To protect her identity, let’s call her Dee.
Dee describes herself as an ethical hacker. She is young, attractive, speaks with an Eastern European accent and has fiery red-purple hair. She reminds me of Mila Jovovich in the sci-fi movie, The Fifth Element. We were eating lunch at the Hack-in-the-Box conference in Amsterdam.
“So what would it take to make you go black hat?” I asked. “Would you hack for a million dollars, if you knew you wouldn’t get caught?”
She responded immediately and firmly. “No. For me it is an ethical issue.”
“OK, how about a billion dollars?”
Now she paused.
Dee is one of three-dozen white hat hackers I interviewed over the last year, specifically on the subject of what keeps them on the right side. A white hat hacker is one who uses computer security skills in service of “good.” The white hat knows how to penetrate systems, but applies that knowledge to defend networks rather than attack them.
The interviews started informally among my colleagues when we were exposed to a vulnerability at a large retail financial firm. It occurred to us that someone with inside information could leverage the vulnerability to heist a substantial amount of money from the firm. Over lunch we discussed exactly how much money it would take. Not just to complete the heist, but to support ourselves for the rest of our lives, because after a job that big, there could be no going back as a white hat.
Like many professions, the white hat role goes unnoticed when all is well. But when there’s a high-profile data breach, it means the dark side has won the battle. Take the Sony Pictures breach in November 2014. In that hack, a group of black hats named GOP is said to have penetrated the Sony network and ex-filtrated terabytes of sensitive data. The white hats at Sony, if there were any, were clearly outmatched.
//“74% assert no amount of money could turn them.” The good news is 3 of 4 white hats would not turn to the dark side for any amount of money.
A talented white hat hacker could be a wealthy black hat hacker. So why aren’t they?
Of those that would turn, $10 million seems to be their self-admitted price. Money is a factor, but it isn’t the North Star that guides these white hats.
Ben, another Eastern European hacker, explains: “I hack for glory and self-satisfaction. Not for money.” But he claims a moral core as well, “If someone drops their wallet walking in front of you, it would be easy to grab it and walk away, but you do the right thing and give it back to them.”
In the world of hacking, the slope can be a slippery one. Take the example of noted hacktivist, and self-proclaimed American patriot, J3st3r, who claims responsibility for attacks on sites such as 4chan, WikiLeaks, Islamist recruitment pages, and others. According to cybersecurity expert Brian McHenry, “no one walks away clean. Is the J3st3r a black hat? He’s committed crimes, but for a cause he believes in…Is that a life worth leading?”
//“As a white hat, you stand to make decent money without any risk that comes along with the black hat. But I don't think this holds in all societies.” There are countries in the developing world where one can definitely make money as a black hat, but not as a white hat.
But there are other reasons people will turn besides money.
Dee could see herself as a hacktivist. But then, she grew up with a repressive government that stifled political speech. The respondents on the other side of the argument think defacement is puerile. “Political discourse should be out in public. Defaming or taking down a site is an act of cowardice.” A more typical response is simply that when it comes to defacing a website “the risk/reward is really not there.”
If the perpetrators of the Ashley Madison hack are to be believed, their motivation for the breach was a moral statement against the principles of the affair-enabling company. Ultimately the member list was leaked, though no one knows if the leak was on purpose. If it was a moral protest against Ashley Madison, it certainly was a costly one, resulting in divorces, at least three suicides and an estimated 400 church leader resignations (according to Christianity Today).
//One in four white hats would hack for revenge.
The rules of moral engagement change for many people when considering revenge. And that is the case for white hats as well - double the rate of theoretical hacktivists. Perhaps this is due to the personal nature of revenge versus the social nature of activism. JoeUnu could see himself hacking for revenge, but it would have to be a “strange revenge scenario where I'm avenging my family's death by hacking a rogue nation or unscrupulous billionaire.” Citing an extreme case is common for respondents.
But let’s step back for a second here. Most white hats have a moral core, but some of them are willing (in theory) to step over the line for political or personal reasons, or even if the reward was high enough. Are we eventually going to see a tide of them turning, like Jedi-knights becoming Siths?
Probably not, but as with any walk of life, it’s a matter of degree.
One anonymous white hat used their hacking skills to retrieve and view the financial statement of their boss. Is that black hat? Absolutely (invasion of privacy). It was years ago, they said, and they don’t really remember why they did it. Or that’s what they claim anyway.
Another admits to hacking more recently, “I’ve forcefully browsed many sites and programmatically downloaded files for personal use. This is what [white hat hacker and Reddit co-founder] Aaron Swartz was effectively prosecuted for.” They also shared, “I've probed retail sites for ways to compromise coupon and promo code fields, gaining discounts that were clearly unintended, and the product of business logic flaws in the web app.”
Ironically, the same respondent ultimately gained empathy with the teams that should have been better-protecting these resources:
//“I have a greater appreciation of the jobs of people who must attempt to secure that mess.”
As a society, we probably don’t have to worry about a mass-defection of white hats (at least in the industrialized world). Ultimately, white hats are probably just like any other group of tax-paying, job-holding citizens. Sure, they’re not angels, but most of them wouldn’t turn for any amount of money. Not even a billion dollars. Yes, there will be some apostates, but that’s true of any group: law-enforcement, intelligence agencies or organized religion.
So there you have it: a nice tidy morality tale about human decency, right?
Not so fast.
It turns out that the majority of white hats have, and continue to let off steam by hacking their friends and colleagues for laughs. That’s right, 56% of whitehats will prank for laughs.
There’s a white hat who sends his friends rude reminders to keep earpieces away when they’re not being used: “I have pranked a few friends by taking over their bluetooth earpieces and sending Daffy Duck audio files directly into their ears. “
//Share some support for the "good guys.”
In the end, the cyber security world is different than any other tech industry because of bad guys. The concept of battling malicious folks is so fundamental to the human experience that you can ask any 2 year old about bad guys and it’s clear they know all about the concept.
The cyber security world needs a lot more good guys. We’re looking at a generation deficit of white hats: a 25-year gap before we have enough good guys to battle all the bad guys. There are organizations and gatherings that can develop cyber skills for the young people who have the inclination to join the white hats: The Open Web Application Security Project (OWASP) is one of them, and there are chapters that meet all over the world.
Is there a larger truth that we can gleam from knowing the people defending us and our infrastructure are more likely to prank us than not? Actually we should probably take comfort in the fact that they’re only looking for laughs, and hope that between their day jobs and their pranking, they aren’t working on a billion dollar heist on the side.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.