Cybersecurity Ethics in the United States of America

Cybersecurity refers to using rules, technologies, methods, and humans to safeguard companies and other entities by preventing important data from being stolen or compromised. ^[1]

Ethics is a set of rules that people follow in their daily lives. ^[2] There are a few key ideas in cybersecurity ethics that the Association for Computer Machinery (ACM) made to serve as guidelines for people who have jobs involving computer systems.

1. People who work in cybersecurity should respect others' right to privacy, act honestly, and avoid treating others unfairly.
2. It is critical for those in the cybersecurity industry to do their jobs the best they can and be as competent as possible.
3. People who work in the computer science industry should help those in their field to improve, make their coworkers' working lives better, and make the world a better place. ^[3]

This article will discuss cyber warfare, hacking, and surveillance in the United States and will include ethics related opinions from different people on these topics.

Background

The prevalence of cyberattacks can be found everywhere, including in the United States. The Pew Research Center says that there are concerns among Americans that private and public entities are unable to keep their data safe from malicious actors who seek to steal such information. According to the Pew Research Center, specifically, less than one third of Americans do not believe that the US government is able to keep their information safe from malicious actors, and less than a quarter of people who use social media believe that social media companies can keep their data safe. ^[4]

According to a survey conducted by the Pew Research Center, in the next 5 years, 51% believed that a large cyberattack would likely occur targeting public assets, while 48% believed that a large cyberattack would likely occur targeting monetary systems (ex. banking). The survey states that 18% believed that the American government can effectively defend against cyberattacks targeting government organizations, and 13% believed that the American government can effectively defend against cyberattacks targeting public assets. The survey reports that 9% believed that American companies can effectively defend against cyberattacks targeting their systems. ^[5]

With regards to surveillance, American citizens are generally against being observed without their consent. Another Pew Research Center survey conducted revealed that 88% of those surveyed value not being observed/eavesdropped on without their consent. ^[6]

Cyber Warfare and the United States

Displaying different warning messages and hexadecimal values.

Background

Cyber warfare can be defined as activity conducted by a person, group of people, or a country designed to harm other entities' (ex. countries, groups of people) networks and their computers. ^[7] Cyber warfare includes targeting public (ex. power grids), safety (ex. traffic lights), military, and/or financial assets. Types of cyber warfare include sabotage, spying, economic damage, propaganda, denial of service (DOS), power grid, and surprise attacks. Sabotage includes trying to steal highly valued information, such as social security numbers and bank account information. ^[8] Spying includes monitoring enemies to steal their secrets. ^[9] This can be done using botnets or other kinds of cyberattacks to try and get access into a computer before stealing such information. Economic damage can consist of disrupting computers needed in the economy, such as banks, systems of payment, stock markets, etc. ^[10] Stealing/disrupting such systems can allow hackers to steal money and prevent others from reaching money that they might need. Propaganda can include revealing information that a country's government might find humiliating or by spreading false information to a country's citizens in the hopes of turning the population against the government. ^[11] A denial of service attack involves hackers passing many fake requests to a website, causing it to be unable to provide services for real users. ^[12] Such attacks can disrupt important websites used by members of a country's military, scientists, government officials, etc. Attacks on a country's power grids can prevent a country from using important systems, possibly causing many people to die. ^[13] In addition, the ability to communicate via the internet would be very difficult. Surprise attacks can involve large scale attacks that completely surprise the enemy and cause massive damage. Such attacks can be used as a first step before attacking an enemy physically. ^[14]

Opinions on the Ethics of Cyber Warfare

Lieutenant Colonel Pete Kilner, a former US Army soldier, believes that the introduction of cyber warfare should result in people reevaluating the morality of war with adversaries, reasoning that the current rules of war do not provide appropriate moral guidelines on cyber warfare. ^[15] He states that such rules were created from outdated preconceived notions. ^[16] During a war, Kilner asserts that "soldiers should attend to three principles: necessity, discrimination and proportionality. Soldiers should employ violence only as necessary to accomplish their military missions. They should discriminate between legitimate and illegitimate targets, directing their violence only at enemy combatants." ^[17]

