Cybersecurity Ethics | Ethics in IT

Slide 1 of 33  |  ETH-W1-03  |  Week 1
Cybersecurity Ethics
Privacy vs. Safety  •  Incident Types  •  Perpetrators  •  Reasonable Assurance  •  Forensics
Warehouse memo: In November 2014, attackers identifying themselves as the Guardians of Peace breached Sony Pictures Entertainment. They leaked unreleased films, executive salary data, medical records of employees and their children, and private communications. The FBI attributed the attack to North Korea. The ethical questions began long before attribution: what did Sony owe its employees? What did Sony owe the public? What do defenders owe the people they fail to protect?
Slide 2 of 33
The Core Tension in Security Ethics
Security work involves genuine ethical conflicts -- not just technical problems. The conflicts do not resolve themselves automatically.
Privacy vs. Safety
Monitoring employees more thoroughly improves threat detection and reduces insider risk. It also surveils every communication, movement, and activity of people who have done nothing wrong. More visibility = more security. More visibility = less privacy. There is no setting on this dial where both values are fully satisfied.
Transparency vs. Security
Publicly disclosing a vulnerability informs users and creates pressure for patches. It also gives malicious actors a roadmap before patches are deployed. Organizations that never disclose incidents erode public trust. Organizations that disclose immediately may increase harm. Neither extreme is defensible.
Individual Rights vs. Collective Protection
Decryption backdoors for law enforcement help intercept criminals and terrorists. They also create vulnerabilities exploitable by anyone who finds the backdoor. Sacrificing the privacy of millions to prosecute thousands is a utilitarian trade that requires explicit ethical justification, not technical rationalization.
The Professional's Position
Security professionals are not neutral technical operators. Every architecture decision, every monitoring configuration, every disclosure timeline is an ethical choice about which values to prioritize. Pretending otherwise just means making those choices without acknowledging them.
Slide 3 of 33
The Trade-Off Framework
Structuring security decisions that involve competing values. Neither extreme is the answer -- the question is where you draw the line and why.
Identify the Values in Conflict
Name them explicitly. "We are making a choice between the privacy of 5,000 employees and the security of company intellectual property." Not "we are implementing a DLP solution." The technical language often obscures the ethical content of the decision. Make the conflict visible before making the choice.
Assess the Proportionality
Is the privacy cost proportional to the security benefit? Logging every keystroke of every employee to catch occasional insider threats is disproportionate. Logging access to documents containing trade secrets is proportionate. Proportionality requires knowing both the realistic threat level and the realistic harm from the monitoring itself.
Apply Minimum Necessary
Collect only the data, apply only the monitoring, and retain only what is necessary to achieve the stated security objective. Scope creep in surveillance -- deploying monitoring for security and then using it for productivity tracking, performance evaluation, or union-busting -- is an ethical violation that undermines trust in the security function itself.
Disclose the Trade-Off
The people whose rights are being constrained should know the nature and extent of that constraint. Employee monitoring policies should be clear, specific, and acknowledged -- not buried in an employment handbook alongside vacation policy. Informed acceptance is different from coerced acceptance under information asymmetry.
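The proportionality, minimum-necessary and disclose-the-trade-off steps above can be made concrete at the point where telemetry is collected. The following is an added example, not from the slide deck: a collection filter bound to one stated security objective (detecting exfiltration of trade-secret documents). It discards keystroke and browsing telemetry outright, keeps only access to documents labelled trade-secret, strips content payloads, attaches a retention limit, and refuses to release records for any purpose other than the one they were collected for. The event records, field names and the 90-day retention figure are constructed for the example.

```python
"""Purpose-bound, minimum-necessary collection filter for security monitoring.

Added example, not part of the slides. Raw endpoint telemetry is reduced to the
fields that the stated security objective actually needs, and every retained
record carries that purpose so that requests for another purpose can be refused.
All event data below is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SECURITY_OBJECTIVE = "detect exfiltration of trade-secret documents"
RETENTION_DAYS = 90  # constructed figure; set from the organisation's stated need
# Fields that serve the objective. Everything else is discarded at collection time.
NEEDED_FIELDS = ("timestamp", "user", "document_id", "classification", "action", "destination")

# Constructed sample telemetry: a mix of what a broad monitoring agent could capture.
RAW_EVENTS: List[Dict] = [
    {"type": "document_access", "timestamp": "2024-03-01T09:12:00+00:00", "user": "alice",
     "document_id": "DOC-4417", "classification": "trade-secret", "action": "download",
     "destination": "usb:E:", "content": "<full document text>"},
    {"type": "keystrokes", "timestamp": "2024-03-01T09:13:00+00:00", "user": "alice",
     "keys": "personal message to a friend"},
    {"type": "web_browsing", "timestamp": "2024-03-01T09:14:00+00:00", "user": "bob",
     "url": "https://example.org/health-insurance"},
    {"type": "document_access", "timestamp": "2024-03-01T09:15:00+00:00", "user": "bob",
     "document_id": "DOC-0001", "classification": "public", "action": "open",
     "destination": "local", "content": "<cafeteria menu>"},
    {"type": "document_access", "timestamp": "2023-11-01T10:00:00+00:00", "user": "carol",
     "document_id": "DOC-9001", "classification": "trade-secret", "action": "email_attach",
     "destination": "mail:external", "content": "<full document text>"},
]


def minimize(events: List[Dict]) -> List[Dict]:
    """Keep only events the objective needs, projected to the needed fields."""
    kept = []
    for e in events:
        # Keystrokes, browsing history and access to non-sensitive documents do not
        # serve the stated objective, so they are never stored.
        if e.get("type") != "document_access" or e.get("classification") != "trade-secret":
            continue
        ts = datetime.fromisoformat(e["timestamp"])
        record = {k: e[k] for k in NEEDED_FIELDS}          # drops the content payload
        record["purpose"] = SECURITY_OBJECTIVE              # purpose travels with the data
        record["delete_after"] = (ts + timedelta(days=RETENTION_DAYS)).isoformat()
        kept.append(record)
    return kept


def purge_expired(records: List[Dict], now: datetime) -> List[Dict]:
    """Enforce the retention limit: records past delete_after are dropped."""
    return [r for r in records if datetime.fromisoformat(r["delete_after"]) > now]


def query(records: List[Dict], purpose: str) -> List[Dict]:
    """Release records only for the purpose they were collected for.

    A request for performance review, attendance tracking or any other HR purpose
    is refused rather than quietly served from the security data set.
    """
    if purpose != SECURITY_OBJECTIVE:
        raise PermissionError(
            f"records collected for {SECURITY_OBJECTIVE!r} cannot be released for {purpose!r}")
    return [r for r in records if r["purpose"] == purpose]


if __name__ == "__main__":
    records = minimize(RAW_EVENTS)
    live = purge_expired(records, datetime(2024, 3, 2, tzinfo=timezone.utc))
    print(f"{len(RAW_EVENTS)} raw events -> {len(records)} retained -> {len(live)} within retention")
    try:
        query(live, "performance review")
    except PermissionError as err:
        print("refused:", err)
```

The purpose field is what turns a policy statement into something auditable: a later request to reuse the data for productivity tracking fails at the query layer, and the failure itself can be logged.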
Slide 4 of 33
Security Incident Types
Each incident type carries distinct ethical dimensions -- for both the perpetrators and the organizations that failed to prevent them.
Data Breach
Unauthorized access to and exfiltration of data. Can involve sensitive personal data, financial records, intellectual property, or national security information. The ethical obligations of the breached organization begin at architecture (was the data protected appropriately?) and continue through disclosure (were affected parties notified promptly and honestly?).
Ransomware
Malicious encryption of systems with demand for payment. Uniquely raises questions for victims: does paying the ransom fund criminal operations? Does refusing to pay when patient data is held hostage expose hospitals to additional legal and ethical liability? The ethics of payment involve the criminal ecosystem, not just the immediate incident.
Insider Threat
Malicious or negligent actions by authorized users. Creates tension between monitoring (which might detect and prevent) and privacy (which surveillance inherently compromises). Also raises due process questions: how much evidence is required before restricting an employee's access based on behavioral analytics?
Supply Chain Attack
Compromise through trusted third-party software or hardware. SolarWinds: malicious code inserted into a software update served to 18,000 organizations including US federal agencies. The ethical obligation of software vendors to their customers, and of customers to users who depend on their security posture, is directly implicated.
Slide 5 of 33
Who Attacks and Why It Matters
Understanding perpetrator motivation and sponsorship shapes the ethical analysis of both the attack and the response.
Financially Motivated Criminals
Ransomware operators, data brokers selling stolen credentials, BEC fraud. The ethical analysis is straightforward: deliberate harm for profit. More complex is the supply chain of enablement -- bulletproof hosting providers, cryptocurrency mixers, and dark web marketplaces that support criminal operations without directly executing them.
Nation-State Actors
Government-sponsored espionage, sabotage, and influence operations. The ethical complexity is high: some nation-state cyber activity (espionage against military targets) may be comparable to traditional intelligence gathering. Some (attacks on hospitals, civilian infrastructure) crosses widely recognized ethical and legal lines. Attribution itself is ethically significant -- false attribution creates international incidents.
Hacktivists
Politically motivated attackers who believe they are acting for a just cause. Anonymous, LulzSec, and similar groups have claimed to expose corruption, defend free speech, and oppose repressive governments. The ethical question: does a just cause justify unauthorized access, data theft, and the collateral harm to individuals whose data is exposed in the process?
Insiders
Disgruntled employees, negligent users, and recruited moles. The insider threat creates ethical complexity for defenders: aggressive monitoring can detect and prevent, but it assumes guilt before evidence and creates a surveillance environment that degrades the trust relationship between employer and employee at scale.
Slide 6 of 33
The Concept of Reasonable Assurance
Perfect security does not exist. The ethical standard is reasonable assurance -- and defining what is reasonable is itself an ethical question.
What Reasonable Assurance Means
Security controls appropriate to the sensitivity of the data, the likelihood of relevant threats, and the organization's capacity to implement protections. A hospital storing patient data has a higher reasonable assurance threshold than a newsletter service storing email addresses. The standard scales with the harm potential of a breach.
What It Does Not Mean
It does not mean maximum possible security regardless of cost. It does not mean compliance with a minimum standard when the organization knows that standard is inadequate for their threat environment. It does not mean deploying controls and never testing them. Reasonable assurance requires both appropriate selection and operational effectiveness.
The Legal Standard
Courts and regulators use reasonable assurance as a legal standard. The FTC's enforcement actions against companies with inadequate security (Wyndham, LabMD) applied a reasonableness test: did the company implement security appropriate to the sensitivity of the data it processed? Failing the test creates both legal liability and ethical accountability.
When Organizations Fail It
Equifax (2017): a critical Apache Struts vulnerability was publicly disclosed. A patch was available. Equifax did not apply it for 78 days. During that window, 147 million Americans' sensitive personal data was exfiltrated. The failure was not technical inability -- it was operational negligence that violated the reasonable assurance standard.
Slide 7 of 33
Ethics of Incident Response
When a breach occurs, every decision in the response carries ethical weight. Speed, honesty, and scope of notification matter.
Disclosure Timing
Affected individuals have an interest in knowing promptly so they can take protective action. Organizations have an interest in completing forensics before disclosure to avoid inaccurate statements. Regulators impose mandatory timelines (GDPR: 72 hours to DPAs; state breach laws: typically 30-60 days). The ethical question is whether organizations disclose as soon as they reasonably can, or treat the regulatory deadline as the target and use all of the time it allows.
Disclosure Scope
Who needs to know? Affected individuals, regulatory authorities, business partners whose data was compromised, law enforcement. Narrowing notification scope to limit reputational damage is an ethical violation when individuals who need to take protective action are excluded from that narrow scope.
Honesty in Disclosure
The content of breach notifications matters. Vague notifications designed to minimize alarm -- "we detected unusual activity and secured our systems" when 10 million records were exfiltrated -- are dishonest. Notifications should describe what data was involved, when, how, what the organization is doing, and what individuals can do to protect themselves.
Ethical Standard
Would you want this notification if you were on the list of affected individuals? That question filters out the minimum-effort, liability-minimizing disclosures from the honest ones. The standard is: give affected people what they actually need to protect themselves.
Slide 8 of 33
The Ethics of Concealment
Concealing incidents is not only illegal in most jurisdictions -- it is an ethical betrayal of the people whose data was compromised.
Uber (2016)
A breach exposed data of 57 million riders and drivers. Uber paid the attackers $100,000 through its bug bounty program to delete the data and keep quiet. The breach was concealed for a year. When discovered, Uber's CSO was criminally charged. Paying attackers to maintain concealment is itself a federal crime.
The Compounding Harm
Concealment prevents affected individuals from taking protective action during the window when they are most vulnerable. For the 57 million Uber users, a year passed during which their data was potentially being sold and used for fraud -- during which they had no opportunity to respond. The cover-up caused more harm than the breach.
Ethical Violation Analysis
The concealment is a direct violation of: the duty of honesty to affected users, the trust relationship underlying data collection, applicable breach notification law, and the professional ethics obligations of every security professional who participated in the cover-up or remained silent. "Following management's orders" does not apply here.
What Would You Do?
You are a senior security engineer at Uber in late 2016. You have just been told by the new CISO that the company is planning to pay the attackers and not disclose. You are asked to be involved in structuring the payment as a "bug bounty." What is your next action?
Slide 9 of 33  |  Case Study
Case Study: Sony Pictures Hack
November 2014. The most publicly damaging corporate breach in US history at the time. A study in what organizations owe the people whose data they hold.
Attackers destroyed data on approximately half of Sony Pictures' servers, leaked roughly 100 terabytes of data, and exposed: unreleased films, the Social Security numbers of 47,000 past and present employees, medical records of employees and their dependents, executive salary information, private email communications between executives and talent, and extensive internal business documents.
The Attack Itself
The FBI attributed the attack to North Korea, motivated by Sony's planned release of "The Interview," a satirical film depicting the assassination of Kim Jong-un. The attackers used custom malware ("Destover"), overwriting the master boot record to destroy systems after exfiltration. The attack combined espionage, sabotage, and coercion.
What Was Exposed
Employee SSNs, dates of birth, and medical diagnoses. Children's medical records. Salary schedules for thousands of employees. Private executive emails, including communications that revealed racial and gender-based attitudes. Business plans and unreleased film content. None of this needed to be readable by anyone who gained access to Sony's network.
Slide 10 of 33  |  Case Study
Sony Hack: Ethical Analysis
Three separate ethical failures. Not one. The attack was one; the security architecture was another; the response was a third.
The Attackers
Deliberate destruction of business systems. Theft and publication of private employee data that had no intelligence value -- children's medical records and salary data were published to maximize harm and coerce Sony. Publishing private communications to damage reputations. These actions are straightforward ethical violations regardless of stated political motivation.
Sony's Architecture Failures
The hack exposed that sensitive data -- employee SSNs, medical records, compensation -- was stored in accessible, unencrypted flat files across the network. No network segmentation isolated sensitive HR data from entertainment production systems. The security investment did not reflect the sensitivity of the data being held. The employees who trusted Sony with that data were failed before the attack began.
Third-Party Publishers
News organizations and individuals who downloaded and published leaked Sony data -- including employee medical records and salary data -- participated in causing additional harm to people who were already victims. The public interest argument for publishing executive emails does not extend to publishing private employee medical conditions.
The Lasting Question
What did Sony owe its 47,000 employees? They had no choice about whether Sony stored their SSNs and medical records. They trusted their employer with data the law required them to provide. When that trust was violated by an external attack, what was Sony's obligation -- in architecture (prevention), in response (notification), and in consequence (compensation)?
Slide 11 of 33  |  Case Study
Sony: Did It Meet Reasonable Assurance?
Assessing Sony's security posture against the reasonable assurance standard before the breach.
1. Sony had been warned. A 2007 audit by PricewaterhouseCoopers found significant deficiencies in Sony's IT security practices. The findings were not addressed. Prior warning is a significant factor in the ethical and legal analysis of whether the reasonable assurance standard was met.
2. Security researcher Kevin Mitnick noted before the breach that Sony's security was visibly inadequate for an organization of its size, asset value, and geopolitical profile. Reasonable assurance requires security proportional to known risks -- Sony's risk profile was high.
3. Employee SSNs and medical records stored in plaintext across a network accessible to entertainment systems represents a fundamental data security architecture failure. The minimum necessary principle and basic encryption requirements were not met.
4. Sony's overall cybersecurity budget was estimated by industry analysts as below-average for a company of its size. The reasonable assurance standard includes resource allocation proportional to risk. Budget decisions are ethical decisions when they involve protecting people's sensitive personal information.
Slide 12 of 33
Digital Forensics Ethics
Forensic investigations involve the intersection of privacy, due process, and the integrity of evidence. All three require ethical attention.
Chain of Custody
Evidence integrity depends on documented, unbroken chain of custody from collection through court presentation. A forensic examiner who contaminates, modifies, or fabricates evidence is committing fraud -- the consequences extend not just to the defendant in a criminal case but to the integrity of the judicial process itself.
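One concrete way the "documented, unbroken chain" is implemented in practice is a hash-linked custody record. The following is an added example, not from the slide deck: the evidence image is hashed at acquisition, every custody event (acquire, transfer, examine) is appended as an entry whose hash covers the previous entry, and verification reports whether the evidence bytes or any log entry have changed since acquisition. The evidence bytes, item id and custodian names are constructed.

```python
"""Hash-linked chain-of-custody record for a forensic evidence item.

Added example, not part of the slides. Each entry's hash covers the previous
entry's hash, so altering an entry or the evidence is detected on verification.
The evidence bytes below stand in for a disk image and are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled an evidence item, when, and why."""

    def __init__(self, item_id: str, evidence: bytes, custodian: str):
        self.item_id = item_id
        self.evidence_hash = sha256_hex(evidence)  # fixed at acquisition
        self.entries: List[Dict] = []
        self.append("acquired", custodian, note="imaged source media")

    def append(self, action: str, custodian: str, note: str = "",
               when: Optional[str] = None) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "item_id": self.item_id,
            "action": action,
            "custodian": custodian,
            "note": note,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "evidence_hash": self.evidence_hash,
            "prev_hash": prev,
        }
        # The entry hash covers every field above, including the link to the previous entry.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Return the list of integrity problems found; an empty list means intact."""
        problems = []
        if sha256_hex(evidence) != self.evidence_hash:
            problems.append("evidence bytes do not match the hash recorded at acquisition")
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: prev_hash does not link to entry {i - 1}")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i}: entry hash mismatch (entry altered)")
            if e["evidence_hash"] != self.evidence_hash:
                problems.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e["entry_hash"]
        return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Walk one item through custody, then show both kinds of tampering being caught."""
    evidence = b"constructed sample disk image bytes"  # stands in for a real image file
    log = CustodyLog("ITEM-001", evidence, custodian="examiner-A")
    log.append("transferred", "evidence-locker", note="sealed bag #17")
    log.append("examined", "examiner-B", note="read-only mount via write blocker")
    intact = log.verify(evidence)                      # []
    tampered_evidence = log.verify(evidence + b"x")    # image no longer matches
    log.entries[1]["note"] = "sealed bag #18"          # someone edits a past record
    altered_log = log.verify(evidence)                 # entry 1 hash no longer matches
    return intact, tampered_evidence, altered_log


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered evidence", "altered log"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The record does not prove who made a change, only that one occurred after acquisition; that is exactly the question a court asks first, and it is why the acquisition hash is written down before any analysis begins.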
Objectivity
Forensic examiners are retained by one party. The ethical obligation requires reporting all findings -- including findings that do not support the client's position. A forensic report that selectively presents evidence to support a predetermined conclusion is not objective forensic analysis -- it is advocacy dressed as science.
Scope and Authorization
Forensic examinations must remain within authorized scope. A forensic investigation authorized to examine a specific suspect's workstation that expands to review the entire organization's email without additional authorization has exceeded its bounds -- potentially creating inadmissibility and personal liability for the examiner.
Incidental Discovery
Forensic examiners frequently discover evidence of crimes beyond the scope of the original investigation. What obligation does the examiner have to report separately discovered evidence? The answer varies by jurisdiction, engagement terms, and the severity of what was discovered. The examiner cannot simply ignore evidence of serious crimes.
Slide 13 of 33
Employee Monitoring Ethics
One of the most contested areas in workplace ethics. Technology has made surveillance cheap and comprehensive. That does not make it automatically appropriate.
What Organizations Monitor
Email content and metadata. Web browsing history. Application usage and file access logs. Keystrokes. Screen capture at regular intervals. Physical location via badge systems and webcam analysis. Communication sentiment via AI tools. Each layer represents a monitoring choice with a corresponding privacy cost.
The Legitimate Security Case
DLP systems that monitor for outbound transmission of sensitive data serve a legitimate security function. Access logs for systems containing sensitive data serve a legitimate audit function. Anomaly detection that identifies credential stuffing or lateral movement serves a legitimate threat detection function. These are proportionate to meaningful security objectives.
The Scope Creep Problem
Monitoring deployed for security quickly gets repurposed: productivity measurement, performance evaluation, attendance tracking, bathroom break timing. The security justification launders surveillance that would not survive ethical scrutiny on its own terms. Using security systems for HR purposes without disclosure is an ethical violation against the employees who were told the monitoring was for security.
What Would You Do?
Your employer has deployed a keystroke logger as part of a DLP security solution. Your manager asks you to pull keystroke logs for an employee who has recently filed a discrimination complaint, looking for evidence of policy violations. What is your response?
Slide 14 of 33
Ethics of Penetration Testing
Authorized offensive security work is ethically distinct from unauthorized access. The authorization is not a formality -- it is what makes the work legitimate.
The Authorization Boundary
A penetration test is authorized access to specific, defined systems for a specific, defined purpose. The authorization document defines the ethical perimeter. Exceeding that perimeter -- even to find more vulnerabilities, even with good intentions -- is unauthorized access. The good intention does not change the legal or ethical character of the act.
Data Encountered During Tests
Penetration testers routinely encounter real customer data, employee data, and confidential business information during authorized engagements. Accessing that data beyond what is required to demonstrate the vulnerability is a privacy violation. Retaining, using, or disclosing that data beyond the engagement report is an ethical violation independent of the authorization for the test itself.
Social Engineering Ethics
Authorized social engineering tests -- phishing employees, impersonating IT support -- are legitimate security assessment techniques. They become ethically problematic when employees are identified and disciplined based solely on test results without understanding of the training purpose, when tests are designed to cause distress rather than assess vulnerability, or when they extend beyond the agreed scope.
Third-Party Systems
Many enterprise environments share infrastructure. Testing authorized systems sometimes creates side effects on third-party systems that share the same cloud tenant, network segment, or service provider. When your authorized test actions affect unauthorized third parties, the ethical obligation is to stop, report, and assess before continuing.
Slide 15 of 33
Vulnerability Disclosure Ethics
One of the most actively debated ethical issues in security. Three main approaches, none without ethical costs.
Full Immediate Disclosure
Publish all technical details immediately upon discovery. Maximizes pressure on vendors to patch. Also gives malicious actors a detailed attack guide before patches exist and are deployed. Defenders of this approach argue that vendors with no disclosure pressure have no incentive to patch quickly. The ethical cost falls on users who cannot patch before exploitation begins.
Responsible Disclosure (Coordinated)
Notify the vendor privately. Allow a defined period (typically 90 days, per Google Project Zero) for a patch to be developed and deployed. Then publish technical details regardless. This balances the vendor's need for patch time against the indefinite concealment that benefits vendors who delay patching indefinitely. The consensus of most of the professional security community supports this model.
No Disclosure (Vendor's Choice)
Tell the vendor and wait indefinitely for them to decide when and whether to disclose. This approach gives vendors full control over their reputation management -- which is not the same as full control over public safety. Vendors have strong financial incentives not to disclose. Users cannot protect themselves from vulnerabilities they do not know exist.
When a Vendor Does Not Respond
If you report a critical vulnerability affecting millions of users and the vendor refuses to acknowledge or patch it, the ethical obligation shifts. Indefinite non-disclosure while active exploitation may be occurring creates complicity in the harm. Documenting the notification timeline and disclosing after a defined waiting period is the defensible professional position.
Slide 16 of 33
Bug Bounty Ethics
Bug bounty programs create formal frameworks for coordinated disclosure. They also create ethical tensions of their own.
The Legitimate Function
Bug bounty programs incentivize external security researchers to find and report vulnerabilities in exchange for financial rewards, rather than sell them to malicious actors or publish them immediately. Well-run programs have defined scope, transparent rules, and consistent, fair payment. They extend organizational security capability.
Bad Faith Programs
Some programs use vague scope to avoid paying for valid findings. Some deny valid submissions as "out of scope" retroactively. Some make legal threats against researchers who report vulnerabilities in good faith. These behaviors undermine the entire vulnerability disclosure ecosystem and discourage responsible reporting from the security research community.
The Selling Dilemma
A researcher who finds a critical vulnerability can: submit to the affected organization's bug bounty (typically thousands of dollars), sell to a vulnerability broker (potentially hundreds of thousands), or disclose publicly. The financial asymmetry creates real pressure to sell rather than disclose. The professional and ethical standard is disclosure -- but the standard is not sustainable without reasonable compensation.
What Uber Did Wrong
Uber paid attackers $100,000 through its bug bounty program to cover up a breach -- not a vulnerability responsibly reported by a researcher. This is not a bug bounty payment; it is extortion disguised as one. It corrupts the legitimate function of bug bounty programs and constitutes obstruction of breach notification requirements.
Slide 17 of 33
Encryption and Government Access
The encryption backdoor debate is one of the most consequential policy and ethics disputes in security. It has not been resolved.
The Law Enforcement Argument
End-to-end encryption prevents lawful access to communications of criminals, terrorists, and child exploiters. The "going dark" problem: as communications move to encrypted platforms, investigators lose visibility they previously had with wiretaps. Law enforcement agencies in the US, UK, EU, and Australia have pressed for mandatory backdoor capability.
The Security Counter-Argument
There is no such thing as a backdoor only law enforcement can use. A technical capability for authorized government access is a vulnerability exploitable by any actor who discovers it -- hostile nation-states, criminals, rogue employees of the implementing company. Weakening encryption to enable lawful access weakens encryption for everyone, including the infrastructure law enforcement depends on.
The Apple-FBI Case (2016)
The FBI demanded that Apple write software to bypass the passcode lockout on the San Bernardino shooter's iPhone. Apple refused. The legal dispute was resolved when the FBI obtained access through a third-party tool, but the underlying question was not: can the government compel a technology company to build a capability that weakens its own product's security for all users?
The Professional's Position
Security professionals overwhelmingly oppose mandatory backdoors on technical grounds. The ethical question is separate: even if technically feasible, should a democratic government be able to compel a private company to build surveillance capability into products used by hundreds of millions of people globally who consented to no such thing?
Slide 18 of 33
Ethics of Offensive Cyber
Nation-states conduct offensive cyber operations. Professionals who build and operate those capabilities face distinct ethical questions.
Espionage vs. Sabotage
Traditional international law distinguishes espionage (stealing secrets) from sabotage (destroying systems or causing physical harm). Stuxnet, which destroyed uranium enrichment centrifuges in Iran, crossed from intelligence gathering to physical sabotage. The ethics of nation-state cyber operations mirror the ethics of other coercive state action -- and are subject to similar debates about proportionality, civilian harm, and lawfulness.
Civilian Infrastructure Attacks
Attacks on hospitals, power grids, water treatment systems, and financial infrastructure affect civilians who have no role in the targeted state's actions. International humanitarian law prohibits attacks on civilian infrastructure in armed conflict. Cyber operations against civilian infrastructure in peacetime occupy a legal and ethical gray zone that existing frameworks do not adequately address.
The Professional's Dilemma
A security professional employed by a government offensive cyber program operates under orders and legal authority. But professional ethics codes -- including (ISC)2 Canon 1 -- place public welfare above service to principals. The professional who builds a capability targeting civilian infrastructure must weigh that obligation against their employment obligation.
Tool Development Responsibility
The NSA's EternalBlue exploit was leaked and repurposed by criminal groups as the basis for WannaCry, which caused $4-8 billion in global damage including significant disruption to the UK National Health Service. Governments that stockpile vulnerabilities for offensive use bear some responsibility when those vulnerabilities escape containment and harm civilians.
Slide 19 of 33
Surveillance Capitalism
The business model of extracting behavioral data to predict and influence human behavior. The largest non-state surveillance operation in human history.
The Business Model
Users generate behavioral data through platform use -- every search, click, pause, and navigation. This data is analyzed to build behavioral profiles that are sold as prediction products to advertisers. The product is not advertising -- it is the ability to predict and modify user behavior. Users are not the customer; they are the raw material.
The Ethical Objections
Users did not meaningfully consent to participate in a behavioral modification operation when they agreed to use a social platform. The value exchange is opaque: users do not know what data is collected, how it is analyzed, or how it is used to influence their behavior and beliefs. The asymmetry of information and power is extreme.
Security Professionals in This System
Security engineers at surveillance capitalism companies protect the systems that collect, process, and analyze behavioral data. They are not neutral. The security of a system that causes harm does not neutralize the harm -- it protects the operation that causes it. This creates a professional ethics tension that security professionals in those environments must actively engage with.
Slide 20 of 33
AI in Security: Ethics
Machine learning is being deployed for both attack and defense. The ethical questions in both directions are unresolved.
Defensive AI Ethics
AI-based anomaly detection, user behavior analytics, and automated incident response systems make decisions that affect people. An employee flagged as an insider threat by a behavioral analytics system faces real consequences -- investigation, access restriction, potential termination. The model's confidence score is not due process. Human review before consequential action is an ethical requirement.
Offensive AI Ethics
AI-generated phishing emails are more convincing and far cheaper to produce at scale than human-crafted ones. AI-assisted vulnerability discovery accelerates attack timelines. Deepfake audio and video enable social engineering at unprecedented scale. The security community has an obligation to consider the second-order effects of deploying offensive AI tools -- including the criminal adoption of those same tools.
Autonomous Response
Automated incident response systems that block, quarantine, or terminate sessions without human review can disrupt legitimate business operations, harm users whose behavior triggered false positives, and make defensive actions at machine speed that create downstream consequences at human speed. Autonomous action requires careful scope limitation and override capability.
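The requirement in "Defensive AI Ethics" (human review before consequential action) and the one in "Autonomous Response" (scope limitation and override capability) describe one control: a gate between the model's score and the actions taken on it. The following is an added example, not from the slide deck, of such a gate. The model itself is stood in for by a score supplied by the caller; thresholds, user names and the action names are constructed. Low-impact actions (log, notify an analyst) run automatically, any action with consequences for a person is queued for review and refused if executed on the score alone, an operator can reverse any action, and every decision is written to an audit log.

```python
"""Decision gate between an anomaly-detection score and the actions taken on it.

Added example, not part of the slides. The model is represented only by its
confidence score. Actions that affect a person are never executed on the score
alone; they wait for human review, and any action can be overridden afterwards.
Thresholds, action names and users are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Actions with consequences for a person: always require a human decision.
CONSEQUENTIAL = {"restrict_access", "terminate_session", "refer_to_hr"}


@dataclass
class Decision:
    user: str
    score: float
    action: str
    executed: bool = False
    needs_review: bool = False
    reason: str = ""


@dataclass
class ResponseGate:
    alert_threshold: float = 0.6    # below this: record only
    review_threshold: float = 0.85  # at or above this: model recommends restriction
    audit_log: List[Decision] = field(default_factory=list)
    review_queue: List[Decision] = field(default_factory=list)

    def decide(self, user: str, score: float) -> Decision:
        """Map a score to an action tier; consequential actions are queued, not run."""
        if score < self.alert_threshold:
            d = Decision(user, score, "log_only", reason="below alert threshold")
        elif score < self.review_threshold:
            d = Decision(user, score, "alert_analyst",
                         reason="anomalous; analyst notified, no action against the user")
        else:
            d = Decision(user, score, "restrict_access", needs_review=True,
                         reason="consequential action awaiting human review")
            self.review_queue.append(d)
        if d.action not in CONSEQUENTIAL:
            self.execute(d)  # low-impact actions may run at machine speed
        self.audit_log.append(d)
        return d

    def execute(self, decision: Decision) -> bool:
        """Carry out a decision; refuses consequential actions that have not been reviewed."""
        if decision.action in CONSEQUENTIAL and decision.needs_review:
            raise PermissionError(
                f"{decision.action} for {decision.user} requires human review before execution")
        decision.executed = True
        return True

    def review(self, decision: Decision, approve: bool, reviewer: str) -> Decision:
        """A human accepts or rejects the recommended action; the reviewer is recorded."""
        self.review_queue.remove(decision)
        decision.needs_review = False
        decision.reason = f"{'approved' if approve else 'rejected'} by {reviewer}"
        if approve:
            self.execute(decision)
        return decision

    def override(self, decision: Decision, operator: str, note: str) -> Decision:
        """Reverse any action, automated or approved, and record who did it and why."""
        decision.executed = False
        decision.reason = f"overridden by {operator}: {note}"
        return decision


def demo() -> Dict[str, object]:
    """Run three constructed scores through the gate and report what happened."""
    gate = ResponseGate()
    low = gate.decide("alice", 0.20)
    mid = gate.decide("bob", 0.70)
    high = gate.decide("carol", 0.95)
    blocked_before_review = False
    try:
        gate.execute(high)             # attempt to act on the score alone
    except PermissionError:
        blocked_before_review = True
    gate.review(high, approve=True, reviewer="soc-lead")
    executed_after_review = high.executed
    gate.override(high, operator="soc-lead", note="false positive: scheduled data migration")
    return {
        "low": low.action, "mid": mid.action, "high": high.action,
        "low_executed": low.executed, "mid_executed": mid.executed,
        "blocked_before_review": blocked_before_review,
        "executed_after_review": executed_after_review,
        "executed_after_override": high.executed,
        "queue_len": len(gate.review_queue), "audit_entries": len(gate.audit_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keeping the refusal in `execute` rather than only in `decide` is that any other code path (a scheduled job, a second integration) hits the same check; the review requirement then depends on the action's consequences, not on which component happened to request it.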
Attribution AI
AI-assisted attribution -- identifying the source of an attack -- carries the highest ethical stakes in offensive AI. Incorrect attribution based on ML pattern matching that triggers a retaliatory response is a geopolitically dangerous failure mode. The confidence of attribution must be commensurate with the consequences of acting on it.
Slide 21 of 33
Security and Civil Liberties
The post-9/11 expansion of security surveillance infrastructure created lasting tensions between national security and civil liberties that remain unresolved.
Mass Surveillance Programs
NSA programs revealed by Edward Snowden collected bulk telephone metadata on virtually all US domestic calls and intercepted internet communications of foreigners under Section 702. The programs were ruled partially illegal by federal courts. The ethical question -- whether mass collection of data on people who are not suspected of anything is justifiable by the security benefits -- remains contested.
The Chilling Effect
Surveillance of legal activity changes that activity. Journalists change how they communicate sources. Lawyers change how they discuss privileged communications. Activists change how they organize. The harm is not only to those directly surveilled -- it is to the functioning of a free society where certain activities require some degree of operational privacy.
The Snowden Question
Snowden was an NSA contractor who disclosed classified surveillance programs to journalists, believing the public had a right to know what their government was doing in their name. He was charged with Espionage Act violations and has lived in Russia since 2013. The ethics of his disclosure -- was it justified, was it the right method, did he bear the obligation to act -- is one of the most debated questions in security ethics.
The Professional's Obligation
Security professionals who build, maintain, or operate surveillance infrastructure are not ethically neutral operators. The capacity they build is used in ways they do not fully control. Professional ethics requires considering the purpose and likely use of systems, not just their technical functionality. The (ISC)2 Canon 1 -- protection of public good -- applies even when the employer is a government.
Slide 22 of 33
Forensics: Deeper Issues
Digital forensics intersects with criminal justice. The ethical obligations of forensic examiners have direct consequences for human liberty.
Expert Witness Obligations
A digital forensics examiner serving as an expert witness in criminal proceedings has an obligation to the court above their obligation to the retaining party. An expert who tailors testimony to support the client's position, rather than providing their honest expert opinion, is committing perjury and potentially contributing to a wrongful conviction.
Manufactured Evidence
Evidence can be planted on digital devices. The Casey Anthony case raised questions about the reliability of browser history evidence. The reliability of digital evidence depends entirely on the integrity of the forensic process. Examiners who do not follow established evidence handling protocols undermine the validity of results they present to courts.
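The "established evidence handling protocols" the paragraph refers to rest on a simple mechanical check: the acquired image is hashed at acquisition, every later handling step re-hashes it, and the chain of custody is refused if any step disagrees. The following is an added example and not code from the lecture slides; the image bytes, examiner names and step labels are constructed sample data.

```python
"""
Added example (not from the lecture slides): a hash-verified chain of
custody for a forensic image. Image bytes and examiner names are
constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CustodyEntry:
    when: str      # ISO 8601 timestamp, UTC
    examiner: str
    step: str      # "acquired", "copied", "examined", ...
    sha256: str    # digest of the image bytes as seen at this step


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_step(log: list, data: bytes, examiner: str, step: str, when: str = "") -> CustodyEntry:
    """Append a custody entry computed from the bytes actually in hand."""
    when = when or datetime.now(timezone.utc).isoformat()
    entry = CustodyEntry(when, examiner, step, digest(data))
    log.append(entry)
    return entry


def verify_custody(log: list, data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if every logged step saw the same
    bytes as acquisition and the bytes in hand still match that hash."""
    if not log or log[0].step != "acquired":
        return False, "log does not start with an acquisition entry"
    baseline = log[0].sha256
    for i, entry in enumerate(log[1:], start=1):
        if entry.sha256 != baseline:
            return False, f"hash changed at step {i} ({entry.step} by {entry.examiner})"
    if digest(data) != baseline:
        return False, "current image bytes do not match acquisition hash"
    return True, "chain intact"


# Constructed sample: a tiny stand-in for a disk image
SAMPLE_IMAGE = b"...constructed bytes standing in for a disk image..."


def demo_intact() -> tuple[bool, str]:
    log = []
    record_step(log, SAMPLE_IMAGE, "examiner A", "acquired")
    record_step(log, SAMPLE_IMAGE, "examiner B", "examined")
    return verify_custody(log, SAMPLE_IMAGE)


def demo_altered_after_acquisition() -> tuple[bool, str]:
    """Bytes changed between acquisition and the next step: the second entry is
    internally consistent, but it no longer matches the acquisition hash."""
    log = []
    record_step(log, SAMPLE_IMAGE, "examiner A", "acquired")
    altered = SAMPLE_IMAGE + b"<artifact that was not on the original image>"
    record_step(log, altered, "examiner C", "examined")
    return verify_custody(log, altered)
```

The check only proves that the bytes examined are the bytes acquired; it says nothing about what happened before acquisition, and a log kept solely by the party who could alter the image proves little on its own. In practice the acquisition hash is recorded on a witnessed form or in a system the examiner cannot edit, which is the part of the protocol this example leaves out.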
Cross-Border Forensics
Evidence obtained in foreign jurisdictions may be subject to different legal standards. Evidence obtained through surveillance that would be unconstitutional in the US but was gathered by a foreign ally and shared does not automatically become admissible or ethically clean. The source and method of evidence gathering matters.
Anti-Forensics
Perpetrators use anti-forensic techniques -- file wiping, encryption, steganography -- to prevent evidence recovery. The ethics of anti-forensics depend on who uses them and why. A privacy advocate encrypting their own communications is different from a criminal wiping evidence of financial fraud. Context determines the ethical character of the same technical capability.
Slide 23 of 33
Incident Response Ethical Scenarios
Apply the frameworks. Identify the competing values and state how you would resolve the conflict.
1 During incident response for a ransomware attack, you discover that an employee's personal laptop -- which was connected to the network and became the infection vector -- also contained their personal medical records and family photos on the same drive. How do you handle that data?
2 Your organization has suffered a breach. Legal counsel advises delaying notification to "assess the full scope" -- which will take 45 days. Regulatory requirements mandate notification within 72 hours. Legal says the regulation is ambiguous on your situation. What do you recommend?
3 A penetration test discovers that your client is storing unencrypted patient data in a bucket accessible without authentication -- but this finding is outside your contracted test scope. The patient data belongs to a third-party healthcare provider who is not your client. What do you do?
4 During a forensic investigation, you find evidence that the employee you were asked to investigate is innocent -- but you find evidence that their manager committed the fraud you were investigating. Your engagement was scoped to investigate the employee. What is your obligation?
Slide 24 of 33
The Ethics of Hacktivism
Does a just cause justify unauthorized computer access? This is not a rhetorical question -- it is an active ethical debate with practical consequences.
The Argument for Hacktivism
Traditional civil disobedience (sit-ins, blockades, graffiti) involves visible, public acts of nonviolent resistance to unjust systems. Digital civil disobedience is analogous: disrupting the digital infrastructure of unjust actors to force accountability or raise awareness. In some cases, hacktivists have exposed genuine wrongdoing that had no other avenue to the public.
The Arguments Against
Hacktivism causes collateral damage -- individuals whose data is exposed in leaks were not all responsible for the wrong being protested. Attackers are not accountable for their targeting decisions in the way that traditional civil disobedience actors were accountable. The self-appointed judge who decides which organizations deserve attack is not democratically accountable to anyone.
Anonymous and HBGary
Anonymous exposed emails from security firm HBGary Federal after the firm's CEO claimed he had identified Anonymous members and planned to sell the information to the FBI. The emails revealed HBGary had been developing tools for disinformation campaigns. The ethical question: was the exposure of genuine misconduct justification for the method used to expose it?
Warehouse Question
If you had evidence that a company was systematically covering up environmental violations that were causing cancer in a nearby community, and every regulatory and legal channel had been exhausted without result, would unauthorized access to their internal systems to obtain and leak documentation be ethical? What is your framework for answering that question?
Slide 25 of 33
Security Research Ethics
The security research community has developed ethical norms over decades. Understanding them prepares you to participate responsibly.
Academic Research Standards
Security research involving human subjects requires IRB review. Research involving live systems that might cause harm requires ethical justification commensurate with the benefit. The Tuskegee standard -- informed consent is not optional when research affects real people -- applies to security research as much as to medical research.
The Belmont Principles Applied
Respect for persons: study participants give informed consent. Beneficence: research maximizes benefits and minimizes harms. Justice: research burdens and benefits are distributed fairly. A security study that scans the public internet for vulnerable devices and attempts exploitation "for research purposes" may fail all three of these principles simultaneously.
Dual-Use Research
Security research that develops novel attack capabilities benefits defenders who understand the attack landscape and attackers who acquire the knowledge. The decision to publish, present, or release tools developed in security research requires explicit consideration of the harm potential in adversary hands versus the benefit to defenders. Not all security knowledge should be made public.
Slide 26 of 33
Security Community Norms
Professional culture in the security community has developed specific ethical norms that supplement formal codes of conduct.
Don't Be Evil
The informal security community norm that security knowledge is for defense, not offense against unauthorized targets. Professionals who use their skills against unauthorized systems, sell vulnerabilities to offensive actors, or support criminal operations are violating community norms regardless of whether they are also violating their employer's formal code of conduct.
Help the Community
Sharing threat intelligence, publishing defensive tools, contributing to open-source security projects, and mentoring newcomers are community norms that strengthen collective defense. Hoarding vulnerability knowledge for personal competitive advantage undermines the security ecosystem that every professional depends on.
Report What You Find
Security professionals who discover significant vulnerabilities in systems they are not authorized to test -- through passive observation, third-party disclosure, or accidental discovery -- have a community norm obligation to report through appropriate channels rather than ignore, exploit, or sell. The report may be uncomfortable; it is the professional standard.
Support Newcomers
The security community has an unusually strong culture of mentorship and knowledge sharing, partly because the field benefits from a larger, more diverse pool of defenders. Gatekeeping -- using knowledge asymmetry to diminish or exclude newcomers -- works against collective security and reflects poorly on the individual and the profession.
Slide 27 of 33
Data Retention as an Ethics Issue
Keeping data longer than necessary creates security risk. That risk is an ethical issue, not just a technical one.
The Risk Accumulation Problem
Every day data is retained past its useful life, the breach risk of that data continues. Organizations that collect user data "because it might be useful" and retain it indefinitely are accumulating security risk without corresponding benefit. Retaining a 2015 customer database that you no longer actively use means that database is available to breach in 2025.
Data Minimization as Ethics
GDPR codifies the principle: collect only what is necessary, retain only as long as needed, delete when the purpose is complete. This is both a legal requirement in many jurisdictions and an ethical principle: not holding other people's data beyond the purpose for which they provided it is a form of respect for their privacy and autonomy.
Deletion Obligations
When a user requests deletion of their data, the organization has both legal (GDPR, CCPA) and ethical obligations to actually delete it -- not archive it, not de-identify it instead of deleting it, not exempt it under vague "legitimate interest" claims. Deletion requests are a privacy rights exercise, not a customer service problem.
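The three slides above (risk accumulation, data minimization, deletion obligations) describe one mechanism: per-purpose retention periods that are actually enforced, and deletion requests that remove the person from every copy rather than moving them to an archive or a "de-identified" table. The following is an added example and not code from the lecture slides; the store names, purposes, retention periods and sample records are illustrative assumptions.

```python
"""
Added example (not from the lecture slides): a retention sweep plus a
deletion-request handler that purges every store and verifies the result.
Store names, purposes, retention periods and records are assumptions.
"""
from __future__ import annotations

from datetime import date, timedelta

# Retention period per collection purpose (assumed policy values, in days)
RETENTION_DAYS = {
    "order_fulfilment": 180,
    "support_ticket": 365,
}


class DataStores:
    """Three places the same record typically ends up."""

    def __init__(self) -> None:
        self.primary: dict[str, dict] = {}
        self.archive: dict[str, dict] = {}    # "cold" copy; still a breach target
        self.analytics: dict[str, dict] = {}  # reduced copy, still keyed to the person

    @property
    def all_stores(self) -> tuple[dict, ...]:
        return (self.primary, self.archive, self.analytics)

    def ingest(self, record_id: str, subject_id: str, purpose: str,
               collected_on: date, payload: str) -> None:
        rec = {"subject_id": subject_id, "purpose": purpose,
               "collected_on": collected_on, "payload": payload}
        self.primary[record_id] = rec
        self.archive[record_id] = dict(rec)
        # The analytics copy drops the payload but keeps the link to the person,
        # so it is still that person's data and still has to be deleted.
        self.analytics[record_id] = {"subject_id": subject_id, "purpose": purpose}

    def records_for(self, subject_id: str) -> set[str]:
        return {rid for store in self.all_stores
                for rid, rec in store.items() if rec["subject_id"] == subject_id}


def expired_record_ids(stores: DataStores, today: date) -> list[str]:
    """Records whose purpose-specific retention period has run out."""
    ids = []
    for rid, rec in stores.primary.items():
        limit = rec["collected_on"] + timedelta(days=RETENTION_DAYS[rec["purpose"]])
        if today > limit:
            ids.append(rid)
    return ids


def _purge(stores: DataStores, record_ids) -> int:
    """Remove the given records from every store; returns copies removed."""
    removed = 0
    for rid in record_ids:
        for store in stores.all_stores:
            if store.pop(rid, None) is not None:
                removed += 1
    return removed


def retention_sweep(stores: DataStores, today: date) -> int:
    return _purge(stores, expired_record_ids(stores, today))


def handle_deletion_request(stores: DataStores, subject_id: str) -> tuple[int, bool]:
    """Delete, do not archive. Returns (copies removed, nothing left anywhere)."""
    removed = _purge(stores, stores.records_for(subject_id))
    return removed, not stores.records_for(subject_id)


def build_sample_stores() -> DataStores:
    """Constructed sample data: one long-expired record, two current ones."""
    s = DataStores()
    s.ingest("r1", "cust-1", "order_fulfilment", date(2015, 3, 1), "<order details>")
    s.ingest("r2", "cust-1", "support_ticket", date(2025, 1, 10), "<ticket text>")
    s.ingest("r3", "cust-2", "order_fulfilment", date(2025, 2, 1), "<order details>")
    return s
```

The verification step in `handle_deletion_request` is the part that matters: a deletion that only touches the primary store, or that moves the record into `archive`, leaves the person's data available to the next breach exactly as the slides describe. Note that `records_for` can only find copies that still carry the subject identifier; a copy that merely strips the name but keeps the same record key is still linkable data and is caught here by its key.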
Slide 28 of 33
The Zero-Day Market
A functioning commercial market for software vulnerabilities. The ethics are contested and the consequences are global.
How It Works
Vulnerability brokers (Zerodium, Exodus Intelligence) pay security researchers for previously unknown vulnerabilities. Prices range from tens of thousands to over $2 million for certain iOS chains. The broker sells to buyers: government agencies, law enforcement, military, intelligence services -- and, less advertised, to actors whose end use is not disclosed to the seller.
The Ethical Problems
A researcher who sells a critical vulnerability to a broker rather than reporting it to the vendor has chosen to leave millions of users exposed for financial gain. The buyer may use it to target journalists, dissidents, or civilians in armed conflict. The seller does not know and has no control over use. This is the arms dealer argument applied to software vulnerabilities.
Pegasus
NSO Group's Pegasus spyware was sold to government clients as a counter-terrorism tool. Forensic analysis by Citizen Lab and Amnesty International found it used against journalists, human rights activists, opposition politicians, and religious leaders in dozens of countries. NSO's position: we sell only to vetted government clients and cannot control how they use the tool. The ethical question is whether that position is sufficient.
Slide 29 of 33
Applied Ethics Review
Bring together the module's themes across three composite scenarios.
Scenario A: The Insider
An HR analyst notices that a colleague has been accessing files outside their normal work scope. She mentions it to the CISO informally. The CISO deploys keylogging on the suspect's workstation without telling HR, legal, or the employee. The keystroke logs reveal no misconduct -- but reveal highly personal information about the employee's health. What went wrong, and at what point?
Scenario B: The Breach
A healthcare company discovers a breach of patient records. Legal says: notify only the patients directly affected and only the minimum required by HIPAA. The CISO knows from forensics that the breach vector is still present and other patients may be at risk. Legal says closing the vector will reveal the breach scope. What is the professional ethical obligation of the CISO?
Scenario C: The Researcher
A security researcher finds a zero-day in medical device firmware that could allow remote manipulation of insulin dosing. The vendor has no bug bounty program. Initial contact goes unreturned for 30 days. The researcher is being offered $500,000 for the vulnerability by a broker. What is the ethical course of action, step by step?
Slide 30 of 33  |  Exercises
Practice Exercises
Written responses required for exercises 1 and 3.
1 Write a two-paragraph ethical analysis of the Sony Pictures breach, addressing: (a) what Sony owed its employees before the breach (reasonable assurance) and (b) what Sony owed its employees after the breach (disclosure and remediation). Use at least one formal ethical framework.
2 Map the Uber breach cover-up to the five (ISC)2 Code of Ethics canons. For each canon, state whether it was violated by the CISO's decision to pay attackers for silence, and why.
3 Your company is considering deploying an AI-based insider threat detection system that flags employees for investigation based on behavioral patterns. Write a one-page ethical impact assessment covering: the privacy tradeoff, the due process concern, the false positive risk, the scope creep risk, and the disclosure obligation to employees.
4 Take a position on the responsible disclosure debate: 90-day embargo vs. full immediate disclosure vs. indefinite vendor-controlled disclosure. Defend your position using at least two ethical frameworks, and address the strongest objection to your position.
Slide 31 of 33
Key References
Primary sources and authoritative references for the cases and frameworks covered in this module.
Sony Case Sources
US-CERT/FBI Flash Report on GOP Malware (December 2014). Anderson, Nate, et al., Ars Technica -- technical coverage of the breach artifacts. Senate Armed Services Committee Report on Cybersecurity -- Sony referenced in context of nation-state threat landscape. Sony Pictures v. John Does litigation documents.
Disclosure Policy References
Google Project Zero 90-day policy statement -- googleprojectzero.blogspot.com. ISO/IEC 29147 -- Vulnerability Disclosure standard. ISO/IEC 30111 -- Vulnerability Handling Processes. Coordinated Vulnerability Disclosure: A Practitioner's Guide, FIRST.org.
Employee Monitoring References
NLRB guidance on employee monitoring. EEOC guidance on electronic monitoring. APA report on workplace surveillance and employee mental health. Zuboff, Shoshana: "The Age of Surveillance Capitalism" (for broader context on behavioral data extraction).
Forensics Ethics
ACFEI Code of Ethics for Digital Forensics. SWGDE (Scientific Working Group on Digital Evidence) guidelines. Carrier, Brian and Spafford, Eugene: "Getting Physical With the Digital Investigation Process" -- foundational academic paper on forensic ethics in digital investigations.
Slide 32 of 33
Additional Cases for Discussion
Each case presents a distinct ethical dimension. Research one for your written assignment.
Equifax (2017)
147 million records. Known unpatched vulnerability. 78-day delay between patch availability and breach discovery. Executives sold stock before disclosure. Congressional testimony revealed systemic security failures. Reasonable assurance, disclosure ethics, and insider trading are all implicated.
Twitter (2020)
Attackers used social engineering to gain admin access and hijacked high-profile accounts to run a Bitcoin scam. The breach was executed by teenagers using basic social engineering. A platform with 350 million users had its entire admin control surface accessible through human manipulation with no meaningful additional authentication.
SolarWinds (2020)
State-sponsored attackers inserted malicious code into a software update. 18,000 organizations downloaded the backdoored update. The compromise was undetected for months. Supply chain security obligations of software vendors and the government's role in protecting critical infrastructure are central ethical issues.
Slide 33 of 33  |  Summary
Module Summary
Security decisions are ethical decisions. The professional who treats them only as technical problems is making ethical choices without acknowledging them.
Reasonable assurance is the ethical and legal standard. Disclosure honesty is not optional. Authorization defines the ethical boundary of all offensive security work. The people whose data you protect have rights that survive the technical and commercial decisions of the organizations that hold that data.
1 Privacy vs. safety is a genuine trade-off. The ethical obligation is to name it, assess proportionality, apply minimum necessary, and disclose the trade-off to affected parties.
2 Reasonable assurance: security appropriate to data sensitivity, threat level, and organizational capacity. Failing the standard creates both legal liability and ethical accountability.
3 Sony Pictures: 47,000 employee records including SSNs and medical data exposed. The organization failed the reasonable assurance standard before the attack began.
4 Disclosure timing, scope, and content are all ethical choices. Notifications designed to minimize alarm rather than inform are dishonest regardless of legal sufficiency.
5 Authorization is what separates penetration testing from unauthorized access. Scope documentation is not a formality -- it is the ethical boundary of the engagement.
6 Responsible disclosure: notify the vendor, allow defined time for patching, then publish regardless. This balances vendor patch time against indefinite concealment that serves vendor interests, not user safety.
7 Digital forensics examiners have an obligation to the court above their obligation to the retaining party. Tailoring testimony to support the client's position is perjury.
8 Employee monitoring deployed for security cannot be repurposed for HR functions without disclosure. Scope creep in surveillance violates the basis on which employees consented to the monitoring.