Hacking began in the 1970s and is defined as the “unauthorized intrusion into a computer system” . This definition includes both the practice of malicious hacking and ethical hacking. The difference lies in the hacker’s intent: if the purpose of hacking is just for the challenge, the thrill, and finding (and reporting) leaks in the security, but without stealing money or disseminating data, then that hacker is called a “white hat”, or an ethical hacker. Note that hacking for the thrill or challenge alone would not constitute ethical hacking in the absence of reporting. There is a grey area where someone is neither an ethical hacker nor a malicious one; they are what can be called a “grey hat”: morally ambiguous hackers that do not fully adhere to ethical hackers’ principles but whose actions are not fundamentally guided by malicious intentions [28, 33]. Instead, if the aim is the hacker’s financial gain and disruption, we are faced with a “black hat”, namely a malicious hacker. Nonetheless, it is not always so simple to differentiate and the same hacker can sometimes act in both ways or later “convert” to ethical hacking. Some argue that it is wrong to fit hackers into a moral binary, in which they are either heroes or villains .
Besides the difficulty of categorizing every hacker with certainty, there is the issue that even hacking “for the good” can be punishable. This causes many ethical hackers to avoid reporting vulnerabilities for fear of legal repercussionsFootnote 3 . It also contributes to hackers’ willingness to work in the shadows and consequently creates a distorted perception of hacking practices. Media coverage that portrays them in dark hoodies in dark rooms at night further contributes to this misconception. The term “hacker” itself presents negative and pejorative connotations, stigmatizing a widely varied group [28, 36]. In an effort to collaborate with ethical hackers (and to professionalize them as pen-testers, particularly in the healthcare sector), a first fundamental step is to acknowledge the prejudices and narratives surrounding their practice. A second step would entail recognizing the existence of different categories of hackers. Lastly, better understanding hacker ethics could address some controversies and concerns.
Considering hacker ethics is useful for better understanding ethical hackers and their values. Sooner or later, hackers are confronted with ethics. Even if hacking is not primarily an ethical issue, most hackers come to a point where they have to face some ethical questions, hence, there is a certain connection between hacking and ethics . Hacker ethics is a type of personal ethics, therefore every hacker has a unique understanding of its values. In fact, some claim that “there is no hacker ethics. Everyone has his own” . Despite the lack of unitary hacker ethics, the many hacker codes present numerous similarities [38, 39]. Indeed, they all somehow share liberalistic ideals. For example, they endorse open-source projects and are very privacy-aware. What differs is how they interpret and defend these ideals. This difference can be well-illustrated by the positive and the negative understanding of “freedom”.
In its positive connotation, freedom invokes free and open access to information with the pedagogical goal of equally allowing humans to educate themselves . What matters is to advance human knowledge, make sure that it is available to everyone, and encourage cooperation . From this perspective, mechanisms to privatize and monetize information and software constitute a barrier and are considered unethical . Copyright laws corrupt freedom since information is not ownable property. Sharing information would then be a moral imperative. However, this does not call for the elimination of all barriers: it is important to maintain and enforce privacy measures. This is a freedom that values learning, community, sharing, and equal opportunities. It aims to advance human knowledge and bridge the current information gap. For this reason, the focus is on the liberalization of knowledge and open-source software, rather than on the notion of privacy, although deemed extremely important.
The negative sense of freedom stands close to anarchistic ideals and can be intended as “freedom from everything”. It greatly values privacy and often leads to acts of civil disobedience to protect it . It is antagonistic to institutionalization and surveillance measures. The focus is on self-determination and non-interference of others. Its primary values are individual autonomy, self-reliance, and, of course, individual privacy. While positive freedom emphasizes community welfare, negative freedom is focused on individuality.
Hacker ethics is neither dichotomic nor unitary; it entails a different, and sometimes contradictory, understanding of values. However, as has been previously observed, there are commonalities and similarities. It is noteworthy that it revolves around two values: freedom and privacy. Although distinctively interpreted, they constitute the core of hacker ethics. Hackers’ actions often emanate from different interpretations of these two values. However, adherence to hacker ethics does not imply that their actions would be deemed morally good by society: some hackers may advocate their ethics by stealing confidential information and disseminating it.Footnote 4 Although black hat hackers’ actions are generally unquestionably unethical, with grey hat hackers the morality of some actions can be debatable (for example, grey hat hackers that report vulnerabilities often threaten the owner of the hacked system to publicly reveal it, hence enormously exposing the system to malicious hackers’ attacks, in case it will not be timely patched ). Therefore, for more safely employing pen-testers in healthcare cybersecurity, it is necessary to re-think hacker ethics, and in particular the understanding that ethical hackers have of it, as something else than just a personal ethics that is subject to an immense variety of strands and interpretations.
Pen-testers comply with a specific interpretation of hacker ethics, namely the one that includes and prioritizes respect for individuals’ privacy. This entails that pen-testers do not disseminate or leak data. They also do not intend to cause damage when hacking into systems, nor do they download, modify, or disseminate the data. Their intent is rather to find vulnerabilities and appropriately report them. Therefore, they work towards the establishment of a safer cyber environment. They are institutionalized (through regular employment contracts and certifications) and confine their activity within the law . It is true that pen-tests often resort to the same techniques and tools as malicious hackers, but the goal is always to conduct realistic simulations to efficiently bolster cybersecurity without disrupting the workflow . Following the present description of pen-testing practice, it seems possible to consider their ethical hackers’ ethics as a sort of professional ethics, beyond that of personal ethics. This would allow for a two-fold benefit: it would be possible (and recommended) to draft an international code of ethics that can less arbitrarily define and describe moral principles, standards, expectations, and best practices; also as a consequence, it would facilitate the regulation of their practice and allow punitive measures when said code is disrespected. When professionals disregard their code of ethics they lose the right to practice. Equally, when pen-testers are intentionally violating privacy norms by, for example, breaching data or damaging infrastructures, they could be excluded from the cybersecurity field. This can be enforced with pen-testers as they are regularly employed, and controlling and sanctioning their behaviour can be simpler than with ethical hackers in general. However, as of now, there is no official ethics of conduct for pen-testers. At a professional level, the absence of an ethical code is surprising. A similar code would be a great advantage for further promoting the service of pen-testing, particularly in sensitive sectors such as healthcare. Following the present conceptualization of hacker ethics, it seems possible to consider the employment of ethical hackers as pen-testers in healthcare cybersecurity, with the recommendation of establishing an official code of ethics for their practice.