Problem 5: Are You An Insider Threat?

Let’s begin with a perspective from an anonymous hacker: 

“The front lines of Net – that’s where most of us spend our time. Life gets crazy out there, a virtual wild, wild, west. Almost anything goes in cyberspace.

I liken our online world to another American gold rush – the new frontier. It’s true that history seems to repeat itself. We boldly go where others are afraid or ill-equipped to go. We’re the white knights. The few, the proud, the ones willing to stick our necks out and get our virtual hands dirty.

Or, if you prefer, we’re living in 1930’s Chicago all over again – with mob rule. There’s minimal policing going on, and people often take matters into their own hands. It seems like an impossible task, but when the going gets tough – you’ll find out what you’re made of. We do what we do to survive in this dog eat dog digital world. We didn’t create this situation. I’m not happy that I was dealt this hand, but I’m making the most of it. It is what it is. Somebody needs to protect the homestead, right? Truth be told, things are getting worse.

Cyber ethics? Hello! Most hackers I know think those two words are an oxymoron. Rules are for kids, or other people we need to keep in a box.

What? Policies? Are you kidding me? Those rules don’t apply to us. Sure, pros understand that children need to be protected, child porn is wrong and yada, yada, yada, but beyond that… I don’t have time for lectures. But let me tell you something, we’re dealing with experts, hardened criminals. We fight fire with fire baby.

Look, this is the big leagues. Not some single-A farm team out in the bushes. We’re not in some global game of Halo. We’ve got real work to do. The bad guys are getting dangerous – real dangerous. They don’t understand our civil, respectful way of life. They just keep hitting us hard.

Sure, it’s tough. I’m tired. There are no time outs. We get a little sleep, when we can, but then we’re right back on it. We have to be right every time. Cyberspace never sleeps. This is war baby. Cyber war –  All is fair in love and war.”  

We’re moving on to problem #5 for hackers – I mean security pros. Many security professionals call themselves hackers – in the best sense of the word. No, I’m not talking about malicious hackers, black hat hackers or crackers  (the bad guys), although I’ve never know anyone to call themselves a cracker.

But security professionals often identify each other as “hackers.” It’s a bit like walking around a football locker room. All the football coaches call each other coach.  Or like the classic scene from the movie Spies Likes Us, with Chevy Chase and Bob Hope, where everyone calls each other doctor.  

Take for example, our respected colleague Johnny Long, who leads Hackers for Charity. Johnny is using his computer security skills for good and now helping teach children in Africa how to use computers and more. He is an excellent role model for an ethical security professional – I mean hacker. By the way, Johnny is a great speaker, so if you’re looking for a great security presentation, contact him.

OK, so what’s the problem with the anonymous hacker’s perspective? Let’s discuss the next topic in our series on why security professionals fail.

Problem #5 for security pros: Hackers undervalue cyber ethics and accountability

Oftentimes, security pros quietly think they are above Internet laws, company rules and regulations. As the cyber police, bending (or breaking) a policy may seem acceptable, as long as no one catches you in the process. Sometimes, it may even seem to be required – like the state police needing to speed to catch a car going 100 miles per hour.

 It’s easy to identify with parts of this anonymous hacker’s worldview.   Cyber security experts typically describe themselves as white hat hackers who must have freedom to enforce the law. “Bending the rules” may seem like the best way to help others online and/or get your job done. Certain jobs may even promote cyber offense in our international cyber war. Nevertheless, if you are not in the military or the Department of Defense (DoD), I challenge you to read John Pescatore’s article on mixing cyber offense and defense. There are also many other good blogs on this topic.

Beyond cyber war and the good guys having the right tools to catch the bad guys, there can be a tendency to ignore “more mundane” acceptable use directives. That is, security staff can download copyrighted material (movies and games), view porn at work, look at information that is private (like promotions, raises or other data from management), “borrow” passwords or delete log files to cover their tracks, etc. These acts may almost be viewed as “the spoils of war.” Hackers come across this data once as part of their job, and later they become accustomed to accessing it freely.

The trouble is that actions have consequences. This is a slippery slope. Or, more bluntly, “the road to hell is paved with good intentions.” Many experts point to the need for better and more thorough training (which I support), but Darth Vader was well trained. (If you’re not familiar with the Star Wars movies or books, the talented, good Anakin Skywalker becomes the most evil and dangerous adversary of all – Darth Vader.)