Kilner notes that countries in the eastern hemisphere who are enemies of the United States do not consider war in an at peace/at war mindset included in the international rules that govern war. ^[18] He also states that America's enemies are willing to conduct continuous cyber warfare, while America and its allies have trouble determining the morality of using cyber warfare as a tool to combat its enemies, despite not being legally or publicly fighting said enemies. ^[19] Kilner acknowledges that cybersecurity personnel working for the United States occasionally do not work within the confines of standard military ethics, while also mentioning that said workers are being constrained by taking more actions because the US is not officially fighting its enemies. ^[20] Another challenge to cyber warfare that the US faces, Kilner points out, is the ability to make American citizens believe the US government when it declares that an enemy is attacking the country via cyber warfare. ^[21]

According to Kilner, the presence of nations not involved in cyber warfare with America's enemies can also be challenging because any cyber operations the US undertakes can also interfere with the cyberspace of these nations. ^[22] As a result, it is extremely difficult to attack an enemy via cyber warfare without affecting other countries not involved, and much of the fighting that occurs in such a war occurs in neutral nations. ^[23] For example, when North Korea launched a cyber attack on the company Sony, the cyber attack traveled through routers on five continents. ^[24]

Kilner believes that it is important to determine who the cyber attacks will target (civilians or people in the military). ^[25] He writes that while a conventional war separates civilians from soldiers, cyber warfare makes this separation more nuanced. ^[26] A lot of cyber attacks pass through networks owned by civilian companies. ^[27] In addition, a lot of people participating in cyber attacks, both in the US and in other countries, are civilians. ^[28] In cyberspace, an enemy can be classified as anyone with an internet connection and the desire to harm the US by creating and spreading cyber attacks. ^[29]

To address these issues, Kilner believes that it is necessary to make appropriate changes to the rules governing how war is conducted, considering greater corporate influence in the world and the widespread use of the internet. ^[30] Kilner cites a collection of people with legal backgrounds living in the West who worked together to create the Tallinn Manuals, which provide recommended guidelines for cyber warfare. ^[31] Despite the consideration of creating new laws that govern cyber warfare, Kilner believes that the pace at which this is occurring is too slow. ^[32] He believes that updating the rules that govern warfare should begin with an examination of the nature of modern day wars. ^[33] He argues for such conversations to occur in the public domain because war occurs on behalf of the citizens of a country, and the use of cyber warfare is no longer secret, so it should be included in such public discourse. ^[34] Kilner states that based on people's views of cyber warfare, people with legal backgrounds can create a new set of laws that are consistent, understood by all, and are morally sound. ^[35] He concludes that the US should take a leading role in creating internationally followed laws that address the morality of cyber warfare. ^[36]

Jamil N. Jaffer, a senior vice president at a company named IronNet Cybersecurity and as the National Security Institute at George Mason University's law school's executive director, believes that the US government should increase the power and resources given to government entities who attack America's enemies through cyberattacks. He also asserts that the US must increase its defensive capabilities to minimize the negative effects of cyberattacks. According to Jaffer, the US government should accomplish this task by giving aid in real time to private companies that provide important infrastructure with the goal of greatly increasing their defenses against cyberattacks. Jaffer states that this method of defense will result in the need for the US government to gather and provide top secret intelligence quickly and on a large scale and work with private companies in mitigating cyberattacks. ^[37]

Hacking in the United States

Someone engaging in hacking.

Background

Hacking can be defined as using technology, such as computers, smart phones, networks, and/or tablets, to gain unauthorized access to another party's device or network. ^[38] This other party can be a person, group of people, company, a government organization, or other type of organization. While hacking itself is not always used for malicious purposes, this article will discuss hacking used by malicious actors. ^[39]

As hacking has gotten more sophisticated and the technology for hacking has improved, it has become easier for malicious actors to use hacking to steal information from victims. In 2021 for example, over 800,000 complaints were sent by Americans to the Internet Crime Complaint Center of the Federal Bureau of Investigation (FBI) about malicious cyber activity, which went up by 7% year over year. The total amount of loss from this malicious activity was more than $6.9 billion, which went up by 64% from the year prior. ^[40]

Opinions on the Ethics of Hacking

To counter the threat of hacking, Paul R. Kolbe, the director of the Intelligence Project at Harvard Kennedy School's Belfer Center for Science and International Affairs, believes that the United States should understand that it is in an era of continuous malicious hacking and should rethink the nature of such hacking as combating a disease that does not have a cure. He additionally believes that the United States should attempt to build a strong defense against malicious hackers by keeping track of data flowing between government and corporate networks rather than a single line of defense against malicious hackers. He states that government agencies and corporations that provide software products should be held more accountable for major cybersecurity breaches because such weaknesses in security can put American society as a whole at risk of further attacks. Kolbe believes that the US should also counter its enemies' cyber systems by penetrating their most important systems, stating that weaknesses are not found by checks but by penetrating said systems. He concludes by saying that America should be willing to meet with its enemies to agree on how to appropriately behave in cyberspace to lessen the chances of malicious hackers harming critical infrastructure that could affect society as a whole. ^[41]

