Maintaining Ethics in Today's Cyber World
Black Hat Europe
Stephen Cox, Chief Security Architect, SecureAuth
November 13, 2015
Maintaining Ethics in Today’s Cyber World – Black Hat Europe 2015 – © SecureAuth
Agenda
+ Why Talk About Ethics?
+ A Bit of History
+ Ethics Today in Cybersecurity
+ Voices
+ The Disclosure Dilemma
+ Case Studies
Why Talk About Ethics?
Engagement on the cyber-battlefield is escalating.
The battlefield is asymmetric.
Cybersecurity is a young field. Cybersecurity is a rapidly growing field.
Cybersecurity is a highly educated and aging field.
There is a talent shortage.
These are ethical pressures.
A Bit of History
Ethics in Science, Technology & Engineering
+ It turns out this is not a new problem!
+ The American Society of Mechanical Engineers (ASME) discussed the adoption of a code of ethics as early as 1892
+ Many other professional societies followed suit around the turn of the 20th century
These conversations were driven by…
Ashtabula River Railroad Disaster, 1876
Source: https://en.wikipedia.org/wiki/Ashtabula_River_railroad_disaster#/media/File:Ashtabula_Bridge_disaster.jpg
Tay Bridge Disaster, 1879
Source: https://en.wikipedia.org/wiki/Tay_Bridge_disaster#/media/File:Catastrophe_du_pont_sur_le_Tay_-_1879_-_Illustration.jpg
Quebec Bridge Collapse(s), 1907 & 1916
Sources (1907 and 1916 collapses, respectively):
https://en.wikipedia.org/wiki/Quebec_Bridge#/media/File:Quebec_Bridge_Collapse_of_1907.jpg
https://en.wikipedia.org/wiki/Quebec_Bridge#/media/File:Quebec_Bridge_Collapse.jpg
A Pivotal Period in Engineering
+ The turn of the 20th century was pivotal for ethics in the civil and mechanical engineering professions
+ Fascinating book on the topic: The Revolt of the Engineers: Social Responsibility and the American Engineering Profession, by Edwin T. Layton
+ The issues we face today are not so different…
Source: http://www.amazon.com/The-Revolt-Engineers-Responsibility-Engineering/dp/080183287X
Ethics Today in Cybersecurity
Ethical Challenges in Cybersecurity
+ Privacy
+ Conflict of Interest
+ Intellectual Property
+ Breach Disclosure
+ Toxic Containment
+ Adequate Security
+ Ethical Hacking
+ Hacking Back
+ Vulnerability Disclosure
+ Cyberwarfare
With Great Power…
We have immense power as cybersecurity practitioners.
Source: http://marvel.com/characters/54/spider-man
Organizations with Codes of Ethics
+ ISC2
+ ISACA
+ SANS
+ IEEE
+ ISSA
+ ASIS International
+ GIAC
+ EC-Council
Is It Time to Professionalize?
+ Prevailing opinion is “no”
+ Field is too young and too diverse
+ There is already a growing shortage of qualified workers
+ Would likely be counterproductive
So what can we do?
Source: http://www.nap.edu/catalog/18446/professionalizing-the-nations-cybersecurity-workforce-criteria-for-decision-making
Voices
Ethics by Example
Richard Garriott, Joseph Rotblat, John Cornwell
Richard Garriott
+ Game developer and entrepreneur
+ Created the Ultima role-playing game series
+ Today runs Portalarium, a game company out of Austin, Texas
+ The Ultima series had strong ethical and moral underpinnings
Source: https://upload.wikimedia.org/wikipedia/commons/thumb/9/9c/Richard_garriott_july_2008.jpg/220px-Richard_garriott_july_2008.jpg
John Cornwell
+ Journalist, author, academic
+ Currently a director of the Rustat Conferences at Cambridge
+ Wrote Hitler's Scientists: Science, War, and the Devil's Pact (2004)
Source: http://www.amazon.com/Hitlers-Scientists-Science-Devils-Pact/dp/0142004804/
Joseph Rotblat
+ Nuclear physicist
+ Discovered that neutrons are emitted during the fission process
+ His work contributed to the atomic bomb
+ Part of the Manhattan Project, but later left on grounds of conscience
Source: http://www.nobelprize.org/nobel_prizes/peace/laureates/1995/rotblat-facts.html
Joseph Rotblat
+ Went on to win the Nobel Peace Prize in 1995 (shared with the Pugwash Conferences)
+ His Nobel Peace Prize acceptance speech suggested that scientists take an oath, much like doctors do
A Hippocratic Oath for Scientists
Source: http://www.npg.org.uk/collections/search/portraitLarge/mw117251/Sir-Joseph-Rotblat
An Oath for Scientists
“The time has come to formulate guidelines for the ethical conduct of scientists, perhaps in the form of a voluntary Hippocratic Oath. This would be particularly valuable for young scientists when they embark on a scientific career.” -- Joseph Rotblat, 1995
An Oath for Cybersecurity Professionals?
+ Does swearing an oath have any value?
+ Modern opinions on the value of the Hippocratic Oath for medical professionals are mixed
Source: https://en.wikipedia.org/wiki/Hippocratic_Oath#/media/File:HippocraticOath.jpg
Reactions
+ I wrote about this in an op-ed for SC Magazine
+ I received very interesting and thoughtful responses!
The Disclosure Dilemma
Vulnerability Disclosure
+ The industry is struggling with this
+ Not much progress in 20+ years of finding and disclosing bugs
+ Types of Disclosure
– Non-Disclosure
– Responsible or Coordinated Disclosure
– Full Disclosure
Closing the Trust Chasm
+ A huge chasm of trust exists between vendors/manufacturers and security researchers
+ How do we address this chasm?
Crowdsourcing Security Research?
+ BugCrowd & HackerOne
+ Concept: Engage vendors and security researchers in a structured way
+ Vendors can sign up products to be tested
+ Security researchers can sign up to test products
Case Studies in Disclosure
Hacking Jeeps
+ Charlie Miller and Chris Valasek discovered an Internet-accessible vulnerability in modern Jeeps
+ Disclosed to Chrysler prior to their presentation at Black Hat
+ Published their research, but left out a critical firmware step
My take: Miller and Valasek acted ethically.
Hacking Teslas
+ Kevin Mahaffey and Marc Rogers discovered multiple vulnerabilities in Tesla onboard systems
+ Detailed their findings at DEF CON 23
+ Tesla engages security researchers via the BugCrowd service
My take: Pure awesome.
Hacking Airplanes
+ Chris Roberts of One World Labs discovered a vulnerability on United aircraft
+ Disclosed it, but saw a lack of movement from United
+ May have issued commands during a live flight
My take: Roberts crossed the line.
Thank You!
[email protected]
@StephenCoxSA