these problems the more
clever programmers created “hacks”—system shortcuts—that make performing certain
operations faster and easier.
MIT is not the only locus of hacking activities. Computing think tanks, like Bell
Labs, are at it too. In one of history’s most important hacks, in 1969 two AT&T Bell Lab
workers, Dennis Ritchie and Ken Thompson, create the forerunner of the open source
operating system, which they name UNIX. UNIX quickly becomes the standard
language of computing. In its first stages hacking has nothing to do with illicit activities
or cyber-crimes. On the contrary, access is consensual and hackers improve systems
rather than defacing them.

In the 1970s, however, things begin to change. Hackers start to realize the
potential of hacking for personal benefit. In particular, hacking activities are increasingly
directed at the telephone—an activity called “phreaking.” In the early 1970s a Vietnam
veteran named John Draper discovers that the free plastic whistle that comes in boxes of
Captain Crunch cereal identically reproduces the 2600 Hz tone required to make long
distance phone calls. By blowing the whistle into the phone at the appropriate time

4

---

AT&T’s switching system believes that legitimate access has been granted to make a
long distance call and the caller is granted the ability to do so without paying.
After his discovery Draper takes on the pseudonym “Cap’n Crunch” and quickly
generates an underground following among hackers and phreakers for his creativity with
long-distance calling. Other hackers build on Draper’s innovation by constructing “blue
boxes” designed to aid in the long-distance phone fraud process. Notable hackers
engaged in such phreaking at the time include Steve Wozniak and Steve Jobs—the future
founders of Apple Computers. In 1978, two hackers from Chicago start a computer to
computer bulletin board, creating the first virtual meeting place for the growing hacker
community where members can share tips, stolen credit card numbers and other
information going into or coming out of their hacking activities.

Partly spurred by the publicity given to hackers in the 1983 film War Games,
partly spurred by the new affordability of personal computers, and partly spurred by the
increasing presence of the online world (ARPANET during this time is becoming the
Internet), the prevalence of computer hacking rises yet again in the 1980s. Among the
most important hacking developments of this decade is the emergence of hacker “gangs”
like the Milwaukee area’s “414” gang that consist of hacker die-hards who live to gain
unauthorized access to outside computer systems and wreak havoc. The 414 gang is
among the first to be apprehended and punished by the law for their cyber-crimes, which
include illegally accessing the computer system at Los Alamos National Laboratory
where nuclear weapons are developed, and breaking into the system at Sloan Kettering
Cancer Center in New York. The 414’s are not alone in the new world of hacker crime.

5

---

The “Legion of Doom” and the “Masters of Deception”1—two leading, rival hacker
gangs—are also born in the 80s. In response to the growing number of hacker-related
crimes, in 1984 the U.S. government makes it a crime to gain unauthorized access to
computer systems.

But hacker activity is not limited to breaking into computer systems. In 1988 the
world witnesses the first of a new type of hacker act—the Internet worm, which is
inadvertently spread by its creator Robert Morris of Cornell University. Morris is
identified, fined $10,000 and sentenced to three years probation. The late 80s also see the
first cases of hacker action directed at government. Several members of the West
German hacker gang, the “Computer Chaos Club,” steal electronically stored information
from the U.S. government and sell it to the Soviet KGB.2

In the 1990s the growing trend of hacker activity prompts the U.S. government to
perform surprise raids on the locations of suspected hacker outfits in 14 cities across the
nation (“Operation Sundevil”). Although arrests are made and many inside the hacking
community turn on their cohorts in exchange for immunity, hacker activity continues.
No longer is hacking mostly about the pranksterish behavior of teenage boys or petty
crime. Now hackers turn their talents to much larger deals. In 1995 two Russian hackers
steal $10 million from Citibank. In response to more serious hacker activities like this
one, in 1998 the U.S. government unveils its National Information Infrastructure
Protection Center, designed to protect America’s telecommunications, transportation and
technological systems from hacker attacks.

1 For a detailed account of the Masters of Deception see Slatalla and Quittner (1996).
2 For a detailed account this story see Stoll (1989).

6

---

In the new millennium, hacking—an activity once largely restricted to Americans
and Western Europeans—is a worldwide phenomenon. The seriousness of the crimes
perpetrated by hackers increases again as well. Hackers design “denial of service” hacks
that crash the networks of companies like Yahoo!, eBay, Amazon, and others, costing
them millions in lost business. The potency and prevalence of damaging viruses also
continues to grow, culminating in May of 2000 with the “I LOVE YOU” virus, which is
estimated to have cost the global economy close to $9 billion, the most harmful hacker-
created virus to date (CEI 2002).

