Ethics In Technology And Cybersecurity
20 minute read | Last updated 18-Jun-2018 | 
Security, Rant
Mornings With Mark no. 0070
Watch the episode on YouTube
Join the discussion on LinkedIn
Share on Twitter
Bad Robot Transcript
Morning, everybody. How you doing today? It’s Monday episode. This is episode 70 of mornings with Mark. Thank you again for your continued support as always. This is a two-way discussion, especially with today’s episodes topic. Hit me up online at Mark NCAA in the comments down below or a by email me at Markin.
CA what I wanted to talk to you about today was ethics and technology and specifically in cybersecurity. The reason why this topic came up across my radar this morning was Ramona Pringle from the Ryerson nominal MSA for CBC News covering on Google decision about project Maven. So this was a project a contract that they had on with the Pentagon in the US and a number.
Is there a eye experts Am Express significant concerns with how their work was being used within the military and internally, they had a long discussion enough for debate. Google came out with a set of principles has the larger question of what’s right, what’s wrong? I don’t have any answers for the of course.
This is not going to be one of those shows where it’s like you should be doing this. This is what I wanted to do was highlight these challenges because as you know on the show, we’ve covered number of times how to get started in cyber security and I’ve covered a little bit about what working in cybersecurity is like but this is not a topic that I really had a chance to dive into and to share with you because I think it’s an absolutely critical one.
So not just for technology but for cyber security as well have so we have that Google a project Maven an AI example another examples with AWS no recognition video service. So it’s a video analysis and things like facial recognition of one of the use cases right on the site was you can use it for law enforcement technologies Azure had a similar thing on where they’re back ending and some government departments in the Ice immigration enforcement and has a lot of questions around these use cases of technology and you’ll hear a number of arguments and some of them have Merit.
Some of them don’t have an interesting one that always comes up as saying that you know technology is neutral. It’s how you use it. That is different and while I’m not sure I believe that 100% And I can give you numerous examples of that. So a lot of the controls and technologies that we use in cybersecurity can be used both in a malicious manner as well as in a positive defensive manner that we see that with malware we see that was cyber-crime.
But you also see that bigger level around enforcing certain ideals on a community or population profiling or censoring a community or population. There’s a lot of ways of this stuff can go bad even though it can do good. So there’s a lot of argument for that. You’ll Technologies newfield’s how you use it.
Let me give you an example of a personal example that I’ve dealt with in my I was working for a large organization and we were implementing a web proxy doesn’t sound like much to take a security proxy. I’m so this is a device that sits between your users in the internet.
And the goal is to do a whole bunch of security scanning to make sure that bad content isn’t going to users desktop standby bad content in this context. I mean things like malware and malicious JavaScript in today’s world. It would be no crypto mining JavaScript viruses and malware implants things like that and then vice versa to make sure that no sensitive data was leaving the organization that shouldn’t be and that’s where things get a little bit trickier because in order to do both those actions you need to look at all the traffic that is coming in and out of your organization that also means personal information that also means personal activities because people use the internet I’m going to check on those recipes to share and communicate with friends on social networks.
Download games to research new stuff to look at health issues to do their banking for any number of things and the larger question, you know, what level of privacy can they expect when they’re on a corporate Network going out and I know there’s the law and what I’m talking about the law or talking about what’s moral right or what’s ethical that’s different than with legal is a very different line and you’ll see companies all the time.
But there’s a larger question that you need to wrestle with. Someone who are deploying us technology the discussion came up because somebody from HR had mentioned like to wait a minute if you can track what users are doing online. Can we use that for HR investigations? I told her discussion ensued and this is absolutely critical to any sort of Ethics employment around on that has ethical twinge that have you need to discuss the stuff.
You need to put some weight and transparency behind it in order to Hash this stuff out because it whatever you choose you need to be explicit about what you’re doing. So the question came up, okay, if you got this web proxy and play sit still looking at all the web.
What can we use it for HR? And if so, what are the boundaries around that even if you’re not using it for HR investigations the fact that is running and can say hey Marcus surfing Facebook 3 hours a day Mark went and checked out this, you know this site about sex or this about a health issue or this that again thing who is looking at it.
