How do you combine ethics and cybersecurity?
17 06 2020
Extraordinary responses to extraordinary times: in early March, hacker groups such as Maze, DoppelPaymer, Ryuk, PwndLocker and Ako announced a ceasefire during the Covid-19 health crisis. Despite this, on March 16, the US Department of Health and Human Services suffered a distributed denial-of-service (DDoS) attack. And on March 22, in France, while overcrowded hospital departments were being deluged with patients, the Assistance Publique-Hôpitaux de Paris in its turn fell victim to a violent cyberattack. These events raise the valid question of whether ethics are a consideration in hackers’ actions.
Answers to questions on hacker ethics are necessarily coloured by your own point of view, and by your own definition of what is – and isn't – ethical. Recently, two hacktivists offered their own partial definition of ethics. Citing individual data protection concerns as a motivation, French hacktivist Baptiste Robert (alias Elliot Alderson) undertook an in-depth analysis of personal contact tracking applications. Having detected and exposed flaws in India's Aarogya Setu application, he concentrated on the French version, StopCovid, and the Pakistani version, COVID-19 Gov PK. Last year, in a different genre, Phineas Fisher launched his own “bug bounty” as a reward to anyone launching politically motivated hacks leading to the disclosure of documents of public interest... while in related news, a Canadian organisation assisting young homeless people was hit by ransomware in early January 2020. In a complex, multi-faceted landscape, is there any room for ethics?
Ethics: an eminently subjective notion
First, a quick philosophical introduction. Jean-Jacques Nillès, founder of the French Socrates consultancy specialising in ethics, believes the question is not so simple: “Although the distinction between “legitimate” and “legal” is widely accepted, not everyone accepts it at face value. The relationship between law and ethics is a complex one, and there is a tendency to simplify it. Our laws are founded on ethics and ambitions. Some atypical cases reveal a dissonance between legal and ethical considerations; but once again, this is not entirely accurate... instead, these are ultra-rare cases in which a principle of law sees itself telescoped into a rule. The law does not provide clear-cut answers. What it does is to spell out a certain number of possibilities. And it is within this multiplicity of options that ethics finds its place. ” In short, the law defines a number of possibilities, and the role of ethics is to make a choice between these. For Alice Louis, the director of a project to establish the “Cyber-Ethics Fund for Digital Sovereignty”, “ethics is the thought of principles and values. In this respect, morals and/or “morality” tell us which actions are right, good or bad. In other words, and as stated by the likes of sociologist Max Weber: ethics is an act of empowerment which cannot be reduced to the mere expression of an opinion. ” This opinion is shared by Philippe Sanchez, a consultant and trainer at the Socrates consultancy: “Ethics is a subjective notion that can vary from one individual to another. It will always make its nest where a gaping hole is left by the law. Without rules, any of us could justify our actions by citing a liberal interpretation of ethics...”
Ethics is a subjective concept that can vary from one individual to another. It will always make its nest where a gaping hole is left by the law.Philippe Sanchez, a consultant and trainer at the Socrates consultancy.
Many among us would acknowledge an ethical dimension to the work of hackers operating in Tunisia during the Arab Spring movement… but it would be more problematic to accept the legitimacy of a group in the pay of the Kremlin, undermining the principle of non-interference in international law by infiltrating US Democrats during a presidential election. So is one man's cybercriminal another man's hacktivist? Maybe. Especially if we take the opposing view to that of the philosopher Emmanuel Kant by viewing ethics as a relative concept shaped by concepts specific to a given culture...
The codes of the hacker community
Hacker ethics are steeped in the cyberpunk subculture, a core value of which is protest. Characters in these novels are anti-heroes, often pawns manipulated within an imbroglio of secret societies, government departments and crime syndicates, all of them run to varying degrees by senior executives of multinationals which have become more powerful than states themselves, and whose leaders are often devoid of any morality. These anti-heroes are then presented as small pieces of grit in the machinery. A later development has been the addition of a search for knowledge and understanding of computer systems – and a desire to preserve the Internet as a place of absolute freedom from rules imposed by governments and corporations. For that reason, it is legitimate to infiltrate systems owned by various government, financial and military institutions in order to dissect their architecture. In 1984, the journalist Steven Levy, the author of Hackers: Heroes of the Computer Revolution, summed up the hacker ethic as follows: don't destroy the computer networks you infiltrate, don’t make a profit, and share information.
So does this hacker community have its own codes? Black Hat, White Hat, Grey Hat and even Blue Hat: there is a wide and diverse range of hacker profiles, each of which has its own codes. These codes differ according to hacker loyalties/allegiances, which may inspire varying degrees of confidence from a third-party standpoint: “A ‘grey hat’ like Baptiste Robert will publicly divulge the existence of a flaw that endangers users, while a ‘white hat’ will give information to the company they are working for. The white hat will never 'cross the line’ legally, even though others may follow different paths,” explains French hacktivism specialist Fabrice Epelboin.
