Cybersecurity Ethics in the United States of America

Ethics describes the way people want to best live their lives. With regards to technology, ethics describes the way people use technology to live well. Many people across the world believe that ethics must be included in teaching within technical disciplines. ^[1]

Cybersecurity refers to defending networks, computer programs, and systems from malicious actors who seek to damage such infrastructure. Malicious actors use cyberattacks for different reasons, including stealing information or money, or damaging a victim's reputation. ^[2]

There are a few key ideas in cybersecurity ethics that the Association for Computer Machinery (ACM) made to serve as guidelines for people working in cybersecurity.

1. People who work in cybersecurity should respect others' right to privacy, act honestly, and avoid treating other unfairly.
2. It is critical for those in the cybersecurity industry to do their jobs the best they can and be as competent as possible.
3. People who work in the computer science industry should help those in their field to improve, make their coworkers' working lives better, and make the world a better place. ^[3]

Background

The prevalence of cyberattacks can be found everywhere, including in the United States. Many people in the United States believe that they lost their ability to control of their personal data, and others are concerned that companies and government organizations could be unable to protect any data that they gather. About 50% of Americans do not believe that social media websites and the US government can effectively safeguard their data.

There are also concerns among Americans that private and public entities are unable to keep their data safe from malicious actors who seek to steal such information. Specifically, less than one third of Americans do not believe that the US government is able to keep their information safe from malicious actors, and less than a quarter of people who use social media believe that social media companies can keep their data safe. ^[4]

Cyber Warfare and the United States

Cyber warfare can be defined as activity conducted by a person, group of people, or a country designed to harm other entities' (ex. countries, groups of people) networks and their computers. Cyber warfare includes targeting public assets (ex. power grids), safety assets (ex. traffic lights), military assets, and/or financial assets.

Types of cyber warfare include sabotage, spying, economic damage, propaganda, denial of service (DOS), power grid, and surprise attacks. Sabotage includes trying to steal highly valued information, such as social security numbers, bank account information, etc. Spying includes monitoring enemies to steal their secrets. This can be done using botnets or other kinds of cyberattacks to try and get access into a computer before stealing such information. Economic damage can consist of disrupting computers needed in the economy, such as banks, systems of payment, stock markets, etc. Stealing/disrupting such systems can allow hackers to steal money and prevent others from reaching money that they might need. Propaganda can include revealing information that a country's government might find humiliating or by spreading false information to a country's citizens in the hopes of turning the population against the government. A denial of service attack involves hackers passing many fake requests to a website, causing it to be unable to provide services for real users. Such attacks can disrupt important websites used by members of a country's military, scientists, government officials, etc. Attacks on a country's power grids can prevent a country from using important systems, possibly causing many people to die. In addition, the ability to communicate via the internet would be very difficult. Surprise attacks can involve large scale attacks that completely surprise the enemy and cause massive damage. Such attacks can be used as a first step before attack an enemy physically.

Cyber warfare can occur for different reasons. These can include civil, hacktivism, generating more money, research, and military purposes. By disrupting civil assets, an enemy could negatively affect people working and living in the victim country, possibly causing them to turn against their government. Hacktivism is when hackers conduct cyber attacks to promote a certain way of thinking. Those who conduct cyberattacks can steal money and enrich themselves. They could also work for a government and get paid to hack other entities. In research, cyber attacks could be used to solve problems that a country is facing. For example, if they are unable to find a cure for a certain disease, they could steal the necessary data to create a cure. The military of a given country would engage in cyber warfare in order to greatly reduce an enemy military's ability to interfere with that military's operations. ^[5]

Lieutenant Colonel Pete Kilner, a former US Army soldier, believes that the introduction of cyber warfare should result in people reevaluating the morality of war with adversaries. His reasoning is that current rules of war do not provide appropriate moral guidelines on cyber warfare because such rules were created from outdated preconceived notions. During a war, Kilner asserts that soldiers should adhere to three basic guidelines: proportionality, necessity, and discrimination to avoid violence towards civilians and reduce collateral damage.

Kilner notes that some countries in the eastern hemisphere who are enemies of the United States do not consider war in an at peace/at war mindset, like some Western countries do. He also states that America's enemies are willing to conduct continuous cyber warfare, while America and its allies have trouble determining the morality of using cyber warfare as a tool to combat its enemies, despite not being legally or publicly fighting said enemies. Kilner acknowledges that cybersecurity personnel working for the United States occasionally do not work within the confines of standard military ethics, while also mentioning that said workers are being constrained by taking more actions because the US is not officially fighting its enemies. Another challenge to cyber warfare that the US faces, Kilner points out, is the ability to make American citizens believe the US government when it declares that an enemy is attacking the country via cyber warfare.