Where are the boundaries in this is one area where I find cyber security teams that I talked to fall down a lot. Is that the internal process and sharing that internal process with teams? Like HR I’m with legal with the larger user Community is how you use these tools.
So you normally has a cyber security worker or those on the team have the ability to do a lot of crying a lot of invasive actions within the scope of your job, right you need to do this investigation you need to go through and forward and then figure this out you need to be able to stay here the boundaries in which were allowed to do that here is where we won’t step over the line and if you step over the line, here’s how we police ourselves.
Are really complicated issues hear another example, so we have that proxy issue trying to discuss like we should we use it for HR and what are the boundaries around the admin staff on the cyber security team. How can they look at traffic? When will they look at traffic? I’m in what we’d settled on for us just to close that story was that the system would do everything pretty much automated it only raise the flag at which point of human wood log in to check things so we can say you know, first week was being done automatically based on these criteria win.
One of those criteria was triggered than a human would do a first-level investigation. And if there was something they’re bringing other team members from different teams in order to make sure that more people were looking at it. So one person could go Rogue. No not a ton of people died because that Bridges to my second issue.
Is that a lot of the time especially if you’re doing something like forensic investigation. There’s a temptation to brief everybody on a team or the priests your boss. Do you have to I can talk to the number of Investigations where all my boss knew was I was working on an investigation that I gave a number two.
The case number blocks a dedicated axe man hours. It’s going to impact the rest of my work for the following ways. I’m reporting to legal on this. I’m reporting to HR on this here the contacts there you need information about the case talk to them because I’m not in a position to let you know.
So I was working Jeep Leon on some cases. My boss was essentially blind to it and that’s okay and that similarly goes to other issues around sharing information. There’s this push to share everything and collaborate which is amazing, but there needs to be some times be boundaries around sensitive information and you should not be hesitant.
You should not be reticent to say, hey, wait a minute. This information is sensitive and I can only share it on a true need-to-know basis not a want to know. I feel like I’m one of the cool kids cuz I need to know I feel like I need to know actual need to know there’s a lot of gray areas.
It’s all gray area. There is nothing but gray area when it comes down to the stuff because in cybersecurity you will be dealing with these technologies that have a wonderful upside. 4 defense that have a horrid Horrid downside in the hands of the wrong people and you are trusted with a new organization to be working with these Technologies to be using them within some sort of ethical guidelines with in some sort of moral boundaries.
You need to know what those are for the organization urine. You need to understand how to be transparent about when you’re up against those boundaries when you go over them what happens how that goes around now that’s going to be different for everybody. But as a cybersecurity professional at somebody thinking about getting into cybersecurity you need to understand that this is going to be a part of your day is going to be a part of the discussion.
So we go back to that original Google example that Ramona had written about and I’m in a link to that below and I’ll sweetie. As always and they these are scientists working cyber security in a I wear uncomfortable with the potential uses of their Technologies based on the contract, right? They had a contract with the military and they were providing technologies that could be used in Melissa’s wife.
Sara Lee being used but they could be used in that way and all they had was some of these words saying oh, don’t worry. We won’t use that in a negative way that team and that company decided that they were no longer comfortable with that that’s taken steps. Now their decision is on them Paso value judgment here, but I think it’s important that you need to be prepared for these types of discussions throughout your career because they’re going to come up again and again and again and remember there’s a difference between what you can legally get away with time and what you should be doing.
What you feel is right to be doing and what your organization should be doing in feels right doing these are all gray areas, but the only way to get through them is discussion getting it out in the open and tackling and as always the same with the show, that’s how I like to approach it.
Hit me up online at Mark and CIA and the comments down below where we’re seeing this and as always by email me at Mark and D. CA me at Mark n. CA let me know how you tackle it. Have you had a particularly hairy situation that you had to work your way through that the community could learn from That’s a critical way to share as well, even though everybody can have different values different morals to for not fixing.
That’s fine. We all live in different communities, but we all share the same challenge of upholding them and living to them and working through the situations when were confronted the topping runs against them. So let’s get that discussion going on. It’s a big deep topic for a Monday, but I know you’re out for it.
