Chapter 14

The Cyber Security Officer and Privacy, Ethical, and Liability Issues

Abstract

This chapter discusses the issues of ethics, privacy, and liability as they relate to the cyber security officer.

Keywords

Business practices; Code of ethics; Corporate ethics; Corporate values; Ethical behavior; Liability; Whistleblower

Ethics is not a policing function. It’s about creating the kind of climate in which people are encouraged to make the right decisions in the first place.1

Kent Kresa

Chapter Objective
This chapter discusses the issues of ethics, privacy, and liability as they relate to the cyber security officer.

Introduction to Privacy Issues

Much is made of the word “privacy” and the protection of privacy, privacy of an individual’s personal information, for example. However, unless you have been hiding under a rock for the last, oh, 50 years or more, you know that only lip service is given to privacy as anything other than a concept, a “nice try, now let’s move on” thing.
For example, when networks and databases are attacked and compromised, users’/customers’ names, addresses, social security numbers, credit card numbers, and the like are stolen literally by the millions.
What do we mean by privacy anyway? Well, according to the Sharp electronic dictionary, privacy is “the state or condition of being free from being observed or disturbed by other people.”
The U.S. government’s Department of Justice website states the following:

The Privacy Act of 1974, 5 U.S.C. § 552a (2006), which has been in effect since September 27, 1975, can generally be characterized as an omnibus “code of fair information practices” that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. However, the Act’s imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply. Moreover, even after more than thirty-five years of administrative and judicial analysis, numerous Privacy Act issues remain unresolved or unexplored. Adding to these interpretational difficulties is the fact that many earlier Privacy Act cases are unpublished district court decisions. A particular effort is made in this “Overview” to clarify the existing state of Privacy Act law while at the same time highlighting those controversial, unsettled areas where further litigation and case law development can be expected.

The interesting thing is that there seem to be more exceptions than not for government agencies and corporations. One just has to look at the massive collection of information being conducted 24/7 by U.S. agencies and the nation-states of pretty much the whole world. Of course, they cite their need to invade our privacy as being for our own good; you know, for our well-being and security. As a cyber security officer, you may be involved in this endeavor.
Corporations don’t do it in the interest of national security but in the interest of getting that competitive edge, identifying and selling to targeted potential customers. Such techniques seem to get more sophisticated by the day. Of course, you volunteer to give up much of your private information just to be able to make a purchase or do just about anything with anyone online.
Now, although we all abhor such invasion of privacy, as a corporate or government agency cyber security officer you may be involved in such invasion of privacy as a minimum by ensuring that the information collected is properly protected. We know from the numerous attacks, for example, on Target and Sony, that some aren’t doing a very good job.
As a cyber security officer, you MUST find adequate ways to protect the information of the government agency or corporation. After all, that is what you are getting paid to do—protect the privacy of individuals and the corporation or government agency. So far, how’s that working for you?

