The recent accusation that a prominent information security training company in India was responsible for releasing malware into the wild, malware that was then used for Cyber Espionage against Telenor and for attacking Pakistani and Chinese web assets, has raised a question of ethics for all security trainers.
Naavi.org has for years been advocating that the training of ethical hackers should be properly regulated, since the skills acquired by people during these training programs can be used for committing crimes.
Recently the Government of India announced that India needs 4.7 lakh security experts. This has obviously created an opportunity for many unscrupulous IT training companies to start what they call an “Ethical Hacking Course”. APPIN itself has created many franchisees and is trying to provide training to hundreds of persons across the country.
Who are the persons who will undertake the training, and what will they do afterwards? These are areas of concern for society.
If these training companies are not strictly regulated, there will be lakhs of young trained hackers ready to test their skills in the open market. During these training programs, trainees also receive a “Hacking Kit” and information about online resources. Such programs can become dangerous terrorist training camps in the digital world.
It is the responsibility of IN CERT to immediately take stock of the activities of these companies and put a hold on their activities until a proper system of regulation is evolved.
There is no doubt that we need information security professionals. But we do not need “hackers”. The very use of the term “hacker” signals to the trainee a status different from that of a “Security Professional”. Just as the use of the word “Bank” is banned for any organization other than a licensed banking institution, the use of the words “Hacking” or “Ethical Hacking” should be banned in India.
Also, all companies engaged in information security training, other than registered educational institutions such as engineering and law colleges whose curriculum is controlled by regulators such as the AICTE or the Bar Council, should be subject to the scrutiny of IN CERT. If a licensing system is required for this purpose, it should be designed.
All persons enrolled in such programs should submit proper ID documents, and the details should be kept in a central database accessible to the public, who can then report any adverse activity of a person. Such a list should also be available to companies for employee background checks. IN CERT should periodically audit such educational organizations and record its observations. Sample background checks should be done on the candidates.
Once trained and certified, the trainees should submit themselves to lifetime surveillance of their activities by IN CERT. Their employment movements, financial returns and IT activities should all be voluntarily submitted for surveillance by the State.
If any organization or individual does not enter into an appropriate contractual agreement to be monitored (like a person on parole), they should not be allowed to run such courses or take such training.
I am sure that many of my friends in the security profession may express strong dissent against such a move, which appears “Draconian”. I agree that it is draconian. But the consequences of letting loose lakhs of trained hackers into a field already reeling under the growing threat of Cyber crimes would be disastrous. It will eventually destroy the Internet and convert it into a Cyber Crime Paradise.
If for this purpose we need to enact a separate law such as a “Cyber Security Regulation Act”, on the lines of banking regulation, and give the powers of regulation to, say, the newly formed National Cyber Security Council, that can be considered.
If the private sector information security education industry wants to counter this suggestion, then it needs to form a similar “Cyber Security Education Regulatory Forum” as a private sector initiative. This should not be left to either NASSCOM or DSCI. It should be more like TRAI, and headed by a person outside the corporate influence that is reflected in NASSCOM and DSCI.
If APPIN is an affected party in the current controversy, it can consider taking the lead in forming such a forum, without putting itself in a position where it can be accused of influencing the activities of such an academic body.
I see a parallel between this proposal and the need for the BCCI to set up an independent committee (uninfluenced by BCCI cronies such as Atul Wassan) to monitor betting in the IPL.
On many occasions I have suggested the formation of a “Netizen Protection Forum” as a Netizen initiative and a “Netizen Protection Commission” as a regulatory structure. The same commission can also undertake the responsibility of regulating ethical hacking training.
Comments are welcome.