Home Features On ethics, morals, and information security

On ethics, morals, and information security

The key difference between a black hat hacker and a white hat hacker is the moral compass. From countries with the maximum number of ethical hackers, to the perpetrators of series of nation-sponsored cyberattacks, we here discuss the basic difference between them all.

active directory
active directory

In the early noughties, the demand for IT professionals spiked in India. Becoming a software engineer and migrating to the United States was a goal for many. However, the recession in 2008 reduced the demand for human resources in the U.S., and many IT companies in India were not hiring because of low demand in its key market. With fewer enticing packages available, a breed of entrepreneurs emerged – especially in the tech space – laying the foundation for India’s startup culture. Space also opened up for information security, particularly ethical hacking, to become a sought-after career.

By Augustin Kurian, Senior Feature Writer, CISO MAG

Eventually, India surpassed several other countries and started producing more ethical hackers than anywhere else in the world, which led to India becoming the number one bug bounty collector, globally. Despite this boom, the old cycle emerged where working for a foreign country seemed to be a wiser choice. Other countries in the developing world have under-utilized pools of ethical hackers. A recent report on AFP pointed how Indian ethical hackers are rewarded everywhere but not in their country of origin. “It was a familiar tale for India’s army of “ethical hackers,” who earn millions protecting foreign corporations and global tech giants from cyber-attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted,” the report points out.

The report highlighted several young ethical hackers in India who have earned tens and thousands of dollars in bug bounties for the quick-responding technology tycoons like Facebook. When notified about a technical glitch, large, typically foreign companies respond positively and quickly. Similar encounters with Indian companies are ignored most of the time, or are met with the legal team of the company saying “What are you doing hacking our site?”

This lackluster attitude must explain why the country with the most ethical hackers was ranked 23rd in the last Global Cybersecurity Index. What’s even more staggering is the fact that the country’s immediate neighbor China is an example of the exact opposite situation.

What makes China different?

China is the country with the most internet users in the world. In 2014, the number stood at 640 million. But there is a dark side to all this surfing China accounts for 41 percent of global cybercrime, which was thrice that of countries like the U.S. Hacking continues to be one of the most lucrative business opportunities for information technology professionals in the region.

Unlike India, where contributions of hackers are not appreciated, China employs the creme-de-la-creme to work for the government for secret government missions. A former prominent Chinese hacker interviewed by the New York Times admitted: “I have personally provided services to the People’s Liberation Army, the Ministry of Public Security and the Ministry of State Security. If you are a government employee, there could be secret projects or secret missions.”

Aftermath of Stuxnet

Countries like Iran also have a similar perspective toward hackers. Iran has grown to be a hacker nation. The country is among the most wired nations in the Middle East, with over 70 percent of the population having access to the Internet. Since the Stuxnet attack, the country has increased its cybersecurity spending 12 fold. President Hassan Rouhani, immediately after taking office, increased the annual cybersecurity budget by roughly $20 million. Hacking is legal in the country if you are doing it for the government. Unlike most countries in the world, hackers in Iran have a rather public life and a celebrated job.

“Out of any country on the planet, I can’t think of a country that has been more focused than Iran from the high levels of government on cyber, and that includes the United States,” Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, told The Hill. The hacker community of Iran is not made up of college dropouts hacking computers from basements or dorm rooms. Hackers in Iran are highly educated, possessing master’s degrees and Ph.Ds. According to a Business Insider report, “Many Iranian professors are educated in the West and maintain close ties to institutions like MIT, Carnegie Mellon, Virginia Tech, and Northeastern University.” Apart from these, Iran itself has numerous great universities like Islamic Azad University, Yazd University, Sharif University of Technology, and Isfahan University. Most of these are top-notch schools with multiple specialization courses reaching the standards of Ivy League.

The Pariah Nation and its Cybersecurity Capabilities

Ethical hacking is defined differently in different nations. For a country that has been on the top of the notorious list like North Korea, the term ethical hacking might mean cyber warfare with other nations.

On November 22, 2014, the employees at Sony noticed skulls appearing on their screens with a message threatening to expose secrets from data obtained in a sophisticated hack. The team troubleshooter identified it as an attack. It wasn’t like any other worm or virus they had come across before. They had been targeted by nation-sponsored actors and this triggered a frantic alert. The computers were crippled and the employees were forced to work with pen and paper. The hacker group Lazarus was linked to the attack. An investigation by the Federal Bureau of Investigation went on to conclude that North Korea was behind the breach.

