Sunday, October 11, 2020

Cybersecurity awareness: history and the ethics factor (Cybersecurity Awareness Month, Day 11)

Encouraging people to think of cybersecurity as a shared responsibility is a recurrent theme in cybersecurity awareness programs. This probably strikes you as entirely reasonable if, like me, you think there is a clear need to establish norms of attitude and behavior in cyberspace, just as humans have done in meatspace. 

For example, I would argue that most humans today frown on things like theft, extortion, bullying, and deception for selfish or malicious purposes. In many instances, in many societies, such things are considered crimes, and traditional crime reduction programs have long encouraged consumers to "do their bit" to reduce crime (for example, I pass several Neighborhood Watch signs every time I walk to the corner store).

At the top of this article I have pasted one of the official graphics from the organizers of the 2020 Cybersecurity Awareness Month in the US. Here are three of the suggested social media messages that go along with this image, with emphasis added by me:

This message of shared responsibility has been stressed for many years. For example, here is a message from the 2014 campaign, known back then as National Cyber Security Awareness Month and referred to as NCSAM: 

Messaging about shared responsibility from National Cyber Security Awareness Month 2014

(Note that in 2014 the hashtag for cybersecurity awareness month was #NCSAM and a quick search today suggests some folks have not yet switched up to the 2020 tag which is #BeCyberSmart. However, fans of cybersecurity history can see tweets from 2014 with this search link.) 

My purpose in writing about this today, Sunday, October 11, 2020, which is day 11 of cybersecurity awareness month, is to encourage us to reflect on the fact that this theme of shared responsibility is based on several assumptions about ethics, such as: a) most people have a well-developed sense of right and wrong, and b) they are willing to apply this to their actions in cyberspace. 

Rather than delve into the validity of these assumptions—something I may do later in the month—today I just want to provide some historical perspective. To that end, please consider this statement:

During the last five years, hundreds of new security products have appeared, but hundreds of new threats have emerged. It is clear that ultimate success in the struggle to protect information depends not upon technology, but upon the development of appropriate ethical standards for the information age. 

Photo of the NCSA Guide to PC and LAN Security by Stephen Cobb, 1995

Can you guess when that was written? The answer is 1996. The "five years" to which the writer refers are 1991 to 1995. I know this because I wrote those words. They were published by McGraw-Hill in the final chapter of the NCSA Guide to PC and LAN Security* which came out towards the end of 1995. (I should point out that the NCSA in the title is not the same NCSA that runs cybersecurity awareness month—it's complicated.)

Today, I stand by those words. In fact, today I am even more firmly convinced that the development of appropriate ethical standards for the information age is of critical importance to our future. Back in 1995, I made this call to action:

We have to insist on higher standards of conduct on all sides. That means everyone, from users, who tend to flaunt software-licensing agreements, to vendors, who tend to prefer quick bucks over commitment to the user community, to CEOs, who demand growth without budgets for security and training, to employees, who don't realize that their continued employment depends upon effective security.

Thankfully, over time, I have seen numerous examples of people and organizations committing to higher standards of conduct, and enforcing them; but regrettably it appears that the world at large is still falling woefully short. The reasons for this are numerous and undoubtedly complex, but part of the problem is the slowness of our response to what I went on to say in that chapter:   

It also means teaching our kids to respect property and privacy rights in cyberspace, while providing them with educational and employment opportunities that keep them challenged (many of tomorrow's hackers will be kids whose curiosity about digital technology outpaced the meager facilities of underfunded or ill-managed schools).

Fortunately, the most recent five years have seen more attention paid to engaging young people in cybersecurity and hacking—in the best senses of that word. From established international events like DEFCON, to growing regional events like CORNCON, there has been a growing effort to encourage children to consider the implications of technology and the ethics of messing about with it. Young people can now participate in cybersecurity competitions like the national CyberPatriot program in the US, and also a range of regional programs (see these two videos on Mayor's Cyber Cup programs and how they are empowering a diverse group of young people).

What I did not grasp clearly enough back in 1995 was the role of governments in addressing the ethics of digital technology and the many ills inherent in the abuse of digital technology. Here's what I did say then about the need for higher standards of conduct:

[] means governments and corporations setting aside the cynical exploitation of the marketplace and public opinion so that bad actions are once again seen to have bad consequences, from the top down.

Twenty-five years ago I was concerned that the abuse of technology was not being taken seriously enough, with governments failing to appropriately prosecute computer intrusions and theft of intellectual property, even as they surreptitiously adopted these tactics for government purposes. At the same time, digital products were being marketed as though they could not possibly have any downsides at all.

While I was able to imagine things going badly if we stayed on that course, and have constantly warned of the need to change course, I did not think we would so quickly arrive at a point where a man aspiring to be President of the United States could not only get away with publicly urging foreign actors to criminally abuse the data systems of US citizens, but he would actually get elected on the back of them doing so.

So, in addition to being aware of what we can do to increase the security of information systems, we need to do what we can to ensure most people have a well-developed sense of right and wrong, and that they are willing to apply this to their actions in cyberspace. 


* The book is still listed for sale on Amazon, but I regained the copyright some years ago to make a free PDF version available, in three parts, on this blog—the links are near the top right of the page you are now reading—mainly as an historical artifact because some of the technology discussed in the book is no longer in use.
