6. Increasing Internationalism: Governance, Laws, and Ethics – CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger

Chapter 6. Increasing Internationalism: Governance, Laws, and Ethics

We have all been witness to the rise of trans-nationalism in the commercial world and an increase in the free circulation of goods, people, and ideas regardless of national borders. The world of information systems presents the same evolution. Services, networks, information infrastructures, hardware architectures, and application development are occurring in recognition of a world of increasingly nomadic users, mobile components, modular computer software and hardware, outsourced applications, and fluidly exchangeable information. Large digital infrastructures are being deployed as a result of the success of the Internet. An internationally interdependent and interconnected Web provides ubiquitous access and communication.

Information globalism equals increased exposure

This growing internationalism has also changed the world of cybersecurity, generating new forms of digital aggression. As presented in the earlier chapter on cyberwar, cyberterror, and cybercrime, the world has entered into a new era where conflicts will be less associated with physical territoriality and increasingly concerned with the rejection of traditional value systems and porous international boundaries.

The exciting news is that ubiquitous and global interconnectedness – local area networks, wide area networks, ad hoc networks, wireless, and hybrid networks – has spawned entirely new industries, invigorated more traditional ones, and launched new opportunities for dialogue, education, and a heretofore unprecedented age of collaborative scientific and engineering discovery.

The global interdependency that is visible in information system infrastructures is also expanding into the critical infrastructure sectors, such as the financial, energy, transportation, and telecommunication sectors. The effects of vulnerabilities, whether deliberate or accidental in origin, can potentially cascade from one information system to another, thus creating catastrophic effects on the reliability, availability and security of information systems across international boundaries.

The dark side of this globalism is that this same ever-present interconnectivity also provides a primary channel for exploiting information system vulnerabilities on a more widespread level. Efforts in recent years have focused largely on deploying technologies, such as firewalls and intrusion detection systems, to address security weaknesses. Yet, despite massive efforts in recent years to deploy technical security components to information system architectures, networks, and software, only partial success in stopping the acts of a hostile party – whether a terrorist, an adversary nation, organized crime, or a mischievous hacker – has been the result.

So, here is the simple formula for expressing the exposure caused by today’s information environment:

Ubiquitous Interconnectivity = Globalized Vulnerabilities

The global information society has a wide variety of stakeholders, ranging from large corporations and governments to individuals and non-governmental organizations. Each group of stakeholders is facing its own unique cybersecurity challenges, while at the same time also attempting to cope with the issues on an international scale.

Although organizations may vary greatly regarding their unique cybersecurity challenges, all of them face a common requirement to maintain and manage their individual identities and reputation, to retain effective ownership of their information assets, and to protect their interests. All organizations must rely on others when executing their business processes and, consequently, have a fundamental interest in understanding and trusting the security and dependability (i.e. the trustworthiness) of their partners, as well as their own ability to generate a reasonable level of trust.

In this new international information society, open and transparent dialogue is essential for negotiating rules of governance, laws, and ethical practices that are essential to the development and implementation of clear, acceptable, and congruent security policies.

Following the lead of good governance

Many consider this an elementary fact: the path to cybersecurity must follow corporate governance.[39] It must align with the larger organizational structure and governance processes. No organization can solve its cybersecurity challenges without ensuring the direct involvement of its governance structure, such as the CIO.

To understand cybersecurity governance, one must first have an understanding of governance itself. The IT Governance Institute defines it as:


...the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

 --ITGI (2003)

The principles for governance and its application for security derive from regulatory drivers, corporate direction and policy, standards, and other sources, such as social structures and behaviours. Policies, standards, and processes can be instituted to create an environment that fosters information security.

Cybersecurity is not just a technical issue, but it is often handled as if it were. In reality, information security is a business and governance challenge which includes the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Cybersecurity governance is a subset of an organization’s overall governance programme.

If organizations, whether governmental or commercial, are to make any progress in securing their information assets, cybersecurity must become an integral component of core business operations. And the only true means of accomplishing this goal is to highlight it as part of the existing internal controls and policies that constitute corporate governance. So, let’s take a look at the organizational approach to security, the impact within the enterprise, and a recommendation for an improved cybersecurity programme.