A Politico article written by Kim Zetter reports that the United States government is cautious to engage in cyber warfare with Russia, despite the CIA and NSA spending lots of time infiltrating key computer networks in Russia. Experts in US cyber strategy believe that Russia and the US are equally unlikely to immediately order widespread damaging cyberattacks against each other. The US also does not plan to sabotage civilian infrastructure, according to Robert M. Lee, a former NSA employee who was a part of cyber warfare operations. He believes that the US would most likely send a message to Russia indicating its willingness to retaliate should Russia hack or try to otherwise disrupt American infrastructure. The US would continue to gather information about Russia, while trying to gain access to new infrastructure or gain further access into already compromised key infrastructure would likely not occur. ^[42]

Surveillance in the United States

Security cameras on a building.

Background

Surveillance refers to watching another person or entity (such as a business) for the purpose of obtaining evidence. ^[43] It is one of the most frequent ways that people in law enforcement investigate suspects to obtain evidence. Surveillance can occur using fixed or electronic methods. Fixed surveillance occurs when people are being watched in person without their knowledge. ^[44] Electronic surveillance occurs when people are watched using bugging, videotaping, wiretapping, etc. ^[45] From a legal standpoint, the US Constitution prevents people from being unfairly searched by law enforcement, which includes surveillance. ^[46]

Irina Ivanova from MoneyWatch states that analysis done by IHS Markit, a research company, reveals that the United States has more people per security camera compared to that of China: 4.6 vs. 4.1 people, respectively. ^[47] Such surveillance in America is most frequent in stores and places of work. A lot of cities in the US have also been increasing the number of surveillance mechanisms. In Baltimore, for example, police use surveillance from the skies to covertly monitor people. In Detroit, security cameras have been placed to watch people living in public housing. Additionally, police and Ring, a doorbell camera, cooperate to encourage people who own houses to purchase the doorbell camera, which Ivanova interprets as encouraging people to watch each other. ^[48]

Opinions on the Ethics of Surveillance

Elizabeth Goitein, a writer for the Brennan Center for Justice, is against the US government conducting surveillance against US citizens. She says that in 2021, the National Intelligence's director's office revealed that the FBI examined at most 3.4 million emails, texts, and phone calls by Americans without any warrants. Such activity is only allowed against foreign citizens who are not in the United States. Section 702 of the Foreign Intelligence Surveillance Act, passed by Congress after the September 11 terrorist attacks, was designed to increase the US government's right to survey other people. The law permits the NSA to gather data on any foreign citizen not in the US. Despite foreign citizens having the ability to communicate with American citizens and Congress requiring data that the government unintentionally collects on Americans be minimized, the NSA instead shares such data with the Central Intelligence Agency (CIA), FBI, and the National Terrorism Center. Such data is kept for a minimum of five years. Goitein believes that Congress should make it mandatory for government officials to get a warrant any time they want to examine section 702 data with regards to communications by Americans. She concludes by saying that despite such a bill not passing in Congress overall, passing such a bill would allow Americans' Fourth Amendment rights to be protected, while allowing the government to conduct surveillance on foreign citizens. ^[49]

Glenn Sulmasy, a law professor and head of department humanities at the US Coast Guard Academy, supports the US government using surveillance. More specifically, because of an increase in the threat of terrorism in the United States, Sulmasy argues, it is necessary for the US government to collect information on communications between Americans and foreign citizens. Since war against terrorism is ongoing, Sulmasy believes that the US government should change the ways it protects Americans. Sulmasy states that if surveillance of Americans continues, the executive branch of the government must inform Congress of such surveillance to avoid the misuse of power. ^[50]

