EI-ISAC Cybersecurity Spotlight – Black, Gray, & White Hat Hackers
What it is
The term “hacking” is most commonly used in reference to illegal, malicious, or illicit cyber activity. However, within the information security community, the term does not always have a negative connotation and not all hacking is considered inherently bad. The term originated with individuals who liked to tinker with systems and electronics and is still associated with that community. In information security, those who belong to that community, as well as those who attempt to gain illegal or malicious access to systems, are all “hackers.”
These individuals use their technical curiosity and expertise with computers and networks to bypass security mechanisms, identify vulnerabilities, develop exploits, and gain or leverage insider knowledge to access systems, networks, or data belonging to others. When not previously authorized by targeted parties, hacking activity may be illegal under sections of the U.S. Computer Fraud and Abuse Act (CFAA) or under varying laws in other countries. The line between legal and illegal hacking varies greatly among different countries.
In information security, hackers are commonly divided into one of three types:
- Black hats – malicious hackers whose primary motivation is collective, personal, or financial gain. These hackers may be amateurs, professional criminals, or nation-state or terrorist supported. Occasionally, they may also be insiders, employed, formerly employed, or affiliated with the victim. Black hats are generally associated with malware, data breaches, intrusions, or destroying victim computers, devices, or networks.
- Gray hats – security researchers, corporations, or hobbyists who walk the line between ethical and illegal hacking. Gray hats may identify vulnerabilities in systems without the permission of the system owner but report the information to the owner instead of exploiting it or selling it on the black market. However, they may also request a fee for reporting the vulnerability or publicly disclose the information if the entity does not fix the problem fast enough to satisfy the gray hat. Though not inherently malicious in most instances, gray hat hacking can be illegal.
- White hats – ethical hackers whose motivation is to identify security vulnerabilities and exploits, and then responsibly disclose them to a manufacturer or client organization. White hats may be hired as employees, contracted security researchers, or hobbyists. They generally conduct penetration and vulnerability testing, security audits, or participate in corporate bug bounty programs.
Note: In some instances, an individual may not fall into a single category. Some professional white hat hackers may engage in gray hat activity after hours. Additionally, several former black hat hackers have become prominent experts in the white hat community.
Why does it matter
Understanding the three types of hackers can provide election officials with the context on how to approach reporting of vulnerabilities and malicious attacks against their organization. This can assist in responding to and accurately communicating security issues to stakeholders, citizens, and the media. Election offices may be contacted by white or gray hat hackers seeking to report a vulnerability and should be aware that their motivation or intention is not necessarily malicious or antagonistic.
Many government organizations and private companies seek to capitalize on white hat expertise through initiatives like bug bounty programs and responsible disclosure policies. In bug bounty programs, organizations like the Pentagon, U.S. Army, Google, and Microsoft allow white hat security researchers to legally search for, identify, and report security vulnerabilities for compensation or public recognition. Bug bounty programs also seek to counter the financial incentive for individuals to act as gray or black hat hackers. Responsible disclosure policies seek to provide security researchers with transparent guidelines to ethically and privately report vulnerabilities for patching before they are made public. These programs are designed to identify and remediate existing vulnerabilities, which reduces the overall threat against the organization and services they offer.
What you can do
Election offices should consider how they can leverage the hacker community to improve their understanding of the threats facing election infrastructure and as part of a layered security approach. Consider partnering with reputable providers of white hat hacking services to identify and remediate vulnerabilities in election systems and networks. States and mature local information technology organizations should also consider implementing a responsible disclosure policy. Lastly, election offices should take advantage of the many white hat services, including vulnerability assessments, phishing exercises, penetration testing offered by the EI-ISAC, U.S. DHS, and other partners. Depending on the provider, these assessments can be scheduled at varying intervals, and as a best practice should be conducted at least monthly and immediately following any major changes in systems or networks.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.