The Difficult Ethics of Cybersecurity

As cybercrime ramps up, ethics in cybersecurity is becoming a more pressing issue. Most people today understand the importance of data security, but many may not realize that the field introduces several ethical questions. Cybersecurity ethics can be surprisingly complicated, but it deserves attention.

On the surface, cybersecurity codes of ethics may seem straightforward. Stop the bad guys from getting in, and keep the good guys’ data safe. However, when you get down to the details, lines start to blur. Here’s a look at a few examples of the biggest ethical problems in cybersecurity.

Data Privacy

Perhaps the most significant question in cybersecurity ethics is the matter of privacy. In a recent survey, 86% of U.S. adults said that data privacy is a growing concern for them; ethics and privacy in information security are essential pieces to running a trusted business. But while most of these worries surround how businesses use their personal information, it applies to cybersecurity, too.

This can seem strange at first, as your data should be safe from prying eyes with good cybersecurity. That’s exactly where the problem arises, though. In the process of keeping information safe from hackers, you often lose privacy from another party.

The strictest cybersecurity measures involve things like network monitoring that give some authority access to the data they’re protecting. In becoming private from others, your information becomes visible to someone else. How much personal information can these people see and access before it becomes unethical?

Privacy From Governments

Some of the biggest cybersecurity ethics examples deal with this issue, specifically in the realm of government regulations. Laws like Europe’s General Data Protection Regulation (GDPR) are becoming increasingly common. Some of these rules introduce situations where governments could view citizens’ information, raising questions about privacy.

Take China’s Data Personal Information Protection Law (PIPL), for example. While PIPL limits what companies can see and do with user data, it does not stop the state from accessing anything. In the name of ensuring security compliance, the government could see millions of users’ personal information, even without their knowledge.

More government regulations about cybersecurity could mean opening access to people’s private information. With companies using data centers worldwide, individuals may face privacy invasions from foreign governments, not just their own.

Privacy From Cybersecurity Professionals

Governments aren’t the only entities that may see your data with tight cybersecurity, either. Cybersecurity professionals that monitor systems for suspicious activity have access to potentially sensitive information. Bring your own device (BYOD) policies take this concern further, as these workers could see your personal files and web history.

Imagine you used your personal laptop at work. As part of your company’s security policy, network administrators could see your files and activity while you’re on the company Wi-Fi. While this would help IT teams monitor for hacking, it also means they could see what you use your laptop for outside of work.

Cybersecurity codes of ethics may stop security teams from prying into your personal data, but people can be untrustworthy. What if one of these workers breaks policy and steals or leaks your information for personal gain? What if they don’t do anything illegal but still go through your files without your consent or knowledge?

Whistleblowing

The discussion over privacy versus security raises another cybersecurity ethics question: Is whistleblowing ethical? One of the most famous cybersecurity ethics case examples deals with this topic. In 2013, Edward Snowden exposed thousands of secret documents to journalists, revealing the National Security Agency (NSA) was collecting data on U.S. citizens.

Many saw this secret and widespread data collection as an invasion of privacy, but Snowden violated contracts and the law to expose it. Depending on who you ask, you’ll get different answers on whether or not that was ethical. This same dilemma applies to many potential scenarios in cybersecurity.

Imagine you’re a cybersecurity professional when you discover a company has a flaw that could expose its customers’ sensitive information. When you tell the business about the vulnerability, it doesn’t take any action to solve it. If you go public, you may violate your contract with the company, but people’s data could be vulnerable if you don’t.

Which is more important: your responsibility to your client or the people whose data may be at risk? In this case, protecting people’s information could mean breaking the law or violating the business’s privacy. Depending on how extreme the issue is, the right answer may not be clear.

Vigilante and White-Hat Hacking

A similar issue in cybersecurity ethics is vigilante hacking. It’s easy to say hacking is unethical, but what if it serves a good purpose? What if by breaking into some service, you end up protecting more people than you harm through the attack?

In 2004, a security worker named Shawn Carpenter found gigabytes of stolen classified documents after hacking a group that had infiltrated Lockheed Martin to steal them. Doing this was, and still is, illegal, and Carpenter’s company fired him for it. However, the military might not have known what files the hackers had stolen had he not done it.

