The dark side of white hat hacking: whom can cybersecurity experts help, and whom shouldn’t they?
Consider the ethical issue of selling hacker tools to certain interested parties.
The recent increase in the use of various hacker tools to monitor “undesirable” individuals and associations raises fundamental ethical and moral questions for so-called “white hat hackers”, whose work developing and even using tools for hacking and espionage is often quite legal and can be used to help the governments of certain countries.
NSO Group as a prime example of an unethical attitude to cybersecurity
The Israeli company NSO Group, whose experts develop and apply a variety of custom hacker tools, claims that its products are designed primarily to help governments of different countries in the fight against terrorism and crime. However, evidence periodically emerges that the company’s technology is regularly used for, among other things, attacks on journalists, activists and political dissidents. That is, even if the hacker tools developed by the company are used by the authorities and law enforcement officers, their use clearly goes beyond countering terrorism and other good intentions.
A Citizen Lab report, released in collaboration with Mexican digital rights organization R3D (Red en Defensa de los Derechos Digitales), has identified a number of Pegasus infections targeting journalists and human rights activists between 2019 and 2021. Among the victims were two journalists who reported on government corruption and one well-known human rights activist.
Mexican opposition figure Agustín Basave Alanis was also infected with Pegasus spyware in 2021. These infections occurred years after the first revelations of Pegasus abuse in Mexico, despite repeated assurances from the current president that the government no longer uses such practices and further abuse of spyware is out of the question.
Misuse of Pegasus by state actors in the Palestinian territories has also been previously reported, targeting human rights organizations in Bahrain and a host of other groups.
And the problem here lies not so much in the hacker tools themselves as in their sale to government forces and their misuse.
One of the major ethical issues in selling hacking tools to governments is control. The lack of transparency in sales and the absence of an international regulatory framework only exacerbate the problem, allowing governments of different countries to use hacking tools for malicious purposes with impunity.
Ethical balance and potential liability
The sale of hacker tools raises numerous moral and ethical questions for white hat hackers. On the one hand, these tools can indeed be used by governments and law enforcement agencies for legitimate purposes, such as fighting terrorism or hunting down criminals. On the other hand, the potential for misuse is also huge, especially when these tools are sold to countries with a history of human rights violations.
Moreover, the use of hacker tools for espionage raises questions about the balance between national security and personal integrity. In a world where governments are increasingly turning to digital surveillance to monitor and control their populations, white hat hackers and other IT professionals must consider the ethical implications of their work and whether their services will infringe on civil liberties.
Professionals should also be aware of the legal implications of their actions, as they may face liability for assisting clients who use their services for illegal activities. For example, in some jurisdictions, providing assistance, even indirectly, to individuals or organizations engaged in criminal activity can result in severe penalties, including fines and imprisonment.
To mitigate all these risks, providers of such services should develop rigorous client screening procedures and maintain strict ethical standards in their work.
It is critical for companies providing computer security services to understand and evaluate the reasons why their customers want to develop their offensive capabilities. There are several ethically questionable reasons why clients might seek these services. It is unlikely that a potential client will talk about these reasons directly, so capturing the context is an important task that lies on the shoulders of organizations providing such services.
Political repression: governments can use hacking tools to monitor and suppress opposition groups, resulting in violations of human rights and civil liberties.
Corporate espionage: private companies may engage in cyberespionage to steal trade secrets, intellectual property, or other sensitive information from competitors.
Cyberwar: state actors can use hacking tools as part of their broader military strategy, potentially causing collateral damage and violating international law.
Blackmail and extortion: criminal groups or individuals may use hacking tools to collect sensitive information for blackmail or extortion.
Disinformation campaigns: state or non-state actors may use hacking tools to spread false information, manipulate public opinion, or undermine trust in public institutions.
In light of these potential motivations, information security professionals should develop strategies to screen clients and their intentions to ensure that their services are not being misused.
The development of artificial intelligence tools in the cybersecurity industry adds another layer of complexity to ethical considerations. These tools are often based on machine learning algorithms, which can be opaque in their functionality and decision-making processes. As a result, developers may not fully understand how their tools work, what distortions may be introduced into their functionality, and how exactly these tools will be used by customers.
The sale of hacking tools raises many ethical, moral, and legal concerns for cybersecurity professionals. The potential for misuse of such tools is significant, and the consequences can be dire for privacy and civil liberties.
To navigate this complex landscape, security professionals must develop strategies to verify clients and their intentions, adhere to strict ethical standards, and be aware of the legal implications of their actions. In addition, the growing popularity of artificial intelligence tools in the industry requires greater transparency and collaboration to ensure that these tools are used responsibly, in line with international norms.
Ultimately, the responsibility for ensuring that these services contribute to a more secure digital environment, rather than exacerbating existing inequalities and injustices, lies with information security professionals.