With Indiana Jones about to enter the space race in the Dial of Destiny, I am reminded of the great Tom Lehrer’s 1965 song about former Nazi scientist Dr. Wernher von Braun’s “apolitical” approach to the engineering of rockets. According to Lehrer’s parody, “’Once the rockets are up, who cares where they come down? That’s not my department,’ says Wernher von Braun.”
In that vein, to what extent should computer security professionals consider the application and use of their discoveries and works and the ethical and moral questions raised by generating the ability of governments and corporations to successfully invade privacy? Alternatively, to what extent should security professionals also consider the application of their work to prevent governments from “legitimately” peering into the activities of criminals, terrorists, pedophiles and other dangerous persons? And whose job it it to make such determinations? Once the tools are up, who cares where they come down? That’s not my department …
The recent proliferation of cyberattacks and the use of malicious software by state and non-state actors raises fundamental ethical and moral questions for information security professionals. The Washington Post’s Joseph Menn recently reported that the Israeli company NSO Group developed and sold a series of zero-click attacks on updated iPhones. The attacks exploited vulnerabilities in Apple’s iOS 15 and early versions of its iOS 16 operating software, which the Cupertino company asserted have since been fixed. This is in addition to a 2022 zero-click attack on iPhones called “PWNYOURHOME,” which exploited vulnerabilities in Apple’s HomeKit and iMessage code.
These exploits serve as a prime example of the controversies surrounding the sale of hacking tools to governments for both counterterrorism efforts and the suppression of dissent. Should InfoSec professionals care?
NSO Group and Zero-Click Attacks
The NSO Group is a cybersecurity company based in Israel that specializes in the development and sale of surveillance technology. One of its most notorious products is Pegasus, a sophisticated spyware that can infiltrate updated iPhones through zero-click attacks. These zero-click attacks require no interaction from the target, making them particularly effective and hard to detect. They can be used to gather sensitive data, intercept communications and even take control of the device. The company claims that its products are designed to assist governments in fighting terrorism and crime, but there is growing evidence that its technology has been used to target journalists, activists and political dissidents.
Pegasus Infections in Mexico
A report by the Citizen Lab in collaboration with the Mexican digital rights organization R3D (Red en Defensa de los Derechos Digitales) revealed Pegasus infections aimed at journalists and a human rights defender between 2019 and 2021. The victims included two journalists who reported on official corruption and a prominent human rights defender. Opposition politician Agustín Basave Alanís was also infected with Pegasus spyware in 2021. These infections occurred years after the first revelations of Pegasus abuses in Mexico and despite assurances from the current Mexican President, Andrés Manuel López Obrador, that the government no longer used the spyware and that there would be no further abuses. This follows similar reports on misuse of Pegasus software by regimes in Palestinian territories, targeting human rights organizations in Bahrain and a host of other groups.
The problem here is not the tool, per se. It is that the sale of the tool—even to liberal democracies—permits and encourages the use of the tool against pesky journalists, opposition parties and other opposition groups. For repressive regimes, such targeting occurs with impunity.
One of the primary ethical concerns in the sale of hacking tools to governments is the issue of control. NSO Group claimed that it only sells its products to legitimate governments and that it is not responsible for how its clients use the technology. However, the Mexican case raises questions about the company’s ability to control the end-use of its products and the extent to which it should be held accountable for potential abuses. Additionally, the lack of transparency in the sale of these tools and the absence of an international regulatory framework exacerbates the problem, allowing governments to use these tools with impunity. Once the rockets go up, who cares where they come down? It’s not just hacker tools. It is any tool or service in information security. At the end of the day, InfoSec professionals either protect data from prying eyes (defensive tools) or help see things that others don’t want to be seen (offensive tools). Should we care how these tools are being used, or should we simply be hired guns?
Morality and Ethics
The sale of hacking tools raises numerous moral and ethical concerns. On the one hand, it is argued that these tools can be employed for legitimate purposes, such as combating terrorism or tracking down criminals. However, the potential for misuse is significant, particularly when these tools are sold to governments with a track record of human rights abuses. The use of NSO Group‘s technology to target journalists and activists, for example, undermines the fundamental rights to privacy and freedom of expression.
Moreover, the use of hacking tools for surveillance purposes raises ethical questions about the balance between national security and individual privacy. In a world where governments are increasingly turning to digital surveillance to monitor and control their populations, information security professionals must consider the ethical implications of their work and whether their services are contributing to a broader erosion of civil liberties.
