Why we should not teach hacking to the IT students

Denne teksten er et debatt­inn­legg. Inn­holdet i teksten uttrykker forfatterens egen mening.

A recurrent topic in many cybersecurity curriculums is an «Ethical Hacking» course, often introduced in the early years of a bachelor's program. Ethical hacking is a type of «hacking» by considering ethical rules.

Introducing ethical hacking at an early stage of a bachelor program begs the question: How appropriate is it to introduce students to the hacking concept, especially at such an early stage?

To answer briefly: Students at this stage lack fundamental knowledge and experience and might misunderstand ethics. Instead of promoting genuine ethical hacking, the course could end up encouraging a risky hacking mindset, and embolden them, resulting in unforeseen risks in the future.

To discuss the question in more detail, let’s review the ethical hacking concept in cybersecurity and the study programs.

There are various definitions for hacking and hackers. Here are some commonly accepted ones:

• Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system’s resources.
  
  
• A hacker is a person who breaks into a system or network without authorization in order to destroy, steal sensitive data, or perform other malicious attacks.

Hackers are categorized on a spectrum, from white hat to black hat, based on their malicious intent and the ethical nature of their actions.

Ethical hackers require an advanced understanding of software, hardware, computer systems, and networks. Additionally, they should possess intermediate to advanced expertise in Operating Systems (OS), databases, IoT, AI, cryptography, and security protocols.

Bachelors in cybersecurity may on an «Ethical Hacking» course lack basic knowledge and maturity in the complicated area of information security. This may, unfortunately, open some unwanted gates in the near future.

Hacking needs a special mindset and experts continue to debate the definition of «ethics». Ethical hackers are not necessarily employed in any organization or affiliated with hacktivist groups like Anonymous, they can potentially target any organization. Although they may report vulnerabilities to these organizations, the definition of «ethics» remains subjective. Human understanding of «ethics» is constantly evolving due to the nature of social development, a large number of social factors and human aspects in cybersecurity resulting in changes in security standards, rules and regulations.

Ethics is and will be debatable. Hacking and hackers’ mindset is unique and could be acceptable for a specific and limited number of experts with maturity and knowledge. With a hacking mindset the hacker, the ethical hacker, must sit in a position against systems. Unfortunately, such a mindset can influence students’ thinking, feelings, behavior and actions.

Moreover, the number of bachelor students in cybersecurity is ever-increasing. And thus, growing the hacking mindset for these students who will graduate in the next years, can create a high risk.

So, is there any suitable replacement for ethical hackers that can also grow the protective mindset?

Compared to the general perception of the ethical hacking concept, we have the concept of penetration test or pen-test and penetration testers, who play a distinct role. These professionals are specifically hired by organizations to probe and evaluate the system's security.

Penetration testers’ objective is not just to pinpoint vulnerabilities, but also to devise strategies to thwart potential future attacks and risks. They then relay these insights back to the organization. The goal is to test, analyze, monitor, and revise the security features and implement robust security protocols in the organization.

— What is the difference between «ethical hacking» and «penetration testing»? I asked a group of bachelor students in cybersecurity in a close communication in a gathering.

— Hacking is cool, the students answered.

This is exactly what the educational system should not foster!

The mindsets behind «hacking» and «testing» differ significantly. While we aim to discourage the former, we actively seek to cultivate the latter. A significant distinction between «ethical hacking» and «penetration testing» lies in their core objectives: one focuses on «hacking,» while the other emphasizes «testing». Each fosters its own mindset.

Just as the need for surgeons in societies will not be satisfied by teaching «surgery» in the first years of education, in cybersecurity, the need for experts in ethical hacking will not be satisfied by teaching such a course to the bachelor students who are not even ready to learn it. And a significant number of them might not pursue such competence in the future.