The Ethics of Teaching Hacking
Disclaimer: The ideas below are my own and may not reflect those of my employer.
Introduction
Before we begin, I want to reiterate the above the disclaimer. I prepend this disclaimer to every post, but I want to make it especially clear that the views I am expressing today reflect only my own beliefs. Further, the moral positions taken in this post are about me as an individual, and not necessarily as part of an organization or community.
Perhaps the most frequent question/objection I get asked when I tell people what I do goes something like this: "How can you possibly justify teaching hacking in terms of ethics or morality? In teaching people how to get access to devices and information that does not belong to them, are you not adding more danger to the planet? Can you truly claim to be helping the world to become more secure? Or is it possible that you are just enabling bad actors with bad intentions?"
This is an extremely important question, and we would do well as a security community to consider it carefully and seriously. When speaking with non-security or non-technical folk, I try to answer this by analogy. Like all analogies, it isn't perfect, but I think it does provide an intuition and a framework for thinking about this topic more clearly.
It will come to no surprise to my readers that this analogy will be about combat sports. We teach many people - including children - how to defend themselves via boxing, martial arts, and wrestling all over the world. One might reasonably make a similar critique to the one voiced above: "How can you possibly justify teaching kickboxing in terms of ethics or morality? In teaching people how to strike other humans, are you not adding more danger to the planet? Can you truly claim to be helping the world to become more safe? Or is it possible that you are just enabling bad actors with bad intentions?"
It's hopefully easy to see the analogy between the two lines of questioning. In the first case, we are transferring digital skills to people who can perform violent actions in cyberspace. In the second case, we are transferring physical skills to people who can perform violent actions in physical space. I think for most people who have thought a bit about it, it's fairly obvious why the existence of martial art schools are a net good. Therefore, I'll first try to reply to the personal-combat-skeptic with three points of view. For each one, I will attempt to translate it to the ethical-hacking-skeptic in the hope that the analogy is strong enough to carry over across domains.
An Economic View
While dojos - I am taking license with the word to use it to refer to boxing or MMA gyms and the like - can be fertile ground for bullies, gang members, or generally unsavory people to learn to fight, they certainly aren't the only place where such people can learn to fight. If someone wants to learn to fight outside of a school/dojo/military, there are plenty of terrible ways of going about it. Someone sufficiently motivated will not be deterred by the lack of a formal training institution. I don't have any data to support this, but my intuition is that many if not most hand-to-hand fighters of a certain caliber are probably not taught in dojos but rather pick up skills through a much more rough and dangerous path. (EDIT: Thinking about it a little bit more, I think my credence in the above statement is lower than when I initially typed it a few days ago, given the popularity of the UFC and MMA).
Likewise, none of the hacking and security techniques OffSec (or anyone else for that matter) teaches are sacred. Anyone sufficiently motivated can and will find resources to teach themselves without a teacher/vendor/school/company. I would be surprised if the ratio of cybercriminals who learn outside of a legitimate cyber education vendor is much smaller than the ratio of physical criminals who learn outside of a dojo.
Since this is an argument based purely on intuition, let me say what it would take for me to change my mind here: If it turned out that a majority of physical criminals learned to fight by virtue of dojo membership, or if it turned out that a majority of cybercriminals learned to hack by virtue of legitimate online training, then this argument would no longer be very good.
However, given that I currently believe that most bad actors learn outside of a formal system, I also believe that the net benefit of those institutions far exceeds this particular danger.
A Sociological View
Of the three ideas I'm defending here, this is perhaps the most idealistic. One argument for the dojo as an institution is that it has the potential of changing the minds of would-be bad actors. If you are part of a community that is empowering, supportive, nurturing, and understanding, you'll (we hope) become less likely to go start fights or join a gang or cause violence, even if your original desire was to learn to throw your weight around.
Again, as with physical violence, so with cyber: We aspire that students joining communities like OffSec's (and the infosec community in general) receive enough support, guidance and purpose so that they become less likely to need to be bad actors, even if that was their original goal.
A great power of community is that while any individual can join and influence it, it in turn can and will influence the individual. By encouraging a world with institutions that teach ethical hacking, we provide space for people who are curious about these subjects to develop humility and trust and belonging and empathy.
I'm aware that I'm painting a very black and white picture here. Sometimes bad actors do great things, and sometimes great people do horrible things. More, what is considered "good" and "bad" is often a matter of perspective; though I tend to be a moral realist, I recognize that not everyone has the same belief structure.
Once again though, I do think that on average, a properly sheparded dojo with attentive care to its membership can cultivate excellent social attributes in its membership, and likewise I believe that information security communities can be similarly powerful positive influences. This isn't to say that I think that the information security community today is a perfect bastion of light and hope; I think there are definitely things we can and will continue to do better in this space.
A Philosophical View
There is a logical fallacy in philosophy called "proving too much". We can say that an argument proves too much when it forces us to draw a conclusion that is unreasonable if we generalize it. Let's take a quick detour to go over an example.
First, consider the argument "We should ban all knives, because knives can be used to hurt people".
Next, we take the general form of the argument: "We should ban all X, because X can be used to hurt people".
To know if our argument is vulnerable to this fallacy, we only need to find an instance of X where the statement "X can be used to hurt people is true", but which would obviously be unreasonable to ban. I happen to be drinking some coffee out of a beautiful clay mug, and I'm pretty sure one could inflict some damage on someone's head with it should they be so inclined... and yet I don't think most people would support a general ban on coffee mugs.
(One could also point out that the instance where X=Knives is itself such a counter example, since we all use knives for the exceptionally useful purpose of cutting food every day).
Now, let's return from the dizzying world of philosophical logic and return to violence. "We should stop teaching hacking because people can do bad things with it" is itself an example of proving too much. In this case, martial arts is the X.
You might respond "Ok, but I think we shouldn't teach hacking or fighting because they both enable bad actors". This would be perfectly acceptable as a position, except that there are plenty other instances of X where teaching it can enable bad actors. Accounting? Television would have us believe that drug dealers are fantastic at money management. Chemistry? Chemical engineers can make weapons. Programming? But cybercriminals need to learn to code too!
The point here is, if we really think that teaching hacking is bad, it can't be only because it enables bad actors, because teaching many other skills can enable bad actors that we definitely want to continue teaching and learning!
Conclusion
Finally, let's take the initial argument to its logical conclusion and imagine that we put a stop to all martial art schools. Now all the "bad guys" will continue to "bad act", but the "good guys" have no means to defend themselves. Similarly, if we stop formally teaching 'offensive' security (and we do need to learn offense to understand defense well), we'll be left in a world where the only people who know how to get compromises are the bad actors we were initially concerned with.
The thoughts here are by no means a knockdown argument. I think the general feeling behind hacking-education skepticism is important, and the last thing I think we should do is dismiss it lightly.
We should continue to think about how we can mitigate bad-actor education. We should continue to consider how to transfer knowledge and skills in an ethical and responsible manner. And we should continue to make our communities more welcoming, more friendly, and more able to nurture the best in their members.