Cybersecurity Ethics — Week 3 · Module 08
Cybercrime & Cybersecurity as Moral Obligation
Spinello's argument: cybersecurity is not a technical role with ethical implications. It is a moral obligation that uses technical means.
13 slides · ~13 min · Spinello Ch. 6
Slide 2 of 13 · The frame
Cybersecurity as Moral Obligation
Why the distinction matters: instrumental cybersecurity stops at the budget line. Moral cybersecurity does not. The first lets you say "we did what was funded." The second asks whether what was funded was enough.
Slide 3 of 13 · Crime actors
Cybercrime Actor Taxonomy
Slide 4 of 13 · The attribution problem
You Cannot See Who Is Attacking You
Why this matters ethically: hack-back, retaliation, and "active defense" all assume you know who you are responding to. If you do not, the response harms innocents. Attribution uncertainty is the central reason most offensive responses are ethically problematic.
Slide 5 of 13 · The hack-back debate
"Hack-Back" — The Hard Argument
The case for
Defense alone consistently loses; attribution and retrieval may sometimes require entering attacker infrastructure. Some argue narrow active-defense provisions could improve deterrence.
The case against
Attribution is unreliable, escalation risk is severe, infrastructure is shared (innocents on the same nodes), private actors have no warrant authority. DOJ has consistently advised against it under existing CFAA.
The professional consensus: the major incident-response codes — Ethics FIRST in particular — explicitly prohibit hack-back. The professional ground is firm even where the political debate is not.
Slide 6 of 13 · Ransomware ethics
The Ransomware Pay-or-Don't-Pay Question
Professional reality: the decision is rarely the security team's alone — legal, executives, board, sometimes regulators. The security pro's role is to surface the full picture honestly. "I did not make the call" is not release from the analysis.
Slide 7 of 13 · The moral weight
Defending What You Cannot Personally See
The user you protect
Customers, patients, citizens, employees. Typically no way to evaluate your work. Benefit when you do it well; bear consequences when you don't.
The fiduciary frame
Spinello argues this asymmetry is the same condition that makes medicine, law, engineering professional. The professional bears a duty toward those whose interests they cannot consult.
The cost
Doing the work well sometimes means doing it against organizational pressure to move faster, reduce friction, or accept inappropriate risk.
Slide 8 of 13 · Critical infrastructure
When Defending Crosses Into Public Safety
The professional implication: security work in critical infrastructure sectors carries elevated moral weight. The codes' "public welfare paramount" language was written with sectors like these in mind.
Slide 9 of 13 · Reference case
Reference Case: Colonial Pipeline (2021)
What happened
In May 2021, the DarkSide ransomware group compromised Colonial Pipeline through a single VPN credential that lacked MFA. Colonial proactively shut down operations to prevent spread; the pipeline carried roughly 45% of US East Coast fuel supply. The result was multi-state fuel shortages, panic buying, and an emergency federal response within days.
The professional questions
Was the security architecture proportionate to the criticality? Were known controls (MFA, network segmentation) implemented? Was the ransom payment (subsequently partially recovered by FBI) defensible? Each is a question the security profession was asked to answer publicly.
The lesson: the absence of basic controls (MFA on a remote-access account) had consequences far exceeding the company's own footprint. The moral frame asks whether "appropriate to our risk" was the right standard or whether the standard should have been "appropriate to the public's exposure."
Slide 10 of 13 · The CFAA today
Crime Definitions Are Moving
CFAA narrowing (Van Buren 2021)
Already covered in CSE-06. Significant: violating terms-of-service is no longer per se a federal crime.
DOJ policy revisions
Department of Justice has updated charging guidance to deprioritize CFAA prosecutions targeting good-faith security research.
State law variation
State computer-crime statutes have not uniformly updated. Federal narrowing does not bind state prosecutors.
The practical implication: what is criminal cyber conduct depends on jurisdiction, prosecutorial discretion, and current case law. The security professional cannot rely on a five-year-old understanding of CFAA scope.
Slide 11 of 13 · The defender's ethics
Spinello's Defender's Ethics
Three obligations the moral frame imposes on the security professional. The course's prior reference cases (Sony BMG, Apple v FBI in CSE-01; NSO Group in CSE-02; Equifax in CSE-03; Aaron Swartz in CSE-06) each map onto failures of one of the three.
Slide 12 of 13 · CSF anchor
CSF Mapping — PR.AT Plus All Five Functions
PR.AT — Awareness/Training
The moral frame is what awareness training should communicate — not just "do not click links" but "you defend people you do not see, who depend on you doing the work right."
All five Functions
The moral frame unifies Identify/Protect/Detect/Respond/Recover. Without it, CSF is a checklist. With it, CSF is a discipline.
v2.0 Govern
CSF v2.0 added Govern as a sixth Function precisely to make the moral and organizational layer explicit. Spinello's argument and CSF's evolution converge.
Slide 13 of 13
Module 08 Takeaways
1. Cybersecurity is a moral obligation, not just a service. The asymmetry between practitioner knowledge and user vulnerability is the foundation.
2. Crime actors span opportunistic, organized criminal, hacktivist, insider, nation-state, terrorist. Different threats need different responses.
3. Attribution is uncertain. The uncertainty is not a footnote — it is why most offensive responses are ethically problematic.
4. Hack-back is rejected by professional codes (Ethics FIRST explicitly). Pay-or-don't-pay on ransomware is fact-specific and shared with leadership.
5. Critical infrastructure elevates the moral weight. Colonial Pipeline (2021): a single missing MFA control had national fuel-supply consequences.
6. Defender's ethics: proportionality, honesty, care — the three obligations that explain the recurring failure modes in this course's prior cases.
Next up: CSE-09 — the Cyberspace Solarium Commission. Where the moral obligation meets US national strategy.