The reality is that the smarter you are, the more you advance as a cyber security expert, the farther you go as a hacker, the greater your temptation will be. As you learn what the enemy does and how they do what they do (in order to stop them), the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads. Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he/she take a bit of the money while no one is looking? It seems so easy, so close and perhaps even innocent.

Sadly, I have seen very talented computer pros disciplined for inappropriate behavior at home or work such as stealing property, downloading files or distributing child porn. I personally know technically savvy staff members who are in jail, and I must say that I never would have guessed that certain “experts” would turn to the dark side. Additionally, I have read and heard about dozens of such cases. People are blinded to their own deceitfulness.

The subtlety of this topic is that moral erosion happens gradually. How much money is enough? Many run background checks, but who can you really trust? Here are some soul-searching questions:  Do you act with genuine integrity at home and work? Are your actions violating polices and laws? Pressing further: Are you an insider threat?

We claim to be focused on risk management, and yet I never cease to be amazed at how security pros underestimate the online risks they are taking in their personal and professional lives. They risk their job, reputation, marriage, family or even jail time. Bottom line, they think they will never be caught doing whatever they’re doing in cyberspace.

Solution #5: Seek accountability, find a good mentor & practice virtual integrity

There seems to be two different (unspoken) schools of thought amongst security practitioners regarding cyber ethics:

1)      Go with the flow, practice situational ethics and don’t lecture me.  (See anonymous hacker’s interview above as an example.) This is not just a view that the ends justify the means, but also a renaming of right and wrong activities. For example, stealing becomes “downloading files” or lying becomes “protecting oneself.” Or, I’ve earned the right to break rules.

2)      Develop meaningful ethical boundaries and a heart-felt code of conduct that provides the foundation for everything the security professional does.

Of course, even if you profess #2, you may tend to practice #1. No one is perfect. And yet, in my experience, few experts in our field want to talk openly about cyber ethics for security professionals, except for academic purposes. Breakout sessions on ethics seem to get the least attendance at security conferences, if they appear at all on agendas. If cyber ethics is discussed, presenters often offer material for children, privacy settings on Facebook and/or topics like Chinese censorship.

Meanwhile, others at home and work are watching. Security staff members complain that the enterprise isn’t catching the vision of cyber urgency, but end users quietly wonder why the cyber police do the very things they forbid others from doing. They watch and hear as their much admired security pro is hypocritical regarding acceptable use policies, illegally copying movies and songs, bypassing security controls, or worse.

Lone Rangers Are Dangerous: We All Need Help

I realize that this is not a popular message for the hacker community to hear, but we all need partners who hold us accountable. Of the seven problems I am discussing,  hacker ethics is perhaps the most difficult for readers to accept. I fully expect to receive several sincere rebuttals. But while there are certainly many in the security community who are wonderful examples in this area, I think we all need to examine our motives and actions.

I often get asked why I wrote the book Virtual Integrity.  While a full answer to that question requires another column, I am in the second camp. Ethics is important, not only my children when on Facebook, but perhaps even more vitally for veteran security professionals who know how to beat the system. Don’t get me wrong, I am tempted and make mistakes like everyone else. I have come to realize that “there but for the grace of God go I.” No doubt, we are all susceptible to slip and being honest about our challenges is a start. 

Here are a few other ways to help in this area:

1)      Seek advice from respected colleagues regarding practical ethical behavior as a security pro. Find one or more accountability partner(s) who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists, athletes, and other experts are accountable to teachers or coaches. Everyone who strives to improve needs accountability.

2)      Find a trusted mentor who you admire in the industry. Make yourself accountable to this person regarding the direction of your professional career decisions.

3)      Practice these seven habits of online integrity. After identifying your core beliefs and ethical boundaries, surf your values.

Several years ago I was having lunch with John Stewart (Cisco VP and CSO) between sessions at RSA. We were discussing assorted security war stories. I asked him what motivates exemplary cyber ethics for his staff. He said something to the effect: if pros know that they will be held to account, they will usually act responsibly.

 I agree with John’s point. The more you want to grow in your career, the more you should seek out someone who can hold you accountable for your actions. If we are accountable to our management, spouse, family members, and/or others we trust, we will enhance our careers and be less likely to follow the primrose path.

A final thought, “trust but verify” was a signature phrase of Ronald Reagan to describe Cold War treaty verification and other activities. But occasionally we need to follow Reagan’s advice, do some soul-searching and ask ourselves: Are you an insider threat?

Next time: Don’t give up. Learning perseverance from an Ironman Triathlon champion.