This report investigated whether hacking can be ethical. It also attempted to define what hacking means and how it relates to the various codes of conduct. In addition, this report looked into the legal definition of hacking and how hacking is perceived beyond legislation.
There are three types of hackers: white hat hackers, black hat hackers and grey hat hackers. White hat hackers are also referred to as ethical hackers; these individuals hack in order to test a computer system for vulnerabilities. Black hat hackers find vulnerabilities in a system and exploit them for personal gain. Finally, grey hat hackers are often professionals who may violate laws; however, they are not as malicious as black hat hackers.
The Computer Misuse Act identifies the following as offences: unauthorised access to computer material; unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer, etc.; and unauthorised acts causing, or creating risk of, serious damage. The ACM states, “2.8 Access computing and communication resources only when authorized to do so.” and the IEEE states, “Be respectful of others”. Therefore, if the above is followed whilst hacking, it would be completely ethical.
Hacking has many interpretations in the computing industry. The question of whether hacking is ethical or not has been widely debated over the past two decades, showing how unclear and vague the term is within the industry. While some see it as a helpful tool for cyber security, others consider it unethical and harmful (Quora, 2017).
The most basic meaning of “hack” is to “cut with rough or heavy blows” (oxforddictionaries, 2017). Applied to a computing setting, this would mean hitting a computer program or website and either searching for flaws until one is found, or hitting the program or website hard until an error appears. If you were to look up hacking on the internet, you may come across something similar to this: that hacking is something done to gain access to confidential material, knowledge or information in a system (Techopediacom, 2017). Alternatively, it could say that a hacker is someone who has an interest in programming computers.
There are several types of hacking, each with its own meaning. A few relate mostly to accessing information. Website hacking is when a web server and its related software are accessed by someone without permission. Email hacking is gaining access to an email account and using it without the consent of its owner (Tutorialspoint, 2017).
A few relate mostly to obtaining the passwords and IDs that are used to get at information. Password hacking is about recovering passwords that have been stored somewhere in a computing system. Computer hacking is about stealing IDs and passwords from computers using hacking methods (Tutorialspoint, 2017).
Network hacking is when information is gathered about a network using specific tools so that the information can be used against the network to disrupt it. Ethical hacking is the sort of hacking whose purpose is to find weaknesses in computing-related systems so that the problems can be fixed (Tutorialspoint, 2017).
This is where the term can get confusing: there are several types of hackers, depending on whether the media, computing professionals or cyber criminals are defining them. Self-described hackers often try to write new code and see what they can do with computers. Media-labelled hackers try to get into systems to alter information, destroy it or write viruses. Ethical hackers try to find weaknesses or errors and help fix them in an attempt to make systems safer (Tutorialspoint, 2017).
The aim of this report is to investigate whether hacking can be ethical. It will also attempt to define what hacking means and how it relates to the various codes of conduct. In addition, this report will look into the legal definition of hacking and how hacking is perceived beyond legislation.
In order to make the work process as effective and efficient as possible, a shared Google Drive was created along with a WhatsApp group. This allowed ease of communication and simultaneous work from different locations. All individual work and the final report were kept on the shared Google Drive. In addition, a flexible timetable was created to ensure that the group met the submission deadline. Group members were divided into teams of three to work on the report and the poster. After two weeks the teams swapped and then discussed how the work could be improved. Minutes were taken every time we met up; to save time we used a template Christopher provided. These made sure we were working effectively and showed whether we needed to change our work. The team made certain that someone was always available to meet up on Wednesdays and Fridays, which ensured that if any member of the team wanted to discuss problems in person, that support was there.
The poster was created in Microsoft PowerPoint as we felt it was the best tool. The poster was split into four sections: Introduction, Research Questions, Discussion and Results. This ensured that everything required was covered in the poster. The main parts of the report were simplified and then incorporated into the poster. Images were also used to present some of the information. This was done to show a different approach to the coursework, as opposed to writing paragraphs, and it also made the poster more creative and interesting.
