Ethics in Cyber security

Linux Foundation, which is the core of the open-source community, took the unprecedented step of banning the entire University of Minnesota from contributing to the Linux kernel

• Linux is a widely used operating system found in everything from servers to cell phones
• In February 2021, a team from UMN published a research article outlining how they systematically and stealthily introduced vulnerabilities into open-source software.
• They did this through comments that appeared beneficial but, in actuality, introduced critical vulnerabilities. Though stating it targeted open source as a whole, much of the researcher’s attention was aimed at the Linux Kernel.
• The Kernel is the foundation of the operating system and manages the interactions between hardware and applications.
• The open-source community is built upon the principles of trust, cooperation and transparency.

What is Cybersecurity?

• Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
• Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.

Ethical issues and challenges for cybersecurity

• There is a widening gap between demand and supply of qualified cyber security professionals. This quite often leads to the rushed recruitment and onboarding of new cyber security staff, and potentially, a lack of guidance provided to the new recruit on ethical decision-making and expectations.
• Organisations need to consider whether they have appropriate controls and processes in place to safeguard the integrity and privacy of their customers and their data. A key question to ask would be: what would the result to the customer be if this information was compromised?
• If a company’s data is compromised, it may face lawsuits, reputational damage, and questions about its ethical standards. Delaying a public announcement can compound these consequences, at the cost of saving the image of organisation.
• Another consideration is the customer’s right to their information. This is particularly important when considering how long user data should be stored.
  • Should it be deleted immediately after its use?
  • If it is kept, how will it be secured?
  • An even thornier question is what happens to the data when the user dies?
  • Should their family be able to gain access to it?

Why upholding highest standards of ethics is important in the field of cybersecurity?

• Two case studies are presented that reflects the opposite ends of the spectrum of ethical decision-making in response to cyber security incidents and the effects the wrong decision can have on an organisation.
• Yahoo was in the middle of being acquired by Verizon in 2017 when it disclosed it had discovered three data breaches in 2013 and 2014 that affected over one (1) billion users. Unfortunately, these data breaches were not disclosed until late 2016 after the original Verizon acquisition deal had been agreed to, but not yet paid for. The original deal between Verizon and Yahoo was worth USD 4.8 billion, and after the data breaches were disclosed, Yahoo’s worth was slashed by an incredible USD 352 million. The Security and Exchange Commission (SEC) also investigated Yahoo for waiting too long to notify victims of the data breach, and whether Yahoo violated SEC securities legislation by not providing documents to the SEC related to the data breaches. Yahoo continues to be liable for half (50 percent) of any debts incurred from third-party litigation and regulatory fines.
• The Yahoo breaches and their lack of ethical behaviour concerning the notification of victims and regulatory bodies is an apt example of the damage that can occur when behaviours are not governed by ethical principles.
• On the other end of the spectrum of ethical decision-making sits the Australian Red Cross. The Red Cross suffered a data breach of over 550,000 blood donor’s details, including name, address, date of birth, gender, and information regarding sexual history. The data was inadvertently published by a third-party contractor to an online public-facing application form.
• The Red Cross immediately disclosed the data breach to affected donors and to the Australian Government CERT (Computer Emergency Response Team). Not only did the Red Cross avoid any fines for the data breach, but they also received an extraordinary commendation for their response efforts by the Commissioner of the Office of Australian Information Commission, Timothy Pilgrim. The assurance that the Red Cross provided donors served to increase their reputation for transparency and trust within the Australian community.

Conclusion

• The new world of information society with global networks and cyberspace will inevitably generate a wide variety of social, political, and ethical problems. Many problems related to human relationships and the community become apparent, when most human activities are carried on in cyberspace.
• Some basic ethical issues on the use of IT on global networks consist of personal privacy, data access rights, and harmful actions on the Internet. These basic issues have been solved partially using technological approaches, such as encryption technique, SSL, digitalIDs and computer firewalls.
• Besides these protection technologies, legal laws are also needed in cyberspace to address hundreds of countries, which are incorporated into one global network. Guidelines and strategies should be implemented so that global information can be exploited in a socially and ethically sensitive way for our future benefit and applications.