Two weeks before the 2020 presidential elections in the US, a Dutch ethical hacker guessed the Twitter password of former president Donald Trump. He didn’t need any technical skills, only a few guesses. He tried variations of Trump’s slogan ‘Make America Great Again’. With maga2020! he got in. As an ethical hacker, he knew what to do. Gather evidence and get the hell out of there. Do not do more than strictly necessary to disclose the vulnerability responsibly.
Fun fact: four years earlier, one week before the 2016 presidential elections, the same hacker also gained access to Trump’s Twitter account, this time in the aftermath of a LinkedIn data breach (the password was: yourefired). He disclosed the vulnerability to Trump’s entourage with the strong advice to strengthen the security of the account, for example by using multi-factor authentication and a strong password. Advice that Trump evidently ignored.
Imagine what could have happened. The hacker could have taken over Trump’s account and tweeted some world-changing stuff. And if he could do it, anyone could do it. Cybersecurity is not a joke; knowing how to protect your information on the internet is not only important for individuals, but also for world peace.
In our digitized 21st century world, the risks of using the internet are plenty. Internet users might be spied upon, scammed, robbed, tricked, blackmailed, bullied, or manipulated with disinformation. How can we protect ourselves from these risks? I think there are many things we can learn from the ethical hacker community if we want our society to become more cyber-resilient.
Ethical hackers voluntarily make the internet safer, but must do their work in the dark. These hackers search the internet for vulnerabilities in computer systems and disclose them to the responsible party. In most cases, this is illegal, because to find a vulnerability a hacker often has to break into someone’s computer system. Therefore, hackers are usually met with hostility and subjected to criminal investigations.
So unsurprisingly, when the hacker tried to notify Trump about his weak password, he was subjected to a criminal investigation by the High-Tech Crime police unit of the Netherlands. He was accused by the White House of breaking into Trump’s account. Luckily, this was already the 5780th vulnerability he had found on the internet, so he knew how to follow the guidelines of coordinated vulnerability disclosure (CVD).
Coordinated vulnerability disclosure
These guidelines were created in collaboration between the Dutch hacker community, companies, and the public prosecutor, and they legally protect the rights of ethical hackers in their efforts to make the internet a safer space. They grant hackers the right to find vulnerabilities on the internet and disclose them to the responsible organisation.
When hackers follow these guidelines, they won’t get punished for breaking into a system. When a hacker is arrested for vulnerability disclosure, the Dutch prosecutor will look at factors such as: was there a substantial social interest? Did the hacker go no further than was strictly necessary? Were there no other, less far-reaching ways to reach the same goal? Our hacker met the requirements. He pleaded not guilty.
This example shows that in recent years increasingly disruptive cyber-attacks have raised awareness of the essential work of ethical hackers in keeping the internet safe. Slowly, policy is adapting by including ethical hackers in cybersecurity governance, instead of trying to keep them out. This is a very good development, because it effectively strengthens the cyber resilience of society.
These guidelines are an example of what Philip Frankenfeld calls ‘technological citizenship’ (1992). Frankenfeld argues that just as citizens have rights and responsibilities as citizens of a country, they should also have rights and responsibilities in relation to the technology that impacts their lives. The idea of technological citizenship is that when citizens know how technology works and how it impacts their lives and society, and when they can participate in decision-making about technology, they will become more resilient to the negative impacts of that technology.
The CVD guidelines grant citizens the right to tinker with technology. They acknowledge that the creative minds of hackers will always find new and unexpected ways to use technology. They allow hackers to ‘enact the sociality of technology’ by rejecting technological determinism, in the words of Tim Jordan, an author who has written about hacker cultures. They shift power relations by empowering citizens, and this is exactly what technological citizenship requires: citizens should be able to do something about technology’s impact on their lives.
The hacker who discovered the vulnerability of Trump’s Twitter account produced an excellent example of technological citizenship. He knew how technology impacts society. He knew how to steer technology’s impact in the right direction. But most importantly, his actions were protected by the guidelines of CVD. He had the right to do what he did. The importance of his action was acknowledged by the state. He effectively improved the cyber resilience of society, and he was sufficiently empowered to do so.
Technological citizenship for cyber resilience
For technological citizenship to take shape, the CVD guidelines are a great step in the right direction. But more is needed. What about the citizens who do not possess hacker skills? What are the rights of citizens whose personal information is leaked or stolen because of negligent cybersecurity measures? And how can we deal with emergent technologies, such as facial recognition and deepfakes?
We must ensure that all citizens can protect themselves, and that they can be empowered to claim their rights in cyberspace. More is needed for technological citizenship to take shape. In my doctoral research, I aim to find out exactly what else is needed to strengthen cyber resilience.