Secondary data was used to conduct the research for the report, as it is important to provide background information through existing academic literature (Proctor, 2005). Secondary research is data that was collected by other researchers for different purposes (Saunders, Lewis and Thornhill, 2012). Although books provide a good basis, the academic literature available in books was limited. Thus, secondary sources such as academic journal articles and online newspaper articles were used. In addition, blogs, microblogs and magazines were used to look into the most recent information on the topic.
Hacking is defined as an individual or a group breaking into a computer network using methods such as brute force attacks, data modification, password-based attacks, denial of service attacks, man-in-the-middle attacks, compromised-key attacks and many more. Criminals carry out hacking attacks against businesses or organisations because they want to break into a company's computer systems to cause trouble (Techtarget, 2017).
One example of the difference between hacking and not hacking is helping a friend to recover a forgotten password. If you have the person’s permission to do so, it is not hacking. Otherwise, you are breaching the Computer Misuse Act and thus hacking. Nowadays hackers break into the computer systems of organisations or businesses for motives and purposes such as money. Earlier this year a hacking attack struck banks, hospitals and government agencies in more than 150 countries, exploiting known vulnerabilities in old Microsoft operating systems. The NHS is thought to have been one of the first victims of the attack in May 2017, which started in the UK and Spain before spreading around the world. Staff were forced to cancel or postpone surgeries and appointments as a fifth of NHS trusts were targeted while the hackers demanded a ransom. It was launched on Friday, May 12, and infected more than 230,000 computers, demanding ransom payments in the cryptocurrency bitcoin in 28 languages. Another example is Equifax. Equifax had its customers’ data stolen between May and July 2017. Overall, over 14 million UK records were stolen. The huge data breach was part of an attack on the firm's worldwide customer records in which the personal details of 146 million people in the US were stolen, along with those of 8,000 Canadians. The given examples show that ransomware is the most popular method of hacking these days. Both companies hold valuable and sensitive data in which hackers are interested because it can be sold for their own financial benefit. Companies should always look into improving their security and ensuring it is up to date and of the highest standard, and they also need to know where they are vulnerable.
4.2 (Re)defining a hacker
In the cyber security world, a person engaged in hacking activities, or who is able to discover vulnerabilities in a system and manages to exploit them to accomplish a goal, is referred to as a hacker, and the process is referred to as hacking.
A lot of people think hacking is just unauthorised access to a computer or a network. The question of whether the term hacker should be redefined or not has been widely discussed. However, there is also the issue of not having a clear understanding of the differences between hackers.
Hackers have extraordinary skills and knowledge that allow them to hack into computer systems or networks and gather important information, but what do you call someone who hacks to check their own security, searching for security holes in computer hardware and software to make it more hack-proof? There are several types of hackers, and understanding the difference between them is important (Techadvisory, 2017).
Script kiddies are users who use tools, scripts, methods and programs created by real hackers. They do not have knowledge of how systems actually work; however, they are still able to use the programs to exploit systems with previously available tools (Pctools, 2017).
White hats, or ethical hackers, are employed by organisations. Thus, they acquire their knowledge of hacking techniques from industry training in order to learn about the vulnerabilities in the organisation’s systems and how to provide protection against them. Security professionals are more likely to be trustworthy; however, they are less likely to have the low-level skills and inside information that only exist in the hacking community (Duke, 2012). Linus Torvalds is a great example of a white hat hacker. After years of experimenting with the operating system on his computer, he finally released Linux, a secure open source operating system (Techadvisory, 2017).
