Ethics and Engineering with a Security System

0011 Budny 10:00
L21
ETHICS AND ENGINEERING
Victoria Dulla (vjd13@pitt.edu)
INTRODUCTION
The hacking of private systems has become a major
issue around the world, with groups such as Anonymous and
Wikileaks releasing information to the web. The data that is
released ranges from social security numbers to private
government documentation. With each new attack software
engineers are challenged to stop them. This is why my
company has been researching and developing quantum
encryption, an unbreakable system of security. It works by
sending unique quantum keys to users and allowing only that
specific user to decrypt it. This is run on a local scale
through quantum teleportation. When an outsider attempts to
“unlock” the encoded data without the correct key, the data
locks itself and can’t be opened. This unbreakable system
caught the attention of the Sony corporation, who has had
recent media coverage for all of the wrong reasons.
SITUATION
In recent years the Sony corporation has been the victim
of numerous cyber attacks, all devastating to the company.
The first attack happened in 2011, when the PlayStation
Network was hacked, and as a result, numerous users’ credit
card information was released online. The most recent attack
came in 2014, when hackers released the information of
employees, their emails, and full-length films onto the web
for all to see [1]. This attack was thought to be the work of
North Korea, who was upset over the release and production
of the film, The Interview, which was about the
assassination of their leader Kim Jong Un [1]. The company
was extremely unprepared for an attack that large, due to the
company spending less money than advised on security and
the security team ignoring reports of violations, so therefore
suffered the consequences accordingly [2]. Sony contacted
my company following this latest attack with inquiries about
the readiness for implementation of the encryption system.
We explained to them that the system was still in
development and that research was still ongoing. A proposal
was made for a system to be developed with Sony in mind,
one that we would work alongside their current head of
security to tailor to Sony’s needs. We were given the
funding we needed to increase research and development,
and a time frame in which we needed to perfect the product,
with the promise that we would be properly paid on top of
the research funds. However, if we were to go over budget
or not have a perfected product within the specific
timeframe, the additional funding would come out of our
profit, reducing it significantly. We continued research at an
increased pace and numerous challenges arose, each with
their own setbacks. This in turn caused us to reach the
University of Pittsburgh, Swanson School of Engineering 1
Submission Date 2015-11-03
deadline of our given timeframe, and the limit of our
research budget, much quicker than was originally
anticipated. With the deadline fast approaching, Sony’s head
of security asked what the current status of the system was,
and whether or not it was ready for implementation. At the
time, it was nearly perfect, but it had one major flaw. The
system would not always make the data inaccessible
when faced with an outside threat, which meant that in
random cases or when the server was overloaded, the system
was easily accessible and completely vulnerable for attack.
Although this flaw was present, Sony’s head of security told
me to implement the system as planned, due to the deadline
and budget limit having come, and there being an expressed
need for the new system of encryption. I expressed concern
over the implementation of the system, explaining that it is
still vulnerable to attack in certain cases, that it was not yet
quite ready for use, and that the risk of being hacked was
still not completely diminished. In response I was warned
that the longer I delayed the implementation, the less profit
my own company would make in the end, and that it would
be in my best interest to just implement the system as is
without any additional research or work.
DILEMMA
At that point I was faced with an ethical dilemma,
whether I should postpone implementation and lose the
profit my company would be gaining, or implement a system
that I know to be flawed and risk it being hacked with
devastating consequences. On a smaller scale, if I were to
postpone the project, my company would be gaining less
profit and would not be able to pay my fellow co-workers
and me our full salaries. We have been focusing on our
contract with Sony, and while we have had other smaller
projects, it has been our main source of income over the
timespan of this project. With profit being diminished the
company could be at risk of being unable to pay employee
salaries and be forced to lay off people that aren’t working
specifically on the Sony project, and possibly even the
employees working on the Sony project. This would be
detrimental to employees’ home lives, and could seriously
affect their families and where they live. This could also
mean that there is a chance that the project could be even
further delayed or remain unfinished, which would not be
good for anyone involved. On a much larger scale however,
if we were to go through with the implementation of the
system, Sony could face another major hack, completely
unprepared due to the faith in our “unbreakable” system.
This could cause large amounts of private documents
and data to be released, possibly on a larger scale than that
of any of the previous attacks. This could have a great
deal of backlash, including but not limited to: the stock
in Sony dropping, millions of consumers’ identities and
credit card information being stolen, private data of
employees being released, the private work of the company
being released, a loss in profit, and possible legal action
against Sony for damages due to stolen identities and a loss
of privacy of their consumers. Not only that, but my
company could also face possible legal action against us
from Sony and the public, for implementing a system that
was not ready to be used, as well as the credibility of the
company and our system of encryption being ruined. Also, I
could be fired for saying that the system was ready for use,
and giving the go ahead to implement it. Faced with this
dilemma I decided to look to outside sources for help.