In a less extreme case, a Facebook user hacked Mark Zuckerberg’s account in 2013 to highlight an unpatched bug in the website’s security. This “white-hat” hacking can help reveal pressing security flaws, leading to improvements and protecting people’s sensitive information. At the same time, hacking is illegal, and some may say it’s unethical without the target’s consent.

If someone discovers a vulnerability and can’t get their message out any other way, is it right for them to demonstrate it practically? What about in the case of Carpenter, when it’s a matter of national security? Some of these cases may be easily justifiable, but it may get difficult to draw the line when vigilante hacking becomes unethical if it’s more widely accepted.

Cybersecurity Codes of Ethics

One of the reasons these concerns are so pressing is because the cybersecurity industry lacks comprehensive ethical guidelines. Plenty of laws dictate what people can and can’t do in cybersecurity, but what’s legal and ethical aren’t always the same.

Some organizations have sought to fix this by publishing cybersecurity codes of ethics. Here’s a look at a few of the most prominent.

ACM Code of Ethics

The Association for Computing Machinery (ACM) has a code for computing professionals, including students looking to enter the field. These guidelines fall into three main categories: general ethical principles, professional responsibilities and guides for people in leadership roles.

Generally speaking, the ACM’s code asks people to avoid harm, be transparent and uphold privacy. That includes not accessing someone else’s system, software or data unless they have “reasonable belief” that it’s for the public good. In those cases, workers should take extreme caution to ensure their actions aren’t harmful.

The ACM Code of Ethics also includes a section about upholding and enforcing the code. ACM members should report violations, resulting in things like bans from conferences or ejection from the association.

CSIRT Code of Practice

The Task Force on Computer Security Incident Response Teams (TF-CSIRT) has a similar cybersecurity code of ethics. The TF-CSIRT adopted these guidelines, dubbed the CSIRT Code of Practice (CCoP), in 2005, though they’ve undergone several changes since.

Most of the CCoP’s guidelines are rather open-ended. Much of the language refers to companies taking necessary steps to protect things appropriate to the given situation without explaining them.

Under the CCoP, teams must comply with any local laws, even when they conflict with other CCoP guidelines. Considering one of the code’s requirements is only disclosing information on a need-to-know basis, conflicts may arise with growing government regulations.

The CCoP isn’t mandatory for TF-CSIRT members, but it is highly recommended. Organizations outside this group can also use it as a baseline for their own ethical guidelines.

EthicsfIRST

Another cybersecurity code of ethics comes from the Forum of Incident Response and Security Teams (FIRST). This code, called EthicsfIRST, is supposed to guide anyone using computers in a meaningful way, including IT workers, students and influencers. 

EthicsfIRST outlines 12 duties people have when dealing with cybersecurity ethics. These include a duty to confidentiality, to respect human rights, for informing people of security threats and to legal guidelines. Each contains some examples and guidelines for how to apply them.

Interestingly, EthicsfIRST doesn’t place any of the duties over the other. If conflicts arise between them, people have to decide for themselves which commitment is more important to serve.

Potential Dilemmas With Cybersecurity Ethics Codes

Even with a cybersecurity code of ethics, there can still be ethical dilemmas. There’s a reason these generally take the form of guidelines and not strict rules. In some situations, complying with one recommendation could mean violating another.

For example, local laws may require companies to offer data to authorities in a way that would violate their ethical code. Alternatively, some actions may harm users but protect a greater amount, raising questions about whether “do no harm” policies or a duty to defend is more important.

Cybersecurity Ethics Are Complicated

These kinds of ethical dilemmas aren’t unique to cybersecurity. There are gray areas in any moral consideration, and what’s right in one situation doesn’t always apply to another. Cybersecurity codes of ethics can help guide decisions, but they don’t prevent every possible complication.

Cybersecurity professionals and users should know about these possible ethical complications to help prepare for them. As these issues become more prominent, people will run into more dilemmas. Understanding what’s at stake and how others have handled similar ethical issues in cybersecurity can provide guidance.