My colleague, Ryan Kh of Smart Data Collective has published a number of articles on the role of machine learning in cybersecurity. While he has emphasized the benefits of Big Data in protecting against malicious hackers, he acknowledges that other defenses are still very much needed.
Ethical hackers are just as important in protecting against cybersecurity breaches as new technologies. Ethical hackers are usually employed by organizations to offer white hat services and their goal is to help a company identify its own security weak points, so that appropriate safeguards can be put into place. Their goal is to help make the internet safer for everybody.
Unfortunately, there are still some challenges that ethical hackers face. Some laws are poorly written, which means that white hat hackers that are acting in good faith could be inadvertently prosecuted for trying to help companies improve their security.
Ethical hackers are the unsung heroes of cybersecurity
The average person is ignorant about the hacking community. They believe that hackers are all rogue criminals.
However, as Hacker Moon points out, the majority of hackers are not criminals. There are actually more hackers that are working to help strengthen cybersecurity defenses. They cited a New York Times article, which made this point very clearly. The author raised the question:
“We’re ignoring a different group of hackers who aren’t lawless renegades, who are in fact patriotic, public-spirited Americans who want to use their technical skills to protect our country from cyber-attacks, but are being held back by outdated rules and overly protective institutions… In other words: What if the problem we face is not too many bad hackers, but too few good ones?”
This is an issue that needs to be discussed. There are a number of factors that could be impeding ethical hackers, such as lack of certifications for them. We also need to realize that the unfair stereotype and draconian laws have actually discouraged ethical hackers, which may put all of us at greater risk of a cybersecurity breach.
Are ethical hackers at risk?
Legal protections for hackers are situationally dependent. Companies often hire these hackers directly to penetrate their own systems to discover security flaws. However, even though they have consent to access the systems, they might still be prosecuted.
The Department of Justice could make the argument that even though the company that hired the hacker to penetrate their own systems wasn’t a clear victim, customers, employees and other parties did not provide the same consent. The law is a bit murkier on this point, but it still does not guarantee perfect protections.
Protections are significantly weaker for ethical hackers that act without being hired by the company they are trying to help. The laws don’t allow for good faith intent. Even if a hacker could demonstrate that their only intention was to identify security flaws and report them so they could be fixed, they are still in violation of the law.
However, there is a movement change this. Reforming the laws could provide ethical hackers with the legal protections they may need.
Earlier this year, Derek Hawkins, a cybersecurity expert and contributor to the Washington Post wrote an article about the outdated laws surrounding ethical hacking. Hawkins pointed out that federal cybercrime laws don’t differentiate between hackers with malicious intentions and those that act in good faith.
He says this is worrisome, because organizations of all sizes depend on ethical hackers to identify security flaws, so that they can fortify them against malicious hackers.
The good news is that there is a new movement to provide better legal protections to ethical hackers that act in good faith and the public interest. Cybersecurity company Bugcrowd and the University of California have unveiled a new project called Disclose.io. This project intends to help change the legal framework of existing anti-hacking laws to shield ethical hackers from criminal and civil liability if their intentions are to help the organizations they analyze by reporting security flaws that need to be resolved.