Table 1. Security programmes and their impacts

Row 1
Standard Cybersecurity Programme: Leadership and the Board of Directors limit governance to business profit and do not include cybersecurity governance in their portfolio.
Impact: When cybersecurity is not considered integral to the governance structure, resourcing and contributions will be limited.
Improved Cybersecurity Approach: Leadership and the Board of Directors consider cybersecurity governance to be part of the overall governance portfolio.

Row 2
Standard Cybersecurity Programme: Cybersecurity is the responsibility of the CIO, CISO and/or the IT Department, and cybersecurity actions are handled within their sections.
Impact: Cybersecurity becomes limited to a small segment and does not permeate the enterprise.
Improved Cybersecurity Approach: The CEO, COO, CFO and other leadership team members include cybersecurity on the regular organizational update agenda.

Row 3
Standard Cybersecurity Programme: The CIO, CISO, and/or the IT Department develop cybersecurity policies based on their best assessment of the risk.
Impact: Cybersecurity is looked upon as a technology issue and the business risk to the enterprise is not considered. Policies may be boilerplated and not integrated into the organizational culture.
Improved Cybersecurity Approach: The CEO, COO, CFO and other leadership team members are involved in setting the acceptable cybersecurity risk profile for the enterprise.

Row 4
Standard Cybersecurity Programme: Cybersecurity operates in a silo, with all cybersecurity-related activity occurring within the IT or security department itself.
Impact: There is no enterprise-level accountability for cybersecurity; cybersecurity is not considered critical to the larger business mission.
Improved Cybersecurity Approach: Executive leadership considers cybersecurity part of the organizational structure and holds managers accountable across the enterprise.

Row 5
Standard Cybersecurity Programme: Cybersecurity policies exist, but do not include processes for enforcement or accountability.
Impact: Without clearly defined accountability at all levels, cybersecurity enforcement becomes impossible to implement and individuals do not accept responsibility for their role in a cybersecurity-related incident.
Improved Cybersecurity Approach: Policies are written with enforcement mechanisms built in; members at all levels of the organization are held accountable for any cybersecurity-related incidents.

Row 6
Standard Cybersecurity Programme: Cybersecurity is considered a technology issue. Cybersecurity products are purchased ad hoc without analysis of business need and performance metrics.
Impact: The organization may have a false sense of cybersecurity, since there are no mechanisms in place to determine the true effectiveness and the ROSI (return on security investment) of the products or services.
Improved Cybersecurity Approach: Cybersecurity services and technology are procured and implemented after a full analysis of the organizational needs; periodic reviews are conducted to evaluate the continued effectiveness of cybersecurity measures.

Row 7
Standard Cybersecurity Programme: The cybersecurity section does not base its cybersecurity programme on recognized standards; there are no performance metrics or processes for regular evaluation of programme effectiveness.
Impact: The lack of mechanisms for evaluating cybersecurity programme effectiveness results in a fragmented, inefficient approach to cybersecurity and no means to determine the true cybersecurity posture of the organization.
Improved Cybersecurity Approach: Cybersecurity is integrated into the organizational culture and is standards-based. A robust set of enterprise metrics has been developed and is collected and analyzed for continuous improvement.

The proliferation of laws


‘It all started with Enron.’

 --Kathleen F. Brickey (2001)

The corporate misdeeds and front-page violations of the requirements for information protection, whether personal or corporate, have ushered in an era of unprecedented legal outpourings addressing information security. Courts and legislators have responded to these headline-catching violations, such as the accounting scandals of Enron and WorldCom[40] and the carelessness with personal information at the US Veterans Administration[41], with laws such as Sarbanes-Oxley (SOX) and new standards for protecting personally identifiable information.

This increase in the number of laws has profoundly impacted organizations by requiring them to manage information in a secure and compliant manner and by holding them accountable for ethical behaviour and due diligence in cybersecurity.

Ethics in an information society and a minimum standard of due care in cybersecurity

In most nations across the world, the information age has already significantly changed many features of daily life – from communication via mobile phone to online banking. Consequently, the changes as a result of advances in information technology are both positively and negatively affecting family and work life, educational opportunities, and access to information. Ethics in an IT-based information society in the broadest sense is another form of applied ethics focused on studying and analyzing the social and ethical effects of information technology.

