Something about cyberconflict that makes sense to me now is the need for an expanded version of Just War Theory to account for its complexities. For example, reasons such as ambiguity in who is involved with the conflict and where attacks come from. The traditional approach to warfare would have specific people attacking from a single area or location, but due to anyone having the potential to be a malicious actor and cyber-attacks coming from any place with enough technological capability, that older style isn’t effective in a new setting. Another example is how the Just War Theory cannot account for the scope of attacks. With attacks like Stuxnet, while there is a specific target, there is potential for it to spread and cause unintentional damage that is not part of the conflict. This then culminates with how new agreements on cyberconflict need to be enforced for new ethical regulations of action. Concepts such as attacks to resolve conflict and return to the status quo, and emphasis on removing, and preventing entropy within the Infosphere are necessary principles for cyberconflict. This is opposed to a traditional perspective of attacks being in retaliation, or simply out of a sense of self-satisfaction. In conclusion, this module effectively taught me about the ethical components of cyberconflict and the necessary changes that need to be implemented for proper engagement of cyber warfare.

First, read “The Real story of Stuxnet.” [backup download: stuxnet-ieee-spectrum.pdf]

Your question to answer is: Was the Stuxnet attack an act of cyberwarfare? If so, can it be ethically justified? If not, why not?

The Stuxnet cyberattack was an act of cyberwarfare. The purpose of the cyberattack was to attack an Iranian uranium enrichment facility. Therefore, an argument that due to the attack being directed to a form of infrastructure within Iran, it can be deemed as an act of war and in the context of Stuxnet, an act of cyberwarfare.

However, even if it was an act of cyberwarfare, it can’t be ethically justified due to the multiple negative consequences that resulted from it. The reason for this conclusion is that Stuxnet has several variants such as Flame, Duqu, and Gauss, which are powerful tools that are now in the hands of the public due to leakage over time. This in turn presents the opportunity for cybercriminals not only to reverse engineer them but to use their different aspects to commit cybercrimes easily. Furthermore, with its known capabilities, it could also be a blueprint for other nations to create even more complex forms of malware that can be used for cyberwarfare. Coupling this with the fact that companies are still decades behind when it comes to cybersecurity awareness, creates an optimal environment for more frequent and destructive cyberattacks that all stem from this single event.

Through your work in this module, you should have gained a robust and multifaceted understanding of ethical concerns about whistleblowing and loyalty, and gained experience using ethical principles to think through whistleblowing and loyalty issues in a cybersecurity context. Next, we’ll be turning to cyberconflict to talk about how cybersecurity tools can be used as weapons, and whether that is ethical. 

Before going on to the next module, take a minute and write down:

• Something about whistleblowing and loyalty that makes sense to you now that didn’t before, or
• Something about whistleblowing and loyalty that you thought made sense before that you realize now does not, or
• Something that you’re still trying to figure out about whistleblowing and loyalty.

Aspects of whistleblowing and loyalty that make sense to me now that didn’t before is the idea of whistleblowing being a loyal act and that the layers of loyalty are complex with organizations. Whenever I knew about acts of whistleblowing, I perceived the whistleblower as someone who only had personal reasons to out a company in that way. While personal reasons are still a large factor as to why someone would blow the whistle, that choice may also be from their loyalty to the organization’s principles and having a desire to have it improved by having information disclosed. There are also factors such as having no other outlet for the information to be released, even if that information is of value to the public for concern or safety. With loyalty, there is flexibility in what relationship it goes to and the existing amount. In organizations, there is no obligation to be loyal, but people can be tied to the values of an organization, or simply choose to blindly follow without considering potential harms. This then ties back into how whistleblowing can be loyal due to an organization’s principles which can extend to protecting the public, but still go against an organization by outing it in this specific way.

Overall, after this module, I now understand how whistleblowing can be a moral act due to valuing the public’s concern, and how employees have varying loyalty that affects the decision to whistleblow in the first place.

Through your work in this module, you should have gained a robust and multifaceted understanding of the professional ethical requirements in cybersecurity fields, and gained experience using ethical principles to think through professional ethics issues in a cybersecurity context. Next, we’ll be turning to whistleblowing to think through what you should do if you see something unethical. 

Before going on to the next module, take a minute and write down:

• Something about professional ethics that makes sense to you now that didn’t before, or
• Something about professional ethics that you thought made sense before that you realize now does not, or
• Something that you’re still trying to figure out about professional ethics.

