Overview
Ethical hackers bring value to organizations by finding security loopholes before someone with malicious intentions finds them. It seems obvious that they would be viewed with respect. However, things are not as simple as they seem. Ethical hackers can be subject to legal action even if they hack systems with good intentions, and there have been such examples. Ethical hacking is deemed acceptable if it is solicited by organizations. Even then, this does not make such hacking immune to legal action. Most precarious is the position of those hackers who break into systems unsolicited but with good intentions. Laws governing ethical hacking are inadequate and vague. The issue of legal protection for ethical hackers needs serious focus. The scope of work and other legal provisions need to be determined.
What is ethical hacking?
So-called ethical hacking is the practice of breaking into systems with the intention of finding security issues and without any malicious intent. Ethical hackers tend to let the owners or stakeholders of the system know their findings. Ethical hackers can do their jobs either solicited or unsolicited. Organizations formally solicit hackers to test their systems, an arrangement known as penetration testing. The hackers test the systems and usually provide a report at the end of the job. Unsolicited hackers, on the other hand, test systems for various reasons of their own. Solicited hacking is potentially less hazardous for hackers than unsolicited hacking, mainly because unsolicited hackers lack formal approval. Ethical hacking is a beneficial and preventive practice, and it is in high demand: organizations often hire hackers to do such jobs. However, ethical hacking can still cause many different problems. For example, such hackers may still let malicious intent take over at some stage, and the lack of a legal agreement can lead to a messy situation.
Ethical hacking and law – a case study
Ethical hacking, prima facie, might seem a practice with good intentions that invites only praise and gratitude. That has not always been the case. In 2013, an MP in the Netherlands faced legal action for pointing out a security flaw in a medical center website. The MP had logged into the medical center website with publicly available credentials and chanced upon a serious security issue. When the MP made his findings public, the medical center pressed legal charges against him. The incident raised many different questions about ethical hacking. The MP was not a professional hacker; far from it, he was not even computer-savvy. He accessed the website with credentials available on the internet and gained access to many confidential records. To let the medical center know of his findings, he would have had to go through a bureaucratic process. Judging the situation urgent, he got the news out through the media. It might seem both absurd and ungrateful that, instead of acknowledging his input, the medical center pressed legal charges. Obviously, there are many issues surrounding ethical hacking that need resolution.
Is ethical hacking ethical?
Prima facie, ethical hacking is an ethical action that benefits organizations. There are many hackers who, solicited or unsolicited, have been finding security flaws in systems before someone else with bad intentions finds them. Ethical hacking is practiced in most organizations to different degrees, either internally or by hiring specialized hackers. However, software security is a vast and complex area, and internal testing may not always reveal all flaws, especially in the case of large and complex applications handling sensitive data such as financial or defence data. In such cases, you need specialized hackers to find security flaws. Having said that, it is the hacker who determines how ethical the hacking will be. To understand this point, consider the following issues.
- What if the ethical hacker performs unethical actions in the middle of the hacking job? For example, what if the MP in the Netherlands had sold the confidential data instead of pointing out the security flaw?
- A solicited hacker may exceed the brief and venture into sections of the software not allowed under the agreement.
The above scenarios are not impossible, and they give us strong reasons for implementing a strong legal framework governing ethical hacking.
Does ethical hacking need legal protection?
There is no doubt that ethical hacking is beneficial for organizations. Instead of providing legal protection to ethical hackers, a focused law defining the scope of work and the roles and responsibilities of both parties needs to be passed. The law should address the following issues:
- A definition of ethical hacking.
- Should ethical hacking be done only when solicited formally? Even then, there will be many opportunities for unsolicited hacking. How will unsolicited hacking be viewed?
- Only formal and detailed agreements between the hacker and the organization will be treated as solicited hacking. The agreement should derive its content from the broader legal framework.
- Time is a critical factor in addressing a security flaw. When a security flaw is identified, it may need an immediate fix to prevent unauthorized breaches. Will every organization facilitate swift acceptance of the issue description and the necessary action? Bureaucratic procedures can delay action and leave the opening for unauthorized hackers unaddressed. Will unsolicited hackers be punished if they bypass bureaucratic procedures and use other information channels, as the MP did in the Netherlands?
- The legal agreement between the hacker and the organization should clearly state the job scope of the ethical hacker.
- Compensation and rewards for both solicited and unsolicited hackers.
- How do you address the situation if an unsolicited hacker misuses the security flaw?
Conclusion
Ethical hacking holds huge promise if properly used. Probably one of the biggest challenges it faces is subjective interpretation. Therefore, it is necessary to have an objective, comprehensive and categorical legal framework in place. The framework should strike a balance, granting unfettered powers to neither hackers nor organizations. Unfettered powers can be disastrous, as they will wreak havoc either with the systems or with the confidence and intentions of the hackers. At the same time, the ethical hackers’ community may also consider implementing a self-imposed code of conduct in addition to the legal framework.