Introduction to Ethics Issues

We hear a lot about ethics these days, when it seems everyone is out for themselves, from the executives of major corporations to a secretary in a small company office who perpetrates a fraud. One thing that makes a professional a true professional is ethical conduct. That is especially a requirement for a cyber security officer.
When you think of ethics and ethical behavior, what comes to mind? For some it means “doing the right thing.” But what is the “right” thing to do? For some, it is anything that they can get away with without violating any laws. In fact, some narrowly define being ethical as doing anything as long as it does not violate laws. Ethics and morality go hand in hand, but what is moral? For example, communists believe that whatever furthers the advance of communism is moral and that acting in a manner that does not further communism is immoral.
Remember that we talked earlier in this book about committing crimes, and committing crimes takes opportunity, motive, and rationalization. The same applies to ethical behavior. You can use opportunity, motive, and rationalization to do the “right” thing or to not do what is right.
eth·ics [éthiks] noun
1. study of morality’s effect on conduct: the study of moral standards and how they affect conduct (takes a singular verb); also called moral philosophy;
2. code of morality: a system of moral principles governing the appropriate conduct for an individual or group (takes a plural verb).
[15th century; via Old French ethiques from, ultimately, Greek ēthikē, from ēthikos “ethical” (see ethic).]2
If you find someone’s wallet, you have the opportunity to keep it. Suppose the motive is that you do not have a job and you have a family to support. You can rationalize it by saying that the money can buy much-needed food for the family, and besides, the person must be well off based on the number of gold and platinum credit cards in the wallet. Or let’s say that you just found the money and there is absolutely no evidence indicating to whom it belonged. Would it then be OK to keep it? The answer in both cases is no. Why? It does not belong to you. Therefore, even if it were not against the law to keep the money, it would still be unethical. However, sometimes the process is that you turn it over to the local police and if, after a set period of time, no one claims the money, it is yours. That would be ethical because you followed the locally established processes. What about illegally copying software in violation of copyright laws? Isn’t that also unethical?
The interesting thing about ethics is that it may also depend on your culture. For example, the businessperson who gives gifts to a procurement officer in a corporation that he or she wants to do business with may be breaking the law in some countries, but such gifts are expected in others. Is it wrong to accept the gifts in those countries where that is a tradition? No. Of course, if it violated a law or company policy, it would be unethical because violating a law is in itself unethical. Add to all this the moral issues, knowing what is right and what is wrong, considering what you were taught growing up, and all this brought together and integrated in each of us with our culture, working environment, and the like. The philosophy of morals and ethics has been the subject of study and discussion for centuries. We surely will not provide the definitive answers here. However, we must understand the basics of ethics because it does have an impact on protecting corporate assets.
mor·al [máwrəl] adjective
1. involving right and wrong: relating to issues of right and wrong and to how individuals should behave;
2. derived from personal conscience: based on what somebody’s conscience suggests is right or wrong, rather than on what the law says should be done;
3. in terms of natural justice: regarded in terms of what is known to be right or just, as opposed to what is officially or outwardly declared to be right or just; a moral victory;
4. encouraging goodness and respectability: giving guidance on how to behave decently and honorably;
5. good by accepted standards: good or right, when judged by the standards of the average person or society at large;
6. telling right from wrong: able to distinguish right from wrong and to make decisions based on that knowledge;
7. based on conviction: based on an inner conviction, in the absence of physical proof.
noun (plural mor·als)
1. valuable lesson in behavior: a conclusion about how to behave or proceed drawn from a story or event;
2. final sentence of story giving advice: a short, precise rule, usually written in a rather literary style as the conclusion to a story, used to help people remember the best or most sensible way to behave.
plural noun mor·als
standards of behavior: principles of right and wrong as they govern standards of general or sexual behavior.
[14th century; from Latin moralis, from mor-, stem of mos “custom,” in plural “morals” (source of English morale and morose).]3
Ethical behavior is expected of everyone who works in a corporation. Few, if any, corporations or any type of business or government agency want to be seen as doing anything unethical.
Some people believe that if it is not against the law, it is ethical. Often it seems that corporations that walk a fine line between legal and illegal behavior use a great deal of rationalization to justify their actions. However, in most circumstances, the ethical question remains: Yes, it is legal, but is it the ethical thing to do?
If you see someone in your corporation doing something that violates corporate policy, should you report that person to management? This is probably an employee’s most difficult ethical dilemma. In some nation-states, it is better to not report anyone, even someone committing a serious crime, because many children were brought up not to be a “squealer,” a “fink,” a “snitch.” In some societies, that is almost as bad, if not worse, as committing the offense that is being reported.
Because of the amount of unethical behavior within some corporations and nation-states, there are processes by which one, sometimes called a whistleblower, can receive financial rewards for identifying illegal or unethical behavior. However, as much as corporations like to say that they have an ethics program within their corporation, when an employee comes forth and reports illegal activities, it seems that, more often than not, he or she is the subject of harassment, receives no promotions, and is made to feel unwanted in the corporation. Management looks upon that person as one who could not be trusted. Ironic, isn’t it? A person reports someone’s unethical behavior in accordance with the corporate policy. That person, instead of being considered an honest and loyal employee, is considered to be untrustworthy. There are many examples of such conduct within the corporations of the United States and other nation-states. Suffice it to say that corporate management can tout an ethics program, but one that truly works as stated in the brochures is another matter.

Codes of Ethics

Most, if not all, professional associations have a code of ethics. They are all about the same in that one must do what is right and report what is wrong. As a cyber security professional, you must behave in a professional manner at all times and, therefore, comply with the professional code of ethics.
It is quite possible that members of associations with a code of ethics have actually never read the code of ethics, even though as a cyber security professional and member of one or more security-related associations, you are required to comply with the association’s code of ethics. In fact, it can even be considered unethical not to have ever read the code of ethics for the various associations to which you as a cyber security professional belong.
What does that say about you and your professionalism? One may counter by saying that he or she always acts in an ethical manner and doesn’t have to read any code of ethics. This “know-it-all” attitude is possibly a symptom of a more serious matter: the idea that one has no more to learn about an information security-related topic. That not only is impossible but will end up costing the corporation in terms of effectiveness and efficiency. How? Because the cyber security officer who is not continuously learning and applying new and better techniques does not take advantage of new (and possibly better and cheaper) ways of protecting assets.
Now is a good time to take the opportunity to read some codes of ethics from security-related professional associations. Please take the time to search online, read, understand, and apply the codes of ethics as an integral part of your job and profession.

