Although the predominant opinion expressed by governments and mainstream press regarding hacking is one of disapproval and unsubstantiated fear, the truth is that hacking may be deployed ethically or unethically depending on the situation, and in fact, hacking into a website or database is entirely justifiable in certain contexts. In order to see why this is the case as well as understand the complex role of corporations and CEOs in responding to hacking attempts, it will be useful to examine a variety of instances in which corporations have been hacked or otherwise had their data or systems compromised. By looking at the recent hacks of the security firm HBGary, the search engine giant Google, and the collection of blogs run by Gawker Media, it will become clear that not only do corporations have a social responsibility to protect their customers and clients from hacking attempts, but that hacking into a corporation or government's website or systems may be entirely justifiable given the realities of the contemporary information landscape.
As Palmer (2001) notes, with the rise of the internet and the massive stores of data connected to it, "organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems," which is essentially "similar to having independent auditors come into an organization to verify its bookkeeping records" (Palmer, p. 770). This kind of "ethical hacking" is somewhat different from the hacking under discussion here, because it clearly falls into the category of acceptable behavior and as such does not really require the qualifier "ethical." Instead, this essay will examine acts of hacking that, while possibly illegal or frowned upon, may nonetheless be described as ethical due to the specific context of the hack. The most readily apparent example of this justifiable hacking of a corporation is the recent hacking of security firm HBGary by the loose collection of hackers and activists known as Anonymous. HBGary had been compiling information on Anonymous members, Wikileaks supporters, and the journalist Glenn Greenwald after having been hired by Bank of America in an attempt to disrupt both Wikileaks and its supporters after rumors appeared that the transparency advocacy group was in possession of a hard drive containing evidence of criminal wrongdoing at Bank of America (Bright, 2011). HBGary "offers expertise in implementing intrusion detection systems and secure networking, and performs vulnerability assessment and penetration testing of systems and software" for "a variety of three letter agencies, including the NSA," performing the kind of "ethical hacking" discussed by Palmer. In addition, however, the company has a history of ominously targeting individuals and critics, and for this reason Anonymous set its sights on the company.
As Ars Technica reports, just as "HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-coordinating the group's actions," HBGary had its "servers […] broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced" (Bright 2011). It is worth pointing out explicitly that ethical behavior is not always the same as legal behavior, because while at least some of Anonymous' actions were likely illegal, the collective's actions were entirely justifiable in light of HBGary's disturbingly authoritarian behavior, especially their targeting of Glenn Greenwald and Wikileaks supporters. Anonymous' actions can be seen as ethical resistance to a clearly destructive and dishonest corporation, and the monetary damages and loss of clients HBGary experienced as a result should be celebrated just as much as the ouster of a corrupt politician, because the only way to effectively combat unethical corporations is by damaging their bottom line (especially because America's representative democracy has largely been transformed into a corporate oligarchy).
The flip side of the scenario described above is theoretically ethical hacking conducted by a corporation. While the above example may seem to indicate that there could never be an instance in which a corporation could justify hacking, in reality, there are entirely justifiable instances of corporate hacking, because the question does not depend on the action, but rather the target. HBGary's behavior was the powerful attacking the (relatively) powerless, but if, for example, a foreign government were attempting to compromise a corporation's systems, that corporation would be entirely justified in organizing some kind of counter-attack or preemptive hacking operation.
In fact, the first half of this hypothetical occurred last year, when the Chinese government "coordinated the recent intrusions of Google systems" in an attempt to censor negative comments regarding a member of the politburo ("China leadership 'orchestrated Google hacking," BBC, 2011). This came after Google pulled out of China in protest of the country's censorship regime, and according to diplomatic sources, "the action against Google was '100% political'" (BBC 2011). Although there is no evidence to suggest that Google orchestrated any kind of retaliation, the company would be justified in doing so (although again, this is not to say that it would be legal, or that it would not result in an escalation of attacks such that it created an international incident beyond the original event). Although Google itself is not a computer security firm, the example demonstrates at least one instance in which hacking could be allowed or even encouraged beyond what Palmer terms "ethical hacking," which is actually more like "surprise internal auditing." Corporations most likely to encourage the more ethically-gray hacking under discussion here would likely be in the computer security industry, and would have a vested interest in being able to justify intruding into external systems.
A corporate ethics statement for a hypothetical computer security firm that allows or even encourages hacking of external targets might go as follows: "Super Secure International understands the security concerns of our clients and customers in an increasingly insecure digital world, and enacts policies to ensure that not only is your data secure but that any attempts to steal, destroy, or otherwise contaminate this data are met with swift and effective countermeasures, ensuring that anyone who attacks you once won't be able to do it again." (Granted, this statement does not provide the kind of robust argument that one might desire in a discussion of actual ethics, but should suffice for the oxymoronic phenomena that is the "corporate ethics statement.")
When corporations do suffer from unwanted intrusions into their systems, they have a social responsibility to notify their customers, clients, or users and take immediate steps to rectify the situation. Such was the case in December, when Gawker Media's commenting system was hacked by the group Gnosis, resulting the in the compromise of thousands of user passwords and e-mail accounts. Gawker Media attempted to disseminate helpful information to its users following the attack while noting that "you may be angry and upset about what has happened. You have a right to be." Furthermore, the management at Gawker Media admitted that "we're upset, too, and deeply embarrassed about the breach. Rest assured that we're doing what we can to both fix what's happened and ensure that it doesn't happen again in the future" (Stern 2010). However, this mea culpa does not make up for the fact that the Gnosis hack was made possible by the initial arrogance and hubris of Gawker Media' management, who employed faulty password and security systems even after being informed of their flaws.
While Gawker Media' response demonstrates a generally positive response to a security breach, CEOs have a difficult task in deciding how to respond to such breaches, because they must balance customer and client's right to know when their data is compromised with stockholder's interest in keeping bad publicity to a minimum. Thus, while the ethical CEO should notify the public immediately following any breach, the profit-minded CEO would do better to keep it quiet until all the problems have been worked out, so the breach might be spun as an example of the corporation solving a problem rather than becoming a victim. In addition, different industries require different responses. Where Gawker Media was able to apologize and move on, the HBGary hack was a devastating blow, especially because the hack was made possible by a bug in the company's content management system, something which would have been caught had "HBGary conducted any kind of vulnerability assessment of the software -- which is, after all, one of the services the company offers" (Bright 2011). Thus, the CEO of a company that has been the victim of an unauthorized hack must consider a number of factors before responding, all the while aware that the more time which passes between identifying the intrusion and notifying the public will increase the appearance of incompetence or complicity.
To see how a company might respond to a security breach, consider the following hypothetical e-mail script to be sent to AT&T customers in light of the security flaw which allowed members of 4 chan to access thousands of Apple iPad…