An aspect of professional ethics that makes sense to me now is the respect for the public’s well-being and its importance in all forms of professional ethics. Within each code of ethics, there was an emphasis on preventing harm by ensuring that work had public welfare in mind and notifying an employer or client when there are potential harms. Furthermore, according to Armstrong, if there is a clash in what is wanted for a client or employer versus the public, then the option of whistleblowing is there to inform the public of potential harm. Applying a cybersecurity context only further supports the importance of public safety and confidentiality. A crucial factor of the cybersecurity profession is not only maintaining the data for users but also being a solid form of trust that the public can depend on. That adherence to serving the public is a fundamental part of every internal and external position. However, if there is little acknowledgment of the public’s safety when in a profession, there can be drastic consequences that can threaten lives, if not further. After going through this case study, I now have a deeper understanding of how professionals have to consider the effects of their work due to the potential impact it can have on the public and the present respect for their safety.

A plausible principle that can address the opacity of algorithms could be “Multi-Level Collaboration in the Creation of Algorithms.” This principle requires that companies need to collaborate with multiple parties when creating algorithms to ensure an ethical result for users. These entities include the company’s software designers who build the algorithm itself, ethicists who maintain moral integrity and guarantee that the algorithm is up to ethical standards, and policymakers who further ensure compliance with privacy and legal standards.

This principle should be included because it would be beneficial within a code of ethics for multiple reasons. First, there would be improved clarity on how algorithms work by forcing multiple parties to be involved in the process. This process would create an ethical blueprint for algorithms that could be used in the future. Next, the amount of data that is collected by companies would become more restricted due to the algorithm being restricted in what it could do to people. This would create a more natural environment with social media and less manipulation of people and their beliefs.

Now, while this principle would be an effective start, there would still be difficulties with the topic of transparency. For example, even though the users would be given some insight into algorithms, the propriety of algorithms would be an obstacle. The obstacle is related to companies having a choice on whether or not to share with the users how their algorithms work. However, this principle could be beneficial in tackling the issues mentioned by Tufekci by creating a better understanding of how algorithms work and generating a more transparent environment for users when they use social media.

Through your work in this module, you should have gained a robust and multifaceted understanding of corporate social responsibility, and gained experience using ethical principles to think through corporate social responsibility issues in a cybersecurity context. Next, we’ll be turning to professional ethics to think about what moral requirements you gain by becoming a cybersecurity professional. 

Before going on to the next module, take a minute and write down:

• Something about CSR that makes sense to you now that didn’t before, or
• Something about CSR that you thought made sense before that you realize now does not, or
• Something that you’re still trying to figure out about CSR.

First, read this article:  Is High Frequency Trading Ethical? [backup link].

Your question to answer is: Which of the four arguments that High Frequency Trading is ethical is the most convincing? Why? Which of the three arguments that HFT is unethical is the most convincing? Why? On the whole, do you think HFT is ethical or unethical?

Through your work in this module, you should have gained a good understanding of data ethics, and gained experience using ethical principles to think through responsible treatment of user data in a cybersecurity context. Next, we’ll be turning to corporate social responsibility to think about moral obligations that businesses have to the public.

Before going on to the next module, take a minute and write down:

• Something about data ethics that makes sense to you now that didn’t before, or
• Something about data ethics that you thought made sense before that you realize now does not, or
• Something that you’re still trying to figure out about data ethics.

First, read this article:  “This Time, Facebook Really Might be Fucked” by Rhett Jones.  

Your question to answer is: Why is it important to protect user data? If people agree to the data protection statements of social media websites, is there still something wrong with mining their data? Why or why not?

Protecting user data is necessary for any application that uses it in any way. It’s important due to the range of identifiable information that can be involved when on any site, especially social media platforms. Some of that information includes names, pictures, interests, beliefs, home addresses, and financial data. If this information is being put into the hands of companies, then efficient security practices are crucial for preventing breaches that can lead to identity fraud or other crimes that have a large impact on people’s lives.

This impact was shown with Facebook’s scandal with Cambridge Analytica, and how they allowed the third-party company to mine the personal data of fifty million accounts for around three years without users knowing. So, to answer the question of the ethics of data mining, while users agree to data protection statements on social media sites, there is still an ethical dilemma with data mining due to the lack of transparency given to users. In the case of Cambridge Analytica, users agreed to entrust their data to Facebook, not to a third-party company that took their data easily without any pushback. To ignore the data agreement of the users by involving another party completely undermines its purpose, even if data mining is slipped into it. Furthermore, users who know that their data is being mined still need to be aware of who has access to it and what it’s being used for to maintain transparency and ethical standards.