Ethics by Design

Ethics by Design

Every so often something comes along and disrupts the normal order of things, and out of that disruption a something new emerges. It’s certainly not a stretch to say that 2020 has brought plenty of disruptions with it, and according to a recent report by Gartner, businesses are starting “reset” how they operate and implement new strategies reliant on emerging, more sophisticated technologies. In the report, Gartner lists a number of predictions for what the future of business will look like. Perhaps the most startling prediction the report makes is the increase in workplace surveillance: “By 2025, 75% of conversations at work will be recorded and analyzed, enabling the discovery of added organizational value or risk.” Whether this prediction will turn out to be true is up for debate, however the tone of the report seems to imply there isn’t much we can do about it. The problem, of course, is that these changes don’t appear out of thin air. People create the change. This means, if Gartner’s prediction turns out to be true, we aren’t completely helpless and could even play a role in building new technologies based on the values and ethics people share. Just like there is a movement in cybersecurity to create technologies that are based on privacy by design, as we begin moving towards a new future, we also need to focus on creating technology based on an ethics by design that promotes the well-being and rights of individual

While the idea of having every conversation and interaction you have at work recorded and analyzed probably doesn’t sound to appealing to employees, Gartner’s report highlights the possible benefits this will have for businesses. As Magnus Revang, research vice president at Gartner, explained to Tech Republic, “By analyzing these communications, organizations could identify sources of innovation and coaching throughout a company.” This may certainly be true. In fact, organizations could even use this data to help improve the workplace for employees.

Of course, if we’ve learned anything in the past decade, the technology that is used for good can also be used for bad. And Revang recognizes the risk involved with this shift. “I definitely think there [are] companies that are going to use technology like this and misuse it, and step over the line of what you would call ethical or moral.” When used correctly, however, Revang belives the benefits of the this technology will outweigh any possible risks.

The problem with this argument, however, is that it assumes the problem is not with the technology itself, but the people who use it. According to Tech Republic, Revang believes “technology is inherently neutral, however the way an organization chooses to deploy and use a technology is another consideration.” What this way of thinking doesn’t consider, however, is that technology is built by people — people who are certainly far from neutral. As Joan Donovan, a social science researcher at Harvard University, recently put it, the technology we build encodes “a vision of society and the economy.”

Humans are flawed, and technology is stained with our flaws before it is even operationalized. So, when looking towards the future of technology in business, without designing these new innovations with an ethics in mind, our underlining biases and flaws will play a big role in the consequences this technology will have for our everyday lives. This has huge implications in every facet of society, and unfortunately, our ethical oversight structures are very weak to mitigate these threats.

There’s talk about privacy by design principles and there are AI-bias frameworks being developed. But, in order to create technologies that support our better angels and not our worse impulses, we need experts across all fields and sectors to work together in order to understand and develop ethics by design principles that can help build technologies that are not only useful, but that reflect the values and ideals for a more just and equitable society.

Cyber Death by Imagination

Cyber Death by Imagination

Behavioral economics teaches us that we are more fearful of immediate losses than future gains.  Conversely, we are also tend to choose immediate gains over protecting ourselves from future losses.  Especially when the type of loss is too foreign to us or is ever changing.  

We do have available to us a tool that doesn’t require a lot of tech to use but perhaps can do more to both enhance and protect our organization than any piece of software or hardware we might have:  our imagination.

When things are changing, you can’t rely on static measures or processes designed to defend against what today’s threats.  Because the use of technology as a business enabler is ever changing as is the nature of cyber threats, businesses need to take a dynamic approach to risk mitigation and transfer strategies and constantly imagine both the opportunities and the risks they may face tomorrow.

As a report from the UC Berkeley’s Center for Long-Term Cybersecurity and Booz Allen Hamilton states, “….failures of cyber defense in some cases — possibly the most important ones — [are] not necessarily a failure of operational rigor but equally or more so a failure of imagination.”

There are a number of tangible ways businesses can leverage the use of imagination in addressing the cyber risks that they may face.  One is through an incidence response simulation.  Get your team around a table.  Imagine a ransomware event has occurred.  What do you do?  Do you pay the ransom? How long will your systems be down?  How much business do you stand to lose?  Brainstorm other scenarios, focusing on ones that could take you out.  Risks that cause you to be shut down for an extended period of time or do irreparable harm to your ability to serve your customers or to your reputation.

Not only do these types of simulations help you be better prepared to respond if they occur, it also helps you better define what risks you might face and what defenses to build to mitigate those risks.  This can therefore become the basis for your risk assessment (which, if you are simply focused on compliance you generally have to do anyway).

We often think of creativity when it comes to innovation and growth that are critical our long term success.  In the ever-changing world of cyber threats, we need to be equally creative when it comes to imagining and addressing risks what are crucial for our long term viability.

Remember Your First Password?

password_cartoon

We do need to make sure that we are using strong passwords, but guidance has changed on the need to continually change those passwords.  The National Institute for Standards and Technology (NIST), which codifies best practice cybersecurity controls, has updated their guidelines around digital identity.  Instead of forcing individuals to change their passwords frequently and/or require a special characters or passwords which are more gibberish, they recommend creating long passwords out of pass phrases, such as “NIST passphrases make passwords easy!”.  Long pass phrases are difficult to crack and yet memorable enough for the user.  