As its history indicates, “hacking” refers to multiple activities. It includes, for
instance, breaking passwords, creating “logic bombs,” e-mail bombs, denial of service
attacks, writing and releasing viruses and worms, viewing restricted, electronically-stored
information owned by others, URL redirection, adulterating Web sites, or any other
behavior that involves accessing a computing system without appropriate authorization.
Furthermore, although for the most part hacking is restricted to computers, it need not be
and may be extended to fraudulent activities relating to telephones (e.g., tricking phones
into authorizing free long distance calls, so-called “phreaking”), credit cards (for
instance, creating gadgets to “steal” the magnetic code stored on credit cards and copy it
on to others), subway passes (for example, adulterating passes or pass readers to enable
unlimited free rides), parking meters (rigging parking meters to allow unlimited free
parking) or virtually any other item with electronic components. We restrict our
discussion primarily to computer hacking, although the basic principles we elucidate may
be applied to other forms of hacking as well.

7

---

Some hackers object to calling many of the destructive activities mentioned above
“hacking” and their perpetrators “hackers.” These terms, they insist, should be reserved
to the harmless (albeit often illegal) activities of computer enthusiasts who break into
systems, look around to learn how things work and leave things undisturbed. According
to this view the name “cracker” should be applied to the malicious “cracking” behaviors
enumerated above that are all to frequently conflated with harmless hacking. While we
recognize this difference we nonetheless opt to refer exclusively to hackers and hacking
throughout our discussion. On the one hand, in most cases, both hacking and “cracking”
involve unauthorized access and so constitute security threats whether or not the
individual breaking in uses her illicitly gained access to do harm. Second, for better or
worse, in the parlance of our day “hacking” refers to the activities that we describe and
the general public does not have the nuanced appreciation of illegal computer activity
that members of the hacking community do to merit the terminological distinction
implored by some members of this community.3

3 Good Hackers
While the psychology of hacking is still in its nascent stages, initial research seems to
have come to some consensus regarding what motivates hackers to hack. Individual
hackers and hacker gangs operate in the context of a larger underground social network
or community consisting of similar individuals. The best empirically grounded work that
examines the hacker mind therefore draws primarily on interviews and surveys

3 As Dann and Dozois put it: “just about everyone knows what a hacker is, at least in the most commonly
accepted sense: someone who illicitly intrudes into computer systems by stealth and manipulates those
systems to his own ends, for his own purposes (1996: xii).

8

---

administered to members of this underground community. We will briefly overview
some recent findings of this small literature below. Before doing so, however, we should
point out that members of the hacking community are notorious for lying to journalists,
researchers and others who approach them for information about how they and their
associates work. Many hackers seem to “get a kick” out of misleading scientists or
generally giving others a false impression about their reasons for hacking (Platt 1997:
53).4 Of course, this fact must be kept in mind when considering the results of research
aimed at identifying hacker motives. Nevertheless, this data is the best we have to date
so we must make use of it unless we are to avoid empirical investigations of the subject
altogether.

The most current and comprehensive data regarding hackers’ demographics,
motives, lifestyles, etc. is that collected by Schell et al (2002). These researchers
surveyed over 200 hackers who attended two of America’s largest hacker conventions
(yes, there are annual hacker conventions in which hackers from across the globe get
together to share tips ranging from the latest computer hardware to how to steal credit
card numbers stored electronically) in July of 2000. These conventions included the H2K
convention in New York and the DefCon 8 convention in Las Vegas. In addition to
administering anonymous surveys, researchers randomly interviewed some hackers with
in depth questions (again on the condition of anonymity) when hackers would agree to do
so.

The total size of the hacking community is unclear, though by most accounts it is
fairly small. According to Sterling, “some professional informants . . . have estimated the

4 Taylor suggests that hacker manipulation of the media is partly in order to “revel in the subsequent
notoriety” that stigmatizing themselves creates (1999: xiii).

9

---

size of the hacker population as high as fifty thousand.” However, “This is likely highly
inflated . . . My best guess is about five thousand people” (1992: 77). While we know
little about the total size of the hacking community we have a very good idea about its
gender proportions. Consistent with figures from others which suggest the population of
hackers is overwhelmingly male, only 9 percent of those surveyed by Schell et al (2000)
were female (see for instance, Taylor 1999; Gilboa 1996). Also consistent with older
findings, most hackers surveyed were under the age of 30, with a mean age of about 27, a
mode of 24 and a median of 25 (see for instance, SRI 1994).

The motivation for hacking varies but a significant proportion of hackers
surveyed indicated innocuous reasons for their behavior. 36 percent said they hack to
“advance network, software, and computer capabilities,” 34 percent claimed they hack
”to solve puzzles or challenges,” and 5 percent said they hack to “make society a better
place to live.” If we can believe these numbers the overwhelming majority of hackers are
harmless. It is true, in gaining unauthorized access to computer systems they pose
potential security threats. But they do not themselves cause damage. Of course, to the
extent that they share security holes with other less responsible members of the hacking
community they indirectly jeopardize computer users; but it is unclear to what extent
“good” hackers do this.5

Among these good hackers there is some part of the population that performs a
questionably valuable service to computer users. Some of these hackers report security
holes to programmers and systems operators of computer systems where they find

5 In the early 1980s an elite group of hackers calling themselves the “Inner Circle,” formed to pass new
information gleaned from their hacking activities between one another without making this information
available to unethical hackers who would abuse it.

10

---