The Case Against Certified Ethical Hacking

by aestetix

Certifications (certs) have been around for a long time.

There are real benefits to them: whereas a traditional college degree in a field like computer science gives us four (or five) years of intensive education which we slowly forget and which can become outdated, certifications encourage us to keep up to date on technology and provide employers with a more accurate way to gauge aptitude.

There is a downside, though, especially when people obtain a cert and then assume they know technology better than people without a cert.  The comic Dilbert captured this well in an old strip from October of 2000 in which a certification "superhero" proudly summons the "vast powers of certification," and then realizes he can't remember anything else from the classes.

A more dangerous issue with certifications has arisen in recent years, beginning with the Certified Information Systems Security Professional (CISSP), and now moving to full force with the Certified Ethical Hacker (CEH) certification.

People who have achieved their CISSP will frequently tell us that they have had to "reform" their hacker ways, or that they had to stop using a handle as part of the guidelines of the cert.  But the CEH takes this a step further, establishing a rather long Code of Ethics (www.eccouncil.org/code-of-ethics) which every individual who earns a CEH is required to swear an oath to uphold.

For anyone who adheres to the original "Hacker Ethic" as described by Steven Levy in his book Hackers, several demands from the CEH Code of Ethics are very problematic.

To start with: item 16 of the Code states that one must vow "Not to take part in any black hat activity or be associated with any black hat community that serves to endanger networks."  If we define "black hat activity" as illegal activity - although CEH does not - the first part of this seems reasonable enough.  The second part raises some questions though.  What is a "black hat community?"

What if we are in a community where some of the members download illegal copies of episodes of Game of Thrones?  Is this enough to warrant a violation?  And beyond that, what if we are in a group where some people do "black hat" things, but we ourselves do not?  Is it really fair to punish someone for the crimes of someone else, simply due to association?

It gets even worse with item 17, which demands us "Not to be part of any underground hacking community for purposes of preaching and expanding black hat activities."

What do "preaching and expanding" mean?  What if we're in an IRC channel where some people do illegal things, and we have discussions with them?  Are we required to cut off ties with people?  And who decides what constitutes "black hat?"  What if we encourage civil disobedience, pushing to purposefully break a bad law in order to enact a greater good?  Is this grounds for a Code violation?  I now wonder if the hackers who devised Stuxnet, the worm that infected Iran's nuclear centrifuges, would be in violation of the Code, even though they were reportedly carrying out orders from the President.

The last item we need to visit is a bit more controversial, but nonetheless important.  Item 19 states that we should not be "convicted in any felony" nor should we have "violated any law of the land."

This rule is simply too sweeping.  What if we are a convicted felon for something unrelated to computers?  And more important, what if we are a convicted felon, but have served our time, and want to reintegrate into society?  If someone has done something wrong in the past and wants to redeem themselves, isn't agreeing to follow a set of ethics precisely what they should do?  Why create a requirement that eliminates the very people who might want to use this certification to achieve that goal?

That's just the Code itself.

And, while I think it is poorly thought out, the enforcement of it is even worse.

The EC-Council, which provides this cert, has a procedure to report "violations" of the Code, found at: cert.eccouncil.org/report-violation.html

The form amounts to filling out a police report, using the Code, and including the items we just reviewed as a pseudo-legal system.  Anyone can fill out this form and report someone.  It is in a sense creating a secret police, because anyone who doesn't like us can figure out an interpretation of the Code that will make us look bad.

The result is that we could lose our certification.  Of course, the EC-Council will likely assure us that these things would never happen and we're reading too much into their words.  But then I must ask: what is the point of having a Code to which they force people to swear an oath if they do not plan to enforce it?

And it's not just that.

More and more security and technology jobs these days have "CEH certification" as a job requirement, partly because it's a nice sounding term that HR can use to filter out resumes.

So what happens when someone sees us download Game of Thrones, decides that this violates item 16, and reports us?  If the EC-Council Tribunal takes up our case and decides against us, not only could we lose our certification, we could also lose our job and livelihood.  And because this is becoming a standard with many companies, this amounts to being blacklisted from getting another tech job, unless the EC-Council Tribunal, in its good graces, grants us some form of clemency.

Adding insult to injury, the use of the word "ethic" within the CEH Code is completely removed from any traditional definition.  When we study ethics in school, we might have a class on Aristotle, or explore exercises like the Trolley Problem and learn that sometimes there is no good way out of a situation.

With the CEH Code, all of the items reinforce a notion that mindless obedience to corporations and governments is good, which betrays both the Hacker Ethic as well as a true exploration of the word "ethic."

In truth, the CEH certification is a scheme that is used to trap people who are interested in working in tech into a situation that binds and controls not only what they do outside of work, but even the people with whom they associate.

To paraphrase George Orwell, Big Brother is Certifying You.