At what point does a hacker decide which path to follow? And can their decisions be influenced over the course of their personal journey? In other words, is ethics a question of maturity? This series of questions leads us to consider the case of ‘script kiddies’, amateurish hackers driven by results rather than knowledge, and inspired by complex motivations. “The fundamental difference with script kiddies is their ignorance of the mechanisms involved. They will use ready-made solutions instead of developing their own code, which can sometimes cause them to underestimate the damage they're doing,” explains Davide Pala, Stormshield Pre-Sales Engineer in Italy. However, this doesn’t stop them from sometimes uniting under the banner of shared values in the name of ethical principles which – once again – are theirs and theirs alone. “For example, that's exactly what you find within Anonymous, Epelboin explains. Among their number are many script kiddies doing nothing more than pushing buttons. However, when viewed as a whole, the fact remains that they can represent a significant strike force. This crowd effect can also be employed for the ends of political machinations and digital crime, giving rise to bug bounties or ransomware, depending on the value systems of the specific individuals. ”
At the same time, it is clear that IT vulnerabilities have now spawned an economy in its own right. So, does ethics have a price? Because they can be associated with significant financial rewards in real or ‘dark’ markets, issues around vulnerability have for many years been attracting mafia organisations, large groups of shadowy hackers and also major state-sponsored groups. Each of these has its own objectives, and more importantly, its own abilities in terms of resources; initially financial, and later, human. The colossal financial muscle that can be flexed in this way – along with the promises of astronomical “easy” profits – can seduce some hackers and lead them to compromise some or all of their personal ethics. Especially considering that on the other side of the mirror, the “bug bounties” on offer and the salaries offered by institutions and companies hardly compare.
But to what extent can you trust a hacker? And what is a hacker's word really worth? There is no clear-cut answer to these two questions: it always depends on exactly who you're dealing with. Although some vestiges of the early hacker movement still remain, the landscape has become more diverse and the codes that govern the community no longer act as a clear rallying point. So, in an attempt to make this complex landscape easier to understand, the term “ethical hacker” has emerged. But it hasn’t been all that successful...
The ethical hacker: an empty phrase?
The need to combine these two terms suggests that they were somehow diametrically opposed at the start. Does that mean that “white hats” are the good guys, and “black hats” are the bad guys? “That’s completely wrong,” claims Epelboin. “Black hat, white hat, ethical hacker, cybersecurity engineer; these are just marketing labels that tell you very little, except that the media loves to simplify things.“ He believes that the only thing separating a “grey hat” from a “white hat” is the legal framework in which the latter operates, in the interests of maintaining cybersecurity. “In reality, the ethical hacker could be working for arms dealers, or for a company like Monsanto, and they would still be considered as ‘ethical’. But that has nothing to do with ethics, merely law. Obviously, a hacker can behave in a way that is both ethical and illegal; for example, when dealing with oppressive regimes...”
Black hat, white hat, ethical hacker, cybersecurity engineer; these are just marketing labels that tell you very little, except that the media loves to simplify things.Fabrice Epelboin, French specialist in hacktivism
Epelboin believes that binary distinctions between ethical and non-ethical hacking can never reflect reality. In his opinion, appearances can be deceptive. “Hacker culture doesn't really lend itself to a 9-to-5 lifestyle... One possible permutation is that you could be a white hat during the day to earn a living, but grey hat at night as you fight for your principles. To be honest, I don't know any hackers who've never crossed the red line, because it's such a small step from legal to illegal, and it's so easy to be anonymous. In addition, protecting users often means forcing companies to adopt secure practices, which can involve methods frowned upon by law. ”
Cyber-ethics: in search of a framework
Some see them as universal, while for others they're relative... but if we are to agree on the question of ethics, we need legal boundaries. Indeed, many platforms such as Yogosha, YesWeHack and HackerOne devote themselves exclusively to hunting down digital flaws through “bug bounty” programmes, while other companies such as Synacktiv specialise in penetration tests.
Such ethical hacking is then practised in very tightly-controlled environments. In this scenario, hackers adhere to the compliance requirements imposed by companies and governments, and sign up to certain codes specific to the environment: any detected flaws must be reported; the privacy of the organisation, its employees and users, and of third parties, must be maintained; and any breach that is created or exploited must be sealed. These principles, set out by the Forum of Incident Response and Security Teams, were re-stated in a recent article by the Kaspersky French team. Hackers who comply with these requirements can even obtain the title of “Certified Ethical Hacker”, awarded by the EC-Council body in the US.
Alice Louis concludes: “There are hackers who seek to operate within a legal framework, and thus align themselves with an ethical approach in the sense of normative ethics in general, and consequentialism in particular. This approach to ethics explains that the morality of an action must be assessed in terms of the consequences of that action. From this perspective, hackers become clear allies for organisations. Obviously, a certain number of precautions need to be taken, with checks made in advance, e.g. with trusted third parties, and ultimately, a rigorous set of contractual terms set to govern the work they do.” An essential foundation for a relationship built on trust...