Download PDF Fall Issue of The Bridge on Cybersecurity September 19, 2019 Volume 49 Issue 3 This issue features selected papers intended to provide a basis for understanding the evolving nature of cyber-security threats, for learning from past incidents and best practices, and for anticipating the engineering challenges in an increasingly connected world. EES Perspective When White Hats Wear Black Hats: The Ethics of Cybersecurity Thursday, September 19, 2019 Author: C. Dianne Martin Codes of ethics for computer professionals have been evolving over the past four decades. The profession of computer science has matured to the extent that well-developed ethical principles have emerged to guide the general practice of the discipline. Background Since the first code of computer ethics was adopted by the Association for Computing Machinery in 1973, there has been a realization across the profession that the hardware, software, and networking systems developed by information technology (IT) experts are embedded with serious social and ethical implications, and those who develop and maintain them must adhere to a high moral standard if the interest of a dependent public is to be protected. This is particularly true in the area of cybersecurity, where the tools used by the guardians of cyberspace are often the same as those used by perpetrators of evil intent. The technical capabilities of computers in general and the internet in particular continue to develop rapidly beyond the human ability to guarantee a safe and ethical environment in cyberspace. While legal, medical, accounting, and other established professions have legally binding codes of conduct overseen by longstanding regulatory bodies, IT security professionals have yet to establish formal guidance or universal checks and balances. In addition, the industry lacks an independent register maintained by an oversight entity to determine who can practice ethical hacking or security research. Cyberspace is plagued with rogue individuals, groups, and even state-sponsored actors intent on fraud, crime, espionage, damage to infrastructure, even terrorism. This causes the cybersecurity landscape to shift quickly as organizations seek to fill a growing gap for security experts amid a shortfall of skilled graduates (Knowles 2016b). To combat this threat, it is necessary to train computer security experts along two fronts. The first is to provide the technical training to use the same tools and strategies as the bad actors in order to neutralize such threats. The second, often neglected, is to provide rigorous ethical training for cybersecurity professionals. In this charged climate, the tendency is to focus on fast-tracking the development of technical knowledge in order to deploy new talent to the front line quickly, not considering the lack of maturity of the new recruits, who may end up abusing their abilities. Lacking awareness of the context of cybersecurity ethics, many have to defer to their personal moral compass, which can lead to mistakes as often as it leads to good decisions. “Rainbow of Hackers” In addressing this issue, Aidan Knowles (2016a), an Ethical Hacking Engineer for IBM in Ireland, defines what he calls the “rainbow of hackers”: black hats (the bad guys), white hats (the good guys), and grey hats (somewhere in between): Generally, white-hat and black-hat hackers do similar tasks. Both target applications, networks, computer systems, infrastructure and occasionally even people; often, both camps use the same tools and resources. But their work is not completely homogeneous, differentiating on some major points—including motivation, permission, legality and time. A white hat is commonly employed or contracted to carry out an attack under explicit permission and clear-cut boundaries. The goal of white hats’ work is to research, find and test vulnerabilities, exploits and -viruses in their defined targets. The findings of these professional engagements are reported directly to the target to enable them to fix any holes and strengthen their overall security posture. White hats are also sometimes involved in developing security products and tools…. In contrast, black hats cause great intentional -damage and profit at the expense of their targets.… [They include] cybercriminals, cyber spies, cyber terrorists and hacktivists…. Malicious actors may not always be operating externally from their victim. Research suggested that the insider threat within an organization’s networks and premises, including from current or -former -employees and contractors, is responsible for a large portion of successful hacks. To carry out attacks, black hats may develop their own malicious tools but will fre-quently employ or repurpose existing white-hat software. Grey hats, as the name suggests, are more ambiguous in their definition. Their work may be classified as leaning toward good or bad on the spectrum depending on your perspective. The term grey hat is sometimes used to describe those who break the law but without criminal intent. This definition may include cyber vandals