Over on the CISSPforum, we are having a little discussion about codes of ethics.
Somebody noticed that:
> Yes, that's the writing on the site, but shouldn't it be "competent
> service to principals"?
And, good grief, he's absolutely right.
In a sense, the Website is correct: we should competently serve the moral principles of our profession. (Even if it sometimes means we disappoint our principal employers, since the society and ethics canons come first 🙂)
Yes, there will often be a difference between what's expected of us as CISSPs and as employees, & the degree of the variance may be unpredictable.
Imagine adding a disclaimer to one's CV or cover letter, something like 'Please note that as a CISSP, I am committed to following the (ISC)2 Code of Ethics at all times.'
<humor> Do principals have principles?
Are principals principled?
We have the principal principles set forth powerfully in the Canon (or is that cannon?)
Hopefully loose cannons will recognize the Canon and respect its principles! </humor>
It appears ambiguities lurk deeply in the English lexicon; and what of Ethics?
Ambiguities lurk there, too. What may seem deontologically unethical to one person may be perfectly acceptable to someone else.
For a Hacktivist, for instance, it may seem perfectly acceptable to use LOIC against his sociopolitical targets. However, those who enforce legislation would likely take a dim view of that action and proffer charges if they catch the perpetrator.
Moreover, would it be ethical or unethical for a CISSP in the employ of an Agency, acting under authority, to use knowledge to degrade the infrastructure of an adversary, whether non-state or state? After all, we are to “Protect society, the common good, necessary public trust and confidence, and the infrastructure”; and to “Act honorably, honestly, justly, responsibly, and legally.”
Quite complex. An excellent question, Rob!
"Actually, I am currently working (with a colleague) on a presentation on exactly that issue: the ethics of active defence. (I'm pretty sure I have a solid argument that yes, in some cases you can degrade the infrastructure of an adversary, and argue that it is for the good of society.)"
By the same token, the adversary could use the same argument; notions like "society" and "good" are very broad-ranging.
I suppose the test is that of the legal challenge - if the adversary's society is relying on electricity to power its hospitals, as well as its centrifuges for more nefarious purposes, then the principle of "Do No Harm (or As Little Harm As Possible)" would have to be applied -- launch DDoS against the installation, degrade its capacities, but spare the grid to which the hospital is attached. Easier said than done, though.
So when the inevitable discussions arrive, "the Degrader" can argue in an international tribunal that he exercised due diligence and due care.
Thank you for tagging me @denbesten. Apologies for the delay here, I was out of the office yesterday. I will forward this along to our team.
This is an interesting topic but hardly a new one. The ethics philosophy has been discussed throughout history by all sorts of “deep thinkers.” The only true novelty of this discussion is that we are now applying it to the “cyber” world but otherwise, it’s a one-for-one swap of the same conversation.
I think, at its most basic form, ethics defines what is good for individuals AND society. To be more specific, it is what determines right or wrong as agreed upon by the majority of the collective group of people that are impacted – stakeholders if you will.
The hacktivist example is clearly unethical behavior no matter how strongly that one individual’s, or group’s, feelings are. Why? Because there is legislation on the record that states it is illegal (aka wrong). Those laws have been proposed through an accepted process, negotiated by representatives elected by the people (usually), and ratified for the good of the society. There is also a legal method to challenge and change laws that doesn’t include “taking the law into your own hands.”
Problems arise when individuals or small groups, whose views are often borne from limited personal experience, bias, and a narrow view of the world, think they are somehow smarter or better suited to decide what is right and wrong than the larger collective or those in a position to see the big picture.
I would argue that ethics is only complex if you choose to make it so. Do what is right and legal in the society you live in, respect others, don’t take what’s not yours, and live by the Golden Rule. Of course, there are questionable situations but if you know the law then at least there is a framework to guide your decisions.