Kyle Chin
updated Aug 21, 2023
Cybersecurity is necessary to protect data from criminals. However, the world of cybersecurity is not so simple. Therefore, a discussion of cybersecurity ethics needs to examine the morality of businesses collecting, processing, using, and storing data.
How cybersecurity professionals affect security measures is also worth exploring. Businesses and individuals should ask themselves whether the ends justify the means and to what extent they are willing to sacrifice data privacy for data protection.
This post underlines the ethical concerns and cybersecurity issues surrounding information security policies, procedures, systems, and teams and how they ought to contribute to the well-being of consumers.
What Are Ethics in Cybersecurity?
Ethics can be described as ideals and values that determine how people live and, increasingly, how businesses and their employees work.
While it is far from the technical specifications of networks and device configurations, it is an increasingly important part of business operations. It can be codified and included in an organization’s framework, determining acceptable behavior throughout the company in any scenario.
One of the main benefits of a strong ethical foundation for a business is that it will have a moral compass to help make ethical decisions in a rapidly changing business environment. The world is experiencing massive changes in information technology with advancements in artificial intelligence, machine learning algorithms, 5G, and data collection and processing.
The cyber threat landscape is also rapidly evolving, and businesses must make critical decisions about protecting themselves and their clients. With cybercrime on the rise and emerging threats driven by new technology such as AI, businesses need to elevate their cybersecurity. Doing so without sacrificing the customers or clients they set out to protect requires a strong ethical foundation and a written code of conduct.
The ACM Code of Ethics and Professional Conduct
In 1992, the Association for Computing Machinery (ACM) developed its Code of Ethics and Professional Conduct for computer systems workers. While it is not mandated, except for members of the ACM, it can be a useful starting point for Chief Information Security Officers (CISOs) and other stakeholders to think about and take a stance on ethical practices when tackling sensitive cybersecurity issues.
The Code of Ethics was revisited and revised in 2018. While the cloud stands to make more updates in the face of 5G, AI, and other advances in computing, it remains a valuable resource for anyone seeking to define ethical standards concerning computer systems and technology.
Having a clear set of ethical principles is helpful because it can clarify and speed up important decision-making in an increasingly complex, rapidly evolving cyber threat landscape.
The ACM Code of Ethics is divided into four categories:
- General Ethical Principles
- Professional Responsibilities
- Professional Leadership Principles
- Compliance with the Code
General Ethical Principles
The General Ethical Principles section makes the following assertions about the role of computing professionals. Computing professionals should:
- Use their skills to benefit society and people’s well-being, and note that everyone is a stakeholder in computing.
- Avoid negative and unjust consequences, noting that well-intended actions can result in harm that they should then mitigate.
- Fully disclose all pertinent computing issues and not misrepresent data while being transparent about their capabilities to perform necessary tasks.
- Demonstrate respect and tolerance for all people.
- Credit the creators of the resources they use.
- Respect privacy, using best cybersecurity practices, including data limitation.
- Honor confidentiality, including trade secrets, business strategies, and client data.
Professional Responsibilities
The Professional Responsibilities section also says that computing professionals must prioritize high-quality services, maintain competence and ethical practice, promote computing awareness, and perform their duties within authorized boundaries.
- Strive to achieve high quality in both the processes and products of professional work.
- Maintain high standards of professional competence, conduct, and ethical practice.
- Know and respect existing rules pertaining to professional work.
- Accept and provide an appropriate professional review.
- Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.
- Perform work only in areas of competence.
- Foster public awareness and understanding of computing, related technologies, and their consequences.
- Access computing and communication resources only when authorized or when compelled by the public good.
- Design and implement systems that are robustly and usably secure.
Professional Leadership Principles
Professional Leadership pertains to any position within an organization that has influence or managerial responsibilities over other members and has increased responsibilities to uphold certain values set by the organization.
- Ensure that the public good is the central concern during all professional computing work.
- Articulate, encourage acceptance of, and evaluate fulfillment of social responsibilities by the organization or group members.
- Manage personnel and resources to enhance the quality of working life.
- Articulate, apply, and support policies and processes that reflect the principles of the Code.
- Create opportunities for members of the organization or group to grow as professionals.
- Use care when modifying or retiring systems.
- Recognize and take special care of systems that become integrated into the infrastructure of society.
Compliance with the Code
Of course, compliance with the Code of Ethics is the only way to ensure cybersecurity professionals uphold certain ethical standards. Without enforcement of the Code of Ethics or similar ethical considerations, it is impossible to document and recognize adherence to ethics and social responsibility.
- Uphold, promote, and respect the principles of the Code.
- Treat violations of the Code as inconsistent with membership in the ACM.
Corporate Social Responsibility and Cybersecurity
To compete with other businesses and delivery the user experiences that consumers expect, modern businesses are obligated to collect and process increasing amounts of data. This particular genie is already out of the bottle, so the question is not really whether big data should exist but how businesses use and protect data.
