![The Code of Honor: Paul J. Maurer and Ed Skoudis explore ethics in cybersecurity with Ben Yelin. [Special Edition] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/6084a920-560d-11f1-af4b-0b6a22a863bd/image/0216c9cea15c53e5d2c739964a38623c.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
You're listening to the CyberWire Network, powered by N2K.
Dave Bittner
Hey, everybody. Dave here. Thanks for joining us here today for this CyberWire special edition. Today, my Caveat co-host Ben Yelin speaks with Paul Maurer and Ed Skoudis. They are authors of The Code of Honor: Embracing Ethics in Cybersecurity. Their new book offers a practical framework for navigating the ethical challenges facing today's cyber professionals. Here's their conversation.
Ben Yelin
So these two gentlemen are the co-authors of The Code of Honor: Embracing Ethics in Cybersecurity. And I thought we'd start at a very high level and just talk about your motivation for the book, what message you each were trying to convey, and whomever wants to get started.
Paul Maurer
I'm happy to jump in on that. We saw a gap. And anyone who's done higher education, particularly doctoral work, you know that a dissertation is about finding a gap and filling it. If you've done any book writing, it's the same. And so we think that there was a gap in the ethical teaching of cybersecurity. And I got a call from the National Security Agency asking for a curriculum. We had a long conversation and I suggested that we add a book to that project. They agreed with it. And so at the behest of the National Security Agency, we agreed to do that. I reached out to Ed because I needed a co-author on the book and someone who actually understood cybersecurity. I'm not a cybersecurity technical person, never have been, never will be, and Ed very graciously came alongside to give it some cyber chops.
Ed Skoudis
And for me, my involvement was based on 21 years of teaching cybersecurity, incident response and penetration testing. In that 21-year span, I taught over 40,000 students. And very frequently questions would come up about ethics, about various scenarios that would come up while handling cyber attacks or while conducting security assessments and penetration testing. So I would answer students' questions in the classroom as well as those that arrived via email for a couple of decades. And when Paul approached me saying, hey, there ought to be a book, I said, that's great. I have a lot of experience. I can pull up all those old emails with all those questions and we can put them in a modern framework and hopefully impact some people's lives in a positive way by focusing on not only what individual practitioners need to think about for ethics, but also cyber leaders.
Ben Yelin
As a law guy myself, when I teach classes, I always get the question about whether law and ethics are intertwined in one way or another. What's the interplay between legal principles, legal rules and ethics? I'm wondering if you could get into that, because I think sometimes there's a confusion there.
Paul Maurer
Yeah, I'd be happy to take a first shot at that. I think that an awful lot of ethics today is defined by law, but that's not historically the case. Over the course of two millennia, when you look at something like the Hippocratic oath or just war theory, that is something different than the law. And so what we aspire to do with this code of honor is to create a code of ethics for cybersecurity, something that transcends the law into a higher ethical, moral order.
Ed Skoudis
Sure. Also, I'd add to that that the law is established. That's all fine, and we want people to adhere to the law. But in the cyber world, especially with AI, things are moving so fast that the law trails. It just kind of has to, because new technologies are enabling new things, new decisions have to be made. So we thought it would be useful to put a framework together for decision making in light of rapidly advancing technology.
Ben Yelin
One thing that I really enjoyed about the book is just talking about how much power and influence cyber professionals have. Can you talk about just that notion of power and kind of what responsibility comes with that power within organizations?
Ed Skoudis
Sure. This always brings me back to the Spider-Man quote. Right, Uncle Ben. Yes. Uncle Ben said to Peter Parker, with great power comes great responsibility.
Ben Yelin
My alter ego, Uncle Ben.
Ed Skoudis
Very nice.
Ben Yelin
Yes.
Ed Skoudis
I feel more Uncle Ben as I age myself here too. You know, I think that your average layperson doesn't understand the power that cybersecurity professionals have, or maybe they think of it as some sort of bizarre magic. But as a cybersecurity professional, you have access to all kinds of information that could be abused in very bad ways. You know, access to systems, hacking capabilities, detailed information about how systems are put together and the vulnerabilities they have. So these folks are very trusted implicitly. And our book tries to make the point that we need to make sure that we have an explicit declaration of the need for trusting these individuals, and then a framework for them to exercise their duties in light of this great trust that we put in them.
