Ethical Hacking and the Ethics of Disclosure
Irina Raicu
Whether we call it “ethical hacking,” “penetration testing,” “vulnerability analysis,” “cyberoffense,” or “cybersecurity research,” we are talking about an increasingly important field rich in remunerative employment, intellectual challenges, and ethical dilemmas.
As a recent Washington Post article noted, this is a “controversial area of technology: the teaching and practice of what is loosely called ‘cyberoffense.’ In a world in which businesses, the military and governments rely on computer systems that are potentially vulnerable, having the ability to break into those systems provides a strategic advantage.” The Post adds, “Unsurprisingly, ethics is a big issue in this field.”
(Also unsurprisingly, perhaps, the coverage of ethics included in cyberoffense courses at various universities—at least as described in the article—is deeply underwhelming. In many engineering and computer science courses, ethics is barely mentioned; discussion of ethics, when it does happen, is often left to a separate course, removed from the substance and skills that the students are actually mastering.)
Last month, as part of the “IT, Ethics, and Law” lecture series co-sponsored by the Markkula Center for Applied Ethics and the High Tech Law Institute, Santa Clara University hosted a panel discussion about ethical hacking. The panelists were Marisa Fagan (Director of Crowd Ops at Bugcrowd), Manju Mude (Chief Security Officer at Splunk), Abe Chen (Director of Information and Product Security at Tesla Motors), Alex Wheeler (Director of R&D at Accuvant), and Seth Schoen (Senior Staff Technologist at the Electronic Frontier Foundation). The topics ranged from an effort to define “ethical hacking” to a review of current bug bounty practices and employment opportunities for ethical hackers, to a discussion about the ethics of teaching cyberoffense in colleges and universities, and more.
A particularly interesting chunk of the conversation addressed the ethical issues associated with disclosures of discovered vulnerabilities. Rather than try to summarize it, I’ve included an audio clip of that discussion below. Unfortunately, the participants are (mostly) not identified by name; I can tell you, though, that the voices you hear, in order, are those of yours truly (who moderated), and then Seth, Alex, Seth, Abe, Marisa, Abe, Alex, Marisa, and me again.
As it happens, the one participant who is not heard in this clip is Manju Mude—so it bears noting that Manju contributed significantly throughout the panel (including steering the conversation, right after this clip, to the related topic of hacktivism), and that she was a driving force beyond the convening of the whole event, as well as invaluable help in reaching out to the other panelists. I will take this opportunity to thank all of them again, and hope that you will appreciate their insights on the topic of the ethics of disclosure:
For more on the topic of ethical decision-making in general, please see the Markkula Center for Applied Ethics' framework for ethical decision making--and, for an introduction to its key concepts, download the free companion app!
[In the photo, left to right: Seth Schoen, Marisa Fagan, Abe Chen, Alex Wheeler, Manju Mude, Irina Raicu]
Dec 23, 2014