A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). Hackers are here. Where are you?
Legislation proposed by the German government in 2006 aimed to make computer hacking a punishable crime. ‘On 23 May 2007, the Committee on Legal Affairs of the Bundestag (the lower chamber of Germany’s Federal Parliament) approved a controversial government bill meant to improve criminal prosecution of computer crimes.’
German anti-hacking laws place tools used by security firms in a legal gray area. The most serious offences are punishable on conviction by up to 10 years’ imprisonment.
Cybersecurity. Pushing the frontiers. What is Ethical Hacking?
A warm welcome to the third discussion at our ‘Top Cyber News’ extended roundtable!
Striving for knowledge sharing and learning from our readers, Charles (Chuck) Brooks and I are eager to bring to your attention the facts and information of the cyber ecosystem, in the hope of creating and scaling globally an inclusive ‘authors-publisher-readers’ circle of wisdom and expertise. To illuminate a cyber ecosystem in action, Stewart (Stew) Skomra, President and Chief Technology Officer (CTO) of TeMeDa, presents to our readers worldwide the diversity, the dynamism and creativity, the challenges and rewards of his 33-year industry experience.
Stew Skomra is responsible for TeMeDa market and technology vision, formulating and creating market-driven and market-driving Telematics-based solutions – comprising hardware, software, mobile & wireless data, and services. Stew has led global market and product development for Fortune 500 companies with extensive multi-national Global 2000 customer exposure in product marketing and strategic business development spanning industries including: Transportation and Logistics, Manufacturing, Retail and Wholesale Distribution, Healthcare, Education, Finance and Insurance. During his career he has worked at IBM, Telxon (now owned by Google), Aironet (owned by Cisco Systems), Intel, Qualcomm, and Trimble Navigation. He has been a co-founder/principal of five start-ups driving company formation (both spin-outs and grass-roots start-ups), Angel and institutional funding rounds, and pre-IPO private placements/bridge financing through to Initial Public Offering. Stewart Skomra is inventor or co-inventor of patents in areas of information technology including: security, trust, identity management, electronic commerce, location-based services, distributed processing, and telematics. With a B.S. in Mechanical Engineering from The Ohio State University and an MBA from The Ohio State University Fisher School, Stew is also an APICS Certified Practitioner, a member of the IEEE, SAE, AEMP, and IANA organizations, and a guest lecturer for graduate entrepreneurship programs.
Chuck and Ludmila, first of all it is an honour to join you at this intellectual social medium, the ‘Top Cyber News’ Roundtable.
My impression is that we work from similar if not identical tenets and precepts: seeking truth and building upon that truth to create good. I hope that you, and those with whom you share your knowledge, may serve as the “sounding-boards” for my thoughts. Just as there is much for me to learn from and through you, there is much that I would like to share with you and your readers.
Please let me apologize in advance if my expression of thought is perceived as too pedantic or being excessively concerned with minor details and rules. In my opinion, the topic ‘Ethical Hacking’ calls for this approach – I expect we will get to that later on. The reason for excessive concern over minor details and rules is because of the reality of the biggest strength and biggest weakness of machines (i.e. computers). The biggest strength of a machine is that it does what it is instructed to do. The biggest weakness of a machine is that it does what it is instructed to do.
A brief introduction of myself and what TeMeDa (short for: “Tele Meta Data”) is about: I am in the 33rd year of my industry – where “industry” is used in its original meaning, that of ‘diligent pursuit of a personal passion’. Each step in this 33-year journey has been on the road to enabling machines to automatically create machine automation. In other words: enable computers to program computers. This capability – which is an inevitability – may dramatically elevate discourse on the definition and ownership of data and can easily promulgate myriad metaphysic debates. Fortunately, for now, we will stick to the simpler topic of ‘Ethical Hacking.’
The final stage of my industry is TeMeDa – short for: Tele Meta Data or, for the longer explanation, TeMeDa = Information about meaningful facts separated in space and time. What TeMeDa is doing is working to develop and deliver the fundamental secure identity, systems and network infrastructure through which the information tapestries of our interconnected world may be woven. Investors tend to want to categorize companies as it makes it easier for them to pick-and-choose in their portfolio plays. If you want to categorize TeMeDa, please consider it to be an EaaS – Everything-as-a-Service provider (pronounced “Ease”). TeMeDa EaaS™ alleviates the stress that builds from not knowing the status of things that are important to you and separated from you in space and time by providing an easy to acquire, simple to install, and intuitive to use approach for turning “Actionable Intelligence” into Intelligent Action.
