If you manage to penetrate a company’s network, and identify all its security flaws and vulnerabilities, why should its bosses be upset? Or, better put, if, during your hacking endeavours, you discover that certain users’ accounts or computers have been compromised by a malicious hacker and inform them accordingly, is a lawsuit or, worse, a criminal prosecution the best you can get for that?

These questions and whether ethical hacking should be legalised are what I intend to answer here. The issue came to the fore after four computer science students were investigated by the police when they found and highlighted a security weakness in Malta’s largest student application, FreeHour. But before I provide any answers, it is important to first understand what ethical hacking is and what it is not.

Ethical hacking is the process of penetrating a network of an organisation or company or software in order to find security flaws and vulnerabilities with the intention of fixing them and securing the system. Most ethical hackers possess advanced skills in computer programming, operating systems, and other server software. They then use these skills to launch a real cyberattack on a system legally to find its weaknesses and fix them.

But that is just generic ethical hacking. One must then distinguish between three different types of hackers. These are white-hat hackers, grey-hat hackers, and black-hat hackers.

A white-hat hacker is anyone who penetrates a network or application in order to find its security vulnerabilities and remedy them. They are also known as ethical hackers or penetration testers. Ethical hacking should undoubtedly be completely legal and is one of the highest-paid and fastest-growing professions in information technology today.

Often, an ethical hacker would work as an employee in an organisation, a security firm, or as an independent security consultant. In this sense, therefore, those four unfortunate students would not have had all the qualifications to be classified as white-hat hackers.

A grey-hat hacker stands somewhat between an ethical hacker and a malicious hacker.

This type of hacker would attack an organisation’s or company’s system, network, or application in order to find its vulnerabilities without any malicious intent.

It could be just for the fun of it, just to prove to themselves or satisfy their little ego that they can break into something, or, sometimes, with the intention of informing the company of the vulnerability later on. This is why I would classify those four students in this category.

According to the law, breaking into an organisation’s system without their permission is illegal. That is why some of these grey-hats get locked up in lawsuits or face criminal prosecution just after informing the company about the security flaws they detected.

Ethical hackers protect businesses or individuals from cybercrime- Mark Said

So, strictly speaking, the local authorities were right in denouncing the students. What was objectionable was the manner in which they went about it, including the unwarranted arrests, searches, and seizures.

A black-hat hacker is anyone who penetrates a network, system, or application with the intention of exploiting its security flaws and vulnerabilities for malicious ends. It could be to steal sensitive user information, alter or destroy data, or simply interrupt its normal operations.

Black-hat hackers are also simply referred to as hackers, attackers, or crackers, and the practice is completely illegal and punishable by law. What differentiates ethical hackers from black-hat hackers is their intentions.

Now, why am I calling for legalising ethical hackers in the sense explained above? Simply put, they protect businesses or individuals from cybercrime. They protect sensitive information from attackers. A firm or organisation can use hacking to instantly identify security vulnerabilities and eliminate them.

Ethical hacking aids in the prevention of cyber-terrorism and terrorist attacks, hence safeguarding national security. It discovers potential entry points, allowing you to fix them before an attack. To eliminate further danger, ethical hackers check that the software works properly under normal and extreme settings.

Last, and perhaps most important, ethical hacking can open up dozens of new job opportunities every year. It has a promising future, as experience abroad has shown.

To address the issue of network security, government departments and agencies, as well as businesses, could begin to employ a strategy in which they test their security by having computer security personnel hack into their systems.

These professionals would be able to infiltrate the system the same way a cracker would, but instead of causing damage or stealing information, they would report on the system’s flaws and vulnerabilities.

Is it not time to encourage and aid educational institutions to launch accredited hacking courses?

Practicality and effectiveness should no longer remain legitimate concerns about ethical hacking. As with many other things, legalising the practice can create an opportunity for regulation to ensure that it is not abused, to strengthen the rule of law, and to help make it more effective. Due-process safeguards are not all that difficult to formulate.

Malta has experienced some high-profile cyber security incidents in the last few years. As things stand, our laws are deficient, and we need to act now and introduce a ‘safe harbour’ legislative framework that would provide protection from legal action when a researcher, or even any inquisitive and prying individual, identifies a vulnerability and reports it in good faith to the responsible organisation.

We sure could do with more than one Ankit Fadia!

Mark Said is a lawyer.