One way of thinking about benefits and harms is to understand what our life interests are. Like all animals, humans have significant vital interests in food, water, air, shelter, and bodily integrity. But we also have strong life interests in our health, happiness, family, friendship, social reputation, liberty, autonomy, knowledge, privacy, economic security, respectful and fair treatment by others, education, meaningful work, and opportunities for leisure, play, entertainment, and creative and political expression, among other things.

Cybersecurity practices can significantly impact each of these fundamental interests of human beings. In this respect, then, cybersecurity has a broader ethical sweep than some of the stark examples of technical practice given earlier, such as the engineering of bridges. Unethical design choices in building bridges can destroy bodily integrity and health, and through such damage make it harder for people to flourish, but unethical choices in cybersecurity contexts can cause
many more different kinds of harm. While cybersecurity failures could in certain scenarios cost me my life, as we noted in the Introduction, they could also leave my body physically intact but my reputation, savings, or liberty destroyed. Effective cybersecurity practices can also generate a vast range of benefits for society at large, including safer infrastructure, reduced social and economic anxiety, and increased investment and innovation.

A. HARMS TO PRIVACY:

Thanks to the ocean of sensitive data that persons and organizations are generating today (or, to use a better metaphor, the many different lakes, springs, and rivers of data that are pooling and flowing across the digital landscape), most of us do not realize how exposed our lives and property are, or can be, by poor cybersecurity practices.

Some of the most common cyber-threats to privacy include identity theft, in which personally identifying information is stolen and used to impersonate victims in financial transactions (taking out loans in a victim’s name or using their credit cards to make unauthorized purchases), or for other illegitimate purposes, such as providing criminals with stolen identities. Hacking and other network intrusions can also be used to obtain sensitive information about individuals and their activities that can be used for the purposes of blackmail, extortion, and other forms of unethical and/or illegal manipulation of people’s will. Privacy violations of this sort are often used to get victims to harm the interests of third-parties, for example, using blackmail to pressure compromised employees to betray sensitive client information, trade secrets, or engage in other forms of corporate or government espionage and misconduct.

The risks of privacy harm created by poor or unethical cybersecurity practices are amplified further by the continued growth of a chaotic global data ecosystem that gives most individuals little to no ability to personally curate, delete, correct, or control the storage or release of their private information. Only thin, regionally inconsistent, and weakly enforced sets of data regulations and policies protect us from the reputational, economic, and emotional harms that release of sensitive data into the wrong hands can cause. Even anonymized data can, when linked
or merged with other datasets, reveal intimate facts (or in many cases, falsehoods) about us.

Privacy isn’t just about our online activities, either. Facial, gait, and voice- recognition algorithms, as well as geocoded mobile data, can now identify and gather information about us as we move and act in many public and private spaces.

It is important to note that privacy harms do not only threaten those whose sensitive information is directly exposed to cyber-threats; even those who try to live ‘off the digital grid’ cannot prevent sensitive data about them from being generated and shared by their friends, family, employers, clients, and service providers. For example, individuals who themselves practice stringent personal data security and encryption of their sensitive data might be targeted through
their medical provider or law firm, where sensitive data about them may be stored less securely.

In networked societies, sensitive data rarely stays confined to the digital context in which it was originally created or shared. This puts an immense amount of pressure on cybersecurity professionals, who are increasingly trusted to supply the critical line of defense against personal and organizational privacy harms.

Because personal control and containment of sensitive data is often virtually impossible to maintain in networked environments, especially without the benefit of highly specialized training and advanced cybersecurity tools, the ethical responsibility of preventing irreparable privacy harm falls increasingly upon cybersecurity professionals rather than the original ‘owners’ of sensitive data.
Therefore, poor cybersecurity practices, from lax patching efforts and outdated encryption tools to a lack of incident response planning, can be more than just ineffective—they can be unethical, insofar as they unnecessarily or negligently expose others to profound personal and organizational privacy harms.

