We train people to hack. Should we?
Between hacktivists siding with Ukraine and going rogue against Russia, a single hacker taking down the entirety of North Korea’s internet in retaliation, and the new GoodWill ransomware that holds data for ransom and demands good deeds in return, the complex world of cybersecurity demands a strong moral compass to govern the seemingly limitless opportunities for hacking, good or bad.
Hacktivism Against Russia
Since the early stages of Russia’s war with Ukraine, the cyber world has been bolting down the hatches in preparation for a storm of cyberwarfare, not only between the two nations but into other nations collaterally. Those early concerns have morphed into a reality of independent hacking groups choosing sides and acting accordingly.
One group, acting against Russia, said in an article from the Washington Post, “We pay for our own infrastructure and dedicate our time outside of jobs and familial obligations to this…We ask nothing in return. It’s just the right thing to do.” Later, the article quotes Christopher Painter, a former U.S. diplomat for cyber issues: ‘“In the normal course of events, you don’t want to encourage vigilante hackers,” Painter said. But he then agreed, “We’re not in a normal course of events.”’
It’s an interesting argument, a mix of ‘desperate times call for desperate measures’ and ‘all’s fair in love and war.’ A primary concern for many is that encouraging vigilante hackers—even in a ‘just’ cause—could ultimately cause unintended damage and consequences, as seen with hacker group Anonymous’ attempts in Sri Lanka earlier this year. A foundational concern, or question, remains: who decides what the right side of the line is in cyberwarfare? Bugcrowd CTO and founder Casey Ellis makes a crucial point about hacktivism and vigilante cyberwarfare in CIO’s article: “one man’s freedom fighter is another man’s terrorist.” Not all causes that can be believed in should be believed in; who gets to make the call?
Lone Ranger Action Against North Korea
WIRED highlighted another example of cyber vigilantism in early February. A year after being hacked by North Korean nation-state actors, a man going by PS4 took down the entirety of North Korea’s internet.
Why? Because he didn’t feel that the US Government was taking appropriate action, and “it felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming…I want them to understand that if you come at us, it means some of your infrastructure is going down for a while.”
On an already slippery slope, this is just one more step into unregulated territory, however just the actions seem. University of Sheffield’s Dr. Ross Bellaby notes that “one of the key criticisms levied at hacker activity is that they are private actors carrying out their own political ends through the use of political violence” (p. 237).[i] Childhood classics like Robin Hood and modern heroes like Batman assume a moral high ground, but real-life ethical dilemmas cannot afford to make assumptions about morality.
Not an Answer, but a Challenge
Ethical dilemmas are by nature difficult to answer. The obvious danger of vigilantism is separating yourself from the protection of communal wisdom; isolation and moral deterioration go hand in hand. On a social level, Bellaby argues that:
“there is a broad social contract where individuals give up their absolute rights to carry out their own private wars or pursuit of personal justice in return for the comfort and protection provided by the state. The state therefore has the duty to ensure that individuals are protected, that rules are maintained, and differences are arbitrated. In return there is a prima facie obligation to obey the rules and mechanisms established (Markel 2011: 54). Hackers do not have any of this and, moreover, when they carry out harmful activities, they in turn break the agreement to not carry out private acts of violence, marking themselves as the threat to the social whole and the good found in the stability of the rule of law.”[ii]
However, Bellaby goes on to note that when the state fails in its duty to protect, the argument could also be made in the opposite direction: there is a moral obligation to protect the unprotected. None of this is intended to provide encouragement in either direction. Instead, it is intended to provide a picture of why cybersecurity professionals must think deeply about their ethical stances. Hackers—whether black, gray, or white hat—hold immense power socially, politically, economically, and morally. Those who train them have a responsibility to train not only technical skill but also the critical thinking, ethical framework, and modeled character necessary for a career in cybersecurity.
[ii] Ibid, p. 238.