Ethical hacking - a good or bad term?

Last week’s British Computer Society Information Security Conference reopened a debate about the use of the term “Ethical Hacking”. A year ago, the BCS Security Forum issued a statement discouraging the use of the term. I contributed to that judgment and I support it. But not everyone agrees of course. Professor Lachlan Mackinnon, for example, who was also speaking last week, runs a course with this title at a Scottish university. He describes the BCS judgment as “bollocks”. It’s an understandable reaction from someone with an existing stake in the term. Does he have a point?

Lachlan argues that the term is an established one, used by respected researchers, and that the content of his course includes both ethics and hacking. That’s a fair comment. Ethics and hacker techniques are useful components of any security course. And ethical hacking is a widely used term. Practitioners like it because it’s glamorous-sounding and headline-grabbing. It’s also a “sticky” phrase, one that might come across as understandable, plausible and compelling to an ordinary business manager. But adopting a fashionable term and teaching a selection of contemporary practices is not always appropriate in an information security profession that’s relatively immature, littered with bad practices and developed by self-taught individuals.

The reality is that ethics are rarely spelled out in customer specifications for security testing exercises, except in the context of having to operate within the constraints of the law and the organization’s codes of conduct. And that applies to all business activities, not just security tests. I strongly support the teaching of ethics to students. But it’s important to recognize that a course of ethics does not make people honest or capable of keeping secrets. For that we have to rely on vetting, contracts and supervision. And if we’re really serious about security we should also ensure that our programmers and system administrators operate to high ethical standards of behavior. Ethics are for everyone, not just for security testers.

The hacking association is also dangerous. It suggests that testers should assume the mindset and techniques of hackers. You can argue that the term is misrepresented by the media and simply refers to an enthusiastic programmer. Donn Parker used to promote that line, suggesting that we should use the term “cracker” for the bad guys. But few people see it that way. To the vast majority of people, hackers are the criminals that break into computers for selfish reasons. And as any psychologist will tell you, labels and perceived roles play a significant part in shaping behavior. If you use a dark-sounding label you will inevitably attract a fair share of dark types and encourage a certain amount of dark behavior. You can certainly sense this from the war stories recounted by so-called ethical hackers. They conjure up an image of spies, dirty tricks and creative anarchy, rather than of a disciplined, low-profile business service.

In the real business world, vulnerability management has no need for drama, subterfuge and security theatre, except as a last resort demonstration to business management. It does of course require what Bruce Schneier would call a “security mindset”. But the execution has to be disciplined and controlled. Scanning, probing and penetration tests can all too easily hit the wrong target or bring down critical operational systems. I’ve seen it happen. They also introduce a new exposure from the demonstration of security vulnerabilities that cannot be rectified, for technical, financial or operational reasons. The presentation and handling of sensitive results should be managed in an exceptionally low profile manner.

And the remedial work needs to be addressed as part of the same discipline. It’s no good building a profession that merely presents a long list of exposures to a business unit strapped for skills, resources and cash. The discipline should set out to solve problems, not just highlight them. Practitioners often claim to uncover flaws that clients decline or fail to fix. That translates to a failure to address the underlying business problem. We need to discourage the temptation to carry out the easy task of finding a weakness and then moving on to a new target. We need to deploy our most creative experts on the resolution of security problems. From that perspective “ethical hacking” reflects a means rather than an end, and would be better replaced with a phrase such as “vulnerability management”, which demands a more complete governance cycle that includes the actual resolution of flaws.


Hi David, Just discovered your blog and read this article on use of the term 'Ethical Hacking' with some interest. Personally I'm unable to get too worked up about use of the term 'ethical', because it has been so catastrophically devalued by recent events. The website of every bank and other recently besieged organisation all tout their codes of ethical conduct, risk management policies, corporate social responsibility etc. ad nauseam. But I find it hard to read these at the same time as seeing today's headlines. Instead, I find myself thinking of the word that our dear Prof Lachlan used so eloquently to oppose the BCS judgement regarding use of the term. If I were employing a pen tester, hacker, cracker or whatever we are calling these people today, I would be more interested in things like contractual obligations, indemnity insurances, confidentiality agreements and supervision arrangements over what they are doing, rather than worrying too much over their job title. Call me cynical, but... on second thoughts, just call me cynical. Best wishes, Adrian Wright.
I'm not sure you can look that deeply into the term 'ethical hacking'. Hacking is what it is. There is a literal definition for it and you should take it at that. The word 'ethical' is prepended to it only to emphasize the 'good' intended nature of it. Whatever you expect of the person doing the tasks of an ethical hacker (or whatever you may wish to call it) has no bearing on what you actually call it. You mention that the term reflects a means rather than an end. But, I beg to differ on that. The term doesn't reflect that, but rather your outlook toward the term does. I took a class labeled as ethical hacking and part of the class covered proper ways to disclose vulnerabilities and how to go about fixing those flaws that were found. I don't know about you, but that doesn't sound like just a means; it also sounds like a path of action towards a resolution. I think the term is what it is. Someone's outlook toward the term is only a reflection of their own experiences with it.
Regarding your comment, "Scanning, probing and penetration tests .. can... introduce a new exposure from the demonstration of security vulnerabilities that cannot be rectified, for technical, financial or operational reasons." What's wrong with exposing vulnerabilities if they can't be fixed? Management needs to be aware of all risk so that they can transfer, mitigate, or accept the risk. To not know that you have such a risk is not a good position to be in. Even worse is to know that you have a medium or high risk and ignore it (which is not the same as accepting the risk and its possible consequences). Also, while some terms like "ethical hacking" may have unfortunate connotations, I think the more important issue is how one conducts himself and provides business value. Terms can be and should be clarified in each context, but they shouldn't be a barrier in getting the needed work done.
about hacking stuff on their own. If you feel like being led then you are not a hacker; if you feel like taking the lead then you're probably a hacker. I have never understood the motivation behind political activism nor hacktivism; to my mind politics along with activists have no play in hacking. If you are a politically motivated hacktivist then in my view you are an epic failure as a hacker. There is no get-rich-quick scheme to being a hacker. If you're looking for one then you've come to the wrong place; most hackers are motivated by their own sense of self-worth, not that of other individuals, and as such, they never play by your rules. Just $200.99 and you will have learned how to be a network engineer by sitting on this course. Pfft, they couldn't pay me enough to scout their network in the first place. We're all volunteers!