Ethics in Cyber Security—Second Quarter 2018
Ethics in Cyber Security: WWW in Reference to Cyber Security Does Not Mean What You Think!
Charles N. (Chuck) Persing
NACVA Ethics Oversight Board Member
When I was first asked to write an article about ethics in Cyber Security, hearing all that is happening and the many competing forces, I was concerned. It seems to me that www stands for the Wild Wild West; at this point, it looks like it does.
I tried to look at it from the perspective of an employer, then an employee, followed by customers and vendors, all of whom have a place at the table, not to mention the hackers who, in many cases, bring the parties to the table. Then it dawned on me that in my past, circa 1985 to 1988 (and no, someone did not steal or mess with my abacus), the question of ethics came up with my then company’s IT department.
At that time, I was CFO of an entertainment company in NY and oversaw the accounting, treasury, finance, and IT departments. Among other things, the IT director felt he was undervalued and should be a direct report to the COO. As luck would have it, my assistant (I will call her Lilly) was sharp and happened to need to speak to the IT director. As she approached him, he quickly shut down his screen and addressed her issue. Lilly immediately became suspicious and approached me. I said to keep an eye on this, but that it was likely nothing, as he could be working on something personal. A few days later it happened again; this time Lilly was able to see what he was hiding: it was one of my interoffice memos to the COO. Not jumping to an immediate conclusion, I asked Lilly to print and then delete all old memos and, for new memos, to print and delete them within one day of writing and sending. About a week into this procedure, I proceeded to dictate a memo to the COO which explained what the IT director was doing and recommended his termination for breach of ethics. That memo (never sent to the COO) was the bait; it was deleted within one day, and not a word was spoken about it to anyone. Full circle: the suspense was killing the IT director, and he asked for a meeting with the COO. I briefed the COO on what we believed had happened, and he alone met with the IT director. The IT director, in effect, said he could do what he wanted and the COO could not do a thing about it. The IT director left the office within 10 minutes of the meeting, never to return, and his second in charge took over and ran the department in a professional manner.
Now, this story is just about a 30+ year old memo on a word processing system, but it is relevant today. Fast forward from 30+ years ago: the very same issues remain, and a whole host of new ones now exist. Just pick up the paper and there is a whole host of breaches in the headlines or in commercials.
Remember the days when location mattered and you needed to have a source inside or physical access (Charlie Sheen in Wall Street running the cleaning company) to the company, or do a dumpster dive, to misappropriate confidential information; or, if you were lucky, find a lost, unprotected floppy disk or other memory device? The internet, cloud, and/or remote connectivity have enabled theft of confidential information without leaving your criminal lair.
Like most of you, I have attended Cyber Security workshops, and each one of them says, among many other things, the standard three things:
- Have a plan,
- Get adequate insurance, and
- Assume you will have a breach!
In many of these courses, they note the large financial damage to the breached company and indicate that small businesses that are attacked have a high likelihood of going out of business after a breach.
I found an article about the 17 biggest data breaches of the 21st century, a CSO report story by Taylor Armerding, dated Jan 26, 2018 3:44 a.m. PT. Below I have summarized the breaches from the article.
- Yahoo, Date: 2013–14, Impact: 3 billion user accounts.
- Adult Friend Finder, Date: October 2016, Impact: More than 412.2 million accounts.
- eBay, Date: May 2014, Impact: 145 million users compromised.
- Equifax, Date: July 29, 2017, Impact: Personal information of 143 million consumers; 209,000 consumers also had their credit card data exposed.
- Heartland Payment Systems, Date: March 2008, Impact: 134 million credit cards.
- Target Stores, Date: December 2013, Impact: Credit/debit card information and/or contact information of up to 110 million people compromised. Target’s CIO and its CEO resigned. The company recently estimated the cost of the breach at $162 million.
- TJX Companies, Inc., Date: December 2006, Impact: 94 million credit cards exposed.
- Uber, Date: Late 2016, Impact: Personal information of 57 million Uber users and 600,000 drivers exposed. Here is the really bad part: It was not until about a year later that Uber made the breach public. What is worse, they paid the hackers $100,000 to destroy the data with no way to verify that they did, claiming it was a “bug bounty” fee.
- JP Morgan Chase, Date: July 2014, Impact: 76 million households and 7 million small businesses.
