White Hat Hackers

By David Swan

As a retired Army Intelligence Officer with a background in cybersecurity, I regularly get asked about ‘white hat’ hackers. Variations on this theme include: Are ‘white hat hackers’ a thing? Can I trust them? Don’t white hats try and protect us? Should there be laws protecting the work that white hat hackers do? What is a White Hat Certificate? What is the value of a White Hat Security Certificate? I have well-developed opinions, since I have held a security clearance since the 1970s and started working with computers in the late 1980s. What follows are my observations, assessments and opinions on ‘white hat hackers.’ My opinions are my own and not based on the cybersecurity industry.

Pretty much everyone has encountered the term ‘hacker.’ For the bulk of the non-technical (or non-computer oriented) population, hacker equates to the bad people who attack other peoples’ computers. The Merriam-Webster definition is useful for clarity[1]:

hacker noun

hack·er ˈha-kər

1: one that hacks

2: a person who is inexperienced or unskilled at a particular activity, for example a tennis hacker

3: an expert at programming and solving problems with a computer

4: a person who illegally gains access to and sometimes tampers with information in a computer system

The computer industry prefers to portray hackers as ‘explorers, programmers who solve problems with computers.’ In the cybersecurity world, ‘hackers’ are often sub-divided into ‘black’ hats, ‘white’ hats and sometimes ‘grey’ hats. Black hats are pretty much what you would expect, the bad guys. ‘White’ hats are the good guys. Their work covers a wide range of activities, from penetration testing (testing other peoples’ systems for vulnerabilities) to using their security smarts to protect/defend computer systems. ‘Grey’ hats can work in either black or white roles, sometimes doing both. Some grey hats advertise themselves as security advisors: they penetrate an organization’s computer system, and then ask for remuneration for pointing out security issues – and how to patch them.

And there is the problem with trying to classify ‘hackers.’ There are many hackers who perceive themselves as ‘good’/‘white hats’ but they persist in exploring other peoples’ systems – without an invitation to do so.[2] These people insist they don’t break anything, destroy anything, claim a ransom or do anything bad, and many of them are trustworthy. Many people who perceive themselves as ‘white hats’ don’t see any issues in what they do and how they do it. The cybersecurity industry has codified ‘white hat’ behaviour, creating behaviour standards, courses and certification.

Many ‘white hats’ see themselves as explorers, people who promote a better, more secure computer environment. My problem with their perception is that I see the cyber world as highly analogous to the real world. Few regular people would ever consider checking all the windows and doors in a house to see what was unlocked. That is the equivalent of ‘port scanning,’ a standard security tool in the computer industry. Very few people would walk in through an open door. I had the experience of sitting in a computer security course and watching the instructor find a computer with no firewall and commence ‘exploring’ what was on that computer. The line between ‘white’ and unauthorized access to someone else’s system is that simple.

Unfortunately, this experience has been repeated many times. For example, I was a participant in a conference call, developing a cyber security conference, when a ‘reformed black hat’, now working for the FBI, was introduced. He was supposed to be under FBI ‘monitoring’ to ensure he remained on the side of the angels. I ended up quickly contacting my CEO to warn him away from doing anything with this individual. Less than six months later the accounting firm was no longer using that hacker’s name as a reference and his publicity vanished. The lesson I learned was that many ‘white hats’ are subject to temptation; they want that one score that will launch them onto success.

The people I served with in the military saw themselves as being held to a higher standard. I don’t see that in ‘white hats.’ I don’t understand why white hats think ‘computer’ or ‘cyber’ changes the fundamental rules of our society. I don’t have any sympathy for them. Either you can get a security clearance or a reliability check or you can’t. No white hat certification or security course will change that.

It’s worth noting that the Chief Prosecutor of the International Court in the Hague apparently sees things the way I do. He has recently said that activities in the cyber world are not merely analogous to the physical world but can also have real-world impacts. On that basis he intends to investigate some cyberwarfare as ‘crimes against humanity’.[3]

An extreme example, perhaps. It does suggest that the principle I espouse is correct. Law, and by extension ethics, in the cyber realm are not different or distinct from what is practised in the physical world. I translate this based on my own experience as: you can pass a reliability check or you can’t. No course or certification will transform a pig’s ear into a silk purse, or in this case, a hacker into a reliable security professional.

This is my opinion and not that of the cybersecurity industry. The industry believes hackers and security personnel can be certified white hats by taking a course and passing the exam. Hire ‘white hat hackers’ at your own risk. Caveat Emptor.


[1]     Source: Merriam-Webster Dictionary. hacker

[2]     This is the more widely accepted definition of hacker. For a detailed breakdown see the Wikipedia definition: hacker

[3]     Source: Wired magazine. The International Criminal Court Will Now Prosecute Cyberwar Crimes

SWD Swan CD is a Cyber Security Consultant and former officer of the Canadian Armed Forces. This work is the sole opinion of the author and does not necessarily represent the views of the Canadian Armed Forces, any department or agency of the Government of Canada or the Royal United Services Institute of Nova Scotia. The author may be contacted by email at: RUSI(NS).
