So I’m starting to get a little concerned over our educational institution’s paranoia around teaching ethical hacking skills to information security students. To start I ran a search to find universities or colleges that offer an ethical hacking course as part of a degree program and was quite surprised to see that USC, John Hopkins, and The University of Colorado at Boulder offer this just to name a few. But as I expanded my search I came across a presentation written by Gail Finley, who was a faculty member at Hampton University in 2009, that was titled “Just Say No to Teaching Ethical Hacking”, link is here . Interested in the title and always willing to read something for a laugh I opened the presentation. Dispensing with the junk in the front of the presentation I finally got to the meat of the argument of why we should not teach this class to students in a university or college setting.
Of the 3 reasons presented I could only partially agree with one of them. I agree it is a liability if the university or college supplies the tools and systems to use in a lab environment and is unable to sufficiently lock these systems down so they couldn’t be used to attack other networks on the internet. I agree as long as Gail could tell me if they prohibited the installation of 3rd party applications on all school systems which had an internet connection. If she couldn’t then why would it matter…don’t want me running nmap in a lab environment, well I’ll just go install it somewhere else and run it. Or, Gail, did the university disallow students from “plugging in” their laptops and netbooks? If not then this point doesn’t hold up.
Now on to the 2 reasons I actually disagree with. First, Gail mentioned a concern about teaching a “dangerous skill” to students who may be unable to make the correct ethical or moral decisions on how to use their newly acquired skill. Isn’t that true at any age? She mentioned that “some may consider hacking as a prank”… again, that is as true for a self-taught 12 year old as it is for a person in their 80’s today. I’m not sure why age matters given the range of ages of the students attending college today. In fact, I’d say their moral compass is far more likely to be “developed” than say a high school student’s just based on life experience. Then again, I was an engineering major and received a B- in psych so what do I know?
Second, and related to the “dangerous skill”, is a concern that “some students have a background that would make them unsuitable for such a class”. Really, is the student population heavy on ex-con hackers trying to live a reformed life? Could it be a comment related to the ethnic mix at an inner-city university? Who knows? Only Gail knows. My sense is that Gail is trying to say some of the students, although good students, are predisposed to a life of crime and this would only act as an enabler. To that I would answer the same as above…if you don’t teach them and they want to learn they will teach themselves. Some of the best people in the field of pen testing and ethical hacking don’t go to or haven’t graduated college. Point being, if you want to use this skill to commit crimes you’d be better off skipping the high tuition of a university course and teaching yourself. When I started in this game there was one book “Hacking Exposed Volume One” and a bunch of IRC channels where you could learn. Add Google and 10 years and you can teach yourself anything, including ethical hacking or basket weaving if you so choose.
Now a few years have passed since Gail wrote and gave this presentation, and I’m wondering if she still feels the same. She didn’t have the opportunity to witness the lulz of LulzSec…BTW Gail, how many of the people associated with LulzSec do you think learned their skills in a college course? You could always answer “none, because we won’t teach them” which would make me laugh.
So to my question in the title, can we ethically teach ethical hacking? Yes. Part of teaching a course like this entails instilling a sense of ethics and responsibility in the students. If you read any “ethical hacking” book flip to the first chapter…no the one after the one about the certification test…there. It is probably something on ethics and a brief intro to the laws related to computer crimes. I’m not saying this stops someone from committing crimes once they know how to use certain tools…but I can also tell you that there is no way one or two college courses could condense and convey the knowledge required to be a hacker of the skill level required to start your own underground cybercrime ring. My view is that the student is going to use their skill for good, or evil, or something in between. In the end that isn’t up to us…and all we can do is hope. And I honestly do believe that we are doing a disservice to our industry if we can’t, and don’t, teach people this offensive skill. Some of the most well defended networks I’ve come across were designed by folks who truly understand offense as much as defense. And if I had one message to the institutions of higher education…get over it and start teaching your students the skills that make them valuable and worry less about teaching the “wrong” students.