Ethical Issues in Cybersecurity
What is right and wrong in the world of cybersecurity is not always clear. Learn more about emerging ethical questions, like the balance between security and privacy in the digital space.
It’s a scary world out there in the Wild West of the internet, with viruses and worms and ransomware running amok, trying to crash our machines and steal our data—or our money.
So we hire cybersecurity experts to be the guardians at the gates, protecting our systems and information from those who would misuse them. We place a great deal of trust in these professionals who can assign and revoke passwords and access privileges, who can read our emails, track our web activity and scan our computers to reveal all their contents.
But should we?
Issues Facing Cybersecurity Professionals
On the one hand, we seem to have little choice in the matter. Most people’s lives don’t revolve around virus signatures and threat vectors; most of us use computers and smartphones and networks to do other things, so we have to entrust our security to the experts. However, we should understand that cybersecurity experts face special ethical issues that the rest of us may not ever deal with.
Confidentiality is a key ethical issue in cybersecurity. Security professionals will, by the nature of their profession, see and handle personal, private or proprietary information that should be kept strictly confidential. People working in these fields may be tempted to reveal whatever juicy gossip they discovered while running a virus scan on somebody’s hard drive, but doing so could ruin that person’s career or personal life. Cybersecurity professionals should follow what has been called the “butler’s credo”: The butler never tells.
Security is another ethical issue, which may sound redundant when speaking of a cybersecurity professional, but think of it this way: If we’re all responsible for following appropriate cybersecurity procedures in our own lives, take your personal level of responsibility and multiply it by 100. That’s the security responsibility of a cybersecurity professional. If most people leave their computer unattended or neglect to perform a scheduled update, it may not be a big deal; but for a cybersecurity expert, that could be a severe ethical lapse. They, more than anyone, are obliged to keep devices, data and networks secure.
The Ethics of Whistleblowing
Let’s say you work for a company that mostly does good work, but one business unit is involved in something you think is ethically wrong. If you steal electronic documentation of the business’ shady practices and provide it to the media or law enforcement, you could shine a light on their wrongdoing and hopefully put a stop to it. You’ve done what you think is a good deed—or at least you’ve done a questionable deed to achieve a good result. Congratulations, you're a whistleblower. But does the end justify the means? Have you behaved ethically?
The answer, of course, depends on the details of the situation, as well as whom you ask. To many people, Edward Snowden is a hero who discovered that the National Security Agency was conducting unethical surveillance on innocent Americans. The fact that he had to steal the documentation of these practices in order to provide it to the public is almost entirely beside the point. To others, he is a criminal (that part is beyond dispute) and a traitor who endangered the lives of intelligence agents working for the United States and its allies by revealing classified information about clandestine operations. Did he behave ethically? What do you think?
Threats to Privacy
Privacy concerns are intertwined with cybersecurity issues in a complex relationship. Cybersecurity is intended to defend us against such threats as ransomware and identity theft, two forms of hacking that depend on deeply violating a user’s privacy. Think about all the high-profile data breaches that have happened recently: Target’s 70 million credit-card transactions recorded by thieves, Facebook’s 87 million user records compromised by Cambridge Analytica, Equifax’s 143 million credit records stolen by unknown parties.
Organizations that possess personal information about their users are ethically responsible for protecting that information from hackers. Unfortunately, in many high-profile data breaches the organizations that got hacked were at least partially at fault. For instance, in Equifax’s case, the firm was initially hacked through a consumer complaint web portal on the company’s site. The attackers used a widely known vulnerability that Equifax should have already patched. However, the company’s internal processes for rolling out patches were insufficient or were not being followed, causing the vulnerability to remain unpatched and leaving the door wide open for the hackers to get busy stealing.
In a world where unauthorized access is a fact of life, we need security measures to protect our devices, data and networks. However, sometimes the security we implement to protect our privacy can wind up violating it instead, as when Edward Snowden found that the NSA was collecting far more data than the agency’s director had admitted to Congress. One of the main reasons Snowden stole classified files from the NSA and provided them to the public is that he felt the agency was collecting too much information on the wrong people. In other words, he believed that the NSA was violating the privacy of law-abiding Americans for no good reason.
Wrestling With the Dilemma
How do we balance the need to be secure with the need to protect our privacy? How do we determine the extent of an organization’s ethical responsibility to safeguard our information or respect our privacy—and how do we hold them accountable? The first step we all need to take is to value privacy as a worthy end in itself. The notion that people are entitled to privacy stems from the ethical idea that humans have intrinsic worth and dignity. Beings with dignity are entitled to privacy, both in person and online. To behave or believe otherwise would violate our most deeply held ethical principles.
That’s the starting point for a set of ethical debates that we have to have. We may never arrive at a solution that pleases everyone, but at least we’ll be asking the right questions and moving in the right direction: greater safety, security and privacy for us all.
“Equifax data breach FAQ: What happened, who was affected, what was the impact?” CSO. October 2019.