Cybersecurity helps prevent and mitigate data breaches and attacks that threaten information security, so it is crucial for public safety and well-being, as well as helping to ensure the longevity of businesses. There is so much at stake that cybersecurity professionals should be willing to come under scrutiny by those in and outside the field.
Cyber ethics encapsulates common courtesy, trust, and legal considerations. Acting ethically should protect individuals, organizations, and the wider economy. So it’s vital for cyber professionals and the organizations that employ them. The following considerations will explore what makes effective cybersecurity and explain how poor cybersecurity is not only ineffective but also potentially unethical.
Information Security
Businesses have a moral obligation to protect their customers and business partners. They benefit from data that allows them to operate and can give them a competitive advantage, but they need to protect that information from hackers and accidental leaks.
Unfortunately, businesses that are hacked are often at fault. While nobody deserves to be hacked, a business’s moral obligations to consumers are such that they are expected to have adequate cybersecurity for their computer systems and respond promptly and decisively in the event of a cyber incident.
Equifax’s 2017 cyber attack is a prime example of a business that damaged its reputation due to inadequate cybersecurity and poor response to attacks. It was hacked around May 2017 but did not disclose the breach until September.
While Equifax’s president for Europe said that protecting consumer and client data was always its top priority, it failed to follow through with patching a software security vulnerability it knew about in March and failed to let affected customers know so that they could take steps to protect themselves from phishing, identity theft, and other kinds of fraud.
Equifax’s human and technological failures compromised 14.5 million sensitive data records, including addresses, birth dates, driver’s licenses, and social security numbers. It also puts the firm’s morality into question, as it processes sensitive information and purports to help customers with their financial security, but its ineffective cybersecurity procedures put those people at risk.
Transparency
Ethically, businesses should be prepared to disclose the risks inherent to the business if they could substantially affect people, whether customers, business partners, or their supply chain.
Data breach reporting is a significant part of a business’s transparency. While reporting a breach highlights a business in crisis, failing to report promptly can lead to a more significant loss of trust, criticism from industry professionals, and sometimes, as in Equifax’s case, action from investigators.
Even if a business operates in an unregulated industry or a cyber attack does not cause business disruption or affect clients, reporting all data breaches is a worthwhile ethical consideration. The more businesses report cyber attacks, the more information there is for cybersecurity experts and industry professionals to share and learn from. This protects other businesses and their clients from emerging threats.
While revealing a vulnerability or data breach according to applicable regulations may not be necessary, there is a moral question as to whether this information should be shared regardless. Being transparent about discovering vulnerabilities can help all businesses protect their information systems and clients.
Cyber incidents are varied, and cybercriminals are continually researching new methods to apply and vulnerabilities to exploit. So how businesses respond to threats and potential threats needs to change on a case-by-case basis. However, they can base their decision-making on an explicit, underlying ethical framework that guides the business according to its values and corporate social responsibility.
While some businesses reject revealing data breaches “unnecessarily” for fear of losing trust or business, disclosing data breaches late can cause more damage and even harsh penalties. Handling a crisis professionally and ethically can even be good for a firm’s reputation, as in the case of Norsk Hydro’s handling of the fallout from its 2017 ransomware attack, which impressed industry professionals and cybersecurity experts.
Organizations and their cybersecurity teams can reap rewards from being proactive and enacting policies and procedures according to a defined, documented code of ethics.
Security vs. Privacy Protection
A prime ethical dilemma in cybersecurity concerns cybersecurity experts’ privileged access to sensitive information. In effect, they must understand how cybercriminals operate and be able theoretically to perform the same feats without crossing the line into the territory of black hat hackers.
Cybersecurity professionals set access privileges, monitor network activity, and can read people’s emails. They can scan machines and therefore can compromise and protect people’s personal lives.
Collecting data leads to ethical questions but so does protecting it. Ethically, everyone deserves dignity, which is tied in with privacy. But how do businesses achieve privacy when they collect customer data, and that data must be protected?
Social engineering and identity theft are among the biggest cyber risks to the public. This is partly because it can affect people beyond those whose data is stored. With stolen data, a cybercriminal can launch phishing attacks against the victim and their associates.
Keeping personally identifiable information (PII) secure, therefore, is paramount. However, that requires personnel to access and in some ways manipulate that data. Anyone working in cybersecurity is walking a tightrope of ethical issues every day. It’s helpful to acknowledge this so that grey areas can be defined and clients are reassured.
Confidentiality
Excellent cybersecurity is not just about technical standards. Cybersecurity professionals need to demonstrate their moral standards when handling sensitive data. During daily duties, cybersecurity professionals will have access to confidential data and files. This could include sensitive data such as payroll details, private emails, and medical records.
Intellectual property theft is one of the most costly cybercrime, as stealing a business’s product designs and concepts can give opponents an unfair advantage while saving them the massive cost and time investment of product development. Nation-states may sponsor cyber espionage to achieve this advantage, risking destabilizing the affected nation’s market and economy. Intellectual property theft can be a serious risk to human life in a critical infrastructure industry, such as defense or healthcare.
