I have been spending a fair amount of time lately thinking about the state of the information security industry. I don’t think that things are going all that well to tell you the truth. I am constantly hearing of hackers in our industry, seemingly going out of their way to disrespect, humiliate, and attack others. For examples of this, you need only to check #infosec on Twitter.
To be clear, I am of the opinion that those who pretend to be of the band of ‘ethical’ hackers, whose ethics stop as soon as they put down the terminal, are not in fact ‘ethical’ hackers at all. What I mean by this is that those who call themselves ethical hackers, who claim to be one of the good guys, but who only show it through their refusal to hack others, aren’t.
There is more to being ethical than simply not hacking someone without permission. If you hack legally, but then spin around and treat your peers with disrespect… if you hack legally, but refuse to seek consent with others in more intimate affairs… if you hack legally, but aren’t willing to support and defend the humanity of those around you; then you are not an ‘ethical’ hacker.
Being ethical doesn’t end. Ethical action is a state of being. It’s not just about what you do while you’re at work. It’s about who you are. Think about it, as members of the information security industry you are often trusted with power to view highly sensitive data, control infrastructure, and cause real damage. The skills that you have, and that you will learn and teach others, are some of the most powerful weapons on earth today, sought by and used by governments to wage real 21st century warfare.
You will be scrutinized, you should be scrutinized. Your actions have weight, and the things that you do matter.
Chivalry & Bushido
I’ve been a bit fascinated as of late by the concept of warrior codes of honor. Two of the most well known of these are the chivalric code and bushido. These codes were the ethical standard by which knights and samurai (respectively) ensured that their actions and their lives were to the standards of their time. These warriors were the specially empowered warriors of their age, just like hackers are the empowered knights of the digital age. And just as your actions as a hacker hold power, the actions of warriors of ancient times shaped their world.
If you were a knight who was known for having no morals, then you would also be known as someone disgraced. The same is true for samurai, who may even have been ordered to kill themselves should they ever break the bushido code. This might sound intense, but it isn’t just a punishment. You see, if you break the code, then how can you ever be trusted by others again?
Through these codes, similar themes appear time and again. These include:
Code of Honor
We need a code of honor for information security. Never has this been more of an issue in our field. I know some similar attempts have been made; I’m thinking of the codes of conduct which appear throughout various projects and teams. This is not enough. For those who wish to be known as the great and ethical digital warriors of our time, simply ‘hacking with permission’ is not enough. If you want others to trust you, you must show yourself to be worthy of their trust.
Certainly there are many members of our industry who have shown themselves to be ‘honorable’ in their affairs. But there is no standard code.
I propose that we create one.
I’m not sure today what all should be in it, but I suggest the following three basic precepts.
- Integrity & Sincerity
- Mercy & Benevolence (liberality)
- Honor & Excellence
Integrity & Sincerity mean treating others with openness and truth. Seeking consent in your interactions with others, and building them up with you – to the advantage of you both.
Mercy & Benevolence mean caring for those who are less fortunate. This means helping rookies who are just starting out, and it also means only hacking someone fairly.
Honor & Excellence mean showing the best of yourself, and what you can do. Honor means building yourself to be capable of greatness. So that you can climb the heights, as a guide for others.
What are your thoughts? Do you agree or disagree that we need a code of honor for hackers? What do you think of these proposed values? Are there more you would add? What things matter to you? Please drop a comment; I will try hard to get to them. Or just reach out to me on twitter @zaeyx, I’m easy to reach there!