Abstract: We present our statement of ethics, and a brief discussion of what ethics is in the context of cyber security. In this article, there are many more questions than there are answers. Our goal in including the topic of ethics in a course on Internet security is to raise your level of awareness even when we cannot provide clear-cut answers to ethical dilemmas you may have. We also require reading of the codes of ethics of ACM and IEEE.
Engineering education always includes a course or two on ethics. A course like ours must include a discussion even if we cannot deliver satisfactory answers.
From www.merriam-webster.com:
Main Entry: eth·ic
Pronunciation: 'e-thik
Function: noun
Etymology: Middle English ethik, from Middle French ethique, from Latin ethice, from Greek EthikE, from Ethikos
Date: 14th century
1 plural but singular or plural in construction: the discipline dealing with what is good and bad and with moral duty and obligation
2 a: a set of moral principles or values
b: a theory or system of moral values <the present-day materialistic ethic>
c plural but singular or plural in construction: the principles of conduct governing an individual or a group <professional ethics>
d: a guiding philosophy
The Macquarie Dictionary says: ethics - a system of moral principles, by which human actions and proposals may be judged good or bad or right or wrong (may refer to a particular class of actions - e.g. professional) [derived from a Greek word meaning moral] morals - principles or habits with respect to right or wrong conduct [derived from a Latin word meaning manners or customs]
A few years ago, sociologist Raymond Baumhart asked business people "What does ethics mean to you?" [from www.scu.edu/ethics/] Among their replies were the following:
"Ethics has to do with what my feelings tell me is right or wrong."
"Ethics has to do with my religious beliefs."
"Being ethical is doing what the law requires."
"Ethics consists of the standards of behavior our society accepts."
"I don't know what the word means."
These replies might be typical of our own. The meaning of "ethics" is hard to pin down, and the views many people have about ethics are difficult to articulate. Like Baumhart's first respondent, many people tend to equate ethics with their feelings. But being ethical clearly is not a matter of following one's feelings. A person following his or her feelings may recoil from doing what is right. In fact, feelings frequently deviate from what is ethical.
Ethics and religion are often coupled in one's mind because of our upbringing. But ethics is not confined to religion, nor is it the same as religion. Most religions, of course, advocate high ethical standards. Ethics applies as much to the behavior of an atheist as to that of the saint.
Being ethical also is not following the law. The law often incorporates ethical standards to which most citizens subscribe. But laws, like feelings, can deviate from what is ethical. American pre-Civil-War slavery laws and the apartheid laws of South Africa are grotesquely obvious examples of laws that deviate from what is ethical.
As you can see, these paragraphs are not helpful in distinguishing between "ethics" and "morals".
Practical ethics through basic philosophy includes three elements: ethical thought, ethical definition, and ethical values. If a person conceives of engineering activity, say, as only making money, then that person's definition of practical ethics, actions and values will be guided by this basic philosophical position. Ethics is defined as a set of rules that distinguish right conduct from wrong conduct.
Being ethical is not the same as doing "whatever our society accepts." In any society, most people accept standards that are, in fact, ethical. But standards of behavior in society can deviate from what is ethical. An entire society can become ethically corrupt. Nazi Germany is a good example of an ethically corrupt society.
Ownership of many things, such as your car, books, computer, etc., is usually quite clear. Do you own the air? When you buy a piece of software, what is it that you own? The use of it? Anything beyond that? If you could reverse engineer the source code of the program, is the source now yours?
We are also usually clear that we must not enter someone's house just because they left their back door wide open. If my files are open for reading, should you assume that you are allowed to read them? What if they were also writable? If my computer account has no password, should you log in as me?
It is a commonly held belief that there is nothing wrong in sharing something that "is yours." Whereas loaning a book or a CD to a friend is never considered unethical, placing the content of the same on the web and sharing it is often considered unethical and illegal.
Nearly all present-day effort in Internet security, whether "securing" computer systems, networks, web sites, etc., is an attempt by owners to protect that which is theirs.
You stole it from me, so I can steal it back. Is this attitude ethical?
From Wikipedia: "Tit for tat is an English saying meaning 'equivalent retaliation'. It is also a highly effective strategy in game theory for the iterated prisoner's dilemma. It was first introduced by Anatol Rapoport in Robert Axelrod's two tournaments, held around 1980. An agent using this strategy will initially cooperate, then respond in kind to an opponent's previous action. If the opponent previously was cooperative, the agent is cooperative. If not, the agent is not. This is similar to superrationality and reciprocal altruism in biology."
"An eye for an eye makes the whole world blind." -- Mahatma Gandhi.
Suppose you have come across a behavior of a colleague that in your mind is clearly unethical. Should you squeal? Why is it that squealing has such a negative connotation?
