Cyber and Human Vulnerabilities: Who Is the Ethical Hacker and Why Should We Care

Cyber and human vulnerabilities are mutually dependent and the so-called ethical hackers seem the best solution for firms and governments to cope with cyber threats. However, the hackers’ technical skills make them an elite group in terms of power-knowledge. This makes assessing the morality of their actions inherently difficult.


Malicious, misanthropic and awkward. Hollywood movies and pop culture in general keep on fueling the common image of hackers as a broad homogeneous category of social outcasts secluded in their own world: the cyberspace.

This widely held stereotype is flawed in at least two ways. First, since the 1990s, different scholars have understood the need to establish internal subcategories in order to analyze the hackers’ community, distinguishing various types of hackers by their intent. Significantly, these intents are difficult to discern for outsiders, because of the lack of appropriate knowledge of the hacker community and its techniques, which could allow us to assess them. Second, despite the perception of the cyber world as detached from the flesh-and-blood social sphere in which we are embedded, the dichotomy ‘cyber’ vs ‘real’ is more fictitious than concrete. The cyber space is rife with the human element and, exactly like the so-called ‘real’ world, it is filled with moral dilemmas. The main difference between the two spheres, however, is that, as the cyber context has developed only recently, the process of identification of its specific ethical dilemmas and their possible solutions is still at an embryonic stage. At the same time, the number of users who have access to the Internet is rapidly increasing; moreover, cyber-threats multiply and cybersecurity has been identified as a top priority on many national security agendas (Minnaar 2013). These developments require a reflection on the potential security implications that the behavior of the main actors in the cyberspace could have on our real lives.

Hackers are the undisputed stars of the cyber world. The term was born in the late 1950s at MIT and it identified university students who were particularly skilled in computer programming (Levy, 1984). As time passed by, individuals started to use their IT abilities for a wide range of purposes, from intellectual exploration to manipulation of sensitive information. At the beginning of the 1990s, the meanings of the verb “to hack” started to diversify, requiring a more articulated taxonomy of the various human categories that formed the self-recognized hacker community. Various scholars grasped the importance of focusing on the purpose of hackers' actions: very soon, new labels started to identify opposite groups of hackers, i.e., utopians vs cyberpunks (Young, 1993), traditional vs malicious (Denning, 1990), crackers vs moral (Baird & al., 1987). Today, the mainstream literature classifies hackers as either “black hat”, which represent the “dark side”, or “white hat”, the righteous side.

The origins of the distinction are blurred. In general, the terms come from early Western movies where, to make chasing scenes clear, white hats were given to the good and black hats to the bad guys (Palmer, 2001). Richard Stallman, an early observer of the movement and free software activist, described the members of the “dark side” as individuals who “typically had little respect for the silly rules that administrators like to impose, so they looked for ways around” (Stallman 2001, Williams 2012). On the other hand, the first historical case of white hat hacking involved the United States Air Force, which in 1974 tried to break into its own operating system to discover possible vulnerabilities (Karger and Scherr, 1974). This category became widely known thanks to an article in the New York Times, which, in 1981, recognized the activities of such hackers as “mischievous but perversely positive”. In any case, the main distinction between the two groups is normally made according to their intent when exploiting cyber vulnerabilities.

Being one of the most complex and intricate human creations, the cyberspace naturally inherited some core human characteristics, most importantly vulnerability. As a matter of fact, the cyberspace is imperfect. Its imperfections are, from both a technical and a philosophical point of view, vulnerabilities that both black hats and white hats hunt for different reasons. For the first group, vulnerabilities are prey to exploit for financial or personal gains. The second group, recognized as the “ethical” one, is composed of individuals who use their skills to identify cyber vulnerabilities before black hats do it, and then fix them. They use the exact same methods as the “unethical” hackers, but with the goal of enhancing rather than undermining overall cyber security.

Prima facie, the current situation seems pretty clear and straightforward: “good guys” and “bad guys” fighting each other in the cybersphere.

[Mark Stock]

Problems arise when one considers two features of hacker ethics. First, the ethics of white hat hackers, as they are internally understood by the hacker community itself, rely on principles that might be traced back to the six “planks” of hacker ethics described by Steven Levy in 1984 – a framework that is now generally considered outdated (Thomas, 2005). As a matter of fact, the foundations of hacker ethics remain blurred and are far from being standardized. The direct implication is that each white hat hacker has her/his own, individual morals, but the consequences of her/his actions could affect entire communities. Second, ethical hackers are now gaining a primary role in both the private and the public sector, due to the diversification of increasingly complex cyber threats, which neither industries nor states are able to tackle without “insiders” who know about black hats' technical resources and can understand their mental processes.

