(some of the references in this piece may read as a bit dated as the original version of the article was written late last year – so please forgive the somewhat 2010 tone).
Do you remember why you became a security professional? I doubt it was for the fame and fortune; it was probably because you saw all the risky things people did with their computers and said “I can get them to stop doing that, I can make the world a safer place”.
When I look to an organization that is charged with making the world the safer place, good or bad, the TSA comes to mind. Unfortunately the TSA is often accused of being security theater, making travellers feel safe but not actually accomplishing anything. In some cases, it goes beyond not accomplishing anything and actually causing harm, perhaps violating freedoms that all civilized societies should enjoy.
As an information security professional I believe many of intrusive security measures, such as back scatter x-rays, constitute security theater all the way through. When you layer on the concern that TSA has on occasion employed sexual predators and that children (and adults) can be touched in inappropriate ways, I am convinced that this harms society. This is compounded by the suspected medical risks of the x-ray back scatter technology and the TSA suggesting parents tell their children that Officer Bad Touch and his groping are just a game.
So where do we sit as information security professionals? As the importance of information technology continues to grow in our modern society, we can sometimes find ourselves in positions where we could cause harm. Perhaps it comes in the form of overbearing controls dressed up as security policy. Where do we put ourselves when it comes to bad practices that achieve nothing, upset users and cause harm to society?
I think Isaac Asimov got it right when he wrote the Three laws of Robotics in his short story Runaround. Asimov presented a set of rules for his fictional robotic creations that were both physically and intellectually powerful; a coded set of ethics that read as follows:
- A robot may not injure a human being or, through inaction, allow a human being to come to harm.
- A robot must obey any orders given to it by human beings, except where such orders would conflict with the First Law.
- A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
As a thought exercise I converted Asimov’s laws to rules for information security professionals. A set of ethics for all information security professionals that would read something like this (note that I use business as a stand in for organization, government or other entity):
- A security professional may not injure a business, or through inaction, allow a business to come to harm
- A security professional must follow the directives given by the business, except where such directives would conflict with the First Law.
- A security professional must protect the integrity of the security function as long as such protection does not conflict with the First or Second Law.
In simple terms, this can be read as protect the business and don’t let them do anything stupid unless they tell you otherwise but always ensure you follow the principles of good security.
Unfortunately, the scope of these laws is only sufficient to protect the business, it would still allow the security professionals do keep their business safe while doing bad things to anyone outside the entity they serve.
Asimov realized this too and added the zeroth law – “A robot may not harm humanity, or, by inaction, allow humanity to come to harm” – a law that superseded the first law.
The zeroth security law could appear as follows:
0. A security professional may not harm society, or, by inaction, allow society to come to harm
The formulation isn’t perfect (I’m sure one can twist the words), but the notion that security professionals are there to make the world a safer place and that the consequences of their actions need to be considered at multiple levels is an important one.
For those with a CISSP designation, the ISC2 Code of Ethics provides this guidance already; for the rest of us, perhaps there is a need for a general set of ethics, one that helps all security professionals, regardless of what domain they operate in, guard against security theatre and other poor practices.
If we engage in activity that improves our security but worsens other’s defences eventually the problem will come back to us magnified. So too is security theater bad, by its nature it is implicitly harmful through the false sense of security it brings, but if we see it becoming explicitly harmful, then I think we have an obligation as information security professionals to remind our peers and employers that they should hold themselves to a standard that protects society as a whole.
(Image used under CC from PhOtOnQuAnTiQuE)
Editor’s note: Updated the post due to formatting errors. My bad.