The title of this article alone contains two oxymorons. How can criminality be legal
and is there such a thing as ethical or moral hacking? Many IT professionals have disliked the
term of “Ethical Hacker”, preferring IT Security Expert or some other such term. Part of the
controversy may arise from the older, less stigmatized,
definition of Hacker, which has since become
synonymous with the computer criminal. Some consider
that there is no such thing as ethics in hacking. However,
to be sure, it seems to make sense to employ, even
temporary, a person or company with the in-depth
knowledge and skills of the hacker to test the security,
vulnerability and resilience of their systems against the
threat of malicious sabotage, data or information theft
or, in the case of financial systems, actual money. Instances of Hacking can not only be
damaging, but if the occurrence becomes publically known, a public relations nightmare could
result, as accusations of irresponsibility and the loss of public confidence in the victim
organisation. Publically well-known companies, and governmental departments for that
matter, should take these threats, real or imagined, seriously as the consequences could be
far reaching, and for some organisations, financially devastating.
“Channel 4 is the latest media organization fell victim to the Syrian Electronic Army hacktivist
that target western media organizations. Channel 4 is a British public-service television
service.” 7th August 2013 –
The Channel 4 website had been using an outdated version of WordPress.
“Pakistan Google Hacked in November 2012 - Top Level Pakistan Domains displayed a
defacement page including Yahoo, MSN, HSBC, EBay,Paypal and other sites. Apparently
Google Pakistan has been defaced by a Turkish Hacker group 'Eboz'. It's still quite hard to
believe that a Google server has been hacked.” –
These threats are real and as previously stated potentially devastating, if not
Another dilemma arises, with regards to employing an “expert” with the requisite
knowledge. For instance, in the CV does one list under work experience previous cybercrimes
successful committed? However, help is at hand. It is now possible to take specific courses in
“Ethical Hacking” offered by reputable organisations such as the International Council of eCommerce Consultants (, or you can employ individuals already certified as
Ethical Hackers (CEH). You can study at an ATC (Accredited Training Centre) or even through
a self-study course to become a qualified Ethical Hacker (CEH).
Large organisations, such as IBM, often employ teams of Ethical Hackers who are
trusted to attempt to penetrate their networks and/or computer systems, using the same
methods as the hacker, for the purpose of finding and fixing computer security vulnerabilities
such as penetration testing.
Experts in the field of preventing hacking are in great demand, as CEOs and Managing
Directors see the potential threat to their businesses as serious. And because senior
management of organisations often have little knowledge of the technicalities of ICT, will
frequently apply the FUD Factor (“Fear, Uncertainty and Doubt”). Of course, the less
scrupulous IT consultants will leverage this fear to their financial advantage.
For those of us in the IT Industry, during the run up to the year 2000, know all too well
the FUD phenomena (I was a Global IT Manager during this period). The media hype around
the “Millennium Bug” was never ending, with claims that planes would drop out of the sky,
and in fact many planes were grounded at the time. This was a drama created by the IT
industry, since after all the pending arrival of the year 2000 wasn’t exactly a secret, so why
was there little or no apparent preparation in software development and operating systems
beforehand in a timely manner? Nevertheless, the culprits of the “Year 2000 Dooms Day”
scenario, the IT Industry, made a fortune in consultancy fees and compelled companies to pay
for expensive immediate software upgrades.
Some individuals (or groups) with hacking expertise might consider that hacking
should be used as a tool or weapon against organisations they consider to be “bad”. They
moralise and justify their actions to be ethical. Such “attacks” might be by groups against
globalisation, “Whistle Blowers” or worse could be classified as “Cyber-Terrorists” (and
considered highly criminal by the authorities). In its simplest form, which strictly speaking is
not hacking, is “Denial-of-Service”, whereby server(s) are overwhelmed by timed and
coordinated mass internet requests for service, sometimes using automated systems.
Therefore, the threats to our ICT systems are complex, multifaceted and external and internal,
and are now no longer restricted to our servers, networks and computers, but extending to
hand-held mobile devices. With the advent of Cloud computing potential new threats emerge
as we delegate our data security to third parties which operate trans-globally and transnationally (remember Pakistan Google). Can we really trust them with our private and
commercial data? And more recently, following the revelations made by the American
Edward Snowden, we now know the extent to which national governments access and read
our emails (personal and business), but the latter shouldn’t really surprise us, with the
technology available now, the temptation for
governments to access our private
correspondence and data, in the name of
The role for IT Security Experts
national security, is simply too great for them
and Ethical Hackers is expanding
to resist. The question is then, is this form of
“official” hacking ethical, even if it might be
technically legal?
In conclusion, the role for IT Security Experts and Ethical Hackers is expanding, and will
not doubt create new sub-branches of expertise with specialities in network security (physical
and radio), mobile security, websites, laptops, tablets, “Smart” cars and houses, and so on.
This work will always be in demand, and experts in the field will be required to constantly
update and adapt their knowledge and skills as new technologies emerge and new uses are
Prof. N A Browne is the Director of
Victoria Higher Education Campus, 498 R.A. De Mel Mawatha, Colombo 03.
(Working in collaboration with the University of Greenwich).