It almost goes without saying that cybersecurity staff shouldn’t say anything to the public about the confidential data and intellectual property they see, nor should they store or transmit it in any way that is not aligned with the business’s goals to protect data. “Almost” because ethical debates often involve bringing things out of the shadows and into the light.
An implicit understanding may not be enough to ensure the confidentiality of sensitive data. It’s better to have documented policies and procedures regarding confidentiality and the organization’s attitude to how cybersecurity interacts with personal data.
On April 13, 2023, federal investigators arrested Jake Teixeira, an air national guardsman, concerning the unauthorized transmission of classified US intelligence documents. Teixeira’s role in the Massachusetts Air National Guard was as a Cyber Transport Systems Journeyman responsible for maintaining communication networks.
While there are some claims that he acted as a whistleblower, he shared the documents in a small private group on a social media platform, not seeming to have intended to share it with a wider audience.
Nonetheless, this massive data security breach calls into question cybersecurity professionals’ commitment to upholding the law when faced with tempting confidential information. Cybersecurity teams must be continuously committed and engaged to perform their duties honorably, within the law, and according to the expectations of their employers.
Although The Association for Computing Machinery (ACM) developed a Code of Ethics and Professional Conduct for computer systems workers, ethics in cybersecurity is not regulated. Ethics can’t be ensured by law enforcement.
Having said that, unethical behavior can lead to fines, loss of revenue, and loss of customers, so businesses and cybersecurity professionals will benefit from addressing ethics seriously.
While there’s no handy accreditation that cybersecurity staff can achieve to attest to their honesty, hiring organizations should look at a cybersecurity firm’s history and culture for evidence of its ethical stance on cybersecurity.
Security
Cybersecurity professionals cannot have a lapse of concentration or a couple of days where they’re off their game and let things slide. Responsibility for others’ information security is a massive contractual and ethical responsibility. Almost no matter what the individual does, scrutiny will be on any assigned cybersecurity team or professional in the event of a cyber incident.
Cybersecurity professionals must maintain their competence level, respect sensitive information privacy, and uphold the well-being of those they serve. It requires honesty for these team members to evaluate their skills, abilities, and alertness and ensure that they take the appropriate action to stay on top of their game.
Ethical Hacking
Ethical hacking refers to sanctioned hacking by businesses onto their own systems to discover vulnerabilities and security gaps. Ethical hackers attempt to find vulnerabilities to exploit and break into information systems to fix those issues before cybercriminals find them.
But now imagine an ethical break-in, in which an ethical burglar break into people’s homes and then advises them on which locks they should have used and where to hide their laptops. Ethical hackers use illegal means to achieve positive results.
To protect data from hackers, particularly when they are using increasingly sophisticated methods and rapidly advancing technologies, cybersecurity professionals must use the same techniques. Cybersecurity programmers need to know how to commit crimes by black hat hackers, such as stealing credit card data. What stops them from doing this, however, is that ethical principles separate them.
Cyber professionals must be aware of computer ethics since what they do gives them access to privileged information. This is especially true for professionals working in critical infrastructure, including defense, healthcare, finance, and manufacturing, where the consequences of unethical actions regarding sensitive data could cause serious harm to individuals, organizations, and the economy.
Cybersecurity professionals and businesses that need them must understand cyber ethics and insist that a moral code is always evident in their attitude and behavior.
Whistleblowing
Before the dark web became known as a haven for hackers and cybercriminals to extort money, purchase malware, and prepare to commit multiple kinds of cybercrime, it existed in large part to protect whistleblowers.
Whistleblowing refers to someone reporting their organization’s wrongdoing, typically an employee. A whistleblower’s objection might be that the organization or someone in it is acting illegally, fraudulently, immorally, or without proper regard for safety or human rights. Furthermore, the issue should be in the public interest.
Public sector whistleblowers are protected by the First Amendment. Even so, whistleblowing might be considered a grey area when considering cyber ethics.
If a cybersecurity expert reveals confidential information to stop a harmful practice, the objective is good, but how they achieved this breaks the ethical confidentiality essential to that employee-employer relationship.
Edward Snowden famously blew the whistle on the National Security Agency’s unethical, invasive surveillance of innocent US citizens. While the former computer intelligence consultant and CIA systems administrator is a hero to many, his actions were criminal. The US Department of Justice charged him with stealing government property and violating the Espionage Act of 1917.
Jesselyn Radack, from the Government Accountability Project, argued that Snowden’s contract with the Government was less important than the social contract of a democracy.
Security vs. Functionality
While organizations have a responsibility to society to protect data, they need to balance this requirement with maintaining functionality. A technically workable cybersecurity solution is not necessarily the best if it prevents the organization from operating. This is a moral debate because organizations won’t always use the most secure cybersecurity practices or systems. Operating a modern business means navigating such trade-offs daily.
Cybersecurity experts have a responsibility to balance securing information and keeping organizations running. Some businesses need to be able to work quickly, such as in healthcare where the most robust security system could slow daily operations and risk human life. A holistic approach to information security is required based on thorough risk management.
