Cybersecurity and Hippocratic Oath
07/30/2023 :: Jeremy Pickett
It feels like a profession such as cybersecurity should be governed by a set of principles and oaths that lead to obvious truths and govern action. That would be a very nice thing indeed. However, many lines of thought do not appear to substantiate that premise, so a bit more care must be taken. What is cybersecurity, what is an oath like the Hippocratic Oath, and how would it apply to cybersecurity?
TLDR: Professions generally have codes of conduct that encapsulate their duties to society. One of the most enduring examples is the Hippocratic Oath taken by physicians, binding them to ethical practice. Today, as digital infrastructure becomes ever more vital, the field of cybersecurity requires a comparable oath to align and obligate its practitioners to core values and the public good. This oath would connect cybersecurity to longstanding philosophical principles and explicitly articulate the profession's responsibilities towards both individuals and society as a whole.
Oaths have ancient roots as solemn promises, often invoking divine witness, to commit to moral standards and duties. Early professional oaths like the original Hippocratic Oath for medicine and the Justinian Oath for law provided ethical guidance in fields that were vital to public order and welfare. Guilds extensively used oaths to transmit specialized knowledge and expertise, ensure quality standards were upheld, and build public confidence and trust in skilled trades from medieval times onwards.
Indeed, philosophy isn't always straightforward but it is a fascinating subject to delve into. The relationship between oaths like the Hippocratic Oath, and modern cybersecurity practices is an intriguing intersection of ethics, technology, and the development of professional standards.
The Hippocratic Oath, which dates back to ancient Greece, serves as an ethical code for physicians. It includes promises to respect patient privacy and to use one's skills for the benefit of the patient. You can draw some comparisons between this and the ethical considerations of cybersecurity. Like medical professionals, cybersecurity experts also have to deal with sensitive information and have a duty to protect it [Baker, F. and Meyer, B., "The Ethics of Medical Privacy: a Cypherpunk's Perspective," Computers, Freedom and Privacy, 1998. Proceedings.](https://ieeexplore.ieee.org/document/747680).
The idea of a professional oath in the realm of cybersecurity is appealing. The concept of ethical hacking has already been established, which includes adhering to principles like obtaining permission before probing systems and keeping discovered vulnerabilities confidential [M. K., Manikandan. "Ethical hacking." International Journal of Computer Science and Mobile Computing, vol. 3, no. 4, 2014, pp. 535-537](https://www.ijcsmc.com/docs/papers/April2014/V3I4201499a71.pdf).
Applying this to the idea of an oath for cybersecurity professionals, it would likely include promises to act in the best interest of those they're protecting, to respect privacy, and to avoid malicious actions. This would align with the spirit of the original Hippocratic Oath, promising to use skills and knowledge to do no harm.
On the other hand, oaths like the Hippocratic Oath have been criticized for being somewhat outdated and not fully addressing contemporary ethical dilemmas [Davis, Kenneth. "Hippocrates, the Hippocratic Oath, and the Pythagoreans." Journal of the History of Ideas, vol. 26, no. 2, 1965, pp. 289-296](https://www.jstor.org/stable/2708049). Similarly, a cybersecurity oath could face the challenge of remaining relevant in an area of technology that changes rapidly. New ethical questions may arise that the oath does not address. This is an area that would benefit from continual review and adaptation as our understanding of technology and its ethical implications evolves.
Ethicists like Aristotle and Immanuel Kant emphasized that a profession's possession of specialized knowledge and techniques comes with a duty to use that power responsibly for the benefit of society. Concepts like the social contract, virtue ethics, accountability and transparency form the basis for professional oaths, as debated by philosophers from Sissela Bok to Onora O'Neill. Core values of justice, preventing harm, and human rights underpin many professional oaths. Cybersecurity in particular must be grounded in defending human dignity, trust, and democratic principles.
Safeguarding personal data privacy against unauthorized access or exposure upholds individual rights and agency. Lax security erodes human dignity. Preventing fraud, identity theft and exploitation is fundamentally about forestalling real harm to people. This aligns with the precautionary principle obligating anticipation of risks. Ensuring fair and equal access to digital systems promotes justice, while discrimination enabled by security lapses violates ethics. Thoughtfully implementing cybersecurity measures fosters public honesty and trust in technology, whereas deceptive practices betray these expectations. Taking accountability for failures demonstrates maturity as a profession, along with a commitment to transparently correct shortcomings.
A single solemn sentence committing to moral cyber conduct on behalf of the public good based on the above duties would appeal to virtue, articulate the mission, and acknowledge a higher purpose beyond technical expertise. This could be voluntarily adopted by practitioners, companies, and even societies worldwide as a shared charter.
