The views expressed here and elsewhere on the need to regulate “Ethical hacking Training” in India have evoked some responses which need to be debated. I will try to present some of these views and my perceptions about them.
Two important points of view that have been raised are as follows:
1. Regulation means one more opportunity for corruption and hurdles for development.
2. More Security education will lead to reduction of cyber crimes and hence no regulation is required.
One of the biggest advantages of regulating the ethical hacking education is more accountability in the industry.
Yes, one more regulation, one more regulator, one more licensing scheme, one more audit power etc. will also open up possibilities of corruption. But even if a few training institutes get valid accreditation despite being ineligible, such people will at least be accountable after some time through RTI or otherwise. No scam can be hidden for long, as we have seen in recent days.
Secondly, whether more security education will reduce cyber crimes depends on what type of “Security Education” we are talking about.
I agree that teaching a software developer to build security into the software architecture at the design level will help better practices to prevail in the community and enhance the security environment.
Also, I believe that teaching ethics at the graduation level when the students are at a more impressionable age is more likely to embed an ethical behaviour rather than years later when they have seen the world and tasted money flowing in their hands. (In the relative sense).
If ethical hacking training is imparted at an age where people are not willing to easily accept ethical suggestions and are only looking forward to acquiring skills which they themselves will decide how to use, then the probability of misuse is far higher. Since these trainings also distribute ready-made hacking tools, I believe that the risk of misapplication of knowledge is higher.
What could reduce cyber crimes is security education where the curriculum is meant for the Aam Admi and sensitizing him to the dangers that lurk in the Internet and the tools of security he can use to minimize the risks while using web based services.
This type of training is done mostly by NGOs and self-motivated individuals without the expectation of financial rewards, while training for developing fraud skills is done by other companies for making profit.
The Government of India needs to invest in the “Security Awareness Programs for the Public” and not finance the “Fraud Skills Development” programs.
Hence regulation of Ethical Hacking education, in my opinion, requires serious consideration both at the basic academic level and at the advanced private education level.
Maybe the regulation may also include that for every ethical hacking trainee trained by a company, 100 members of the public are to be trained in security awareness through schools, colleges and public fora, so that the environment improves, similar to de-forestation and re-forestation programs.
More comments are welcome.
Naavi