"It could be Russia but it could be China, it could be lots of people. It could be somebody that sits on their bed that weighs 400 pounds." These comments, made during a 2016 presidential debate, may be among the most high-profile and cringeworthy incarnations of what I call the Basement Hacker stereotype. But even years later, the Basement Hacker idea persists. This outdated stereotype and media trope characterizes threat actors as isolated, dysfunctional, lacking formal training or organization, and clothed exclusively in black hooded sweatshirts.
At its core, the Basement Hacker represents a fundamental and ongoing misunderstanding of the modern cyber adversary. As Sun Tzu wrote in The Art of War, "If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." The Basement Hacker myth gives organizations of all sizes a false sense of superiority over threat actors, whom they perceive as untrained, benign, and weird. Left unchecked, this sense of superiority can spur complacency among the risk managers and executives who determine security budgets, leading to underinvestment in security teams, overreliance on automation, or both.
But the Basement Hacker stereotype is damaging in more subtle ways as well. Consider the perennial debate over the value of certifications and educational programs taking place among the large, vibrant, and forever-expanding community of aspiring cybersecurity professionals and the established industry players who market educational services and thought leadership to them. Industry veterans, emerging professionals, and cyber educators debate at length whether certifications are worth it, which ones to go for, and how to gain sought-after skills in the most economical way possible.
A recent social media post by a brand manager for a cyber training company asks rhetorically, "Why do you need a certification/degree to work in cybersecurity? The people who are exploiting your networks and applications don't have certifications or degrees." This post, and ones like it, receive robust engagement in the form of hundreds of reactions and dozens of comments and shares.
This message, firmly based on the Basement Hacker stereotype of an untrained and disorganized adversary, contains several elements of effective misinformation. It purports to boldly challenge the conventional wisdom (that cybersecurity employment requires a degree and/or certification) in order to build credibility. It uses sweeping generalizations to assert, falsely, that successful attackers lack formal training and credentials, a potentially attractive message to aspiring cybersecurity professionals who want to skill up for a job without breaking the bank. And it exploits the natural human insecurity that would drive a student to wonder, "Why am I spending all of this money on tuition or formal training when the truly elite hackers have neither?" The result? Perpetuation of the myth, as well as emerging professionals who are uninformed or underinformed about the true nature of the threat.
In fact, organizations like the Mandiant Intelligence Center, FireEye, and the Department of Justice, not to mention academic cybercrime researchers, have all documented the formal training programs, organizational hierarchies, and specific skill categories required of the world's most dangerous adversaries. For example, in its 2016 report, Mandiant/FireEye found that "there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology. The majority of the 'profession codes' describing positions that Unit 61398 is seeking to fill require highly technical computer skills. The group also appears to have a frequent requirement for strong English proficiency."
In June 2021, Brian Krebs reported on the hiring process for the Trickbot malware gang, where applicants "were asked to create various programs designed to test the applicant's problem-solving and coding skills."
As security professionals, we pride ourselves on knowing better than to buy into the outdated, harmful Basement Hacker stereotype. After all, we learned the hard way that our most dangerous adversaries are organized, well-funded, and highly trained. But even though the security professional community has mostly moved beyond the outdated Basement Hacker trope, the damage of its continued circulation threatens to further erode the security posture of organizations of all sizes at an already fragile moment in cybersecurity history.
If we counter the harm of the Basement Hacker stereotype, C-level leaders will more readily acknowledge that professionalized threat groups pose a security risk to organizations of any size and across all industry sectors. To achieve this outcome, we should avoid perpetuating the Basement Hacker idea wherever possible. We must also counter this narrative by disseminating a clear-eyed, comprehensive picture of modern threat groups.
Finally, more research is needed to understand the advanced persistent threat (APT) talent development pipeline. This research should cover the educational programs, hands-on training, and credentialing, as well as the nexus between military intelligence, private industry, and organized crime, that feed these highly trained and organized groups. Only then can we confidently claim to understand these sophisticated actors, who operate (almost) entirely outside of the basement.