In comparing ethical frameworks and relating them to Van de Poel’s value clusters, I will argue that deontic ethics is a more suitable framework for cyber security because it is more adaptable than consequentialist ethics, given the evolving nature of technology and the need to adapt to changing social contexts. Consequentialism considers only the static importance of good outcomes (which do not change); this matters because people, attitudes and social contexts do change, are complex and are multivariate.
For example, not all security, nor every action that leads to good security, is good. While consequentialists treat security as enabling characteristics that are desirable for social good, deontic ethics would evaluate the context to judge the appropriateness of the security measure itself.
For example, using an authentication mechanism such as a password (knowledge) to protect an intensive care unit’s medication dosage system against unauthorised access produces a good consequentialist outcome (security), but it would not be the correct measure once one considers, as deontologists would, current improvements in the technology that can brute-force passwords, the relative weakness of passwords chosen by humans, and the severity of a compromise of that system.
Consequentialist ethics is short-sighted and inflexible, and in this case could lead to failing to protect a particularly sensitive system adequately. Deontologists would assess the measures and their impact in the prevailing context and conclude instead that physical ownership (possession) of an access card and/or behavioural authentication (fingerprint) is a better and more reasonable approach to implementing security, considering the risk to critical patients.
This extends to privacy: not all privacy is good either, nor is every measure that leads to it correct. While confidentiality, freedom and anonymity might be seen by consequentialists as fundamental rights that justify their approaches, they can also hide criminal information from the authorities. Should the freedoms of criminals be respected if they are perpetrating crimes that harm society?
For example, a system that uses encryption to restrict access to another user’s actions (confidentiality/anonymity) is generally a good thing, but should criminals’ data and actions be allowed to be hidden, or should they be unencrypted? Should criminals be allowed to be anonymous? A consequentialist would say so. The recent national-security case involving Apple, the FBI and an encrypted iPhone is a case in point (Lowell, 2017).
A deontologist would suggest that the platform must always be allowed to decrypt data identified as criminal or of national importance, considering the context and those affected by the crime.
A deontic approach to better authentication would be one that requires a verified identity, known to the platform but not shared publicly, such as requiring an identity certificate, issued and trusted by a third-party authority, in order to use the platform. Combined with an additional requirement to physically possess the private key associated with that verified identity (e.g., on a smart card), this makes identities more reliable and more difficult to spoof (or hide), and makes privacy that is conditional on context (criminal versus non-criminal, crime versus usual activity) possible.
Likewise, consequentialist approaches to accountability are not always correct, despite good intentions.
Consequentialists would consider a system that logs user actions based on username/password authentication suitable for establishing responsibility for that user’s actions; however, this authentication does not in itself guarantee the claim of identity (knowledge) if the password was stolen and the identity spoofed. This can lead to incorrect accountability, with the implication of blaming the wrong person, particularly if the information is presented to the authorities.
Deontologists would instead consider that a more correct approach to verifying identity uses a provable means, such as host/certificate authentication (e.g., SSH) or digital signatures to sign and authenticate operations and actions, since this attaches a verifiable identity, and therefore an origin, to each action and so can serve as a basis for reliable accountability.
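As an added illustration of the signature-based accountability described above, and of the possession-of-private-key identity model from the earlier paragraph (this is example code, not part of the original essay), the following Go program signs constructed audit-log entries with Ed25519 and attributes each entry only if its signature verifies against the key the platform holds for the claimed user. The user names, keys, dosage action and timestamp are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AuditRecord is a constructed audit-log entry; User is only a claim, Sig binds it to a key holder.
type AuditRecord struct {
	User, Action, Timestamp string
	Sig                     []byte
}

// canonical gives the signed bytes: changing user, action or timestamp breaks the signature.
func (r AuditRecord) canonical() []byte {
	return []byte(r.User + "\x00" + r.Action + "\x00" + r.Timestamp)
}

// SignRecord attaches a signature made with the actor's private key.
func SignRecord(r AuditRecord, priv ed25519.PrivateKey) AuditRecord {
	r.Sig = ed25519.Sign(priv, r.canonical())
	return r
}

// VerifyRecord checks the entry against the key the platform holds for the claimed user.
func VerifyRecord(r AuditRecord, registry map[string]ed25519.PublicKey) bool {
	pub, known := registry[r.User]
	return known && ed25519.Verify(pub, r.canonical(), r.Sig)
}

// Demo covers the essay's cases: genuine entry, spoofed user name, entry altered after signing.
func Demo() (genuine, spoofed, tampered bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"alice": alicePub} // hypothetical identity store
	rec := AuditRecord{User: "alice", Action: "set-dose 5mg", Timestamp: "2023-05-01T10:00:00Z"}
	genuine = VerifyRecord(SignRecord(rec, alicePriv), registry)
	spoofed = VerifyRecord(SignRecord(rec, bobPriv), registry) // bob knows the name, not the key
	signed := SignRecord(rec, alicePriv)
	signed.Action = "set-dose 50mg" // log entry edited after the fact
	tampered = VerifyRecord(signed, registry)
	return
}

func main() {
	g, s, t := Demo()
	fmt.Println("genuine:", g, "spoofed:", s, "tampered:", t) // prints genuine: true spoofed: false tampered: false
}
```

A username written into a log is the password-style claim the essay criticises; only the signed entry can be traced back to a specific key holder, and both the spoofed and the altered entries are rejected.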
Consequentialist approaches to implementing fairness are not always fair either.
For example, it is not fair to implement a strong authentication mechanism that is only accessible to able-bodied people: a retina scanner placed at eye level on a door, where eye level presupposes the ability to stand. This favours the desirability of good authentication at the expense (or discrimination) of people with limited motor abilities.
While leaving the specific ethical approach at the discretion of its members, the ISC’s code of ethics refers to approaches that protect society, and this is comparable to preventing harm, which is defined by the value of security as the protection from, or the absence of, threat or harm.
The code also includes acting honestly and legally, which is comparable to the values of fairness and accountability, especially considering that laws are social constructs created to be fair and just.
Furthermore, acting responsibly corresponds to the value of being accountable, i.e., assigning and taking ownership of one’s actions, and so to being competent and diligent in one’s own work.
References
Bošnjak, L. and Brumen, B. (2019) ‘Shoulder surfing: From an experimental study to a comparative framework’, International Journal of Human-Computer Studies, 130, pp. 1–20. Available at: https://doi.org/10.1016/j.ijhcs.2019.04.003.
Cao, D. and Yang, B. (2010) ‘Design and implementation for MD5-based data integrity checking system’. IEEE, pp. 608–611. Available at: https://doi.org/10.1109/ICIME.2010.5477912.
Crosman, P. (2016) ‘Carbanak Hackers Targeting Banks Again, Security Pros Say’, The American Banker, 1(F354).
Gollmann, D. (2019) ‘The Cyber Security Body of Knowledge v1.0, 2019’. University of Bristol. Available at: https://www.cybok.org/.
Lowell, K.G. (2017) ‘Civil Liberty or National Security: The Battle Over iPhone Encryption’, Georgia State University Law Review, 33(2), pp. 485–.
Maurer, T., Levite, A. and Perkovich, G. (2017) ‘Toward a global norm against manipulating the integrity of financial data’, Economics: The Open-Access, Open-Assessment E-Journal [Preprint].
Radwan, A.G., AbdElHaleem, S.H. and Abd-El-Hafiz, S.K. (2016) ‘Symmetric encryption algorithms using chaotic and non-chaotic generators: A review’, Journal of Advanced Research, 7(2), pp. 193–208. Available at: https://doi.org/10.1016/j.jare.2015.07.002.
Shostack, A. (2014) Threat Modeling: Designing for Security. 1st edn. New York: John Wiley & Sons, Incorporated. Available from: ProQuest Ebook Central [17 November 2020]. Available at: https://ebookcentral.proquest.com/lib/open/detail.action?docID=1629177&pq-origsite=primo (Accessed: 20 December 2020).
Spafford, S.G. & G. (1999) Practical UNIX & Internet Security. ISBN 1-56592-148-8. O’Reilly & Associates, Inc. Available at: https://www.cs.ait.ac.th/~on/O/oreilly/tcpip/puis/ch06_05.htm (Accessed: 1 May 2023).
van de Poel, I. (2020) ‘Core Values and Value Conflicts in Cybersecurity: Beyond Privacy Versus Security’, in M. Christen, B. Gordijn and M. Loi (eds) The Ethics of Cybersecurity. Cham: Springer International Publishing (The International Library of Ethics, Law and Technology), pp. 45–71. Available at: https://doi.org/10.1007/978-3-030-29053-5_3.