The ethics of ethical hackers

The ethics of ethical hackers are discussed here in the context of professionalism and professional practice in society. The ethics and values of professional ethical hackers discussed here are based on research conducted for a uOttawa PhD in DTI thesis (2020). In-depth, semi-structured interviews were conducted with 14 participants (plus one participant who contributed via email), comprising ethical hacking university experts, ethical hacking industry practitioners, and policy experts. Other data collection methods included organizational document reviews and literature reviews.

  • Professional ethics
  • The social context
  • Professional ethical hacking is legal
  • Ethical hackers are trustworthy

You may also be interested in The ethics of ethical hacking.

Professional ethics

Three interviewed ethical hacking university experts said professionalism, as in professional ethics or a professional code of conduct, guides the behavior of professional engineers and computer scientists (PPT11, PPT3, PPT10). As a professional engineer, says PPT3, he is “bound by a number of codes of practice, of ethics.” “As a professional engineer, I’m bound by the PEO code of ethics … I’m also bound by the software engineering code of ethics, the ACM code of ethics, the IEEE code of ethics, because I’m a member of multiple societies that have codes.” PPT3 says he teaches “five different codes of ethics. They are all broadly the same, but I teach about them to students.”

That is in the course calendar descriptions and it’s also in our accreditation. We are accredited by CIPS, the Canadian Information Processing Society, and by the Canadian Engineering Accreditation Board, and both of those require us to teach students about ethics. (PPT3)

Emphasizing the importance of professional conduct for the industry/business side, PPT11 says, “It’s the professionalism that large organizations are looking for to take you seriously.”

Interview Participants by Area of Expertise

Key Codes of Conduct for Information Security Professionals (Adapted from Thomas et al., 2018, pp. 5-6)

Code of conduct: CREST Code of Conduct
Key directives:
  CREST is a not-for-profit organization that originated in the UK. It has active chapters across Europe, the Middle East, Africa and India (EMEA), the Americas, Asia, and Australia and New Zealand. CREST’s purpose is “to provide a level of assurance that organizations and their security staff have a level of competence and qualification in conducting security work such as penetration testing, threat intelligence or incident response (CREST, n.d.).”
  The CREST code of conduct “covers requirements such as ensuring regulatory obligations, adequate project management, competency, client interests, confidentiality, and ethics (CREST, 2016).”

Code of conduct: EC-Council Code of Ethics
Key directives:
  EC-Council is best known for its Certified Ethical Hacker (CEH) certification, which is recognized as a U.S. Department of Defense (DoD) 8570 cybersecurity certification.
  The EC-Council Code of Ethics requires “confidentiality of discovered information, ensuring that any process or software obtained is legal and ethical, ensuring proper authorization, adequate project management, continuing professional development, ethical conduct, and not being convicted of any crimes (EC-Council, n.d.).”

Code of conduct: Global Information Assurance Certification (GIAC) Code of Ethics
Key directives:
  GIAC provides several highly regarded certifications in the security industry, including penetration testing, security management, and digital forensic certifications.
  The GIAC Code of Ethics comprises four sections: respect for the public, respect for the certification, respect for the employer, and respect for oneself. The code mandates that “professionals will take responsibility and act in the public’s best interests, ensure ethical and lawful conduct”; maintain confidentiality, competency, and accurate representation of skills and certifications; “and avoiding conflicts of interest (GIAC, n.d.).”

Code of conduct: ISACA Code of Professional Ethics
Key directives:
  ISACA was established in 1969 and focuses on IT governance. It has over 140,000 members worldwide (ISACA, n.d.). ISACA provides training and certification for information security and cybersecurity professionals.
  The ISACA Code of Professional Ethics mandates that compliance with standards and procedures, due diligence, legal conduct and confidentiality, competency, and continuing professional development are maintained (ISACA, n.d.).

Code of conduct: ISC2 Code of Ethics
Key directives:
  The International Information System Security Certification Consortium or ISC2 – more correctly, (ISC)² – is an international, not-for-profit organization with over 125,000 members in the information security profession (ISC2, n.d.).
  Code of Ethics Preamble: “The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”
  ISC2’s Code of Ethics Canons consist of four directives: 1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; 2) Act honorably, honestly, justly, responsibly, and legally; 3) Provide diligent and competent service to principals; and 4) Advance and protect the profession.

The social context

This area of ethical hacking instruction pertains to teaching the social science context of technology use and professional practice. It includes the sociopolitical and scientific values underlying the behavior of professional engineers and computer scientists, and situates the role of ethical hacking practitioners in historical and theoretical context. The first point pertains to following and teaching the scientific values of society, including a scientific approach to knowledge management; the second point, although not specifically cited by any of the interviewed participants, pertains to teaching the sociopolitical values of society. PPT11 says the way to deal with the “greyness” in the academic discipline of ethical hacking is to teach students to follow scientific values.

