Cybersecurity as an ethical obligation
An ethical obligation is a standard that defines a moral course of action. Many professions are subject to comprehensive sets of ethical obligations which, if violated, may lead to sanctions. For example, the Code of Medical Ethics adopted by the American Medical Association sets forth the values to which every physician commits himself/herself as a member of the medical profession. The State Bar of California has issued advisory opinions regarding the ethicality of hypothetical attorney conduct. The advisory opinions cover ethicality of attorney blogging, social networking, virtual law office, and other ethical matters.
In the recent years, there has been a steady increase in the number of organizations including cybersecurity obligations in their ethical codes. To illustrate, the advisory opinion “confidentiality and technology” issued by the State Bar of California states:
“An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.”
Considering the importance of modern technology, we can expect that the number of organizations imposing ethical cybersecurity obligations to their members will continue increasing. However, the inclusion of such ethical obligations raises some concerns. The purpose of this article is to examine these concerns in detail (Section 2) and propose recommendations on how organizations can address them (Section 3). Finally, a conclusion is drawn (Section 4).
2. Concerns related to cybersecurity ethical obligations
Below, we will examine three main concerns related to cybersecurity ethical obligations, namely, uncertainty caused by broad obligations (Section 2.1), easy circumvention (Section 2.2), difficulties related to monitoring compliance (Section 2.3).
2.1 Uncertainty caused by broad obligations
Clauses containing cybersecurity ethical obligations often include broad terms, such as “appropriate steps,” “sufficient measures,” “reasonable efforts,” and “undue risk.” Since such terms are so broad, they are close to meaningless. For instance, let’s discuss the aforementioned advisory opinion which requires each attorney in California to take appropriate steps to ensure that his or her use of technology does not subject confidential client information to an undue risk. It is not clear whether the appropriate measures include steps such as strong passwords, up to date anti-virus software, regular information security awareness training, and incident response policies. Furthermore, if a person implements a large number of steps, but fails to implement one important step, he/she may still be deemed to have taken “appropriate steps.” This is because the term “appropriate steps” does not mean “all possible steps.” In the field of information security, a single information security weakness (e.g., the use of a weak password) is sufficient to allow a perpetrator to compromise an entire network.
2.2 Easy circumvention
Cybersecurity ethical obligations are often easy to circumvent. For instance, New York’s Rules of Professional Conduct require lawyers to “keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information.” One can easily prove compliance with this obligation by subscribing for a few information security journals and regularly attending courses in the field of information security. However, neither the journals nor the courses guarantee that the person is kept abreast with the benefits and risks associated with technology. The only way to check the compliance with such an ethical obligation is to require lawyers to pass information security tests.
2.3 Difficulties related to monitoring compliance
Many organizations have not adopted procedures for accurately assessing the compliance of their members with the applicable ethical cybersecurity obligations. By adopting such procedures and publishing comprehensive information about them, organizations will facilitate the pre-assessment compliance with ethical cybersecurity obligations. The procedures may, for example, include a detailed list of criteria used for compliance assessment, questionnaires, and interviews.
3. Addressing the concerns related to cybersecurity ethical obligations
The three concerns mentioned in the preceding Section can be addressed by adopting specific obligations (Section 3.1), adding anti-circumvention mechanisms (Section 3.2), and establishing procedures for monitoring compliance (Section 3.3).
3.1 Adopting specific obligations
Organizations can specify their cybersecurity obligations by listing the minimum measures which should be taken to ensure compliance. Such measures may include confidentiality agreements, vulnerability scanning, security awareness training, secure disposal of equipment, disaster recovery planning, information backup, data classification, password security, lock-out of inactive computing devices, securing network infrastructure, incident response planning, and incident reporting. Each of the specific obligations included in an organization’s ethical code shall be thoroughly elaborated.
A good example of specific cybersecurity obligations can be found in a Massachusetts law (M.G.L. c. 93H) which requires persons collecting certain personal information to employ information security measures, including:
“Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; and
Encryption of all personal information stored on laptops or other portable devices.”
By requiring persons collecting personal data to use encryption, the law ensures that the personal data collected by them will be protected from unauthorized access. Other measures which are suitable for protecting personal data include information hiding and password-protected lossless compression. Information hiding refers to a process of hiding information, e.g., by dividing information into parts which must be assembled for the information to be used. Lossless compression is a type of data compression which allows the original data to be completely reconstructed from the compressed data. Since lossy compression reduces files by permanently eliminating information, it may lead to loss of important personal information. Lossy compression may be suitable for compressing personal information only if (i) the information is in the form of video or images and (ii) the distortion of the compressed videos or images is imperceptible.
3.2 Adding anti-circumvention mechanisms
The best way to avoid circumvention of ethical obligations is to impose anti-circumvention mechanisms, such as information security audits by independent experts. Such audits will allow organizations to find out whether their members comply with the applicable cybersecurity obligations or they just ensure “paper compliance” (e.g., having security policies, but not implementing them in practice). Information security audits can take two forms, namely, manual audits and automatic audits.
Manual audits may include security vulnerability scans, reviews of access controls, and conducting interviews with staff members. Automated audits may include software-generated audit reports, automatic monitoring of computer systems, and automatic reporting of incidents.
Irrespective of its type, each audit should be based on audit guidelines which indicate the objectives, methodologies, and deliverables of the audit as well as the tools used for conducting the audit. If the audit is performed manually, the guidelines should be in the form of a statement of work (SOW) provided in advance by the auditor. The tools used for conducting an audit can range from simple checklists of tasks that should be completed during the audit to advanced vulnerability assessment tools designed to identify flaws in computer systems.
