Ethics — moral principles that govern a person’s behavior — is a critical part of any sound cybersecurity defense strategy. Without clear ethical standards and rules, cybersecurity professionals are almost indistinguishable from the black-hat criminals against whom they seek to protect systems and data.
The study of cybersecurity ethics, which encompasses a wide array of approaches and schools of thought, does not offer a simple solution to the many complex ethical dilemmas IT professionals, chief information security officers (CISOs) and organizations face on a daily basis.
A Shaky Moral Compass
The cybersecurity landscape shifts every year. As a booming, immature industry, organizations are desperate to fill the growing chasm of security jobs amid a serious shortfall of skilled graduates.
In this frenetic climate, we tend to focus on developing individuals’ cybersecurity knowledge and talent and putting them on the front line as quickly as possible. In the mad rush, we often forget to consider how new recruits could potentially abuse these abilities on the job or in the wild. Lacking context on cybersecurity ethics, individuals must defer to their personal moral compass. This leads to good decisions as often as it leads to mistakes.
How can management infuse the highest of cybersecurity ethical standards and intrinsic values? If your organization has not done so already, you should strongly consider implementing an ethical practice policy, guidelines and/or code of conduct for your IT and security staff to follow. Review this policy regularly in the context of available industry guidelines and best practices. After formulating a clear policy, be sure to engage your employees in the ethics conversation by offering training and guidance.
Even the most ethical and highly technical of cybersecurity teams cannot prevent the most determined attackers. It is wise, therefore, to thoroughly prepare for cybersecurity incidents. This requires a well-prepped incident response plan that encompasses the technical details, practical instructions for executive and legal teams, and any key ethical considerations.
Aside from their employees, businesses themselves must fulfill certain ethical and legal obligations in the event of a security incident, particularly a data breach. Time is undoubtedly a key factor in responding to cyberattacks. However, notifying customers and clients about any serious, immediate implications, such as stolen data and credentials, is also an integral part of the incident response process. When a company leaves the public in the dark after a catastrophic breach, customers remain vulnerable.
When a company’s data is compromised, it may face lawsuits, reputational damage and questions about its ethical standards. Delaying a public announcement can compound these consequences. Those responsible for overseeing information security practices within organizations, such as CISOs and supporting executive management, must be engaged and lead by example to help engender a culture of high ethical standards.
Where Do White Hats Draw the Line?
Outside of university courses and industry certifications, there is little standardized training or formal accreditation required to work as a cybersecurity professional, yet they face daily ethical dilemmas unique to their line of work. Cybersecurity professionals are the technological gatekeepers in their respective organizations, entrusted with great responsibility and the high levels of access needed to carry out their roles effectively.
White hats work with sensitive data, come across company secrets and wield great power over computer networks, applications and systems. How an individual manages this authority comes down to his or her own ethical yardstick, which is why organizations must carefully select security experts who exhibit sufficient standards and technical competency. But is this enough? Can we trust our respected practitioners?
Without codified cybersecurity ethics guidelines in place at the industry and employer levels, it is largely up to the individual at the helm to determine the most ethically sound response to a given incident.
Ethics can be subjective, influenced by an individual’s background, culture, education, personality and other factors. Some white-hat hackers, for example, have no problem casually testing their phone company’s billing platform for vulnerabilities. By poking holes in the phone providers’ security infrastructure, they believe they are legitimately contributing to the common good of cybersecurity. Others might regard these activities as criminal, or at least unethical, well-intentioned or not.
Hats of All Colors
Even the lines between the different shades of the hacker spectrum — white hat, gray hat, black hat, etc. — can be blurry. In fact, black- and white-hat hackers often use the same tools and methods to achieve vastly different ends. This muddies the ethical waters of cybersecurity even more, making it difficult to determine exactly where the moral line falls when it comes to producing fruitful, legitimate and ethically sound security research.
While legal, medical, accounting and other established professions have legally binding codes of conduct overseen by longstanding regulatory bodies, IT security professionals have yet to establish formal guidance or universal checks and balances. The industry lacks an independent register to determine who can practice ethical hacking or security research.
Cybersecurity leaders must rely on reputation and background checks alone to determine the trustworthiness of potential hires. If IT professionals betray this trust by behaving unethically, there is no third-party committee or board to evaluate the consequences of these actions and rule in the context of the profession as a whole. Rogue security professionals cannot be struck off the register or removed from a database, because such a database does not exist.
Several associations, such as ISSA, ISC2 and SANS, have volunteered to tackle governing ethical issues in IT and cybersecurity. However, industry professionals are rarely required to subscribe to these bodies or adhere to their codes of conduct.
