Each day Derek Manky and his team of hackers fix their eyes on computer monitors, clutch their keyboards and comb the Internet for security vulnerabilities that could paralyze computer systems.
Since 2006, the team has uncovered 262 “zero-days” – flaws in networks or applications capable of anything from spreading malware to stealing passwords. And about 100 of those discoveries were made in 2015 alone.
“There’s so many new products, so many different vendors that are vulnerable now. So it’s not just one or two,” said Manky. “Now there’s literally hundreds of these targets that stem from cloud software to the Internet of Things and desktop software.”
The good thing, though, is Manky and the hackers he supervises aren’t there to exploit those targets.
His team at Fortinet’s (Nasdaq:FTNT) Burnaby office is made up of “white hat” or ethical hackers – security experts who seek out vulnerabilities and develop stopgap patches for vendors until a permanent solution is created.
“But there is no international standard for this [ethical hacking], and it’s been that way for over 10 years,” said Manky, a global security strategist at Fortinet.
At the University of British Columbia (UBC), students taking introductory computer security courses are provided with ethics lessons before participating in a mini-conference on ethical hacking. Before this year’s December conference, the students spent the fall building case studies on vulnerabilities and how they would go about foiling hackers.
“These projects are done in collaboration with system owners,” said UBC computer science professor Kosta Beznosov, who teaches the class.
“Before the students do any kind of analysis, any kind of interaction with the system, system owners must approve such analysis.”
The team at Fortinet, meanwhile, proactively searches for vulnerabilities without first asking vendors.
But without any professional organizations or global industry standards, what’s to stop students from using their skills to exploit vendors?
“What I teach to my students is very well known in the [computer security] community and very well known to the criminals,” Beznosov said. “I’m not teaching anything highly specialized.”
He added the university has developed its own criteria about the ethical and legal obligations students and instructors must consider if presented with unauthorized access to systems.
But coders, developers and hackers don’t have a professional association similar to the Association of Professional Engineers & Geoscientists of BC (APEGBC) that requires members to follow a code of ethics.
“The code of ethics is a really fundamental part of APEG’s mandate to protect the public interest,” said Efrem Swartz, APEGBC’s director of legislation, ethics and compliance.
The organization disciplines members for violations ranging from improper movement of contaminated soil to poor structural engineering.
“All people have to follow a code of ethics. You’re just held to a higher standard if you’re a self-regulating body,” Swartz said.
“Certain professions have risen to the level of self-regulatory bodies and certain haven’t, but it doesn’t mean the ones who haven’t are less important.”
But APEGBC lawyer Taymaz Rastin said his organization also takes action against self-described “software engineers” among tech firms and professionals when they don’t qualify as such.
“Without that prohibition in the [Engineers and Geoscientists] Act then it would be meaningless in terms of enforcing the code of ethics because then it wouldn’t be mandatory for the people who are practising to comply with the code of ethics.”
Bill Tam, CEO of the B.C. Technology Industry Association, said much of the issue comes down to how rapidly the tech industry has changed in recent years.
“Software engineers are software engineers. They don’t fit, necessarily, the original definition of what constituted an engineer. So I think what we’re going through is a fundamental growing pain in adjusting the language to suit what’s needed in the tech industry.”
There are some organizations that examine standards and best practices that should be implemented when handling ethical hacking, such as the International Organization for Standardization (ISO) or the OASIS threat intelligence committee, which Fortinet employees contribute to.
Manky, meanwhile, has spent nearly a decade developing responsible disclosure practices for his company.
Among the standards his team follows is not making security vulnerabilities public before the vendor has fixed them.
But depending on the expert capabilities of the vendor, it can be years before a security flaw is fixed, Manky said. Out of the 262 zero-day vulnerabilities the Fortinet team has uncovered over nearly a decade, 83 remain unpatched.
There is nothing stopping other white-hat hackers from disclosing those vulnerabilities to the public in an effort to pressure the vendor into fixing them.
“We do need to get some sort of standard happening internationally,” Manky said.