Cybersecurity Ethics
This course examines ethical issues relevant to cybersecurity professionals, including privacy, professional code of conduct, practical conflicts between engineering ethics and business practices, individual and corporate social responsibility, ethical hacking, information warfare, and cyberwarfare. Students will gain a broad understanding of central issues in cyberethics and the ways that fundamental ethical theories relate to these core issues.
A Framework for Duty: Reflecting on Cybersecurity Ethics
Entering PHIL 355E, I expected a straightforward review of rules and regulations pertinent to the cybersecurity field. My background, with a decade in the Navy’s submarine force as a Fire Control Technician and four years as a civilian engineer, was built on a clear understanding of duty, precision, and adherence to a strict code of conduct. I believed I had a solid foundation in professional responsibility. This course, however, provided something far more valuable. It did not just give me a list of rules; it provided a series of sophisticated ethical frameworks that transformed my understanding of a professional’s role in a complex, interconnected world. This semester has been a crucial bridge between my technical understanding of cybersecurity and the human-centric principles necessary for a meaningful career. It has equipped me with the language and analytical tools to navigate the profound ethical dilemmas I will face in the prospective fields of threat intelligence and digital forensics.
The first major shift in my perspective came from the modules on privacy and data ethics. My prior view of privacy was largely individualistic, focused on personal diligence like using strong passwords and being careful what one shares. The concepts of Luciano Floridi’s “informational friction” and James Grimmelmann’s “privacy as product safety” fundamentally changed this. I now understand that privacy is less about an individual’s actions and more about the inherent design of the systems we use. The case study on Google Street View was a perfect example of how a system’s architecture can erode privacy by default. For a future threat intelligence analyst, this is a critical insight. It moves the focus from simply blaming a user for being compromised to analyzing the systemic vulnerabilities—often intentionally designed into platforms for profit—that enable attacks to succeed. The subsequent module on data ethics, with its critique of the “notice and consent” model and the fallacy of “anonymized” data, reinforced this: our responsibility is not just to react to threats, but to advocate for systems that are designed with user safety and dignity as a core principle, not an afterthought.
The modules on corporate social responsibility, professional ethics, and whistleblowing provided a clear hierarchy for a professional’s loyalties. Contrasting Milton Friedman’s shareholder-focused view with Melvin Anshen’s theory of an evolving “social contract” crystallized the modern corporation’s obligations. The Equifax breach served as a stark example of a company failing its social contract and externalizing the cost of its failures onto a helpless public. This led directly to the core lesson of the professional ethics module: a professional’s primary allegiance is not to their employer, but to the public welfare, as mandated by the ACM, IEEE, and NSPE codes of ethics. Bill Sourour’s story, “The Code I’m Still Ashamed Of,” was a powerful, personal account of what happens when this duty is ignored. For someone with a military background, where the chain of command is paramount, the concept of “critical loyalty” from Oxley and Wittkower—where whistleblowing can be the highest form of loyalty to an organization’s principles—was a profound and necessary framework for navigating the more ambiguous ethical landscape of the corporate world.
Finally, the modules on cyberconflict and information warfare provided the ethical language to analyze the modern battlefield. As an FT in the Navy, my role was focused on the employment of weapon systems. The concepts from these final modules expanded my definition of what a “weapon” can be. Michael Boylan’s analysis of “dual-use infrastructure” clarified why it is nearly impossible to wage a “clean” cyberwar without harming civilians, as the systems that support a military are the same ones that support society. Similarly, Alexis Madrigal’s description of Facebook as a “machine” for propaganda showed that a social media platform’s architecture, driven by engagement, can become one of the most effective weapons in information warfare. For a prospective career in threat intelligence, this is an essential realization. It moves the analysis of a cyber operation beyond the purely technical and into the ethico-strategic, forcing questions about proportionality, discrimination, and the societal consequences of the digital tools used by state and non-state actors.
This course has fundamentally reshaped my understanding of what it means to be a cybersecurity professional. My time in the Navy gave me a deep respect for protecting critical systems and information, but this class provided the ethical frameworks to understand who and what I am truly protecting. If I am fortunate to work in threat intelligence and digital forensics, I will not only be analyzing technical vulnerabilities but also the human and societal harms that result from their exploitation. This course has equipped me with the right ethical questions to ask, ensuring that the foundations of my future career are built not just on technical competence, but on a clear and unwavering commitment to the public I will be serving.