White hat hackers: carrot or stick?

So-called 'white hat' hackers could just be the guardian angels you never knew you had, so should corporations punish or reward 'good' hackers, asks Robert Bownes at data science consultancy Profusion.

White hat hackers: is carrot or stick best? asks Robert Bownes
Hacking, like selfies and beards, is all the rage nowadays. You can’t go five minutes without a major corporation announcing a data breach perpetrated by an inanely named criminal group. 

Despite the opining of many PR ‘experts’, the best PR response is actually pretty straightforward – get out in front of the story, be transparent, beg forgiveness and announce a suitably logical and robust change in procedure. Such is the regularity of hacking that the public is becoming more and more desensitised.

The situation becomes altogether more complicated when ‘white hat’ hackers get involved. White hats, unlike their decidedly more sinister black-hatted counterparts, hack to expose security or design flaws that could harm the public. 

In this scenario, the business has to make a difficult choice. Does it reward the hacker and risk more ‘attacks’, does it seek to hush everything up, or does it go after the hacker to seek some retribution and deter copycats?

These choices aren’t as clear-cut as they appear initially. 

First, the white hat might not actually be whiter than white. He or she could have a dodgy track record and their hack may have initially had more of a criminal or selfish intention. The impact of their work could also be devastating, exposing a flaw so severe that it risks fatally damaging a business. 

The public’s response is also much more unpredictable, especially in the case of ‘faux’ white hat attacks – where the hackers ostensibly argue from a moral position but are really after cash, as in the case of Ashley Madison.

Recent white hat attacks have elicited a variety of responses with a range of results. 

Cisco notoriously tried to hush up a white hat who found a way to hijack Cisco’s internet routers by threatening legal action. On the other hand, Chrysler announced a massive recall after hackers working for Wired remotely hijacked a Jeep with terrifying consequences. 

Seeking to bury the breach or acting aggressively against a hacker is a fool’s errand. Although it can be successful initially, the truth will out. 

Rewarding a hacker is also risky. Although it could draw attention away from the initial breach, it can come across as cynical if the breach is sufficiently serious. 

If you go down this road, make sure that you do sufficient due diligence on who the hacker is – giving money to a Russian criminal gang isn’t top banana. Firing an employee who reveals a breach should be avoided – it comes across as sour grapes. 

The best approach is to treat ethical hackers as you would an investigative journalist. Engage with them before they release their results by answering questions and showing how you will solve the problem. 

Of course, like journalists, not all hackers will play ball. Nevertheless, focus on showing how the problem will be solved and what you have learned rather than attacking the hacker. 

As is often said, ‘sunshine is the best antiseptic’, and these ‘events’ can have a silver lining for businesses by leading to improvements in product design and security. 

Robert Bownes is director of comms at Profusion
