Ethical hackers bring value to organizations by finding security loopholes before someone with malicious intentions finds them. It seems only natural that they would be viewed with respect. However, things are not as simple as they seem. Ethical hackers can be subject to legal action, even if they hack systems with good intentions.
Ethical hacking is deemed acceptable if it is solicited by organizations. But even then, it does not make such hacking immune to legal action. Most precarious is the position of those hackers who break into systems unsolicited but with good intentions. Laws governing ethical hacking are currently inadequate and vague. The issue of legal protection for ethical hackers needs serious focus. The scope of work and other legal provisions need to be determined.
What Is Ethical Hacking?
So-called ethical hacking is the practice of breaking into systems with the intention of finding security issues, but without any malicious intent. Ethical hackers tend to let the owners or stakeholders in the system know their findings. Ethical hackers can do their jobs either solicited or unsolicited. Organizations formally solicit hackers to test their systems, an arrangement known as penetration testing. Hackers test the systems and usually provide a report at the end of the job. Unsolicited hackers, on the other hand, test systems for various reasons of their own. Solicited hacking is potentially less hazardous for hackers than unsolicited hacking, mainly because unsolicited hackers lack formal approval. (Learn more about the positive side of hacking in 5 Reasons You Should Be Thankful For Hackers.)
Ethical hacking is a beneficial and preventive practice, and is frequently solicited. However, ethical hacking can still cause many different problems. For example, a hacker who starts with good intentions may still be tempted to misuse what they find at some stage, and the lack of a legal agreement can lead to a messy situation.
Ethical Hacking and Law – A Case Study
Ethical hacking, on the surface, might seem a practice with good intentions that should invite only praise and gratitude – this has not always been the case. In 2013, a member of parliament (MP) in the Netherlands faced legal action for pointing out a security flaw in a medical center website. The MP had logged into the medical center website with publicly available credentials and chanced upon a serious security issue. When the MP made his findings public, he was slapped with legal charges by the medical center. The incident raised many different questions about ethical hacking. The MP was not a professional hacker – far from it, he was not even computer-savvy. He accessed the website with credentials available on the internet, and unintentionally gained access to confidential records. To let the medical center know of his findings, he would have had to go through a bureaucratic process. Judging the situation to be urgent, he got the news out through the media instead. It might seem both absurd and ungrateful that instead of acknowledging his input and thanking him for pointing out the security flaw, the medical center decided to prosecute him. Clearly, there are many issues around ethical hacking that need resolution. (For more on hacking, see For the Love of Hackers.)
Is Ethical Hacking Really Ethical?
On the surface, ethical hacking is an ethical action that benefits organizations. There are many hackers who, solicited or unsolicited, have been finding security flaws in systems before someone else with bad intentions finds them. Ethical hacking is practiced in most organizations to different degrees, either internally or by hiring specialized hackers. However, software security is a vast and complex area, and internal testing may not always reveal all flaws, especially in the case of large and complex applications handling sensitive data such as financial or defense data. In such cases, you need specialized hackers to find security flaws. Having said that, it is the hacker who determines how ethical the hacking will be. To understand this point, consider the following issues:
- What if the ethical hacker performs unethical actions during the course of the hacking job? For example, what if the MP in the Netherlands had sold the confidential data instead of pointing out the security flaw?
- A solicited hacker may exceed the scope of work and venture into software sections not allowed as per the agreement.
The above scenarios are not outside the realm of possibility, and they give us strong reasons for implementing a strong legal framework governing ethical hacking.
Does Ethical Hacking Need Legal Protection?
There is no doubt that ethical hacking is beneficial for organizations. Rather than merely granting legal protection to ethical hackers, focused laws defining the scope of work and the roles and responsibilities of both parties need to be passed. The laws should address the following issues:
- The definition of ethical hacking
- Should ethical hacking be done only when solicited formally? Even so, there will be many opportunities for unsolicited hacking. How will unsolicited hacking be viewed?
- Only formal and detailed agreements between the hacker and the organization will be treated as solicited hacking. The agreement should derive content from the broader legal framework.
- Time is a critical factor in addressing a security flaw. When a security flaw is identified, it may need an immediate fix to prevent unauthorized breaches. Will every organization facilitate swift acceptance of the issue description and the necessary action? Bureaucratic procedures can delay action and leave an opening for unauthorized hackers unaddressed. Will unsolicited hackers be punished if they bypass bureaucratic procedures and use other information channels, as the MP did in the Netherlands?
- The legal agreement between the hacker and organization should clearly state the ethical hacker's job scope.
- Definition of compensation and rewards for both solicited and unsolicited hackers
- How do you address the issue if the unsolicited hacker misuses the security flaw?
Conclusion
Ethical hacking has huge positive potential, if properly used. Probably one of the biggest challenges it faces is subjective interpretation. Therefore, it is necessary to have an objective, comprehensive and categorical legal framework in place. The framework should balance the powers of hackers and organizations, granting unfettered power to neither side. Too much power on either side can be disastrous: it can either wreak havoc with the systems or undermine the confidence and good intentions of the hackers. At the same time, the ethical hackers’ community may also consider adopting a self-imposed code of conduct in addition to the legal framework.