
Hacker Conversations

Hacker Conversations: Kevin O’Connor, From Childhood Hacker to NSA Operative

Kevin O’Connor knew he was a hacker by the time he was in Middle School. He went on to work for the NSA and is now director of threat research at Adlumin.


In this edition of Hacker Conversations, SecurityWeek talks to Kevin O’Connor, a high school hacker who went on to work for the NSA. He is now director of threat research at Adlumin.

Nature or Nurture? It’s a psychological – almost philosophical – question that will never be adequately answered. Take the hacker. Hacking is innate to most hackers: it is nature. But the boundary between blackhat and whitehat owes more to personal opportunity and moral compass: that is nurture. The origin and type of hacker may well be a nature/nurture composite – it’s a large part of what this series seeks to understand.

Kevin O’Connor knew he was a hacker by the time he was in Middle School. “A hacker is somebody who looks at things they aren’t supposed to look at; or likes to use things in ways they’re not designed or expected to be used.” ‘Repurposing’ legitimate tools is a common part of the hacker conversation. But notice that there is also no concept of morality or immorality involved; pure hacking is completely amoral. “Hacking is simply the practical application of knowledge,” he continued.

Becoming a hacker – and getting caught

O’Connor’s involvement with hacking began in middle school after he pestered his parents for a laptop, to help with his schoolwork. “I became a geek around the sixth grade. I just wanted to be cool. By the seventh grade I had figured out how to bypass the log-in for Windows. I was using the computers at school to show off to my friends – a way for a geek and nerd to show off, to gain popularity.”

Kevin O’Connor, a high school hacker who went on to work for the NSA. He is now director of threat research at Adlumin.

As his skills progressed, his hacking was never done for serious immoral intent – more the lulz than anything else. “I was just deleting things like cached passwords and doing stuff to get access to the systems – I had a couple of bypasses I could use – after accessing the command prompt. I used to do it just to mess with the systems and things like that.”

Was he ever tempted to go deeper into the shady side of hacking? “Oh, for sure,” he said, “especially in my younger years. I was on the early internet, trying to scan up [gain access to] systems in foreign countries and access whatever data I could. I remember being in a chat room with Adrian Lamo at one time – I was still trying to be the cool kid.”

While in Middle School, like almost all curiosity hackers, he was busted. “I got caught,” he explains. “I accidentally bricked the five computers used by my language arts teacher. She was young, but close to the vice principal for my grade.”

Intervention and the boundary between black and white

He was caught but not punished. Instead, the school enrolled him in the MOUSE program. MOUSE stands for Media, Outreach, and Science Education, and mouse.org still operates today. It describes itself as “a nonprofit organization that empowers students to create with technology, solve real problems, and make meaningful change in our world.”

It would be pure conjecture to consider this a turning point in O’Connor’s development. But if he hadn’t been caught, what direction would his hacking have followed? If he had been put on formal probation, would he have become resentful? If he had been sent to a juvenile detention center, who would he have mixed with?


Instead, MOUSE taught kids how to use computers and run computer networks. “And they sent me and three other kids to Columbia University for a couple of weekends to learn how to help out and manage the school’s computer systems. I met this guy called Storm – a real hacker-type. When I got back to Middle School, I was like a second tier tech support, going around the classrooms and fixing computers.”

O’Connor has little doubt about the importance of the MOUSE intervention to his future approach to computing. “Sending a young kid to Columbia University to learn how to use computers at such a young age – that’s transformational.”

However, it would probably not have been enough, on its own, to tip the balance firmly away from the shady side of hacking. This almost invariably comes from the concept of the moral compass. Where the moral compass comes from is not easy to understand except that it is almost entirely down to nurture – or how one is raised. It may be easier with O’Connor: “My dad was a cop, my grandfather was a cop, both in New York City.”

Education and the NSA

After school, he went to Penn State University. He had an older brother who was very successful academically, and he was expected, and wanted, to follow in his footsteps. Originally, he planned to study biomedical engineering or aerospace – cybersecurity was not the mainstream career opportunity it is today.

“It wasn’t until my junior year that I really found my computer science passion. I started studying something that was a part of my personality, like hacking was a part of me, with the intent to make it my professional objective.”