I hope you have a fantastic day and I’ll talk to you online and I’ll see you on the show tomorrow. Morning, everybody. How you doing today? It’s Monday episode. This is episode 70 of mornings with Mark. Thank you again for your continued support as always. This is a two-way discussion, especially with today’s episodes topic.
Hit me up online at Mark NCAA in the comments down below or a by email me at Markin. CA what I wanted to talk to you about today was ethics and technology and specifically in cybersecurity. The reason why this topic came up across my radar this morning was Ramona Pringle from the Ryerson nominal MSA for CBC News covering on Google decision about project Maven.
So this was a project a contract that they had on with the Pentagon in the US and a number. Is there a eye experts Am Express significant concerns with how their work was being used within the military and internally, they had a long discussion enough for debate. Google came out with a set of principles has the larger question of what’s right, what’s wrong? I don’t have any answers for the of course.
This is not going to be one of those shows where it’s like you should be doing this. This is what I wanted to do was highlight these challenges because as you know on the show, we’ve covered number of times how to get started in cyber security and I’ve covered a little bit about what working in cybersecurity is like but this is not a topic that I really had a chance to dive into and to share with you because I think it’s an absolutely critical one.
So not just for technology but for cyber security as well have so we have that Google a project Maven an AI example another examples with AWS no recognition video service. So it’s a video analysis and things like facial recognition of one of the use cases right on the site was you can use it for law enforcement technologies Azure had a similar thing on where they’re back ending and some government departments in the Ice immigration enforcement and has a lot of questions around these use cases of technology and you’ll hear a number of arguments and some of them have Merit.
Some of them don’t have an interesting one that always comes up as saying that you know technology is neutral. It’s how you use it. That is different and while I’m not sure I believe that 100% And I can give you numerous examples of that. So a lot of the controls and technologies that we use in cybersecurity can be used both in a malicious manner as well as in a positive defensive manner that we see that with malware we see that was cyber-crime.
But you also see that bigger level around enforcing certain ideals on a community or population profiling or censoring a community or population. There’s a lot of ways of this stuff can go bad even though it can do good. So there’s a lot of argument for that. You’ll Technologies newfield’s how you use it.
Let me give you an example of a personal example that I’ve dealt with in my I was working for a large organization and we were implementing a web proxy doesn’t sound like much to take a security proxy. I’m so this is a device that sits between your users in the internet.
And the goal is to do a whole bunch of security scanning to make sure that bad content isn’t going to users desktop standby bad content in this context. I mean things like malware and malicious JavaScript in today’s world. It would be no crypto mining JavaScript viruses and malware implants things like that and then vice versa to make sure that no sensitive data was leaving the organization that shouldn’t be and that’s where things get a little bit trickier because in order to do both those actions you need to look at all the traffic that is coming in and out of your organization that also means personal information that also means personal activities because people use the internet I’m going to check on those recipes to share and communicate with friends on social networks.
Download games to research new stuff to look at health issues to do their banking for any number of things and the larger question, you know, what level of privacy can they expect when they’re on a corporate Network going out and I know there’s the law and what I’m talking about the law or talking about what’s moral right or what’s ethical that’s different than with legal is a very different line and you’ll see companies all the time.
But there’s a larger question that you need to wrestle with. Someone who are deploying us technology the discussion came up because somebody from HR had mentioned like to wait a minute if you can track what users are doing online. Can we use that for HR investigations? I told her discussion ensued and this is absolutely critical to any sort of Ethics employment around on that has ethical twinge that have you need to discuss the stuff.
You need to put some weight and transparency behind it in order to Hash this stuff out because it whatever you choose you need to be explicit about what you’re doing. So the question came up, okay, if you got this web proxy and play sit still looking at all the web.
What can we use it for HR? And if so, what are the boundaries around that even if you’re not using it for HR investigations the fact that is running and can say hey Marcus surfing Facebook 3 hours a day Mark went and checked out this, you know this site about sex or this about a health issue or this that again thing who is looking at it.
