Ethical Implications of Security Vulnerability Research for Critical Infrastructure Protection

Bibtex

@Select Types{,
  
   
  
   
  title    = "Ethical Implications of Security Vulnerability Research for Critical Infrastructure Protection", 
  author    = "Livinus Obiora Nweke and Stephen D. Wolthusen", 
  doi    = "https://doi.org/10.30844/wi_2020_z4-paper2", 
  abstract    = "Security vulnerability research (SVR) involves searching for security flaws in a system. Such activity is likely to raise ethical concerns which need to be considered. For example, if a security researcher discovers a vulnerability in a critical infrastructure that can be exploited by an attacker; what is the right thing to do? Based on ‘duty of care’ principle and the fact that a public disclosure would force the critical infrastructure operator to quickly address the issue; going public with the discovery seems to be the right course of action. However, based on ‘do not cause harm to others’ principle, a public disclosure could badly affect the reputation of the critical infrastructure operator. Also, there is the possibility that the disclosed vulnerability could be exploited by an attacker before the operator is able to resolve the problem. The question would then be: is public disclosure still the right thing to do? This type of situation raises an ethical dilemma because a critical infrastructure is a system that is essential for the maintenance of vital societal functions and any attack against such an infrastructure would have a devastating effect. In this paper, we examine the ethical implications of SVR for critical infrastructure protection using the three normative ethical theories. First, we review the state-of-the-art of ethics in SVR. Then, we investigate how the three different normative ethical frameworks would respond to a hypothetical scenario relating to security vulnerability in a critical infrastructure in order to provide guidance for security researchers involved in SVR. Finally, we present a discussion on how a security researcher would make an ethical decision when confronted with an ethical dilemma. We observe from this study that a security researcher could rely on the three different normative ethical frameworks to reason about the best course of action during SVR for critical infrastructure protection.

", 
  keywords    = "Security Vulnerability Research, Ethics, Ethical Implications, Critical Infrastructure Protection", 
}

Abstract

Abstract

Security vulnerability research (SVR) involves searching for security flaws in a system. Such activity is likely to raise ethical concerns which need to be considered. For example, if a security researcher discovers a vulnerability in a critical infrastructure that can be exploited by an attacker; what is the right thing to do? Based on ‘duty of care’ principle and the fact that a public disclosure would force the critical infrastructure operator to quickly address the issue; going public with the discovery seems to be the right course of action. However, based on ‘do not cause harm to others’ principle, a public disclosure could badly affect the reputation of the critical infrastructure operator. Also, there is the possibility that the disclosed vulnerability could be exploited by an attacker before the operator is able to resolve the problem. The question would then be: is public disclosure still the right thing to do? This type of situation raises an ethical dilemma because a critical infrastructure is a system that is essential for the maintenance of vital societal functions and any attack against such an infrastructure would have a devastating effect. In this paper, we examine the ethical implications of SVR for critical infrastructure protection using the three normative ethical theories. First, we review the state-of-the-art of ethics in SVR. Then, we investigate how the three different normative ethical frameworks would respond to a hypothetical scenario relating to security vulnerability in a critical infrastructure in order to provide guidance for security researchers involved in SVR. Finally, we present a discussion on how a security researcher would make an ethical decision when confronted with an ethical dilemma. We observe from this study that a security researcher could rely on the three different normative ethical frameworks to reason about the best course of action during SVR for critical infrastructure protection.

Keywords

Schlüsselwörter

Security Vulnerability Research, Ethics, Ethical Implications, Critical Infrastructure Protection

References

Referenzen

1. Alexander, L., Moore, M.: Deontological Ethics. The Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/archives/win2016/entries/ethics-deontological (2016)
2. Bonde, S., Firenze P. A framework for making ethical decisions, (2013), https://www.brown.edu/academics/scienceand-technology-studies/framework-making-ethical-decisions
3. Carle, S.: Crossing the line: Ethics for the security professional (2003), https://www.sans.org/reading-room/whitepapers/hackers/crossing-line-ethicssecurity-professional-890
4. Dittrich, D., Bailey, M., Dietrich, S.: Building an active computer security ethics community. IEEE Security & Privacy 9(4), 32–40 (2010)
5. Driver J.: Normative Ethics. The Oxford Handbook of Contemporary Philosophy (Sep 2009), https://doi.org/10.1093/oxfordhb/9780199234769.003.0002
6. Fieser, J.: “Ethics”, The Internet Encyclopedia of Philosophy, ISSN 2161-0002, https://www.iep.utm.edu/ethics/, (2020).
7. Forbes: (Nov 2018), https://www.forbes.com/sites/thomasbrewster/2019/11/18/huaweibeats-google-in-offering-220000-to-hackers-who-find-android-backdoors/
8. Fuster, G.G., Gutwirth, S.: Ethics, law and privacy: Disentangling law from ethics in privacy discourse. In: Proc. Technology and Engineering 2014 IEEE Int. Symp. Ethics in Science. pp. 1–6 (May 2014). https://doi.org/10.1109/ETHICS.2014.6893376
9. Gartner: Emerging technology analysis: Bug bounties and crowdsourced security testing (2018)
10. Gotterbarn, D., Miller, K., Rogerson, S.: Software engineering code of ethics. Communications of the ACM 40(11), 110–118 (1997)
11. Gotterbarn, D., Brinkman, B., Flick, C., Kirkpatrick, M.S., Miller, K., Vazansky, K., Wolf, M.J.: Acm code of ethics and professional conduct. ACM (2018)
12. Hursthouse, R., Pettigrove, G.: Virtue Ethics. The Stanford Encyclopedia of Philosophy, https://plato.stanford.edu/archives/win2018/entries/ethics-deontological (2018)
13. IEEE: Ieee code of ethics (Feb 2014), https://www.ieee.org/about/corporate/governance/p7- 8.html
14. ISSA: Issa code of ethics, https://www.members.issa.org/page/CodeofEthics (2020)
15. Leiwo, J., Heikkuri, S.: An analysis of ethics as foundation of information security in distributed systems. In: Proceedings of the Thirty-First Hawaii International Conference on System Sciences. vol. 6, pp. 213–222. IEEE (1998)
16. Matwyshyn, A.M., Cui, A., Keromytis, A.D., Stolfo, S.J.: Ethics in security vulnerability research. IEEE Security & Privacy 8(2), 67–72 (2010)
17. Rescorla, E.: Is finding security holes a good idea? IEEE Security Privacy 3(1), 14–19 (Jan 2005). https://doi.org/10.1109/MSP.2005.17
18. Sassaman, L.: Ethical guidelines for computer security researchers: “be reasonable”. Lecture Notes in Computer Science 6054, 250 (2010)
19. Schneier, B.: The ethics of vulnerability research (2008), https://www.schneier.com/blog/archives/2008/05/the-ethics-of-v.html
20. Schrittwieser, S., Mulazzani, M., Weippl, E.: Ethics in security research which lines should not be crossed? In: 2013 IEEE Security and Privacy Workshops. pp. 1–4. IEEE (2013)
21. Shou, D.: Ethical considerations of sharing data for cybersecurity research. In: International Conference on Financial Cryptography and Data Security. pp. 169– 177. Springer (2011)

Most viewed articles

Meist angesehene Beiträge

GITO events | library.gito