Corporate Ethics, Standards of Conduct, Business Practices, and Corporate Values

Many corporations in many countries of the world today concern themselves with ethics, standards of conduct, business practices, and values. What does all that mean? Basically, it still means that one must know the difference between right and wrong, acceptable conduct and unacceptable conduct. In today’s world, corporations are successfully sued because of the unethical conduct of their employees. Therefore, if for no other reason than loss of revenue, such matters are a serious concern of corporate management.
There are corporate policies and awareness training sessions given to employees and often special training given to management. This is because it seems that it is mostly management that is involved in unethical conduct. For example, management may direct their employees to act in an unethical manner by taking a shortcut in a manufacturing process such as a quality check to get the product out the door faster.
Cyber security professionals in corporations are often involved in following up on ethics matters that have been reported by managers or employees, either directly or through a corporate ethics hotline, for example, noncompliance with the cyber security program. The ethics hotline provides a communications medium to obtain reports of unethical behavior. It should never be used to try to identify the caller if that caller did not leave any information relative to his or her identity. In fact, to do so would be unethical in itself, and once word got out of such conduct by management, the chances of obtaining further information concerning unethical behavior would be almost zero. If that did occur, that manager seeking the identity of the caller should be the subject of an ethics inquiry. One should never dwell so much on the messenger as the message. After all, isn’t that the objective of the ethics program and ethics hotline? It is amazing how many managers in corporations focus on identifying the caller instead of acting on the information the caller provided. That alone tells a great deal about the ethics of some managers.
One often hears about managers “shooting the messenger.” Any manager who verbally or otherwise attacks the messenger is “not getting the message.” So, what does this have to do with the ISSO and professionalism? As an employee of a corporation, you have probably been on one end or the other—or both—of such incidents. Think about it. No one likes to receive bad news, and finding out through some ethics channel that some assets were stolen, that someone was not complying with the assets protection policies, and that this person was a senior executive may cause management to “shoot the messenger.”
As a cyber security professional, you have a professional responsibility not to allow the shooting of messengers. Instead, you must direct management efforts to the identified problem. If you are requested or directed to do all you can to identify the anonymous reporter of ethics violations, you should explain that such conduct is in violation of the corporate ethics policy and, therefore, the request or demand itself is unethical. Unfortunately, it may cost you your merit raise, a less than favorable performance review, and the like, but that is a price that you must be willing to pay. It is a matter of principle—your professional integrity—and that means a matter of ethical conduct.

Liability Issues

One of the consequences of not providing adequate cyber security is the successful attacks that lead to violations of privacy and ethics. These often result in massive lawsuits in which the corporation that employs you must pay out. We are talking millions of dollars.
Your job is of course on the line, because even if your telling management what needed to be done fell on deaf ears, you will still be held responsible. Saying “I told you so” or “I didn’t have enough budget” will not help you. The best you can do is continually document all the “I told you so’s” and the requests for whatever you needed but didn’t get, for example, staff, security software, etc. It probably won’t stop you from getting fired, but it may help with a “wrongful discharge” lawsuit.
The other way to handle such issues is to convince your legal department, and then for both of you to advise management, of the need for insurance to cover such losses due to, for example, successful hacker attacks. In many cases, it is a prudent business decision.
Cyber attack risk requires $1 bn of insurance cover, companies warned4

Questions to Consider

Based on what you have read, consider the following questions and how you would reply to them:
• Does your company have ethics and privacy programs?
• Are you and your staff actively involved in the programs?
• Do you support the programs by conducting inquiries into noncompliance with the cyber security program or company ethics policies?
• Does your corporation have an ethics hotline?
• Do you discuss proper behavior with your staff?
• If not, why not?
• If so, what do you discuss and how often?
• Do you use the corporate ethics and privacy programs to support following the cyber security program?
• If so, do you try to get management to view a cyber security noncompliance issue as also an ethics or privacy issue?
• Have you discussed liability insurance with your legal staff, maybe auditors and management?

Summary

Cyber security professionals must be extremely honest people of high integrity. After all, they know the vulnerabilities of the corporate information and information systems assets as well as the protection mechanisms. That is very valuable information. Cyber security officers must conduct themselves in an ethical manner at all times. If they belong to a professional, security-related association, they must also adhere to the association’s code of conduct.
Cyber security professionals must also do their best to encourage all corporate employees, led by executive management, to act in an ethical manner when doing their work at the corporation. The cyber security program will benefit through fewer information thefts, less damage, less unauthorized modification, and fewer cyber security violations and will provide for a corporate cyber security environment that is better overall.
As part of their job, they must also protect the privacy of the corporation, employees, associates, subcontractors, and of course customers. You may be personally liable if your cyber security program fails. Certainly your corporation will be.

1 Kent Kresa is Chairman of the Board and CEO of Northrop Grumman Corporation.

2 Encarta World English Dictionary, ©1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.

3 Encarta World English Dictionary, ©1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