The instrumentation and interconnectivity of mankind’s world began thousands of years ago and its implementation is inevitable;
You will find TeMeDa throughout the yet-to-be-defined Intranet-of-All as well as in the underpinnings of today’s fledgling IoT efforts that survive the tsunami of opportunity resulting from the tectonic shift TeMeDa EaaS™ introduces.
Q. to Stewart Skomra: Who opened doors for you in your professional life, career?
There have been several key individuals who opened doors. My dear, departed older brother Bernard M. Skomra; dear, departed IBM Branch Systems Manager William Bolden; Robert F. Meyerson, Founder and CEO, and David Loadman, CTO, of Telxon (what was once Telxon is now part of Motorola, Intel, and Google) and Aironet Wireless Communications (the company that brought the world IEEE 802.11b and one of the creators of Wi-Fi – Wireless Fidelity – which was acquired by Cisco Systems); John Major – Motorola CTO; Tim Towell and Lil Mohan – Intel Mobility Group; Joan Waltman – President, Qualcomm Enterprise Services; Rick Beyer – President, Trimble MRM; and Scott Morey – CEO, The Morey Corporation.
The ‘door opening’ did not come as a surprise since it required persistent ‘door knocking’ with these specific individuals. These doors were very intentionally sought out in the pursuit of my industry/personal passion. In each case – as in most all interpersonal relationships that I choose to initiate – I like to think the “door opener” gained as much or more from letting me into their world than I think I have gained. This is not self-immolation/altruism/permitting myself to be exploited – it is simply that I believe that every interaction is an exchange of Value and that I choose to provide what others might consider to be an equal or greater contribution of Value than that which they perceive I receive. The reason I choose to do so is because I can. The reality is that these Value exchanges are always fair.
Q. to Stewart Skomra: What makes a difference for you?
Creating good. Yes, this reads rather abstract. However, I believe that an individual human may choose to create or consume – to make or take – to either advance or decline – to grow or atrophy – to live or be evil (I have always thought it curious that the English word for Evil is Live spelled backward).
There is no stasis – the belief mankind has in earning ‘stations’, ‘titles’, ‘respite’ is intolerable to me. What makes a difference for me is movement, progress, advancement, toward good – in this there is no stasis.
Early in my career at IBM I had the privilege of working to architect, develop and deliver fully-integrated three-tier continuous-flow manufacturing planning-scheduling-execution systems with both U.S. and Japan auto manufacturers – such an extraordinary contrast! What I learned most from the Japanese auto maker was their definition: Manager = failed Engineer. To this world-class and industry leading global manufacturer, the more valuable you are, the closer you should be to the point where product Value Add is realized.
Any individual being moved to “management” was considered to have failed as an engineer – an engineer being the highest valued resource in that Japanese auto company. Far too often management (a verb) is confused with a leader (a noun). Machines must be managed – Mankind must be led.
I always correct employee candidates who express a desire to be “promoted to management” by emphasizing: “Management is demotion – Leadership is promoted”. Leadership is always needed by each and every person. If an individual’s industry aligns with mine, and they have proven success through their industriousness, everyone gains by their promotion to leadership. Maybe I am broken in the way that I think. Bottom line: what makes a difference for me is Industry, focus on Value Add, and Leadership.
Q. to Stewart Skomra: How was it to know that you changed somebody’s life in a positive way?
To me, changing anything in a constructive way is evidence of progress toward good – since I choose a positive and proactive approach to life, most all change that I have helped to accomplish is intended to affect somebody’s life in a positive way.
Yes, there are errors/mistakes that I make that cause hurt/have negative effects. These are catastrophically detrimental to my industry – I do not forget these errors. Although I refuse to dwell on these mistakes, obsessing to the point of regret, in all cases I do work to achieve redemption/recovery to an equal or better state of good.
How might I gauge my success? By reflecting on all of the lives of individuals – customers, employees, business partners, suppliers and company shareholders – affected by businesses and products that I have had the privilege to help create. All of the individual persons that these efforts have affected – helping each of them to pursue their individual passions, their own unique industry – while providing for their selves and their families – this is all personally rewarding. It is also a reminder of how much more will always remain to be done – the growth of good needs no bound.
Q. to Stew Skomra: Given your pursuit of “fundamental secure identity, systems and network infrastructure through which the information tapestries of our interconnected world will be woven”, what are your thoughts on the topic of ‘Ethical Hacking’?
Conrad Constantine and Dominique Karg’s Forbes article Exploding The Myth of the ‘Ethical Hacker’ provides an excellent example of a perfectly accurate answer to a different question than the spirit or intent of my interpretation of our immediate ‘Ethical Hacking’ discussion. This is where being a pedant comes into play especially concerning computers (i.e. machines).
