0011 Budny 10:00 L21

ETHICS AND ENGINEERING

Victoria Dulla (vjd13@pitt.edu)

University of Pittsburgh, Swanson School of Engineering
Submission Date 2015-11-03

INTRODUCTION

The hacking of private systems has become a major issue around the world, with groups such as Anonymous and Wikileaks releasing information to the web. The data that is released ranges from social security numbers to private government documentation. With each new attack, software engineers are challenged to stop them. This is why my company has been researching and developing quantum encryption, an unbreakable system of security. It works by sending unique quantum keys to users and allowing only that specific user to decrypt it. This is run on a local scale through quantum teleportation. When an outsider attempts to “unlock” the encoded data without the correct key, the data locks itself and can’t be opened. This unbreakable system caught the attention of the Sony corporation, which has had recent media coverage for all of the wrong reasons.

SITUATION

In recent years the Sony corporation has been the victim of numerous cyber attacks, all devastating to the company. The first attack happened in 2011, when the PlayStation Network was hacked and, as a result, numerous users’ credit card information was released online. The most recent attack came in 2014, when hackers released the information of employees, their emails, and full-length films onto the web for all to see [1]. This attack was thought to be the work of North Korea, which was upset over the production and release of the film The Interview, which was about the assassination of its leader, Kim Jong Un [1]. The company was extremely unprepared for an attack that large, due to the company spending less money than advised on security and the security team ignoring reports of violations, and it suffered the consequences accordingly [2].

Sony contacted my company following this latest attack with inquiries about the readiness for implementation of the encryption system. We explained to them that the system was still in development and that research was still ongoing. A proposal was made for a system to be developed with Sony in mind, one that we would work alongside their current head of security to tailor to Sony’s needs. We were given the funding we needed to increase research and development, and a time frame in which we needed to perfect the product, with the promise that we would be properly paid on top of the research funds. However, if we were to go over budget or not have a perfected product within the specific timeframe, the additional funding would come out of our profit, reducing it significantly.

We continued research at an increased pace and numerous challenges arose, each with its own setbacks. This in turn caused us to reach the deadline of our given timeframe, and the limit of our research budget, much quicker than was originally anticipated. With the deadline fast approaching, Sony’s head of security asked what the current status of the system was, and whether or not it was ready for implementation. At the time, it was nearly perfect, but it had one major flaw. The system would not always make the data inaccessible when faced with an outside threat, which meant that in random cases or when the server was overloaded, the system was easily accessible and completely vulnerable to attack.

Although this flaw was present, Sony’s head of security told me to implement the system as planned, due to the deadline and budget limit having come, and there being an expressed need for the new system of encryption. I expressed concern over the implementation of the system, explaining that it was still vulnerable to attack in certain cases, that it was not yet quite ready for use, and that the risk of being hacked was still not completely diminished.
In response I was warned that the longer I delayed the implementation, the less profit my own company would make in the end, and that it would be in my best interest to just implement the system as is without any additional research or work.

DILEMMA

At that point I was faced with an ethical dilemma: whether I should postpone implementation and lose the profit my company would be gaining, or implement a system that I knew to be flawed and risk it being hacked with devastating consequences.

On a smaller scale, if I were to postpone the project, my company would be gaining less profit and would not be able to pay my fellow co-workers and me our full salaries. We have been focusing on our contract with Sony, and while we have had other smaller projects, it has been our main source of income over the timespan of this project. With profit being diminished, the company could be at risk of being unable to pay employee salaries and be forced to lay off people who aren’t working specifically on the Sony project, and possibly even the employees working on the Sony project. This would be detrimental to employees’ home lives, and could seriously affect their families and where they live. This could also mean that there is a chance that the project could be even further delayed or remain unfinished, which would not be good for anyone involved.

On a much larger scale, however, if we were to go through with the implementation of the system, Sony could face another major hack, completely unprepared due to the faith in our “unbreakable” system. This could cause large amounts of private documents and data to be released, possibly on a larger scale than that of any of the previous attacks.
This could cause a great deal of backlash, including but not limited to: the stock in Sony dropping, millions of consumers’ identities and credit card information being stolen, private data of employees being released, the private work of the company being released, a loss in profit, and possible legal action against Sony for damages due to stolen identities and a loss of privacy of their consumers. Not only that, but my company could also face possible legal action from Sony and the public for implementing a system that was not ready to be used, as well as the credibility of the company and our system of encryption being ruined. Also, I could be fired for saying that the system was ready for use and giving the go-ahead to implement it. Faced with this dilemma, I decided to look to outside sources for help.