According to Kilner, the presence of nations not involved in cyber warfare with America's enemies can also be challenging because any cyber operations the US undertakes can also interfere with the cyberspace of these nations. As a result, it is extremely difficult to attack an enemy via cyber warfare without affecting other countries not involved, and much of "fighting" that occurs in such a war occurs in neutral nations. For example, when North Korea launched a cyber attack on the company Sony, the cyber attack traveled through routers on five continents.

Kilner believes that it is important to determine who the cyber attacks will target (civilians or people in the military). He writes that while a conventional war separates civilians from soldiers, cyber warfare makes this separation more nuanced. A lot of cyber attacks pass through networks owned by civilian companies. In addition, a lot of people participating in cyber attacks, both in the US and in other countries, are civilians. In cyberspace, an enemy can be classified as anyone with an internet connection and the desire to harm the US by creating and spreading cyber attacks.

To address these issues, Kilner believes that it is necessary to make appropriate changes to the rules governing how war is conducted, considering greater corporate influence in the world and the widespread use of the internet. Kilner cites a collection of people with legal backgrounds living in the West who worked together to create the Tallinn Manuals, which provide recommended guidelines for cyber warfare. Despite the consideration of creating new laws that govern cyber warfare, Kilner believes that the pace at which this is occurring is too slow. Kilner believes that updating the rules that govern warfare should begin with an examination of the nature of modern day wars. He argues for such conversations to occur in the public domain because war occurs on behalf of the citizens of a country, and the use of cyber warfare is no longer secret, so it should be included in such public discourse. Kilner states that based on people's views of cyber warfare, people with legal backgrounds can create a new set of laws that are consistent, understood by all, and are morally sound. Kilner concludes that the US should take a leading role in creating internationally followed laws that address the morality of cyber warfare. ^[6]

Hacking in the United States

Hacking can be defined as using technology, such as computers, smart phones, networks, and/or tablets, to gain unauthorized access to another party's device or network. This other party can be a person, group of people, company, a government organization, or other type of organization. While hacking itself is not always used for malicious purposes, this article will discuss hacking used by malicious actors. ^[7]

As hacking has gotten more sophisticated and the technology for hacking has improved, it has become easier for malicious actors to use hacking to steal information from victims. In 2021 for example, over 800,000 complaints were sent by Americans to the Internet Crime Complaint Center of the Federal Bureau of Investigation (FBI) about malicious cyber activity, which was a 7% year over year increase. The total amount of loss from this malicious activity was $6.9 billion, a 64% increase from the previous year. ^[8]

To counter the threat of hacking, Paul R. Kolbe, the director of the Intelligence Project at Harvard Kennedy School's Belfer Center for Science and International Affairs, believes that the United States should understand that it is in an era of continuous malicious hacking and should rethink the nature of such hacking as combating a disease that does not have a cure. He additionally believes that the United States should attempt to build a strong defense against malicious hackers by keeping track of data flowing between government and corporate networks rather than a single line of defense against malicious hackers. He states that government agencies and corporations that provide software products should be held more accountable for major cybersecurity breaches because such weaknesses in security can put American society as a whole at risk of further attacks. Kolbe believes that the US should also counter its enemies' cyber systems by penetrating their most important systems, stating that weaknesses are not found by checks but by penetrating said systems. He concludes by saying that America should be willing to meet with its enemies to agree on how to appropriately behave in cyberspace to lessen the chances of malicious hackers harming critical infrastructure that could affect society as a whole. ^[9]

A Politico article written by Kim Zetter reports that the United States government is cautious to engage in cyber warfare with Russia, despite the CIA and NSA spending lots of time infiltrating key computer networks in Russia. Experts in US cyber strategy believe that Russia and the US are equally unlikely to immediately order widespread damaging cyberattacks against each other. The US also does not plan to sabotage civilian infrastructure, according to Robert M. Lee, a former NSA employee who was a part of cyber warfare operations. He believes that the US would most likely send a message to Russia indicating its willingness to retaliate should Russia hack or try to otherwise disrupt American infrastructure. Rather, the US would continue to gather information about Russia, while trying to gain access to new infrastructure or gaining further access into already compromised key infrastructure would not occur. ^[10]

Surveillance in the United States

Surveillance refers to watching another person or entity (such as a business) for the purpose of obtaining evidence. It is one of the most frequent way that people in law enforcement investigate suspects to obtain evidence.

Surveillance can occur using fixed or electronic methods. Fixed surveillance occurs when people are being watched in person without their knowledge. Electronic surveillance occurs when people are watched using bugging, videotaping, wiretapping, etc.

From a legal standpoint, the US Constitution prevents people from "unreasonable searches and seizures", which includes surveillance. ^[11]

Since 2005, the National Security Administration (NSA) has been surveying Americans by intercepting their Internet activity and phone conversations since 2005. In 2013, media outlets reported that the NSA receives copies of all traffic that occurs through fiber optic cable networks.