Hollywood Hacking and Real-World Challenges
In the very first episode of “Mr. Robot,” the Emmy-nominated, cybercrime-themed fictional television series, the show’s protagonist, Elliot, a disillusioned cybersecurity engineer working in New York, faces a critical ethical decision on the job. The character, played by Rami Malek, comes across a suspicious file on a client’s compromised server when diagnosing a distributed denial-of-service (DDoS) attack. This unusual file has a mysterious message for Elliot: “Leave me here.”
In this pivotal moment of the show, Elliot can choose to either delete the file (the ethical decision) or leave it on the client’s server. Intrigued, Elliot acts unethically and leaves the file on the server without notifying his incident response team, management or the server owner. This decision is the catalyst upon which the whole story arc hinges, leading to the protagonist’s involvement with the enigmatic illegal cybercrime gang fsociety and a massive data breach for the important client.
While the depiction of cybersecurity ethics in “Mr. Robot” is a somewhat overdramatic Hollywood rendition, it is not totally dissimilar to the real-world ethical challenges security professionals frequently encounter in the field. Through both deliberate and unintentional actions, a cybersecurity professional can criss-cross the often complex and delicate ethical line. Like Malek’s character in “Mr. Robot,” even the smallest diversion in the nuances of ethical decision-making could open a can of worms with far-reaching consequences, potentially putting the business, customer base and individual at risk.
Hacking Airplanes: Helpful or Harebrained?
Security researcher and One World Labs founder Chris Roberts made controversial headlines in 2015 after tweeting that he was considering doing a live penetration test of his domestic United Airlines flight to Syracuse, New York. Roberts, who was the subject of an FBI affidavit, allegedly commandeered a Boeing aircraft by tampering with the thrust management computer via its in-flight entertainment system, causing “one of the airplane engines to climb, resulting in a lateral or sideways movement” of the aircraft, Wired reported.
It’s unlikely Roberts intended to threaten or harm himself, airline staff or the other passengers onboard. Despite apparent white-hat intentions, however, the consequences of Roberts’ alleged actions against such critical systems could have been grave.
After the story broke, several prominent cybersecurity professionals spoke publicly about the dubious ethics and legalities at play. According to Business Insider, Alex Stamos, then CISO at Yahoo, tweeted, “You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents.”
Education, Awareness and Outreach
While a deeply integrated code of cybersecurity ethics and conduct is vital, it is also crucial to cultivate ethical teachings among students and young enthusiasts — the security professionals of tomorrow. By promoting awareness of cybersecurity ethics at the early stages of learning and professional development, we can help ensure that future white hats stay on the right side of the ethical divide.
Bug bounties and hacking competitions provide ethical sandboxes where budding young hackers and senior professionals can mess around and challenge themselves. Many major organizations, including Facebook, Google and several prominent airlines, offer crowd-sourced bug bounty programs in which hackers are rewarded for discovering vulnerabilities in selected targets. This model improves the security of the company’s assets while offering a defined structure and guidelines under which eager global security researchers can legally hack, learn and reap handsome rewards.
Cybersecurity enthusiasts can also use a variety of deliberately vulnerable simulation platforms to learn penetration testing skills inside a safe environment. It is important that such education tools provide users with the necessary ethical context to ensure that their teachings are not misplaced.
Who’s to Blame?
Young rogue hackers often fall into the hands of law enforcement when conducting activities against legitimate, unsuspecting targets. Many plead ignorance, asserting that they did not realize the activities were illegal.
Who is to blame in these situations? In some cases, hacking tools, including those that contribute to DDoS botnet attacks, are part of the problem. Often, at a core level, this software has become so easy to use that it enables unwitting newbies to invoke potentially illegal damage across the internet with just a single mouse click.
On the other hand, many hackers have knowingly crossed ethical boundaries with ignorance falling short as a defense. If a young cybersecurity enthusiast behaved unethically in his or her juvenile hacking past but shows a promising future, can he or she be trusted by a potential employer? Despite the noted demand for cybersecurity professionals, organizations are usually hesitant to hire talented ex-black hats.
Cybersecurity Ethics Workshops
It is important to give talented youth the best opportunity to develop cybersecurity skills in safe and legal environments and to provide concrete guidance and rules regarding ethics.
As part of our outreach and awareness initiatives in the IBM Ireland Lab, my colleagues and I on the IBM Ethical Hacking team occasionally run cybersecurity workshops with third-level computer science students across Ireland and the U.K. These workshops are designed to give soon-to-be graduates a brief introduction to cybersecurity and the skills required to work in the industry. In this capacity, my team serves the critical role of educators and role models. This requires very careful consideration.
Imperatively, at the very beginning of each university workshop session, we make certain to specifically emphasize the fine legal and ethical line and the exceptional duty that comes with having much-touted hacking skills. As the saying goes, with great power comes great responsibility.