The Very Fine Line Between Hacking and Whistleblowing

Generally agreed: Hacking is an illegal criminal activity whereby criminals use a computer to gain unauthorized access to data in a system.

Generally agreed: Whistleblowing is a legal activity that constitutes exposing any kind of information or activity that is deemed illegal, unethical or constitutes a risk to individuals or the general public.However, if the whistleblowers are hacking in order to expose the illegal or unethical activity, does it make the act of hacking more acceptable to our society as it rides on the back of “the greater good”. As in true Robin Hood style, stealing from the rich in order to give to the poor is OK. But is it? Isn’t it a case of legal double standards?

Personal gain vs. public good

In 2015, a prominent UK pub chain, JD Wetherspoons, was yet another victim of a cyber attack resulting in the theft of around 657,000 personal customer details. The information stolen included names, dates of birth, email addresses and mobile phone numbers. This was a substantial invasion of privacy for their customers; it also caused brand damage and was a costly situation for Wetherspoons to rectify. What made it worse for Wetherspoons was that data was offered for sale on the darkweb without their knowledge for approximately six months until it was discovered by Cyberint.

Rationale for the hack? More than likely personal financial gain.

In the infamous Edward Snowden case, this former National Security Agency (NSA) contractor, leaked sensitive documents to the media in order to reveal the full extent of public surveillance by the US NSA and its international partners. The leak included information that NSA had access to Americans’ Google and Yahoo accounts through a program called PRISM, and revealed details of Tempora, a British black-ops surveillance program run by the NSA’s British partner, the Government Communications Headquarters (GCHQ).

Rationale for the whistleblowing? According to Snowden: “All I wanted was for the public to be able to have a say in how they are governed.” His punishment? Living in exile and presumably in Russia, for now.

Is the public good a sufficient reason?

As it stands, whistleblowing is hacking with a moral agenda. Hackers believe that they are accessing and releasing otherwise confidential information for the ‘greater good’ of society, and this justifies breaching numerous security systems and networks.

‘Hacktivist’ groups, such as Anonymous, have been growing and holding businesses to ransom, threatening them with the release of sensitive data. This takes us to the Ashley Madison hack in 2015. Ashley Madison is a commercial website that provides a platform for people to meet for the purpose of extramarital affairs. A group of hacktivists, called ‘The Impact Team’, were morally opposed to the purpose of this business. So they gained access to the company servers and copied personal information about the site’s users and threatened to release it unless the site was shut down. Ashley Maddison refused and so the details of 30 million users were released.

While whistleblowing may seem like a moral course of action, it is not actually that simple. In all cases of whistleblowing, it is arguable whether the consequences of making confidential information public are worthwhile. Edward Snowden believed his actions were morally correct, but he did make highly sensitive information available to the general public – including enemies of the state and terrorist groups around the world. With Ashley Madison, the line also blurs as it wasn’t a matter of national importance or even considered illegal to have an extra-marital affair.

Another interesting and less high profile case is that of an Anonymous hacktivist, Deric Lostutter, who stands to go to jail for exposing a rape case. In order to do that he hacked into the computers of Steubenville high school football team. Absurdly, if found guilty, he will be incarcerated for his ‘crime’ for a longer period than the rapists themselves.

Anonymous now claim that the police are creating ‘Fake Facebook Accounts to Monitor You’ and even offer methods of identifying fraudulent accounts. While this is an invasion of privacy, the gains of using this as an effective policing tool are also pretty clear. Through employing analytical policing software and monitoring these fictitious accounts, police are able to identify high-risk areas or individuals, pre-empt incidents and track down criminals. If fake Facebook accounts help police prevent the next Paris or Belgium airport massacres, isn’t this a worthwhile cause?

This begs the question, was it right for Anonymous to bring this practice to the surface as it directly affects local and national security and could help criminal enterprises prosper.

Protecting your company from a hackers and whistleblowers

There are many levels and severities of a hack, and this expands further when you consider how whistleblowers gain their information. Snowden’s ‘hack’ largely consisted of (illegally) copying documents he already had access to, but didn’t have authorization to distribute. He is not alone.  A staggering 50% of cybersecurity incidents are caused by employees – though most are carried out accidentally. They are the weakest link in the cybersecurity chain, and must be trained about cyber hygiene to ensure minimal risk to the organization. Many other hacks, including the Ashley Madison and JD Wetherspoons hack are much more complex and involve targeting vulnerabilities within a system to gain access to seemingly secure data.

Whatever your position on the argument of hacking and whistleblowing for the good or bad, there’s no doubt that organizations should be making it incredibly difficult for hackers to access the data for personal or public gain.

While it is impossible to create a bulletproof network, it is crucial to define which parts of it you consider to be your “crown jewels” and focus most of your cyber protection efforts on protecting them. Taking a more proactive approach to improving cyber posture is essential and there are a number of platforms that can help detect business’ weaknesses by simulating scenarios hackers would be likely to pursue in the event of a targeted attack.