I started my cyber security career not as a writer, but as a hacker in the truest sense of the word. In the late 1980s and early 1990s I explored other people’s networks for educational, rather than criminal, reasons. I was keen to learn about the emerging online world and for me, hands-on experience was how I could do that most effectively.
Certainly, I strayed into the darker shades of grey when it came to my virtual travels, but I never set out to do harm or steal. Fast-forward 35 years or so and for most people, in my experience, hacking often conjures up one of four visions:
- The hoodie-wearing teenager installing malware, stealing data (or draining bank balances), defacing sites in the name of political activism, or hitting services with distributed denial of service (DDoS) attacks.
- Organized criminal gangs stealing data and/or extorting victims. Ransomware groups have become the focus of much of this attention today, but these are far from the only players in cyber crime.
- State-sponsored actors involved in commercial/industrial/political espionage.
- Law enforcement or government agencies carrying out surveillance or gathering information to build a case.
The commonality here is criminality and harm, apart from the fourth example, which often sits in a grey area. To be honest, people are more likely to refer to the agencies performing these activities as spooks or spies than as hackers.
But for me, a hacker doesn’t neatly fit into any of these molds. Someone who drives a car could do so with harmful intent, such as escaping a robbery or harming pedestrians, but you wouldn’t label all drivers as criminals. So why should the same logic not apply to hackers?
Some criminals hack, but not all hackers are criminals. Some hacking is harmful, but not all hackers cause harm. And some hackers, I would argue the vast majority in the 2020s, are highly skilled professionals and not criminals. Hacking is not a crime; criminal activity is a crime. Surely that’s not too hard to comprehend?
Why does it matter if hacking is legal?
Many people argue that these semantics don’t matter. But they are very wrong indeed. It matters how we describe hackers and hacking because that accepted public understanding of the terms informs a broader narrative that can have serious consequences. I’m not talking about feelings being hurt if someone on Facebook thinks you are a criminal rather than a skilled professional because you call yourself a hacker. This isn’t to belittle that hurt, as it can be very real within the cyber security profession where stress levels are already through the roof.
But for the purposes of this argument, I’m discussing issues that could impinge on an individual’s freedom in a worst-case scenario. The pejorative use of hacking has informed legal definitions and still does today. Let’s look at what the Crown Prosecution Service (CPS) has to say, shall we? In an explainer that defines various types of cybercrime, the CPS states that:
“Hacking is the unauthorized use of or access into computers or networks by using security vulnerabilities or bypassing usual security steps to gain access. Criminals may hack systems or networks to steal money or information, or simply to disrupt businesses.”
Tell that to the security professionals who earn their living as bug bounty hunters, who provide a service to vendors and users alike by finding previously unknown security vulnerabilities. By doing so, they enable vendors to patch those vulnerabilities before users can be targeted by the actual criminals.
While it’s fair to argue that those working as part of a vulnerability discovery platform will have authorized access from the vendors, this isn’t the case for those discovering and disclosing vulnerabilities outside of such platforms. Is their work any less valuable because they were not authorized to find a security problem that could have impacted, in many cases, millions of users? Is their work to be painted with the brush of criminality rather than portrayed as the good deed it actually is?
There are certainly hackers who disclose such vulnerabilities in the hope of gaining financial rewards, but the majority of people I know working outside of vendor-confirmed platforms do so because they are passionate about making software and services more secure. Financial reward is often a secondary motivation for hackers.
All of this means the CPS definition would be far more accurate if it was preceded by one single word: criminal. Criminal hacking is all the things the CPS says. Hacking is demonized here unfairly. If I were to define the internet as being a place where criminals commit fraud without any further explanation, would that be acceptable? No, of course not. Yet the internet is used for those things by those groups, just as criminals use hacking for criminal activity.
The legal threat to better cyber security
Then there’s the Computer Misuse Act (CMA 1990). As the date attached to it rightly suggests, this originated in a very different time in terms of the impact the online and digital world had upon every aspect of life, both at work and home. I have previously argued that the CMA is a product of an era before the World Wide Web and that the limitations it places on cyber security professionals could be causing harm.
