Cybersecurity Ethics — Week 1 · Module 01
Cyberethics Overview
Cyberspace breaks ordinary moral intuition. This module explains why — and gives you the four-part lens you'll use for the rest of the course.
13 slides · ~13 minutes · Spinello Ch. 1
Slide 2 of 13
Why Cyberspace Breaks Ordinary Moral Intuition
Four structural features that did not exist in the moral environment our ethical traditions were built for.
Old frameworks need translation. Aristotle could not have answered "is it ethical to share this photo with one friend who could share it with billions?" The question did not exist.
Slide 3 of 13 · The field
What Cyberethics Actually Is
A branch of applied ethics. Not a separate moral system — the application of moral reasoning to the distinct conditions of networked technology.
Why the distinction matters in security: "everyone in our company writes their password down" is descriptive. "No one should write their password down" is normative. "European admins use password managers more than US admins" is comparative.
Slide 4 of 13 · The course's central frame
Lessig's Four Modalities of Regulation
From Lawrence Lessig, Code and Other Laws of Cyberspace (1999); rewritten as Code: Version 2.0 (2006). The single most-cited model in cyberethics.
The insight: all four constrain behavior. In physical space, law and norms dominate. In cyberspace, code dominates — and code is written by engineers. That makes engineering decisions ethical decisions whether anyone framed them that way or not.
Slide 5 of 13 · The famous claim
"Code is Law"
DRM that prevents copying is more binding than copyright law that forbids it.
The implication: the engineer who implements an access control list is writing law for that system. Whoever picks the role-to-permission mapping is making a power-distribution decision wearing a technical costume.
Slide 6 of 13 · The toolkit
Four Ethical Frameworks (Quick Reference)
You will see all four invoked in cybersecurity arguments. Knowing the names lets you see what is actually being assumed.
Slide 7 of 13 · The hard case
When the Frameworks Disagree
A vulnerability researcher faces full disclosure vs. coordinated disclosure. Each framework has an answer.
Framework | Recommends | Reasoning
Utilitarian | Coordinated disclosure (after patch) | Greatest total well-being if attackers don't get a head start
Deontological | Tension — competing duties | Duty to inform vs. duty to not enable foreseeable harm. Reasonable Kantians land on either side.
Virtue | Coordinated with timeline | What the responsible professional does — honesty plus prudence
Contractualist | Coordinated disclosure | No one would consent to "vulns dropped without warning" behind a veil of ignorance
Slide 8 of 13 · Reference case
Sony BMG Rootkit (2005)
A canonical Spinello case — what happens when a corporation enforces copyright through code.
The Lessig analysis: Sony chose code to enforce law (copyright). The architecture overrode user consent. Utilitarian harm dwarfed gain. Deontology: users were used as means to anti-piracy ends without meaningful consent. The engineer who wrote the cloaking code was performing an act with ethical weight, line by line.
Slide 9 of 13 · Reference case
Apple v. FBI (2016)
All four Lessig modalities collided. None was decisive.
How it ended: the FBI withdrew the request after an unidentified third-party vendor provided an unlock method (later attributed by reporting to Azimuth Security; never confirmed). The legal question was never resolved. The ethical question continues.
Slide 10 of 13 · The professional layer
Why Security Professionals Have Codes
The frameworks tell you how to reason. The codes tell you what your profession has agreed reasoning produces.
Slide 11 of 13 · The CSF bridge
How This Module Maps to NIST CSF
Cyberethics is not separate from the framework — it is what the framework requires you to think about.
Slide 12 of 13 · The course ahead
Where the Rest of the Course Takes This
Slide 13 of 13
Module 01 Takeaways
Six anchors for everything that follows.
1. Cyberspace breaks ordinary moral intuition through anonymity, reproducibility, action at distance, and persistence.
2. Cyberethics is applied ethics — descriptive, normative, comparative. The course is mostly normative.
3. Lessig's four modalities — law, norms, market, code — constrain behavior. In cyberspace, code dominates.
4. "Code is law" means engineers make rules whether they admit it or not. The neutrality claim is incoherent.
5. Four ethical frameworks — utilitarian, deontological, virtue, contractual — usually agree, sometimes don't. The disagreements are where real decisions live.
6. Sony BMG (2005) and Apple v. FBI (2016) are reference cases for the rest of the course.
Next up: CSE-02 — The Security Professional's Role. Spinello Ch. 2 + the four security-specific codes (ASIS, ISACA, GIAC, Ethics FIRST).