Entry Point—Ethical Hacking Goes Mainstream – Guest Post By Jennifer Arcuri

There’s a worldwide war underway, and without exception, every man, woman and child is under attack. Are you worried? Possibly, although it’s more likely that you’ll feel apathetic towards the vicious battle that surrounds you. Despite the prevalence, persistence, and devastating consequences of digital crime, as well as the constant peddling of a dystopian future on TV, radio, social media and film, many of us are happy – for now at least – to sleepwalk right through it. The speedy acceptance of the phrase “privacy is dead” sums up the collective apathy towards cyber security, a one-way conflict that we are losing, badly.

It goes without saying that we – governments, corporates, and civilians – need to wake up. Binary constructs of ‘0’s and ‘1’s circulating in the cloud might appear innocuous, but in the wrong hands can severely damage, even obliterate, the very infrastructure upon which we rely for our day-to-day existence. Critical data, networking systems, security functions, can be deleted or changed in the momentary click of a return key.

We are living in a networked society where almost every John and Jane in the first world, and much of the second, has a smart phone, PC, and tablet. All of these devices are connected to the same cloud, so each individual is in effect running their own small telecoms network. But as technology becomes smarter, more connected, ever pervasive and proliferating, the risks to our personal security rise exponentially – it only takes one weak link in the chain for disaster to become a reality.

Are things really that bad?

Thankfully, people are starting to wake up to the fact that digital privacy and security is something to be valued and nurtured.

It may be that cyber crime is only just beginning to touch our everyday lives. For some reason, buried deeply in the human psyche, many of us think nothing of governments being hacked. Perhaps we believe it doesn’t really affect us. When familiar corporates, such as Target, eBay, PayPal, Anthem, get hacked, more people sit up and take notice – after all, these are companies we do business with every day. Hacking is closer to home.

It’s not long before malicious hacks erase or manipulate normal citizens’ data. We live in a world that is increasingly driven by an online community. All of our devices link to an amorphous network. Our data is in the cloud. Health records, banking details, identities, all are vulnerable. Soon hacking victims will not only be those read about in the newspaper, but relatives, friends, work colleagues. You. Apathy has a price and the cost is becoming clearer.

In this new era of cyber crime, we’re all exposed, but most of us lack the appropriate protection or knowledge to combat the threat. When these networks get hacked (and they will be), the civilian population will get hurt, and governments, their agencies, and industry will be blamed.

Inaction is our worst enemy

Even as I write these lines, I find the subject of cyber security daunting to approach. But we can no longer be put off by great tasks or fear. The point of this essay must be made, and above all, heard.

I organise, manage and run tech events under the Innotech Summit brand. My team and I bring together leaders in the fields of technology, finance and politics to discuss the impact of a digital future and to action change. Content-wise, it’s mostly awe-inspiring, innovative, fun, and positive. But it’s not all good. There’s an undeniably nasty undercurrent of dread that goes hand in hand with technological progress – an anxiety that we can’t keep up with our own creations. People are concerned. And it’s not just the tech nerds and security agencies. The woman and man on the street are worried too.

That’s why cyber security is a recurring theme at all of my events. The fact that we can no longer hide from cyber threats is an open secret – but it’s getting late to address the issue.

We need an active defence strategy and soldiers on the front line – now. But the reality is that those with the power to employ skilled ‘soldiers’ and direct resources effectively are failing to do so. Is this inaction a manifestation of the paralysing fear of an encroaching cyber security doomsday? Perhaps. But my experience, gathered as a representative on numerous government trade missions and an attendee of some of the biggest international security events, tells me that it’s because those in power fear accountability for making the bold decisions necessary to take us towards a secure future.

A digital neighbourhood watch

My objective here is to highlight the importance of ethical hackers – of which there are many thousands around the globe – as well as hacking in general.

Hacking. A word capable of sending shivers down spines, disapproving looks across rooms, and eyebrows into furrowed foreheads. It’s a word that we need to revisit, because in an ethical context, hacking is capable of being the solution we so desperately need.

Let me explain.

There is great merit in empowering technically competent civilians to take notice of security threats, and a huge opportunity for the authorities to engage with them. But here lies the big misunderstanding – my experience of working with people on both sides of this divide demonstrates that all hackers are lumped into the same ‘vigilante’ category. Sadly, this means that the community spirit potential of a digital neighbourhood watch scheme is overlooked completely.

At a recent Innotech Summit event, Legislating Lulzsec, the ethics of hacking and what we are doing to better prepare the next generation of digital natives was discussed openly. The purpose was not to focus on the potential criminality of hacking, but to ask the question of whether we can use such skills to benefit and protect civilians, companies and governments. The resounding conclusion, unsurprisingly, was yes – that skilled individuals are the soldiers we need to work on the front line, helping people and organisations to identify and ‘patch’ (essentially, rectify) their cyber weaknesses in order to ensure a safe and secure digital presence.

The discussion then evolved into how we can engage, involve, and apply a network of digitally adept, ethically committed individuals to meet the skills deficit. And a deficit it most certainly is – the accelerating litany of security breaches in government and industry alike makes this clear and impossible to ignore.

We see the early signs now. Governments and branches of the military around the globe are recruiting elite cyber security troops. Unfortunately, they’re using the same approach that’s worked for the recruitment of Navy, Army and Air Force personnel — the mentality is that the ‘best of the best’ are corporate, conformist types that have graduated from MIT or Stanford.

The bulk of cyber talent, however, does not fit into such a limited category. Many of the real geniuses are kids who never finished school or college, thrive in online rather than offline communities, and shudder at the thought of desk jobs. As a result, recruitment targets are being missed. Moreover, the police and non-military branches of those same governments are hell-bent on criminalising, prosecuting, and imprisoning these types of hackers. While it is right to punish crime, we must focus on creating a culture that recognises and understands the hacker mind-set, and provides opportunities for such talent to be directed towards something good – ethical hacking.

Hacking – the good, the bad, and the just plain wrong

But before we can even begin to fill the skills void, we must define – and defend – ‘ethical hacking’. This requires all previous taboo-like notions of ‘hacking’, most of which spring from media-hyped stories that revolve around bad guys stealing information and disrupting networks, to be packed up and put away. Indeed, in everyday usage ‘to hack’, as a verb, means to break into something – an undeniably negative connotation. But it’s time to draw a line in the sand, for hacking is not the same as ethical hacking, a compound noun which has a completely different meaning.

Let’s break it down. ‘Ethics’ – the easy one – can be defined as the discipline dealing with what is good and bad in the context of generally expected societal behaviour, an established line in what defines moral obligation. Quite simply, ‘ethics’ defines what is ‘right’ in any given situation.

The ‘hacking’ extension is more complex. There are many reasons to justify the ‘breaking and entering’ implied by hacking, and it’s easy to understand why it is considered illegal and wrong. The notion that all information should be free and that there is no such thing as intellectual property is no basis for justifying hacking. The system in which we live, and from which the majority benefit, would break down without IP protection.

Defining ethical hacking is a little more complex, of course. Some hackers say that they do no harm – they don’t hack to cause damage but to ‘have a go’ at system security work. This, it could be argued, is okay to an extent. There is even some validity in the oft-claimed hacker motivation of ‘keeping big brother at bay’.

However, hackers that make use of idle time on the computers of others, even without looking at private data, have crossed the line. Such behaviour is theft of computing resources, and unauthorised access in law – remote intruders are not in a position to judge whether another person’s system is being under or over used.

The ethical minefield gets worse from here. For example, there is a fundamental argument that says some computer break-ins are in the interest of the public or greater good, and therefore justified (if not ethical) in the eyes of the hacker. To them, if they fail to take action on security threats, the software developer or network will not act, leading to further vulnerabilities that would inevitably cause greater destruction down the line.

There is a degree of justification to this argument – patching is critical. However the proper authorities need to be involved to ensure that data protection ethics are controlled and enforced (the problems here are who is responsible for controlling these authorities, and what happens when the only way to beat the bad guys is to… but we’ll save that for another day).

What is ethical hacking?

I define ethical hacking as the authorised search for the source of a problem with a moral obligation to patch the security vulnerability in the best interests of a client or system.

An analogy I often use to explain this is of a thug stabbing an innocent victim with a stiletto (a hacker) and a surgeon cutting a patient open in an operating theatre (an ethical hacker). Malicious hacking is carried out on an unwilling victim and can cause untold damage to a system. Ethical hacking, on the other hand, is undertaken with full approval and is designed to locate the source of a problem, or potential problem, to fix it.

To extend this metaphor, just like the surgeon is qualified, licensed, and under a moral and ethical duty to defend a patient’s life, an ethical hacker, whose programming and coding ‘qualifications’ are best gained through experience, should have the avenues available to be licensed to secure and defend systems in the ever-growing cloud – a cloud that no longer contains just computers, but phones, cameras, door locks, light switches, baby monitors, glasses… (the impact of having one’s home hacked by the bad guys is truly terrifying).

Ethical hackers understand their place in a rapidly changing society and know that being part of the humanity collective requires being responsible for their actions and decisions on- and offline. They are best placed to protect us, since they understand better than anyone else what happens when everything is connected.

The solution is to promote ethical hacking and support ethical hackers, while encouraging a paradigm shift in the attitude toward it. We can only build and execute a defensive strategy to fight cyber criminals by being offensive, and this entails bringing in those who ‘do what the bad guys do’, but wear white hats while doing it. And public policy needs to embrace them, to give out the Sheriff’s deputy badge.

Your country needs you

Every networked computer has 65,536 TCP ports and as many UDP ports (numbered 0 to 65,535). Ports are like entryways and doors to a home, some of which admit more traffic than others. Who has keys to the house? What happens when someone breaks in? Which doors are open, and which are vulnerable? Can the house be made more secure by a home security expert or the police?
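To make the door metaphor concrete, here is an added example (not code from the original post or its author) that opens one “door” on the local loopback interface, scans a small window of ports to find it, then closes the listener and scans again to show the door shut. It only ever touches 127.0.0.1, the machine it runs on, which is the one host you are always authorised to scan; the port window and timeout are assumptions chosen for the demonstration.

```python
import socket
from contextlib import closing

LOOPBACK = "127.0.0.1"


def scan_ports(host, ports, timeout=0.2):
    """Return the set of TCP ports in `ports` that accept a connection on `host`.

    This is a plain "connect scan": for each port we attempt a full TCP
    handshake. Success means a service is listening (an open door); a
    refusal or timeout means the door is closed or filtered.
    """
    open_ports = set()
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                # ECONNREFUSED, timeout, unreachable: treat all as "closed"
                continue
            open_ports.add(port)
    return open_ports


def demo():
    """Open a door, find it, close it, confirm it is gone.

    Returns a dict with the listener's port and the two scan results so the
    caller (or a test) can check them.
    """
    # Constructed for the example: bind to port 0 so the OS assigns a free
    # ephemeral port (always above 1024), then start listening.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((LOOPBACK, 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    # Assumed scan window: a handful of ports either side of the open one.
    window = range(port - 5, port + 6)
    try:
        while_open = scan_ports(LOOPBACK, window)
    finally:
        listener.close()  # "patch" the house: shut the door

    after_close = scan_ports(LOOPBACK, window)
    return {"port": port, "while_open": while_open, "after_close": after_close}


if __name__ == "__main__":
    result = demo()
    print(f"listener on {result['port']}")
    print(f"open while listening: {sorted(result['while_open'])}")
    print(f"open after closing:   {sorted(result['after_close'])}")
```

The same `scan_ports` function works against any host and port range, but the point of the essay applies: run it only against systems you own or have written permission to test.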

We urgently need ethical hackers to be on the look out for digital vulnerabilities (with complete authorised permission, of course) so that they can be patched before the bad guys get in. Those in government and industry must ensure that every civilian is aware of the threats that surround them, is educated in basic security and able to run system scans, and has access to ethical hackers.

This means that we need to raise, educate, and train generations of #digitalnatives – the momentum and intensity required to actively keep up with cyber security threats ensures that we have no option. The principles of ethical hacking must be taught to kids everywhere, in the same way that road safety is instilled from an early age. Universities and after school groups should be encouraged and incentivised to organise ethical hacker clubs – places where it’s cool to learn and practise ethical hacking. In short, public policy, security, and academic institutions need to promote, support, and enable ethical hackers.

We cannot give up the fight for cyber security. The lifetime efforts and struggles – career, family, savings, work – of everyday people can be wiped out in a moment without it. We must respect and value this information, and protect it to the maximum extent the systems that hold it allow. Investment depends on a society in which the integrity of information can be assured.

If we ignore the threat, we will soon be living in a society where cascading disasters will force hurried and urgent attention to cyber security knowledge as one of the pillars of education in a modern digital society. If we start now, we can smooth the path. Let’s start now. Let’s start training our digital natives to respect the Internet, the cloud, what’s visible in the browser… and what’s behind it.

Governments? Are you listening?


Jennifer Arcuri, Founder, The Hacker House