BreachExchange mailing list archives

What Star Wars can teach us about cyber ethics


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 11 Jan 2016 17:42:16 -0700

http://www.securityinfowatch.com/article/12157054/what-star-wars-can-teach-us-about-cyber-ethics

As media headlines have been dominated by the launch of Star Wars: The
Force Awakens and shenanigans (or worse) with voter data by Bernie Sanders'
political campaign, I pondered the question: what do these recent news
stories have in common?

Without going into the specific details of what happened (especially in
the new movie), a few possible answers include:

- We have seen the enemy, and they are us. Or, not all data breaches come
from foreign hackers, organized crime or other “outsiders” with malicious
intent.
- Security controls and even technology training have limitations. Or,
Darth Vader (and several other Jedi Knights) were well-trained – but used
their skills to go over to the “dark side.”
- There are shades of gray that technology professionals face in their
daily duties that often get darker if not exposed and corrected early
enough. Or, “the road to hell is paved with good intentions.”

Ethical Challenges for Security Professionals

Oftentimes, security pros quietly think they are above Internet laws,
company rules and regulations. As the cyber police, bending a policy may
seem acceptable, as long as no one catches you in the process. Sometimes,
it may even seem to be required – like the state police needing to speed to
catch a car going 100 miles per hour.

Beyond cyber war and the good guys having the right tools to catch the bad
guys, there can be a tendency to ignore “more mundane” acceptable use
directives. That is, security staff can download copyrighted material, view
porn at work, look at private information, “borrow” passwords or delete log
files to cover their tracks, etc. These acts may almost be viewed as “the
spoils of war.” Hackers come across this data once as part of their job,
and later they become accustomed to accessing it freely.

But actions have consequences. Much like Anakin Skywalker’s turn to the
dark side, this is a slippery slope.

The reality is that the smarter you are, the more you advance as a cyber
security expert, the farther you go as a hacker, the greater your
temptation will be. As you learn what the enemy does and how they do what
they do (in order to stop them), the new ways to avoid detection, the
secrets of the trade and the best ways to build and get around defenses,
you will face a series of crossroads. Your ethics, values and beliefs will
inevitably be tested. This is similar to a cop who arrests drug lords and
finds a stash of cocaine or cash. Should he/she take a bit of the money
while no one is looking? It seems so easy, so close and perhaps even
innocent.

Sadly, I have seen talented security and technology professionals
disciplined for inappropriate behavior at home or work such as stealing
property, downloading files or distributing child porn. I personally know
technically savvy staff members who are in jail, and I must say that I
never would have guessed that certain “experts” would turn to the dark
side. Additionally, I have read and heard about dozens of such cases.
People are blinded to their own deceitfulness.

Avoid the Dark Side

So what can be done to strengthen the ethical culture in your situation?

First, we need to be aware of the problem. Ethics is important, not only for
my children when on Facebook, but perhaps even more vitally for veteran
security and technology professionals who know how to beat the system.

No doubt, we are all susceptible to slipping, and being honest about the
challenges and temptations is a good start. Understanding that these
situations will arise and discussing appropriate actions with your team is
a good initial step.

Here are a few other ways to help in this area:

- Seek advice from respected colleagues regarding practical ethical behavior
as a security pro. Find one or more accountability partner(s) who share
your professional values. Remember that accountability is for winners, not
losers. The best musicians, artists, athletes, and other experts are
accountable to teachers or coaches. Everyone who strives to improve needs
accountability.
- Find a trusted mentor who you admire in the industry. Make yourself
accountable to this person regarding the direction of your professional
career decisions.
- Practice these seven habits of online integrity.

Bottom line, cyber ethics is not just an academic topic or a class you once
took to get a computer degree. Cyber ethics are the brakes that enable us
to traverse cyberspace safely.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 