This article was written by Carlos Valderrama, VP of Engineering at a UK Cyber Intelligence firm and one of the foremost cyber security experts in the world, with over 15 years' experience in Computer Forensics, Incident Response, Malware Analysis and Cyber Intelligence. The original post in Spanish can be found here.
The recent data breaches at some big companies and online services continue to highlight a market that makes our industry even more dangerous (as if it weren't dangerous enough already).
As if this were the old frontier (the Wild Wild West, pure Uncle Sam style), and perhaps because some people today have this way of acting embedded in their DNA, passed down from generation to generation, we see the Bounty Hunter back in the picture with moneybags full to the brim, no small thing in these days of fluctuating international markets.
Are we living in the digital Wild Wild West now? Curiously enough, it even shares its initials with the World Wide Web.
It seems that the powerful use their weapons and money to further stigmatize security specialists who, in most cases, only seek to demonstrate their skills and raise awareness among companies and individuals about the weaknesses of today's information systems.
This only shows that law enforcement agencies in almost every country (if not all) lack the tools and/or skills to "hunt" cyber criminals, and that is when the game starts: the powerful put bags full of gold coins on the table to hunt their enemies and then publicly disclose all of it on the Internet (with the same effect "Most Wanted" posters had when they were hung in public places in the Wild West).
What ensues is that "security professionals", people with skills, time, tools, guts and gold in their eyes, try to find evidence about the person or persons behind the attack so that the powerful (who can pay for it) can carry out their own form of justice.
And what about the millions of people affected by the theft of clinical data at Anthem, whose data are being sold on the black market? These "security professionals" do not seem as interested in finding those attackers. At the very least, it's a little curious, no?
There is constant talk of ethics in cyber security circles, of Ethical Hacking and other such matters, in articles from all over the world. They often defend researchers who seek out security flaws so they can be corrected before the hackers have a chance to do their thing, but it turns out there are also companies that sell the security flaws they find to the highest bidder and make this their whole business.
Where is the line of ethics?
If I have the skills to find flaws in a computer system or an application, isn't it best to report them to the manufacturer and avoid millions of people being affected? Or is it better to sell them for a nice sum and hope that God saves whom He can?
If my skills are more focused on data research, open source intelligence and threat intelligence, do I help the people affected obtain justice for the theft of their data, or do I become a mercenary of the all-powerful, who want justice only to cover up their own lack of ethics, morality, decency, loyalty and confidentiality?
One cannot criminalize a person for having some evidence of suspicious activity in a case, just to snatch the bag of gold. If you have relevant data, you have to make sure it reaches the relevant authorities and that the person is given a fair and legal trial with the freedom to defend themselves. We do not judge people publicly, and even less in cases where there is so much at stake; we may think the best punishment for the accused is prison, but the powerful want to know their identity for other purposes. That person has a job, a family and a future ahead.
Security professionals publicly criminalizing other security professionals? Is this where we are? All for a big bag of gold coins? Is that ethical? Is that fair? Would we have liked to start our careers being criminalized? Not me, of course.
Where is the investigative arm? Where is the forensic analysis demonstrating the criminal behavior? Where is the well-structured evidence? Where is the legal defense and the fair trial?
With our knowledge as security specialists we can do a lot of damage, but we can also collaborate and do good. We should weigh our actions very carefully and act in line with professional ethics, as well as human ethics, because a person's life can easily be ruined.
If justice does not take us where we need to go, then we should work to change that, so that the real criminals end up behind bars and security specialists can develop their skills freely without being stigmatized for it.
I appreciate the knowledge and ethical foundation that the deep study of Computer Forensics has given me, and that is why we ask that security professionals who are not very familiar with it either study it or leave these matters in the hands of the specialists.
Remember that a person is innocent until proven otherwise; at least to me this is very clear after many years of forensic analysis. Apparently other people don't see it so clearly.