Under what circumstances is it either permissible or required for a technician repairing a computer to report the contents of files found there? A case [Journal of Information Systems Education, 11, Summer-Fall 2000, pp. 121-126] of the firing of a dean of the Harvard Divinity School who had pornographic files on his university-owned computer raises questions of privacy and whistle-blowing.
In the context of cyber security and privacy, let us focus on ethics only, not on morality.
It appears that the word "hacker" has become synonymous with "attacker", at least in the news media. We are still trying to keep the word and have it refer to a person with good intentions.
To computer wizards, the term "hacker" is reserved for unusually clever programmers. To them, the electronic burglars who break into computers aren't hackers but intruders, attackers or "crackers."
Theft of services: Every system offers some type of service, and if a hacker has a use for it, they will hack the system. Examples of such systems are on-line information networks. The question of entitlement may not occur to them.
Take valuable files: The second reason a hacker may hack into a system is to take valuable files, e.g., credit-card numbers or information on the operation of telecommunication and other systems. Such hackers are clearly aware that their activity is unlawful and that they can be prosecuted.
Vengeance and hate: Another reason for hacking is vengeance and hatred. Causing harm to people and systems belongs here.
Thrill and excitement: The fourth reason hackers break into systems is for the thrill and excitement of being somewhere you are not authorized to be. This accounts for the vast majority of "true hacking".
For knowledge and experiment: The final reason why hackers do what they do is just for knowledge and experiment. Hackers learn a great deal every time they break into a new type of system.
Steven Levy published this book in 1984. The Editorial Reviews at Amazon.com describe the book as follows.
"Steven Levy's classic book explains why the misuse of the word "hackers" to describe computer criminals does a terrible disservice to many important shapers of the digital revolution. Levy follows members of an MIT model railroad club--a group of brilliant budding electrical engineers and computer innovators--from the late 1950s to the mid-1980s. These eccentric characters used the term "hack" to describe a clever way of improving the electronic system that ran their massive railroad. And as they started designing clever ways to improve computer systems, "hack" moved over with them. These maverick characters were often fanatics who did not always restrict themselves to the letter of the law and who devoted themselves to what became known as "The Hacker Ethic." The book traces the history of hackers, from finagling access to clunky computer-card-punching machines to uncovering the inner secrets of what would become the Internet. This story of brilliant, eccentric, flawed, and often funny people devoted to their dream of a better world will appeal to a wide audience."
Levy in this book lists the following hacker tenets:
Do you subscribe to any of them? Why? Why not?
Preamble: Hackers are diverse, from all cultures and backgrounds. Every hacker is unique, yet we all share some characteristics. While not every hacker follows this Code, many believe it is a fair description of our shared traditions, goals and values.
Hacktivism now has an entry in Wikipedia. As with any controversial topic, we should understand their views. Hacktivists believe in a form of altruistic justice.
Here are a few examples. Each of you needs to discover your own answers, and the answers that our community gives, and how they change over the years.
Presently she is designing a database management system for the personnel office of a medium-sized company. Diane has involved the client in the design process, informing the CEO, the director of computing, and the director of personnel about the progress of the system. It is now time to make decisions about the kind and degree of security to build into the system. Diane has described several options to the client. Because the system is going to cost more than they planned, the client has decided to opt for a less secure system. She believes the information they will be storing is extremely sensitive. It will include performance evaluations, medical records for filing insurance claims, salaries, and so forth.
With weak security, employees working on microcomputers may be able to figure out ways to get access to this data, not to mention the possibilities for on-line access from hackers. Diane feels strongly that the system should be much more secure. She has tried to explain the risks, but the CEO, director of computing and director of personnel all agree that less security will do. What should she do? Should she refuse to build the system as they request? (Adapted from: Johnson, D. G. Computer Ethics, Second Ed. Prentice Hall, Englewood Cliffs, N.J., 1993.) [From http://www.onlineethics.org/privacy/scene3.html]
I expect all those attending our class to abide by the following statement. I welcome improvements to the statement.
In this course, I am learning computer-security principles. It is a semester-long course, with a prerequisite of operating systems and general understanding of computer networks. I realize that this learning is just a beginning. I also realize that the tools and techniques that I learn can be put to illegal and unethical use. Therefore, I am signing the following statement.
Name of the student:
Signature and Date:
One way that we can all be ethical humans is to have/learn/teach no skills. Suppose a tool T presents not much of a case of how it can be used ethically but it is almost immediately obvious how it can be used unethically. Should a university course teach T? There are many readily-available cyber security tools that have the attributes of T. Should a teacher be solely focused on imparting techniques and ignore how a student may use them? Can we be sure that a student who signed the above statement will adhere to it? For how long?
These lecture materials are gleaned from many sources. All are presented after careful reading. In some cases, I may have neglected proper attribution. I assure the reader it is not because I claim authorship. Indeed, in the lectures there is hardly anything new that I have contributed. Suggestions for improvement are always welcome.