Report
January 14 2022

Wearing Many Hats: The Rise of the Professional Security Hacker

Matt Goerzen
Gabriella Coleman

Wearing Many Hats: The Rise of the Professional Security Hacker chronicles the largely untold history of the hacker-turned-professional. Through this seminal work, researchers Matt Goerzen and Gabriella Coleman collaborate to chart the movements of the digital underground during the 1990s to reveal what underground technologists, or “hackers,” did—technically, linguistically, and culturally—to establish their legitimacy as employable, trustworthy security experts. Over the course of a decade, hackers were able to legitimize their professional place in society by 1) negotiating full-disclosure security research practices in which hackers and technologists openly published security vulnerabilities; and by 2) reconfiguring their image through a combination of PR stunts, media collaborations, and rhetorical interventions that gave rise to the adoption by hackers of imaginary hats (black, white, and gray) that expressed one’s level of willingness to work inside or outside the law. Both efforts proved sufficient in transforming a fringe, underground subculture into a security-minded workforce whose members are now recognized as trustworthy security experts and legitimate employees of governments and corporations.

Based on dozens of interviews and expert analyses of archival data, Goerzen and Coleman’s collection of this previously (mostly) untold history of the digital underground during the 1990s not only reveals a transformative period in which hackers transitioned from security risks to security professionals, but also provides insight into how many in the digital underground became outspoken advocates of both computer security and the public interest despite being characterized by government, private enterprise, and the media as anarchists and criminals. In doing so, hackers were foundational to the crystallization of a vision of what “computer security” even meant; some were instrumental in defining and pioneering core security protocols such as bug bounty programs. Alongside technical processes of vulnerability discovery, system auditing, and security-oriented engineering processes, that vision of computer security involved social mechanisms for information sharing, agenda setting, and policy. Together, those practices informed what we know today as cyber security.

Though the role of the hacker became securely professionalized, the classification of hackers (as black, white, and gray hats) masks ongoing negotiations around ethical commitments in computer security, creating an open debate as to what counted as security—security for whom and from what. The 1990s professionalization of the hacker has set the stage for the next period of struggle over the concept of security in the modern world.