The course was largely focused on risk analysis, and he majored in security and risk analysis. “The program at Penn State,” he added, “was almost a feeder program for analysts at agencies like the CIA, so a lot of it was focused on early intelligence analysis. We had folks like General Hayden come and talk to us about cases the agencies had worked on.” O’Connor progressed to work as an intern with the NSA while he was at Penn State.

At one point, three NSA staff visited the university to talk about the NSA and what it does. “I recognized one of these guys was a hacker through and through,” said O’Connor. “We use the word grok – we spoke the same language. He showed me a business card from the late Kevin Mitnick. It was metal and had lockpicks that you could poke out of the business card. I thought that was cool, and the hacker and I really hit it off.”

He thinks this relationship was partly why the NSA came back to him after university. “I started working there. The first summer wasn’t the most exciting, but it was a great foot in the door – I worked on things like Common Criteria. After that I joined a development program to rotate throughout the agency. I got to go to the Naval Postgraduate School, and then focused on cybersecurity defense and secure architectures. I got to develop tablets for senior executives in the US government, and did a lot of work on developing systems to handle and transmit top secret data.”

Then he got back to his roots. “In one of my rotations I got back to my real passion – the hacking stuff. I worked for the Computer Network Operations group. These are the folks who go out and collect foreign intelligence for the government – we were the US Government hacker team.”

O’Connor is proud of being an NSA hacker. “I don’t care what people’s opinions are on the intelligence community or the NSA – the people working there are some of the most talented and dedicated individuals you’ll meet.”

O’Connor’s hacking days had come full circle, from starting as a child hacker doing it for the lulz to a professional hacker doing it for his country.

Nature vs nurture

So, what does the Kevin O’Connor history tell us about ‘nature versus nurture’ in the development of the hacker? Almost all hackers say they were born hackers. O’Connor is no different — hacking is part of his psyche. It was not something he wanted to be, but something he realized he was. There is little doubt that almost all hackers are born hackers.

One complicating factor is neurodivergence. Statistically, a large proportion of hackers are neurodivergent. O’Connor is neurodivergent, with ADHD. He believes the rapid multitasking symptom, ‘the mind of a butterfly’, associated with ADHD is a boon to hacking. But again, is neurodivergence innate or developed? Many believe it is nature that can only be ameliorated or worsened by nurture (the parent calling a divergent child ‘lazy’ is no help; the prescription of medication can be a help).

It would be a stretch to say that neurodivergence creates hackers, but it is probably a factor in their development. Possibly more so with the second major neurodivergence (short of full autism): ASD, fka Asperger’s syndrome. ASD comes with two common symptoms: social difficulties and an ability to hyperfocus on a subject or problem. 

An innate hacker with a computer and the ability to hyperfocus, but with limited social skills and a tendency to be alone, is the meme of the blackhat. If both the hacking tendency and the neurodivergence are innate, should we say that blackhats are the product of nature?

It’s tempting, but from birth onward, nurture becomes more important to developmental progress. It is nurture that develops a person’s moral compass, and it is the personal moral compass that guides hackers away from immoral toward moral hacking. O’Connor gained his moral compass from his family. He readily owns that 9/11 had a deep effect on him — he realized he wanted to use his skills to fight ‘evil’ rather than for any personal gain.

“Terrorist events like 9/11 had a dramatic impact on me. I think later joining the NSA was my way of supporting our country in the global war on terror — using the skills and the passion that I had developed when I was younger.”

He also benefited from another nurturing event: positive intervention. The MOUSE program was a beneficial alternative to punishment for the child hacker. In his own words, it was ‘transformational’.

Hackers exist. They will probably always exist. But they need not become blackhats. Encouraging the development of a strong moral compass, through family, schools, and social workers, and supporting this through positive intervention, can help make the hacker a power for good rather than bad.

But beware of generalizations. All hackers and their histories are different. You could almost say it takes a hacker to know a hacker – they have this ability to recognize each other even on first meeting. They grok each other.

Kevin O’Connor started off a little shady. Positive intervention and the emergence of his moral compass shifted his direction. He is now director of threat research at Adlumin.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