Paul Maurer
Yeah. The thing I would add to that is that we see cybersecurity as the economic and security threat of our time. And as such, the number of people who are vulnerable to this is infinite. Everyone is vulnerable to this. And so the responsibility to protect the vulnerable is very, very great. And we think that it cannot simply be about technical education; the human factor really is at the core of the cyber problem and the cyber solution. And so you have to have people who are ethically trained and ethically committed in order to do the full job.
Ben Yelin
I know this might be a difficult question, but we often talk about those gray zones where somebody faces a decision point; maybe they've discovered a vulnerability and they don't know exactly what to do. Are there one or two examples of kind of those gray zone moments that stick out to you, and that kind of gave you the most fuel for this writing?
Ed Skoudis
Oh, sure, there are many different things. You know, there's a lot of gray zones in this cyber world. And that's why the book is built on different principles, one principle per chapter. You know, working for the common good, maintaining privacy, et cetera, et cetera. And Paul and I actually wrestled for about two years on this. Paul came and visited me in my office monthly, sometimes more than once a month. And we'd spend a day or two trying to figure out what these foundational principles are. And then, Ben, we ordered them to say, hey, these are the most important ones. And then, you know, they go in order of decreasing importance. And that was to kind of help people balance things out, because in any ethical dilemma, you are going to face multiple different principles. So we tried to place them in order to give a sense of where the decision should come out. And an example. You asked for a specific example. Suppose you find a vulnerability. You're a cybersecurity researcher, a vulnerability researcher. You find a vulnerability in some system that thousands or maybe even millions of people rely on, and you disclose this responsibly. That is, you tell the vendor who makes the software that there's a problem here. That's all very good, and that's actually pretty easy from an ethical perspective. Here's where we get into a gray zone. What if the vendor doesn't respond? Or they just keep dragging things out for long periods of time? Meanwhile, people have that exposure unknowingly; their customers are exposed to this vulnerability that you, the cybersecurity researcher, know about, but the vendor of the software isn't moving fast enough. What do you do then? Do you disclose publicly to force that vendor's hand? Well, that risks all of those people who use the software and their sensitive data. So we talk in the book about how to navigate situations like that and to reach out potentially to a trustworthy third party, perhaps in industry or in academia, that can help get the attention of a vendor. Also, just to help vet your own understanding of that vulnerability. So that's an example of sort of that gray zone and how to reach out to a mentor or another trustworthy person to help clarify.
Paul Maurer
We don't assume that this is easy and we don't assume that this is simple. We think that this is a muscle that has to be exercised and developed through practice and time. And there are no pat answers, or there are many answers that are not clearly black or white or pat answers. And so that's where the critical thinking of human beings working together as a team is so critical to solving these problems.
Ben Yelin
How have you found reception just among technologists? I am also somebody who is not a technologist. I have no fluency in whatever it is the cybersecurity professionals do. But for people who have been in the field, have you found a positive reception to this book and to your framework?
Ed Skoudis
Yes, I have. I've had many people come up to me and tell me that they found the book very understandable, very organized. You know, cybersecurity professionals are very busy people. There's a lot of technical information coming their way. The book, including appendices, is 190 pages long. The font is a friendly reading size and it's very structured. It also includes a whole bunch of case studies. And some of the case studies we go through and provide approaches and answers. And then every chapter ends with an open-ended case study for interaction and discussion. So that seems to have hit the mark and I'm very pleased at that from what I'm hearing from our readers. Also, occasionally I will present this book to a friend or a former student of mine. And one of the things that I do, and I think you'll get a kick out of this, Ben, I'll say to them, hey, I wrote a book on cybersecurity ethics and I can think of no one who needs this book more than you. And then I hand them an autographed copy of the book.
Paul Maurer
Always gets a laugh.
Ben Yelin
The kiss of death. Yep, yep.
Ed Skoudis
But there's a subtle thing here saying, hey, I think you might want to read this, you know, in a friendly way.
Ben Yelin
So I feel like there's this conflict between immediacy and ethics. And you've talked a little bit about this. Things move very quickly and sometimes there are going to be decisions that technologists and even leaders have to make in a matter of minutes or seconds. You know, if you're a public sector worker, you're a secretary of a state agency and there's a ransomware attack, you have to decide very quickly whether you're going to pay the ransom or how you're going to recover your data. So can you talk a little bit about that conflict between the need for speed and ethics and kind of what principles go into making decisions in that context?