In fairness, moves are underway to update the CMA with regard to a statutory legal defense for ‘ethical hacking’. But these moves are incredibly slow and it is time for such potential amendments to be put to bed.
Casey Ellis is the founder of one of the biggest crowdsourced cybersecurity platforms, Bugcrowd, which incorporates both bug bounty platforms and penetration-testing-as-a-service. Ellis is concerned that the UK needs to mirror reforms around ethical hacking as has happened with the 1986 Computer Fraud and Abuse Act in the US. The deadline for submissions for anyone involved in the cybersecurity industry to add their views to the consultation process has now passed. Only time will tell if enough people have made a convincing argument to nudge the UK government into making changes. But a longer wait could be ahead if the snail’s pace at which the process has moved so far is anything to go by.
“Poor legal protection for ethical hackers could have the chilling effect whereby those who could contribute to making the internet a safer place become afraid to do so,” Ellis says as the consultation period draws to a close. “To be even clearer,” he continues, “people build software, people make mistakes, and mistakes create vulnerabilities. Amid the worldwide shortage of skilled cyber security professionals, Bugcrowd wants organizations and law enforcement to still benefit from ‘Neighborhood Watch for the internet’ by decriminalizing and encouraging anyone from the ethical hacking community to assist.
“Those ethical, well-meaning, and responsible researchers should not be put in a position where they may be at risk of legal jeopardy. The UK needs a revised Act that not only better defines the difference between the activities of malicious attackers who have no intent to obey the law in the first place and those who hack in good faith, discovering and disclosing vulnerabilities so they can be addressed before they are exploited.”
This illustrates just how important semantics, definitions, and words are when it comes to our understanding of hacking and the laws that apply to it. The CMA itself states that it exists to “make provision for securing computer material against unauthorized access or modification; and for connected purposes”.
This is as clear as mud and in effect makes the act of hacking the criminal offence, rather than acknowledging that malicious hacking and criminals that happen to hack are the real problems.
Valuable examples of ethical hacking
Positive hacking tales show both the value of hacking and how hackers can be well rewarded for their efforts without embracing criminality.
The latest and, in purely financial terms, the greatest Pwn2Own Vancouver competition has been and gone. This global hacking event has been a must-watch fixture in the diary for many since it all kicked off back in 2005. Organized by the Trend Micro Zero-Day Initiative, Pwn2Own gathers together some of the best hacking brains, both as individuals and teams, who then compete against the clock and each other to “pwn” a given target.
Pwn is slang meaning to utterly defeat an opponent or in hacking terms successfully attack a victim using a zero-day exploit to execute remote code, escalate privileges, or access a system that should remain inaccessible. The targets this year included the likes of Adobe, Apple, Microsoft, Oracle, Tesla, Ubuntu and VMware. It should be noted that there was nothing illicit about Pwn2Own as each year the targets sign up to be part of the event and authorize the hacking attempts within certain parameters.
Those who successfully execute a zero-day exploit against each target are rewarded both in cash and kudos. This year, the total amount of prize money awarded was $1,035,000. That was divided between a handful of hackers and hacking teams, one of which also walked away with a Tesla Model 3. The kudos element is by way of points awarded for each exploit that rack up until one team is crowned “Master of Pwn” at the end of the event.
This year, it was team Synacktiv that dominated Pwn2Own on both counts, winning $530,000 and winning the kudos title with 53 points. In second place, to put the Synacktiv success in some perspective, was the STAR Labs team with $195,000 and 19.5 points.
All of this goes to show why hacking is such a force for good. All the exploits and their underlying vulnerabilities were immediately disclosed to the vendors so that they could be patched. The full technical disclosures aren’t made public until such a time that those patches are available and users have had time to update their software and systems.
This content originally appeared on ITPro’s sibling magazine PC Pro.