Where are the boundaries in this is one area where I find cyber security teams that I talked to fall down a lot. Is that the internal process and sharing that internal process with teams? Like HR I’m with legal with the larger user Community is how you use these tools.
So you normally has a cyber security worker or those on the team have the ability to do a lot of crying a lot of invasive actions within the scope of your job, right you need to do this investigation you need to go through and forward and then figure this out you need to be able to stay here the boundaries in which were allowed to do that here is where we won’t step over the line and if you step over the line, here’s how we police ourselves.
Are really complicated issues hear another example, so we have that proxy issue trying to discuss like we should we use it for HR and what are the boundaries around the admin staff on the cyber security team. How can they look at traffic? When will they look at traffic? I’m in what we’d settled on for us just to close that story was that the system would do everything pretty much automated it only raise the flag at which point of human wood log in to check things so we can say you know, first week was being done automatically based on these criteria win.
One of those criteria was triggered than a human would do a first-level investigation. And if there was something they’re bringing other team members from different teams in order to make sure that more people were looking at it. So one person could go Rogue. No not a ton of people died because that Bridges to my second issue.
Is that a lot of the time especially if you’re doing something like forensic investigation. There’s a temptation to brief everybody on a team or the priests your boss. Do you have to I can talk to the number of Investigations where all my boss knew was I was working on an investigation that I gave a number two.
The case number blocks a dedicated axe man hours. It’s going to impact the rest of my work for the following ways. I’m reporting to legal on this. I’m reporting to HR on this here the contacts there you need information about the case talk to them because I’m not in a position to let you know.
So I was working Jeep Leon on some cases. My boss was essentially blind to it and that’s okay and that similarly goes to other issues around sharing information. There’s this push to share everything and collaborate which is amazing, but there needs to be some times be boundaries around sensitive information and you should not be hesitant.
You should not be reticent to say, hey, wait a minute. This information is sensitive and I can only share it on a true need-to-know basis not a want to know. I feel like I’m one of the cool kids cuz I need to know I feel like I need to know actual need to know there’s a lot of gray areas.
It’s all gray area. There is nothing but gray area when it comes down to the stuff because in cybersecurity you will be dealing with these technologies that have a wonderful upside. 4 defense that have a horrid Horrid downside in the hands of the wrong people and you are trusted with a new organization to be working with these Technologies to be using them within some sort of ethical guidelines with in some sort of moral boundaries.
You need to know what those are for the organization urine. You need to understand how to be transparent about when you’re up against those boundaries when you go over them what happens how that goes around now that’s going to be different for everybody. But as a cybersecurity professional at somebody thinking about getting into cybersecurity you need to understand that this is going to be a part of your day is going to be a part of the discussion.
So we go back to that original Google example that Ramona had written about and I’m in a link to that below and I’ll sweetie. As always and they these are scientists working cyber security in a I wear uncomfortable with the potential uses of their Technologies based on the contract, right? They had a contract with the military and they were providing technologies that could be used in Melissa’s wife.
Sara Lee being used but they could be used in that way and all they had was some of these words saying oh, don’t worry. We won’t use that in a negative way that team and that company decided that they were no longer comfortable with that that’s taken steps. Now their decision is on them Paso value judgment here, but I think it’s important that you need to be prepared for these types of discussions throughout your career because they’re going to come up again and again and again and remember there’s a difference between what you can legally get away with time and what you should be doing.
What you feel is right to be doing and what your organization should be doing in feels right doing these are all gray areas, but the only way to get through them is discussion getting it out in the open and tackling and as always the same with the show, that’s how I like to approach it.
Hit me up online at Mark and CIA and the comments down below where we’re seeing this and as always by email me at Mark and D. CA me at Mark n. CA let me know how you tackle it. Have you had a particularly hairy situation that you had to work your way through that the community could learn from That’s a critical way to share as well, even though everybody can have different values different morals to for not fixing.
That’s fine. We all live in different communities, but we all share the same challenge of upholding them and living to them and working through the situations when were confronted the topping runs against them. So let’s get that discussion going on. It’s a big deep topic for a Monday, but I know you’re out for it.
I hope you have a fantastic day and I’ll talk to you online and I’ll see you on the show tomorrow.