Ed Skoudis
Sure. So this is why we talk about building the muscle of ethics. You know, starting with small, simpler things, but having that framework to view things through. We hope the book presents a clear, concise, ethical framework so that you can respond quickly by building up that muscle over time on the stuff that doesn't need immediate response, but you think through things carefully so that once that muscle is built, you then have a knee-jerk reaction that will go in the direction of what is ethically sound. We also encourage people in the book to build up a relationship with a mentor, somebody that is known, trusted, maybe within your same organization or perhaps in another organization. Although we always say make sure you honor your non-disclosure agreements appropriately there, and then have that person available. Now they're often not available on a split-second moment, but again they may be available right away, or they've helped to build your ethical muscles over time.
Paul Maurer
The book includes the cybersecurity code. This is the code or the oath that we ask cyber students and cyber professionals to consider taking. And we encourage teachers to make this available to students, maybe even as a condition of finishing the program at their particular institution, or a CISO in the workplace. And that code is a series of eight relatively easy, very easy-to-read, simple, concise principles. And so even in the heat of decision making, you can have that code right in front of you and reference it as part of the decision making. And as Ed referenced, over time, if you do that, if professionals do that, committed to that, then it becomes part of the automatic thinking rather than having to use a cheat sheet. But early on, I think having that code in front of the professionals is a very helpful cheat tool.
Ed Skoudis
It is, and that code is in the book itself. But we also make it available on a website associated with the book and it looks really pretty and fancy. We had some really good artists lay it out.
Ben Yelin
I can attest to that, by the way, after having visited it.
Ed Skoudis
I'm glad you like that, Ben. That means a lot to us. And we had some really good people on Paul's team that put that together in that format.
Ben Yelin
And then kind of the reverse question, talking about lack of immediacy, we have to turn to legislators and regulators. So oftentimes they are the ones who are going to be drafting actual policies and obligations and compliance metrics. How do you think they should take into account your ethical principles, if at all? Do you think we should keep those domains separate? Or is this something where you'd be willing to advise state legislators on these ethical principles and how that can inform laws or regulations?
Ed Skoudis
Paul, that is firmly in your lane.
Paul Maurer
Yeah, part of what I do is I am part of a group that speaks on intelligence and security issues at a global level, and I speak on this book. I was in Madrid and El Salvador last year. I'll be in Warsaw later this year. And the audience for those forums is almost entirely parliamentarians, members of Parliament from 40 or 50 countries at each venue. And my encouragement to them is not to bake this into law in their countries, but to take responsibility for the security of their countries, meaning the education and training of the workforce of their nations to protect their nations, and that they ought not to forget the centrality of the human factor in that education. And that's what this book addresses: the human factor in critical decision making, well done, in the interest of their nation or their businesses within their nation. And so I don't see this as a part of a legislative package. I see this as part of a legislator's overall responsibility to have their nation train their people holistically.
Ed Skoudis
I think that's very well said. Also, we did try to write the book so that it is generally applicable around the world. You know, it's not written specifically with a mindset towards, say, the United States or Europe. It is written so that it has timeless principles in cyber issues that come up independent of culture or language or even legal framework within a country. We really tried to hold ourselves to that, being a very wide open and widely applicable book. And that was part of that wrestling I talked about over the two-year span of the creation of the book: what is specifically cultural or merely cultural, and what is universal?
Ben Yelin
You talk about taking two years to write a book, and one thing that strikes me is a lot can change in two years. These days, every story is an AI story. And so, you know, two years ago, generative AI LLMs were not widely adopted. We were still kind of experimenting with them, and now I feel like I couldn't do without them. So I was just wondering how you apply this to our AI future. What are some AI-specific ethical issues that you're focusing on as this technology continues to grow so rapidly?