Would you be comfortable being hired to secure the communications of a drug cartel, a pedophile ring or a terrorist organization? Certainly not. But what about a corporation that is secretly dumping toxic sludge into waterways or willfully underreporting its earnings? Is it the job of the CISO or InfoSec professional to delve into the reasons the entity wants privacy and security? That is, should you care what they are securing or attacking, or is that someone else’s department? Oh, you want answers? Sorry. None forthcoming here.
The sale of hacking tools also raises several legal issues. While the NSO Group argued that it only sells its products to legitimate governments, the definition of “legitimate” is subjective and may vary depending on the country or organization. In some cases, the sale of these tools may violate international law, particularly when they are used to target individuals without due process or for political purposes. Additionally, the lack of a clear legal framework governing the sale of hacking tools makes it difficult for information security professionals to navigate the complex ethical and legal landscape. Security professionals should be aware of the legal implications of their actions, as they may face liability for aiding and abetting clients who use their services for illegal activities. In some jurisdictions, providing assistance, even indirectly, to individuals or organizations engaged in criminal activities can result in severe penalties, including fines and imprisonment. To mitigate these risks, security professionals should establish rigorous due diligence processes to vet clients and maintain strict ethical standards in their work. A case pending before the Supreme Court seeks to hold Twitter civilly liable for “aiding and abetting” certain terrorist attacks merely for failing to prevent the use of the service by those who perpetrated the attacks.
Understanding Client Motivations
It is crucial for computer security companies to understand and assess the reasons why their clients want to secure their systems or develop offensive capabilities. There are several ethically questionable reasons clients may have for seeking these services:
Political repression: Governments may use hacking tools to surveil and suppress opposition groups, leading to human rights abuses and the violation of civil liberties.
Corporate espionage: Private companies may engage in cyberespionage to steal trade secrets, intellectual property or other sensitive information from competitors.
Cyberwarfare: State actors may use hacking tools as part of their broader military strategy, potentially causing collateral damage and violating international law.
Blackmail and extortion: Criminal groups or individuals may use hacking tools to gather sensitive information for blackmail or extortion purposes.
Disinformation campaigns: State or non-state actors may use hacking tools to spread false information, manipulate public opinion or undermine trust in institutions.
In light of these potential motivations, information security professionals must develop strategies for vetting clients and their intentions to ensure that their services are not being used for nefarious purposes.
Should cybersecurity professionals look into the motives of their clients? What are the ethics of offensive and defensive cybersecurity? If we—who are moral and ethical—don’t help attack/defend this infrastructure, won’t the customer simply turn to someone else who is not as moral and ethical as we are? We are white hat (well, grey, maybe) hackers. If we don’t do it, will they turn to black hat hackers?
AI Tools: Unknown Functionality and Uses
The development of artificial intelligence (AI) tools in the cybersecurity industry adds another layer of complexity to the ethical considerations. These tools often rely on machine learning algorithms which can be opaque in their functionality and decision-making processes. As a result, developers may not fully understand how their AI tools work, what biases they may introduce or how they will be used by clients.
This lack of transparency can lead to unintended consequences and ethical dilemmas. For example, an AI-powered hacking tool may inadvertently target innocent individuals or be used by clients to conduct illegal activities without the developer’s knowledge. To address these concerns, developers should strive for greater transparency in their AI tools, collaborate with stakeholders to develop ethical guidelines, and continuously monitor the use of their tools to ensure they align with legal and ethical standards.
The sale of hacking tools, such as those developed by the NSO Group, raises a host of ethical, moral and legal concerns for information security professionals. The potential for misuse is significant and the consequences can be dire for individual privacy and civil liberties. To navigate this complex landscape, security professionals must develop strategies for vetting clients and their intentions, maintain strict ethical standards and be aware of the legal implications of their actions. Additionally, the rise of AI tools in the industry necessitates increased transparency and collaboration to ensure these tools are used responsibly and in accordance with international norms.
Ultimately, the onus is on information security professionals to ensure that their services contribute to a safer digital environment for all, rather than exacerbating existing inequalities and injustices. That may mean turning down (or turning in) clients. But this assumes that governments themselves are also not the problem—and they often are. At the end of the day, we should all care where the rockets go down. That is our department.