Knowing your enemy is half of the battle, as the old adage goes. This is no less true when it comes to defending against cyber-attacks. Turkey, like many other states, faces a range of threats today that go beyond conventional violence, touching instead on the complex dependencies built into modern infrastructure, from defense systems, to banks, to electricity and other essential services. With a number of recent high-profile, headline-grabbing attacks carried out through the internet, the issue of cyber security has come to the forefront of the national security discussion in Turkey. Dr. Merve Seren talks to Halil Öztürkci, a “White Hat” hacker, about how governments are trying to use the expertise of otherwise malicious cyber attackers to build better defenses.
Mr. Öztürkci, would you like to explain the notion of “White Hat Hacker”? Should “White Hat Hackers” be perceived as people who serve states and protect interests of states?
They do not necessarily function as servants of states. Hackers are categorized into three groups:
- White Hat Hackers
- Black Hat Hackers
- Grey Hat Hackers
“Black Hat Hackers” generally violate computer security laws and log into systems for personal gain without official permission. There is also another group called “White Hat Hackers”, whose purpose is to preserve computer security and counteract Black Hat Hackers’ cyber-attacks. White Hat Hackers also break into protected systems and networks to test and assess the security systems they work on. But their activities focus on the protection of systems. While doing so, they have to be capable of thinking as a Black Hat Hacker to clearly solve the origin, type and target of the attacks. Therefore, this means that White Hat Hackers are as equipped as Black Hat Hackers in terms of the capability for cyber-attacks. However, unlike Black Hat Hackers, White Hat Hackers use this capability to protect systems and to discover the security flaws in systems. In addition to these two groups, there also emerges a third one: Grey Hat Hackers, who, when it is needed, discover the security flaws, log into systems or protect the systems.
Then, can we assume Grey Hat Hackers are people who are Black Hat Hackers in the night but turn into White ones during the daytime?
Yes, you are right; this is the point describing the grey term. But there are other classifications among this one. For instance, socialist hackers are called “Red Hat Hackers,” whereas Islamist-jihadist ones are called “Green Hat Hackers.”
The Turkish Standards Institution provides a certificate of cyber security to individuals who are able to pass standards of their course. Hence, could it be inferred that a state may utilize the skills of White Hat Hackers for its own sake? Or does Turkey have such a strategy to employ White Hat Hackers to meet the needs of cyber security? Secondly, White Hat Hackers’ knowledge of security flaws could lead them to turn into Grey Hat Hackers. How could this be handled?
White Hat Hackers could be used to meet needs in the cyber security field. However, the question, whether the employment of White Hat Hackers can meet the need, still remains unanswered. Furthermore, there are strict government standards and procedures which one cannot change. For instance, an employee in this cyber security field should be a university graduate. However, it is a fact that there are people who are perfectly talented when it comes to cyber problems, but do not have university diplomas. Here is where the problem lies.
In that sense, Russia provides benefits or payment to people on a temporary or permanent basis without acknowledging them as official servants. Could this also be done in Turkey?
I think Turkey should employ both temporary and permanent cyber security specialists. Institutions such as the Turkish Standards Institution, other private corporations or universities somehow manage to fulfill the temporary part of it. However, the state must take the initiative to develop an integrated policy on cyber-security and create an area of expertise. It is in relation to this that the Information and Communication Technologies Authority (ICTA) has stepped into action recently.
The “cyber camp”, which is held with the co-operation of Turkcell, could provide cyber specialists to firms. ICTA also took a step like this in order to create a field of expertise in itself. As mentioned, people who are talented in the cyber world but do not have a university diploma were also chosen for those courses. This is something hopeful for the future of cyber-security. However, the mentorship and the development of those people must be done well.
How do the White Hat Hackers in this model compare with what is found in Western countries? For instance, Russia has many employees working for the sake of the national interests. But are there any standards applied to those people, such as not having any cybercriminal background?
People with a cybercriminal background cannot be employed as official servants. However, I think we can benefit from their skills in one way or another. They do not necessarily have to be categorized as state servants. To give an example, it is well known that the head of the US cyber army once participated in a conference called Black Hat and declared the state’s need for more hackers. Therefore, it is acceptable to gather all kinds of people working in the cyber area.
In Turkey, there is a group called the Ayyıldız Team [or “Star and Crescent Team”] which definitely has a significant impact on the cyber world. The Ayyıldız Team is capable of preventing attacks and furthermore of carrying out attacks. So, is it possible to collect and employ the same kind of groups like Ayyıldız Team? Or let me ask, are there any other alternatives to the Ayyıldız Team?
Yes, there are, such as Cyber Warriors [CW]. There are many others with different ideologies or intentions. But such groups do not follow a higher authority to make them organized and follow orders.
There is another field called “computer forensics”. Computer forensics evokes the idea of criminal case investigations. What are the most difficult computer forensics case studies you have ever confronted? How much does it take for you to detect them?
We make investigations through “digital evidence” that is very different from other types of evidence. It is really sensitive because it can be destroyed or fully erased easily. Therefore, in order to conduct investigations we have valid and appropriate digital evidence. The more technology advances, the harder it gets to detect threats.
Which type of attacks or cases have you been working on nowadays?
These days, we are working on Advanced Persistent Threats (APT). Turkey is under attack, both its public and private institutes. We both detect these threats and try to prevent them. In this period of detection, the departments have the responsibility of repulsing those attacks, and experts must think and act like cyber-hunters. Here, cyber-hunting implies the procedures of detecting the threats.
I would like to ask about a different topic, about Virtual Private Networks (VPNs). The government occasionally restricts access to Twitter and Facebook. Then, users download VPN applications to have access to the restricted services. How does the use of a VPN affect personal privacy?
VPNs certainly affect personal privacy in a negative way. VPNs are like tunnels to help you to access websites or applications that you cannot reach through your server. These tunnels that help you also have the capability of reaching the personal information that lies in your cell-phone or computer.
Are there any official or national VPNs?
There are not any such official or national VPNs yet, but some institutions are trying to develop one.
Mr. Öztürkci, thank you very much for sharing your time with us.