B. HARMS TO PROPERTY:

We saw above that property can be indirectly threatened by violations of data privacy, through mechanisms such as extortion. However, often property is directly targeted through cyber intrusions that may seek to misappropriate electronic funds, steal valuable intellectual property such as trade secrets, obtain bank account numbers and passwords, or remotely cause damage or destruction to an individual or organization’s digital or physical property. The motivations for
such harms vary widely: such property may be targeted by profit-seeking criminal enterprises; by politically-motivated groups of non-state actors; by agents of corporate espionage; by hostile military or intelligence agents of foreign nations; or by the aggressive impulses of a lone hacker or collective seeking to demonstrate their own destructive power.

It is important to recognize that unauthorized harms to property are, typically, significant ethical harms; they injure persons who rely upon such property to secure good lives for themselves or others. Property may not be of intrinsic ethical value, as human lives are, but we frequently have good reason to consider unauthorized damage to property to be unethical— even in cases when it
is not strictly or explicitly prohibited by law.

There are rare cases in which the unauthorized destruction of property might be argued by some to be ethically justified by a higher moral duty, such as national security interests. Presumably, for example, this is the kind of claim that was made by the agents of the nation state or states responsible for using the Stuxnet worm in 2010 to disable Iranian centrifuges being used as part of Iran’s efforts to enrich uranium. In other cases, defenders of a network under cyberattack might assert an ethical right to ‘hack back’ in ways that aim to damage the systems of the cyberattacker.

Even in such cases, however, cyber-intrusions that target property generate significant ethical concerns; for example, consider the fact that the release of the Stuxnet worm also infected hundreds of thousands of other computers of individuals and organizations unrelated to the Iranian nuclear program. Likewise, ‘hacking back’ has been challenged as creating an unacceptable risk to innocent parties, since its collateral effects are usually unknown and since cyberattacks often involve ‘spoofing’ strategies that make it easy to misidentify the system
responsible for the attack.

Regardless of the validity of arguments for and against so-called ‘defensive’ cyberattacks on property, professionals tasked with cybersecurity have a default
ethical obligation to protect their organization’s networks, or those of their clients, from any and all property-targeting intrusions and attacks.

C. CYBERSECURITY RESOURCE ALLOCATION:

Another ethical issue that must always inform cybersecurity practice is the inevitably high cost of cybersecurity. Cybersecurity efforts consume considerable individual and organizational resources: time, money, and expertise. They also impose considerable costs on system resources: cybersecurity efforts can negatively impact data storage capacity, network and download speeds, power efficiency, and system usability/reliability. Of course, not having effective cybersecurity measures in place typically imposes even higher and more unacceptable costs. Still, a network that is maximally secure but as a result is practically unusable, or economically unsustainable, can normally not be justified—just as it would normally not be reasonable or justifiable to secure a bank by boarding up and padlocking all of the doors.

That said, in some cases, even usability/product viability concerns can’t justify weakening security standards. If, for example, my company wants to make a Wi-Fi enabled pacemaker, but simply lacks the resources necessary to make that product both effective and reasonably secure from hackers, then there is a strong ethical argument that my company should not be in the business of making Wi-Fi enabled pacemakers. In that case, a cybersecurity professional who signed off on or otherwise enabled lax security controls on such a device would also be violating
ethical standards, since he or she would be well aware of the unacceptable risk of grave harm to others that his or her action creates.

If it’s not clear how the issue of resource allocation can be an ethical issue, consider the stakes involved in getting the right balance between security and other competing resource needs. If a hospital network security administrator gets spooked by a suspicious port scan of the network and decides to respond to the possible threat by immediately instituting a new and extremely time-consuming security logon procedure, without first considering the core function and interests of users of the network, they could be endangering patient’s lives, especially in
departments where quick network access is needed in order to use life-saving medicines or equipment.

Thus the task of identifying a justifiable balance between well-resourced cybersecurity and other kinds of functionality is an ethical one, since it requires reflecting carefully upon the harms, benefits, rights and values involved in such a decision, and the likely impact of the decision on the ability of others to seek and lead good lives.

