Maintaining Ethics in Today’s Cyber World Black Hat Europe Stephen Cox, Chief Security Architect, SecureAuth November 13, 2015


Page 1: Maintaining Ethics in Today's Cyber World

Maintaining Ethics in Today’s Cyber World
Black Hat Europe
Stephen Cox, Chief Security Architect, SecureAuth

November 13, 2015

Page 2: Maintaining Ethics in Today's Cyber World

Maintaining Ethics in Today’s Cyber World – Black Hat Europe 2015 – © SecureAuth

Agenda
+ Why Talk About Ethics?
+ A Bit of History
+ Ethics Today in Cybersecurity
+ Voices
+ The Disclosure Dilemma
+ Case Studies

Page 3: Maintaining Ethics in Today's Cyber World

Why Talk About Ethics?

Page 4: Maintaining Ethics in Today's Cyber World

Engagement on the cyber-battlefield is escalating.

Page 5: Maintaining Ethics in Today's Cyber World

Engagement on the cyber-battlefield is escalating.

The battlefield is asymmetric.

Page 6: Maintaining Ethics in Today's Cyber World

Cybersecurity is a young field. Cybersecurity is a rapidly growing field.

Page 7: Maintaining Ethics in Today's Cyber World

Cybersecurity is a young field. Cybersecurity is a highly educated and aging field.

Page 8: Maintaining Ethics in Today's Cyber World

We are currently in a talent shortage

There is a talent shortage.

Page 9: Maintaining Ethics in Today's Cyber World

We are currently in a talent shortage

There is a talent shortage.

These are ethical pressures.

Page 10: Maintaining Ethics in Today's Cyber World

A Bit of History

Page 11: Maintaining Ethics in Today's Cyber World

Ethics in Science, Technology & Engineering
+ It turns out this is not a new problem!
+ The American Society of Mechanical Engineers (ASME) discussed the adoption of a code of ethics as early as 1892
+ Many other professional societies followed suit around the turn of the 20th century

These conversations were driven by…

Page 12: Maintaining Ethics in Today's Cyber World

Ashtabula River Railroad Disaster, 1876

Source: https://en.wikipedia.org/wiki/Ashtabula_River_railroad_disaster#/media/File:Ashtabula_Bridge_disaster.jpg

Page 13: Maintaining Ethics in Today's Cyber World

Tay Bridge Disaster, 1879

Source: https://en.wikipedia.org/wiki/Tay_Bridge_disaster#/media/File:Catastrophe_du_pont_sur_le_Tay_-_1879_-_Illustration.jpg

Page 14: Maintaining Ethics in Today's Cyber World

Quebec Bridge Collapse(s), 1907 & 1916

Sources:
https://en.wikipedia.org/wiki/Quebec_Bridge#/media/File:Quebec_Bridge_Collapse_of_1907.jpg
https://en.wikipedia.org/wiki/Quebec_Bridge#/media/File:Quebec_Bridge_Collapse.jpg

1907 1916

Page 15: Maintaining Ethics in Today's Cyber World

A Pivotal Period in Engineering
+ Turn of the 20th century pivotal for ethics in civil and mechanical engineering professions
+ Fascinating book on the topic: The Revolt of the Engineers: Social Responsibility and the American Engineering Profession, by Edwin T. Layton
+ The issues we face today are not so different…

Source: http://www.amazon.com/The-Revolt-Engineers-Responsibility-Engineering/dp/080183287X

Page 16: Maintaining Ethics in Today's Cyber World

Ethics Today in Cybersecurity

Page 17: Maintaining Ethics in Today's Cyber World

Ethical Challenges in Cybersecurity

+ Privacy
+ Conflict of Interest
+ Intellectual Property
+ Breach Disclosure
+ Toxic Containment
+ Adequate Security
+ Ethical Hacking
+ Hacking Back
+ Vulnerability Disclosure
+ Cyberwarfare

Page 18: Maintaining Ethics in Today's Cyber World

With Great Power…

We have immense power as cybersecurity practitioners.

Source: http://marvel.com/characters/54/spider-man

Page 19: Maintaining Ethics in Today's Cyber World

Organizations with Codes of Ethics

+ ISC2
+ ISACA
+ SANS
+ IEEE
+ ISSA
+ ASIS International
+ GIAC
+ EC-Council

Page 20: Maintaining Ethics in Today's Cyber World

Is It Time to Professionalize?

+ Prevailing opinion is “no”
+ Field is too young and too diverse
+ There is already a growing shortage of qualified workers
+ Would likely be counterproductive

So what can we do?