Through the years, North Korea has been linked to series of cyber-attacks, either to display its cyber prowess or just to fund their activities. One of the most brazen attacks occurred in February 2016 when hackers tried to steal $101 million from a Bangladesh Central bank account at the New York Federal Reserve and move it to Sri Lanka. Only a spelling error caused the banks to realize they were under attack. Un’s minions got away with nearly $81 million––most of which is yet to be recovered. “Security researchers later established that similar tactics had been used to attack banks in Ecuador, the Philippines, and Vietnam. But that was only part of the picture: Researchers at cybersecurity firm Kaspersky Lab said in April Lazarus also attacked financial institutions in Costa Rica, Ethiopia, Gabon, India, Indonesia, Iraq, Kenya, Malaysia, Nigeria, Poland, Taiwan, Thailand, and Uruguay,” according to CNN. “The Lazarus hackers carefully routed their signal through France, South Korea, and Taiwan to set up their attack server, according to Kaspersky. But researchers noticed one mistake: A connection that briefly came from North Korea.”

The Center of The Earth

On the other hand, there is Israel, a country where a huge number of its soldiers are trained in the art of cyber-warfare. Many of them continue in jobs that protect their businesses and infrastructure once they leave the military, supplying the country with a steady stream of cyber experts.

Singapore is another example of a country that has made huge strides toward keeping cyber threats at bay. The Global Cybersecurity Index rated Singapore as the best country as far as its approach to cyber security, outperforming many richer nations. A recent example of the country’s commitment to information security is when the Singapore government was deciding whether to establish cybersecurity standards with the Association of Southeast Asian Nations (ASEAN) to strengthen the protection of critical information infrastructure. Several government officials highlighted the urgent need for stronger safeguards against cyber-attacks and called on the ASEAN to cooperate in the cross-border protection of internet-based systems. The Singapore Parliament has also passed the Cybersecurity Bill in which owners of key bodies like national security, defense, foreign relations, economy, public health, public safety, or public order, which the bill calls critical information infrastructure (CII), will have to comply with the standards and regulations mandated by the bill. The bill also mandated CIIs to conduct cybersecurity audits and risk assessments, and routinely participate in cybersecurity exercises.

The Westworld

In the Global Cybersecurity Index survey, the U.S. came second. Estonia ranked highest of the European economic area (EEA) countries at number five, while France came ninth, Norway came eleventh, just ahead of the UK in 12th position overall. One trends in all this data is that many of the top-ranked countries were small or developing nations. The survey also pointed out how nearly 50 percent of countries did not have a national security strategy. “There is still an evident gap between countries in terms of awareness, understanding, knowledge and finally capacity to deploy the proper strategies, capabilities and programs,” the survey said.  “Cybersecurity is an ecosystem where laws, organizations, skills, cooperation and technical implementation need to be in harmony to be most effective. The degree of interconnectivity of networks implies that anything and everything can be exposed, and everything from national critical infrastructure to our basic human rights can be compromised.”

Cybersecurity varies in a myriad of ways from country to country, and so does the knowledge and awareness and very definition of ethical hacking. The gap between nations and their cybersecurity prowess among countries and their ecosystem also differs. “To set up a cybersecurity process, it is important to identify correctly the assets and resources that need to be protected, so as to accurately define the scope of security needed for effective protection. This requires a global approach to security, one that is multidisciplinary and comprehensive. Cybersecurity does not sit well with a freewheeling world that places a premium on permissiveness. What is required is a set of core principles of ethical behavior, responsibility and transparency, embodied in an appropriate legal framework and a pragmatic body of procedures and rules. These must be enforced locally, of course; but they must also be applied across the international community and be compatible with the existing international directives,” suggests ITU in its report titled Cybersecurity Guide for Developing Countries.

What should be learned?

Countries like India with the most ethical hackers have shown some sour results when it comes to protecting its infrastructure, while there are several nations that has information security oddly misplaced on their moral grounds like in the case of North Korea, where a sizable cyber infrastructure is involved in clandestine cyber warfare. What is considered ethical in one country isn’t in another and moral relativisim plays into the definitions of an entire industry. The world has come to a point where it is imperative for countries to differentiate between hacking and ethical hacking, as keeping a higher moral ground is the key here. The world needs more hackers, more white hat hackers.

Augustin KurianAbout the Author

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.