Ethical Hacking - Friend or Foe?

What is Ethical Hacking? 

Ethical hackers, also known as white hat hackers, are cybersecurity professionals who use their skills and knowledge to identify vulnerabilities in government systems, networks, and applications before malicious cyber criminals can exploit them for illegal purposes. In other words, they use hacking for good – not evil. But the clear difference must be communicated among governments, cyber professionals and citizens because the method can easily be interpreted as a threatening criminal act to those who aren't educated in how it works. 

It all came to a head in 2013 after a cybersecurity conference in the United States when many security researchers were enraged about the newly disclosed surveillance programs, which they said completely imposed on Americans’ privacy rights.  At this time, the US government failed to distinguish between ethical hackers and criminal hackers. But as of 2019, the difference was understood and 72% of cybersecurity experts surveyed said the relationship between government and ethical hackers had improved. Only in May 2022 did the US Justice Department announce a new policy change: good-faith security research should no longer be charged under the Computer Fraud and Abuse Act.  

The Pros and Cons: 

Pros:  

• By harnessing the skills and expertise of ethical hackers, government agencies can proactively identify vulnerabilities, strengthen defences, and safeguard national security interests 
• Possibility of reducing the potential costs associated with cyberattacks and data breaches after a hacker has successfully discovered a vulnerability 
• supports the development of a system that is resistant to hacker intrusion 

Cons: 

• Governments may face legal challenges or regulatory scrutiny if ethical hacking activities are perceived as intrusive or if they inadvertently disrupt critical systems or networks 
• Government systems in danger of being exposed to insider threats from ethical hacking activities if sensitive information or vulnerabilities are disclosed to unauthorised individuals. 
• The systems are often complex and interconnected, making it challenging to conduct thorough ethical hacking assessments without causing unintended consequences or disruptions 
• Reputational damage and loss of public trust the government would face after a security breach

Ethical Hacking in Action: 

Governments are now not only accepting of the cybersecurity approach, but they are also relying on it as an integral part of their overall strategy. The United States Department of Homeland Security contends that one of the best ways to protect government departments is to recruit hackers to attempt to hack into their own systems and networks.  

Nebraska state Sen. Loren Lippincott, R, is also following suit as he emphasised the need for proactive measures in cybersecurity: “If an organisation is responsible for securing sensitive data of any kind, they must think like the enemy…” so he has proposed a bill to recruit ethical hackers. 

Across the ocean in Germany, a white hat hacker recently demonstrated how a cybercriminal could perform an attack on Germany’s National Identity Card, potentially posing danger to the 10 million people using the system. If this hacker hadn’t informed Germany’s Federal Office for Information Security (BSI), the vulnerability would have most likely gone unnoticed until targeted by a true cybercriminal, and at that point the security of citizens’ data would be long gone.  

Australia’s ABC News also shared the story of the ethical hacker Jackson Henry, who, at 15, gained recognition from the United Nations discovering and reporting a misconfiguration in their system that exposed 100,000 highly sensitive UN staff records that could have been weaponised.  

Building Resilience: 

So while ethical hacking in government offers numerous benefits in enhancing cybersecurity measures, it also presents potential drawbacks and ethical considerations. Governments need to be aware of the grey area that exists in this approach which falls between ethical and criminal where the hacker may find vulnerabilities in a system and report them to the owner, but they may also use those vulnerabilities for personal gain without permission. And is it ethical to exploit vulnerabilities in a system for personal gain, even if you’re doing so with permission?  

In these cases it is essential that governments work with dependable programmers to (hopefully) avoid these grey areas altogether. Governments need to balance the benefits and risks of ethical hacking to maximise its potential to enhance cybersecurity while upholding principles of integrity, privacy, and accountability within government operations. Ethical hacking is one avenue to test and build resilience, but it clearly can't be solely relied upon (as our numerous cons suggest) and must be part of a suite of cyber tools in the battle against cybercrime.