Friday, March 2, 2012

The importance of Ethics


I have been working in Information Technology for over a decade; throughout my career as an "IT security guy" I have received many questionable requests. They run the gamut from individuals to government bodies asking one of the following questions:


1. Can you hack into so-and-so's e-mail and screw with them for me?
2. Can you get me free software / movies / music? (asked by friends and employers alike)
3. Can you find out so-and-so's password to this or that resource?
4. Can you take on this project that is a potential liability and possibly illegal, but must be done by our group?


What are morals? What is ethical? Certainly many great men and women before me have spent lifetimes of study in philosophy arguing the benefit of the populace over that of the individual, or deontological versus utilitarian views, and many doctors of philosophy have argued the virtues and differences between Kant, Descartes, Camus, Wittgenstein and Popper (Edmonds and Eidinow)1. Confucius, Plato and Sun Tzu pontificated on what might be ethical two thousand years before we crawled out of the Dark Ages. There are countless diatribes on the application of ethics and morality to any given problem. Generally, morality may be best summarized as "the right thing to do for all parties concerned in a specific situation."

In the cases of war and medical research the water gets muddy and murky very quickly. Is it ethical to test cosmetics on any mammal when near-perfect computer models exist? Is it ethical to test potentially fatal cancer treatments on humans who are not sick? The whole goal of total war is to eliminate the threat posed by an opponent, which less than 75 years ago meant another industrialized nation; as we have seen, modern warfare views civilian casualties as "collateral damage" instead of "innocent bystanders".


With respect to security research, when (if at all) it is acceptable to publish vulnerabilities in software is a matter of great debate. The CERT coordinated-disclosure process is designed to give the vendor time to fix or patch the issue before it causes grievous harm to its clients. Cisco went to court in 2005 to stop a researcher, Michael Lynn, from presenting a vulnerability in the software running its routers and switches, and the FBI opened an investigation into him afterwards (Schneier)2.


There are many considerations I make when I receive the above requests. One is whether I am being asked to conduct a formal forensic investigation. I am not a forensics expert, but usually law enforcement and private investigators will violate a person's right to privacy as part of a justified investigation where immediate grievous harm may be present. These are conducted where warrants have been granted to process digital assets; this includes people engaging in fraud, people who have threatened acts of terrorism or violence against others, or people who are at risk of causing harm to others. In these situations, and only these situations, would I even consider recovering someone else's password and divulging it to the appropriate parties.


My particular experience where I chose not to engage a client, and so avoided legal and political liability: we had received a request from a potential client to help revise a medical records database in clear violation of the law. The client had asked me to update a platform they were using as an interim measure while they waited on a software release that complied with privacy and administrative legislation. Suffice it to say that this information has recently become politically sensitive. At the time, I mentioned to our client during the initial meetings that their actions to circumvent the required process and procedures might land them in jail, given the sensitive nature of the records management involved and the contravention of the privacy act, not to mention that the associated disclosure risk was at a political level.


I declined the contract offer and told the consultancy I was working for that if they engaged that client on that project it would quite literally result in legal action in the future if it were uncovered by an inquiry or by any other means, as the project itself violated the right to privacy and both federal and provincial security policies regarding personal medical records and data handling practices. In the U.S., health care organizations must comply with HIPAA when storing records digitally, banks with the Basel accords, federal agencies (and the contractors running their systems) with FISMA, and publicly traded companies with Sarbanes-Oxley (SOX). Failure to comply with these regulations usually results in civil or criminal penalties imposed by the federal government; however, Sarbanes-Oxley has yet to be tested by the courts against any business.


As for the personal "can you hack so-and-so for me" requests, I always fall back on the following guiding principles of ethical decision-making, offered to me during my CISSP training (Tipton)3. They are based on the findings of Fritz H. Grupe, Timothy Garcia-Jay and William Kuechler.


Golden Rule - Treat others as you wish to be treated.
Kant's Categorical Imperative - If an action is not right for everyone, it is not right for anyone.
Descartes' Rule of Change - If an action cannot be taken repeatedly, it is not right to take at all.
Utilitarian Principle - Take the action that achieves the most good.
Risk Aversion Principle - Take the action that incurs the least harm or cost.
Avoid Harm - Avoid malfeasance; "do no harm".
There Is No Free Lunch - Everything belongs to someone.
Legalism - Is the action legal?
Professionalism - Is the action contrary to the code of ethics? Does it contravene one of the above rules, or will it require that someone I ask violate the above code?


As Groucho Marx once stated, "These are my principles, and if you don't like them, I have others!" In cases where ethical questions come to light I often find myself returning to this simple page to consider whether or not what I am doing is right. If it violates any of these rules, I politely tell my client that I cannot work with them on ethical grounds.


1 Edmonds, David; Eidinow, John. Wittgenstein's Poker: The Story of a Ten-Minute Argument Between Two Great Philosophers (HarperCollins, October 2002). ISBN 978-0-06-093664-8.


2 Schneier, Bruce. "More on the Lynn/Cisco Controversy", Schneier on Security, 2005. [Online] Available from: http://www.schneier.com/blog/archives/2005/08/more_lynncisco.html (accessed March 1st, 2012).


3 Tipton, Harold F. (ed.). Official (ISC)2 Guide to the CISSP CBK, 2nd edition (Auerbach / Taylor and Francis, 2010), p. 495. ISBN 978-1-4398-0959-4.
