Hacker Hegemony

Last year, in a fit of revolutionary zeal, I read a book called The Hegemony How-To by Jonathan Smucker. It’s a book by one of the figures in the Occupy Wall Street movement, about what he learned from that movement and what he thought left-wing political movements overall could learn from previous movements’ successes and failures, including Occupy.

In particular, an early chapter of the book called the “Life of the Oppositional Group” really struck me. It talks about “the internal life of social movement groups” as a way to start to understand how they work and why they behave the way they do. I like knowing how things work and why they work that way - that’s why I feel such affinity to the “hacker” world: knowing how stuff works is big part of the security and hacker ethos. So, I felt like this chapter was going to be one of my highlights of the book. The thing is, as I read it, I got more and more uncomfortable. It’s not that I thought Smucker was wrong - I have no basis to say if he’s wrong about political groups - I felt like I was being psychoanalyzed. With a few judicious word changes he could have renamed this chapter “Life of the Hacker Community.”

Before I dive into this, a warning: If you read this book - and I do recommend it - be patient with Smucker’s word choices. This is a book aimed at people who are comfortable with academic political writing. That isn’t me, so I found it hard to read. If you fight through that, I think the reward is worth it.

One of the central points of the internal-life chapter is that political organizations can become more than just a group of people tied together by a political goal - the group becomes part of its member’s identities. As people get more involved in the organization, they stop seeing themselves as a regular person and start seeing themselves through the lens of the group itself. A peace-loving person would stop being “a regular person who doesn’t like war” and instead label themselves “an anti-war protestor”. Membership in the group becomes part of the participant’s identity, and when it does, people feel really good about it. For example, for members of the “Student Nonviolent Coordinating Committee” (SNCC):

Instead of filling a series of largely unrelated roles (parent, employee, citizen), they filled only one role: SNCC worker. Instead of balancing in their heads a multiplicity of values, all of them tentative, they had one, certain, absolute set of beliefs. The group provided a world order that is far more complete and stable than any that individuals could assemble for themselves.

The group becoming a person’s identity can happen for totally understandable reasons.

Alienated by the dominant culture, many people seek to live a different story, an alternative narrative, or simply to find a community to which they feel they belong. Participating in a collective struggle can be a deeply fulfilling and integrating way of accomplishing this.

This joy comes with a few problems, though.

The first problem it causes is that people whose identity is tied to the group will start taking actions to reinforce that identity, even if it doesn’t further the group’s stated goals. Smucker talks about working with protest groups in Washington, D.C., and how the protest actions gradually disconnected from their actual effectiveness and instead focused on how they reflected commitment to the group:

Coming to a protest was good. Taking an arrest was better. But the pinnacle of resistance was to physically hammer on part of the arsenal of empire. I reflected on how some people granted me more respect and attention … the further I traveled down this established tactical path. The effect was that newcomers were socially encouraged to imitate rather than to innovate and be critical.

Even as this happened, the group members weren’t considering how those actions looked to the people they were trying to actually influence (e.g., the general public), and whether their actions actually brought them closer to their goal.

Often the only people who learn of the actions are a small number of military personnel and the small, already-sympathetic readership of these communities’ newsletters and websites. … [D]ramatic and temporary disruptions of the dominant culture’s representations (e.g., smashing up a business district) have sometimes been reflected back to millions of people through the mass media, but the public’s perceived meaning of the action differs severely from the actor’s intended or self-understood meaning.

The second problem is that identity-based groups become very inward-facing, and may appear hostile to new members. This can also show up as gate-keeping and as special language or terms that the group insists on using differently than the rest of society. All of these behaviors lead to the group talking mostly to itself. Smucker quotes Frederick Miller:

members may develop such strong cohesion among themselves that outsiders become unwelcome. In prolonged interaction, a group may develop an ideology that is internally coherent but virtually unintelligible to recruits and outsiders who do not share all of the member’s assumptions. … [S]uch groups have little chance of growing or increasing their influence. Most strikingly, they may lose interest in such things, contenting themselves with maintaining their encapsulated existence.

As I read this chapter (especially this last section), I kept coming back to how strong I felt the parallels were to the security world. “Hacker” feels to me to be as much an identity as “anti-war protestor”, with all the positive (feeling of belonging, unity of internal and external identity, etc) and negative (talking to ourselves, taking actions that only the group cares about) aspects of that. Personally, part of the reason I keep coming to the smaller conferences like Shmoocon is the sense of community and “belonging” that come with the conference.

I was especially struck by this when talking with someone who was new to the industry. They were looking through the Infosec memes accounts on Twitter to try to get a feel for the industry and were absolutely baffled. They were struggling to understand what the jokes were even about, never mind why they would be funny. They felt like they needed 5 years of experience in the industry to even get the jokes. If it takes years of experience to even get the random shitposts on Twitter, how much of our industry conversation is just talking to ourselves? I think it’s probably quite a lot.

As for doing things that are counter-productive, but signal a lot to each other, that behavior is all over the place in security: penetration tests (unit test of security controls, but not how companies are actually hacked), vulnerability/CVE counts (rarely accurate), even Capture the Flag competitions (prioritises tech trivia knowledge over hacking skill or defensive skill). We have countless ways to say to each other “look how leet I am” that don’t make a single difference outside our industry.

So what to do? I don’t have advice for others, aside from the general recommendation that you grab the book and give it a think yourself. Personally, I’m going to be attempting a lot more outreach to folks who don’t necessarily have the technical background I do. This blog & site in general are part of my efforts in that direction. Once conferences start up again (as of this writing everything’s shut due to covid-19), I may also go to fewer security conferences and substitute general technical conferences instead - while I like belonging to the group, the only way to not be insular is to talk to people outside the group.