The internet crisscrosses our world while removing the distance barrier between people. Undersea cables literally connect the continents, faithfully ferrying our data around the globe at the speed of light. Satellites orbit high above the Earth’s surface, relaying information over the horizon. This cyberspace plugs into our daily lives, facilitating a web of interactions from a myriad of users. The diversity of humanity is undoubtedly our greatest strength as a species, but it is not without drawbacks. No matter what you believe about people, there will always be some who seek to unethically gain from others.
Physical space and cyberspace need to be policed for the same reasons. The laws that were originally formulated to govern the physical world have been adapted and expanded to apply to cyberspace. While this legal overlap is a good starting point for securing cyberspace, it is far from comprehensive and, in some ways, misses the mark altogether. One of the most interesting points of debate on this topic is the issue of hackers. A great deal of progress has been made in defining the term “hacker” and today most people affiliated with internet culture know the word applies to both good and bad actors. In fact, there is a spectrum to measure the deeds of hackers by, from the benevolent to the deplorable. Generally speaking, hackers fall into three categories: white hats, gray hats, and black hats. White hats represent the benevolent end of the spectrum in that they don’t break the law. Black hats represent the opposite end – breaking laws without conscience. There are infinite variations on both ends which converge towards their ideological middle ground, where there is a hacker type that plays both sides of the law.
Gray hats keep or break laws according to the incentives or consequences of their tasks, which are as diverse as their individual motivations and beliefs. Whereas a white hat might just fix your code and send you an email with a patch, a gray hat might inform you about a bug, but ask for a small fee to fix it. However, the gray hat hacker isn’t necessarily someone who breaks the law unpredictably or according to their mood on a given day. The complexities of cyberspace and cyber-law enforcement sometimes require white hats to battle black hats by breaking the law, much like running a red light on the way to the hospital. This issue gets very complex, very quickly, and in the shadowy realm of hackers, it’s easy to lose the thread of what is credible. Recent events can help us better understand how some white hats are caught in a position in which they must act to protect a portion of cyberspace because law enforcement can’t.
The case of Marcus Hutchins has recently illustrated the conundrum of gray hat hackers to the world. Hutchins has risen, twice, to international fame over the past few months. In early May of this year, Hutchins, a 22-year-old cybersecurity researcher from the UK, famously exploited the kill switch in the WannaCry ransomware cyberattack from his bedroom in his parents’ house. WannaCry was (and still is) a piece of malicious software that spread around the globe, encrypting victims’ computer files, restricting access to them, and demanding a ransom payment. The fact that WannaCry was defeated from a hacker’s bedroom shouldn’t diminish our attempt to understand the serious danger it posed. The severity of WannaCry’s threat matrix is exemplified by what happened to the UK’s National Health Service, which was taken offline by WannaCry on May 12, 2017. Later, Hutchins was arrested by US federal agents on August 2, 2017, right before he was scheduled to fly home from a hacker convention in Las Vegas. Hutchins has pleaded not guilty to the charges brought against him, which allege his involvement with an unrelated cybercrime from 2014. Hutchins’ case highlights one of the most significant pieces of the gray hat puzzle: the skillsets of different hacker types generally overlap. It’s their personal character that makes the difference.
Much like when banks of yesteryear hired safecrackers to design more secure vaults, companies today hire hackers to try and penetrate their systems. This paradigm of relying on black hat skills to perform white hat work is truly timeless. To better understand it, ETHNews spoke with Roderick Jones, founder and CEO of Rubica and former member of Scotland Yard’s Special Branch. Jones told ETHNews:
“The ability to defend comes from an outstanding ability to understand attack. The best medieval castle builders were the best castle takers. The institutional danger, which exists for governments, is that they silo the culture of defense without training people to think like attackers. These are not new trends. Criminals and terrorists have been exploiting the Internet for a couple of decades. There are a host of ‘threat intelligence’ companies that have emerged from individuals conducting research into [terrorist] networks as well as human hacking networks. The best and safest way for these researchers to describe themselves is as ‘security researchers’ and [to] align themselves with legitimate institutions as far as possible. I think the whole use of the word hacker needs to be rethought as it has dangerous legal implications for individuals acting in the space. Individuals acting in cyberspace are potentially acting in ways that cross lines placed by governments. This is a danger for them and society. One solution is for governments, national or local, to be able to deputize individuals with specific talents to enable them to work on projects of clear social good. Having the equivalent of a Digital National Guard, where people can volunteer a weekend in return for training and be available for emergencies also seems like an idea whose time has come. Overall, governments local and national need to engage their populations more to ensure collective digital safety.”
“The only thing necessary for the triumph of evil is for good men to do nothing.”
– The White Hat Group, quoting Edmund Burke to ETHNews
It will take time and consideration to create a truly just system in cyberspace. Until then, the networked ecosystems in the digital world will have to, in part, rely on the skills of individual security researchers to aid industry players in defending cyberspace. Ron Austin, an associate professor at Birmingham City University’s School of Computing and Digital Technology in the UK, and a member of the cybersecurity community who spoke out in defense of Marcus Hutchins, elaborated about the role of security researchers for ETHNews: “Without the cybersecurity researchers keeping the software companies in check there would be many more undisclosed breaches of security. It’s a challenge, as technology is being created faster than the law can keep up. New technology will and has always pushed the boundaries of the law as it’s often used in ways not at first perceived.”
Jones echoed this sentiment, stating, “The battle between offense and defense in cyberspace is destined to go back and forth indefinitely. This is simply the nature of the technology being developed. Technology is utterly Janusian in character and can be used for either good or bad purposes. A good example of this are encrypted chat applications. Clearly, these were built with individual privacy protections in mind but have become an essential part of the criminal toolkit. Similarly, [cryptocurrencies] which [are] a fundamental technology leap forward also enable the funding of criminal networks at an unprecedented rate.”
Given the dubious possibilities associated with hacking, we’re fortunate to have security researchers like the White Hat Group in the Ethereum ecosystem. While their identities remain a mystery, their actions are legendary within the community. These range from saving The DAO to their latest white-hat exploit, during which the group acted quickly under pressure to use a black hat’s own hack to remove vulnerable funds from multi-signature contracts, essentially stealing around $85 million of Ether, only to return it to the rightful owners after the danger had passed. Speaking through back channels, the White Hat Group told ETHNews: “If the authorities do somehow misjudge our actions, the people we are rescuing will surely defend us. Actually, white hats have a huge advantage. When there is a problem, people tell the white hats so we get a head start. Honestly, we are Ethereum developers so we are well connected in the Ethereum ecosystem. It’s easier to step up here, but that said, in the most recent hack, we reached out to UBIQ and the ETC communities to make sure they didn’t have any vulnerable multi-signature contracts. There were no instances of that version of the [multi-signature contract] on their chains. Otherwise, of course we would have helped.”
Perhaps the future will provide society with some form of a digital Geneva Convention. Until then, we will have to rely on a blend of efforts in cybersecurity. A large part of that effort is made by communities who help self-regulate the spaces they use online. This works, but it requires people whose greatest skillsets include caring for the welfare of others.