Ethical hacking or penetration testing involves deliberately intruding into a network or system to identify vulnerabilities and threats. Ethical hacking aims to improve the security of a network or system by correcting vulnerabilities identified during testing to prevent malicious intruders from using them to access and alter data. However, only the worker’s intent distinguishes ethical from malicious hacking. Ethical and malicious hackers often use the same tools and methods of hacking. Therefore, comprehending the true intentions of any ethical hacker accessing a vulnerable network or system is hard. The advancement of technology continues to provide better tools for ethical hackers that serve the public. However, these tools can be devastating in the wrong hands, causing a breach of privacy, free will, and respect. Studies show that the majority of cybercrimes, approximately 90%, happen to be inside jobs (Memon et al., 2020). This raises concerns about how easy malicious hackers can find it to work from inside an institution. The question, therefore, arises whether ethical hacking solves the problem of hacking or adds more problematic issues.
Ethical Actor
An ethical actor refers to the entity or person making the decisions. The ethical actor decides the actions that virtuous entities or individuals should perform and follows a similar path depending on particular situations. In ethical hacking, the ethical actor is the ethical hacker. Ethical concerns with these actors start from their education and training to be ethical hackers. The main concern is that education might improve intrusions into networks and systems. This potential drawback makes ethical hacking education a controversial topic that course leaders and curriculum developers face in developing such courses. The consequences are both positive and negative, with some students eventually using their knowledge to improve the system security of networks while others are bound to use the knowledge for malicious purposes (Abels, 2019). Regulatory policies like mandatory criminal record checks for all ethical hackers reduce the risk of training criminals in hacking.
Despite the mandatory criminal background check for ethical hackers, individuals still might have motives for using their access to systems to pursue selfish interests. This problem can be prevented by hiring two or more independent experts to conduct the tests, ensuring that no individual has total control over the whole system. The current technological trends make storing data in digital form advantageous, with most transactions transitioning to digital form. This makes the data accessible to hackers, whether ethical or unethical, and therefore there is a need for ethical hackers to be held responsible for the security breaches resulting from corrupted system testing.
Ethical Action
The ethical action being tested is ethical hacking. Ethical hacking is meant to assess vulnerabilities to reduce potential risks to networks and systems. Locating susceptibilities in systems helps the company reduce the chances of attack. However, due to the limited time usually allocated to this process in many companies and institutions, there is always a risk of overlooking some vulnerabilities. When this process fails to secure a client’s system and a malicious hacker gains access to the system, it becomes an ethical dilemma whether to hold the ethical hacker liable or presume that the work of ethical hackers does not provide absolute security because of the many people who use the system.
Ethical hacking action is important in system security. Still, it comes with the risk of the ethical hacker utilizing knowledge about the client’s system vulnerabilities to plan and launch future cyber-attacks. An alternative to ethical hackers is the use of security software, but this limits self-improvement and flexibility with the funds directed toward system security. Another issue that causes conflicts is the amount of access given to the ethical hacker. Deeper access allows for better knowledge and problem identification, but the process does not assure total security. Still, hackers might be able to deceive and bypass the network.
Utilitarianism
Utilitarianism is a category of consequentialism. In consequentialism, actions’ consequences determine a scenario’s moral wrongness or rightness. In consequentialism, morally wrong behaviors are actions or lack of actions that have more negative consequences than positive ones. Morally right decisions involve actions with more positive consequences than negative consequences. On the other hand, from a utilitarian perspective, actions with few beneficiaries that harm more individuals are considered morally wrong. When the actions lead to more people benefitting than those harmed, the action is morally right.
There are different categories of benefits and harms. One perspective defines benefits and harm in terms of unhappiness and happiness or pleasure and pain. According to this view, morally right actions cause less unhappiness or pain than alternative actions or inactions. In contrast, inactions and actions that cause more pain and unhappiness than alternatives are deemed morally wrong. The utilitarian perspective is concerned with increasing the net utility with the theory of morality based on the utility principle that states, “The morally right action is the action that produces the most good” (Driver, 2014). Morally wrong actions lead to the reduction of the general good.
In most modern democracies, policies are made as proponents of free-market forces with a small level of bias and government interventions meant to enhance security and safety. Generally, the appropriate levels of government interference and interventions remain debatable. However, economic and political policies tend towards fostering the well-being of as many citizens as possible. When a portion of society is disadvantaged and ends up suffering inequalities in income and economic opportunities, it is the work of policymakers. Utilitarianism is the best ethical option that produces the greatest good for most people. This is the only moral framework that can justify acts of war and military force on other nations. This approach is also the best for business ethics as it accounts for benefits and costs. The theory asserts two utilitarian ethical practices in commerce and the business world. These categories are act and rule utilitarianism. Rule utilitarianism assists the largest number of individuals using the fairest methods.
For instance, tiered pricing is part of rule utilitarianism in business. The airline industry issues first-class, economy, and business-class tickets to customers of different financial statuses. People traveling in business and first class pay more and get better amenities than those in economy class. Similarly, people in economy class enjoy reduced rates of air travel. In this way, the practice produces the best outcome for most people. Act utilitarianism enables the most ethical acts possible for the general good. An example of act utilitarianism is pharmaceutical companies being approved by the government to release medication and drugs that have known minor side effects because the general good affects more people than those facing adverse effects. In this case, the end does justify the means.