Still, remember not to use the same password twice (use of a log in manager can help you here).  Also, enable multi-factor authentication for applications which may have sensitive information (where you have to both key in a password and enter a code from your smart phone, as an example).

 

Paris Calling…..Faut-il répondre?

Paris Calling…..Faut-il répondre?

This week, Canada announced that, along with Microsoft and the Alliance for Securing Democracy, they will be leading an initiative to counter election interference as outlined in the Paris Call for Trust and Security in Cyberspace. The Paris Call is an international agreement outlining steps to establish universal norms for cybersecurity and privacy. The agreement has now been signed by over 550 entities, including 95 countries and hundreds of nonprofits, universities, and corporations. Nations such as Russia, China, and Israel did not sign the agreement, but one country’s absence is particularly notable—the U.S.

While the Paris Call is largely symbolic, with no legally-binding standards, it does outline 9 principles that the agreement commits to uphold and promote. Among these principles are the protection of individuals and infrastructure from cyber attack, the defense of intellectual property, and the defense of election from interference.

Non-Government Entities are Governing Cybersecurity Norms

Despite the U.S.’s absence from the agreement, many of the United States’ largest tech companies signed the agreement, such as IBM, Facebook, and Google. In addition, Microsoft says it worked especially close with the French government to write the Paris Call. The inclusion of private organizations in the agreement is a sign of the increasing importance of non-governmental entities in shaping and enforcing cybersecurity practices. The fact that Microsoft—and not the U.S.—is taking a lead on the agreement’s principle to counter election inference is a particularly strong example of how private companies are shaping the relationship between technology and democracy.

A Flawed Step, But a Step Nonetheless

Some organizations that signed the agreement, however, remain wary of private influence and how it might affect some of the principles of the Paris Call. Access Now, a non-profit dedicated to a free and open internet, raised concerns about how the agreement might give too much authority to private companies. One of the agreement’s principles, for example, encourages stakeholders to cooperate to address cyber criminality, which Access Now worries could be interpreted as a relaxing of judicial standards that would allow for an “informal exchange of data” between companies and government agencies. The non-profit also worries the principle concerning the protection of intellectual property could lead to a “heavy-handed approach,” by both private and public entities, “that could limit the flow of information online and risk freedom of expression and the right to privacy.”

On the opposite side, others have argued that the principles are more fluff than substance, fairy tales without specificity and accountability.

That being said, Paris Call is at the very least an acknowledgment that, similar to climate change, our global reliance on technology requires policy coordination on a global scale, involving not only nations, but the technology companies that are helping define our future, as well.  After all, it’s hard to imagine solving any global issue without a coordinated technology supporting us.  Paris Call may not be the right answer, but we probably should pick up and be part of the conversation.

Hacks Against Healthcare Industry on the Rise

Hackers are continuing to use the coronavirus crisis for personal profit. We recently wrote about the increase in malicious sites and phishing campaigns impersonating the World Health Organization and other healthcare companies. But now hackers appear to be turning their sights to the healthcare sector itself. Here are two notable cases from the past few weeks.

WHO Malware Attempt

Earlier this week, the World Health Organization confirmed hackers attempted to steal credentials from their employees. On March 13th a group of hackers launched a malicious site imitating the WHO’s internal email system. Luckily, the attempted attack was caught early and did not succeed in gaining access to the WHO’s systems. However, this is just one of many attempts being made to hack into the WHO. The chief information security officer for the organization Flavio Aggio told Reuters that hacking attempts and impersonations have doubled since the coronavirus outbreak.

Similar attempted hacks against other healthcare organizations are popping up every day. Costin Raiu, head of global research and analysis at Kaspersky, told Reuters that “any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”

Ransomware Attack Against HMR

Unlike the attack on the WHO, a recent ransomware attack was successful in stealing information from a UK-based medical company, Hammersmith Medicines Research (HMR). The company, which performs clinical trials of tests and vaccines, discovered an attack in progress on March 14th. While they were successful of restoring their systems, ransomware group called Maze took responsibility. On March 21st, Maze dumped the medical information of thousands of previous patients and threatened to release more documents unless HMR paid a ransom. HMR has not disclosed how the attack occurred, but have stated that they will not pay the ransom.

Four days after the initial attack, Maze released a statement saying they would not target medical organization during the coronavirus pandemic. Yet, this did not stop them from publicizing the stolen medical information a week later. After the attack gained publicity, Maze changed their tune. The group removed all of the stolen files from their website, but blamed the healthcare industry for their lack of security procedures: “We want to show that the system is unreliable. The cyber security is weak. The people who should care about the security of information are unreliable. We want to show that nobody cares about the users,” Maze said.

Conclusion

 Times of crisis and confusion are a hacker’s delight. The staggering increase of hacks against the healthcare industry only help prove that.  The key to mitigating these threats is to ensure that security configurations are set to industry best practices, continuously scan your networks, lock down or close open ports, secure or (preferably) remove Remote Desktop Protocol, and require Multi-Factor authentication for any remote access.  And certainly, make sure you are testing your incidence response plan.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog