
When a massive vulnerability in the Log4j logging library was discovered in December 2021, both security researchers and cybercriminals rushed to exploit it using near-identical code. What separated them wasn't skill or methods, but authorization.
In December 2021, a security researcher disclosed a critical vulnerability in the Log4j logging library (Log4Shell, tracked as CVE-2021-44228), a component embedded in hundreds of millions of devices and applications. Within hours of a working exploit becoming public, cybercriminals were already taking advantage of it. Within days, security teams were running the same exploit against their own systems to find out whether they were at risk.
The “good” and “bad” sides of the cybersecurity landscape were running near-identical code on near-identical infrastructure. The only thing that really separated them, whether legally or morally, was authorization.
Ethical hacking, or “penetration testing,” as those in the game prefer it to be called, relies on the same techniques that would otherwise constitute a crime, but because they’re used with the permission of the owner of the system, practitioners stay on the right side of the law.
One of the field’s best-known credentials, the EC-Council’s Certified Ethical Hacker certification, defines ethical hacking as “the practice of employing hacking skills with the knowledge and permission of the owner of the target system.” The word “permission” carries enormous legal and ethical weight.
The legal landscape
In the United States, the field is governed by the Computer Fraud and Abuse Act (CFAA) of 1986, a law drafted before the World Wide Web existed and long before the internet took the form we know today. The CFAA prohibits access “without authorization” and access that “exceeds authorized access,” but it never defines what authorization actually means. For decades, many courts read those terms expansively, which brought decidedly mild conduct within the statute’s reach, such as accessing data one was technically permitted to view but for a purpose the owner would not have sanctioned.
In 2021, the Supreme Court narrowed that reading considerably in Van Buren v. United States, holding that “exceeding authorized access” does not cover using data one is legitimately entitled to access for an improper purpose. By then, Aaron Swartz, the programmer and activist charged under the CFAA for bulk-downloading academic articles via MIT’s network, had become the most prominent symbol of prosecutorial overreach; he died in 2013 while the charges were still pending. His case remains a cautionary tale in security circles.
The binary of “authorized” versus “unauthorized” quickly dissolves under scrutiny. Bug bounty programs, for instance, explicitly invite outside hackers to test corporate systems for vulnerabilities, but the invitation comes with rules of engagement that define the permitted scope, and anyone who strays outside them is exposed to legal liability even when acting in good faith. Authorization is granted for particular systems, techniques and purposes, not in general. This is exactly what happened in 2021, when a security researcher was detained after reporting a flaw in the Omnibus system. The line between hero and villain is a fuzzy one indeed.
Added complexity
The picture is muddied further when nation-states get involved. When intelligence-agency employees break into systems, conduct that would be a clear criminal offence in any other context is treated as acceptable in the name of national security. Leaked documents showed the NSA’s Tailored Access Operations (TAO) unit using much the same tooling and tradecraft as criminal hackers, but under a kind of political and legal cover that civilians do not enjoy.
There have been attempts to reduce this ambiguity, not least through clear ethical and professional frameworks. Both the EC-Council and the SANS Institute bake codes of ethics into their certifications, and the Forum of Incident Response and Security Teams (FIRST) publishes global guidelines for coordinated vulnerability disclosure.
There is also “coordinated disclosure,” in which researchers give vendors a clearly defined window, typically 90 days, to fix a vulnerability before the details are made public. The practice became the norm in large part because of Google’s Project Zero, announced in 2014, which adopted a 90-day deadline as its default policy.
Lack of legal clout
These frameworks are undoubtedly useful, but none of them is legally binding. A researcher can follow every professional norm and still face prosecution if a system owner argues that the intrusion was unwelcome. In the US, the Department of Justice’s 2022 charging policy instructs prosecutors not to pursue good-faith security research under the CFAA, but that is internal guidance rather than law: it can be revised at any time and offers no protection against civil suits or state charges. The uncertainty adds real risk to every legitimate researcher probing systems for vulnerabilities that criminals would have no qualms about exploiting.
The fine line between cybercrime and ethical hacking is largely a legal construct built on top of moral intuition. The same act can be legitimate or illegitimate, with the distinction resting on consent and purpose. The intuition itself is sound, but the legal frameworks that enforce it were written in a different technological era and have not kept pace with a profession that employs hundreds of thousands of people and serves as the first line of defence for critical infrastructure around the world. Until the law catches up, security researchers will continue to operate in a gray zone that serves no one particularly well.