It’s kind of like when software engineering became an engineering discipline. There were a lot of coders that knew how to code, but they didn’t have the mindset to approach it as a systematic large problem. I think ethical hacking is a very similar thing. (PPT11)

PPT11 adds, ethical hacking “has become more of an engineering type of discipline now. There’s structure, there’s rigor, there’s tools out there that can be used for it … you need to systematically approach a problem, how to see if you can penetrate a system or not.” It is “that systematic nature that most of the underground ethical hackers, or the small people, don’t have because they’ve never had exposure to doing it in kind of an engineering mindset.”

Sociopolitical and scientific values

Sociopolitical and scientific values underlying the behavior of professional ethical hackers

Discussion of social values: Canadian identity as an academic idea.
The key social values are liberalism (classical liberalism), pragmatic ethics, knowledge making (Weick’s constructivism), and scientific (pragmatic philosophy).

Discussion of pragmatic ethics: The technoethics of Mario Bunge.
Bunge’s (1975) pragmatic technoethics serves as an overarching framework guiding the application of key societal normative ethical perspectives – deontology (duty), rights, virtue, and utilitarianism.

Discussion of key societal normative ethics: Ethical decision-making theories: Introduction to normative ethics.

Discussion of social scientific values: Scientific method in research.
Canadian society can be defined by two key scientific values, critical rationalism and pragmatism, that define it as a secular and trusting society.

Professional ethical hacking is legal

The key defining characteristic of penetration testing as ethical hacking is the legal imperative: ethical hacking is unambiguously legal. Ethical hackers need prior authorization, in the form of a legally binding contract with the computer network owners, before attempting to breach a computer network (Bodhani, 2013; Palmer, 2001; Young, Lixuan, & Prybutok, 2007). Much of the discussion around the various hat color codes of hackers revolves around this point. While an ethical hacker is “authorised to break into supposedly ‘secure’ computer systems without malicious intent, but with the aim of discovering vulnerabilities in order to bring about improved protection,” a black-hat hacker is “someone who hacks with malicious intent and without authorisation” (Bodhani, 2013, p. 64). For Bodhani (2013), there is white, black, and a wide range of in-between ethical greys “who will search for vulnerable systems and inform the company but will hack without permission” (p. 65).

Bodhani (2013) presents 10 types of cyber hackers: white hats, black hats, grey hats, blue hats, elite hacker activist, script kiddies, spy hackers, cyber-terrorists and mobile hackers. But for Young et al. (2007), 9 of the 10 shades represent variations on the same theme: illegal hacking. Computer hacking is either fully legal and authorized, or it is an illegal activity. Presuming there is more than one type of acceptable hacking (authorized access) can give justification to illegal activity. Hackers often view themselves as modern-day Robin Hoods (Young et al., 2007). This Robin Hood mentality allows hackers “to deceive themselves and view their illegal activities as providing a service for the greater good. It also gives them cause to justify their activities should they be caught engaging in any illegal activities by blaming the victims” (p. 282).

The practices of professional ethical hackers are governed by a legal framework (Graves, 2010; Palmer, 2001). Ethical hackers have authorization to hack the target system. In recent years, hacking “is used most typically to describe a person who accesses computers and information stored on computers without first obtaining permission.” Logan and Clarkson (2005) support that definition, describing hacking as accessing a system that one is not authorized to access, or accessing a system at a level beyond one’s authorization (Pashel, 2006). Hackers can be divided into a number of groups, some of which “are clearly ethical, others are clearly unethical, and still others exist in a gray area of sorts and whose ethics can be debated” (Pashel, 2006, p. 197). White hats use their ability “in a manner that most would clearly define as ethical. Examples are employees who, with permission, attack a company’s network in order to determine weaknesses, and law enforcement and intelligence agents who use their skill in the name of national security or to investigate and solve crimes.” They have a duty to use their knowledge in such a way as “to benefit other people” (Pashel, 2006, p. 197). Pike (2013) draws a sharp distinction between white and black hats. A white-hat hacker is defined as “a hacker who is committed to full compliance with legal and regulatory statutes as well as published ethical frameworks that apply to the task at hand.” In contrast, a black-hat hacker is “a hacker who either ignores or intentionally defies legal or regulatory statutes with presumably little interest in ethical frameworks” (p. 69). Logan and Clarkson (2005), Pashel (2006), Sharma and Sefchek (2007), Xu, Hu, and Zhang (2013), and Young et al. (2007) all more or less echo Pike’s definition, essentially placing hacking and hackers on either side of the law.

It should be noted that legal does not necessarily equate with ethical. What constitutes legal practice is a political verdict aimed at preserving (reflecting or embodying) the interests and values of those who drafted or ratified the rules. The use of technology to construct knowledge via open, AI-based intelligence-gathering technologies by adversaries has much to do with the efficient and fair use of the technology in society and, in a global system, with equitable access to the technologies; but it is also subject to the pressures of realities (e.g., scarcity of resources) and of human nature and its basic need for security above all else. For example, offensive realism in IR suggests that defensive measures taken by one nation are perceived as a threat by adversarial nations. Nation states seek regional and global hegemony as the only rational choice to ensure survival. Mearsheimer (2001) says conflict between great powers is inevitable. From the liberal perspective in IR, nations should come together as responsible stakeholders and regulate the use of a technology in a collaborative manner that respects the values and interests of each.

