Ethical and AI Washing in the Workplace
03/04/2025
The Signs of Ethical and AI Hacking
I have previously blogged about the controversial issue of "Ethical Hacking." In this blog, I will update that discussion and add to it because changes are happening rapidly and the number of cybersecurity attacks is increasing. I discuss ethical and AI washing in this updated blog.
We live in an era of unprecedented cybercrime, both in quantity and quality. These attacks, which can take many forms, can significantly impact national security, business interests, and infrastructure. It is more important than ever for organizations to address these challenges, and one of the best precautions is prevention.
AI Washing
AI washing, or the use of false and misleading statements about artificial intelligence, has risen to a level that has prompted the government to act. Businesses interested in AI must balance their enthusiasm with careful attention to their public claims. Most important, they must have an ethical base to be believable and build trust with stakeholders.
Ethics Washing
Ethics Washing is the practice of fabricating or exaggerating a company’s interest in equitable AI systems that work for everyone. An organization that practices it follows a concept that can best be characterized as promoting ethics for the good of all. Some point to Google’s experience in 2019 of creating an Artificial Intelligence (AI) ethics board only to disband it less than two weeks later.
What is an ethical hacker?
I have previously blogged about ethical hacking. According to techtarget.com, an ethical hacker, also referred to as a white hat hacker, is an information security expert who penetrates a computer system, network, application or other computing resource on behalf of its owners -- and with their authorization. Organizations call on ethical hackers to uncover potential security vulnerabilities that malicious hackers could exploit. Ethical hacking involves a detailed process to help detect vulnerabilities in an application, system, or organization’s infrastructure to prevent future attacks and security breaches.
The purpose of ethical hacking is to evaluate the security of and identify vulnerabilities in target systems, networks or system infrastructure. The process entails finding and then attempting to exploit vulnerabilities to determine whether unauthorized access or other malicious activities are possible.
Experts who engage in such activities are called “ethical hackers,” which means they are security experts performing security assessments to improve an organization’s security measures. After receiving approval from the business, the ethical hacker sets out to simulate hacking from malicious actors.
Unlike malicious hackers, ethical hackers use the same type of skills and knowledge to protect an organization and improve its technology rather than damage it. They should obtain various skills and certifications, and they often become specialized in certain areas. A well-rounded ethical hacker should be an expert in scripting languages, proficient in operating systems, and knowledgeable of networking. They should also possess a solid understanding of information security, especially in the context of the assessed organization.
Bloomberg Law Views
Bloomberg recommends steps that companies should take in the AI space.
- Avoid hype. Vague descriptions, overstated claims, or a lack of clear understanding about AI’s functionalities can indicate AI washing. When using AI-powered technology, don’t race to promote it to investors or consumers and instead focus on the technology’s substance. This means providing detailed, accurate descriptions of AI systems, including their specific functions, benefits, and limitations.
- Develop and enforce robust AI governance. Establish a comprehensive AI governance program, involving collaboration across departments, including legal, technology, investor relations, and marketing. Each plays a role in ensuring AI-related claims are accurate and align with a company’s business strategy.
- Ensure accurate public disclosures. Consider what information companies disclose to the public, investors, and competitors about their AI capabilities. Be clear about what their technology can and can’t do, paying special attention to the phrasing used in public disclosures.
- Engage AI experts. Experts can play a key role in assessing and validating AI capabilities. It’s worth turning to an internal team of data scientists or engaging an external partner with deep AI expertise. Assessing third-party AI systems requires advanced technical capabilities, but taking adequate time and resources to properly evaluate can help protect businesses from financial losses and other risks.
By prioritizing transparency, responsible communication, and genuine innovation, companies can ensure integrity and contribute to a more trustworthy AI landscape. True innovation will be rewarded, helping the entire industry by further advancing technology, encouraging investment, and promoting confidence in various products.
Writing for Forbes online, Dr. Lance B. Eliot, a world-renowned expert on AI and Machine Learning, says that in addition to possible reputational harm, there are “numerous legal ramifications [that can] bite them and their firm. One is that they didn’t do what they said they did and can be potentially legally held liable for their false claims. Moreover, AI practices might end up violating laws involving societally sensitive areas such as exhibiting undue biases and acting in discriminatory ways.”
Bloomberg Law writers state that “misrepresenting AI erodes consumer and investor trust by prioritizing short-term hype over long-term reputation building. Once lost, trust is hard to rebuild. Companies risk their credibility, and the veracity of other disclosures may be questioned. This damages relationships with partners, decreases consumer loyalty, and tarnishes brand image—and in a worst-case scenario, it could lead to class-action litigation.”
It is not surprising to me that questions have been raised by the SEC and others about the truthfulness of disclosures about AI. Companies have adopted the policy of window dressing before including their ethical practices. It’s up to the government (i.e., SEC) and Congress to establish regulations/laws to create a pathway to ethical practice. It’s also up to technology companies to establish their own guidelines/policies that put the needs of the public/investors ahead of all else, including their own interests.
The Different Types of Hackers
Hackers can be categorized into different types, with their names indicating the intent of the hacking system.
The two main types of hackers, according to techtarget.com, are:
- White Hat Hacker: An ethical hacker that does not intend to harm the system or organization. However, they simulate this process to locate vulnerabilities and provide solutions to ensure safety in the business.
- Black Hat Hacker: Your traditional hacker, black hat hackers are non-ethical hackers that conduct attacks based on malicious intentions, often to collect monetary benefits or steal data.
Teaching Ethical Hacking in the Workplace
Computer hacking skills are being taught in institutions of higher learning. I believe it should be taught to cyber-security students to "know the enemy" and ensure they will be equipped to effectively prevent and defend against attacks in the real world. Both academia and security experts add that schools must emphasize law and ethics so students "don't cross the line" and misuse their hacking abilities.
A wide range of educational opportunities exist for individuals interested in pursuing information security. Many of these are being offered in the public sector within community colleges and universities. It is interesting to note that while many schools offer such education and training, a number of professionals express concern about teaching hacking techniques. This apprehension stems from a fear that students may use the information unethically. In other words, they may use the information against the very company hiring them to protect their security.
A group of individuals called the GhettoHackers are trying to change the way society views hackers, as stereotypical malcontents interested only in crashing systems, stealing credit cards and releasing computer viruses. While cybercrime arrests make headlines regularly, groups like GhettoHackers are aiming to help those curious about information security get hands-on experience without doing harm to others.
Conclusion
I am concerned about the practice of teaching ethical hacking. Is it right to teach something that itself is unethical? Do the benefits of using the skills of ethical hackers exceed the costs, such as ethical hackers not being so ethical and causing widespread damage?
The teaching of ethical hacking is here to stay given the increasing number of attacks against computer systems and individuals. Let’s hope the educators are successful because ethical hackers may be drawn to the “dark side” and wind up hacking the hackers.
Posted by Steven Mintz, aka Ethics Sage, on March 4, 2025. You can sign up for his newsletter and learn more about his activities at: https://www.stevenmintzethics.com/