Five ethical decisions cybersecurity pros face: What would you do?
Back in the 1990s, when I first entered the world of information security, I was creating encryption software. The UK government wanted to know the ins and outs of encryption algorithms used in commercial product development. As a “matter of national security,” government officials visited our company and asked us, as encryption vendors, to give them a back door into our application in case of a “national emergency” — essentially, a “break glass in case of emergency” access code.
We felt this presented an ethical dilemma: We wanted to give robust security to our enterprise customers to protect their proprietary information and intellectual property but having a back door was potentially a way to circumvent this protection. How could we, in all honesty, present this solution as a robust encryption solution when we knew that it had a backdoor that could slip into the wrong hands?
Ethics in software is a complex area, and the encryption dilemma I experienced in the 1990s has continued to haunt security vendors. Here is a short exploration of five other examples of issues we face as security professionals and/or security app designers and developers.
ChatGPT training built for everyone
1. Walking the tightrope of making money and calling out bad tech
Artificial intelligence (AI) is a technology that has ridden the wave of tech futures for several years now, offering the promise of unique innovations. Companies that build AI apps are pulling in large amounts of investment money. Potential revenue is eye-opening: Statistica researchers predict around $126 billion in revenue from AI-enabled apps by 2025. But AI is still an emerging technology for certain predictive qualities. I
n 2020, Timnit Gebru, a researcher in AI and ethics at Google, was allegedly sacked for highlighting a lack of diversity in AI research and bias in AI facial recognition: Gebru has expertise in the high error rates of AI when analyzing the faces of women with darker skin tones. Gebru felt an ethical imperative to ensure that technology used to identify people was fit-for-purpose for all, not just white faces. Her decision put the investment and stock prices of Google at risk, and her resultant dismissal is blamed on this factor. This type of conflict of interest is behind many ethical decisions IT professionals make every day.
If you were in Gebru’s position, would you have called out Google, even if it meant losing a dream job?
2. Sacked for telling the security truth
Security professionals are often on the firing line of security risk, even losing their jobs because of breaches. For example, San Francisco State University suffered a major data breach in 2014, exposing many student records. An information security officer at the university, Mignon Hoffman, was sacked after the breach. Hoffman alleged that the university sacked her for disclosing the security failings of the university — in other words, she chose to become a whistleblower as the most ethical thing to do. As a result, Hoffman sued the university for "wrongful termination and whistleblower retaliation."
Hoffman felt that telling the truth was an important ethical decision. However, she paid the price by losing her job. Whistleblowing is protected by law in the U.S. The decision to blow the whistle on bad practices can be complex and contextual, but some security issues are just too big to ignore. Such was the case when Edward Snowden blew the whistle on the surveillance activities of the NSA back in 2013. Snowden paid a heavy price, having to leave his home country. He said in the first documents he provided, "I understand that I will be made to suffer for my actions," but "I will be satisfied if the federation of secret law, unequal pardon and irresistible executive powers that rule the world that I love are revealed even for an instant."
Sometimes an ethical decision is a no-brainer. But would you have given up your home to highlight state wrongdoings?
3. To tell or not to tell, that is the question
Some of the jobs in information security can place an employee in an ethical dilemma room with multiple doorways. The door you choose to open may embarrass your employer or result in your prosecution. A recent example of this ethical dilemma was when a security firm employee hacked into a client's computer at Middlebury College, discovering a hoard of images and videos showing child sexual abuse. The hacker was part of a penetration test company looking for vulnerabilities in the client's network. The ethical hacker was not supposed to be trawling for information on personal computers and was concerned about being prosecuted for doing so. However, the pentester decided that this discovery was too important not to disclose. The pentester first connected to the offensive computer containing the material before handing it over to law enforcement to investigate.
Security professionals have a duty of confidentiality to clients, often expressed in confidentiality agreements signed by pentesters. This confidentiality must be taken seriously because pentesters may have access to privileged and sensitive information. This fact leads to a meaningful conversation about the ethical conduct of ethical hackers. However, some discoveries, especially those that could cause harm to others, should come outside of this remit.
