“Ethical” Hacking – ethical or unethical

Think about it, when we come across the term “hacking”, what other words come to our mind? Cyber crime? Law breaking? More often than not, this is the case.  In fact, the term “hacking” has been around since the advent of information technology, and our perception towards hackers has changed constantly over the years. In our contemporary society, especially with the proliferation of new media, the term has gradually developed a negative connotation. For instance, Mark CcClelland (2007), in his article Meaning of Hacking, has stated that  computers have become “ mainstream and computing resources were exposed through telecommunications and networks, a more malicious form of hacking arose, sometimes self-serving and sometimes as a form of vandalism.” and such definition is ” most often used by mass media. “

How the definition of “hacker” has changed over the years http://www.readwriteweb.com/archives/open_thread_since_when_is_hacker_a_bad_word.php

Now, let try to think of alternatives to “beautify” the term. How about adding the word “ethical” in front of  “hacking”? Indeed, the term ethical hacking will seem apt for computer experts to volunteer their professional skills to good causes, as stated in The Software Engineering Code of Ethics. Many will then question the job scope of an ethical hacker, which is simply put, using one’s own hacking skills to penetrate into networks to look for computer security vulnerabilities for employers or the community. Hence, an ethical hacker, also known as a White hat hacker, makes use of his or her hacking abilities to benefit society, rather than doing evil. Furthermore, certification has to be provided by International Council of E-Commerce Consultants (EC-council) to be an ethical hacker, hence making it a legal profession.

However, this has led to raised eyebrows and controversial issues as many have questioned whether the term ethical hacking is just an excuse for computer experts to perform hacking skills, thereby granting them the freedom to penetrate into networks without being charged on legal grounds.

First and foremost, we must not ignore the fact that ethical hacking has indeed brought about many benefits to organizations, be it government agencies or businesses. Take for instance, ethical hacking has greatly helped to strengthen national security by fighting against terrorism and external threats. One example will be the use of ethical hacking by the United States Air Force to conduct an evaluation of their operating system (Beauchamp, Matt, n.d.). As a result, they were able to discover flaws like software vulnerabilities and security loophole in their system. Without ethical hacking, their security would be bypassed and terrorists groups will be able to retrieve classified data from their system. On a corporate level, companies like IBM also fully utilize ethical hacking to keep their clients’, as well as their own, systems secure. According to IBM’s hacking team, this is done so by testing their systems from an intruder’s point of view and that of an internal dissident, as security breaches may too be committed by employees (Langley, Nick, 2005). As we can see from these examples, organizations and individuals recognize the risks and dangers involved if the system security is being compromised, thus having the need to employ ethical hacking as an preemptive measure to stop people of similar capabilities to pose threats to their IT infrastructure.

However, the discussion does not stop here. While it is ostensible that ethical hacking has no doubt brought about many benefits, are there actually ethical grey areas  that corporates, governing bodies, or even the community choose to ignore?

First of all, a certified ethical hacker is granted the permission to follow a no-hold-barred approach when performing hacking, this implies that it will grant the hacker full access to the organization’s database, including the employees’, employers’ and the clients’ files and data. This, as a result, brings up the issue of privacy invasion and on a more serious note, data theft. The certified ethical hacker may manipulate data on the system, or even retrieve sensitive information such as credit card passwords and business processes from the database. Another thing worth worrying is that the certification of an ethical hacker will provide the hacker an excuse or opportunity for law-breaking. For instance, a certified ethical hacker may do harm to computer systems by performing malicious hacking and still be able to get away with it. Even if companies like IBM have asserted that they will not hire criminal hackers as ethical hackers due to fear of re-offending (Langley, Nick, 2005) how are they going to possibly ensure that ethical hackers without criminal record will be able to resist the temptation of performing acts which they should not? On a national level, government agencies, driven by political interests, may too exploit ethical hacking to penetrate into the networks of other nations, hoping to extract classified information, which, if exposed, will result in strained relations between nations, causing undesirable detriments. Thus, all these ethical issues raised then leads to the question of whether ethical hacking is ethical, albeit its many benefits.

As stated in Marcia J.Wilson’s article Is hacking ethical, she believes that the right approach is “understanding our freedoms and rights and protecting all that’s good in our society while preventing all that’s bad”. Indeed, from a Utilitarian point of view, where only the outcome is concerned, ethical hacking produces the greatest benefit for the greatest number of people, take for instance when national  security is being involved. Thus, she is inadvertently implying that there is no need to take into consideration the privacy and well-being of the targets of ethical hacking as they take up the minority of the stakeholders involved. Speaking of “understanding freedoms and rights” as mentioned in her article, wouldn’t it be contradicting as we will be ignoring and denying targets of ethical hacking the rights to privacy? Again, from a Utilitarian viewpoint, as we consider the long term consequences, the benefits will be the prevention of security breaches on both national and corporate level, whereas the possible repercussions will be that reputation of the particular organization will be at stake if exposed due to exploitation of ethical hacking. Well, it may be tempting to conclude that it is justified to employ ethical hacking as the benefits definitely outweigh the cons as there is a chance that the latter will not even happen if the hacking skills are in the right hands. Even so, i still feel that it does not align with my considerations of right of privacy when tackling this issue, hence ethical hacking is unethical.