- U.S. Office of Personnel Management (OPM), Date: 2012–14, Impact: Personal information of 22 million current and former federal employees.
- Sony's PlayStation Network, Date: April 20, 2011, Impact: 77 million PlayStation Network accounts hacked; estimated losses of $171 million while the site was down for a month.
- RSA Security, Date: March 2011, Impact: Possibly 40 million employee records stolen.
- Stuxnet, Date: Sometime in 2010, but origins date to 2005, Impact: Meant to attack Iran's nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies, or public transportation systems.
- VeriSign, Date: Throughout 2010, Impact: Undisclosed information stolen. VeriSign never announced the attacks. The incidents did not become public until 2011, and then only through a new SEC-mandated filing.
- Home Depot, Date: September 2014, Impact: Theft of credit/debit card information of 56 million customers.
- Adobe, Date: October 2013, Impact: 38 million user records.
A casual reader of the cyber-related headlines (and/or commercials for identity theft protection) must also consider the numerous other breaches of trust and data in the headlines:
- Sony e-mail hack; red faces all over Hollywood.
- Temporary termination of President Trump’s Twitter account.
- Current trend in the use of ransomware by hackers to charge companies to unlock hijacked data.
- Numerous WikiLeaks leaks delivered by front man Julian Paul Assange.
Who does this stuff? It now seems that the array of threats comes from a collection of insiders, former insiders, and worldwide sources including third-party enterprises, individuals, and government-sponsored groups.
The most famous parties in this reign of cyber terrorism include the following top ten hackers:
- Gary McKinnon must have been a curious, restless child; he shut down the U.S. Military’s Washington Network of about 2000 computers for 24 hours, making his hack the biggest military computer hack of all time!
- LulzSec, or Lulz Security, a high-profile black hat hacker group, gained notoriety for hacking into Sony, News International, the CIA, the FBI, Scotland Yard, and several noteworthy accounts.
- Adrian Lamo decided to switch careers when he realized the potential of his skills. He made news when he hacked into Yahoo!, Microsoft, Google, and The New York Times. Although this culminated in his arrest, it later helped him earn the badge of an American threat analyst.
- Mathew Bevan and Richard Pryce, targeting the over-sensitive nerves…, could have triggered a great many issues between the USA and North Korea. The duo hacked U.S. military computers and used them as a means to infiltrate foreign systems.
- Jonathan James, better known as c0mrade, was the first juvenile to be imprisoned for a cyber-crime, at the age of 16; he hacked into the U.S. Defense Threat Reduction Agency.
- Kevin Poulsen infiltrated a radio show’s call-in contest just so he could win a Porsche.
- Kevin Mitnick, who is now a security consultant, was convicted of hacking Nokia, Motorola, and the Pentagon.
- The “hacktivist group” Anonymous, known by the pen name of the “digital Robin Hood,” has attacked government, religious, and corporate websites. The Vatican, the FBI, the CIA, PayPal, Sony, Mastercard, Visa, and the Chinese, Israeli, Tunisian, and Ugandan governments have been among their targets.
- Astra, a Sanskrit word for weapon, was the pen name of a hacker who dealt in stealing and selling weapons data. A 58-year-old Greek mathematician, he hacked into the systems of France’s Dassault Group, stole sensitive weapons technology data, and sold it to different countries for five long years.
- For two long years, Albert Gonzalez stole credit card data from netizens. This was recorded as the biggest credit card theft in the history of mankind. He resold approximately 170 million credit card and ATM numbers.
“Cybersecurity practitioners and researchers are working at the cutting edge of a highly adversarial industry, and dealing with a range of thorny problems.
- Is it OK to disclose a vulnerability before a vendor has had a chance to patch it?
- Is it permissible for a botnet researcher to take control of a compromised machine for the greater good, or to disrupt its command and control structure?
- Should we buy exploits from cybercriminals to make them available for the public to protect themselves?
- What about striking back against attackers who are stealing our data and wrecking our systems?
Each of these questions is complex, with a lot to unpack, and some of them come up regularly in practice. Google drew flak from Microsoft last October (2016) for publicizing a local privilege escalation bug in Microsoft Windows. Redmond said that it endangered customers. Google had angered Microsoft before, and has since published information about more zero-day vulnerabilities in its rival’s systems.
