Among the many scandals that seem to be accompanying President-Elect Trump into office is the hacking of the United States election by Russian hackers. This event has caused a great deal of debate, and rightfully so, by prompting questions about the election and its results. It has also had the effect of reinvigorating ongoing debate regarding hacking and its many aspects. One of those aspects focuses on the ethical dimensions of hacking. While many hackers and their supporters characterize their work as for the “good of the people,” others assert that they are “exercising their freedoms.” Despite these descriptions, most jurisdictions within the United States have deemed hacking a criminal behavior which is punishable by stiff fines and jail time. The discrepancy between how the hackers and their supporters view hacking and how it is perceived legally raises several questions regarding the ethics of hacking which bear closer examination.
Many hackers argue that hacking is for the good of all people and organizations because hacking highlights flaws in computer security systems. Cross (2006) asserts that most hackers are seeking “to do creative things with technology” but are “often beset by controversy” because their activities involve “forbidden knowledge” (p. 37). This forbidden knowledge relates to the public’s “basic right to privacy, respect and freewill” which is why the public often has a strong reaction to the concept of hacking (Jamil & Ali Khan, 2011, p. 3758). The general public has, according to Cross (2006), “difficulty drawing a line between hackers who study computer security as a technical interest and criminals who break into computers” with intent to cause problems or obtain that forbidden knowledge (p. 37).
Unfortunately, according to Jamil and Ali Khan (2011), the media’s focus on cyber crime has not helped the general public’s perception of hacking, whether it would be considered ethical or not. Jamil and Ali Khan (2011) note that the media seems to focus on inside hacking attacks, which comprise 90% of all hacking attacks. This raises concerns regarding “how easy it is to be working on the inside,” giving hackers a far easier route to accomplishing nefarious attacks (Jamil & Ali Khan, 2011, p. 3758). This can undermine public confidence in the ability of a corporation to adequately secure and preserve the public’s private information. In other words, if corporations are hiring legitimate professionals who also happen to be hackers, what prevents the hackers from taking advantage of their insider status to execute malicious attacks? How will the corporation guarantee that their employees will not take advantage of their status?
This situation becomes far muddier when one considers that hacking can be and is often taught to computer programming and security professionals. Individuals who teach such skills struggle with the idea that they are teaching potential malicious hackers better intrusion skills (Jamil & Ali Khan, 2011). Of course, there is always a risk involved in teaching anyone anything. As Jamil and Ali Khan (2011) observe, it can be difficult to understand or predict the intentions of any one particular student. A nursing instructor who teaches students to give injections teaches those students how to administer life-saving medications; they also teach them a means of injecting people with toxic or fatal substances. A police recruit who learns how to shoot a gun and gains an understanding of basic forensics is given a foundation with which to uphold law and order; they are also equipped with skills with which to commit crime. These are life-and-death skills whose proper use hinges on the willingness of the individual to make the socially acceptable choice – or not. As Cross (2006) states it, “Knowing how to do something that might be harmful is not the same as causing harm” (p. 39). While some may argue that hacking into email accounts to steal credit card information is not life-or-death, the fact remains that (1) people’s financial stability affects their lives significantly, and (2) perhaps it is only a matter of time before an unethical hacker attempts to and successfully infiltrates subway systems or air traffic control systems, leading to collisions and loss of life.
However, it is clear that there are hackers who behave ethically and legally; these are often referred to as white-hat hackers (Pike, 2013). Those who do not are referred to as black-hat hackers (Pike, 2013). One may liken white-hat hackers to nurses who abide by the Hippocratic Oath and cops who endorse the police motto of “to protect and serve.” Black-hat hackers may be likened to “angels of death,” healthcare professionals who use their skills and access to harm or kill patients, or cops who use their positions of authority to exploit citizens. This brings the discussion to the question of whether or not hackers actually do work for the good of all people. It seems that the answer to that question is yes – so long as one is talking about white-hat hackers. Such hackers are “committed to full compliance with legal and regulatory statutes as well as published ethical frameworks that apply to the task at hand” (Pike, 2013, p. 67). Those tasks may include activities similar to those of black-hat hackers but are undertaken with the agreement and knowledge of the parties involved. For example, an organization may hire a security company to test the integrity of the organization’s security system. The organization is aware that its borders will be tested and potentially breached, but the security company is doing so at the behest of the organization. The members of the security company are merely testing the borders; they agree not to extract data or resources from the organization. Such an undertaking can identify weaknesses in the organization’s security system which the organization can work on closing. This can improve the integrity of the information and data relating to the organization’s customers and clients, in essence improving privacy and security. Everybody benefits from such an endeavor, which, as such, represents how hackers can work for the good of all people.
Of course, this may affect how research in such areas is conducted and shared; after all, publishing how-to manuals with code might be somewhat irresponsible, especially if it puts the public at risk (Anon, 2010).