3.3 Establishing procedures for monitoring compliance
The procedures for monitoring compliance do not have to monitor all endpoints, networks, applications, infrastructure, systems, and processes. It is sufficient if the procedures monitor moderate and high impact segments. For example, a public web server which contains publicly available information and does not collect personal data may be regarded as a low impact segment. In turn, a database containing sensitive personal data (e.g., health data, credit card details, sexual orientation, biometric data, political and religious affiliations) should be regarded as a high impact segment. It should be noted that the monitored segments should also cover the cloud. Cloud monitoring can be a complex issue as information stored in the cloud is usually fragmented and dispersed in a large number of countries.
After deciding what segments to monitor, it is necessary to determine the monitoring intervals. Non-stop monitoring and reporting can be burdensome and require significant resources. The National Institute of Standards and Technology recommends the following monitoring intervals of analyzing collected log data:
|Low-impact segments||Moderate-impact systems||High-impact systems|
|At least once every 1-7 days||At least once every 12 to 24 hours||At least six times a day|
The results of compliance audits can generally be categorized into three categories, namely, (i) compliance, (ii) further evaluation needed, and (iii) lack of compliance. The first category indicates that the audited systems comply with the applicable ethical cybersecurity obligations. The second category indicates that the collected feedback needs to be further examined and additional assessment of the audited systems may need to be conducted. The third category signals that the audited systems are non-compliant.
More and more organizations include cybersecurity obligations in their ethical codes. The violation of these obligations may lead to financial, disciplinary, and reputational consequences. To protect their members from unjustified sanctions and to ensure the effective compliance with ethical cybersecurity obligations, organizations need to use specific cyber-security obligations, employ anti-circumvention mechanisms, and establish compliance monitoring procedures.
Persons willing to mitigate the consequences of unintentional non-compliance with ethical cybersecurity obligations can purchase cyber insurance. It will cover not only the damages caused by cybersecurity incidents but also the costs incurred in relation to the investigation and responding to them. Some cyber insurance policies may even cover the payment of ransom which needs to be paid to decrypt files encrypted by ransomware programs, such as CTB-Locker and TeslaCrypt.
1. American Medical Association, ‘AMA Code of Medical Ethics’. Available at https://www.ama-assn.org/delivering-care/ama-code-medical-ethics.
2. Bhatte, S., Bakal, J., ‘Privacy Protection for Video, Image, Text Transmission’, International Journal of Innovative Research in Computer and Communication Engineering Vol. 3, Issue 6, June 2015. Available at https://www.ijircce.com/upload/2015/june/71_PRIVACY.pdf.
3. Dimov, D., Juzenaite, R., ‘Insurance Against Ransomware Threats‘, 24 February 2017. Available at /insurance-ransomware-threats/#gref.
4. Fennelly, C., ‘IT security auditing: Best practices for conducting audits’, TechTarget, March 2003. Available at http://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits.
5. Hamid, N., ‘Applied Cryptography for Cyber Security and Defense: Information Encryption and Cyphering: Information Encryption and Cyphering’, Idea Group Inc (IGI), 2010.
6. Huang, Z., Ayday, E., Lin, H., Aiyar, R., Molyneaux, A., Xu, Z., Fellay, J., Steinmetz, M., Hubaux, J., ‘A privacy-preserving solution for compressed storage and selective retrieval of genomic data’, Genome Res. 2016 Dec; 26(12): 1687–1696, 2016. Available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5131820/.
7. Hughes, D., Shmatikov, V., ‘Information Hiding, Anonymity and Privacy: A Modular Approach’, Journal of Computer Security, Volume 12, Issue 1, January 2004. Available at http://dl.acm.org/citation.cfm?id=1297694.
8. Jacobs, S., ‘Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance’, John Wiley & Sons, 2015.
9. Ries, D., ‘SAFEGUARDING CONFIDENTIAL DATA: Your Ethical and Legal Obligations’, Law Practice, 2010. Available at https://www.americanbar.org/publications/law_practice_home/law_practice_archive/lpm_magazine_articles_v36_is4_pg49.html.
10. SANS Institute, ‘Continuous Monitoring: What It is, Why It is Needed, and How to Use It?’, Available at https://www.sans.org/reading-room/whitepapers/analyst/continuous-monitoring-is-needed-35030.
11. Shukla, K., Prasad, M., ‘Lossy Image Compression: Domain Decomposition-Based Algorithms‘, Springer Science & Business Media, 2011.
12. Szczepanski, K., ‘Column: The ethical obligation of cybersecurity’, Buffalo Law Journal, 6th of September 2017. Available at https://www.bizjournals.com/buffalo/news/2017/09/06/column-the-ethical-obligation-of-cybersecurity.html.
13. The State Bar of California, ‘Ethics Opinions’. Available at http://www.calbar.ca.gov/Attorneys/Conduct-Discipline/Ethics/Opinions.
14. The State Bar of California Standing Committee on Professional Responsibility and Conduct Formal Opinion No. 2010-179. Available at http://ediscoverycalifornia.com/wp-content/uploads/2011/02/2010-179.pdf.
15. Zemliachenko, A., Kozhemiakin, R., Uss, M., Abramov, S., Ponomarenko, N., Lukin, V., Vozel, B., Chehdi, K., ‘Lossy compression of hyperspectral images based on noise parameters estimation and variance stabilizing transform’, Journal of Applied Remote Sensing, 8(1), 2014. Available at https://www.spiedigitallibrary.org/journals/JARS/volume-8/issue-01/083571/Lossy-compression-of-hyperspectral-images-based-on-noise-parameters-estimation/10.1117/1.JRS.8.083571.full?SSO=1.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.