A vibrant, connected community of ethical hackers has an important role to play in the increasingly complex fight against cyber-crime, explains Brigitte d’Heygère, Vice President Security & Consulting Services at Gemalto.
Buried treasure is not just the stuff of fiction and legend. For at least some of our ancestors, it was quite simply the most effective means of protecting prized possessions from unwanted attention. And whilst the methods of defense have inevitably evolved over time, the basic game of cat and mouse between legitimate owners and those who seek to steal from them has never gone away. Of course, in an era of digitalisation, the treasure being fought over is often no longer physical. Harvesting personal data, attacking critical national infrastructures and disrupting online services are just some of the aspirations of today’s cyber-criminals. In common parlance, these 21st century bandits are often lumped together under a single, catch-all label – hackers. Equally, there is a widespread assumption that our security will be ensured simply by the application of ever-more sophisticated technologies. However, in reality, this only tells half the story. Keeping digital resources safe from cyber-attacks ultimately means harnessing the ingenuity and expertise of a diverse global family of IT and digital security specialists. What’s more, at the heart of this community is an often-overlooked citizen army – made up of hackers with a very different ethical agenda to those who usually hit the headlines.
A shifting security landscape
Whilst the science of cryptography has a history stretching back almost as far as mathematics itself, prior to the advent of the internet, it was generally the preserve of select sections of society, such as governments and the military. But with digitalisation came a paradigm shift. In a permanently connected world, the security perimeter has become highly scalable and volatile, the attack surface exponentially bigger. Instead of simply protecting a physical memory unit or processor, for example, complex networks of computers and servers, as well as the constant flow of information between them, need to be defended.
Machine learning and Big Data are changing the rules, again
What’s more, the world continues to spin faster. The digital footprints that individuals and organisations leave in cyberspace are getting deeper. Furthermore, the advent of machine learning has now made it easier for malevolent forces to compromise and reap this Big Data. But, at the same time, machine learning also represents a potentially powerful defense tool. In particular, its ability to predict situations and scenarios based on accumulated evidence can play a key role in detecting vulnerabilities and pre-empting attacks. A new front in the cyber-security arms race has opened.
Next on the horizon – quantum computing
As if the implications of machine learning and Big Data were not enough to contend with, yet another technology revolution is on the horizon. It comes in the form of quantum computing, which is set to redefine the limits of data processing power. In doing so, it will undermine the fundamentals on which many of our currently ‘unbreakable’ cryptographic codes are built. For the security industry, that obviously means another profound challenge: the creation of new, quantum-resistant cryptographic algorithms.
Harnessing the hackers
Given these rapidly shifting sands, the security sector has no choice but to evolve fast. And one of the most significant ways that this is being achieved is through closer collaboration with, and between, the good guys: the ethical hackers.
In terms of harnessing this key resource, we have already seen a major change in the landscape. Not so long ago, security experts were almost invariably drawn from the world of academic research. Consequently, cryptographic skills were concentrated in the hands of a relatively small circle of people, and typically paid for by governments. However, the ubiquity and accessibility of powerful IT systems have swiftly democratised the art of hacking. Subsequently, an extended community has developed, embracing both the public and private sectors, employed professionals, freelancers and talented amateurs. Moreover, whilst media attention, and consequently public fears, have tended to focus on the malevolent hackers, the energy, dynamism and co-operative approach of this ethical movement deserve to be recognised fully – and utilised as effectively as possible.
Cybersecurity Act will set new standards
There is growing recognition that, to stay one step ahead of the criminals, this exchange of ideas needs to be as comprehensive as possible. Within digital security companies, talented and dedicated digital security experts already represent a vital force. They invest their energy for good, continually and rigorously testing systems and products to identify and address any potential weak spots. By actively encouraging collaboration with the wider ethical hacking family, we are now forging an even stronger alliance between all those people who share not just the right skills, but the right principles too. Looking ahead, changes in the regulatory framework are only likely to make this approach even more worthwhile. In Europe, the forthcoming Cybersecurity Act will introduce a single means of security certification for ICT products, with levels ranging from ‘basic’ to ‘high’. Authorised hacking of products to test for any vulnerabilities will clearly be an important part of the process.
Listening, learning, sharing
To this end, the work of the ethical hacking community is being channeled not just by informal interaction, but also by major organised events and conferences. Better-known examples of these include Black Hat, “Nuit du Hack”, CHES Conference, DEF CON, AppSec and Pwn2Own. Notably, many play host to hack contests (aka bug bounties), which challenge participants to find vulnerabilities in a system, and a means of exploiting them, and then reward the team that is first to do so.
Time to bury the stereotypes
Stereotypes are invariably difficult to dispel. But, in the case of the hacker, we should at least try to change the perception that the term applies exclusively to malevolent loners, organised criminals and the murky world of state-sponsored cyber warfare. Today, a very different type of hacker is also hard at work, helping to protect us from the manifold threats that inhabit the dark corners of cyberspace. Moreover, as the systems that must be secured become more complex, so do the skills needed to defend them. Helping to build a truly diverse ethical hacking community and fostering dialogue with the principled experts working inside the digital security industry should therefore be an imperative for all interested parties.
To this end, reclaiming the term hacker from the bad guys, and giving this vital and dynamic community due credit, are more than symbolic gestures. Beneath them lies an understanding that, in an ever more digitalised world, greater safety and security remain rooted in the most positive elements of the human character.