Æther-ASOR

Cybersecurity Ethics


Cybersecurity Ethics by Mary Manjikian. Routledge, 2018, 232 pp.

Dr. Mary Manjikian’s excellent textbook, Cybersecurity Ethics, delivers an eminently readable perspective for the experienced professional as well as a casual cyberspace consumer. Lest someone view the appellation “textbook” as a negative, the first three words on the flyleaf claim, “This new textbook offers an accessible introduction to the topic of cybersecurity ethics.” The book smashes those expectations over the fence in every instance, earning top ratings as a new textbook with an accessible introduction and fully covering the difficult field of cybersecurity ethics.

Manjikian avoids technical debates about access, malware, and network topology, which trip up casual cybersecurity readers, to focus entirely on the relevant moral debates. The textual components of Cybersecurity Ethics read easily while frequent sidebars illustrate ethical dilemmas; the book sticks to proven teaching essentials throughout. Learning objectives appear at every chapter’s beginning, discussion questions at the end, and additional sources are recommended. Whether one is looking to amplify an existing class, personal knowledge, or course development material, Dr. Manjikian’s textbook clearly demonstrates a home-run choice.

The interesting framework applied through Cybersecurity Ethics helps lead the reader through a complicated subject. Although similar topics are covered during any traditional ethics course, the refresher Dr. Manjikian provides proves beneficial. She applies three ethical frameworks to every situation: virtue, deontological, and utilitarian. The consistent framework in every chapter demonstrates the three valid but different perspectives for moral dilemmas. Virtue ethics began with Aristotle and focus on agent-centered ethical treatments emphasizing selecting actions based on one’s personal character. Deontological ethics, founded by Immanuel Kant, relate to obligation-based principles, believing humans use logic-based reasoning to resolve ethical problems. The final frame, utilitarianism, was founded by Jeremy Bentham and popularized by John Stuart Mill. This ethical type sets standards through how actions affect outcomes, sometimes referred to as consequentialist theory. Each ethical standard illustrates positive and negative examples. Similar to typical cybersecurity, the ethical framework offers rule-based, knowledge-based, and behavior-based methods for ethical concerns.

Some professional certifications already claim an ethical basis, for example a Certified Compliance and Ethics Professional, which handles financial and healthcare concerns, or the Certified Ethical Hacker (CEH). For a cyberspace lens, Manjikian discusses ethical hacking standards if not following a CEH lesson plan. The chapter explores hacking motivation, internet proliferation concerns, and penetration testing. Examples such as ransomware, bug bounties, and the Electronic Frontier Foundation demonstrate ethical principles. One of the work’s clear objectives shows how a cyberspace professional’s ethical standards are built and where the author believes standards apply. While not a professional standard as clear as that of Samuel Huntington defining a profession of arms during The Soldier and the State (1957), Manjikian defines a base that others could certainly apply to a similar end.

Demonstrating an effective ethical framework requires excellent examples and subjects that offer some moral confusion, and it should challenge one to a clear path. Cybersecurity Ethics examines four areas in individual chapters: privacy, surveillance, piracy, and cyberwarfare. The first area examines privacy standards through identifying items requiring privacy from a legal, ethical, and regulatory standard. Defining privacy requirements depends on comparing public versus private cyberspace elements. The clear path developed to this point continues, while morally challenging examples include the Silk Road crime syndicate, social media concerns, and the Health Information Privacy Act (HIPAA).

The following chapters expand on privacy and surveillance through private and government violations. First, the chapter defines surveillance: “the unauthorized collection of personal or professional information” (p. 114). Thus, the work highlights potential scenarios like Cambridge Analytica’s improper data use or NSA’s previous cooperative phone company agreements as opposed to typical user agreements, opening packaging containing binding legal agreements, or clicking the ubiquitous website “I agree” box. The chapter suggests several examples before defining ethical surveillance requirements to include target awareness, a safety-focused intent, a large scale, and an opt-out ability for targets. While surveillance has normally been at the center of ethical debates, the European Union’s (EU) General Data Protection Regulation (GDPR) 25 May 2018 implementation date has focused the media on privacy rights in the short term. This action, approved in 2016, attempts to return personal data control to EU citizens for distributed items through rules on where data may be hosted, how it must be processed, and several other considerations. One of the most revolutionary GDPR items requires all organizations demonstrating public authority, engaging in systematic monitoring, or processing large-scale personal data to maintain a data protection officer (DPO). These DPOs will likely require standardized ethical cyberspace usage training, and a book like this could be foundational.

Finally, Manjikian considers piracy and cyberwarfare. This pair is roughly congruous if one considers economic gain based on criminal actions through cyberspace as piracy and political or diplomatic gain based on state-sponsored actions as cyberwarfare. As I demonstrated in Cashing in on Cyberpower (Lincoln, NE: Potomac Books, 2018), state and nonstate entities may mix and match goals to achieve desired end states. Dr. Samantha Ravich even mixes the two when defining cyber-enabled economic warfare as “a hostile strategy involving attack(s) against a nation using cyber technology with the intent to weaken its economy and thereby reduce its political and military power.”[1] Piracy examples consider intellectual property theft through BitTorrent rather than direct financial gains. Financial cyberspace thefts appear as morally wrong here regardless of the framework. One could challenge a moral presumption of guilt for financial theft if transferred funds support a desired external outcome to be utilitarian. For example, sanctioning Russian individuals for malicious cyberspace actions, then using cyber tools to move funds from blocked bank accounts and confiscated funds to pay health care bills for hypothetical expatriates who were targeted with chemical weapons in a third country could be a cyberwarfare concern rather than piracy. Peer-to-peer applications like BitTorrent are examined as piracy as well as some bug bounties representing limited privateering if not the full sails, cannons, and impressment act common to America’s high seas.

From a cyber-professional perspective, the cyberwarfare chapter is underwhelming. The emphasis is on just war, the Geneva Convention standards, and Law of Armed Conflict. These are the traditional standards associated with any conflict and do not offer expanded considerations for cyber-based conflict, even from the excellent ethical framework used previously. Even a quick review of the Tallinn Manual’s standards for cyber-warfare would have offered something different.

Overall, Cybersecurity Ethics excellently fulfills the stated goal to provide an ethical framework and illustrate several current issues regarding cybersecurity through a new textbook. The construction was splendid, material assembled coherently, and sources presented thoroughly and accurately. This book is an excellent introduction to ethical processes associated with cyberspace. I would not recommend simply reading the work from cover to cover; however, for those more familiar with emerging cyberspace issues, the book will provide an efficient desk reference as well as a source of training for those new to any cyber organization.

Mark Peters

 

[1]. Samantha Ravich and Annie Fixler, “Framework and Terminology for Understanding Cyber-Enabled Economic Warfare,” Center on Sanctions and Illicit Finance, 22 February 2017, http://www.defenddemocracy.org/content/uploads/documents/22217_Cyber_Definitions.pdf.

 

"The views expressed are those of the author(s) and do not reflect the official policy or position of the US government or the Department of Defense."