D. TRANSPARENCY AND DISCLOSURE:

Another set of ethical issues in cybersecurity practice has to do with our general but limited obligations of transparency in practices that affect the well-being of other people. Because cybersecurity is a form of risk management, and because those risks significantly impact other parties, there is a default ethical duty to disclose those risks when known, so that those affected can make informed decisions. For example, it is generally agreed to be the case that if an organization discovers a critical vulnerability in its software, it should notify its customers/clients of that discovery in a timely fashion so that they can install a patch (if available) or take other defensive measures.

Yet in many cases the appropriate mode and extent of the disclosure, and what counts as a ‘timely’ notification, is subject to considerable debate. For example, in a case where a vulnerability would be very challenging to discover and exploit by a third party, cannot yet be patched by the security team, and involves a critical network of high utility to customers, a delay in notification until a patch is available may be ethically defensible, since premature disclosure would potentially invite an attack that would otherwise not be forthcoming, creating a higher risk
of harm to others.

Although there are some general transparency and disclosure guidelines that can be helpful to consider, as articulated in Section V, it remains the case that because each cybersecurity scenario involves different facts, and places different goods and interests at stake, there is no ‘one-size-fits-all’ rule or instruction that one can follow to guarantee appropriately transparent cybersecurity practice. This means that typically, what is required in each case is careful ethical reflection on the particular scenario and the specific risks, benefits, tradeoffs, and stakeholder
interests involved, followed by a well-reasoned ethical judgment about what is best to do, given the particular facts and options.

E. CYBERSECURITY ROLES, DUTIES, AND INTERESTS:

Cybersecurity practices involve a number of distinct roles and interests, some of which are in tension with one another. In such cases it can be unclear what our ethical duties are, to whom we owe the greatest ethical concern, and whose interests we should be most invested in protecting.

The variety of roles and subcultures of cybersecurity practice can also generate confusion about the ethical standards of the cybersecurity community. Careful ethical reflection is necessary to sort through such confusions and arrive at justifiable decisions in particular cases. For example, there has long been a debate about the ethical standards of the ‘hacker’ community, a debate amplified by the divergent sub-communities of those who identify as ‘white-hat,’ ‘black-hat,’ or ‘gray-hat’ hackers.

The joint origin of hacking and security practices among individual computer hobbyists and informal collectives makes the need to develop clear community standards within an emerging cybersecurity profession especially complicated. Many cybersecurity professionals have occupied multiple and competing roles in the development of their own security skillset and knowledge base; they may feel conflicting loyalties to the interests of the public, government agencies, their employers or clients, and to particular subcultures and interest groups within the security community, not to mention their own personal interests. The market for ‘zero-day’ exploits perfectly embodies the complex ethical landscape of
cybersecurity, in which financial incentives are given both for creating and exposing potentially harmful cybertools.

Illustrations of tensions among different roles and interests in the cybersecurity community are easy to come by. One cybersecurity researcher may have a strong desire to publish a formerly unknown method of undermining a popular encryption key management system, for the sake of improving the community’s knowledge base and spurring research into countermeasures. Yet the same researcher may also have clients of his or her cybersecurity consulting firm who would be placed at greater risk by such a disclosure. Or consider a chief information security officer (CISO) who wishes to hire for his or her ‘Red Team’ of penetration testers a brilliant young hacker whose skills are unparalleled, but whose professionalism and ethical values are still underdeveloped; the CISO hopes to mentor this person fully into the culture of ‘white-hat’
cybersecurity practice, giving more ammunition to the ‘good guys,’ but knows there is a real risk of failure—one that could expose his or her employer to an internal breach. How should the CISO make this call?

All of the issues outlined above in Part One involve ethical choices that must be made by cybersecurity professionals, choices that significantly impact the lives and welfare of others. All of these ethical issues are highly complex and variable, although this does not mean that they are therefore subjective. There are many responses to cybersecurity issues that are clearly ethically wrong. Others are clearly ethically dubious, or fall short of what we would expect from any respected cybersecurity professional. Still, finding cybersecurity solutions that are clearly right or justifiable by reasonable professional standards can be challenging, and requires careful ethical reflection, analysis, and problem-solving. The function of this module is to illustrate the critical need for those skills in cybersecurity, and to give students some initial practice in using them.