
Security Based in Ethics October 18, 2013

Posted by patrickcallan2013 in Security.

Ken Thompson’s Turing Award Lecture, “Reflections on Trusting Trust”, demonstrates that morality and ethics are the foundation of security in computing. [1] Thompson’s example of an application and an altered C compiler that propagate a Trojan horse shows how a “trusted” person can abuse their position of trust to inflict harm on others. The importance of trusting someone is reinforced by Thompson’s statement “You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)” [1] Another article, “Reflections on Trusting Trust Revisited”, concurs with Thompson, stating “Given our nearly unbroken track record of failed security technologies, we should view claims regarding a system’s trustworthiness with skepticism … [and] can rest assured that the war for total control of computing devices cannot be won.” [2] Security technologies can help enhance computing security, but the root of security is trustworthy and ethical creators, maintainers and users of computing technology. The morality of the people interacting with the technology is central to establishing security.

Ethical and moral guidelines often originate from social norms and religions, which guide the behavior of most members of society. Professional codes of conduct, like the ACM Code of Ethics, apply these more general ethical and moral guidelines to a particular profession. One of the ACM Code of Ethics Guidelines, “1.3 Be honest and trustworthy”, reinforces Thompson’s and Spinellis’s point that trust, and ultimately security, lies within people. [3] The ACM Code of Ethics Guidelines all involve guidance on appropriate human action – it is what people do with the computing technology that matters. IT staff are in positions of trust and often have extensive privileges to computing systems and resources. The ACM Code of Ethics can provide IT staff with more specific guidelines to avoid unethical behavior.

Often ethics and morality are about considering the consequences of actions before executing them. The potential to abuse information technology to harm others is increasing, as discussed in the article “Death By Hacking: Tomorrow’s IT Worry?”, which highlighted our vulnerability, stating “…Jay Radcliffe, a diabetic patient, was among the first to show how hackers could scan for vulnerable insulin pumps from hundreds of feet away and force the medical device to dispense a lethal dose of insulin. That got the attention of the Department of Homeland Security, government regulators as well as many organizations in the medical community.” [4] Many stories reveal an increasing vulnerability to employees’ abuse of information systems, with serious consequences. [5, 6] Applying available IT technologies to improve IT security and protect data can help to mitigate risks but cannot prevent all of them. Building confidence in the ethics of people entrusted with access to information systems will take considerable time and effort, as the abstract nature of data and information systems access often masks the unethical behavior from the wrongdoer. Some employees are unaware of the ethics and consequences of their actions, as discussed in source [5]. Perhaps more frequent and open discussion of the ethical use of information systems could ultimately improve overall system security. Security involves people and needs to be addressed at that level to improve the current situation. Otherwise, the unethical use of IT will more seriously harm society, and society will devolve into the state that Hobbes described more than 350 years ago, “…the life of man, solitary, poor, nasty, brutish, and short.” [7]

Sources
[1] Thompson, Ken. “Reflections on Trusting Trust.” Communications of the ACM Volume 27 Number 8. August 1984.

[2] Spinellis, Diomidis. “Reflections on Trusting Trust Revisited.” Communications of the ACM Volume 46 Number 6. June 2003.

[3] ACM Council. “Code of Ethics.” Accessed on 10/17/2013 at http://www.acm.org/about/code-of-ethics .

[4] Coleman, Kevin G. “Death By Hacking: Tomorrow’s IT Worry?” InformationWeek Government August 5 2013. Accessed on 10/13/2013 at http://www.informationweek.com/government/policy/death-by-hacking-tomorrows-it-worry/240159360 .

[5] Hatchimonji, Grant. “Report Indicates Insider Threats Leading Cause of Data Breaches in Last 12 Months.” CIO October 8 2013. Accessed on 10/10/2013 at http://www.cio.com/article/741165/Report_Indicates_Insider_Threats_Leading_Cause_of_Data_Breaches_in_Last_12_Months?taxonomyId=3089 .

[6] Vijayan, Jaikumar. “CIA Dismissed Snowden 4 Years Before NSA Leaks.” CIO October 11 2013. Accessed on 10/11/2013 at http://www.cio.com/article/741402/CIA_Dismissed_Snowden_4_Years_Before_NSA_Leaks?taxonomyId=3089 .

[7] Hobbes, Thomas. “Leviathan.”
