Generally speaking, the word “hacking” has a negative connotation, but ethical hackers use their skills in a constructive manner to protect organizations from malicious black hat hackers.
Hacking in common parlance is understood as unauthorized access to a computer or network. In most cases, hackers leverage vulnerabilities, including zero-day vulnerabilities, to gain unauthorized access. However, not all hacking is done with mens rea, i.e., bad intention. This is what differentiates ethical hacking from the rest. In this write-up, we shall discuss what ethical hacking is and whether it is legal in India.
Categories of Hackers:
Based on intention, hackers can be broadly divided into three categories:
Category 1: White hat hackers: Also known as ethical hackers, they use their computer skills to protect and secure systems against malicious actors such as black hat hackers. They are generally engaged by firms and governments, and are paid for exposing and rectifying the vulnerabilities found in a system. They break into systems only with prior authorization and are the defenders of the virtual world.
Category 2: Black hat hackers: Also known as crackers, they act with malice and hack into an entity for personal gain. They are the evils of the virtual world, against whom systems must be defended.
Category 3: Grey hat hackers: They are ambivalent, acting as white hat or black hat hackers depending on the situation. As such, they are not trustworthy. In most cases they are self-proclaimed ethical hackers.
What is Ethical Hacking?
We read about white hat hackers, grey hats and finally black hats. While black hats intrude into systems with malice and without legitimate prior authorization, white hats are the complete opposite: they are engaged by individuals and corporations for the specific task of ethical hacking, and thus work with prior consent and good intention.
Black hat hackers aim to cause wrongful loss to the entity being compromised, for example through data breaches. Here, hackers compromise the data stored within an organization's systems and then either extort a ransom from the entity or sell the data on underground forums on the DarkNet. In some other cases, hackers simply paste the sensitive personal information so gathered on sites like Pastebin.
On the other hand, ethical hacking is meant to contain the fallout of black hat hacking, and the person engaged for the purpose is called an ethical hacker. In most respects the two are the same, as the underlying principles and fundamentals remain the same; the difference lies in consent and intention.
Hacking can cause irreversible and irreparable loss to an organization. This includes loss of public faith in the institution, legal liability in the form of monetary compensation for data theft (for example under the European Union's General Data Protection Regulation, GDPR), a fall in share value, loss of customers and users, etc.
Ethical hackers, on the other hand, demonstrate the exploits and vulnerabilities of a system. This enables security officers to patch the vulnerabilities before black hat hackers exploit them for personal gain. Thus, ethical hackers make systems safer and more secure by addressing the issues in networks and systems.
Ethical Hacking Decoded Further:
Ethical hacking is the study of the vulnerabilities and weaknesses of a system or network by cyber security experts, with the prior consent of the owner. The study finds and exposes the probable ways in which the system could be hacked. Where such weaknesses are found, the person responsible for cyber security patches them before they can be exploited by black hat hackers.
Thus, ethical hacking is construed as good hacking.
Why is the term Ethical Hacking Contentious?
The term “Ethical Hacking” has been contentious since its inception, mainly because the words ethical and hacking are seen as contradictory. At the end of the day, hacking involves intrusion into a system's defenses, and therefore carries a negative connotation.
Many feel that the term “Ethical Hacking” is hacking in disguise. Proponents of ethical hacking, however, view it as a defensive form of hacking.
Importance of Ethical Hacking:
In recent times, there has been a massive increase in the number of hacking attempts; data of even large organizations like Facebook has been compromised. Any theft of sensitive personal information can put customers at risk, for example of well-crafted phishing campaigns. Similarly, if passwords are stolen in a hacking attack, several of a user's accounts are put at risk: not only the account on the breached website, but others too, because most users tend to re-use passwords across websites.
Thus, any successful attack by a black hat hacker can seriously call into question the credibility of the organization. In the interest of users, data privacy laws have evolved over the last few years. Most of these laws penalize the breached company for not protecting its users' data sufficiently. Stricter data privacy laws are expected in the times to come, which may mandate jail or enhanced penalties for data breaches.
For especially severe violations, listed in Article 83(5) of the GDPR, fines can be up to 20 million euros, or, in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher.
Even for the catalogue of less severe violations in Article 83(4), the GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.
Not only this, a newer threat vector, ransomware attacks, has unsettled organizations and governments alike. “Ransom malware, or ransomware, is a type of malware that prevents users from accessing their own system or personal files. The attackers demand a ransom, generally in the form of money, in order to regain access to the files.”