CODES OF ETHICS

I began by looking at the codes of ethics at my disposal. First, I consulted the code created by the National Society of Professional Engineers. I focused my reading on the following topics outlined in the purpose: “Act for each employer or client as faithful agents or trustees”, “Avoid deceptive acts”, and “Conduct themselves honorably, responsibly, ethically, and lawfully so as to enhance the honor, reputation, and usefulness of the profession” [3]. The first topic, concerning being faithful to the employer, tells me that no matter what, I have to report the current status and condition of the system to Sony, because that could influence any decisions made about the system itself and its implementation. The next topic explained that I cannot falsify any data that I am presenting to Sony in order to make the system appear to be working. If I were to give Sony false data saying the system was working, it would not only break the code of ethics, but I could risk losing my job when it was found out that the data didn’t accurately represent what was happening in the system.

I also found out that in the code there are professional obligations that must be upheld. The thing that stood out to me particularly was that engineers should be guided by the highest standards of honesty, meaning that I have to say whether or not the system will work, and explain why that is [3]. This means that no matter what, I have to be truthful about the current status of the system and update Sony about the course of action being taken.

Next I consulted the Software Engineering Code of Ethics and Professional Practice. This states that software engineers must uphold eight principles, most of which apply in their own way to the situation [4]. The first principle is public, meaning that I can only approve software created if it meets standards, or as the code states, “…safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy, or harm the environment.” [4] This means that implementing the system without it working perfectly could diminish the privacy of users, and would thereby break this principle in the code of ethics. The second principle, client and employee, applies in the sense that I must report on any problems or failures to Sony [4]. Breaking this would mean that I am knowingly withholding information from Sony about the system and I would not be being honest about the situation. The third principle, product, states that we should have given the project realistic expectations of time and funds, so that a situation such as this shouldn’t arise [4]. Problems happen, but we possibly underestimated the amount of time the project would take, and therefore caused this entire dilemma in the first place. Finally, the last principle that applies is profession, which states that the engineer cannot give any false claims about the system and is responsible for dealing with and fixing any issues that may arise in the system [4]. This means that by knowingly implementing a system that has a bug such as ours, I am not only making a false claim that the system cannot be hacked, but I am neglecting my duty as an engineer by not fixing the issue.

ETHICS IN SOFTWARE ENGINEERING

Apart from looking at codes of ethics, I had to consider ethics in engineering itself. In software engineering, it is recommended to consider the ethics of the client the system is being created for, rather than the company creating the system, just as Neil McBride states in his paper, The Ethics of Software Engineering Should be an Ethics for the Client, “We must understand the nature of the domains we engage with and the facts concerning the ethical problems associated with them [5].” This means that I should consider the needs of Sony over the needs of my own when making this decision, and ultimately make the decision that would best benefit Sony, but also communicate with Sony the issues that are occurring and how they could be harmful to the company, so that they may have a hand in making a decision that could possibly affect their company negatively.

Not only that, but it is ethical to consider the quality of the work being produced, as it is a representation of yourself and the company you work for [6]. As Ruth Chadwick states, “From some points of view, however, quality does have ethical aspects. Insofar as development of a product of poor quality has the potential to adversely affect the interests of users, it is an ethical issue. [6]” This leads me to understand that putting out a system that is problematic is unethical in itself, due to the fact that it would go against the expectations that the users and Sony have for the system. It also would be an ethical issue if the faulty system were to be hacked and data was released to the public, because it would infringe on the privacy of all of the users in the system [6]. That infringement of privacy would be detrimental to any and all who are involved.

LEGAL ACTIONS

To make a truly ethical decision, I had to consider what would happen to Sony if the system were to be hacked. My research then turned to possible legal actions against a company that has been hacked. I found that recently, the Federal Trade Commission sued the Wyndham Hotel chain because hackers were able to steal over 600,000 customers’ information, and a United States appellate court ruled that the FTC was able to sue Wyndham [7]. The court ruling stated, “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business [7].” It stated that the FTC can sue companies if: consumers were harmed by the attack, there was no way the consumer could have avoided it, and the harm was not outweighed by other benefits to consumers [8]. This ruling means that the FTC could possibly sue Sony for the hack itself, which would be very detrimental to Sony’s profits and image. This new ruling weighed heavily on my mind as I came to my final decision.

