As media headlines have been dominated by the launch of Star Wars: The Force Awakens and shenanigans (or worse) with voter data by Bernie Sanders' political campaign, I pondered the question: what do these recent news stories have in common?
Without going into the specific details of what happened (especially in the new movie), a few possible answers include:
- We have seen the enemy, and they are us. Or, not all data breaches come from foreign hackers, organized crime or other “outsiders” with malicious intent.
- Security controls and even technology training have limitations. Or, Darth Vader (and several other Jedi Knights) were well-trained – but used their skills to go over to the “dark side.”
- There are shades of gray that technology professionals face in their daily duties that often get darker if not exposed and corrected early enough. Or, “the road to hell is paved with good intentions.”
Ethical Challenges for Security Professionals
Oftentimes, security pros quietly think they are above Internet laws, company rules and regulations. As the cyber police, bending a policy may seem acceptable, as long as no one catches you in the process. Sometimes, it may even seem to be required – like the state police needing to speed to catch a car going 100 miles per hour.
Beyond cyber war and the good guys having the right tools to catch the bad guys, there can be a tendency to ignore “more mundane” acceptable use directives. That is, security staff can download copyrighted material, view porn at work, look at private information, “borrow” passwords or delete log files to cover their tracks, etc. These acts may almost be viewed as “the spoils of war.” Hackers come across this data once as part of their job, and later they become accustomed to accessing it freely.
But actions have consequences. Much like Anakin Skywalker’s turn to the dark side, this is a slippery slope.
The reality is that the smarter you are, the more you advance as a cyber security expert, the farther you go as a hacker, the greater your temptation will be. As you learn what the enemy does and how they do what they do (in order to stop them), the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads. Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he/she take a bit of the money while no one is looking? It seems so easy, so close and perhaps even innocent.
Sadly, I have seen talented security and technology professionals disciplined for inappropriate behavior at home or work such as stealing property, downloading files or distributing child porn. I personally know technically savvy staff members who are in jail, and I must say that I never would have guessed that certain “experts” would turn to the dark side. Additionally, I have read and heard about dozens of such cases. People are blinded to their own deceitfulness.
Avoid the Dark Side
So what can be done to strengthen the ethical culture in your situation?
First, we need to be aware of the problem. Ethics is important, not only for my children when on Facebook, but perhaps even more vitally for veteran security and technology professionals who know how to beat the system.
No doubt, we are all susceptible to slipping, and being honest about the challenges and temptations is a good start. Understanding that these situations will arise and discussing appropriate actions with your team is a good initial step.
Here are a few other ways to help in this area:
- Seek advice from respected colleagues regarding practical ethical behavior as a security pro. Find one or more accountability partner(s) who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists, athletes, and other experts are accountable to teachers or coaches. Everyone who strives to improve needs accountability.
- Find a trusted mentor who you admire in the industry. Make yourself accountable to this person regarding the direction of your professional career decisions.
- Practice these seven habits of online integrity.
Bottom line, cyber ethics is not just an academic topic or a class you once took to get a computer degree. Cyber ethics are the brakes that enable us to traverse cyberspace safely.
About the Author:
Dan Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Lohrmann has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
Lohrmann joined Security Mentor, Inc. in August, 2014, and he currently serves as the Chief Security Officer (CSO) and Chief Strategist for this award-winning training company. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors.