This article was published on July 14, 2017

Singapore wants ethical hackers to get a license, or else


When it comes to information security, Singapore is a world leader. The tiny Asian nation punches well above its weight, topping lists like the International Telecommunication Union’s Global Cybersecurity Index.

But if a draft bill comes to fruition, it’ll be the first country to license ethical hackers, forcing anyone doing investigative work (penetration testers, basically) to pay (and study) up. The same is also true for anyone working in computer forensics.

Anyone working without a license will quickly find themselves in hot water, with a potential maximum penalty of two years in jail and up to S$50,000 ($36,000) in fines. According to Quartz’s Joon Ian Wong, this is “in line with the country’s reputation for extreme orderliness.” Given he used to live there, I’ll take his word for it.

You could argue that licensing will weed out low-talent ‘skids’ from the marketplace. And given that manicurists and plumbers have to get licensed, isn’t it only right that the same standard applies to ethical hackers?

Perhaps. It’s a reasonable argument, but it’s one I thoroughly disagree with. It’s hard to see how licensing hackers can be good for the Singaporean information security industry.

Compared to other industries, a disproportionate number of hackers have limited formal education. These people found their way through self-motivated study and an innate sense of curiosity, which is essential for a career in information security. Some of the best, most talented ethical hackers I’ve ever met were high-school dropouts.

Put simply, many of these people don’t perform well in academic environments.

Ultimately, this push towards formalizing the information security industry through licensing wrongly conflates talent with certification. And, as anyone who has ever attended a Security BSides conference will tell you, this is utterly bogus.

Furthermore, if obtaining a license is anywhere near as time-consuming and expensive as gaining an industry certification like CISSP or CEH, it will be disastrous for independent professionals and small companies.

Not only will they have to pay literally thousands for the piece of paper, but they’ll spend hours preparing for and taking tests. This is time that could be spent earning money by doing client work.

Dumb. Dumb. Just so incredibly dumb.
