Can Ethical Hacking reduce Cyber threats?


We are becoming a more connected world and this is set to increase dramatically over the coming years.  Our dependency on technology is at an all-time high and the scale of disruption to our society due to cybersecurity breaches can now have catastrophic consequences.

Could a change in the way we look at ethical hacking be the catalyst to a more comprehensive attitude to cybersecurity?  Would this secure our nation’s assets?  Recently, I took a look at the Worldwide Threat Assessment of the United States for 2017[i]. This is an annually published document that details high-level unclassified assessments of the US Intelligence Community for the year.  It is released by the Director of National Intelligence (Dan Coats for 2017) and as such is an important barometer regarding global threats.  This report regularly includes threats such as terrorism and weapons of mass destruction.

At the very top of this year’s report it reads:

CYBER THREAT

Our adversaries are becoming more adept at using cyberspace to threaten our interests and advance their own, and despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years.

Cyber threat has been on this list every year since 2011.  In pointing to cyber attacks or data breaches as a global threat, the assessment is in accord with a World Economic Forum survey of global threats for 2017[ii] and a similar report by the Pew Research Center[iii].

If we overlook the small to medium scale cyberattacks on a global level, this year has still seen the WannaCry ransomware attack that hit the NHS[iv], the Petya ransomware attack[v] that hit firms and infrastructure across Europe as well as the Equifax[vi] and Uber[vii] data breaches.  In the UK we have been hit with a significant number of cyberattacks[viii] over the past year alone.  Could we be due a far more crippling larger scale attack, such as the attack on the Ukraine[ix] that disrupted the country’s power?  If so, how should we as individuals and as a nation defend ourselves?

In response to the growing threat, the UK government announced a National Cyber Security Strategy[x] in 2016 to make Britain “secure and resilient in cyberspace”.  The vision for 2021 is that “the UK is secure and resilient to cyber threats, prosperous and confident in the digital world”.

The difficulty in the production of such a strategy is that the digital landscape will be dramatically different in 2021.  The strategy document acknowledges that the expansion of the Internet into ‘smart’ systems extends the threat of remote exploitation to a host of new technologies. As the systems that underpin our daily lives – such as power grids, air traffic control systems, satellites, medical technologies, industrial plants and traffic lights – are connected to the Internet, they become potentially vulnerable to interference.  It is nigh on impossible to understand what the technological infrastructure of the country will look like in five years’ time.  Given the fact that IoT, blockchain, connected cars, AI, etc. are due to be making an appearance over this time, could we be underestimating our potential vulnerabilities?  It is genuinely difficult (if not nigh on impossible) for those who work in IT to keep up to date with all of the developments that affect our areas of specialism.  How then would it be possible to mitigate threats to ensure that ‘the UK is secure to cyber threats in 2021’?

Ethical Hacking?

Prevention, as they say, is better than cure.  So, could a general culture where we are more aware of cybersecurity be better for our national infrastructure?

Ethical hacking might hold the key to this.  It is a non-destructive, “white hat” form of hacking, where all means at one’s disposal are used to gain access to a system.  So, for example, social engineering techniques and phishing might be used to gain access to credentials.  It also includes standard penetration testing techniques, such as port scanning and checking for known operating system vulnerabilities.  Penetration testing is generally a more formal test cycle, where the organisation is aware that testing is taking place[xi].  This can form part of the development life cycle.  It was recently reported that the NHS is planning to use ethical hacking[xii] to shore up their own defenses.

This can only be a good thing. I would personally go one step further and recommend that ethical hacking be introduced into computer science qualifications from GCSE to degree level and should also be discussed in schools.  Anything that allows a greater focus on cybersecurity to reach out to a wider audience should be welcomed.

I would also say that hackers who exploit systems ethically, not causing damage (for example, physical or that related to reputation, such as the destruction or publishing of data), and who seek to inform the owner of the system about the vulnerability and how to resolve it, should not be criminalized.  The exploitation of computer systems in this way is currently a breach of the Computer Misuse Act[xiii] (unauthorized access to computer material).  Instead, (possibly under GDPR legislation) any organisation that receives information on vulnerabilities should be held accountable for their remediation.  In this way, we can aspire to a more open and collaborative approach to cybersecurity, involving those who know the most about the topic.

Summary

In conclusion, we are becoming a more connected world and this is set to increase dramatically over the coming years.  Our dependency on technology is at an all-time high and the scale of disruption to our society due to cybersecurity breaches can now have catastrophic consequences.

I feel that Ethical Hacking can begin to give organizations the ability to turn the corner regarding cybersecurity. This can ensure that systems can be resilient to the same types of attacks that they might face in the real world.  It may be argued that the higher the standard of ethical hacker, potentially the greater the likelihood of Britain ‘becoming secure and resilient to cyber threats.’

References

[i] The Worldwide Threat Assessment of the United States for 2017

[ii] The World Economic Forum Survey: Global Risks for 2017

[iii] Pew Research Center – Leading Security Threats for 2017

[iv] WannaCry Ransomware Attack (source: BBC)

[v] Petya Ransomware Attack (source: The Guardian)

[vi] Equifax Data Breach (source: The Telegraph)

[vii] Uber Data Hack Cyber Attack (source: The Guardian)

[viii] UK hit by 590 ‘significant’ cyber attacks in the last year (source: Computing)

[ix] Ukraine’s Power Grid Cyber Attack (source: Wired)

[x] National Cyber Security Strategy 2016 to 2021

[xi] Penetration Testing vs Ethical Hacking

[xii] NHS to use “white hat” hackers (source: Computing)

[xiii] The Computer Misuse Act 1990