Ed Skoudis
Oh, that's such a great question, Ben. I really appreciate it. You know, as we were working on this book and with the penetration of AI into the cybersecurity space as well as all technology space, so many principles that come up in the book lend themselves very much to the use of AI effectively. And I think about my own use of AI and my discussion about AI usage with other people. You know, if you look at our first main principle, it is that technology exists to support humans and not the other way around. And what I've been translating this to in my discussions about AI generally is to use AI to uplift human dignity and not the opposite, because it can be used very much for the opposite. So now I read our book that we wrote and I look at the different principles and how they do apply directly in the AI space. And that first one is, I think, one of the most critical. So I've done presentations over the last six months to a year in various places, in banks, in film production companies, in other organizations, emphasizing the principles we put in the Code of Honor book for cybersecurity and how they apply to AI. And that's been very well received there. Just thinking about use of AI in different things, I'm sure, Ben, you can imagine this: is this planned use of AI uplifting human dignity or not? And you can think about how that might happen in banking or how it might happen in film production or what have you. And I think that's a good thought exercise to have.
Paul Maurer
I would just add that while certainly AI has taken all the oxygen out of the room in so many technological discussions, it doesn't mean cyber is any less of the economic and security threat of our time. And so we're constantly asking ourselves the question, does that description still hold for cybersecurity? And we still think it does. AI certainly will help with some of the efficiencies in cybersecurity, but it also has already complicated and will continue to complicate the problems of cybersecurity. And so all the cyber experts I've spoken with about this question, you know, does this mean that the need for the human factor in cyber is diminished? Does AI diminish that? And the answer is a resolute no. We more than ever need people over technology to guide the use of technology.
Ben Yelin
I mean, you both were almost ahead of your time talking about doing things for the betterment of humans, of humanity. And now there's this breakdown that might be on the horizon between the humans and the machines. And so I think you came at this at the right time. In closing here, I kind of wanted to get into your personal reflections about the process of writing. Is there something that you learned about yourself, that you apply in your own life, that you're willing to share, or how have you integrated it into talking to other educators, talking to students? Like, what are the kind of core messages that, just having spent so much time working on this, you try to get across?
Ed Skoudis
Sure, if I could go first and then maybe Paul, you can round it up. So mine's going to be very personal. You know, having spent the time on this book to think about a framework for decision making, having been in the cybersecurity industry for 30 years, what I found is, as we were working on the book and certainly since we've completed the writing, as I go through my job and issues come up, ethical decisions, you know, I have worked on that muscle for many, many years and I'll have an impression of, like, this is the way I should do it. What the book has me doing though is going back. It's like, okay, why? Why do I have that gut reaction? And is that really the right reaction? So it's actually forced me to be more systematic as I make decisions. Or maybe I've made the decision and then I'm thinking about it after the fact. It's like, well, why did I do that? How does this adhere to the principles Paul and I have put in the book? So it's made me more self-reflective on things. I think that's a good thing, right? We talk in the book a little bit about how when you get to the end of your day, you think about what it is that you did that day, revisit that, and if, hey, maybe you did something not right that day, what can you do the next morning to address that and steer the ship more in the right direction? So from a personal perspective, the process of getting through this book has made me more self-reflective, and I hope in reading the book, it would help our readers also do that.
Paul Maurer
I think for me it's less of a kind of a personal lesson and more of an observation of how the marketplace is responding to this narrative. We started a narrative about a decade ago at Montreat College that goes like this: that the problem of cybersecurity is not principally a technical problem, it is principally a human problem. And therefore the solution to cybersecurity is not principally a technical solution, it is principally a human solution. If you don't have people of the right ethics and character as your cyber leaders and frontline operators, your technology doesn't matter very much. We actually value tested that in the marketplace by doing roundtables all over the country to test that value proposition. And this was 2016, 2017, 2018. And I was frankly quite surprised at the receptivity even among deeply technical people who really had maybe no religious or faith or kind of overtly moral bent to them that they were articulating. And so people agree with the human factor. And yet we knew from the very beginning that ethics books really never make the top of the New York Times best-selling list, because ethics is hard. And so I think what Ed and I have discovered along the way, I've certainly seen, is that you have to keep talking about this, because not a lot of people naturally will talk about this part of the cyber equation. And we are, for obvious reasons. And while it's being received very, very well, I think my observation is we have to continue talking about this out loud in order for this to sink in.
Ben Yelin
Well, the book is The Code of Honor: Embracing Ethics in Cybersecurity. Paul, Ed, this was a real pleasure. Thank you for your contribution and thanks for joining us today.
Dave Bittner
That was my Caveat podcast co-host Ben Yelin speaking with Paul Maurer and Ed Skoudis about their new book, The Code of Honor: Embracing Ethics in Cybersecurity. Thanks again for joining us for this special edition of the Caveat podcast. If you're not familiar with Caveat, we hope you will check it out. You can find it wherever you get your favorite shows.