An oath cannot solve every ethical challenge but formalizes aspirations and tethers a profession to enduring principles. It stimulates ongoing re-evaluation of practices against the oath to maintain relevance and fill gaps. This would allow the cybersecurity field to declare its alignment with human rights and social responsibility.
Cybersecurity involves protecting internet-connected systems like computers, networks, programs, mobile devices, and data from unauthorized access or damage through proven security practices. This includes very specific practices, applicable at the time of this writing (2023):
- Implementing firewalls, antivirus software, encryption, and access controls to create barriers against threats
- Monitoring systems and data flows for anomalies indicating potential attacks
- Establishing authentication methods like passwords, multi-factor authentication, and biometrics to verify legitimate users
- Conducting vulnerability testing and risk assessments to identify weaknesses and improve defenses
- Developing comprehensive cybersecurity policies, plans, and employee training to ensure organizational readiness
- Tracking cyber threats globally to anticipate emerging risks from hackers, criminal groups, and state-sponsored actors
These are transitory technologies. They may or may not become obsolete; however, they illustrate controls that exist today and may translate into a future state. A firewall may not always be a firewall, but a logical separation of systems remains logically sound. The relationship between security and persons, individuals, and society is of paramount importance.
At an individual level, effective cybersecurity upholds people's rights to privacy, safety, fair treatment, and access to information by:
- Securing personal data like financial information, medical records, emails, and social media posts from criminal hacking and unauthorized sharing, as protected under data privacy laws like GDPR and CCPA. Lax security exposes people to fraud, discrimination, stalking, and identity theft, as seen in major breaches like Equifax.
- Preventing takeovers of accounts, smart devices in homes, or medical devices like pacemakers which could endanger lives. Car cybersecurity defends against attacks on brakes or steering. Personal cyber hygiene like strong passwords prevents many threats.
- Enabling access to e-government services, online banking, social media, and email which have become integral to participation in modern life. Attacks that take down websites deny availability.
- Building public confidence to adopt new technologies by demonstrating that security measures exist against risks like surveillance, manipulation, or unauthorized tracking. Independent security testing is often required.
For societies at large, cybersecurity preserves:
- Economic stability by safeguarding e-commerce sites, stock trading systems, and payment networks like Visa's, which move trillions of dollars daily. Attacks freezing financial transactions could be catastrophic. Ongoing hacking of cryptocurrencies shows the challenges involved.
- National defense against cyber warfare designed to infiltrate power grids, weapons systems, and government data as outlined in the US Cyber Command mission. Alleged state-backed attacks like SolarWinds demonstrate global tensions.
- Democratic elections against misinformation campaigns, voter record hacking, and compromised voting systems which undermine credibility. Experts recommend more paper backups and audits to bolster protections.
- Rule of law by prosecuting cyber criminals operating globally like Russian ransomware group REvil which was disrupted through international law enforcement cooperation. Laws must also keep pace with evolving technology.
- Privacy through data regulations like HIPAA and Sarbanes-Oxley which set cybersecurity standards to prevent breaches of sensitive information. Ethical standards evolve with things like facial recognition, social media monitoring, and digital contact tracing.
The underlying philosophical principles and ethics that make cybersecurity protections desirable for individuals and society include these axioms:
Respect for human dignity - People have inherent worth and rights like privacy that should be protected. Lax cybersecurity erodes basic human dignity.
Prevention of harm - One of the main duties of cybersecurity is preventing harm to individuals, organizations, and systems. The precautionary principle obligates anticipating and mitigating risks proactively.
Justice and fairness - Cybersecurity aims to distribute protections equitably. Discriminatory breaches or denial of service violate principles of justice.
Social contract - As part of the social contract, governments and institutions owe citizens cyber protections in exchange for their participation in the digital world.
Protection of the vulnerable - More vulnerable groups like children merit heightened cybersecurity defenses. The duty to protect those who cannot protect themselves is an ethical obligation.
Trust and honesty - Implementing cybersecurity signals organizational trustworthiness and honesty about risks. Deceptive practices erode public trust.
Accountability and transparency - Organizations have an ethical duty to acknowledge and take accountability for cybersecurity failures. Obfuscation violates public trust.
Shared responsibility - Cybersecurity is a shared responsibility between professionals, organizations, government, and individuals. No single group can shoulder the burden alone.
In essence, cybersecurity aims to uphold basic human rights, social obligations, and ethical principles. Neglecting cyber protections imperils these fundamental axioms at both individual and societal scales. Responsible deployment of cybersecurity expresses respect for human welfare and dignity in the modern technological age.
