“Ethical hacks” have become de rigueur for many corporate IT departments of late. Usually the term refers to a break-in attempt arranged by the company, or target, to test the mettle of its own security system. In a world in which real hacks make damaging headlines month after month, such precautions make perfect sense.
But as the concept of benevolent hacking becomes commonplace in American corporate culture, you can be sure that some companies and individuals will cross the line into unethical waters when performing what they consider to be an “ethical hack.” The potential for wrongdoing or confusion is very real, and businesses should be wary of the threat.
In most cases, ethical hacks, sometimes called penetration tests, play an important role in protecting computer systems. By simulating real attacks on computer systems, these pseudo break-ins assess the effectiveness of security controls. Measuring a computer system’s security without conducting an ethical hack, say many experts, is like trying to determine the seaworthiness of a boat without putting it in the water.
Ethical hacks generally are performed by one party on a target with which it has a pre-existing relationship. Often, the target has its own employees or subcontractors perform the break-in. A company that hires a service provider to handle confidential and proprietary data on its behalf, such as customer lists and financial information, may also write into the contract a requirement that the service provider agree to be the target of an ethical hack.
The parties involved normally agree ahead of time on whether the hacker may actually penetrate the security measures (a true hack, or penetration test) or may merely scan them for weaknesses (a vulnerability scan). A true hack provides more useful results, because it shows what an attacker could actually reach, but it can also damage or disrupt the target’s systems, which is one reason the permitted techniques are settled in advance. The parties also agree on the span of time in which the hack may take place, so that the target can tell the test apart from a real attack. Once the test has been conducted, the party performing the hack normally prepares a report of the weaknesses it found.
Not all “ethical hacks” adhere to these standards, however, and not all are performed for the benefit of the target. What distinguishes an ethical hack from an unethical one? The examples that follow turn on whether the target knew about and consented to the break-in. If an employee breaks into his company’s system without warning to reveal its weaknesses, has he crossed a line? What if a bank preemptively hacks into the system of a service provider that stores the bank’s proprietary information, without the provider’s consent? Such instances are not rare, and in both cases the hack may be considered unethical and may lead to litigation.
The federal district court in Philadelphia may be tasked with helping to define the boundaries of an “ethical hack.” The issue before the court involves a Pennsylvania law firm that was representing the defendant in a commercial suit. In the course of its representation, the firm accessed archived web content belonging to the plaintiff. To get the pages, the firm allegedly broke into a third party’s online database. The plaintiff, in a new lawsuit, accuses the firm of a criminal hack and of copyright infringement. The firm insists its conduct did not constitute a hack at all and was perfectly legal.
What exactly the firm did or did not do to get the information is not clear. What is clear, though, is that in this case, and others like it, the computer security industry’s customs for “ethical hacking” appear to have been violated. The law firm had no pre-existing relationship with the third party; the firm did not notify the third party of its plans; and the firm did not prepare a report to help improve the security of the third party’s computer systems. The fact that the law firm is in litigation with the company whose web pages it was after is irrelevant; the rules of civil procedure clearly provide a process, discovery, by which the firm could have sought the web pages without resorting to anything resembling a hack.
The waters will be treacherous for those who perform what they believe to be ethical hacks while ignoring the customs of the security industry and the emerging law on this issue. Anyone who performs such a dubious hack may be subject to the same criminal and civil penalties that apply to those who hack with total disregard for ethics. These penalties are derived both from the common law (trespass to chattels, breach of contract) and from statute, chiefly the Computer Fraud and Abuse Act, which carries criminal penalties and also gives the victim a civil cause of action.
With the proliferation of computer security breaches in the news, many companies are rightly taking aggressive measures to secure their own systems and those of their service providers. But if anxiety over criminal hacks leads to over-zealous vigilantism on the part of corporations, litigation may well follow. Business owners looking to secure their data and computer systems should work with people who understand both the technical and the legal aspects of such efforts before participating in “ethical hacks.”