When you google the term ethical hacking, what comes up is a list of universities and colleges offering the course. You can easily get a brief description of the term, a breakdown of what the course entails and how to go about it, the steps to follow and, finally, how to become an accredited ethical hacker. The process seems simple enough if you have what it takes to enroll for the course! But is it really that easy?
When the word hacking was coined in the 1960s, it meant the manipulation of systems to make them perform better than they were designed to. For example, if a train was designed to run at 30km/hr, a hacker could hack it to make it run at 60km/hr; consequently, people arrived at their destinations faster, saving time. Then came the definition we know today: hacking as the manipulation of systems to access information without permission and for malicious purposes.
The latter definition of hacking necessitated the creation of countermeasures, hence the emergence of ethical hacking, also known as white-hat hacking or penetration testing. Those who practice this kind of hacking are tasked with intruding into company systems or networks to find vulnerabilities, but instead of using the findings for malicious purposes, they report the vulnerabilities to the organization's management and have them fixed. This prevents the compromise of data and of the organization's resources.
Ethical hackers operate by answering questions such as: in the case of an intrusion, what would the intruder see on the system? What could the intruder do with that information? And would anyone in the company notice the intrusion attempt? By answering these questions through a series of tests, an organization may come a step closer to being secure.
The Lacuna in the Law and Challenges Facing Ethical Hacking
In Kenya, the Computer Misuse and Cybercrimes Act criminalizes unauthorized access to a computer system (section 14), unauthorized access with intent to commit a further offence (section 15) and unauthorized interception (section 16). These forms of unauthorized access are carried out through hacking. The law is therefore quite clear on its stand on hacking.
The gap is that there is no provision for authorized hacking, i.e. ethical hacking. As a result, there are no set parameters on the dos and don'ts of penetration testing. This has led to inconsistent approaches that at times end up being detrimental to both the organizations and the ethical hackers.
Case Scenario 1: A hacker who has not been authorized stumbles on a vulnerability in a company's system. Instead of using this knowledge for malicious purposes, they get in touch with the company and inform it of their discovery. Should the company sue this hacker or reward them? If the company does not act on the information to address the vulnerability, should the hacker make the vulnerability public to push the company to act on the threat? If they do so, should they be sued?
Case Scenario 2: A white-hat hacker is authorized to penetrate a specific part of a system to check for vulnerabilities. In the process, he notices a bigger breach that goes deeper than the specific system he was supposed to be testing. Is he obligated to inform the organization of the other vulnerabilities? Would he be in breach of his agreement, which only provided for him to access the single system? Does the company have an obligation to act on all the vulnerabilities presented? Can the organization sue the hacker? Is the hacker obligated to make the other vulnerabilities public if the organization decides not to act on them?
Case Scenario 3: A white-hat hacker is contracted to check for system vulnerabilities. He discovers them and reports them to the organization, but the organization decides not to act on the information. Is the hacker obligated to make his findings public to force the organization to act? What if the organization turns hostile and blames the vulnerabilities on the hacker; what recourse does he have to protect himself?
Case Scenario 4: An organization contracts a hacker to check for vulnerabilities. The hacker finds them, but instead of reporting the findings, they decide to sell them to the highest bidder. What recourse does the organization have?
These case scenarios are just a few of the challenges an ethical hacker or an organization may encounter. With no law to provide guidance, the hacker, the organization or both may be taken advantage of. This would, in turn, lead to insecure systems and the compromise of user data and other confidential information.
There is therefore an urgent need for the creation of a guideline, policy or law to protect the ethical hacking profession as well as the organizations that contract ethical hackers.
The law should provide for, among other things:
-Definition of ethical hacking
-Instances when hacking is legal
-The parameters for ethical hacking
-Compensation for authorized and unauthorized ethical hacking
-Actions against organizations for not acting on vulnerabilities
-Recourse for breach of hacking agreement
Ethical hacking brings organizations a step closer to having secure networks and systems. A clear legal framework will ensure it is used positively, for the benefit of all.