1. Implement cybersecurity measures that respect privacy, dignity, and human rights. I will not exploit vulnerabilities that erode basic freedoms.
2. Anticipate risks, prevent harms, and protect those vulnerable against malicious threats in cyberspace.
3. Promote justice, equality and fairness in providing cyber protections. No individual, community or organization under my care shall lack adequate security.
4. Social contracts uphold cyber safety on behalf of the common welfare. The public's trust shall not be betrayed.
5. Accountability and transparency for cybersecurity failures will strengthen defenses against future threats.
Cybersecurity is an instrument to enable human progress, justice and peace.
With integrity, implement robust cybersecurity to protect human dignity, prevent harm, promote fairness, honor the public's trust, and take accountability for securing the digital landscape upon which society now depends.
- Integrity - Committing to moral and ethical conduct
- Protecting human dignity - Respecting rights like privacy that enable human flourishing
- Preventing harm - Guarding against malicious threats and vulnerabilities
- Promoting fairness - Ensuring just and equitable access to security
- Honoring public trust - Fulfilling duties owed as part of the social contract
- Taking accountability - Accepting responsibility to address failures transparently
- Securing the digital landscape - Safeguarding the reliable functioning of modern tech infrastructure
A cybersecurity oath needs to identify timeless guiding principles rather than prescribing specific technical implementations. For instance, upholding confidentiality, integrity, and availability of data is a technology-agnostic goal. The oath should be framed in terms of higher-level responsibilities like protecting privacy and human dignity. The implementation can evolve as technology advances.
However, some degree of specificity is also important. Terms like "robust security" must be defined based on current best practices to have meaning. A cybersecurity oath lacking any concrete grounding in real-world methods may come across as lofty but unrealistic. There is a balance to be struck between capturing enduring values and actionable duties.
Ultimately, the oath itself may remain stable, but professional codes of conduct would need periodic revision to translate principles into updated best practices. A regular review process led by ethics boards could ensure oaths stay relevant. But the oath should be the rock anchoring an adaptable cybersecurity ethics framework.
Some emerging cybersecurity dilemmas involve tradeoffs between competing goods, not simple right-vs-wrong choices. For instance, encryption protects privacy but can also shield crime. AI can analyze threats efficiently but risks bias. Sharing data aids innovation but enables surveillance. The oath may outline ideals like justice but the judgment calls around such tension are messy.
In addition, digital connectivity introduces new vectors for harm like cyberbullying, election hacking, and AI-driven autonomous weapons. Traditional oaths never addressed such issues. And organized cybercrime creates moral grey areas for white-hat hackers. A cybersecurity oath must grapple with complicating factors absent from old professional oaths.
However, the core spirit of such oaths - using knowledge ethically for human welfare - still applies. The details vary but the foundations of beneficence over maleficence, prudence and social responsibility remain relevant. The dilemmas arise in interpretation and implementation more than overt conflict with traditional oath values. A degree of flexibility is key.
Requiring all cybersecurity professionals to take an oath would strongly signal the field's commitment to ethics. But forcing moral adherence has drawbacks. It may breed resentment, superficial compliance and divert focus from laws. Voluntary oaths appeal to individual conscience and peer expectations to motivate virtue. They allow more leeway for dissenting views.
Mandatory oaths do enable stronger accountability mechanisms like tying licensing to oath-compliance. But aggressive enforcement risks stifling innovation or driving unethical practices underground. If oaths are voluntary, professional associations must mentor and discipline those who violate them. Overall, voluntary oaths reinforced by culture and incentives may prove more dynamic and sincere.
However, during times of crisis like cyber warfare, mandatory oaths which prioritize public safety over individual choice may be warranted. Context matters. Oath-taking could be mandatory for public sector cybersecurity jobs but voluntary across the private sector. A hybrid approach may suit different situations, provided oaths themselves follow ethical principles of proportionality, consent and justice.
Organizations can encourage oath-compliance by making ethics central to performance reviews, promotions and bonuses. Ethical decision-making must be valued in words and deeds. Adherence could also be linked to privileges like attending conferences. Public pledges by leaders signal priority.
However, over-reliance on incentives risks reducing morality to transactions. Peer accountability is a stronger guide - practitioner communities should collaboratively uphold standards by constructively critiquing choices. Ethics boards providing confidential counsel can reinforce this.
But internal measures alone are often insufficient, as competitive or corrupt environments easily erode ideals. External drivers like industry regulations, liability laws and consumer pressure provide additional momentum for oath-compliance. In the end, a web of incentives, peer engagement and external oversight combines to ignite organizational ethics.
