The long view of security strategies for your network.
In the first of this three-part series, Becki True, CISSP, and I recounted the story of the breach of security of the colemanforsenate.com Web site. This second column is also the product of close collaboration between True and myself.
* * *
What would have been the ethically correct decision in this case, and how can we know that it is ethically correct? The first stage of an ethical decision filter asks whether our action violates laws. Did the other players in this incident of full disclosure break any laws? We are not lawyers, and we are not qualified to provide legal advice, but 18 USC 1030(a), the Computer Fraud and Abuse Act of 1986, states that:
"Whoever — (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains — (a) information contained in a financial record of a financial institution, or of a card issuer" is subject to fines and jail time. "The term 'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter."
From this reading, we take it that the person(s) who downloaded the database seem to have violated 18 USC 1030(a).
In contrast, attorney Jennifer Granick, Civil Liberties Director at the Electronic Frontier Foundation and Executive Director of the Center for Internet and Society at Stanford Law School, holds that neither Richards nor Wikileaks.org broke the law. Based on her knowledge of this case, as well as the law, Granick said it was legal for Richards to view the Web directory on which Coleman's donor list resided. "There has to be some kind of indication that information is locked away," she said.
The next stage is to ask whether your actions comply with the rules of the profession. Are there standards in the IT profession that were violated here? Many IT certifications and associations, especially those related to the security field, do have such codes of ethics:
• (ISC)2
• EC-Council
• ISACA
• SANS
• ISSA
In our opinion, a code of ethics should be required for all IT certifications, so that all IT practitioners are aware of the ethics of our profession. We also believe that an IT professional should have notified the administrators of the Coleman Web site that there was a problem and that sensitive information was vulnerable to exposure, rather than exposing the vulnerability in public.
Normally, we also ask whether our proposed action would be embarrassing if it were revealed to the public; in this case, the answer for the principals was clearly "No." However, we can state categorically that we would be ashamed of revealing someone else's vulnerability in public without intensive good-faith efforts to get the problem fixed. [MK adds, "When I discovered a major hole in Hewlett-Packard's MPE operating system in 1982, I reported it to headquarters, not to the press – and would have done so even if I had not been working for HP."]
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.