Date: May 25, 2026
Episode Theme:
A deep-dive conversation into the ethical landscape of cybersecurity, exploring the challenges, gray zones, and practical frameworks for professionals and leaders. Paul Maurer and Ed Skoudis share insights from their new book, The Code of Honor: Embracing Ethics in Cybersecurity, focusing on the intersection of technology, ethics, and human responsibility in the digital age.
This special edition features Ben Yelin interviewing Paul Maurer and Ed Skoudis, co-authors of The Code of Honor: Embracing Ethics in Cybersecurity. The discussion covers the motivations behind the book, the foundation of ethical thinking in cybersecurity, the vital role of human decision-making, and practical guidance for both seasoned professionals and newcomers facing moral dilemmas. Throughout the episode, the speakers offer memorable anecdotes and actionable strategies for building ethical “muscle” in the rapidly evolving cyber landscape.
Identified Gap in Cyber Ethics:
"We saw a gap... in the ethical teaching of cybersecurity... And I got a call from the National Security Agency asking for a curriculum... I suggested we add a book to that project."
– Paul Maurer (01:10)
Real Classroom Experiences:
"Very frequently questions would come up about ethics, about various scenarios that would come up while handling cyber attacks or...penetration testing."
– Ed Skoudis (02:07)
"What we aspire to do with this code of honor is to create a code of ethics for cybersecurity... that transcends the law into a higher ethical, moral order."
– Paul Maurer (03:25)
"The law trails. It just...has to, because new technologies are enabling new things, new decisions have to be made."
– Ed Skoudis (04:01)
"As a cybersecurity professional, you have access to all kinds of information that could be abused in very bad ways...You know, access to systems, hacking capabilities..."
– Ed Skoudis (05:01)
"...the human factor really is at the core of the cyber problem and the cyber solution...you have to have people who are ethically trained and ethically committed..."
– Paul Maurer (05:58)
Dilemmas in Practice:
"...any ethical dilemma, you are going to face multiple different principles. So we tried to place them in order..."
– Ed Skoudis (07:37)
Concrete Scenario:
"...if the vendor doesn’t respond...their customers are exposed to this vulnerability that you...know about, but the vendor...isn’t moving fast enough. What do you do then?"
– Ed Skoudis (07:41)
Critical Thinking as a Team Sport:
"We don’t assume that this is easy and we don’t assume that this is simple. We think that this is a muscle that has to be exercised and developed..."
– Paul Maurer (09:24)
Positive Feedback from the Field:
"Many people...[said] they found the book very understandable, very organized...The font is a friendly reading size...case studies...open ended for interaction and discussion."
– Ed Skoudis (10:15)
Humorous Approach to Engagement:
"I'll say to them, hey, I wrote a book on cybersecurity ethics and I can think of no one who needs this book more than you."
– Ed Skoudis (11:14)
Developing Ethical Reflexes:
"You can respond quickly by building up that muscle over time...having that framework to view things through."
– Ed Skoudis (12:08)
Introducing the Cybersecurity Code:
"Even in the heat of decision making, you can have that code right in front of you and reference it...a very helpful cheat tool."
– Paul Maurer (13:10)
Ethics as Education, Not Legislation:
"I don’t see this as a part of a legislative package. I see this as part of a legislator’s overall responsibility to have their nation train their people holistically."
– Paul Maurer (15:14)
Universal Application:
"It's not written specifically with a mindset towards, say, the United States or Europe. It is written so that it has timeless principles..."
– Ed Skoudis (16:35)
Applicability to Generative AI:
"Technology exists to, to support humans and not the other way around. And what I've been translating this to...is to use AI to uplift human dignity and not the opposite."
– Ed Skoudis (17:55)
Human Judgment Remains Central:
"...the need for the human factor in cyber is...resolute. We more than ever need people over technology to guide the use of technology."
– Paul Maurer (19:35)
Ed Skoudis:
"...it's actually forced me to be more systematic as I make decisions...think about what it is that you did that day, revisit that..."
– Ed Skoudis (21:24)
Paul Maurer:
"...the problem of cybersecurity is not principally a technical problem, it is principally a human problem. And therefore the solution...is...a human solution."
– Paul Maurer (22:53)