Black hat hackers attempt to find computer security vulnerabilities and exploit them for personal financial gain or other malicious reasons. Black hat hackers create programs and campaigns solely to cause damage. They can cause major damage to personal computers or large companies by stealing personal financial information, compromising the security of major systems, or shutting down or altering the function of websites and networks. Black hat hackers also employ non-computer methods to obtain data, for example calling and assuming an identity in order to get a user's password (Techopedia, 2017). Albert Gonzalez is one of the many poster children for black hat hacking. In 2005, he organised a group of individuals to compromise poorly secured wireless networks and steal information. He is most famous for stealing over 90 million credit and debit card numbers from TJ Maxx over the course of two years (World, 2007).
Grey hat hackers are those who may violate ethical standards or principles, but without the malicious intent that black hat hackers have. Grey hat hackers occupy the middle ground between white hat and black hat hackers. A common example is a grey hat hacker exploiting a security vulnerability in order to spread public awareness. In this case, experts might say that the difference between a white hat hacker and a grey hat hacker is that the grey hat hacker exploits the vulnerability publicly, which allows black hat hackers to take advantage of it. By contrast, a white hat hacker may do it privately in order to alert the company, without making the results public. While the grey hat hacker did not use their access for bad purposes, they compromised a security system without permission, which is illegal (Techopedia, 2017).
Another example is Marcus Hutchins, who is employed by the cybersecurity firm Kryptos Logic. The US government believes he spent his free time creating the Kronos banking malware. Earlier this year Hutchins became an overnight superstar when he poked and prodded the WannaCry ransomware until he found a way to stop it (Security, 2017).
4.3 Difference between the legal definition of hacking and how it is understood by people
In the 1960s some programmers called themselves hackers as a sign of being good with computers (gnu.org, 2017). However, in the 1980s the way people understood hacking changed due to how journalists were reporting on it (DuBois, 2011). They talked about hackers as computer criminals. Today that has not changed, and hackers are still seen as computer criminals who carry out attacks against computers.
The UK’s legislation under the CMA (Computer Misuse Act) does not mention the words hacker or hacking. Therefore, it is hard to compare how people think of hacking with the legal definition of hacking. However, if one takes hacker to mean a computer criminal, the CMA sets out the following three offences (inbrief.co.uk, 2017):
· unauthorised access to computer material
· unauthorised access with intent to commit a further offence
· unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer
Consider the following example: a student forgets to log off the computer after a lab, and another student decides to save time by using the same account instead of logging off and logging into their own account. According to the law that is a criminal activity, because the second student has gained “unauthorised access to computer material”. However, the majority of people wouldn’t see it that way.
The law can be weak or poorly defined, and some countries do not have laws against cyber criminality. Because of that, a lot of crimes are performed digitally, as it makes it harder for local justice systems to know which country is responsible for which attacks.
4.4 Hacking and codes of conduct
British Computer Society (BCS)
One point in the British Computer Society’s code of conduct is “have due regard for the legitimate rights of Third Parties.” (BCS, 2017). This means that professionals in the BCS cannot take advantage of individuals who lack knowledge of their rights when it comes to computers (what is right and what is wrong), or anyone else for that matter. Hacking (“Hacking is unauthorized intrusion into a computer or a network.”) (Techopedia Inc, 2017) comes under this point, as individuals may not be aware that their system is being hacked; they may not be aware of the signs. So if members hack individuals, it would be seen as taking advantage of third parties who don’t necessarily have knowledge of their rights when it comes to computers.
Another point in their code of conduct is to “reject and will not make any offer of bribery or unethical inducement.” (BCS, 2017). Hacking can be related to this point, as a member may be bribed into hacking a system for someone. This would breach the code, which says that members should neither make nor accept any such offers.
“NOT disclose or authorise to be disclosed, or use for personal gain or to benefit a third party, confidential information except with the permission of your Relevant Authority, or as required by Legislation” (BCS, 2017). This code relates to hacking as it essentially says that members cannot use their position to take advantage. Hacking is seen as taking advantage, as people can gain access to many things, including bank details.