Ethical hackers now seem the best solution for firms and governments to cope with cyber threats: they are the only ones who have the needed knowledge and skills. However, the downside is that the technical competences required of ethical hackers make them an elite group at the top of the cyber-knowledge pyramid. This makes assessing the morality of their actions extremely difficult, if not impossible, for those without a strong understanding of the cyberspace. This is due to the fact that the majority of the population is unaware of the possible threats deriving from the cyberspace as well as the possible defensive mechanisms, making them vulnerable and in need of protection. Therefore, both non-hackers and public institutions must rely on threat-assessment processes created by skilled hackers who are willing to cooperate to increase overall security: white hat hackers. The logical consequence is that for the entire span of time in which a white hat hacker is working to identify, assess, and fix a cyber-vulnerability, human-vulnerabilities increase, as overall security will be preserved or undermined depending solely on the moral fortitude of the ethical hackers.

This inability to identify a shared set of values among ethical hackers, paired with their increasing responsibilities, leaves non-hackers vulnerable and thereby puts our whole cyber-dependent society at the mercy of white hat hackers' actions. Cyber vulnerabilities and human vulnerabilities appear mutually dependent: while the former descend from the inevitably imperfect nature of human creations, the latter stem from the inherent disastrous effects that can originate from unsuccessful attempts to correct these flaws.

Is there a solution to this dilemma?

In the last chapters of Discipline and Punish, Michel Foucault, described current society as characterized by ubiquitous, pervasive, mutual control. According to the author, the maintenance of a disciplined society is possible thanks to the circular process that mutually reinforce power and knowledge. The former is exercised through a strict yet discrete surveillance of the individuals, while the latter, if possessed by a select group of people, allows oppression.
In this sense, a perfectly Foucaultian society would dissuade ethical hackers from exploiting their powers by making them increasingly self-disciplined individuals who – as in Bentham’s Panopticon – do not necessarily require external constraints as long as they perceive the omnipresence of control. This idea, though, is in contrast with the very nature of the cyberspace, which originally emerged as a place of freedom, creativity and anarchy: a labyrinthine space without any surveillance, diametrically opposed to the rationality and symmetry that characterize the Panopticon.

The IT-dependent nature of contemporary societies, however, requires, the establishment of a plan to preclude ethical hackers from abusing their powers and deviating from their responsibilities, thus preventing security issues from arising. To deter our best allies from becoming our worst enemies, it is of the utmost importance to raise awareness and shed light on the responsibility and power ethical hackers are gaining through their position at the top of the cyber knowledge pyramid.

In our contemporary societies, knowledge is power; therefore, we should be concerned with how and by whom this power is exercised:

He who is subjected to a field of visibility, and who knows it, assumes responsibility for the constraints of power; he makes them play spontaneously upon himself; he inscribes in himself the power relation in which he simultaneously plays both roles; he becomes the principle of his own subjection.
 
— Michel Foucault, Discipline and Punish: The Birth of the Prison (1985): 202-3.

References

Baird, J., Baird, L. L. Jr., and Ranauro, R. P., (1987). The moral cracker? Computers and Security, 6(6):471–478.

Denning, D. (1990). Concerning hackers who break into computer systems. In 13th National Computer Security Conference.

Foucault, M. (1985). Discipline and Punish: The Birth of the Prison. Harmondsworth: Penguin.

Levy, S. (1984). Hackers: Heroes of the Computer Revolution. London: Penguin.

Minnaar, A. (2013). Information security, cybercrime, cyberterrorism and the exploitation of cybersecurity vulnerabilities. Acta Criminologica: Southern African Journal of Criminology 26(2)

Thomas, J. (2005). The moral ambiguity of social control in cyberspace: a retroassessment of the ‘golden age’ of hacking. Publications London, Thousand Oaks, CA and New Delhi Vol7(5):599–624 [DOI: 10.1177/1461444805056008]

Young, L.F. (1993). Utopians, cyberpunks, players and other computer criminals. In IFIP TC9/WG9.6 Working Conference on Security and Control of Information Technology in Society.

Karger, P. A., Scherr, R. R., (June 1974). Multics security evaluation: vulnerability analysis (Report).

McLellan, V., (1981). Case of the purloined password, The New York Times.

Palmer, C. C., Ethical Hacking. IBM Systems Journal, Vol 40 No 3, 2001, pp. 769-780.

Stallman, R. (2001) Science Must Push Copyright Aside, online at gnu.org

Williams, S. (2012) Free as in Freedom: Richard Stallman’s Crusade for Free Software, Sebastapol: Oreilly.

Acknowledgments

Cover image: Tomás Saraceno. "Semi social musical instrument SXDF-NB1006-2 : built by four Cyrtophora citricola-eight weeks", 2015. Courtesy the artist. © Photography by Studio Tomás Saraceno, 2015.

Inline: Kelvin-Helmholtz instability rendered using a two-dimensional fluid simulator, by Mark Stock (CC).

Inline: “Gray hats” in London's 1604, Gunpowder Plot conspirators, engraving by Crispijn van de Passe the Elder - National Portrait Gallery: NPG 334a, wikimedia.org

(C) Tomás Saraceno