CODES OF ETHICS
I began by looking at the codes of ethics at my disposal.
First, I consulted the code created by the National Society of
Professional Engineers. I focused my reading on the
following topics outlined in the purpose, “Act for each
employer or client as faithful agents or trustees”, “Avoid
deceptive acts”, and “Conduct themselves honorably,
responsibly, ethically, and lawfully so as to enhance the
honor, reputation, and usefulness of the profession” [3]. The
first topic, concerning being faithful to the employer, tells
me that no matter what I have to report the current status and
condition of the system to Sony, because that could
influence any decisions made about the system itself and its
implementation. The next topic explained that I cannot
falsify any data that I am presenting to Sony, in order to
make the system appear to be working. If I were to give
Sony false data saying the system was working, it would not
only break the code of ethics, but I could risk losing my job
when it was found out that the data didn’t accurately represent
what was happening in the system. Also I found out that in
the code there are professional obligations that must be
upheld. The thing that stood out to me particularly was that
engineers should be guided by the highest standards of
honesty, meaning that I have to say whether or not the
system will work, and explain why that is [3]. This means
that no matter what I have to be truthful about the current
status of the system and update Sony about the course of
action being taken.
Next I consulted the Software Engineering Code of
Ethics and Professional Practice. This states that software
engineers must uphold eight principles, most of which apply
in their own way to the situation [4]. The first principle is
public, meaning that I can only approve software created if it
meets standards, or as the code states, “…safe, meets
specifications, passes appropriate tests, and does not
diminish quality of life, diminish privacy, or harm the
environment.” [4] This means that by implementing the
system without it working perfectly, it could diminish the
privacy of users, and would thereby break this principle in
the code of ethics. The second principle, client and
employee, applies in the sense that I must report on any
problems or failures to Sony [4]. Breaking this would mean
that I am knowingly withholding information from Sony
about the system and I would not be being honest about the
situation. The third principle, product, states that we should
have given the project realistic expectations of time and
funds, so that a situation such as this shouldn’t arise [4].
Problems happen, but we possibly underestimated the
amount of time the project would take, and therefore caused
this entire dilemma in the first place. Finally, the last
principle that applies is profession, which states that the
engineer cannot give any false claims about the system and
is responsible for dealing with and fixing any issues that
may arise in the system [4]. This means that by knowingly
implementing a system that has a bug such as ours, I am not
only making a false claim that the system cannot be hacked,
but I am neglecting my duty as an engineer by not fixing the
issue.
ETHICS IN SOFTWARE ENGINEERING
Apart from looking at codes of ethics, I had to consider
ethics in engineering itself. In software engineering, it is
recommended to consider the ethics of the client the system
is being created for, rather than the company creating the
system, just as Neil McBride states in his paper, The Ethics
of Software Engineering Should be an Ethics for the Client,
“We must understand the nature of the domains we engage
with and the facts concerning the ethical problems
associated with them [5].” This means that I should consider
the needs of Sony over the needs of my own when making
this decision, and ultimately make the decision that would
best benefit Sony, but also communicate with Sony the
issues that are occurring and how they could be harmful to
the company, so that they may have a hand in making a
decision that could possibly affect their company negatively.
Not only that, but it is ethical to consider the quality of the
work being produced as it is a representation of yourself and
the company you work for [6]. As Ruth Chadwick states,
“From some points of view, however, quality does have
ethical aspects. Insofar as development of a product of poor
quality has the potential to adversely affect the interests of
users, it is an ethical issue. [6]” This leads me to understand
that putting out a system that is problematic is unethical in
itself, due to the fact that it would go against the
expectations that the users and Sony have for the system. It
also would be an ethical issue if the faulty system were to be
hacked and data was released to the public, because it would
infringe on the privacy of all of the users in the system [6].
That infringement of privacy would be detrimental to any
and all who are involved.