When it comes to cybersecurity, Sandra Braman, Abbott professor of liberal arts and professor of communication at Texas A&M University, draws a distinction between ethics and the law. “Codes of ethics are associated with professionalism; responsibilities of people who are members of specific professions and for whom accreditation by that profession requires signing on to, and adhering to, codes of ethics,” she explains, adding that the law will take cybersecurity practitioners further than ethics. “In the cybersecurity domain, such professions don’t exist in the sense that such a wide range of types of jobs, skills, and people are involved.”
Tom Graves, the Republican Senator for Georgia, proposed a bill that would let companies take limited actions against attackers in cyberspace. The Active Cyber Defense Certainty Act would give private companies legal immunity in some cases, should they choose to strike back against online attackers in certain ways. The bill would amend Title 18 of the United States Code (that is the main criminal code), making it possible to use ‘attributional technology’—code that spies on attackers. It also lets victims access an attacker’s network to prove their criminal activity, monitor their behavior, and disrupt unauthorized activity against the victim’s own network.”
In further research, I have found that this bill, while helpful and maybe controversial, has not been acted upon.
In an article entitled “Tough Challenges in Cybersecurity Ethics,” dated October 12, 2016, Aidan Knowles discusses the following current challenges facing the industry. Below I have excerpted key quotes from the article:
“Cybersecurity professionals are the technological gatekeepers in their respective organizations, entrusted with great responsibility and the high levels of access needed to carry out their roles effectively.
White hats work with sensitive data, come across company secrets, and wield great power over computer networks, applications, and systems. How an individual manages this authority comes down to his or her own ethical yardstick, which is why organizations must carefully select security experts who exhibit sufficient standards and technical competency. But is this enough? Can we trust our respected practitioners?
- As a booming, immature industry, organizations are desperate to fill the growing chasm of security jobs amid a serious shortfall of skilled graduates.
- When a company leaves the public in the dark after a catastrophic breach, customers remain vulnerable.
Even the lines between the different shades of the hacker spectrum—white hat, gray hat, black hat, etc.—can be blurry. In fact, black- and white-hat hackers often use the same tools and methods to achieve vastly different ends. This muddies the ethical waters of cybersecurity even more, making it difficult to determine exactly where the moral line falls when it comes to producing fruitful, legitimate, and ethically sound security research.
- Security researcher and One World Labs founder Chris Roberts made controversial headlines in 2015 after tweeting that he was considering doing a live penetration test of his domestic United Airlines flight to Syracuse, New York. Roberts…allegedly commandeered a Boeing aircraft by tampering with the thrust management computer via its in-flight entertainment system, causing “one of the airplane engines to climb, resulting in a lateral or sideways movement” of the aircraft, Wired reported.
- Alex Stamos, then CISO at Yahoo, tweeted, “You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents.”
- While legal, medical, accounting, and other established professions have legally binding codes of conduct overseen by longstanding regulatory bodies, IT security professionals have yet to establish formal guidance or universal checks and balances. The industry lacks an independent register to determine who can practice ethical hacking or security research. Several associations, such as ISSA, ISC2, and SANS, have volunteered to tackle governing ethical issues in IT and cybersecurity. However, industry professionals are rarely required to subscribe to these bodies or adhere to their codes of conduct.”
Next, I turned my research to determining whether there is a code of ethics that professionals follow. I found a white paper entitled “Crossing the Line: Ethics for the Security Professional” by Scott Carle, GSEC Practical (v.1.4b), published by the SANS Institute (© SANS Institute 2003). It includes two codes of ethics: one for forensic testimony and one for computer ethics.
The Code of Ethics
From “A Guide to Forensic Testimony”
- Technology is important to modern society.
- Technologists must take care not to endanger the life, health, safety, and welfare of the public.
- Technologists should demonstrate competence and due care in their technical duties.
- Technologists must maintain and update their technical skills.
- Technologists should avoid conflicts of interest.
- Technologists should be honest and forthright in their dealings with others.
- Technologists should be honest about their limitations, acknowledging errors and correcting them.
- Technologists should refrain from discriminating against individuals based on race, religion, age, gender, or national origin.
- Technologists should give proper credit to others for their work and honor property rights, including copyrights and intellectual property.
- Technologists should help the public understand technology and support the professional development of peers.
