
ETHICS IN INFORMATION SECURITY

Our society is undergoing pervasive digitization. It is no exaggeration to say that computing devices and digital technologies are profoundly changing every facet of human endeavor. Naturally, such sweeping changes also bring forth ethical issues that computing professionals must deal with every day. But are they equipped to deal with them?

Ethical concerns in computing are widely recognized. For example, the recent upsurge in the popularity of applying machine learning techniques to various problems has raised several ethical questions. Biases inherent in training data can render these systems unfair in their decisions: a hiring model that weighs a factor such as distance from the workplace because it correlates closely with past performance might also, inadvertently, be weighing something that correlates with race. Identifying such sources of unfairness and making machine learning systems accountable are active research topics. Similarly, the rise of autonomous systems has led to questions such as how to deal with the moral aspects of autonomous decision making and how societies can respond to people whose professions might be rendered obsolete by the deployment of such systems.


The information security profession is grappling with its own share of ethical considerations. Among them are privacy concerns about large-scale data collection, the use of end-to-end cryptography in communication systems, wiretapping and large-scale surveillance, and the practice of weaponizing software vulnerabilities as “offensive security.”

The latter issue was brought forth in dramatic fashion in early March 2017, when WikiLeaks published a collection of documents called Vault 7, which described numerous vulnerabilities in popular software platforms like Android and iOS that could be used to compromise end systems based on these platforms. That national intelligence agencies use such vulnerabilities as offensive weapons didn't surprise anyone except the popular press. But the WikiLeaks revelation led to a flurry of discussion on the ethics of how vulnerabilities should be handled.

Over the years, the information security community has developed best practices for dealing with vulnerabilities. Timely “responsible disclosure” of vulnerabilities to affected vendors is a cornerstone of such practices. Using vulnerabilities for offense is at odds with responsible disclosure. As George Danezis, a well-known information security expert and professor at University College London, put it, “government ‘Cyber’ doctrine [not only] corrupts directly this practice, by hoarding security bugs and feeding an industry that does not contribute to collective computer security, but it also corrupts the process indirectly.” (Danezis, 2017)

However, when a government intelligence agency finds a new vulnerability, deciding when to disclose it to the vendors concerned is complex. As another well-known expert and academic, Matt Blaze from the University of Pennsylvania, pointed out, on the one hand, an adversary might rediscover the same vulnerability and use it against innocent people and institutions, which calls for immediate disclosure leading to a timely fix. On the other hand, the same vulnerability can help intelligence agencies prevent adversaries from harming innocent people, which is the rationale for delaying disclosure. Blaze reasoned that this decision should be informed by the likelihood of the vulnerability's rediscovery, but concluded that, despite several studies, there's insufficient understanding of the factors that affect how frequently a given vulnerability is likely to be rediscovered.

This brings us back to our original question: Do information security professionals have the right knowledge, tools, and practices to make judgment calls when confronted with such complex ethical issues? Guidelines for computing ethics have existed for decades. For example, the IEEE Computer Society and ACM published a code of ethics for software engineers back in 1999. The ACM Code of Ethics and Professional Conduct was introduced in 1992 and, at the time of writing, was being revised (ethics.acm.org). But to what extent do such codes reach practitioners and inform their work? There are certainly efforts in this direction. For example, program committees of top information security conferences routinely look for a discussion of "ethical considerations" in submitted research papers dealing with privacy-sensitive data or vulnerabilities in deployed products. They frequently grapple with the dilemma of requiring authors to release datasets in the interest of reproducible research without compromising the privacy of the people whose data was collected. Awareness of ethical considerations needs to be fostered systematically at all levels of the profession.


Ethical concerns in information security can't simply be outsourced to philosophers and ethicists, because such considerations will inevitably inform the very nature of our work as cyber security professionals. For example, many researchers are developing techniques that allow privacy-preserving training and prediction for machine-learning-based systems. Similarly, as Blaze pointed out, active research is needed to understand the dynamics of vulnerability rediscovery in today's technological landscape (Blaze, 2017).

Should graduates of computer science curricula be required to have exposure to ethics in computing? Where is the right place to add this to the curriculum, given the limited instructional time available in such programs? Should university computer science departments host computing ethicists among their ranks? What are the ethical limits for computer scientists working for intelligence agencies on finding vulnerabilities and developing attacks that use them as tools?

Vault 7 had a silver lining: the focus on amassing weaponized vulnerabilities to attack end systems suggests that the increasing adoption of end-to-end encryption by a wide variety of messaging applications has been successful. Passive wiretapping is likely to be much less effective today than it was only a few years ago. Intelligence services are now forced to attack the endpoints rather than the cryptography.

Bibliography

Danezis, G. (2017, March 8). What the CIA hack and leak teaches us about the bankruptcy of current "cyber" doctrines. Retrieved February 22, 2020, from Conspicuous Chatter: conspicuouschatter.wordpress.com/2017/03/08/what-the-CIA-hack-and-leak-teaches-us-about-the-bankruptcy-of-current-doctrines

Blaze, M. (2017, March 23). Between immediately and never: When should government disclose "stockpiled" vulnerabilities? Retrieved February 22, 2020, from www.crypto.com/blog/between_immediately_and_never
