Why do companies turn to white hat hackers to solve cybersecurity problems?

25 Jul 2019

Image: © jgolby/Stock.adobe.com

Would you trust a white hat hacker to solve your business’s problems?

How can companies keep up with the breathless pace at which the modern threat landscape is evolving?

It’s a question that plagues cybersecurity professionals, and one that calls for increasingly creative solutions. One option that has become more popular in recent years is ‘white hat hackers’.

White hat hackers, a term used interchangeably with ‘ethical hackers’, are hackers who use their skills for good, as opposed to the malicious ends for which ‘black hat hackers’ are known.

However robust a company’s in-house cybersecurity team may be, bringing in an outsider who is not intimately familiar with its systems is always valuable: they bring a fresh pair of eyes and a different technical perspective to the mix.

Julia Kanouse, CEO of the Illinois Technology Association, believes that the rise in white hat hackers partnering with companies can be chalked up to shifts in perception.

“Hackers 20 years ago were all ‘bad guys’ and now the times have caught up to that … Companies are catching up to the idea that [hackers] can be a benefit to them,” she says.

Working with independent actors can also be a good way to bolster a company’s talent pipeline.

“I have quite a few members who are in the cybersecurity space. There’s a need from a talent standpoint, a growing need for people with this skillset,” Kanouse adds.

“Often, you’ll find that the best hackers don’t want to work for a bank. They tend to have a little bit of a rogue, independent, ‘do it on my own’ mindset. So, the people who are really good at [hacking] don’t want to work in an internal team.”


Yet for Kanouse, leaning on white hat hackers for tasks such as penetration testing can be a murky practice for both parties.

“Some companies might put what is called a ‘bug bounty’ out, where they are not necessarily contracting directly with anybody in this space but they say, ‘Hey, if you find bugs and you’re able to hack into our system, here is the process to report those to us,’” Kanouse explains.

“Another is completely unasked for, but you have people who are doing security research. They may be academics and they may discover a security vulnerability, so they’ll try and reach out and let that company know about it.

“That’s where you can see some things maybe go off the rails a little bit when it’s not asked for and the company doesn’t have any processes or procedures for dealing with it.”

Her worry, she explains, is that some of these transactions lack the necessary legal protections and formalisation. That is certainly not always the case – companies often contract hackers directly and have all the requisite NDAs, agreements and other documentation in place to ensure things go smoothly – but frequently the people probing company systems are operating in a legal grey area.

“I think where the grey line starts to happen is when someone is looking to expose vulnerabilities without the company’s knowledge of it, or without the explicit or implicit consent.”

How do they disclose?

Whether specifically commissioned or not, white hat hackers who discover a vulnerability will likely want to let the relevant parties know, but how does that even work in the context of an already murky process?

“This is where companies can get their hackles up. If that disclosure comes in [and] the hacker doesn’t get a response from the company, they may take that information public,” Kanouse says.

She points out that hackers who don’t hear back may find themselves in a bit of a quandary. If the company is processing a lot of sensitive data, customers will continue to be at risk of falling victim to a cyberattack every day that the vulnerability persists. “Is it your responsibility to make that public? That’s where those ethics are really blurred.”

Kanouse worries that how hackers are treated in these instances is not adequately codified. How is a hacker to know whether they will be handsomely rewarded or prosecuted for their efforts?

“I think the next step is [figuring out] how to more formalise that process while keeping the benefit of having rogue hackers out there.”

Eva Short was a journalist at Silicon Republic