In this case, protecting children made the pentester’s decision easy. I imagine most readers would agree.
Phishing simulations & training
4. Zero-days for sale
Zero-days were used in 66% of malware attacks in Q3 2021 because they are open doors not yet closed by security patches. In other words, a cybercriminal who knows about a zero-day can exploit it to their heart's content. Consequently, finding a zero-day exploit can be lucrative for the person locating the flaw if a company has a bug bounty program. These bug bounty programs can offer thousands of dollars for anyone who can identify a zero-day exploit. For example, a Zoom zero-day recently sold for $500,000.
Unfortunately, not all zero-day marketplaces are legitimate and controlled by a vendor. A grayer, fuzzier marketplace for zero-day sales exists, one populated by nation-states, the Italian Hacking Group, Israeli NSO Group, and others. These zero-days can end up in the hands of cybercriminals and state-sponsored hacking groups: This was the case for a group of Al Jazeera journalists, hacked by an NSO group that acquired the zero-day.
Security researchers who find important zero-days, such as iOS zero-days, could end up in an ethical dilemma when they are offered a large sum of money, perhaps millions of dollars, for their find. They may naively believe they are selling to a legitimate group, but the state and state-sponsored lines can be fuzzy.
Many of us would cave at the thought of getting a massive payday for a zero-day. The question is: Would you do it if you knew it could end up potentially causing patient risk in a healthcare setting?
5. Harm to privacy and dark patterns
Technology increasingly shapes how we live and interact with others online. Our data is our proxy in this digital world. Privacy and app design can seriously impact this digital life. Dark patterns are a type of UI/UX design method that encourages users to perform actions that are beneficial to the application instead of themselves. You can almost think of them as a form of corporate phishing as they often involve taking more personal data than is needed to perform the task.
Deceptive Design is a site dedicated to calling out unethical dark patterns of app and web design. The site describes the practice of “privacy zuckering,” where a site or app tricks a user into publicly sharing more personal information than was intended. Dark patterns are not illegal, but they are unethical. They are often beneficial to an organization because they take people down a pathway that encourages purchases or provides data to ad tech companies. Facebook is renowned for unethical dark pattern practice and poor privacy – the dark patterns behind the Facebook/Cambridge Analytica debacle being a poster child for privacy harm.
Security and privacy professionals involved in designing systems and apps that utilize personal data may be under pressure to use dark patterns. In this situation, it can be challenging to be ethical and resist the pressure to build user journeys that end in privacy harm.
Conclusion: It’s a question of ethics
Technology is not just about having the latest gadget: Tech is deeply integrated into our lives. Social media and other online interactions can have a real-life impact on our society's governance. Technology has the potential to create a more inclusive society or, conversely, to divide and conquer. Technologies can magnify inequalities when poorly designed or the harm they could inflict is not considered. Cybersecurity, privacy and digital identity are at the intersection of ethical software design, development and use.
When security professionals engage in pentesting or hardening security systems or have privileged access to perform their roles, they may encounter the types of ethical dilemmas mentioned above. But understanding the complex nuances behind ethical decisions is not a black-or-white issue. One person's ethical choice is another's missed opportunity. Because of this, ethical issues must be part of general education in cybersecurity for all security professionals. We are all human, and being ethical is always challenging. Hopefully, our decisions are the right ones. Perhaps cybersecurity professionals should take an oath, as our medical counterparts have, that says we will "do no harm."
ChatGPT training built for everyone
Sources:
- Revenues from the artificial intelligence (AI), Statistica
- Fired employee sues SF State for $1 million after alleged hack, Databreaches.net
- Whistleblowing protection program, United States Department of Labor
- Edward Snowden, in Russia Since 2013, Is Granted Permanent Residency, NY Times
- WatchGuard Internet Security Report, Watchguard.com
- Bug Bounty Programs: The Low-Down, Infosec
- Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit, The Citizen Lab
- Deceptive Design
In this Series
- Five ethical decisions cybersecurity pros face: What would you do?
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization