Ch3 - Ethics in Cybe-transcript.txt

SPEAKER Now you may be thinking we were supposed to be talking about cybersecurity, not Greek philosophers. You're right. But I wanted to go over some basic ethical concepts before we jumped in so that you'd have some form of frame of reference. Cybersecurity applies to all business and all business IT. It spans both our personal and our professional lives. How do we decide what is acceptable use of it? I would think that it would vary depending on the situation. My personal use of it is definitely different than my professional use, for example. That's where ethics comes into play. We don't get to decide what's right or wrong alone. We have to do it in the construct of an organization, an industry or society as a whole. Let's take a look at the ethical challenges in our digital lives: in business, in government, and even in the role of cybersecurity. The US Constitution arguably grants us the right to a reasonable expectation of privacy, by way of the Supreme Court. This is evaluated two ways: in the privacy of our own home (public restrooms are also kind of private areas, right?), and in public spaces like restaurants, roads and parks. When we look at our digital lives, we may liken our email and our direct messages, texts or otherwise, to something that you would do at home. And we may look at public-facing blogs and websites and social media posts as public. But our legal system doesn't quite always match up with those expectations. Oftentimes, private communications on private servers (if for some reason you have a private server hosted at your home) would be considered private. But emails and direct messages on cloud systems can sometimes be interpreted more like public spaces. So do service providers have the right to share our private messages? What if there was a public interest in it? What if there was a national security interest in it? What about government organizations?
When does the government's responsibility to keep us safe trump our rights to privacy? You can see utilitarianism can conflict with deontology here. A utilitarian perspective might be that national security is more important than one's individual right to privacy. In fact, national security might trump all people's privacy, right? It's more important to make sure that we're all safe than to make sure that we all have privacy in digital means. And also, if a service provider thought that leaking a politician's emails, for example, would be interesting, or of interest, I should say, to the voting public, they would leak the data. Right? As an aside, my ethical compass plays to the elements of fairness and virtue ethics, or justice in virtue ethics, in this regard. Right? If personal emails were being leaked, I would want them to be leaked fairly or evenly for all relative parties. Just saying. For a deontologist, you might say that a service provider has a moral duty or responsibility to respect the privacy of others. Or you might say that they have a moral duty to protect national security. These ethical conversations can get a bit rough. Let's take a moment to look at five of the biggest concerns with digital privacy from the individual's perspective. Let's start off with data collection and use. Now, we are all concerned with all the data that is getting collected on us, right? Name, address, phone number, email address, credit card number; all that stuff piles up. And there's a growing concern that that data can be used against us or in ways that we didn't intend when we shared it. Data breaches and leaks are a concern for just about everybody. We'll talk about this when we get to both businesses and cybersecurity. Everybody cares about data breaches and nobody wants their information stolen. And certainly people are concerned that their information can be taken and used for malicious purposes, such as identity theft or financial fraud.
We also have a concern for surveillance and monitoring, right: that when governments and organizations use surveillance technologies to monitor individuals and track their movements, behaviors and activities, that's an invasion of our right to privacy. And it can also infringe on our civil liberties. There's also the concern for bias and discrimination. When a lot of our data is collected, there is the risk that bias or discrimination can creep in. For example, algorithms used to make decisions about employment or loan applications may be biased against certain groups of people. That's not even touching on the issue of AI, social media and search engine bias, where the system owners or moderators that have created these search engines or these algorithms can tweak those algorithms to favor their perspectives, thus swaying the general population. And last up for this quick conversation is the concept of informed consent. It's the idea that we want to know and be informed when data is being collected against us, why that data is being collected, and who it's being shared with. Right? We want to know how you're using the data. Now, let's switch gears over to business ethics. Our big thing in business: customers don't do business with people they feel are lying, cheating or stealing. There is a widely held belief that if you ignore business ethics, your reputation will eventually catch up to you and you'll end up in jail or bankrupt. In regard to cybersecurity, that usually means being responsible for a customer's data and ensuring adequate safeguards are in place. Customers typically don't fault non-cybersecurity companies for data breaches if they know that the company tried to protect the data in the first place, and they think that the company is being responsive in how they're dealing with the data breach. There's actually even a case of a cybersecurity company being hacked by an adversarial country. I said country.
And customers basically gave that company a pass because everybody thought, well, you know, that country is persistent in the attack, and basically anybody would have eventually been compromised by them if they wanted to. If you want to learn more about that one, look up the SolarWinds hack. Now, efforts here tend to swirl around corporate responsibilities that impact customers. Just because a company has recordings of your voice (Amazon, for example) does not mean that they can use those recordings for a different project. What is the ethical concern, and what is the ethical collection and use of data? That's a tough one. Let's look at four ethical concerns from the perspective of a business. Starting with protecting customer data. First off, businesses need to protect the data that they collect. You're collecting it; we're giving it freely to you. You need to be a good steward of that data and protect it from unauthorized disclosure, use or modification. If you don't do that, you're going to lose customers. Next up, ensuring data accuracy and integrity. Right. Just because you collect data, you need to make sure that it's right, especially if you're sharing it with other entities, and especially if you're making decisions off of that data. A customer (a company, sorry) has a responsibility to make sure that that data is used accurately. And to do that, that means that the data itself needs to be accurate. If you don't believe me, just think for a second how you would feel if your bank couldn't keep track of your bank account balance. Pretty sure you would change banks. Next up, maintaining transparency and accountability. Businesses should be transparent about their cybersecurity practices, and they should be able to answer questions about what they're doing and how they're doing it, especially when a data breach occurs.
Just like I said in the SolarWinds example I gave, acting with transparency and accountability during those troubled times can help hold the company together. In fact, I think SolarWinds' ability to work, or the way that they handled the data breach and worked with the federal government and their customers (Microsoft was a big one), really helped people believe that SolarWinds was doing a good job and was still a trustworthy company. Last up, avoiding conflicts of interest. Businesses should avoid conflicts of interest and should act in the best interest of their customers and stakeholders. They should avoid engaging in behavior that could compromise their objectivity or professional judgment. You don't want to hire your sister's company to perform the cybersecurity assessment for your company. We'll touch on that in cybersecurity as well. It just looks bad, and it makes it harder for people to trust that the business is operating ethically. So many business ethics concepts come from deontology, where there's an emphasis on obligations to behave in a specific way regardless of outcomes. Actually, when the rubber meets the road, or you're in a hard situation, right, a lot of times businesses doing the right thing means taking a risk and potentially losing business in the short term. Next up, let's talk about cybersecurity. Cybersecurity professionals face a high bar of ethics due to their role in guarding IT systems against misuse. Who guards the guardians? Well, in part, we've designed a lot of controls to make sure that cybersecurity professionals are held to the highest standard. There are many ways that this is done. Job screening, for instance: many cybersecurity positions will require background checks. Criminal history, known terrorist ties, financial responsibility (that financial responsibility, if you're interested, is so that you can't be easily bribed)
And drug use are a few things that are looked at when screening for a cybersecurity position. Cybersecurity positions also have policies and agreements. A lot of cybersecurity professionals will have to sign confidentiality agreements, which are legally binding documents that state that you can't disclose information about the company or a specific engagement or client. And the consequences for failing to uphold that agreement could be sanctions, being legally sued, or being fired from your job. Also, adequate security. You will hear that term quite a bit: adequate security. So pay attention to it. That term gets thrown around a lot, and we are often responsible for making sure that the security measures put in place are commensurate with the risk of the system. You don't spend $1,000,000 to secure a $100 system that contains public information, but you probably would spend $1,000,000 to protect the FBI's fingerprint database. In fact, they spend a lot more than a million. So the ethics behind cybersecurity professionals typically fall within deontology again: duty-based obligations. Malfeasance, do no harm. It is a recurring theme that you'll see for cybersecurity professionals that the fix to a vulnerability cannot create more problems than it solves. So here are some of the ways in which ethics apply to cybersecurity. Number one, following ethical hacking practices. When you are doing penetration tests or white-hat hacking, there are very strict rules and codes of conduct that you need to behave within. And there's a lot of reason for that. But people need to know that when you're hacking, you're not just saying you're doing it for good reasons: there is a legal purpose for it, there is a structure to it, and there are controls in place so that you don't go out of bounds and perform in an unintended way or have unintended consequences. Number two, avoiding conflicts of interest. I mentioned this with business. Cybersecurity professionals should avoid looking like they are not objective.
And so if you wrote the code, you probably aren't going to be the person to attest to the cybersecurity well-being, that the code is secure. You're probably going to get somebody else, because you're probably not impartial. Maintaining confidentiality is a big one. We talked about that. You cannot let people know the things that you learned in secret. I know a lot of information system vulnerabilities for customers that I've worked for. If I disclosed that to anybody, that breaks the confidentiality I have with my customers, and that just reflects poorly on my ethics. Right. And last up, prioritizing risk management. We also talked about that one. Risk management means balancing security needs with operational constraints. Security almost always comes at a cost, budgetary and convenience. It takes longer to log in with multi-factor authentication, but our accounts are more secure. So how much is enough? How much is too much inconvenience for the users? That's the tradeoff cybersecurity professionals need to consider when managing risk. Last up, government. In the government, cybersecurity ethics are essential for maintaining the trust of the public, safeguarding sensitive information and protecting critical infrastructure, because the government has access to a lot of sensitive information. So the list of concerns is mostly covered in digital privacy, business and cybersecurity. However, the perspective is a little different where a government organization exists, because it solely exists to protect its people. First up, respect for privacy. Governments have a responsibility to respect the privacy of their citizens and to take appropriate steps to protect all the personal information that they might have on their citizens. This includes implementing appropriate security measures, using encryption, and limiting access to sensitive data. This sounds like it comes from an individual's perspective, but not from the government.
But that's how the U.S. government was formed, right? For the people, by the people. And that's why this is high on our list. Also, the ethical concern of transparency and accountability. Governments should be transparent with how they conduct business, including cybersecurity and data breaches. If a government agency was hacked, we want that to be disclosed, because we, the people, want to be able to hold our government officials accountable for the consequences. Now we have fairness and nondiscrimination. This one really doesn't touch on cybersecurity so much, but it is an ethical concern for governments that they are not acting in a biased or discriminatory way. And then we also have, again, informed consent, right? We want our governments to ask us before they collect data on us. It's a pretty simple concept. And last, this is new for government specifically: collaboration and partnership. Governments should collaborate with other organizations and stakeholders, specifically the public, to promote cybersecurity best practices, to share information about threats and vulnerabilities, and to make sure that the latest technologies and practices are secure across the entire nation that falls within that government, even if it's not government IT. That's a concept we'll see played out a lot in an organization called CISA within the Department of Homeland Security. From an ethical theory perspective, you can see some virtue ethics creep in here. Government should collaborate because collaboration is virtuous. Government should be fair because that's a virtuous characteristic as well.