A Black Hat Education?

by Dr Guy Bunker.

We have been writing about the need for improved education in the cyber-security arena for a long time now, as there is an evident shortage of the skills that organisations need to improve their cyber-security. Getting more people trained in the necessary specialist skills is obviously a step in the right direction, but it will take time - and then there is the potential issue of there eventually being too many candidates, with everyone fighting over too few jobs. Another, more sinister, potential issue is that some may use their new-found cyber skills for ‘ulterior motives’, ‘turn to the dark side’ and put on a black hat.

The colour of the ‘hat’ is the way we refer to an individual’s ethics in the field, and is usually coupled with the term ‘hacker’ for good measure. So ‘white hat’ hackers are the good guys (and girls) who pretend they are ‘black hats’ in order to test the security of an organization, to find the holes in its security and block them before a ‘black hat’ finds them and causes damage. The trouble is that the skills and tools used by the ‘white hats’ are also those used by the ‘black hats’. So, if you train up a ‘white hat’, the same skills transfer easily and readily to being a ‘black hat’. Fortunately, the number of ‘black hats’ that make good money out of cyber-crime is not that great, and a ‘real’ job is easier – in all ways. Collecting a pay-cheque is easier than extortion and won’t result in going to jail!

However, the tools required for running a cyber-attack are now readily available; hackers even offer ‘how-to’ YouTube video guides - and while you won’t necessarily get rich quick, the option to cause real and potential damage is there.

If we create the next generation of cyber-security experts, and there then becomes a glut of them, where will they turn? An unemployed history graduate seems benign compared to an unemployed white hat graduate and, without sounding too much like the Harry Potter sorting hat (!), the point is that the skills used in illegal hacking are the same ones used by cyber-security experts testing the cyber-security readiness of a company’s infrastructure.

Oh, and just for the record, there are grey hats as well... these are the black hats that then turned white. There are often stories in the press of well-known hackers who have then been employed by well-known companies as a means to improve their security, such as Facebook’s George Hotz. In the short term, amidst the skills shortage, there’s certainly the option of luring the dark hats to become white hats – it just depends on whether you want to take the risk!