The point about not taking advantage of individuals’ lack of knowledge is made again in this code: “NOT misrepresent or withhold information on the performance of products, systems or services (unless lawfully bound by a duty of confidentiality not to disclose such information), or take advantage of the lack of relevant knowledge or inexperience of others” (BCS, 2017). As I explained before, hacking is mainly carried out for personal gain, and carrying out these malicious attacks would break many of the codes in the BCS’s code of conduct.
“carry out your professional responsibilities with due care and diligence in accordance with the Relevant Authority’s requirements whilst exercising your professional judgement at all times” (BCS, 2017). This code, however, says that members must carry out what companies require. Some organisations may require ethical hacking in order to secure their computer systems. Ethical hacking is when professionals try their best to hack systems (not maliciously) in order to test the security of a computer system. If they succeed, it means the system is not secure enough. If the hacking is unsuccessful, it means the organisation’s system is safe and secure. This code also says that “due care and diligence” (BCS, 2017) must be taken, meaning the member must carry out tasks carefully, with the organisation being the priority (not taking advantage for personal gain). Essentially, if the company asks you to test their system for any failures in security, you can ethically hack their system but must not use this for personal gain.
Overall, members have permission to hack ethically if that is what the organisation wishes and requires. However, members must not take advantage of individuals who lack knowledge of their rights in terms of IT. Members must also not accept bribes.
Association for Computing Machinery (ACM)
“1.2 Avoid harm to others.” (Association for Computing Machinery, 2017) This code relates to hacking, as it states: “This principle prohibits use of computing technology in ways that result in harm to any of the following: users, the general public, employees, employers.” (Association for Computing Machinery, 2017) This means that you may not use computers to hurt anyone, including users. Hacking can be seen as harming individuals, as it involves breaching their rights for personal gain. It would harm individuals as personal information, e.g. bank details, could be stolen.
“1.3 Be honest and trustworthy.” (Association for Computing Machinery, 2017) Being trustworthy is the main part of this code that directly relates to hacking. Being trustworthy means you must be reliable. Hacking unethically will breach this code, as organisations will no longer trust you, making you an unreliable member. This will also tarnish your name as an ACM member, and you will no longer be trusted with further jobs.
“1.7 Respect the privacy of others.” (Association for Computing Machinery, 2017) Hacking will definitely breach this code, as it is an act usually used to gain an individual’s information, e.g. personal details or bank details, for personal gain, which means not respecting the individual’s privacy.
“2.8 Access computing and communication resources only when authorized to do so.” (Association for Computing Machinery, 2017) This point relates to hacking because, if a member is given authorisation to use resources in order to ethically hack an organisation, doing so would still be seen as complying with this code. Organisations may hire someone to ethically hack their system in order to test their security. If asked to do so, members are allowed to complete this task while maintaining the other codes, for example being trustworthy. This code also goes together with the point “4.1 Uphold and promote the principles of this Code.” (Association for Computing Machinery 2017), which essentially means that members must always comply with all the codes of conduct whilst completing a task.
Overall, members must not hack individuals without permission; with permission, this is ethical hacking. Members must also always comply with all the codes in the ACM’s code of conduct whilst carrying out tasks. If not given permission, members must not use tasks as a way of gaining information about people for their own personal gain.
Institute of Electrical and Electronics Engineers (IEEE)
“Be respectful of others” (IEEE Board of Directors, 2014) This point in the IEEE’s code of conduct relates to hacking, as it states that members “will act in a professional manner while participating in IEEE activities.” (IEEE Board of Directors, 2014) This means that members must act professionally whilst completing tasks, i.e. stick to the job in hand. It relates to hacking because members may use their tasks to take advantage of a client’s computer system. “We will be respectful of the privacy of others and the protection of their personal information and data.” (IEEE Board of Directors, 2014) This point also backs up what I mentioned before.
“Avoid injuring others, their property, reputation or employment” (IEEE Board of Directors, 2014) This can also relate to hacking, as members are not allowed to hurt others or their data. Hacking isn’t just about gaining personal information; it also includes actions such as destroying someone’s files or data. “We will avoid injuring others, their property, data, reputation, or employment by false or malicious action.” This quote goes into more detail on this code of conduct.
