computerwoche.de

Archiv

Opinion: Ethical, educated or neither?

18.07.2006
I recently read about the "Ethical Hacking and Countermeasures" degree being offered by a Scottish university. At first, I thought this was for a master's degree, and then I was really dismayed to see that this was a bachelor's-equivalent program. There are so many things wrong with that prospect, it's hard to know where to begin, but the story does raise some good questions about where degree programs fit into computer-related professions.

The very existence of a degree program officially called "Ethical Hacking and Countermeasures" annoys me, because the name is a marketing ploy. The program could accurately be referred to as computer security, and there are already degree programs with that title. The term ethical hacking simply implies intent -- and intent isn't a skill set one can teach. (Ethics, yes, but that would put this degree program in the Philosophy department.)

The university claims that it conducts background checks before people enter the degree program to weed out anyone who might want to use his skills criminally, in accordance with the Disclosure Scotland standards. But a background check only checks whether or not someone has been previously convicted -- a very rare occurrence even for established "black hats." A background check doesn't read minds, and it is likely that the check for the university is limited to a criminal records check and does not go out and interview their friends, neighbors, co-workers, etc.

It is extremely unlikely that the university will give further tests, such as polygraph exams, in addition to this background check, not least because a thorough check -- for the sort that can even begin to determine the applicant's intent -- costs tens of thousands of dollars. Also, as in the U.S. juvenile justice system, Disclosure Scotland doesn't disclose many offenses committed by young offenders (though their cutoff is 16 years of age, and serious offenses such as those resulting in a supervision requirement order or disposal in a court of law are not stricken from the record as a matter of course). Minor yet telling offenses might never come to university officials' attention.

Most importantly, "ethical hacking" is a trade, not a program of study. And that leads me to a deeper question: In that case, what are college degrees for? After all, we have trade programs if you want to learn a skill. If you want to learn about hacking skills, you can take courses from the SANS Institute or other programs -- and if you're self-motivated as many young hackers are, much of your learning is ad hoc.

On the other hand, if you look at most computer science and engineering bachelor degrees, only 25 percent of the program of study is actually devoted to the major's core skill sets. The rest of a bachelor's degree involves courses that expand the student's overall body of knowledge and skills. College degrees should represent the acquisition of basic knowledge and abilities across a broad range of subjects. They also represent some devotion and an overall breadth of instruction within each major. Even within the student's major, there's a broad focus rather than a specialization. For example, a computer science major takes a variety of computer courses. Biology students take a variety of biology courses. You don't generally see biology students majoring in molecular biology, nor should they.