DECISION

After much thought I came to the conclusion to postpone the implementation of the system, and talk to the heads of Sony directly, even though it could be detrimental to my company. Overall, the outcomes of implementing a system that is able to be hacked, one that simply isn’t ready, would be more detrimental than if the implementation of the system were to be postponed. Ethically, if the system were to be implemented as it currently is, it would break numerous parts of the codes of ethics and be unethical engineering, as well as put everyone at risk of the vast number of consequences were the system to be hacked. By postponing the system, I am putting the company at risk, but employees could be reasoned with, and we could take on more projects from other clients to fill the lack of the would-be profit. Although it would be tough, this is the best possible decision that could be ethically made in this situation.

ADVICE TO OTHER ENGINEERS

Making a decision that could affect the lives of others is extremely difficult, but in the end it has to be done. To any engineers faced with such a dilemma, I would advise them to start by outlining the various options they have in the situation. This helps by providing options to consider, and makes it easier to determine the pros and cons of each situation, along with the various possible outcomes of each. Once a list of options and possible outcomes is created, look to various codes of ethics to determine if the decision to proceed with particular options would follow the code ethically, and if not, determine exactly why that is. From there I would look to articles on the ethics in engineering to see what others in a similar situation may have done, or would do. Finally, after considering all of the options and resources, I would make the decision, however hard that may be.

CONCLUSION

In conclusion, the implementation of a faulty system of quantum encryption would be an unethical decision to make. My decision to postpone the system was made by considering my options, consulting ethical codes, and researching various topics concerning ethics in engineering. I hope that other engineers can use my research to help when they are faced with an ethical dilemma. In the end it matters more how ethical, and overall beneficial to the situation, the chosen decision is, and that at the end of the day, you feel as if you have made the right choice.

REFERENCES

[1] V. Luckerson. (2014). “Everything We Know About the Massive Sony Hack.” Time. (Article) http://time.com/3612132/sony-hack-north-korea-interview/
[2] S. Frizell. (2014). “Report: Sony’s Security Team Was Unprepared for Hack.” Time. (Article) http://time.com/3620288/sony-hack-unprepared/
[3] “Code of Ethics.” National Society of Professional Engineers. (Code of Ethics) http://www.nspe.org/resources/ethics/code-ethics
[4] “Computer Society and ACM Approve Software Engineering Code of Ethics.” Computer Society Connection. (Code of Ethics) https://www.computer.org/cms/Computer.org/Publications/code-of-ethics.pdf
[5] N. McBride. (2012). “The Ethics of Software Engineering Should be an Ethics for the Client.” Communications of the ACM. (Opinion) DOI: 10.1145/2240236.2240250
[6] A. Rashid, J. Weckert, R. Lucas. (2009). “Software Engineering Ethics in a Digital World.” Computer. (Article) Vol. 42 Issue 6, p34-41. 8p.
[7] A. Greenberg. (2015). “Court Says the FTC Can Slap Companies for Getting Hacked.” Wired. (Online Article) http://www.wired.com/2015/08/court-says-ftc-can-slapcompanies-getting-hacked/
[8] B. Bastian. (2015). “Computer Security and The FTC: Suing Hacked Companies.” Security Metrics Blog. (Online Blog) http://blog.securitymetrics.com/2015/10/computersecurity-and-ftc.html

ADDITIONAL SOURCES

B. Valiron, N.J. Ross, P. Selinger, S.D. Alexander, J.M. Smith. (2015). “Programming the Quantum Future.” Communications of the ACM. (Article) DOI: 10.1145/2699415
“Cases and Scenarios.” Online Ethics Center For Engineering and Science. (Website) http://www.onlineethics.org/Resources/Cases.aspx
C. Hurst. (2015). “The Quantum Leap into Computing and Communication.” JFQ: Joint Force Quarterly. (Print article) 2015 2nd Quarter, Issue 77, p44-50
“Ethics Cases.” Texas Tech University. (Website) http://www.depts.ttu.edu/murdoughcenter/products/cases.php
G. Sanchez. (2015). “Case Study: Critical Controls that Sony Should Have Implemented.” SANS Institute. (online) https://www.sans.org/readingroom/whitepapers/casestudies/case-study-critical-controlssony-implemented-36022

ACKNOWLEDGEMENTS

Thank you to Nancy Koerbel, my writing instructor, who helped me to come up with an appropriate scenario, and answered any questions I may have had. I would also like to thank Mike Cannizzaro and Jenna Rudolph for keeping me on track to write the paper, Spotify for an endless supply of movie scores to write to, and Benedum Hall for being a relatively quiet place to work.