Nevertheless, until the legal system changes its stance, hacking remains a criminal activity. Obviously, white-hat hackers, as long as they comply with regulations, are protected from prosecution (Pike, 2013). But clearly there are hackers who do not; they seek to benefit from their actions and take advantage of others in ways which are criminal. As such, one must consider what punishment fits the crime. Currently, hackers who are caught are subject to monetary fines and jail sentences. The most sensible way of determining the most appropriate punishment is the way in which punishment is determined now – that is, based on its impact and the level of premeditation. It would be unfair and unjust to prosecute a white-hat hacker who had been legally hired to test borders and simply retrieved data agreed upon by the hacker and the organization that hired him as evidence of the hacker’s success in breaching the borders. However, a black-hat hacker who infiltrated an organization’s patron databases and stole credit card data has committed theft and, as such, should be prosecuted and punished in the same way that a person who steals a credit card from someone’s wallet is prosecuted and punished. Someone who steals one credit card is punished at one level of intensity, one might say, while someone who steals several credit cards is punished at another level. The fact that these crimes are committed using a computer seems irrelevant; the outcome is the same: someone has their identity and/or resources stolen from them.
One can argue that someone who takes advantage of their insider status to execute black-hat crimes should be punished more severely. They have betrayed the trust of their employer and their clients/customers. They have deliberately taken advantage of that trust in order to enrich themselves. Not to be too dramatic, but one might say this is like a pedophile who takes a job in a daycare to gain access to children to assault or abuse. The pedophile takes advantage of the children’s trust in them, their employer’s trust in them, and the parents’ trust in them in order to serve their own needs. This seems even more despicable than just snatching a child at the park, since the pedophile exploits their position of trust and authority for their own needs. A black-hat hacker who gets a legitimate job at an organization and then uses that access to gain sensitive information which they then use to enrich themselves (or damage someone else) has misrepresented themselves; this seems like fraud. It should be punished like fraud, in addition to theft.
Of course, the actions of a hacker sometimes lead to network security breaches at major corporations, such as the one that occurred at Target around Christmas of 2013. While under the current law the hackers who carry out the attacks are accountable, there is also the question of whether or not organizations that experience security breaches ought to be held accountable as well. After all, they have an obligation to their customers and clients to preserve the security and integrity of their information. But when they fail, there is some question as to who should be held accountable within the organization when such hacking-based breaches occur. Some organizations which have experienced such breaches, like Target, take action; they inform their customers, they offer compensation of some sort, and they take action to close gaps and improve security. They do this ostensibly because they have a legal obligation to do so, but also because they value the relationships with their customers. The breaches can undermine their credibility with their customers (Anon, 2010); the organizations should do what they can to mitigate the damage such breaches can do and to re-establish public confidence in their ability to protect and preserve privacy and security.
But in re-establishing that confidence undoubtedly people will look for a scapegoat. Or they will want to know how the breach occurred and who is responsible. Stakeholders like investors will also want to know if their investments are secure; business partners will worry that they will suffer damage to their reputation or become vulnerable to attacks. The ripples associated with hacking attacks can spread far and wide. So the question of who would be held accountable is a legitimate one. It seems that it is a chain of command question; if information technology (IT) security specialists do their very best and take all possible measures to secure networks, it seems hardly appropriate to fire them over the breach. Policemen who do their best to prevent crimes are not fired every time a house gets broken into or a driver who is speeding does not get a ticket. If the IT people have done their part with hardware and software, as well as training non-IT employees about network safety, it seems that holding them accountable is unjust. If the IT people have identified issues which they cannot rectify without the resources and endorsement of higher management and management fails to provide IT with those resources and endorsement, then management should be held accountable. However, if it is obvious that IT security specialists have not done all that is reasonable to protect the network, it seems obvious who should be held responsible. In cases where an insider has exploited the network, it seems most appropriate to hold that insider accountable for the attack.
Hacking may be a contentious issue. Some liken the ability to hack systems effectively to the ability to produce biological weapons or engage in other terroristic behaviors (Cross, 2006). But hacking, like many things, involves choice. White-hat hackers are clearly an asset; they can benefit from formal training and legitimate work, as well as the freedom to conduct research that helps them to do their jobs (Anon, 2010; Cross, 2006). Such hackers engage in ethical hacking, unlike black-hat hackers.
- Anon 2010, ‘Security ethics’, Nature, 463, 7278, p. 136, Psychology and Behavioral Sciences Collection, EBSCOhost, viewed 7 January 2017.
- Cross, T 2006, ‘Academic freedom and the hacker ethic’, Communications of the ACM, 49, 6, pp. 37-40, Science & Technology Collection, EBSCOhost, viewed 7 January 2017.
- Jamil, D & Ali Khan, M 2011, ‘Is ethical hacking ethical?’, International Journal of Engineering Science and Technology, 3, 5, pp. 3758-3763, Directory of Open Access Journals, EBSCOhost, viewed 7 January 2017.
- Pike, RE 2013, ‘The “Ethics” of Teaching Ethical Hacking’, Journal of International Technology & Information Management, 22, 4, pp. 67-75, Business Source Complete, EBSCOhost, viewed 7 January 2017.