These attacks have paralyzed organizations, forcing many of them to the brink of bankruptcy. As per recent studies, on average a ransomware attack inflicts direct damage of Rs 8 crore on an organization. The indirect damage in terms of opportunity cost is perhaps much larger.
Continuous cyber attacks have forced entities to employ ethical hackers and deploy robust intrusion detection systems. Studies show that this approach is not only cost effective but also better in terms of outcomes. As such, ethical hacking is rapidly growing into a well-paid profession, whose future seems brighter with every passing day.
History of Ethical Hacking:
The earliest reported ethical hacking was conducted by United States military agencies, to test the security of their systems before deploying them on a full-fledged basis. Gradually, as the internet gained worldwide acceptance, both hacking and ethical hacking became buzzwords, and rightly continue to be so.
As the internet exploded in the form of e-commerce, information websites, forums, etc., and instances of hacking increased, website owners became increasingly wary of hacking attempts. This gave birth to the systematic study of vulnerabilities and exploits in their own systems, also known as ethical hacking. Organizations started hiring cyber experts, Chief Information Security Officers, etc., who could access their systems with consent, evaluate the security measures and report any vulnerabilities found. Moreover, they also help fix the issues.
Ethical Hacking in India:
It must be borne in mind that hacking is illegal under Indian law, namely the Information Technology Act, 2000. The relevant section is reproduced below:
Section 43: Penalty and compensation for damage to computer, computer system, etc:
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network –
He shall be liable to pay damages by way of compensation to the person so affected.
Explanation: For the purposes of this section
The punishment is provided under Section 66 of the IT Act, 2000, reproduced in toto below:
Section 66: Computer related offences:
If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
Explanation: For the purposes of this section –
Now let us move on to ethical hacking, which is a rapidly evolving profession in India. Several institutions across India provide courses and degrees in ethical hacking. Given its growing popularity and the top-notch institutions offering regular courses in it, you might have sensed that it should not be illegal in India. In reality, ethical hacking has not been explicitly dealt with by Indian law, and therefore enjoys a neutral status under the Indian legal framework.
We will now discuss ethical hacking in light of the principles of Indian criminal jurisprudence, and whether it satisfies the ingredients that constitute a crime.
Two elements essential to constitute a crime are:
In ethical hacking, the first ingredient, i.e., mens rea (bad intention), is missing. Therefore, it is not a crime.
Growing Demand for Ethical Hackers in India:
India stands in second position in terms of the number of targeted cyber attacks, as per cyber security firm Symantec. Therefore, for websites, including e-commerce sites, to function properly, ethical hacking is the need of the hour. As long as the underlying motive is benign, namely to protect the system from black hat hackers, it is definitely legal, and in fact should be promoted. Given its current necessity and importance, an ecosystem should be created to boost ethical hacking.
Ethical Hacking as a Profession:
Cyber attacks, especially data theft and ransomware, threaten to nullify the gains of the virtual world. Therefore, cyber security has rapidly emerged as a new profession. In fact, cyber security is one of the most highly paid career options for tech-savvy individuals.
Ethical hackers are nowadays recruited not only by organizations and corporations, but also by governments.
The possible career options in the cyber security domain include:
In fact, this sector is expanding so rapidly that it is near impossible to list all the career options! The biggest employers of cyber professionals are:
Recently, various posts have also been created in the government sector, including in e-governance, e-learning, DRDO and CERT-In, as forensic experts, specialised pen-testers, cyber security architects, database administrators, etc. So, government jobs are also being created in this field in large numbers. With the explosion of the virtual world, job creation in this sector is an inevitable phenomenon.
How to Become an Ethical Hacker?
To become an ethical hacker, the first and foremost requirement is a love for networking and coding. Basic requirements include knowledge of programming languages like Python, C++, C, Ruby, PHP, etc. Besides this, you should have good knowledge of operating systems like Linux and Windows. Linux is the favourite tool of pen-testers.
There is a vast amount of literature freely available on the internet meant to secure the world from such attacks. We recommend the website https://www.owasp.org/index.php/Main_Page for more information. This site is considered the gold standard on hacking among the thousands of websites on the subject freely available on the internet.
Additionally, you must have conceptual clarity about the following beforehand in order to firmly grasp the subject:
Ethical hacking has not been dealt with explicitly by Indian law. However, on the basis of the fundamentals of criminal jurisprudence in India, it can safely be said to be legal, the foremost reason being the lack of mens rea. Therefore, ethical hacking is not illegal in India.