Building an Active Computer Security Ethics Community
Modern threats such as
denial-of-service (DoS) attacks, worms, viruses, phishing, and botnets
underscore the need for Internet security research in an increasingly networked
and computationally reliant society. Responses to these threats vary from
passive observation to calls for the legal right to defend computer systems
using aggressive countermeasures.
took active control of malicious botnet C&C servers. The attacks targeted
high-profile victims, resulting in high-profile news coverage. They involved
hostile (criminal) activity across international borders. The targets included
both governmental and nongovernmental organizations with ties to sovereign
governments in multiple nations.
However, they differ in that the
attacks in the first case were fast moving and aggressive, whereas the second
involved more subtle and concealed attacks on information and information
The field of ethics (or
moral philosophy) involves systematizing, defending, and recommending concepts
of right and wrong behavior. Normative ethics is a subfield that seeks to
develop a set of morals or guiding principles to influence the conduct of
individuals and groups within a population (such as a profession, religion, or
society at large).
Three main strategies for arriving
at these moral standards have emerged over time:
Consequentialism espouses the view that the end
justifies the means. For example, a consequentialist argument regarding torture
would evaluate the benefits of the information gained in relation to the loss
of an individual’s rights.
Deontology, or duty-based ethics, looks at the
rightness or wrongness of the acts themselves and the duty to follow rules. For
example, a deontological argument might state that it’s never acceptable to
torture anyone, for any reason.
Virtue ethics considers the character of the
person making the choice, rather than the act or its consequences. For example,
you would consider an individual’s strong moral foundation and history of
acting in virtuous ways when evaluating his or her decision to use torture.
The definition of computer ethics
has various interpretations in line with this broader definition. One of the
most oft-cited definitions is from James Moor, who said that a typical problem
in computer ethics arises because there is a policy vacuum about how computer
technology should be used. Computers provide us with new capabilities and these
in turn give us new choices for action. Often, either no policies for conduct
in these situations exist or existing policies seem inadequate. A central task
of computer ethics is to determine what we should do in such cases—that is, to
formulate policies to guide our actions.
Unfortunately, although the rich
field of ethics offers us a way to consistently and coherently reason about
specific ethical issues, the gap between these approaches and a practical
ethical framework is tremendous.
US Academic Standards
In 1947, the
Nuremberg Code was the first call for informed consent and voluntary
participation in research experiments. The World Medical Association’s Medical
Ethics Committee responded in 1954 by writing the Declaration of Helsinki,
which was completed and adopted in 1964. This declaration addressed research
protocols involving humans in terms of risks and benefits, informed consent,
researcher qualifications, and so on, and informed a set of standards, or good
clinical practices (GCPs). More than a thousand laws, regulations, and
guidelines worldwide now protect human research subjects.
In the US, one of the most
well-known cases of medical research abuse involved experiments on low-income
African-American men infected with syphilis in Tuskegee, Alabama. These
experiments began in 1932, and although researchers learned in the 1940s that
penicillin was an effective treatment, they quietly withheld this information
so doctors could see how the disease affected patients as the disease
The Belmont Report describes three
basic ethical principles and their application:
Respect for persons: participation
as a research subject is voluntary and follows from informed consent.
Individuals should be treated as autonomous agents, and their right to decide
about their own best interests respected. Individuals with diminished autonomy,
incapable of deciding for themselves, are entitled to protection.
Beneficence: do not harm. Maximize possible benefits and minimize possible harm.
Systematically assess both risk and benefit.
Justice: each person should
receive an equal share in treatments and benefit of research according to
individual need, effort, societal contribution, and merit. There should be
fairness of procedures and outcomes in selection of subjects.