White hat hackers – carrot or stick?

Hacking, like selfies and beards, is all the rage nowadays. You can’t go five minutes without a major corporation announcing a data breach, usually perpetrated by an inanely named criminal group.

The best PR response to a malicious hack is actually pretty straightforward – get out in front of the story, be transparent, beg forgiveness and announce a suitably logical and robust change in procedure or security. Such is the regularity of hacking that the public is becoming increasingly desensitised to data breaches.

The situation becomes altogether more complicated when ‘white hat’ hackers get involved. White hats, unlike their decidedly more sinister black-hatted counterparts, hack to expose security or design flaws that could harm the public. In this scenario, the business has to make a difficult choice. Does it reward the white hat hacker and risk more ‘attacks’, does it seek to hush everything up, or does it go after the hacker to deter copycats?

These choices are not as clear cut as they initially appear. First, the white hat might not actually be whiter than white. He or she could have a dodgy track record and their hack may have initially had more of a criminal or selfish intention. The impact of their work could also be devastating, exposing a flaw so severe that it risks fatally damaging a business.

The public’s response is also much more unpredictable, especially in the case of ‘faux’ white hat attacks – where the hackers ostensibly argue from a moral position but are really after cash or publicity, e.g. Ashley Madison.

Recent white hat attacks have elicited a variety of responses with a range of results. Cisco notoriously tried to hush up a white hat who found a way to hijack Cisco’s internet routers by threatening legal action. Volkswagen allegedly sued three computer scientists to bury news that there was a huge security flaw in its car key fobs.

On the other hand, United Airlines rewarded a hacker with millions of air miles after he uncovered security gaps. Meanwhile, Chrysler announced a massive recall after hackers working for Wired remotely hijacked a Jeep (with terrifying consequences).

Seeking to bury the security breach or acting aggressively against a hacker to silence them has repeatedly been shown to be a fool’s errand. Although it can be initially successful, the truth will inevitably come out, and the damage to a company’s reputation will be magnified by the attempted cover-up.

Rewarding a hacker is also a risky tactic. Although it can draw attention away from the initial breach and create some goodwill, there is also a risk that it comes across as cynical, especially if the breach is sufficiently serious. If a company goes down the reward road, it needs to make sure that it has done sufficient due diligence on who the hacker is. Giving money to a Russian criminal gang isn’t a smart move.

Similarly, firing an employee who reveals a breach should be avoided – it comes across as sour grapes.

In my view, the best approach is to treat an ethical hacker as you would an investigative journalist. Engage with them before they release their results by answering questions and showing how you will solve the problem. In an ideal scenario, you can work with the hacker to fix the breach before it is revealed. Of course, like journalists, not all hackers will play ball. Nevertheless, focusing on showing how the problem will be solved and what the company has learnt rather than wasting time attacking the hacker makes much more sense.

As is often said, ‘sunshine is the best antiseptic’, and these hacking ‘events’, if handled properly, can have a silver lining for businesses by leading to improvements in product design and security.

This article first appeared in PR Week.

All rights reserved Salient.