Last week’s British Computer Society Information Security Conference reopened a debate about the use of the term “Ethical Hacking”. A year ago, the BCS Security Forum issued a statement discouraging the use of the term. I contributed to that judgment and I support it. But not everyone agrees, of course. Professor Lachlan Mackinnon, for example, who was also speaking last week, runs a course with this title at a Scottish university. He describes the BCS judgment as “bollocks”. It’s an understandable reaction from someone with an existing stake in the term. Does he have a point?
Lachlan argues that the term is an established one, used by respected researchers, and that the content of his course includes both ethics and hacking. That’s a fair comment. Ethics and hacker techniques are useful components of any security course. And ethical hacking is a widely used term. Practitioners like it because it’s glamorous-sounding and headline-grabbing. It’s also a “sticky” phrase, one that might come across as understandable, plausible and compelling to an ordinary business manager. But adopting a fashionable term and teaching a selection of contemporary practices is not always appropriate in an information security profession that’s relatively immature, littered with bad practices and developed by self-taught individuals.
The reality is that ethics are rarely spelled out in customer specifications for security testing exercises, except in the context of having to operate within the constraints of the law and the organization’s codes of conduct. And that applies to all business activities, not just security tests. I strongly support the teaching of ethics to students. But it’s important to recognize that a course in ethics does not make people honest or capable of keeping secrets. For that we have to rely on vetting, contracts and supervision. And if we’re really serious about security we should also ensure that our programmers and system administrators operate to high ethical standards of behavior. Ethics are for everyone, not just for security testers.
The hacking association is also dangerous. It suggests that testers should assume the mindset and techniques of hackers. You can argue that the term is misrepresented by the media and simply refers to an enthusiastic programmer. Donn Parker used to promote that line, suggesting that we should use the term “cracker” for the bad guys. But few people see it that way. To the vast majority of people, hackers are the criminals that break into computers for selfish reasons. And as any psychologist will tell you, labels and perceived roles play a significant part in shaping behavior. If you use a dark-sounding label you will inevitably attract a fair share of dark types and encourage a certain amount of dark behavior. You can certainly sense this from the war stories recounted by so-called ethical hackers. They conjure up an image of spies, dirty tricks and creative anarchy, rather than of a disciplined, low-profile business service.
In the real business world, vulnerability management has no need for drama, subterfuge and security theatre, except as a last-resort demonstration to business management. It does of course require what Bruce Schneier would call a “security mindset”. But the execution has to be disciplined and controlled. Scanning, probing and penetration tests can all too easily hit the wrong target or bring down critical operational systems. I’ve seen it happen. They also create a new exposure: demonstrating security vulnerabilities that cannot then be rectified, for technical, financial or operational reasons. The presentation and handling of sensitive results should be managed in an exceptionally low-profile manner.
And the remedial work needs to be addressed as part of the same discipline. It’s no good building a profession that merely presents a long list of exposures to a business unit strapped for skills, resources and cash. The discipline should set out to solve problems, not just highlight them. Practitioners often claim to uncover flaws that clients decline or fail to fix. That translates to a failure to address the underlying business problem. We need to discourage the temptation to carry out the easy task of finding a weakness and then moving on to a new target. We need to deploy our most creative experts on the resolution of security problems. From that perspective “ethical hacking” reflects a means rather than an end, and would be better replaced with a phrase such as “vulnerability management”, which demands a more complete governance cycle, including the actual resolution of flaws.