HOW TO BECOME A LEGALISED CRIMINAL: “ETHICAL HACKING”

The title of this article alone contains two oxymorons. How can criminality be legal, and is there such a thing as ethical or moral hacking? Many IT professionals have disliked the term “Ethical Hacker”, preferring IT Security Expert or some other such term. Part of the controversy may arise from the older, less stigmatized definition of Hacker, which has since become synonymous with the computer criminal. Some consider that there is no such thing as ethics in hacking. However, it does seem to make sense for an organisation to employ, even temporarily, a person or company with the in-depth knowledge and skills of the hacker to test the security, vulnerability and resilience of its systems against the threat of malicious sabotage, the theft of data or information or, in the case of financial systems, actual money.

Instances of hacking can not only be damaging in themselves: if the occurrence becomes publicly known, a public relations nightmare could result, with accusations of irresponsibility and a loss of public confidence in the victim organisation. Publicly well-known companies, and governmental departments for that matter, should take these threats, real or imagined, seriously, as the consequences could be far reaching and, for some organisations, financially devastating.

“Channel 4 is the latest media organization to fall victim to the Syrian Electronic Army hacktivists that target western media organizations. Channel 4 is a British public-service television service.” 7th August 2013 – ehackingnews.com

The Channel 4 website had been using an outdated version of WordPress.

“Pakistan Google Hacked in November 2012 - Top Level Pakistan Domains displayed a defacement page including Yahoo, MSN, HSBC, EBay, Paypal and other sites. Apparently Google Pakistan has been defaced by a Turkish Hacker group 'Eboz'. It's still quite hard to believe that a Google server has been hacked.” – ehackingnews.com

These threats are real and, as previously stated, potentially devastating, if not embarrassing. Another dilemma arises with regard to employing an “expert” with the requisite knowledge. For instance, in the CV does one list under work experience previous cybercrimes successfully committed?

However, help is at hand. It is now possible to take specific courses in “Ethical Hacking” offered by reputable organisations such as the International Council of eCommerce Consultants (eccouncil.org), or you can employ individuals already certified as Ethical Hackers (CEH). You can study at an ATC (Accredited Training Centre) or even through a self-study course to become a qualified Ethical Hacker (CEH). Large organisations, such as IBM, often employ teams of Ethical Hackers who are trusted to attempt to penetrate their networks and/or computer systems, using the same methods as the hacker in activities such as penetration testing, for the purpose of finding and fixing computer security vulnerabilities.

Experts in the field of preventing hacking are in great demand, as CEOs and Managing Directors see the potential threat to their businesses as serious. And because the senior management of organisations often have little knowledge of the technicalities of ICT, they will frequently apply the FUD Factor (“Fear, Uncertainty and Doubt”). Of course, the less scrupulous IT consultants will leverage this fear to their financial advantage.

Those of us who were in the IT industry during the run-up to the year 2000 know the FUD phenomenon all too well (I was a Global IT Manager during this period). The media hype around the “Millennium Bug” was never ending, with claims that planes would drop out of the sky, and in fact many planes were grounded at the time.
This was a drama created by the IT industry. After all, the pending arrival of the year 2000 wasn’t exactly a secret, so why was there little or no apparent preparation in software development and operating systems in a timely manner beforehand? Nevertheless, the culprits of the “Year 2000 Doomsday” scenario, the IT industry, made a fortune in consultancy fees and compelled companies to pay for expensive immediate software upgrades.

Some individuals (or groups) with hacking expertise might consider that hacking should be used as a tool or weapon against organisations they consider to be “bad”. They moralise and justify their actions as ethical. Such “attacks” might be carried out by groups opposed to globalisation, by “Whistle Blowers” or, worse, by those who could be classified as “Cyber-Terrorists” (and considered highly criminal by the authorities). The simplest form of attack, which strictly speaking is not hacking, is “Denial-of-Service”, whereby servers are overwhelmed by timed and coordinated mass internet requests for service, sometimes using automated systems.

The threats to our ICT systems are therefore complex and multifaceted, both external and internal, and are no longer restricted to our servers, networks and computers, but extend to hand-held mobile devices. With the advent of Cloud computing, potential new threats emerge as we delegate our data security to third parties which operate trans-globally and transnationally (remember Pakistan Google). Can we really trust them with our private and commercial data?
And more recently, following the revelations made by the American Edward Snowden, we now know the extent to which national governments access and read our emails (personal and business). This shouldn’t really surprise us: with the technology available now, the temptation for governments to access our private correspondence and data, in the name of national security, is simply too great for them to resist. The question is then, is this form of “official” hacking ethical, even if it might be technically legal?

In conclusion, the role for IT Security Experts and Ethical Hackers is expanding, and will no doubt create new sub-branches of expertise with specialities in network security (physical and radio), mobile security, websites, laptops, tablets, “Smart” cars and houses, and so on. This work will always be in demand, and experts in the field will be required to constantly update and adapt their knowledge and skills as new technologies emerge and new uses are applied.

Prof. N A Browne is the Director of Victoria Higher Education Campus, 498 R.A. De Mel Mawatha, Colombo 03. (Working in collaboration with the University of Greenwich).