As hacking headlines saturate the media every year – from the A-list hacking scandal, to the theft of a billion Yahoo accounts disclosed in 2016, to the recent ransomware outbreak that hit 200,000 organisations in 150 countries – there has been a seismic shift in the way that companies view cybersecurity. Two weeks ago, we looked at how women might be able to help bridge the skills gap. Today, we're looking at grey hat hackers, who still stir up controversy in tech circles. In this turbulent environment, can we afford to cut out the grey hats, and if not, can we afford to let them in?
Does my head look big in this?
Let's handle the terminology first. Broadly speaking, hackers can be classified into three categories: white hats, black hats and grey hats. The white hats are your classic good guys, the knight-in-shining-armour types. As cybersecurity professionals, the white hats are employed to test the strength of an organisation's technical innards. They have written authorisation, confidentiality clauses and a defined scope, and they only touch the systems they're entitled to. By contrast, their evil twins, the black hats, range from lone delinquents to members of organised, mafia-esque crime groups. Black hats exploit weaknesses in systems to steal data that can be used for personal or financial gain or sold on the black market.
Then there are grey hats. If we think of white hats as the police and black hats as criminals, then the grey hats are the slightly underhand private detective. Grey hat hackers are something of a smart-aleck: they break into systems without permission in the same way as a black hat, but treat what they find the way a white hat would. That could mean leaving a helpful note on the system to make the company aware of its lapses (like a burglar who leaves a note to let you know you left the tap running while you were on holiday); it could mean disclosing the flaw to the company privately so it can be fixed; or it could mean releasing the details publicly, leaving the company exposed to black hats until it fixes the problem.
There are multiple issues with grey hats. Firstly, by hacking into a system they have no authority to touch – irrespective of how noble the motive – they are acting illegally. Secondly, when a grey hat discovers a vulnerability, they alone decide whether to announce it privately or publicly. Exposing a flaw to the public further compromises the security of the organisation and risks reputational damage; on the other hand, keeping it private leaves the organisation free to ignore the problem while the public remains oblivious.
Thirdly, and almost as a consequence, should a grey hat elect to disclose the information to the affected company privately, a moral dilemma materialises for the company in question. The grey hat suddenly has leverage. Should they be rewarded for discovering flaws and not going public, or does that incentivise illegal activity and something close to extortion? And what's to stop a grey hat from turning black if the reward isn't high enough? As it stands, black hatting is one of the most lucrative ways to make money out of hacking. While cybersecurity professionals may earn around 2.7x the average wage, skilled black hats can make a lot more. An in-depth study by Trustwave into criminal payment schemes found that a basic ransomware campaign reaching 20,000 users a day could bring in roughly $3,000 a day for a black hat, amounting to $84,100 a month after expenses. That means that even with companies investing millions in rewards for white hat researchers (Google paid out more than $1.5 million in 2014 to over 200 different researchers through its Security Reward Program), the temptation to turn black is still there.
Do we even need them?
Despite the concerns, the expertise of grey hats cannot be ignored in such a skills-short market. The dearth of cybersecurity skills is well reported, and it leaves companies exposed to the operations of black hats. McAfee's 'Hacking the Skills Shortage' report found that 82% of respondents were affected by a cybersecurity skills shortage, while a study by Indeed revealed that cybersecurity job vacancies have risen by nearly a third in two years, widening the skills gap in the UK by 5%. Cybersecurity Ventures predicts that global spending on cybersecurity will exceed $1 trillion over the next five years, and estimates that there will be 1.5 million unfilled jobs by 2019. With such a severe disparity between supply and demand, prosecuting grey hats as well as black hats could have serious repercussions for the cybersecurity market.
Finding a better fit
There is a solution. The rise of the gig economy, hackathons and bug bounty programmes is providing an alternative means of coaxing grey hats to the white side of life, enabling organisations to leverage grey hat skillsets in a safe, sanctioned environment. Crowdsourced platforms such as Bugcrowd and HackerOne act as the middle-man between software companies and hackers. With clear-cut terms and conditions, defined focus areas and explicit 'out of scope' sections, these platforms sidestep the legality problem by giving hackers free rein to uncover issues – within the agreed boundaries. Bugcrowd also supports its customers by routing researcher traffic through its own infrastructure, so that a customer can distinguish activity coming through Bugcrowd from a genuine external attack. Participating companies also give hackers the variety and challenge they crave (Hack the Pentagon, for example), while cash rewards and recognition schemes blunt the attraction of black hat notoriety. Here, hackers can prove their mettle, get paid for it and avoid a nasty lawsuit.
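The scope sections and the separation of sanctioned researcher traffic from everything else are the two controls that make this work in practice, so here is what that triage looks like on the defender's side. This is an added example, not Bugcrowd's, HackerOne's or Lorien's code, and it assumes three things that a real programme would publish or agree with its platform: a list of in-scope and excluded hosts, the egress IP ranges the platform's proxy uses, and an identifying header (assumed here to be `X-Bug-Bounty`) that registered researchers send with their handle. Every host, IP range, handle and log line below is a constructed placeholder.

```python
"""Triage web logs into sanctioned bug-bounty traffic vs. everything else.

Added example (not the code of any bounty platform). Assumptions:
  * the programme publishes in-scope hosts and explicit exclusions,
  * the platform proxies researcher traffic from known egress ranges,
  * registered researchers send an identifying header with their handle.
All hosts, ranges, handles and log lines are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter

IN_SCOPE_HOSTS = {"app.example.com", "api.example.com"}
OUT_OF_SCOPE_HOSTS = {"legacy.example.com"}            # explicit exclusions
PLATFORM_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder range
RESEARCHER_HEADER = "X-Bug-Bounty"                      # assumed header name
REGISTERED_HANDLES = {"alice_h1", "bob_bc"}

# Constructed log format: <client ip> <host> "<method> <path>" <status> [k=v ...]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3})(?P<extra>(?: \S+=\S+)*)$'
)

SAMPLE_LOG = """\
203.0.113.7 app.example.com "GET /login" 200 X-Bug-Bounty=alice_h1
203.0.113.7 api.example.com "POST /v1/users" 500 X-Bug-Bounty=alice_h1
198.51.100.9 app.example.com "GET /admin" 403 X-Bug-Bounty=alice_h1
203.0.113.12 api.example.com "GET /v1/health" 200 X-Bug-Bounty=mallory
203.0.113.12 legacy.example.com "GET /" 200 X-Bug-Bounty=bob_bc
192.0.2.44 app.example.com "GET /login?user=%27%20OR%201%3D1--" 200
192.0.2.44 vpn.example.com "GET /" 401
"""


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["headers"] = dict(kv.split("=", 1) for kv in rec.pop("extra").split())
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["status"] = int(rec["status"])
    return rec


def from_platform(ip):
    return any(ip in net for net in PLATFORM_EGRESS)


def classify(rec):
    """Label a request: sanctioned, scope_violation, unverified_claim,
    unattributed or out_of_scope."""
    handle = rec["headers"].get(RESEARCHER_HEADER)
    # Attribution needs BOTH signals: the header alone proves nothing,
    # because anyone can add it to a request.
    attributed = from_platform(rec["ip"]) and handle in REGISTERED_HANDLES
    host = rec["host"]
    if host in OUT_OF_SCOPE_HOSTS or host not in IN_SCOPE_HOSTS:
        # A registered researcher hitting an excluded host breaches the
        # programme terms; anyone else is ordinary external traffic.
        return "scope_violation" if attributed else "out_of_scope"
    if attributed:
        return "sanctioned"
    if handle is not None:
        return "unverified_claim"   # header present, but IP or handle doesn't check out
    return "unattributed"           # the traffic the SOC actually has to investigate


def triage(log_text):
    """Return (label, record) pairs for every parseable line."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            results.append((classify(rec), rec))
    return results


def summary(log_text):
    return Counter(label for label, _ in triage(log_text))


if __name__ == "__main__":
    for label, rec in triage(SAMPLE_LOG):
        print(f"{label:17} {rec['ip']} {rec['host']} "
              f"{rec['method']} {rec['path']} {rec['status']}")
    print(dict(summary(SAMPLE_LOG)))
```

The point worth taking from the `classify` logic is the caveat in the comments: a researcher header by itself is not authentication, so the example only treats a request as sanctioned when the header's handle is registered and the request arrives from the platform's published egress range. Everything else, including a valid handle sent from an unexpected address, stays in the queue the security team has to look at, and a registered researcher touching an excluded host is flagged rather than silently excused.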
One of the core benefits of these platforms is that with so many white and/or grey hats working to detect bugs it’s likely that any defects will be reported by multiple hackers, alerting the customer to any issues and allowing them to fix the problem before it can be sold on the black market. The nature of crowd sourcing also means that bugs are being identified and fixed all the time, driving down the value of bugs to criminals. With compensation for bugs ranging as high as $100,000, that’s food for thought for even the most tempted grey hat.
And if you're thinking that those sound like pretty big figures to be paying out for cybersecurity, consider this: bug bounties can be more cost-effective than hiring full-time security consultants, because you pay for results rather than for time. Black hats are regarded in some circles as more experienced and advanced than their white hat counterparts, and crowdsourcing channels draw on a wider pool of 'hats', including former grey and black hats, which is part of why they find what in-house teams miss. After all, who better to out-fox a fox than a former fox? And when you put it in the context of cybercrime costing the global economy an estimated $445 billion annually, a $100,000 bug bounty doesn't sound so high.
These networks could also prove critical for long-term recruitment needs and for curbing the enduring skills shortage. While bug bounties are a fantastic resource for short projects or for providing ongoing back-up to a team of white hats, we cannot rely solely on them to defend our systems. This is where a recruitment provider with a strong understanding of the market can be brought to the fore (like Lorien, for instance; we have an extensive background of hiring cybersecurity professionals into some of the largest professional and technical companies in the world, including members of the FTSE 100, as well as into countless smaller organisations). We believe that these bug bounty communities are creating an incredible hotbed of up-and-coming talent that can be tapped as part of a wider resourcing strategy, alongside established cyber forums (especially those where women in the industry gather) and traditional advertising channels. Better yet, many of these networks include rating systems and internal recognition, providing a ready-made screening and vetting mechanism. To address the skills shortage, as recruiters and as businesses, we need to look at the behavioural patterns of these workers, identify their hangouts, and understand their motives in order to secure the strongest available skillset for long-term cybersecurity needs.
Cybercrime is endemic and only set to escalate as we become more technologically dependent. If we pit black hat against white hat, it's the grey hat that swings the balance. We cannot afford to lose the skills of the grey hat to the black hat by penalising, criminalising and prosecuting; that much is clear. Nor can we afford to sacrifice the integrity of the white hats to the whims of the grey hats by rewarding or commending acts that are, by all rights, illegal. What we can do, however, is invest heavily in bug bounty programmes: leverage their skillsets, reward good behaviour, encourage creativity and outpace the black market. On these terms we can trust grey hat hackers. In fact, we have to trust grey hat hackers, because we really, really need them.