who deface websites and so-called rogue security researchers who publicly share discovered vulnerabilities without notifying or receiving prior permission from their -targets. Without clear ethical standards and rules, cyber-security professionals may be almost indistinguishable from the black-hat criminals against whom they seek to protect systems and data. Standards and Codes of Ethics At present cybersecurity managers have to rely on repu-tation and background checks to determine the trustworthiness of potential hires. If new hires betray this trust by behaving unethically, there is no third-party committee or board to evaluate the consequences of these actions and to rule in the context of the profession as a whole. In most cases, rogue security professionals cannot be struck from a register or removed from a database because an industrywide database does not exist. What are appropriate ethical standards for cyber-security experts and how can those standards be integrated in their training and job experiences? -Several associations—the Information Systems Security Association (ISSA), International Information Systems -Security Certification Consortium [(ISC)²], and -SysAdmin, Audit, Network and Security (SANS)—have voluntarily developed ethics codes for cyber-security (those of ISSA and (ISC)2 are reproduced below). However, in general industry professionals are not required to subscribe to these bodies or adhere to their codes of conduct. The exception is the (ISC)² Certified Information Systems Security Professional (CISSP), who could lose this certification if evidence reveals violation of the (ISC)² Code of Ethics. ISSA Code of Ethics To fill the compelling need for an ethics code for cybersecurity professionals, the Information Systems Security Association was the first to establish the following Code of Ethics[1] for its members in 2006: Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles; Promote generally accepted information security current best practices and standards; Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities; Discharge professional responsibilities with diligence and honesty; Refrain from any activities which might constitute a conflict of interest or otherwise damage the -reputation of or is detrimental to employers, the information security profession, or the Association; and Not intentionally injure or impugn the -professional reputation or practice of colleagues, clients, or employers. Although the code is quite general, it does provide a moral framework for ethical cybersecurity practice based on the principles of integrity, respect for confidentiality and privacy, and avoidance of conflicts of interest. (ISC)² Code of Ethics Similarly, (ISC)² recognized the need for an ethics code to cover its certification of expertise in cybersecurity. Information security professionals certified by (ISC)² are informed that such certification is a privilege that must be earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support the (ISC)² Code of Ethics. Members who intentionally or knowingly violate any provision of the code are subject to action by a peer review panel, including possible revocation of certification. (ISC)² members are obligated to follow an ethics complaint procedure to report any action by another member that breaches the code. There are only four mandatory -canons in the code, which are high level and general. The (ISC)² Code of Ethics Preamble and Canons[2] are shown below: (ISC)² Code of Ethics Preamble: The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification. (ISC)² Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession. The basic elements of the canons are similar to all codes of ethics for IT professionals: the need to serve and protect a dependent public, the requirement of competence to perform the work, and a focus on overall integrity. As stated on the (ISC)² website, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional. Examples of Actions Requiring an Ethical Response Using the general ethical principles delineated by ISSA and (ISC)² as guidelines, following are examples of inappropriate (“low road”) and appropriate (“high road”) actions that fall within typical cybersecurity duties (Martin 2017; Tull 2016). Denial of Service Attack Recovery In the course of doing firewall security scans, the security team may discover a port call that results in a denial of service (DoS) attack. The low road response to such an attack is to hack and attack back at the host. However, that could result in other sites being caught in the DoS crossfire. The high road response—in keeping with ISSA standards 1 and 2 as well as (ISC)² canons 1 and 2—is to block the attack and gather forensic evidence to respond to it legally and ethically. Penetration Testing and Response Cybersecurity professionals often do penetration testing to determine the robustness of firewalls and security features in a system. If they detect a weakness or vulnerability that could allow a remote hacker to take control of the system and cause significant harm, there are two