Cybersecurity Ethics

Learning and understanding the proper ethics of cybersecurity is one of the most important parts of studying cybersecurity. Instructors and students should use the following links and essay to learn about the ethical concepts of cybersecurity.

Essay written by Jacob Corley

Information technology and its uses bring about many legal issues and ethical concerns. Many of the laws and regulations regarding information technology pertain to accessing, altering, or damaging a computer system without permission. This act of gaining unauthorized access to a computer system is often referred to as hacking. Despite the negative connotations, not all forms of hacking are malicious or illegal; in fact, ethical hacking is taught in many universities and entire professions are built around hacking. These law-abiding hackers are referred to as white-hat hackers, whereas their malicious counterparts are called black-hat hackers. Professional white-hat hackers often have careers as penetration testers. A penetration test is a comprehensive test of an organization’s computer security. Therefore, a penetration tester, often called a pentester, is hired to perform an authorized attack against a computer system to find and report weaknesses in the system’s security. Given hacking’s dark side, ethical hacking and penetration testing present many ethical and legal dilemmas.

Teaching college students hacking skills is the source of many ethical concerns. Many scholars believe that teaching hacking skills to college students endangers society and encourages the students to conduct illegal activities (Pike, 2013). However, proponents argue that it is necessary to teach hacking skills to help students understand the tactics, techniques, and procedures of black-hats (Pike, 2013). This dichotomy is the source of much debate and criticism. To address this, proponents suggest using support systems to teach students the proper ethics of ethical hacking and steer them away from illegal activities (Pike, 2013). Instilling ethics in students who are learning hacking skills is paramount in any college ethical hacking course. According to one study, the number of students being arrested for illegal hacking activities is rising (Pike, 2013). There are several methods and institutions that are geared toward providing examples and situations where students can learn and practice ethics regarding information technology. For example, capture-the-flag competitions allow students to practice using hacking tools and techniques in an ethical way since the competitions provide systems and infrastructures for students to legally exploit (Pike, 2013). Providing college students with a strong ethical foundation is a crucial step in curtailing concerns regarding ethical hacking.

Ethical challenges are not limited to the education of ethical hacking; there are also many ethical dilemmas present in the professional ethical hacking world. While conducting penetration tests, often called pentests, professionals face many ethical dilemmas. Pentesters face ethical challenges throughout the penetration testing process, from agreeing to the rules of the test and deciding which tools, tactics, and procedures to use all the way through writing the penetration test report (Faily, McAlaney, & Iacob, 2015). Some of the ethical dilemmas confronted at the beginning of the penetration testing cycle involve deciding on the rules of engagement for the test. For example, there are many ethical questions that must be answered, such as whether social engineering techniques will be used to dupe employees and whether policy adherence tests that could de-anonymize offending employees will be conducted. Ethical issues also arise when conducting the actual penetration test. When penetration testing, evaluating a security feature of a computer system may result in the disclosure of personal or confidential information to the pentester and organization management (Faily, McAlaney, & Iacob, 2015). For example, when testing the security of an organization’s upper-level management, a pentester may find information or files that conflict with the information sharing policy of the organization. Therefore, the pentester faces the moral dilemma of disclosing this information to the organization and possibly causing the manager to face disciplinary actions or just reporting on the security flaw that allowed access to the computer (Faily, McAlaney, & Iacob, 2015). Skilled pentesters also face the ethical dilemma of using their skills as a black-hat hacker (“What keeps white hat hackers from turning to the dark side?”, 2016). There are many skilled hackers who hack computer systems for large sums of money on the dark web (“What keeps white hat hackers from turning to the dark side?”, 2016). One study found that one in four white-hat hackers would turn to black-hat hacking if given enough money (“What keeps white hat hackers from turning to the dark side?”, 2016). However, the other seventy-five percent of white-hats surveyed said that strong ethics keep them from performing illegal hacking (“What keeps white hat hackers from turning to the dark side?”, 2016). To strengthen the ethics of pentesters, many industry organizations have developed ethical codes of conduct such as Systems Security Certification Consortium’s ethics guidelines and The Information Systems Audit and Control Association’s ethical rulebook (Faily, McAlaney, & Iacob, 2015). Clearly, ethical hackers are confronted with many ethical dilemmas when performing penetration tests.

Ethical challenges are not the only ones penetration testers face; many legal issues also arise during penetration tests. The purpose of a penetration test is to attempt to gain unauthorized access to a computer system or network to identify security vulnerabilities and risks. Under normal circumstances, breaking into a computer or network is illegal. Given the illegal origins of hacking, penetration testers face many legal challenges. One of the most important steps in a penetration test is to obtain a Rules of Engagement document from the owner of the computer system providing authorization for the pentester to perform attacks against the computer system (Murashka, 2017). This document is often referred to as a “get out of jail free” document because it provides legal permission for the pentester to hack into the computer or network (Murashka, 2017). Without this agreement document, a pentester could face serious fines or imprisonment for hacking into a system (Murashka, 2017). Additionally, penetration testers must understand and abide by the state, federal, or international laws that could pertain to a penetration test (Murashka, 2017). When performing a penetration test that crosses state or country borders, the pentester must be aware of the differences in cyber law between the jurisdictions (Murashka, 2017). For example, a company’s computer network might connect two offices, one in Georgia and the other in London, UK; therefore, the pentester must abide by both US and UK cyber laws regarding penetration tests. Although penetration tests are legal when done correctly, there are many legal issues surrounding the profession of ethical hacking.

Throughout my research into the ethics and legality of ethical hacking, I have learned that the waters of ethical hacking are sometimes murky and the line between ethical and unethical actions is not always clear. However, with strong ethics and an understanding of cyber laws and jurisdictions, it is possible to ethically and legally navigate the world of hacking. Although teaching students computer hacking skills may lead a few students to consider becoming black-hats, the advantage of teaching students the tactics and techniques used by black-hats outweighs the risks to society. Additionally, there are many ways that education systems are combating the danger to society by teaching sound and strong ethics alongside hacking skills. When out of the classroom and into the workforce as penetration testers, ethical hackers continually face ethical challenges. Deciding where to draw the moral line when conducting penetration tests and staying ethically sound when confronted with large monetary gain for illegal activity are two major ethical dilemmas white-hat hackers encounter. There is also a multitude of legal challenges when performing a penetration test. From signing a Rules of Engagement document to abiding by various cyber laws, penetration testers meet legal issues throughout every step of the penetration testing process. As an EC-Council Certified Ethical Hacker, I find these issues highly important. As an ethical hacker, I will be confronted with many ethical and legal challenges throughout my career, and understanding how to handle these issues is crucial. As I continue working in the IT industry, I will carry with me the ethical guidelines I have learned as well as the hacking skills in order to better the security of any computer system I am responsible for protecting.

Resources

Faily, S., McAlaney, J., & Iacob, C. (2015). Ethical Dilemmas and Dimensions in Penetration Testing. Retrieved from Semantic Scholar: https://pdfs.semanticscholar.org/61ab/cca04328b9301a1f53c8a56099b65f4a5e6b.pdf

Murashka, U. (2017, November 14). Penetration Testing by Letter of the Law. Retrieved from Security Magazine: https://www.securitymagazine.com/articles/88489-penetration-testing-by-letter-of-the-law

Pike, R. E. (2013). The “Ethics” of Teaching Ethical Hacking. Journal of International Technology & Information Management, 22(4), 67–75. Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=95589398&site=eds-live&scope=site

What keeps white hat hackers from turning to the dark side? (2016). CIO (13284045), 1. Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=113267417&site=eds-live&scope=site