The Moral Questions Behind Certified Ethical Hacker

by QuickCert on May 17, 2011

Certified Ethical Hackers

We’ve all watched the movies. Some computer geek typing feverishly at his keyboard… heart pounding… adrenaline pumping… and then… bingo! He’s in. The audience gasps in unison as that same geek subverts the unbreakable security system and hits pay dirt. He’s the hero now, in some strange way. A sort of anti-hero.

And we all wanted to be that guy.

Let’s face it: the idea of being a hacker appealed to more than a few of us. Cool enough for Hollywood to bankroll dozens of movies about them. Hackers are outlaws, breaking into protected computer systems for profit or practice. And most folks secretly admire outlaws.

You see, being an outlaw… ignoring authority and living by your own rules… has always had an allure to it. The downside is, well, you know, jail. Something most folks aren’t too keen on.

That’s what makes the certified ethical hacker so interesting, in our opinion. The job title is something like the Wyatt Earp of the security profession. An outlaw with a badge. They do exactly what the ordinary hacker does, but with the full blessing (and financial backing) of the company they’re breaking into. It’s like being paid to be a bank robber… by the banks themselves.

And that parallel isn’t too far off. Certified Ethical Hackers, also known as “white hats” or penetration testers, are trained and certified under the tutelage of the International Council of e-Commerce Consultants (EC-Council). They learn how to find vulnerabilities in computer systems, and how to exploit those weaknesses.

Once the ethical hacker is certified, private companies will “consult” with the hacker for a respectable fee. And by consulting, we mean that they pay the hacker to do anything they can, within the scope the company has agreed to in writing, to break into its systems. That written authorization is the one thing separating the ethical hacker from the outlaw. The company benefits by finding system vulnerabilities before somebody not on the payroll does. The hacker benefits because he gets to be an outlaw, and get paid for it.

This is obviously a unique form of security professional. But the job description itself brings up some valid questions of morality.

For one, some might see the job arrangement as a reward for dubious behavior. It’s hard to argue that some ethical hackers don’t come from the “real” hacker world. They cut their teeth by “working gratis”. And now, after going through a course and passing a test, they’re christened with an official title and a good salary. It’s almost like sanctioning their past behavior by saying to all current hackers, “well, this is the pot of gold at the end of the rainbow”.

Secondly, hiring reformed hackers opens up a sort of Pandora’s box when it comes to what counts as a reasonable way of soliciting business. The hack of the Plenty of Fish website in early 2011 comes to mind. As the story goes, the “security professional” broke into their system, downloaded some of their database, and then emailed the owner to tell him about the vulnerability. He then offered to fix the vulnerability for a modest fee… and complete access to the Plenty of Fish system.

This is an extreme example, for sure, but the picture is clear. It could be argued that awarding ethical hackers certifications and salaries opens the door for current hackers to attempt extortion in the name of prospecting.

And how does QuickCert feel personally? We think there’s a place for certified ethical hackers just like there’s a place for former counterfeiters to join the Treasury department. If you want to beat a crook you have to think like one, or have somebody on the payroll who does.

You’ll also be funneling a source of creativity normally put to nefarious use towards something productive. This is a no-lose situation in our book. We think it would be more immoral to leave these guys without a purpose or positive aim, because they’ll find one of their own. And it probably won’t be a good one.