Ten Commandments of Computer Ethics
From the Washington Consulting Group and the Computer Ethics Institute
- Thou Shalt Not Use a Computer to Harm Other People.
- Thou Shalt Not Interfere with Other People’s Computer Work.
- Thou Shalt Not Snoop Around in Other People’s Computer Files.
- Thou Shalt Not Use a Computer to Steal.
- Thou Shalt Not Use a Computer to Bear False Witness.
- Thou Shalt Not Copy or Use Proprietary Software for Which You Have Not Paid.
- Thou Shalt Not Use Other People’s Computer Resources Without Authorization or Proper Compensation.
- Thou Shalt Not Appropriate Other People’s Intellectual Output.
- Thou Shalt Think About the Social Consequences of the Program You are Writing or the System You are Designing.
- Thou Shalt Always Use a Computer in Ways That Ensure Consideration and Respect for Your Fellow Humans.
Next, I noted the Cybersecurity Institute, which offers Cyber Security certifications and consulting and publishes the following code of ethics:
“Our students, employees, contractors, and those testing for the CyberSecurity Forensic Analyst (CSFA)™ certification must agree to and abide by this Code of Ethics and Conduct:
- I will observe and honor any other code of ethics or conduct for the organizations I am a member of or employed by.
- I will respect the confidential nature of any information, methodologies, or techniques that I become aware of in relation to computer forensics/forensic computing.
- I will strive to keep my technical skills current.
- I will be honest and forthright in my dealings with others.
- I will not reveal facts, data, or information without the prior consent of my client or employer except as authorized or required by law.
- I will not accept compensation for my services based on contingency.
- I will not permit the use of my name by, or associate in business ventures with, any person or firm that I believe to be engaged in fraudulent or dishonest practices.
- I will perform services only in areas I am competent in. I will rely upon other qualified parties for assistance in matters that are beyond my area of expertise.
- I will maintain custody and control over whatever materials are entrusted to my care.
- I will refuse or terminate involvement in any work when I feel that I am being coerced into a particular opinion.
- I will disclose all known or potential conflicts of interest that could influence or appear to influence my judgment or the quality of my services.
- I will not falsify my qualifications or permit misrepresentation of my associates' qualifications, nor will I misrepresent or exaggerate my responsibilities in or for the subject matter of prior assignments, employment, or past accomplishments.
- I will always acknowledge my errors and will not distort or alter the facts.
- I am to be committed to the integrity of my profession, and will avoid situations in business or personal life where I might contribute to the wrongdoing of others or find myself viewed as a contributor to wrongdoing.
- I will conduct my work based upon established, validated principles.
- I will only render opinions that are demonstratively reasonable.
- I will do my best to thoroughly examine and analyze all evidence, and will not withhold any of my findings, whether inculpatory or exculpatory.
- I will provide assistance to those involved in my profession, as long as my assistance does not conflict with any other provision of this Code of Ethics and Conduct.
- I will conform to all laws—federal, state, and local—pertinent to my profession. If I am unsure of the laws in a given situation, I will seek the assistance of legal counsel.”
The ISSA also publishes a code of ethics for its members:
“The primary goal of the ISSA is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association. As an ISSA member, guest, and/or applicant for membership, I confirm that I have in the past and will in the future:
- Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
- Promote generally accepted information security current best practices and standards;
- Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
- Discharge professional responsibilities with diligence and honesty;
- Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of, or be detrimental to, employers, the information security profession, or the Association; and
- Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.”
More questions than answers. Ethical standards in Cyber Security are evolving; the laws and organizations have not caught up with the current landscape. Consider the longer-lived professions like CPAs, doctors, and lawyers, which are much further along in the coordination between industry participants, regulatory bodies (government and industry), and international, federal, state, and local laws. Not all Cyber Security industry groups follow a comprehensive code of ethics, and only with rare exceptions are there ramifications for non-compliance. Laws have not yet matured and will need to be reconciled across the locations, and the laws, of the participant and the breacher. Companies, government agencies, and other organizations have various degrees of plans and safeguards for Cyber Security, from none to comprehensive, but all are subject to attack and penetration. All companies with computer connectivity and remote devices (company-issued or belonging to third parties, including employees) are likely to be under friendly fire and/or hostile attack (directly or indirectly) from governments, hackers, employees, former employees, IT staff, customers, and vendors, to name a few.