Ethical Dilemmas in Cybersecurity
A Learning Lab at RSA
Irina Raicu is the director of the Internet Ethics program at the Markkula Center for Applied Ethics at Santa Clara University. Views are her own.
On April 17, I was one of three facilitators of a Learning Lab as part of the RSA conference in San Francisco—joining Sean Brooks of the Center for Long-term Cybersecurity at U.C. Berkeley and Jeff Klaben of SRI International. The Learning Lab discussed a number of ethical dilemmas in cybersecurity and introduced ways to address those dilemmas. In anticipation of that discussion, we asked potential participants to rank the ones listed below, and invited them to add other dilemmas to the list.
- Vulnerability disclosure: When and how should researchers inform the public about vulnerabilities in widely used products? What steps should be taken before any such notification?
- Encryption: What should companies do in response to lawful law enforcement requests for encrypted data? Should known vulnerabilities in systems be used to comply with requests that would otherwise be impossible to satisfy? Should law enforcement agencies use such vulnerabilities themselves if they suspect a formal legal request will not bear fruit?
- Research: How should researchers balance the use of potentially aggressive penetration testing techniques against the legal rights of the owners of the systems they are researching? Does that balance change in cases where those system owners are not implementing reasonably strong security measures?
- Automated security tools: Is it ethical to release tools that can automate attacks on a broad array of systems into the wild?
- Sale restrictions: What (if any) is the responsibility of cybersecurity professionals to try to prevent the sale of products they have developed to autocratic governments that would use them to harm their citizens?
- The role of the CISO: What kinds of personal risk should a Chief Information Security Officer or manager-level security officer accept on behalf of an organization? It is not uncommon for CISOs to be fired or forced out when a cybersecurity breach occurs; should organizations offer CISOs employment agreements that include provisions for relief from personal legal liability or other protections? How should organizational deficiencies (under-investment, bad practices, etc.) factor into this analysis?
- Cybersecurity incident response: How much time and energy should be spent investigating a breach? What is an appropriate level of incident detail to share with customers and other stakeholders? How thick is the line between satisfying organizational obligations and finding the complete truth behind an incident?
Have you considered the ethical dimensions of these issues? What other cybersecurity-related ethical questions would you add to that list?
- "A Framework for Ethical Decision Making": https://www.scu.edu/ethics/ethics-resources/ethical-decision-making/a-framework-for-ethical-decision-making/
- "An Introduction to Cybersecurity Ethics" (a free teaching module for cybersecurity courses): https://www.scu.edu/ethics/focus-areas/technology-ethics/resources/an-introduction-to-cybersecurity-ethics/
Image by Christiaan Colen, cropped, used under a Creative Commons license.