High Noon for cyber complacency

Imagine standing next to a railway track and seeing a runaway carriage hurtling down the line towards a group of ten workers. Oblivious to the danger, they will certainly be killed unless the train is diverted onto another track. Luckily, next to you is the lever controlling a set of points that can make this happen. But on the adjacent line is a single worker, also unaware of the danger, who will die as a result of your action. Do you intervene, thereby condemning the individual but saving the greater number of workers? Or allow fate to run its course and kill the ten?

This ethical dilemma is widely used to generate debate about morals, priorities and personal responsibility. Although not an exact analogy, I was reminded of it when reading the report by the UK’s Intelligence and Security Committee (ISC) of Parliament titled ‘Privacy and Security: A modern and transparent legal framework’, released on March 12th.

The report followed an 18-month inquiry, launched after the revelations by Edward Snowden, the former contractor for America’s National Security Agency who is now living in exile in Russia. It found that the UK intelligence agencies act lawfully and said the bulk collection of data by the government is neither mass surveillance nor a threat to individual privacy. Civil libertarians vehemently disagreed (so too commentators – scroll down at this Guardian link), with Shami Chakrabarti, director of Liberty, describing the ISC as “a simple mouthpiece for the spooks”.

But the ethical debate around cyber security and privacy is an interesting one. The report included exchanges between the ISC and representatives of three groups: Liberty, Justice and Big Brother Watch. They suggested that terror attacks were “the price you pay to live in a free society”. It was at this point I found myself next to the train tracks with the control lever in my hand.

But the report also criticised the government’s cyber architecture. Piecemeal growth and sticking-plaster problem solving have led to a complicated and unfathomable legal and technical framework. Mistakes had been made, with consequences for individuals, and an accompanying document, the Report of the Interception of Communications Commissioner, said that one employee of GCHQ (Britain’s cyber intelligence agency) had been sacked for unauthorised use of the systems.

The difficulty, as Professor John Naughton, a Cambridge University fellow, told the committee, is that the government essentially has to ask the public to “trust us”. But in the cyber security business, life is rarely that easy.

Who, exactly, should owners and operators of cyber networks trust? I can change a tyre on my car and could probably fill the screen wash after a Google-search and a bit of practice, but I rely on, and trust, the garage for an annual service. Where are the garages in cyber space? And where are the Haynes manuals?

A recent article in Forbes suggests we should not listen to those proclaiming “trust us” in cyber space and that the responsibility instead lies with us. There are no magic fixes, no silver bullets, but there are, perhaps, a few snake-oil salesmen for those unable or unwilling to take responsibility for their own systems. Rather than relying on external cyber security standards or products, it is the process by which a healthy and well-protected online presence is achieved that is important. Every business and every system is different. Sure, there are similarities and overlaps in some areas, but holistic security solutions cannot be outsourced. That process of taking ownership and thinking about cyber security starts with the CEO.

And CEOs don’t get much bigger than President Obama. Speaking at the White House Cybersecurity Summit at Stanford University on February 13th, he said: “it is one of the great paradoxes of our time that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm.”

There are many challenges in cyberspace: ethical, technical and legal to name just three. But the route to credible solutions starts with ownership and leadership. “The cyber world is sort of the wild, wild West,” suggested President Obama, “and to some degree, we’re asked to be the sheriff.”

This post was commissioned by XQ Digital Resilience.
