What Do You Mean, “Ethical” Hacker?

Graham Cadwell Dietz
June 10, 2016

“Ethical hacker” is a fairly new term in the United States, and newer still in Japan. These individuals are sometimes called “white hat hackers” (ホワイトハッカー), “hackers of justice” (正義のハッカー), or “penetration testers.” But isn’t “ethical hacker” an oxymoron? Aren’t hackers the bad guys? As it turns out, not all of them are. In fact, the first so-called “computer hackers” of the 1980s were not criminals at all, but simply computer hobbyists. Today, many hackers do engage in malicious activities and are referred to as “black hats.” But white hats are the good guys. There are, in fact, whole certifying bodies for ethical hackers with complex qualifications. But, you can sum up the activities of an ethical hacker as being both legal and helpful to the target. On the other hand, malicious hackers engage in activities that are illegal and harmful to their targets.

Recently, Japan’s Ministry of Economy, Trade, and Industry (METI) announced its intention to form an extra-governmental body that will leverage these ethical hackers to defend Japan’s national infrastructure from cyberattack. The Industrial Cybersecurity Promotion Agency will facilitate the development and exchange of these human resources, in addition to informational resources stemming from sponsored research. Japan is smart to take this step toward protecting its networked physical infrastructure.

These ethical hackers will perform penetration testing for Japanese infrastructure managers. Usually, gaining unauthorized access to a network or to data is illegal. But, ethical hackers performing penetration testing receive permission to break into the network. So, it’s not illegal. In fact, the target is paying that ethical hacker to break into the network. And they know that the penetration tester will not actually harm their data or their network, because the tester is a certified ethical hacker.

The E-Commerce Council (EC Council) is one of several organizations that certify ethical hackers and require them to uphold a code of ethics. The code states, among other things, that they will protect, rather than harm, privacy, intellectual property, and networks. Ethical hackers who work in accordance with this code can help someone securing a network get an outsider’s view of their defenses. This new perspective is very useful for determining what parts of the network are most vulnerable.

This model of “trial by hacker” is new in cyberspace, but has a rich history in other fields. For example, in 1777, a locksmith named Joseph Bramah placed his most secure lock outside his shop, with a public challenge written on it. Anyone who thought they could defeat the lock could contact him and arrange to try. If the challenger was successful, Bramah would pay a monetary reward. He would also learn the lock’s weakness, so that he could later build a better lock.

In 1851, Bramah’s lock was successfully picked. Bramah paid up. The talented lock picker was Alfred Charles Hobbs, who made a living testing locks. In a sense, he was one of the first professional penetration testers. Hobbs went on to write about lock design and to manufacture locks of his own. Like Hobbs, today’s ethical hackers try to break into systems at the invitation of the system owner. They work with the understanding that they will provide complete details of what they did and how. This way, the system owner can prevent a malicious hacker from doing something similar.

Some modern companies even open themselves to penetration testing by the general public. Google, Facebook, and even the Pentagon offer “bug bounties,” where they pay for information about vulnerabilities in their websites or applications. This is a great opportunity, even for a self-interested hacker. Just like leaving a message on your laptop advertising a reward for its safe return, offering a bug bounty gives non-altruistic individuals an incentive to help you protect your stuff, even when a malicious actor wants your stuff too.

Aside from ethical and malicious hackers, there are also offensive government hackers, consulting criminal “hackers for hire,” chaotic neutral “grey hats,” and other hackers who don’t fall clearly into any one category. Most of these hackers deserve their own separate treatment. And, as the definitions of “legal” and “ethical” hacking change over time, more formal categories of professional hackers will emerge. Eventually, hackers may need to be classified more precisely according to their actions and alignment, as with a personality profile. For now, ethical hackers are quickly becoming an indispensable tool for any organization or government defending a network against aggressive outside attackers.