In our modern-day world, many professionals take an oath as they enter the workforce. Most notable is the Hippocratic Oath, which medical professionals take as they complete their education. The Hippocratic Oath centres around ethics with regard to the treatment of patients. “Do no harm” is a common theme present in the oath, and arguably, the most identified aspect of it.
Do no harm. We, as security practitioners, have the ability to do great harm. By the nature of our profession, we have access to parts of the world that very few do. With that access comes the ability to affect the environments we protect in very powerful and intimate ways. A fact we should not take lightly.
Conversely, we are defending our environments against those who think differently than us. The ability to think like a criminal, to adopt the mindset of the attacker, is sometimes necessary in understanding the motive that drives them into our environments in the first place.
When Chris Roberts accessed the internal systems of multiple United Airlines flights, he did so under the premise of “ethical hacking.” Reports suggest that over a number of years, Roberts used access to the in-flight entertainment network to observe the inner workings of the airliner's systems. Roberts has claimed that he did not intend harm, and that he had contacted United multiple times to report the vulnerabilities, with little movement from the airline.
If reports prove to be correct, Roberts discovered a major security vulnerability that could have been used by a malicious actor to wreak havoc, arguably at levels greater than 9/11. The levels of synchronisation that would be possible with modern technology make this a truly terrifying scenario.
The very fact that we are discussing this in so much detail is beneficial, even outside the airline industry. United has already taken the measure of instituting a bug bounty programme. I am hopeful that others will follow suit and be more responsive to vulnerabilities disclosed to them by ethical hackers.
Yet, we cannot ignore the fact that in this case, a large number of innocent lives were put in extreme danger. Hacking, ethical or not, is an imperfect art. Systems can be affected in unexpected ways. Reports have surfaced that Roberts may have been able to issue commands to the engines of one of the airliners he hacked into. It's possible that a climb command was issued, causing the plane to roll, likely because it was sent to a single engine. I wonder if this was truly Roberts' intent, or if he did not fully consider the impact of changing the operating parameters of a single engine.
There are other implications to these actions. Others may be empowered to attempt similar feats or to even exceed them. The brashness of live tweeting a dangerous hack perpetuates the bravado often present in the security industry. A bravado that serves no real purpose.
The events of the past year and the many conversations around the industry about ethical hacking have left me conflicted, but resolute. Conflicted about how far we should go to protect our way of life, but resolute that our first duty as security practitioners is to the people and organisations we are protecting. Chris Roberts' intentions were admirable, his frustration understandable, but I believe his actions violated a core ethical line.
The idea of an oath or a code of ethics that applies to scientists and engineers is not a new one. There are many examples of oaths taken by engineers present throughout the 20th century. Many modern engineering societies require them as part of membership. An example that is pertinent to the IT security world is the (ISC)2 Code of Ethics, a requirement of any (ISC)2 certification.
Of great interest to this writer is the story of Joseph Rotblat. Upon his receipt of the Nobel Peace Prize in 1995, he called for a voluntary Hippocratic Oath that applies to scientists. The physicist argued that the understanding of ethics was of particular importance to younger scientists as they entered the profession. His argument can also be applied to the cyber-security industry, considering the social responsibility that comes with the power we have over information technology and the users depending on it in everyday life.
Joseph Rotblat wove a personal oath into a lifetime of work in support of humanity. He called for other scientists to take an oath as he did. Perhaps it's time to take another look at an oath for scientists and engineers, one which cyber-security professionals can uphold.
Contributed by Stephen Cox, chief security architect, SecureAuth.