This rapidgrowth has given rise to a variety of ethical challenges for researchersseeking to combat these threats. For example, if someone has the ability totake control of a botnet, can they just clean up all the infected hosts? Can wedeceive users, if our goal is to better understand how they are deceived byattackers? Can we demonstrate the need for better methods, by breaking somethingthat people rely on today? When one considers the implications of somethinglike botnet cleanup the blind modications and possible rebooting of thousandsof computers without their owners’ knowledge or consent this complexity becomesall the more obvious. To be effective, we must find ways to balance societalneeds and the ethical issues surrounding our e orts, lest we drift to theextremes| becoming the very thing we deplore, or ceding the Internet to themiscreants because we fear to act. In this paper, we endeavor to create adialogue on the ethical issues in computer security and the ethical standardsthat we intend to enforce as a community As students learn toprotect network services, they necessarily learn to attack network services,disguise their identities, et cetera. While a few colleges have gone as far asgiving students background checks before teaching hacking skills, some simplenew tactics can motivate students to employ their skills legally and ethically.
These tactics lead students to discover what is ethical for themselves, ratherthan being told what is or is not ethical. The Declaration ofHelsinki and Belmont Report motivated the growth of bioethics alongsidetraditional biomedical research. Unfortunately, no equivalently active ethicsdiscipline has paralleled the growth of computer security research, whereserious ethical challenges are regularly raised by studies of increasinglysophisticated security threats (such as worms, botnets, and phishing). In thisabsence, program committees and funding agencies routinely must judge theacceptability of research studies. Such judgments are often difficult becauseof a lack of community consensus on ethical standards, disagreement about whoshould enforce standards and how, and limited experience applying ethicaldecision-making methods. This article motivates the need for such a community,touching on the extensive field of ethical decision making, examining existingethical guidelines and enforcement mechanisms used by the computer securityresearch community, and calling the community to joint action to address thisbroad challenge. Honeypots were then infected and used to collect intelligenceon the botnet’s operation and control servers.
They “scouted these servers,revealing a wide-ranging network of compromised computers.” Gaining access tothe attackers’ C front end, they were able to “derive an extensive listof infected systems, and to also monitor the systems operator(s) as theoperator(s) specifically instructed target computers.” One year later, afollow-up report was published describing continued investigation of theseattacks dubbed the shadow network. In this latest report, theresearchers describe the principles used to guide their decisions.
Theseinclude collecting data from compromised computers with the owners’ consent,monitoring the C&C infrastructure enough to understand the attackers’activities and to enable notification of infected parties at the appropriatetime, working with government authorities in multiple jurisdictions to takedown the attacker’s C&C infrastructure, and storing and handling datasecurely. Arich body of research and a long history of ethical decision-making in otherfields have resulted in our current set of ethical guidelines for researchersand professionals. Table 1 lists the three existing ethical frameworks we focuson here. The World Medical Association’s Medical Ethics Committee responded in1954 by writing the Declaration of Helsinki, which was completed and adopted in1964.
This declaration addressed research protocols involving humans in termsof risks and benefits, informed consent, researcher qualifications, and so on,and informed a set of standards, or good clinical practices (GCPs). Morethan a thousand laws, regulations, and guidelines worldwide now protect humanresearch subjects. Since the first distributed attack networks were seenin 1999, computer misuse enabled by botnets, worms, and other vectors hassteadily grown. This rapid growth has given rise to a variety of ethicalchallenges for researchers seeking to combat these threats. For example, ifsomeone has the ability to take control of a botnet, can they just clean up allthe infected hosts? Can we deceive users, if our goal is to better understandhow they are deceived by attackers? Can we demonstrate the need for bettermethods, by breaking some-thing that people rely on today? When one considersthe implications of something like botnet clean up the blind modification and possible rebootingof thousands of computers without their owners’ knowledge or consent – thiscomplexity becomes all the more obvious.
To be effective, we must find ways tobalance societal needs and the ethical issues surrounding our efforts, lest wedrift to the extremes becoming the very thing we deplore, or ceding theInternet to the miscreants because we fear to act. In this paper, we endeavourto build expertise in practical decision making, as well as to suggest a pathtowards development of community standards and enforcement mechanisms governingbasic and applied computer security research.