The code “Rejecting bribery in all forms.” (IEEE Board of Directors, 2014) relates to hacking, as members may be bribed into hacking a system. Doing this would breach this code; in fact, it would breach many of the codes in the IEEE’s code of conduct.
“We will comply with all applicable laws, rules and regulations governing IEEE’s business conduct worldwide.” (IEEE Board of Directors, 2014) This code can also relate to hacking, as it says that as long as members stick to the laws and rules, they can complete their tasks. Organisations may ask someone to ethically hack their system to ensure it is safe and secure. This code allows members to complete ethical hacking tasks whilst complying with all laws, rules and regulations.
Overall, the IEEE code of conduct allows members to hack ethically but definitely does not allow them to carry out malicious attacks, including hacking.
To conclude, all three computing institutions have similar codes of conduct. None of them allows malicious attacks to be carried out. All three also allow ethical hacking to be carried out if asked to do so.
Computer Misuse Act 1990 (Information Technology: Legislation and codes of Practice 2008 SQA)
The law includes many acts when it comes to computing; the Computer Misuse Act is just one. The offences under this act which apply to hacking are: “Unauthorised access to computer material.”, “Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc” and “Unauthorised acts causing, or creating risk of, serious damage.” (legislation.gov.uk 2017). Hacking breaks all of these points, as hacking can also include someone damaging the victim’s files and data.
Copyright, Designs and Patents Act 1988 (Information Technology: Legislation and codes of Practice 2008 SQA)
This law also relates to hacking, as “hackers” could steal victims’ data and files to use them as their own. Stealing someone’s files and using them as your own is copyright infringement (Copyright Witness, 2017).
4.5 Can hacking at any time be legal?
With cyber-attacks on the rise, countries and organisations are seriously suffering from a lack of information security skills. There is ample evidence that any organisation can benefit from the skills of ethical hackers. In 2011, NASA’s computer network was successfully hacked 13 times. According to congressional testimony on the breaches: “In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorised access to NASA systems” (Martin, 2012). Big organisations and agencies are not the only ones to suffer from cyber-attacks. Smaller companies are targeted even more often, since they are easier to access. Companies and organisations, especially in sectors such as finance, healthcare and government, are required to complete regular, rigorous security assessments. As a result, ethical hackers are becoming an essential part of an organisation’s network security armoury as the number and complexity of attacks grows (Caldwell, 2011).
As discussed before, there are three main categories of hackers: white hats, grey hats and black hats. All of them exploit weaknesses in computer systems and networks, the difference being their motivations. Activities such as penetration testing, which is carried out by ethical hackers, are necessary to identify weaknesses and to help determine how secure a company’s systems are (Conrad, 2012).
But is ethical hacking actually ethical? Organisations such as The International Council of Electronic Commerce Consultants (EC-Council) provide various certifications in IT security fields. According to EC-Council, a certified ethical hacker is “a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective” (2017).
Most organisations believe that employing certified ethical hackers and authorising them to carry out various tests provides the necessary legal protection, and that this is enough to justify hiring a hacker and their questionable activities, since they are acting in the company’s interests (Sutherland, 2013).
Nonetheless, the line between ethical hacking and malicious hacking is very thin. In 2012 a software development student hacked into several Facebook servers so that he could point out the vulnerabilities to the Facebook security team. He had also been rewarded by Yahoo for locating vulnerabilities (Zorz, 2012). Despite having good intentions, he was sentenced to eight months in prison, since he had illegally accessed Facebook’s internal systems (Bruce, 2017).
While the question of whether hacking can be ethical, given that hacking is essentially illegal, is widely debated, it is clear that in the current climate, with the rising number of cyber-attacks, ethical hacking is necessary for organisations to secure their systems and networks.