Source: http://www.nap.edu/catalog/18446/professionalizing-the-nations-cybersecurity-workforce-criteria-for-decision-making

Page 21: Maintaining Ethics in Today's Cyber World

Voices

Page 22: Maintaining Ethics in Today's Cyber World

Ethics by Example

Richard Garriott, Joseph Rotblat, John Cornwell

Page 23: Maintaining Ethics in Today's Cyber World

Richard Garriott
+ Game Developer and Entrepreneur
+ Invented the Ultima role-playing game series
+ Today runs Portalarium, a game company out of Austin, Texas
+ Ultima series had strong ethical and moral underpinnings

Source: https://upload.wikimedia.org/wikipedia/commons/thumb/9/9c/Richard_garriott_july_2008.jpg/220px-Richard_garriott_july_2008.jpg

Page 24: Maintaining Ethics in Today's Cyber World

John Cornwell
+ Journalist, author, academic
+ Currently a director of the Rustat Conferences at Cambridge
+ Wrote Hitler's Scientists: Science, War, and the Devil's Pact (2004)

Source: http://www.amazon.com/Hitlers-Scientists-Science-Devils-Pact/dp/0142004804/

Page 25: Maintaining Ethics in Today's Cyber World

Joseph Rotblat
+ Nuclear Physicist
+ Discovered that during the fission process neutrons are emitted
+ Work contributed to the atomic bomb
+ Part of the Manhattan Project, but later left on grounds of conscience

Source: http://www.nobelprize.org/nobel_prizes/peace/laureates/1995/rotblat-facts.html

Page 26: Maintaining Ethics in Today's Cyber World

Joseph Rotblat
+ Went on to win the Nobel Peace Prize in 1995
+ His Nobel Peace Prize acceptance speech suggested scientists take an oath, much like doctors do

A Hippocratic Oath for Scientists

Source: http://www.npg.org.uk/collections/search/portraitLarge/mw117251/Sir-Joseph-Rotblat

Page 27: Maintaining Ethics in Today's Cyber World

An Oath for Scientists

“The time has come to formulate guidelines for the ethical conduct of scientists, perhaps in the form of a voluntary Hippocratic Oath. This would be particularly valuable for young scientists when they embark on a scientific career.” -- Joseph Rotblat, 1995

Page 28: Maintaining Ethics in Today's Cyber World

An Oath for Cybersecurity Professionals?

+ Does swearing an oath have any value?
+ Modern opinions on the value of the Hippocratic Oath for medical professionals are mixed

Source: https://en.wikipedia.org/wiki/Hippocratic_Oath#/media/File:HippocraticOath.jpg

Page 29: Maintaining Ethics in Today's Cyber World

Reactions
+ I wrote about this in an op-ed for SC Magazine
+ I received very interesting and thoughtful responses!

Page 30: Maintaining Ethics in Today's Cyber World

The Disclosure Dilemma

Page 31: Maintaining Ethics in Today's Cyber World

Vulnerability Disclosure
+ The industry is struggling with this
+ Not much progress in 20+ years of finding and disclosing bugs
+ Types of Disclosure
  – Non-Disclosure
  – Responsible or Coordinated Disclosure
  – Full Disclosure

Page 32: Maintaining Ethics in Today's Cyber World

Closing the Trust Chasm

+ A huge chasm of trust exists between vendors/manufacturers and security researchers

+ How do we address this chasm?

Page 33: Maintaining Ethics in Today's Cyber World

Crowdsourcing Security Research?
+ BugCrowd & HackerOne
+ Concept: Engage vendors and security researchers in a structured way

+ Vendors can sign up products to be tested

+ Security researchers can sign up to test products

Page 34: Maintaining Ethics in Today's Cyber World

Case Studies in Disclosure

Page 35: Maintaining Ethics in Today's Cyber World

Hacking Jeeps
+ Charlie Miller, Chris Valasek discovered Internet-accessible vuln. in modern Jeeps
+ Disclosed to Chrysler prior to presentation at Black Hat
+ Publicly released but left out critical firmware step

My take: Miller and Valasek acted ethically.

Page 36: Maintaining Ethics in Today's Cyber World

Hacking Teslas
+ Kevin Mahaffey and Marc Rogers discovered multiple vulnerabilities in Tesla onboard systems
+ Detailed their findings at DefCon 23
+ Tesla engages security researchers via BugCrowd service

My take: Pure awesome.

Page 37: Maintaining Ethics in Today's Cyber World

Hacking Airplanes
+ Chris Roberts, One World Labs, discovered vuln. on United aircraft
+ Disclosed with lack of movement from United
+ May have issued commands during live flight

My take: Roberts crossed the line.

Page 38: Maintaining Ethics in Today's Cyber World

Thank You!

[email protected]: @StephenCoxSA