An organization called the Electronic Frontier Foundation (EFF) is against such activity by the US government by helping the party Jewel in its lawsuit against the NSA in order to prevent wiretapping without a warrant as well as hold the US government and its officials accountable for their actions. In September 2014, the American Civil Liberties Union (ACLU) and the EFF supported a neonatal nurse named Anna Smith in her lawsuit against the government's mass collecting of phone data on millions of American people. ^[12]

Elizabeth Goitein, a writer for the Brennan Center for Justice, is against the US government conducting surveillance against US citizens. She reported that in 2021, the director of the National Intelligence revealed that the FBI conducted searches against 3.4 million emails, texts, and phone calls by Americans without any warrants. Such activity is only allowed against foreign citizens who are not in the United States. Section 702 of the Foreign Intelligence Surveillance Act, passed by Congress after the September 11 terrorist attacks, was designed to increase the US government's right to survey other people. The law permits the NSA to gather data on any foreign citizen not in the US. Despite foreign citizens having the ability to communicate with American citizens and Congress requiring data that the government unintentionally collects on Americans be minimized, the NSA instead shares such data with the Central Intelligence Agency (CIA), FBI, and the National Terrorism Center. Such data is kept for a minimum of five years. Goitein believes that Congress should make it mandatory for government officials to get a warrant any time they want to examine section 702 data with regards to communications by Americans. She concludes by saying that despite such a bill not passing in Congress overall, passing such a bill would allow Americans' Fourth Amendment rights to be protected, while allowing the government to conduct surveillance on foreign citizens. ^[13]

According to Eric Tucker and Hannah Fingerhut of Associated Press (AP), only 28% of Americans surveyed from an AP-NORC poll in 2021 believe that the US government should engage in surveillance on international phone calls, compared to 49% in 2011. For domestic phone calls, only 14% of Americans in 2021 support such surveillance, compared to 23% in 2011. In 2021, only 27% of Americans surveyed in the previously mentioned poll believe that the US government should engage in surveillance on emails sent to another person living in another country, compared to 47% in 2011. Similarly, only 17% of Americans in 2021 from the poll believe in such surveillance on emails sent to another person living in the US, compared to 30% of Americans in 2011. Tucker and Fingerhut suggest that decreased American support for government surveillance can be attributed to the government receiving more authority to spy on Americans as well as an increase in technology that allows the government to spy on its citizens. Roughly 66.6% of American citizens are against the US government listening in on phone calls and viewing texts and emails without a warrant when such communication occurs in the United States. Roughly 50% of American citizens are against the US government spying on its citizens internet activity, including such activity by Americans, if not possessing a warrant. Despite most Americans being against government surveillance without a warrant, roughly 60% of Americans support the use of security cameras in public, so law enforcement can identify people acting suspiciously. ^[14]

Glenn Sulmasy, a law professor and head of department humanities in the US Coast Guard Academy, supports the US government using surveillance. He believes that in the modern era, new wars can be won by using new ways to collect information. Because of an increase of the threat of terrorism in the United States, Sulmasy argues, it is necessary for the US government to collect information on communications between Americans and foreign citizens. Since war against terrorism is ongoing, Sulmasy believes that the US government should change the ways it protects Americans. Sulmasy states that if surveillance of Americans continues, the executive branch of the government must inform Congress of such surveillance to avoid the executive branch from misusing its powers. ^[15]

1. ↑ https://www.scu.edu/media/ethics-center/technology-ethics/IntroToCybersecurityEthics.pdf
2. ↑ https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html
3. ↑ https://reciprocity.com/the-importance-of-ethics-in-information-security/
4. ↑ https://www.pewresearch.org/internet/2017/01/26/americans-and-cybersecurity/
5. ↑ https://www.fortinet.com/resources/cyberglossary/cyber-warfare
6. ↑ https://www.ausa.org/articles/ethics-cyber-operations-%E2%80%985th-domain%E2%80%99-creates-challenges-needs-new-rules
7. ↑ https://www.fortinet.com/resources/cyberglossary/what-is-hacking
8. ↑ https://www.cnbc.com/2022/12/16/fbi-7-billion-lost-in-criminal-hacks-most-victims-small-businesses.html#:~:text=In%202021%2C%20the%20FBI's%20Internet%20Crime%20Complaint%20Center%20(IC3),compared%20to%20the%20previous%20year.
9. ↑ https://www.nytimes.com/2020/12/23/opinion/russia-united-states-hack.html
10. ↑ https://www.politico.com/news/2022/03/12/cyber-russia-hacking-security-00016598
11. ↑ https://www.law.cornell.edu/wex/surveillance
12. ↑ https://www.eff.org/nsa-spying
13. ↑ https://www.brennancenter.org/our-work/analysis-opinion/us-surveillance-americans-must-stop
14. ↑ https://apnews.com/article/technology-afghanistan-race-and-ethnicity-racial-injustice-government-surveillance-d365f3a818bb9d096e8e3b5713f9f856
15. ↑ https://www.cnn.com/2013/06/10/opinion/sulmasy-nsa-snowden/index.html