Now, we shall look at it from a Kantian point of view. Let us apply the First Formulation of Categorical Imperative to the problem, which is to universalize ethical hacking as a moral rule – everyone can ethically hack for preventive security measures. However, if everyone follows such rule, everyone will be hacking into each others system and everyone will be able to grant access to every other computer systems. This makes no difference from illegal hacking, which is self defeating. This is again a contradiction just as Marcus J. Ranum has said in his interview before, “There’s no such term as ‘ethical hacker’ – that’s like saying ‘ethical rapist’ – it’s a contradiction in terms” . We can also apply the Second Formulation of the Categorical Imperative to this problem, and in this case, ethical hackers are treating the targets of the hackers (other organizations, employees, or clients) as a means to an end, which is morally wrong. Hence, using Kantianism, we can conclude that ethical hacking is unethical, not simply only being derived from the Categorical Imperative, but also because the word ‘ethical’ in front of hacking does not prove any difference.

After much evaluation from the ethical theories and personal judgement, I have come to a conclusion that ethical hacking is unethical.  But, even so, many organizations have realized the importance to use ethical hacking to prevent external threats or even internal dissidents. According to EC-Council, there has been an increase of careers in ethical hacking due to rapid advancements of technology today. While governments and corporates are receptive towards the employment of ethical hacking, perhaps due to desperate needs, i believe there is a need to enforce stringent laws and checks, not only guidelines to follow, to exercise control of such hacking.


McClelland, Mark (May 11, 2007). Meaning of hacking. Retrieved September 9, 2012, from http://www.helium.com/items/110975-meaning-of-hacking

Beautchamp, Matt (n.d.).Examples of Ethical Hacking – How Hacking Can Improve Our Lives. Retrieved September 9, 2012, from http://ezinearticles.com/?Examples-of-Ethical-Hacking—How-Hacking-Can-Improve-Our-Lives&id=5428490

C.C Palmer (n.d.). Ethical Hacking IBM. Retrieved September 9, 2012, from http://domino.research.ibm.com/tchjr/journalindex.nsf/600cc5649e2871db852568150060213c/01a6d2b15cbb71ae85256bfa00685d06!OpenDocument

Langley, Nick (July 28, 2005). Ethical hacking is challenging and lucrative but training is expensive. ComputerWeekly. Retrieved September 9, 2012, from http://www.computerweekly.com/news/2240061428/Ethical-hacking-is-challenging-and-lucrative-but-training-is-expensive

Marcia J.Wilson (Mar 24, 2004). Is Hacking Ethical?. COMPUTERWORLD. Retrieved September9, 2012, from http://www.computerworld.com/s/article/91549/Is_hacking_ethical_?taxonomyId=17&pageNumber=1

Ron (Dec 17, 2009). Ethical Hacking? Can It be Considered Ethical?. Retrieved September9, 2012, from http://geektrio.net/?p=521





2 thoughts on ““Ethical” Hacking – ethical or unethical

  1. I don’t have much to add, but if a certified hacker is considered a profession, said hacker will have to abide by the rules and code of ethics (more of a guideline, nonetheless can still be violated grossly through unethical acts), and the violation of those codes and rules will result in the persecution of the hacker. I think that the fear of repercussion will still exist in the mind of the ethical hacker, and furthermore, going by virtue ethics, the hacker invading the system is doing it with good intentions and the ‘professionalism’ aspect of the virtue keeps the hacker in line with the public interest, the interest of his clients, and more importantly himself, as well as his own conscience. Although this does not apply to all hackers, I still think that it is worth a thought.

  2. Thank you Zheng Hao. =)

    Evaluating the problem using virtue ethics is indeed a point worth bringing up, which i have failed to do so. However, i believe that everybody possesses different virtues and we cannot possibly assume that all ethical hackers have integrity and professionalism. Hence, we cannot focus on the nature of the acting person which in this case, applies to all the ethical hackers. But again, virtue ethics is still needed if we have to complement the other ethical theories as we tackle the ethical issues of ethical hacking, but only subjected to one single ethical hacker, rather than the whole ethical hacking population.

    Thank you for bringing the point up =))

Leave a Reply

Your email address will not be published. Required fields are marked *