At what point do white hat hackers cross the ethical line?

If the intention is pure, does that make it ok?

In recent months the news of Chris Roberts alleged hacking of an inflight entertainment system and possibly other parts of the Boeing 737 have sparked a wave of controversy. Public opinion was originally on Roberts' side, but the recent publication of the FBI affidavit changed that drastically. According to the affidavit, Roberts admitted to doing a live "pen-test" of a plane network in mid-air.

Whether this is true or not, it raises some valid concerns over the ethical implications of white hat hacking. In the case of Roberts, who, according to the affidavit, was able to steer the airplane off the intended course, the consequences could have been dire. It is not believed that Roberts had any intention of hurting either himself or any of the passengers, but if the affidavit is in fact true, the possibility was real.

Some believe it all comes down to intentions. If a white hat hacker intends to do no harm and has no malicious agenda besides testing the security of the system in question (possibly looking to responsibly disclose any vulnerabilities discovered), many security professionals believe it to be ethical. After all, no harm was done, no data was stolen, and vulnerabilities were possibly discovered and reported.

But at what point does a white hat hacker cross the line? Where should the line of ethics be drawn?

It appears the term white hat means different things to different people. On one hand, there are professionals in the cybersecurity business who built their entire career on being strictly white hat. These security professionals must have strong principles and never do as much as scan, probe, or check without prior request and approval. They follow strict rules to protect both their reputation and their future earnings.

The definition, however, drifts when you move away from professional practitioners. Many people who consider themselves to be white hats would have no issue with, let's say, checking to see if their bank has an open IPMI port, as long as their motive was to notify the bank. To them, it is ethically no different from checking to see if the door is locked at night at their local bank. After all, their motives are pure.

Herein lies the main issue. Pure intentions do not mean the actions are ethical. However noble their intentions, white hat hackers can still, fairly easily, cause unintentional harm. Not to mention that they would be committing a crime, according to the U.S. Code, Title 18, §1030. Take for example security assessments of SCADA systems and critical infrastructures. If white hat hackers are conducting a penetration test on a critical system, such as the emergency hotline 911 (even with authorized access), it needs to be understood that the security professionals performing the penetration test can guarantee the system will be safe and 100% operational.

If the assessment was performed by an individual with a disregard for safety like Roberts on that plane, it might translate into a major threat to the population. The same applies to a plethora of other scenarios, where an overly-eager security professional might forget (or ignore) certain precautions in search of flaws in the system they are testing.

Organizations such as Google, Facebook, Microsoft, and others offer white hat hackers a reward program for those who discover vulnerabilities. In fact, Google has recently announced a new program for public discovery of Android vulnerabilities, offering successful white hat hackers up to $40,000 for submitting a high-quality, reproducible bug in the system.

These companies are prepared for public penetration testing and presumably have a plan in place in case an accident happens and part of the system malfunctions. Or they are simply willing to take the risk and reap the benefits of crowdsourcing. For most organizations, however, this is not a viable model, and white hat hackers need to acknowledge and respect that. Not just because it is typically illegal, but because it's unethical and can put people's lives at risk.

Krehel is the Founder and CTO of LIFARS, LLC, and a partner at CyberUnited LIFARS. With over two decades of experience, Ondrej is considered a leading expert in cybersecurity. He has been quoted in numerous security stories by CNN, the Wall Street Journal, Forbes, and others. Andersen is the Founder and CEO of CyberUnited, a cybersecurity, big data and predictive analytics consultancy firm, and a partner at CyberUnited LIFARS. He is also the Chairman & Founder of CyberTECH, a global cybersecurity and IoT network ecosystem providing cybersecurity strategic programs and quality thought leader forums across the nation.


Join the CSO newsletter!

Error: Please check your email address.

Tags business issuesboeingsecuritycloud securityfbi

More about AndersenCNNFacebookFBIGoogleMicrosoftPureRobertsWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Ondrej Krehel and Darin Andersen of Cyberunited Lifars

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts