Why there should be pre-emptive ethics training for privileged users -TEISS® : Cracking Cyber Security
Human Factors / Why there should be pre-emptive ethics training for privileged users
15 June 2018
Elevated privileges demand elevated accountability. I recommend pre-empting the inevitable problem of admin credentials misuse by training users that they’re held to a higher professional standard.
One of the aphorisms that I was raised on was the rule “just because you can do something doesn’t mean that you should.” It’s an easy rhetorical technique for parents to use to teach their children concepts like accountability, consequences, responsibility, and empathy. “Sure, you can throw a rock at that squirrel. Should you? Are you wanting to inflict violence on an innocent animal? What does harming a defenceless animal make you?” I know I used the rule on my own kids from an early age. “Yes, you have the ability to do a thing. That ability alone doesn’t mean that you have any right or reason to do that thing. Should you? Or not? Explain why.”
I realize that pushing my children to articulate (and then defend) moral and ethical positions annoyed the heck out of them. It annoyed me too as a kid. That’s normal. It is, however, an effective way to teach and to reinforce concepts and standards of behaviour that kids will need to employ throughout their lives.
They need to understand that their society has rules and that deliberately violating those rules may have severe consequences. Accidentally violating rules may carry consequences, too, so it’s crucial to know what the society’s rules are. There are certainly times and places where it’s both morally right and necessary to violate a rule; what’s important is to understand the circumstances, make an informed ethical judgment, and then accept the results without trying to weasel out.
Through my work as a volunteer with the Boy Scouts, I’ve discovered that a surprising number of young men were never taught these principles at home or at school. I’ve noticed the same lack of ethical preparation as a commander of military personnel and as a manager of businesspeople. In all of these cases, I’m absolutely not arguing that people who weren’t deliberately taught applied ethics as children are inherently unethical or morally bankrupt. Rather, I’ve found that a great many people enter the workforce without having first been conditioned to understand that possessing an ability does not in and of itself justify using that ability.
Put another way: just because you were top of the class in maths doesn’t mean you’re entitled to break the encryption on the school’s servers.
Case in point: on 1st May, NBC News’s Ben Popken published a story about a security engineer at Facebook who ‘…took advantage of his position to access information he then used to stalk women online.’ The story broke over the weekend thanks to Jackie Stokes of Spyglass Security. Word followed that Facebook took her reports seriously and initiated an internal investigation.
This isn’t an isolated incident. It occurs much more often than people in our community would like to admit. Giving people training and access to sensitive information always opens up the possibility that someone will mis-use their elevated access for unauthorized purposes. One of the more egregious cases in recent memory came up five years ago when NSA officers used their access to surveillance data to spy on current and potential romantic partners. The offenders nicknamed their violations ‘LOVEINT.” As the Washington Post’s Andrea Peterson described it:
‘… this type of snooping is by no means unprecedented. There are plenty of cases in which local law enforcement officials have been accused of abusing their access to databases to acquire information about potential romantic interests.
‘Most of the NSA violations were self-reported, and each instance resulted in administrative action of termination. The LOVEINT violations involved overseas communications, according to officials who spoke to the Journal.’
See, there’s the thing … this isn’t just a typical story of how power can corrupt a person. These examples aren’t stories of people who abuse their authority for either personal gain or to harm others. These are stories of deliberate systems access abuse. Put another way, both the anonymous Facebook engineer and the NSA ‘LOVEINT’ crew were granted privileged access to information in order to perform certain necessary and appropriate work functions.
The Facebook engineer was supposed to unmask cybercriminals; the NSA officers were supposed to analyse national security threats. Their skills and access – their ‘ability’ if you will – were granted by their respective employers to do good works … and only authorized good works, under controlled conditions, strictly by the book. Any other use of that ability was prohibited.
“You’re nicked, bucko. We know you’re the guy what broke the encryption on the school’s servers. Come on quietly and don’t make me get the woofer involved.”
I’d very much like to interview these subjects, if only to confirm my suspicion that they were never taught as children the ethical principle that having ability isn’t sufficient justification for using that ability outside of its intended function. I’d be willing to bet a fiver that some of these folks didn’t realize that they were violating organisational regulations until after they were caught and the nature of their prohibited actions was explained to them by a steely-eyed HR person … right before they were escorted off the property.
As I mentioned, I meet a lot of young people that have – for myriad reasons – never received any sort of grounded education in basic professional ethics. You’d think that this is all common sense, but there really is no such thing; people learn right and wrong from their environments. What’s acceptable in one culture won’t necessarily be tolerated in another. Unfortunately, it usually takes a traumatic event – like the termination of an employee – to register with folks who entered the job mentally unprepared.
That’s why I’m a strong advocate for deliberate, pre-emptive ethics training for people who hold elevated systems and information access. I introduced my own ‘IT leaders’ performance expectations’ program for my civil servants back when I ran an IT support organisation. I reproduced our expectations counselling form as a free template in my book High Tea Leadership. . We employ an advanced version of this training practice at OCC for all of our ‘privileged users’ as a condition of assignment: before any colleague can be granted admin rights, they must be trained and must acknowledge in writing that they understand that they’re held to a higher standard of professional conduct.
‘It’s important that you understand where the “red lines” are when it comes to the proper use of your elevated credentials. Don’t make me get the woofer involved.’
The intent of this sort of pre-emptive training is to hold a one-on-one with all users in order to explain the organisation’s expectations up-front about its intent and security requirements. ‘Yes, we’re giving you elevated privileges and access, but only to perform your required work functions in accordance with all governing regulations and not for anything else. We pre-emptively eliminate the possibility of a misunderstanding or any ethical grey area. Abuse of one’s access will not be tolerated, full stop.‘
By making this expectation clear at the outset, we police up those few people who never learned the lesson through other means. Our intent (and yours should be, too) is to minimize to the greatest extent possible any privileged users blithely venturing past the borders of acceptable ethical conduct because they mistakenly believe that their ability to do so will somehow justify their actions. That’s not how our company works. It’s not how the NSA or Facebook works. I’d wager that it’s not how your organisation works either.
 A humourous spycraft phrase meaning ‘Love Intelligence,’ in the way that ‘Signals Intelligence is referred to as ‘SIGINT.’
 Feel free to use it as you see fit. The annotated version starts on page 119 as Annex 2.