At what point do white hat hackers cross the ethical line?
- 15 August, 2015 07:10
In recent months the news of Chris Roberts alleged hacking of an inflight entertainment system and possibly other parts of the Boeing 737 have sparked a wave of controversy. Public opinion was originally on Roberts' side, but the recent publication of the FBI affidavit changed that drastically. According to the affidavit, Roberts admitted to doing a live "pen-test" of a plane network in mid-air.
Whether this is true or not, it raises some valid concerns over the ethical implications of white hat hacking. In the case of Roberts, who, according to the affidavit, was able to steer the airplane off the intended course, the consequences could have been dire. It is not believed that Roberts had any intention of hurting either himself or any of the passengers, but if the affidavit is in fact true, the possibility was real.
Some believe it all comes down to intentions. If a white hat hacker intends to do no harm and has no malicious agenda besides testing the security of the system in question (possibly looking to responsibly disclose any vulnerabilities discovered), many security professionals believe it to be ethical. After all, no harm was done, no data was stolen, and vulnerabilities were possibly discovered and reported.
But at what point does a white hat hacker cross the line? Where should the line of ethics be drawn?
It appears the term white hat means different things to different people. On one hand, there are professionals in the cybersecurity business who built their entire career on being strictly white hat. These security professionals must have strong principles and never do as much as scan, probe, or check without prior request and approval. They follow strict rules to protect both their reputation and their future earnings.
The definition, however, drifts when you move away from professional practitioners. Many people who consider themselves to be white hats would have no issue with, let's say, checking to see if their bank has an open IPMI port, as long as their motive was to notify the bank. To them, it is ethically no different from checking to see if the door is locked at night at their local bank. After all, their motives are pure.
Herein lies the main issue. Pure intentions do not mean the actions are ethical. However noble their intentions, white hat hackers can still, fairly easily, cause unintentional harm. Not to mention that they would be committing a crime, according to the U.S. Code, Title 18, §1030. Take for example security assessments of SCADA systems and critical infrastructures. If white hat hackers are conducting a penetration test on a critical system, such as the emergency hotline 911 (even with authorized access), it needs to be understood that the security professionals performing the penetration test can guarantee the system will be safe and 100% operational.
If the assessment was performed by an individual with a disregard for safety like Roberts on that plane, it might translate into a major threat to the population. The same applies to a plethora of other scenarios, where an overly-eager security professional might forget (or ignore) certain precautions in search of flaws in the system they are testing.
Organizations such as Google, Facebook, Microsoft, and others offer white hat hackers a reward program for those who discover vulnerabilities. In fact, Google has recently announced a new program for public discovery of Android vulnerabilities, offering successful white hat hackers up to $40,000 for submitting a high-quality, reproducible bug in the system.
These companies are prepared for public penetration testing and presumably have a plan in place in case an accident happens and part of the system malfunctions. Or they are simply willing to take the risk and reap the benefits of crowdsourcing. For most organizations, however, this is not a viable model, and white hat hackers need to acknowledge and respect that. Not just because it is typically illegal, but because it's unethical and can put people's lives at risk.
Krehel is the Founder and CTO of LIFARS, LLC, and a partner at CyberUnited LIFARS. With over two decades of experience, Ondrej is considered a leading expert in cybersecurity. He has been quoted in numerous security stories by CNN, the Wall Street Journal, Forbes, and others. Andersen is the Founder and CEO of CyberUnited, a cybersecurity, big data and predictive analytics consultancy firm, and a partner at CyberUnited LIFARS. He is also the Chairman & Founder of CyberTECH, a global cybersecurity and IoT network ecosystem providing cybersecurity strategic programs and quality thought leader forums across the nation.