
At what point do white hat hackers cross the ethical line?

Ondrej Krehel and Darin Andersen of Cyberunited Lifars | Aug. 17, 2015
If the intention is pure, does that make it ok?

This vendor-written tech primer has been edited to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

In recent months the news of Chris Roberts' alleged hacking of an inflight entertainment system and possibly other parts of the Boeing 737 has sparked a wave of controversy. Public opinion was originally on Roberts' side, but the recent publication of the FBI affidavit changed that drastically. According to the affidavit, Roberts admitted to doing a live "pen-test" of a plane network in mid-air.

Whether this is true or not, it raises some valid concerns over the ethical implications of white hat hacking. In the case of Roberts, who, according to the affidavit, was able to steer the airplane off the intended course, the consequences could have been dire. It is not believed that Roberts had any intention of hurting either himself or any of the passengers, but if the affidavit is in fact true, the possibility was real.

Some believe it all comes down to intentions. If a white hat hacker intends to do no harm and has no malicious agenda besides testing the security of the system in question (possibly looking to responsibly disclose any vulnerabilities discovered), many security professionals believe it to be ethical. After all, no harm was done, no data was stolen, and vulnerabilities were possibly discovered and reported.

But at what point does a white hat hacker cross the line? Where should the line of ethics be drawn?

It appears the term white hat means different things to different people. On one hand, there are professionals in the cybersecurity business who have built their entire careers on being strictly white hat. These security professionals must have strong principles and never so much as scan, probe, or check without prior request and approval. They follow strict rules to protect both their reputation and their future earnings.

The definition, however, drifts when you move away from professional practitioners. Many people who consider themselves to be white hats would have no issue with, let's say, checking to see if their bank has an open IPMI port, as long as their motive was to notify the bank. To them, it is ethically no different from checking to see if the door is locked at night at their local bank. After all, their motives are pure.

Herein lies the main issue. Pure intentions do not mean the actions are ethical. However noble their intentions, white hat hackers can still, fairly easily, cause unintentional harm. Not to mention that they would be committing a crime, according to the U.S. Code, Title 18, §1030. Take for example security assessments of SCADA systems and critical infrastructures. If white hat hackers are conducting a penetration test on a critical system, such as the emergency hotline 911 (even with authorized access), it needs to be understood that the security professionals performing the penetration test can guarantee the system will be safe and 100% operational.