References

1. ↑ “What Is Cybersecurity?” Gartner, Gartner, Inc., https://www.gartner.com/en/topics/cybersecurity
2. ↑ “The Importance of Ethics in Information Security.” Reciprocity, Reciprocity, 26 Feb. 2021, https://reciprocity.com/the-importance-of-ethics-in-information-security/
3. ↑ ibid
4. ↑ Olmstead, Kenneth, and Aaron Smith. “Americans and Cybersecurity.” Pew Research Center: Internet, Science & Tech, Pew Research Center, 15 Sept. 2022, https://www.pewresearch.org/internet/2017/01/26/americans-and-cybersecurity/
5. ↑ Olmstead, Kenneth, and Aaron Smith. “Americans and Cybersecurity (3. Attitudes about Cybersecurity Policy).” Pew Research Center: Internet, Science & Tech, Pew Research Center, 15 Sept. 2022, https://www.pewresearch.org/internet/2017/01/26/3-attitudes-about-cybersecurity-policy/.
6. ↑ Madden, Mary, and Lee Rainie. “Americans' Attitudes about Privacy, Security and Surveillance.” Pew Research Center: Internet, Science & Tech, Pew Research Center, 17 Aug. 2020, https://www.pewresearch.org/internet/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/
7. ↑ “What Is Cyber Warfare?” Fortinet, Fortinet, Inc., https://www.fortinet.com/resources/cyberglossary/cyber-warfare
8. ↑ ibid
9. ↑ ibid
10. ↑ ibid
11. ↑ ibid
12. ↑ ibid
13. ↑ ibid
14. ↑ ibid
15. ↑ Kilner, Pete. “Ethics of Cyber Operations: ‘5th Domain’ Creates Challenges, Needs New Rules.” Association of the United States Army, Association of the United States Army, 21 Dec. 2017, https://www.ausa.org/articles/ethics-cyber-operations-%E2%80%985th-domain%E2%80%99-creates-challenges-needs-new-rules
16. ↑ ibid
17. ↑ ibid
18. ↑ ibid
19. ↑ ibid
20. ↑ ibid
21. ↑ ibid
22. ↑ ibid
23. ↑ ibid
24. ↑ ibid
25. ↑ ibid
26. ↑ ibid
27. ↑ ibid
28. ↑ ibid
29. ↑ ibid
30. ↑ ibid
31. ↑ ibid
32. ↑ ibid
33. ↑ ibid
34. ↑ ibid
35. ↑ ibid
36. ↑ ibid
37. ↑ Jaffer, Jamil N. “The Best (Cyber) Defense Is a Good (Cyber) Offense.” Newsweek, Newsweek Digital LLC, 14 Sept. 2020, https://www.newsweek.com/best-cyber-defense-good-cyber-offense-opinion-1531606.
38. ↑ “What Is Hacking?” Fortinet, Fortinet, Inc., https://www.fortinet.com/resources/cyberglossary/what-is-hacking
39. ↑ ibid
40. ↑ Thomas, Ian. “The FBI Is Worried about a Wave of Cyber Crime against America's Small Businesses.” CNBC, CNBC, 16 Dec. 2022, https://www.cnbc.com/2022/12/16/fbi-7-billion-lost-in-criminal-hacks-most-victims-small-businesses.html#:~:text=In%202021%2C%20the%20FBI's%20Internet%20Crime%20Complaint%20Center%20(IC3),compared%20to%20the%20previous%20year
41. ↑ Kolbe, Paul R. “With Hacking, the United States Needs to Stop Playing the Victim.” The New York Times, The New York Times, 24 Dec. 2020, https://www.nytimes.com/2020/12/23/opinion/russia-united-states-hack.html
42. ↑ Zetter, Kim. “'Not the Time to Go Poking around': How Former U.S. Hackers View Dealing with Russia.” Politico, Politico LLC, 12 Mar. 2022, https://www.politico.com/news/2022/03/12/cyber-russia-hacking-security-00016598
43. ↑ Wex Definitions Team. “Surveillance.” Legal Information Institute, Legal Information Institute, Oct. 2021, https://www.law.cornell.edu/wex/surveillance
44. ↑ ibid
45. ↑ ibid
46. ↑ ibid
47. ↑ Ivanova, Irina. “Video Surveillance in U.S. Described as on Par with China.” CBS News, CBS Interactive, 10 Dec. 2019, https://www.cbsnews.com/news/the-u-s-uses-surveillance-cameras-just-as-much-as-china/.
48. ↑ ibid
49. ↑ Goitein, Elizabeth. “US Surveillance of Americans Must Stop.” Brennan Center for Justice, Brennan Center for Justice at NYU Law, 20 May 2022, https://www.brennancenter.org/our-work/analysis-opinion/us-surveillance-americans-must-stop
50. ↑ Sulmasy, Glenn. “Why We Need Government Surveillance.” CNN, Cable News Network, 10 June 2013, https://www.cnn.com/2013/06/10/opinion/sulmasy-nsa-snowden/index.html