possible responses. The low road response is immediate full -disclosure—publishing full details of the vulnerability as soon as possible and making the information available to everyone without restriction. This could enable -black-hat -hackers to exploit the weakness before it is fixed. The high road response, “responsible disclosure,” is more nuanced. Responsible disclosure requires the security expert to confidentially report the weakness to the company, work with the company to develop a fix -within a given timeframe, and then publicly disclose the vulnerability and the fix at the same time (Tull 2016). This response would be in keeping with ISSA standards 3, 5, and 6 and (ISC)² canons 1 and 3. Fighting Malignant Worms with Benign Worms A cybersecurity expert believes that a benign worm might be able to patch a known vulnerability, -inoculate systems to protect them from a malignant worm, and keep it from spreading. Should she release it “in the wild”? The low road decision would be to release it and hope for the best. The high road approach, consistent with ISSA standards 2, 4, and 5 and (ISC)² canons 1, 2, and 4, would be to make the benign worm code publicly available with caveats that knowledgeable professionals should use it with care. Conclusion Cybersecurity experts—the white hats—work with sensitive data, have access to company and national secrets and generally wield much power over networks, systems, and data. How individuals handle this responsibility comes down to their ethical yardstick, and reinforcing that ethical yardstick is a fundamental responsibility of the programs that train these experts. One way to move in this direction would be to require certification for all cybersecurity experts, with man-dated ethics training and periodic updates to this training required to maintain certification. Although this would not be a guarantee to prevent malicious hacking, it would at least ensure that all trained professionals were made aware of ethical issues related to the exercise of their technical skills. It is very likely that rogue actors will continue to proliferate on the internet regardless of the presence of legally binding codes of conduct and other measures, just as criminal acts persist even in the presence of well-established legal systems. This makes an even stronger case for rigorous ethics training to be required for all cybersecurity professionals as one line of defense against such attacks. In a recent comprehensive white paper on cyber-security and ethics (Yaghmaei et al. 2017, p. 3), the authors observe that the ethics of cybersecurity is not an established subject. In all domains, cybersecurity is recognized as being an instrumental value, not an end in itself, which opens up the possibility of trade-offs with different values in different spheres. The most prominent common theme is the existence of trade-offs and even conflicts between reason-able goals, for example between -usability and security, accessibility and security, privacy and -convenience. They go on to state that one of the most important features of cybersecurity is to sustain trust in institutions and maintain the integrity of data. Given the -inherent tension between possible end goals and the importance of preserving overall trust in the internet, it can be argued that developing ethically aware cybersecurity experts is as important as developing technically competent cybersecurity experts. Acknowledgments The author gratefully acknowledges the thoughtful suggestions and edits made to improve this article by Keith Miller, University of Missouri–St. Louis, and The Bridge’s managing editor, Cameron Fletcher. References Knowles A. 2016a. How black hats and white hats collaborate to be successful: The hacker rainbow. Security Intelligence, May 4. Online at https://securityintelligence.com/how-black-hats-and-white- hats-collaborate-to-be-successful/. Knowles A. 2016b. Tough challenges in cyber-security ethics. Security Intelligence, Oct 12. Online at https://-securityintelligence.com/tough-challenges-- cybersec urity-ethics/. Martin CD. 2017. Black hat, white hat: The ethics of cybersecurity. ACM Inroads 8(1). Tull J. 2016. A Snapshot in Cybersecurity Ethics. Formerly available at http://informationassurance.regis.edu/ia--programs/ resources /blog/cyber-security-ethics. Yaghmaei E, van de Poel I, Christen M, Gordijn B, Kleine N, Loi M, Morgan G, Weber K. 2017. CANVAS White Paper 1: Cybersecurity and Ethics. Vrije Universiteit -Brussel. Online at https://ssrn.com/abstract=3091909. This column is produced in collaboration with the NAE’s Center for Engineering Ethics and Society to bring attention to and prompt thinking about ethical and social dimensions of engineering practice. [1] https://www.issa.org/issa-code-of-ethics/ [2] https://www.isc2.org/Ethics About the Author:Codes of ethics for computer professionals have been evolving over the past four decades. The profession of computer science has matured to the extent that well-developed ethical principles have emerged to guide the general practice of the discipline.