LEGAL ACTIONS
To make a truly ethical decision, I had to consider what
would happen to Sony if the system were to be hacked. My
research then turned to possible legal actions against a
company that has been hacked. I found that recently, the
Federal Trade Commission sued the Wyndham Hotel chain
because hackers were able to steal over 600,000 customers’
information, and a United States appellate court ruled that
the FTC was able to sue Wyndham [7]. The court ruling
stated, “A company does not act equitably when it publishes
a privacy policy to attract customers who are concerned
about data privacy, fails to make good on that promise by
investing inadequate resources in cybersecurity, exposes its
unsuspecting customers to substantial financial injury, and
retains the profits of their business [7].” It stated that the
FTC can sue companies if: consumers were harmed by the
attack, there was no way the consumer could have avoided
it, and the harm was not outweighed by other benefits to
consumers [8]. This ruling means that the FTC could
possibly sue Sony for the hack itself, which would be very
detrimental to Sony’s profits and image. This new ruling
weighed heavily on my mind as I came to my final decision.
DECISION
After much thought I came to the conclusion to
postpone the implementation of the system, and talk to the
heads of Sony directly, even though it could be detrimental
to my company. Overall the outcomes of implementing a
system that is able to be hacked, one that simply isn’t ready,
would be more detrimental than if the implementation of the
system were to be postponed. Ethically, if the system were
to be implemented as it currently is, it would break
numerous parts of the codes of ethics and be unethical
engineering, as well as put everyone at risk of the vast
number of consequences were the system to be hacked. By
postponing the system, I am putting the company at risk, but
employees could be reasoned with, and we could take on
more projects from other clients to fill the lack of the
would-be profit. Although it would be tough, this is the best
possible decision that could be ethically made in this
situation.
ADVICE TO OTHER ENGINEERS
Making a decision that could affect the lives of others is
an extremely difficult one, but in the end it has to be done.
To any engineers faced with such a dilemma, I would advise
them to start by outlining the various options they have in
the situation. This helps by providing options to consider,
and makes it easier to determine the pros and cons of each
situation, along with the various possible outcomes of each.
Once a list of options and possible outcomes is created, look
to various codes of ethics to determine if the decision to
proceed with particular options would follow the code
ethically, and if not, determine exactly why that is. From
there I would look to articles on the ethics in engineering to
see what others in a similar situation may have done, or
would do. Finally, after considering all of the options and
resources I would make the decision, however hard that may
be.
CONCLUSION
In conclusion, the implementation of a faulty system of
quantum encryption would be an unethical decision to make.
My decision to postpone the system was made by
considering my options, consulting ethical codes, and
researching various topics concerning ethics in engineering.
I hope that other engineers can use my research to help when
they are faced with an ethical dilemma. In the end it matters
more how ethical, and overall beneficial to the situation the
chosen decision is, and that at the end of the day, you feel as
if you have made the right choice.
REFERENCES
[1] V. Luckerson. (2014). “Everything We Know About the
Massive Sony Hack.” Time. (Article)
http://time.com/3612132/sony-hack-north-korea-interview/
[2] S. Frizell. (2014). “Report: Sony’s Security Team Was
Unprepared for Hack.” Time. (Article)
http://time.com/3620288/sony-hack-unprepared/
[3] “Code of Ethics.” National Society of Professional
Engineers. (Code of Ethics)
http://www.nspe.org/resources/ethics/code-ethics
[4] “Computer Society and ACM Approve Software
Engineering Code of Ethics.” Computer Society Connection.
(Code of Ethics)
https://www.computer.org/cms/Computer.org/Publications/code-of-ethics.pdf
[5] N. McBride. (2012). “The Ethics of Software Engineering
Should be an Ethics for the Client.” Communications of the
ACM. (Opinion) DOI: 10.1145/2240236.2240250
[6] A. Rashid, J. Weckert, R. Lucas. (2009). “Software
Engineering Ethics in a Digital World.” Computer. (Article)
Vol. 42 Issue 6, p34-41. 8p.
[7] A. Greenberg. (2015). “Court Says the FTC Can Slap
Companies for Getting Hacked.” Wired. (Online Article)
http://www.wired.com/2015/08/court-says-ftc-can-slapcompanies-getting-hacked/
[8] B. Bastian. (2015). “Computer Security and The FTC:
Suing Hacked Companies.” Security Metrics Blog. (Online
Blog)
http://blog.securitymetrics.com/2015/10/computersecurity-and-ftc.html
ACKNOWLEDGEMENTS
Thank you to Nancy Koerbel, my writing instructor,
who helped me to come up with an appropriate scenario, and
answered any questions I may have had. I would also like to
thank Mike Cannizzaro and Jenna Rudolph for keeping me
on track to write the paper, Spotify for an endless supply of
movie scores to write to, and to Benedum Hall for being a
relatively quiet place to work.