Maintaining Ethics in Today’s Cyber World Black Hat Europe Stephen Cox, Chief Security Architect, SecureAuth November 13, 2015
Maintaining Ethics in Today’s Cyber World – Black Hat Europe 2015 – © SecureAuth
Agenda
+ Why Talk About Ethics?
+ A Bit of History
+ Ethics Today in Cybersecurity
+ Voices
+ The Disclosure Dilemma
+ Case Studies
Why Talk About Ethics?
Engagement on the cyber-battlefield is escalating.
The battlefield is asymmetric.
Cybersecurity is a young field.
Cybersecurity is a rapidly growing field.
Cybersecurity is a highly educated and aging field.

There is a talent shortage.

These are ethical pressures.
A Bit of History
Ethics in Science, Technology & Engineering
+ It turns out this is not a new problem!
+ The American Society of Mechanical Engineers (ASME) discussed the adoption of a code of ethics as early as 1892
+ Many other professional societies followed suit around the turn of the 20th century
These conversations were driven by…
Ashtabula River Railroad Disaster, 1876
Source: https://en.wikipedia.org/wiki/Ashtabula_River_railroad_disaster#/media/File:Ashtabula_Bridge_disaster.jpg
Tay Bridge Disaster, 1879
Source: https://en.wikipedia.org/wiki/Tay_Bridge_disaster#/media/File:Catastrophe_du_pont_sur_le_Tay_-_1879_-_Illustration.jpg
Quebec Bridge Collapse(s), 1907 & 1916
Sources:
https://en.wikipedia.org/wiki/Quebec_Bridge#/media/File:Quebec_Bridge_Collapse_of_1907.jpg
https://en.wikipedia.org/wiki/Quebec_Bridge#/media/File:Quebec_Bridge_Collapse.jpg
A Pivotal Period in Engineering
+ The turn of the 20th century was pivotal for ethics in the civil and mechanical engineering professions
+ Fascinating book on the topic: The Revolt of the Engineers: Social Responsibility and the American Engineering Profession, by Edwin T. Layton
+ The issues we face today are not so different…
Source: http://www.amazon.com/The-Revolt-Engineers-Responsibility-Engineering/dp/080183287X
Ethics Today in Cybersecurity
Ethical Challenges in Cybersecurity
+ Privacy
+ Conflict of Interest
+ Intellectual Property
+ Breach Disclosure
+ Toxic Containment
+ Adequate Security
+ Ethical Hacking
+ Hacking Back
+ Vulnerability Disclosure
+ Cyberwarfare
With Great Power…
We have immense power as cybersecurity practitioners.
Source: http://marvel.com/characters/54/spider-man
Organizations with Codes of Ethics
+ ISC2
+ ISACA
+ SANS
+ IEEE
+ ISSA
+ ASIS International
+ GIAC
+ EC-Council
Is It Time to Professionalize?
+ Prevailing opinion is “no”
+ Field is too young and too diverse
+ There is already a growing shortage of qualified workers
+ Would likely be counterproductive

So what can we do?
Source: http://www.nap.edu/catalog/18446/professionalizing-the-nations-cybersecurity-workforce-criteria-for-decision-making
Voices
Ethics by Example
+ Richard Garriott
+ Joseph Rotblat
+ John Cornwell
Richard Garriott
+ Game developer and entrepreneur
+ Created the Ultima role-playing game series
+ Today runs Portalarium, a game company out of Austin, Texas
+ The Ultima series had strong ethical and moral underpinnings
Source: https://upload.wikimedia.org/wikipedia/commons/thumb/9/9c/Richard_garriott_july_2008.jpg/220px-Richard_garriott_july_2008.jpg
John Cornwell
+ Journalist, author, academic
+ Currently a director of the Rustat Conferences at Cambridge
+ Wrote Hitler's Scientists: Science, War, and the Devil's Pact (2004)
Source: http://www.amazon.com/Hitlers-Scientists-Science-Devils-Pact/dp/0142004804/
Joseph Rotblat
+ Nuclear physicist
+ Discovered that neutrons are emitted during the fission process
+ His work contributed to the atomic bomb
+ Part of the Manhattan Project, but later left on grounds of conscience
Source: http://www.nobelprize.org/nobel_prizes/peace/laureates/1995/rotblat-facts.html
Joseph Rotblat
+ Went on to win the Nobel Peace Prize in 1995
+ His Nobel Peace Prize acceptance speech suggested scientists take an oath, much like doctors do

A Hippocratic Oath for Scientists
Source: http://www.npg.org.uk/collections/search/portraitLarge/mw117251/Sir-Joseph-Rotblat
An Oath for Scientists
“The time has come to formulate guidelines for the ethical conduct of scientists, perhaps in the form of a voluntary Hippocratic Oath. This would be particularly valuable for young scientists when they embark on a scientific career.” -- Joseph Rotblat, 1995
An Oath for Cybersecurity Professionals?
+ Does swearing an oath have any value?
+ Modern opinions on the value of the Hippocratic Oath for medical professionals are mixed
Source: https://en.wikipedia.org/wiki/Hippocratic_Oath#/media/File:HippocraticOath.jpg
Reactions
+ I wrote about this in an op-ed for SC Magazine
+ I received very interesting and thoughtful responses!
The Disclosure Dilemma
Vulnerability Disclosure
+ The industry is struggling with this
+ Not much progress in 20+ years of finding and disclosing bugs
+ Types of disclosure:
– Non-disclosure
– Responsible or coordinated disclosure
– Full disclosure
Closing the Trust Chasm
+ A huge chasm of trust exists between vendors/manufacturers and security researchers
+ How do we address this chasm?
Crowdsourcing Security Research?
+ BugCrowd & HackerOne
+ Concept: engage vendors and security researchers in a structured way
+ Vendors can sign up products to be tested
+ Security researchers can sign up to test products
Case Studies in Disclosure
Hacking Jeeps
+ Charlie Miller and Chris Valasek discovered an Internet-accessible vulnerability in modern Jeeps
+ Disclosed to Chrysler prior to presentation at Black Hat
+ Publicly released their research, but left out a critical firmware step

My take: Miller and Valasek acted ethically.
Hacking Teslas
+ Kevin Mahaffey and Marc Rogers discovered multiple vulnerabilities in Tesla onboard systems
+ Detailed their findings at DEF CON 23
+ Tesla engages security researchers via the BugCrowd service

My take: Pure awesome.
Hacking Airplanes
+ Chris Roberts, One World Labs, discovered a vulnerability on United aircraft
+ Disclosed it to United, but United did not act on it
+ May have issued commands during a live flight

My take: Roberts crossed the line.
Thank You!
[email protected]
@StephenCoxSA