Ethical hackers are trustworthy

Harper et al. (2011) are an important authority on what constitutes ethical hacking. We do not have to agree with them wholeheartedly, but their conception of ethical hackers underscores the centrality of trust in ethical hacking work. The title of their book, Gray Hat Hacking: The Ethical Hacker’s Handbook, is a giveaway to their view, which is that white hat hackers are in fact grey hat hackers by necessity, by virtue of their practices. Ethical hackers need to understand an adversary’s tactics and recognize the grey areas in security, they argue.

Many times, while the ethical hacker is carrying out her procedures to gain total control of the network, she will pick up significant trophies along the way. These trophies can include the CEO’s passwords, company trade-secret documentation, administrative passwords to all border routers, documents marked “confidential” held on the CFO’s and CIO’s laptops, or the combination to the company vault. The reason these trophies are collected along the way is so the decision makers understand the ramifications of these vulnerabilities … as soon as you show the CFO his next year’s projections, or show the CIO all of the blueprints to the next year’s product line, or tell the CEO that his password is “IAmWearingPanties,” they will all want to learn more about the importance of a firewall and other countermeasures that should be put into place. (Harper et al., 2011, p. 11)

Andrasik (2016) and Thomas et al. (2018) make the same point as Harper et al. (2011): ethical hackers will sometimes unavoidably access privileged information. Andrasik (2016) adds that organizations hiring ethical hackers need to talk to references first:

If a pen-test group is going to actively try to breach your defenses, you want to know their ethics are beyond reproach. That knowledge should come from somewhere other than a well-crafted website or canned testimonials—it should come from conversations with companies that have experienced a pen test by the group in question.

Thomas et al. (2018) argue that naturally “and to be effective, ethical hacking involves trying to gain access to a system to access confidential and sensitive information. This means that a certain level of trust needs to be established between the ethical hacker and the party engaging them” (p. 3). The authors point out a fact that admittedly complicates the discussion. Ethical hackers have to reckon with a dilemma: to do their job effectively, they may need to break the rules:

an ethical hacker needs to keep their knowledge of exploits up to date, and they will likely need to go “underground” to gain this knowledge (Conran 2014). Because ethical hackers may even utilize questionable means to gain intelligence it may result in a question of their professional ethics. (p. 4)

In contrast to a cracker, who is a malicious hacker, an ethical hacker “is someone who employs the same tools and techniques a criminal might use, with the customer’s full support and approval, to help secure a network or system” (Walker, 2017, p. 29). According to the International Council of Electronic Commerce Consultants (EC-Council), an ethical hacker is “an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a Hacker.” A Certified Ethical Hacker (EC-Council) is, “a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of the target system(s).” EC-Council emphasizes that ethical hackers use the same knowledge and tools as a malicious hacker but in a lawful and legitimate manner, and that ethical hackers are trustworthy professionals who are employed within business and industry organizations to perform security testing processes.

Graves (2010) and Palmer (2001) agree on three attributes: trust, honouring the integrity of a client’s system, and seeking prior permission from a client. Graves refers to these traits as professional. Palmer adds that ethical hackers have drive and patience. First and foremost, ethical hackers “must be completely trustworthy” (Palmer, 2001, p. 771). Ethical hackers should gain the trust of clients. During an evaluation, “the ethical hacker often holds the ‘keys to the company,’ and therefore must be trusted to exercise tight control over any information about a target that could be misused” (p. 771). Second, ethical hackers should take “all precautions to do no harm to their systems during a pen test” (Graves, 2010, para. 1). Ethical hackers “neither damage the target systems nor steal information. Instead, they would evaluate the target systems’ security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them” (p. 770). A third key component of professional ethics is the imperative to obtain permission before attempting to access the computer network; the practices of professional ethical hackers are governed by legal frameworks (Graves, 2010; Palmer, 2001). Ethical hackers should address both systemic vulnerabilities and preventive measures (Harris, 2007; Palmer, 2001). Several codes of conduct for information security professionals and ethical hackers exist. They are all voluntary and apply only to individuals who are members or certified professionals of the respective association. The codes of ethics may contain similar directives, but they are all different and include different levels of detail.

Table 10: Professional Ethical Hackers Coding Table

Table 14: Profiles of Hackers

Figure 2: Profiles of Hackers Graph (see PhD thesis, 2020, p. 230)

Related content

Abu-Shaqra, B. (2015). Technoethics and organizing: Exploring ethical hacking within a Canadian university (2015-04-24T13:40:05Z) [Master thesis, University of Ottawa]. uO Research.

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.

Canadian identity as an academic idea

Ethical assessment of teaching ethical hacking

Ethical decision-making theories: Introduction to normative ethics

Professional ethical hacking body of knowledge

Social hacking skills

The ethical teaching of ethical hacking

The ethics of ethical hacking

The ethics of teaching ethical hacking

The technoethics of Mario Bunge

What do ethical hackers do?

Who are ethical hackers?