While it is certainly possible to look at ethics in an information society from the perspective of various ethical philosophers, it is also equally relevant to look at ethics in this context as a much broader set of standards of professional and personal conduct.

The foundation of ethics in an information society is the recognition that information technology has magnified, altered, or even created new ethical challenges. Some longstanding ethical challenges, such as paedophilia, are made worse through the use of information technology, while other wholly new ethics violations have emerged. War, terrorism, and crime have long existed – what has changed or emerged is the development of new and modified ways of using information technology to conduct these activities.

The means of addressing these challenges, which are fundamentally ethical, is further complicated by the global nature of the information age. Efforts to address information society challenges are forcing nations to consider consistent and mutually-agreed upon standards of conduct and mechanisms for protection and legal recourse.

The foundation of information ethics is formed on the basis of the moral practices and principles of individuals, as well as on the standards of the organization. Ethical challenges that traditionally face organizations include irresponsible decision-making, issues of confidentiality, privacy, fraud, misuse, liability, sabotage, and corporate proprietary information – and these are the same for both information and non-information technology based environments.

Some of the recent emphasis on ethics is the result of increased public scrutiny which accompanies highly-publicized information-related incidents, such as cases of fraud, intentional and unintentional exposures of personal information, and successful attacks against corporate structures.

Ethical codes[42] have also been established for information security professionals, computing professionals, and security and software engineers. There are many examples of these ethical codes, such as:

  • The Institute of Electrical and Electronics Engineers (IEEE) Code of Ethics

  • The International Information Systems Security Certification Consortium (ISC)² Code of Ethics

  • The Software Engineering Code of Ethics and Professional Practice

  • The Association for Computing Machinery (ACM) Code of Ethics and Professional Conduct, and

  • The British Computer Society Code of Conduct.

Each of these ethical codes of conduct has several shared elements: (1) the requirement to act in the public interest, (2) a duty to clients consistent with the public interest, (3) honesty and integrity in the practice of the technical and/or security profession, and (4) maintaining a level of proven competence in the technical and/or security profession.

While the law persuades individuals to be ethical through penalties or deterrents, organizations can also encourage ethical behaviour through practice, process, and standards. Businesses, in particular, generally care about ethics, because they care about what their principal stakeholders consider to be ethical and because unethical practices, if uncovered, can often have a major impact on the business.

Due care and due diligence require leaders to execute their business and security-related requirements in a manner that a prudent and careful person would find appropriate. Protection of essential information and information system assets is one demonstration of due care.

By today’s standards, however, merely meeting the due care principle is often not sufficient. Increasingly, demands are being made upon organizations to act with transparency, integrity, and in accordance with prevailing principles of ethical behaviour. Expectations of information protection are rising with every highly-publicized violation, whether intentional or unintentional. Information security stakeholders are increasingly educated, understanding well the degree to which their action or inaction may cause or prevent harm.

The expectation of due care is only one element of the expectation of ethical cybersecurity behaviour. The other consequence for consideration is the level of personal and organizational liability that can result from a purported breach of due care and diligence in information security. The increasing number of cases of civil litigation is evolving into an effective platform from which to establish standards of cybersecurity and accepted levels of risk.

References

[39] Corporate governance is concerned with the organization’s leadership structure, board of directors, and management and how these control and lead the enterprise.

[40] In the early 2000s, two major financial scandals captured the headlines. Enron falsified profits and disguised debts totalling over $1 billion; WorldCom overstated its cash flow and improperly booked funds. Both defrauded employees and stockholders.

[41] In 2006, a laptop belonging to an employee of the US Veterans Administration, containing the personal data of over 26 million active duty and retired military personnel, was stolen. The VA and the employee were both accused of improperly protecting personal information.

[42] A code of ethics is a framework for exercising ethical decision-making by a professional. They are not intended to be fully comprehensive, but rather to provide a starting point for making ethical conduct determinations. A code of ethics is not intended to serve as a substitute for good judgment.