Since security intersects so much with privacy, cybersecurity ethics decisions should be on your mind at work.
Being part of a high-performing computer security incident response team (CSIRT) or security operations center (SOC) involves making big, intentional decisions. Increasing the maturity of your team is more than dropping a bag of shiny new tools and technology and then hoping for the best. One of the crucial components to building a successful CSIRT team or SOC are the people pulling the levers of this technology, and the culture in which they have to operate. Chances to train, improve your skill set and form clear career plans are key. Along with them, this culture should include a focus on cybersecurity ethics. You can enforce this with a cybersecurity code of conduct or an IT security code of ethics.
To stress its importance, some maturity frameworks include an entire category for the human aspect. Frameworks based on the Security Incident Management Maturity Model (SIM3) as laid forward by The European Union Agency for Cybersecurity (ENISA) in their CSIRT maturity assessment model and the Global Forum on Cyber Expertise (GFCE) maturity framework include an entire category for the human touch. This ranges from personal strength, skill set descriptions, training options, networking and one topic which is of interest here: codes of conduct. This topic covers a set of rules or guidelines for your staff on how to behave, perhaps outside work, as well as on the clock.
Security teams can be faced with ethical dilemmas in their daily tasks. How so? At first the job description might sound simple: keep the bad guys out. But the truth is deeper.
For example, in a workplace that allows employees to connect their own devices to the network (bring your own device or BYOD), how does your cybersecurity ethics code call for you to handle privacy? When searching for the sources of a data breach, are these personal devices and their content included? What do you do if you encounter data not in line with corporate policy? Or if you find questionable content?
How do you comply with a request to monitor the traffic of a person suspected of potential malicious actions? How can you then align this with human rights?
What do you do if you discover a risk in a common and critical safety component? To be specific, if the vendor does not respond to your requests for having the problem fixed, what do you do?
How do you deal with staff having beliefs strongly and vocally opposing the current government’s actions?
There are different approaches to answer these questions. To start, you can apply the principles of utilitarian ethics, a reason-based approach to knowing right and wrong. Utilitarian ethics is entirely focused on outcomes. It proposes that the actions that provide the greatest amount of good are the ethical choices. The problem is the outcome of future actions is often difficult to predict. This is especially the case in cybersecurity, where you have so many parameters to take into account.
Next, the rights approach has a strong focus on human dignity. It focuses on our ability to choose freely how we live our lives and make our choices. Judgment of actions is steered by how our actions affect the rights of those around us.
Lastly, the common good approach refers to actions taken or policies that are put in place in order to not only benefit a certain group of people, but also society as a whole. In practice, our decision would be based on how our actions would affect the common good of society or our group.
Note we did not include specifics on ethical hacking. Ethical hacking is legally breaking into computers and devices to test their defenses. In general, the same principles apply for ethical hacking.
So, how do you apply these ideas to cybersecurity ethics in the real world? Let’s look at the example about finding a flaw in a critical safety component. If the vendor refuses to acknowledge the problem and your estimate is that potential risk is trivial, what do you do? Responsible disclosure is certainly the recommended option.
What if this approach takes a very long time to warn potential victims? Would you take the chance of contacting potential victims proactively, with the risk of leaking details of the risk to the general public, including potential miscreants? On the other hand, hiding the vulnerability will not resolve the problem right away either.
Unfortunately, there is no black or white choice. You’ll often have to deal with dilemmas for which there is no clear answer. For these situations, you have to rely on the common sense of people and their own good judgment. There are a number of good practices and standards that you can use to support your staff.
The Forum of Incident Response and Security Teams (FIRST) has dedicated an entire working group on cybersecurity ethics. The group has formulated statements of responsibility, based on the understanding that the public good is always the primary goal. Each principle is augmented by guidelines, which explain how to understand and apply these principles.
Another standard that you can use is the CSIRT Code of Practice (CCoP), as made available by Trusted Introducer. The code contains a list of practices that a team or team member should or must adhere to. Often overlooked is also the fact that the General Data Protection Regulation (GDPR) contains rights for citizens, which can be translated into a code of practice.
The CCoP from Trusted Introducer is a ready-to-use document to define cybersecurity ethics. But, sometimes these documents can be too complex, and you might need a clearer approach. This can be done by first defining a set of canons, or ’10 commandments,’ and including them in the general policies of your group or team. You can use this list as a starting point, and then later on work toward a complete code of practice. Possible items to include in these commandments are:
Businesses and nations around the world have become more aware of the importance of digital protection and the possible negative outcomes of attacks. They heavily rely on the work done by CSIRTs and SOCs for keeping their systems and data safe and trustworthy. Because of this, security professionals should consider creating a standard code of cybersecurity ethics for business.