Specific provisions
The specific provision of the utilitarian approach used is rule utilitarianism. Rule utilitarianism comprises actions that provide the best-desired outcomes for most involved parties while keeping harmful actions or inactions low (Mokriski, 2020). In this case, the ethical hacker is an ethical actor who tests systems security for future protection against malicious hackers. The function of utility in rule utilitarianism is to use guidelines that result in the best general outcome for most people. The ethical hacker (EH) will be required to use the method that brings the best outcome and shun tools and methods whose harmful outcomes outweigh their merits.
In ethical hacking, the greatest net utility will be achieved when a comprehensive analysis of network vulnerabilities is achieved, and future security threats are identified and fixed. The ethical hacker’s future actions are also included in the net utility. When an ethical hacker completes their work without becoming a future threat to the system they tested, this activity will be considered morally right. If the hacker turns out to be a future security threat, then the decision to grant the hacker access to the network is morally wrong because the resulting outcomes only benefit the hacker while inflicting heavy losses on the clients under attack.
Several steps can be implemented to ensure that the decision to grant ethical hackers access to system information is morally right. First, the education of ethical hackers must be regulated, and all enrolled students must undergo criminal background checks before admission. Additionally, clients should hire two or more independent professional ethical hackers who would access different parts of the network but not have access to the entire system. This will prevent any hacker from gaining total control of a company’s or institution’s system.
Analysis
Ethical
The ethical action is ethical hacking. An ethical factor is the assessment of susceptible areas to reduce future risks. This assessment faces criticism because it allows hackers to tamper with the system at will. Since it is impossible to predict a person’s intentions, it is often unlikely that trust in ethical hackers can be placed accurately. Locating susceptibilities in systems helps the company reduce the chances of attack. The process is morally right and considered ethical when system security is attained without the addition of further vulnerabilities to the system.
Unethical
Due to the limited time usually allocated to ethical hacking in many companies and institutions, there is always a risk of overlooking some vulnerabilities. When this process fails to secure a client’s system and a malicious hacker gains access, the hacker commits a moral crime.
Ethical hacking is important in system security but comes with the risk of the ethical hacker utilizing knowledge gained about the client’s system vulnerabilities to plan and launch future cyber-attacks. An alternative is to use pre-fabricated security software, but this limits self-improvement and flexibility with the funds directed toward system security. This problem stems from a lack of proper frameworks that can prevent hackers from using knowledge of the system for future attacks against the network (Rafferty, 2016).
Satisfaction of Ethical Test
Ethical
The ethical test is based on rule utilitarianism. It is satisfied when the best outcome for everybody is achieved using the fairest process that leads to greater good for the majority while reducing harmful outcomes (Hojjat, 2018). The process of hacking that identifies problems with the network and corrects areas of susceptibility satisfies the ethical test. The satisfaction of the test depends on the outcome of the cybersecurity process of ethical hacking. Possible outcomes are the realization of a system secure from cybercrimes either identified or projected during the hacking process.
Unethical
When rule utilitarianism is used as the principle for an ethical test, the success or failure of the process solely depends on the outcome of the action. When the general outcome leads to a system that is weaker against threats compared to the system before the ethical hacking process, the test is failed. Failure of the test means that the ethical test has not been satisfied. Ethical hacking will always have a degree of uncertainty regarding the future intents of professional ethical hackers. This means that cyber-attack risk is often inevitably increased whenever any institution hires an ethical hacker. In a sense, this can be considered a failure in system security because the hacker is given tools that make the network vulnerable to the EH.
The paper successfully identifies the ethics of ethical hacking and the problems that come with hacking for ethical purposes or otherwise. The ethical actor in the ethical hacking process is the professional hacker. The ethical action is the professional job description of an ethical hacker, which is ethical hacking. The concerns stakeholders in education and the cybersecurity industry have about educating potential black-hat hackers in methods that give them better access to networks and systems are legitimate. The ethical standard used is identified to be utilitarianism. This system is concerned with the consequences of actions and assigns morality, whether right or wrong, based on the outcome and consequences of undertaken actions.
References
Abels, G. (2019). The European Community as an ethical actor? Policymaking on the human genome and the role of the European Parliament. In The Social Management of Genetic Engineering (pp. 45-62). Routledge.
Driver, J. (2014). The History of Utilitarianism. Stanford Encyclopedia of Philosophy.
Hojjat, H. H. (2018). John Stuart Mill; Act or Rule Utilitarianism.
Memon, I., Shaikh, R. A., Fazal, H., Tunio, H., & Arain, Q. A. (2020). The World of Hacking: A Survey. University of Sindh Journal of Information and Communication Technology, 4(1), 31-37.
Mokriski, D. (2020). The Eligibility of Rule Utilitarianism. Journal of Ethics and Social Philosophy, 17(3).
Rafferty, B. (2016). The dangerous skills gap leaves organizations vulnerable. Network Security, 2016(8), 11-13.