Please recall the greatest strength and weakness of a computer: it does what it is instructed to do. Unfortunately, as a species, humanity has not yet determined how to program morality, we have not even yet agreed whether morality can be legislated. From a pedantic analysis ‘ethical hacking’, where ethical is intended to mean amoral, may be perfectly acceptable since ethical may be defined as either morally ethical or amorally ethical. Now, a professional linguist may argue that in our contemporary interpersonal communication, ‘ethical hacking’ is intended to mean ‘moral hacking’ which, if ‘hacking’ is generally agreed to be bad, makes the phrase ‘ethical hacking’ an oxymoron. So Constantine and Karg, if it is of any importance to them, would find that I am in agreement with their article.
However (I hope that you were expecting a big ‘however’), my understanding of the spirit of the White Hat community reference to ‘Ethical Hacking’ is: ‘better the devil you know than the devil you don’t know, worse yet the devil or devils you may never know exist.’ This is a relationship definition versus a morality definition. Computers are really, really good when it comes to relationships – when it comes to morality – not so good. Furthermore, the context within which we now need to consider Cyber world security is one of relentless expansion of data acquisition-transformation-presentation capacity by increasing orders of exponentiation with the fractal of this manifested chaos being none other than a machine: the computer. And both the good and bad thing about a computer is that it does what it is instructed to do and, unfortunately, is limited by humanity not yet knowing how to instruct a computer to do morality. With this spirit and within this context, the White Hat community spirit/ its industry – its diligent pursuit of its passion – needs to be cast in a more appropriate light.
Rather than ‘Ethical Hacking’, I propose a substitute more in line with the use of human biology as the analogy for the U.S. DHS – Department of Homeland Security – Cybersecurity ecosystem description in its publication: Enabling Distributed Security in Cyberspace – Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, March 23, 2011. It should come as no surprise that human biology serves as the DHS Healthy and Resilient Cyber Ecosystem analogy since we know human biology as well as or better than any other, and the purpose toward which humanity directs machines (e.g. computers) is to perform work for and on behalf of humans.
Staying with the human biology analogy, “Ethical Hacking” is to “the devil you know versus the devil you don’t” as inoculation is to human immunology. Both muscular-skeletal strength training and immunology fundamentally weaken the subject by subjecting it, respectively, to physical stress and environmental pathogens. To develop an immunity, to grow stronger, you must have the subject contract the disease and allow the autoimmune system to build up resistance so that, over time, the subject is no longer made weak by the introduction of the stressors/pathogens. In the DHS paper’s human biology example, the human immune system is the analogy for a prescribed Cyber Security ACOA – Automated Courses of Action.
For this article and “Ethical Hacking”, being consistent with the DHS paper’s human biology analogy, my preference is to treat the first word as simply an adverb with a synonym of Proactive (which is a good thing) and the second as a verb being replaced by a synonymous expression: Exposure of Required Automated Courses of Action. Therefore, for the purpose of the following, my preference is the reader consider ‘Ethical Hacking’ = ‘Proactive Exposure of Required Automated Courses of Action’ = PERACA (which makes for a horrible acronym).
We are on the cusp of an accelerating plunge in the human-to-computer ratio with the condition of humanity/the human experience continuously enhanced through machine automation. As humanity evolves to and beyond a point where 100s and 1,000s of computers exist and operate – not in curious correlation with – rather as direct causation of each human life, these machines (i.e. computers) must organize to serve the human in a manner similar to the human immune system. Thus the essential need for PERACA (a.k.a. “Ethical Hacking”).
When considering PERACA, its very foundation, in my opinion, is: Security + Trust + Privacy. Each of these attributes/traits/conditions may require extensive dialog to arrive upon “One Mind + One Voice” in a co-authored publication. We might choose to begin the dialog with Privacy.
Postulating that humans choose to interact with one another through an exchange of thought that is inventoried in the written word, Privacy is anathema. In other words, Privacy and Society are somewhat mutually exclusive.
Where individuals within a Society want to force themselves into a selective-group dialog without the permission of the existing members of the group – this would be considered an invasion of group Privacy. The Black Hat hacker falls into this category.
Where a selective group agrees that their shared thoughts should be monitored by a non-member of the selective group for the purpose of ensuring that individuals wishing to force themselves into the selective-group thought sharing are detected and either prevented from joining or expunged from the selective group, this would be considered protection of group Privacy under agreement by all accepted selective-group participants to the thought sharing. This non-member monitor is represented by the White Hat hacker fulfilling the role of PERACA.
It follows that:
PERACA (a.k.a. “Ethical Hacking”) is essential to a Cyber Secure Society.