A diverse ethics task force including cybersecurity experts across sectors, technology lawyers and ethicists, human rights groups, lawmakers and citizen advocates should draft the oath. Professional associations must champion the process but outside voices will strengthen it.
The oath content could be crowdsourced globally then refined by the task force through iterative review. All proposed drafts should be open for public comment. The process should emphasize transparency, diversity of thought and accommodating dissenting perspectives.
However, this inclusive approach risks an oath too watered down or vague for effectiveness. The task force will need to make difficult decisions on contested issues at some point. And global adoption may require accepting a lowest common denominator if oaths are country-specific. An open process is essential but determining the oath's final form will necessitate principled leadership by a respected ethics authority.
A major hurdle is accommodating the diversity of cultural values and norms around the world. For instance, concepts of privacy differ across countries. And norms of professional behavior vary - expectations of transparency or accountability in the US vs China diverge. A universally agreed upon oath may be elusive.
However, there are also commonalities that cross borders. All cultures value stability, justice, trust to some degree. And a shared language around human rights provides a starting point. The oath should focus on high-level principles that resonate globally while allowing localized interpretation. A one-size-fits-all approach will not work but neither will country-specific oaths as cybersecurity crosses jurisdictions.
Ultimately, adoption will require much diplomatic dialogue and educational campaigns by cybersecurity leaders worldwide. Compromise and consensus-building will be essential. But universal buy-in is not strictly necessary - the momentum of major countries adopting an international oath could give it authority and gradually align professional norms globally.
The oath should be grounded in broad ethical goals like accountability, transparency, and human welfare - concepts not invalidated by technology changes. The specific security methods prescribed could be delegated to supplemental codes of conduct frequently updated by ethics committees.
Vested oversight bodies could solicit feedback from technologists to identify emerging issues and draft new codes accordingly. These groups must have diverse representation to account for different viewpoints. Public commentary periods before finalizing code revisions would also enhance responsiveness.
However, relying solely on reactive updating may be inadequate. The oath could mandate proactive evaluation of technologies through mechanisms like requiring ethical impact assessments before deployment. Overall, an oath empowering nimble governance while embedding foresight on risks can sustainably evolve alongside technological transformations.
Role-specific oaths help translate general principles into practical duties tailored to different specialties. For instance, pentesters may pledge responsible disclosure of vulnerabilities, and cryptographers could vow to protect algorithms from misuse. This level of guidance is useful.
However, excessive splintering risks diluting the universality of underlying values. Separate oaths should complement but not contradict or exempt professionals from the overarching oath. And cybersecurity sub-fields increasingly intersect today - siloed oaths could turn counterproductive. Specialized supplementary oaths may be worthwhile but should not fracture norms across the field.
In essence, a single foundational oath upholding the core mission plus ancillary oaths reinforcing specialized applications of ethics offer a balanced structure. The specifics vary but the shared fundamentals remain intact. Granular oaths should therefore align under the umbrella of an affirmed cybersecurity-wide oath.
The oath can directly call out the goal of promoting access, justice and advancement in the field for women, minorities, and people from developing nations. Explicitly pledging to nurture diverse talent sends a clear signal.
Accountability mechanisms like requiring ethics reports on demographic diversity can also be built in. Oath-bound authorities overseeing implementation should exemplify inclusive leadership. Additionally, the panels drafting and updating codes of conduct must have diverse representation.
However, statements alone are superficial without meaningful change. The oath is a compass but purposeful policies, funding, education programs and reforms enabling equal opportunity are essential vehicles to drive progress. Oath-mandated actions like mentoring those underrepresented must accompany espoused ideals. Values instilled during oath-taking must have roots.
Oaths set expectations but governance, training and tools enact them. Strong laws disincentivizing unethical breaches are vital. Public-private partnerships can enhance threat data sharing and coordination. Universities should teach ethics alongside technical skills. And technologies enabling accountability like immutable logs will complement oaths.
Additionally, centralized ethics bodies providing confidential counsel and upholding standards are key infrastructure. Insurance policies that account for good cyber hygiene will drive compliance. Campaigns to improve cyber literacy in the general public also bolster an ethos valuing security.
However, adding more bureaucracy or technology does not inherently address the root problem - human moral judgment. The intent and integrity behind oaths, policies and tools ultimately determine their effectiveness. We cannot regulate and automate our way to virtue. Holistic education and leadership remain imperative.
#Cybersecurity #Ethics #HippocraticOath #Infosec #Oaths #Philosophy #History #Duties #Society #Principles #Virtue #Morality #Trust #Accountability #Transparency #Technology #AI #Adaptability #Culture #Diversity #Policy #Education #Leadership #Integrity #Responsibility