Qmunity: Your Colleagues. Your Connections. Your Content.

Reflection upon the ISSA Awards

Recently I attended the 2011 ISSA International Conference. At it I was honored as the 2011 ISSA Professional of the Year. This was somewhat of a surprise when they first announced it, and was greatly appreciated. I also had the privilege of being recognized as the chair of the ISSA International Webinar Committee. Finally, I was asked to give the opening speech at the 2011 ISSA International Awards Reception. This presented the issue of what to talk about. At first I thought I would talk about the changes to the Common Criteria Certification process that are being pushed (strong-armed / coerced) by NIAP into the other certifying agencies; then there were the new attacks (Zeus, SpyEye, Duqu); then there was the newly proposed legislation; finally there was the subject of Ethics. Ethics is a particularly interesting topic, as the security industry is always concerned with addressing issues in a constantly changing environment. It is easy to follow a set of ethics if the environment is consistent; however, if the environment changes, will those ethics still apply, or do they need to evolve? As a matter of fact, there was a recent ISSA Journal article on security professionals' ethics. Given this mass of ‘stuff’ I decided to write about Ethics.

Ethics typically reflect the rules or controls of a society. These rules and controls are typically enforced by a central organization. If there is no central organization, or the rules can’t be uniformly enforced, they will evolve. If this happens there may be a reversion of the enforcement back to the individual. Unfortunately there is always a lag between when something new is discovered and when rules are created to cover the new item. In this case, the individual is ceded default authority to protect themselves. This having been said, Ethics can still apply to the situation. In the past, computer security professionals followed a set of professional and corporate ethics that included a foundation of:

- Secrecy – i.e. don’t talk about security {incidents, implementations, or issues}.
- No Harm – don’t cause harm to {someone else’s system}.

[Figure: Security Evolution 1970 to 2010]

The question in the article asked if we needed to evolve or change our ethics to deal with the changing environment. My initial response was that we already had, and will continue to do so. If we look at the past we can see the progression. Let's begin by taking a look at security from the 70’s to now (please note there is overlap in timelines for some of the items, and for the sake of this post I am crediting them with when they reached popularity as opposed to when they first started).

Why are these items important? They show how and why we have evolved.

For example, the Rainbow Series provided the elements of security for products. It talked about features and the strength of features that needed to be implemented. But it did not talk about security vulnerabilities in implementation. This indirectly gave rise to the Zardoz mailing list (not to be confused with the Zardoz found here, or the 1974 science fiction / fantasy film written, produced, and directed by John Boorman). The need for Zardoz was validated by the Morris worm (also known as Morris the Worm). Those on the list knew of the issues, and should have patched their environment. The Morris worm drove the creation of the CERT. The CERT, early on, helped manufacturers by providing a venue for them to get information about the security vulnerabilities in their products. As the CERT evolved it also became a clearing house for announcing patches, but it did not provide information for users about the vulnerabilities. This deficiency gave rise to security conferences and loose affiliations that discussed common needs in technology. Out of these conferences we saw security tools (such as firewalls, IDS, and even a demand for ubiquitous encryption) evolve. Sometimes the US government tried to help address issues, with items such as Clipper and Skipjack; however, an unintended consequence of the security conferences was that there was now an active / vocal body of experts that could shed light on really bad ideas. These conferences also highlighted other deficiencies in security, such as the product certification process. Ultimately the conferences provided for the demise of individual government security certifications and the birth of the Common Criteria Certifications. The conferences further drove the creation of security organizations, which in turn contributed to the creation of published security guidelines.

By now you are probably wondering ‘How do these changes reflect a change in ethics?’ In the 70’s, corporate and professional ethics demanded secrecy around all aspects of security. The corporate and professional ethics from the 70’s have gradually evolved to enable us to disclose information and work together on solutions, so that we can not only survive but innovate and surpass our individual boundaries. In the end, it is important to remember that while our environments are evolving we must re-examine our ethics and see if they also need to evolve.


Posted Oct 31 2011, 12:25 PM by Michael F. Angelo