Charles (Chuck) Brooks serves as the Vice President for Government Relations & Marketing for Sutherland Global Services. Chuck is Chairman of CompTIA’s New and Emerging Technology Committee, a Fellow at The National Cybersecurity Institute, and serves on the Boards of several prominent public and private companies and organizations. Chuck has extensive service in Senior Executive Management, Marketing, Government Relations, and Business Development and has worked in those capacities for three large public corporations.
In government, he served at the Department of Homeland Security as the first Director of Legislative Affairs for the Science & Technology Directorate. He also spent six years on Capitol Hill as a Senior Advisor to the late Senator Arlen Specter, where he covered foreign affairs, business, and technology issues. In academia, Chuck was an Adjunct Faculty Member at Johns Hopkins University, where he taught graduate-level students about homeland security and Congress. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague. Chuck is widely published on the subjects of innovation, public/private partnerships, emerging technologies, and issues of homeland security and cybersecurity (he was recently named Cybersecurity Marketer of the Year by The Cybersecurity Excellence Awards).
Q. to Chuck Brooks: Hacking Laws May Make Security Researchers ‘Endangered Species’. Could ethical hackers be outlawed? Or should ethical hackers be registered? Registered by whom?
The major problem is that the law is too vague and allows for such prosecution. The goal of stopping malicious hackers may be warranted but it can also be abused, including with security researchers and ethical hackers.
They play an important role. There are a variety of Certified Ethical Hacking Certifications.
According to the EC-Council, a “Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.”
I do not envision certified ethical hackers being outlawed; most likely certification roles and regulations will be expanded to adapt to the new digital world. Outlawing ethical hackers would be self-defeating and illogical, as they play an important role both in cybersecurity and in promoting safe commerce. However, that does not preclude the reality that legislation and many laws that are enacted are often illogical. That is why there are amendments.
Also, the question of registering is a good one. There is no global governing cybersecurity authority and international courts have been the playing field for legal and policy actions. Personally, I think the public and private sectors should agree to a convention in cooperation with a neutral organization or entity that could bring various parties together to determine working compliance guidelines (perhaps at The Hague). A hopeful outcome of such a meeting would be to protect ethical hackers and security researchers from litigation and share information on the priority of mitigating malicious threats.
Germany and Belgium were taken to court by the European Union, after refusing to implement the 2006 Data Retention Directive. The measure was overturned in April 2014.
With their proposal to reintroduce data retention in Germany, Justice Minister Heiko Maas and Interior Minister Thomas de Maizière are planning a new law that opposition parties say is simply a scheme to “relabel” existing legislation.
In 2015, the Australian government introduced mandatory data retention laws that allow data to be retained up to two years.
Australia: (Not) defining ‘data’ in data retention laws.
The United States does not have any Internet Service Provider (ISP) mandatory data retention laws similar to the European Data Retention Directive.
The controversial website WikiLeaks collects and posts highly classified documents and videos.
Q. to Chuck Brooks: If there is NO clear definition of ‘data’ in data retention laws, and no clear definition of ‘data ownership’… does it not provoke a precedent of creating and sustaining a ‘Julian Assange / Edward Snowden’ syndrome? Does the world need WikiLeaks?
Like many legal concepts, the terms of what constitutes data in data ownership are very broad and subject to many interpretations. Techopedia explains Data Ownership as “primarily a data governance process that details an organization’s legal ownership of enterprise-wide data. A specific organization or the data owner has the ability to create, edit, modify, share and restrict access to the data. Data ownership also defines the data owner’s ability to assign, share or surrender all of these privileges to a third party. This concept is generally implemented in medium to large enterprises with huge repositories of centralized or distributed data elements. The data owner claims the possession and copyrights to such data to ensure their control and ability to take legal action if their ownership is illegitimately breached by an internal or external entity.”
I think the better way to view the topic is from a contractual or implied contractual manner. If you are working for a company and are privy to information that only employees of the company have access to, then it is the company’s data. If you sign an agreement as part of your role to protect data that may have security implications as part of your government role, that is government-owned data. A good example is your own personal medical records: they are your records but shared with your designated medical authority, who can edit them and modify them under terms defined, in the United States, by HIPAA privacy laws. If you start from the basis of implied and stated sensitivity and confidentiality, it is easier to establish what is assigned and what is not assigned data.
The concept of data ownership does become a greyer issue when it is data related to a moral public interest matter, or falls into an area of journalistic investigation under free speech. In a world lacking in democratic nations with free and open press it is difficult to establish and uphold universal standards of such ownership as it may be censored or manipulated for state rather than individual purposes. In most of the world, there is no free media ombudsman.
Along with data ownership, a fundamental question arises: what constitutes privacy in a digital era, in how we may conduct activities in our daily lives, our commerce, and for the realities of homeland and national security? It is a tricky hypothetical question and a trickier hypothetical answer.
To be continued…