The Daily Swig speaks to Jeroen van der Ham about how the FIRST code of ethics is helping to build trust across the security community

ethicsFIRST: Maintaining ethical behavior across the cybersecurity industry

Maintaining ethical practices within the cybersecurity space can sometimes be challenging, particularly considering the ever-evolving threat landscape.

Differing international laws and policies, government priorities, and the sheer volume of vendors and organizations can also muddy the waters when it comes to getting the job done without inadvertently crossing boundaries – legal or otherwise.

In response, a group of individuals from FIRST, the Forum of Incident Response and Security Teams, developed the ethicsFIRST team, a special interest group dedicated to creating and promoting a code of ethics framework for infosec professionals.

The guidelines are built on the idea of trustworthiness and state that cybersecurity workers have a duty to adhere to coordinated vulnerability disclosure, to inform those affected by a security incident, and to recognize jurisdictional boundaries.

These recommendations were written by members of the ethics team from across sectors, including vendors, government representatives, and other workers in the security field.

FIRST holds its annual conference next week, which will take place virtually in 2020 due to the Covid-19 pandemic.

The Daily Swig spoke to Jeroen van der Ham, co-chair of the ethicsFIRST group, senior researcher at NCSC-NL, and associate professor at the University of Twente, Netherlands, ahead of the event to discuss managing behaviors, building trust, and maintaining ethical standards for the whole industry.

Jeroen van der Ham


Daily Swig: When was the ethicsFIRST team first formed, and was it a result of any specific incident?

Jeroen van der Ham: The ethics SIG (Special Interest Group) was formed in 2016 at the FIRST Conference in Seoul. A small group of experienced people from the community came together and thought it was important to develop a code of ethics.

There was no specific incident leading up to this; rather, it was seeing many different developments, such as the professionalization of incident handling, many different (international) policy developments, and the growth of the FIRST community, that made it necessary to make the implicit behavioral codes explicit.




DS: What are the core principles the team upholds?

JH: The ethics SIG is composed of many experienced incident handlers who cherish the community and the work that they do. This translates into the basis of ethicsFIRST: Trustworthiness.

All other elements of the code of ethics build on that to make for predictable behavior between security teams. The different duties explain what it means to form a trust relationship and what is expected from the different teams.

But the code also explains that sometimes duties conflict, and hopefully provides a means and vocabulary to explain decisions that must be taken, while still trying to maintain a trust relationship between different teams.


Ethics for Incident Response and Security Teams

EthicsFIRST is designed to inspire and guide the ethical conduct of all infosec team members. Its adherents are expected to uphold the following duties:

  • Duty of trustworthiness
  • Duty of coordinated vulnerability disclosure
  • Duty of confidentiality
  • Duty to acknowledge
  • Duty of authorization
  • Duty to inform
  • Duty to respect human rights
  • Duty to team health
  • Duty to team ability
  • Duty to responsible collection
  • Duty to recognize jurisdictional boundaries
  • Duty of evidence-based reasoning

  Source: ethicsFIRST (PDF)


DS: Can you talk more about the framework – how did you decide what to include?

JH: The set of duties was a result of many discussions and cooperation in the FIRST ethics SIG. We started with looking at related codes, such as the ACM Code of Ethics, but also codes from the American Psychology Association or codes for accountants. Another important ingredient was the implicitly expected behavior in the security community.

Finally, we were acutely aware of the international nature of our work, spanning many different cultures, so we also tried to take that into account.

In the end we talked through many different dilemmas experienced by the SIG members and tried to tease out the important duties at play, until we were happy that we had a reasonably complete set of important duties.



DS: How does the ethics team interact with others in the industry, for example vendors or government agencies?

JH: The ethics SIG is a group of security practitioners from vendors, government agencies, and others from the field, so there is no formal interaction, but rather input from all the different stakeholders that come together in this open working group.

DS: Finally, what are the plans for the ethics team in the coming months/years? Are there any projects it is working on?

JH: The ethics SIG is currently working on a collection of example cases that help illustrate the impact of the different duties. These can be used as an addendum to the Code of Ethics, and as a teaching tool. We are currently in the process of finalizing that and hope to publish early next year.

