You’re unlikely to receive a business card that reads honest accountant, moral lawyer or truthful estate agent. These words may describe the card holder perfectly, but most professions do not feel the need to assert their moral character. Meanwhile, without a hint of irony, we as offensive security professionals make a point of introducing ourselves to associates and clients as ‘ethical’ hackers. It’s a strange quirk of an industry that evolved from a hacking subculture built on pushing boundaries, and one that has yet to gain the inherent trust of the public and legal institutions.
The need for reform
Unfortunately, there are elements of ethical hacking that exist in a legal grey area, and the actions of hackers are open to misunderstanding. A recent example from the US involved two penetration testers hired to assess the physical security of an Iowa courthouse. They were arrested, charged and jailed for entering the courthouse, despite it being a planned security test commissioned by the state itself. This case says a lot about how legal systems perceive and treat hackers – even qualified cyber security professionals. It is a situation akin to a pharmacist being arrested for drug possession, and it could easily have been avoided.
There is a school of thought, championed by some in the cyber security industry, that governments should extend greater protections to ethical hackers to enable them to work without fear of reprimand. Lauri Love, a security consultant and British hacktivist previously wanted by the US for alleged hacking activities, recently spoke at a Redscan roundtable event arguing the need for ethical hackers to be recognized as a new class of citizen. Among his suggestions was that trained professionals could be granted special rights to access and assess systems, similar to the powers that National Crime Agency Specials have.
Many parts of the British infosec community are also keen to see reforms to the now 30-year-old Computer Misuse Act, which, campaigners say, was originally designed to protect telephone exchanges and inadvertently criminalizes many modern cyber defense practices.
Dispelling the stereotype
A good starting point for the debate over whether to extend protections to ethical hackers is to consider the vital work being done by the hacking community worldwide. Professional penetration testers, also known as ‘white hats’, are commissioned by businesses in their millions every year to assess and improve security defenses.
The perception of all hackers as criminals – an image commonly perpetuated by mainstream media’s depiction of teenagers in dimly-lit bedrooms on the fringes of society – is deeply misguided.
While not seeking to defend the treatment of every convicted hacker (it’s right that those committing serious crimes are brought to justice), there are, historically speaking, cases of young hackers being prosecuted for offences unrelated to personal gain or cyber-terrorism. Ninety percent of Computer Misuse Act prosecutions now result in a guilty verdict, higher than the average across all criminal offences (75-80 percent).
Rather than being quick to judge and punish young hackers for misdemeanors, perhaps a better approach is to focus on steering talent down the right path through better education and reform programs. Given that the predicted global cybersecurity workforce gap currently stands at 4 million workers, we should be doing all we can to encourage young hackers to enter the industry rather than ostracizing them from it.
The case for extending protections
To do their job most effectively, ethical hackers must think outside the box to identify and solve technical challenges. However, they must also be incredibly careful not to overstep the mark. A popular analogy is that they can ‘open the safe but not look inside’; an idea that holds up better in theory than it does in practice. In the process of assessing systems and networks, there is a risk that professional hackers may unintentionally access sensitive information that many people, including the data subjects, would rather they didn’t. Is it right that hackers should be held accountable for such breaches simply because they excelled at what they do?
In the same way that a police officer can investigate a person or location if they adjudge there to be reasonable grounds to do so, there is an argument that trusted hackers should be able to inspect the security of websites and public-facing applications with more of a free rein. Currently, professional penetration testers conduct assessments only with the clear consent of the owner. But would it not be prudent to give security professionals more freedom to assess systems in the public domain, and to disclose the weaknesses that pose a significant security risk, without fear of reprimand?
Bug bounty and responsible disclosure programs do offer some protection to hackers who wish to apply and hone their skills in the real world, but, big tech companies aside, the vast majority of organizations do not operate such programs. The ones that do often attach caveats: to receive payment for reporting vulnerabilities, hackers are frequently required to sign non-disclosure agreements. This can lead to some companies leaving weaknesses unpatched, or not addressing them as quickly as they should.
The case against
One of the strongest arguments against granting ethical hackers greater protections and freedoms is that any such power is open to abuse.
Police powers have evolved over hundreds of years. Clear pathways for escalating those powers have been developed over time and have been tried and tested in the real world. How would similar rules around ethical hacking be developed and applied? What grounds would a hacker need to justify testing a system or application?
Consider also that the techniques used by cybercriminals are constantly evolving. If we create new rules for what hackers can and cannot do, those rules would need to be revisited frequently.
Of course, an ethical hacker’s situation and intentions are also susceptible to change. Imagine a hacker with a great track record who gets into a bad financial situation; might there be a temptation to use their skills to commit a crime?
Deciding who is and isn’t eligible for legal protections would also be extremely difficult. No central organization exists today that could train and accredit ethical hackers in the same way that police authorities regulate their officers.
Hackers who do find themselves on the wrong side of the law have a long history of being alienated and misunderstood, and often feel they have been failed by the system from a young age.
There undoubtedly exists a huge base of exceptionally talented individuals who could help society if encouraged and channeled in the right direction. Young, would-be hackers want respect as well as real opportunities and responsibilities.
Perhaps creating a new class of citizen for professionally trained ethical hackers is not practical in the short term, but with cybercrime continuing to increase rapidly across the world, maybe a more radical approach is needed if we are to make progress in the future.
In the meantime, it’s important that society’s perception of hackers continues to develop beyond the stereotype. Legal institutions and regulators need to accept the positive role that hackers play in protecting people and organizations, and work closely with professional bodies in the security industry to improve frameworks and protections accordingly.
Mark Nicholls, CTO, Redscan