How Does the Code of Ethics Relate to Security?
Perhaps a better question would be: how does the Code of Ethics not relate to security? Security issues should be addressed throughout the ethics document. The Code of Ethics acts as a multi-edged sword for management and system administrators. First, the Code will immediately prevent some of the common abuses of the system that have historically occurred simply due to lack of company direction ("Gee...I didn't know that I shouldn't set up an FTP server on my computer here at work"). Secondly, in the event that an administrator is questioned as to why they took the actions they did, their arguments can be strengthened by the official guideline under which the actions were invoked. Also, if a user asks why they have been reprimanded for using the computer systems in an unwanted manner, the administrator need look no further than the Code for support.
Let's suppose the company says, "Thou shalt not view pornography on the company computer network at any time". Let's also say that this company employs several students who are still attending University. Because of this, the company has made allowances for their employees to use the computers for school-related work. Now let's say that one of these students is taking a fine-arts course in Styles of the Moguls in Performance art. During the course of this student's studies, they must view their course notes online, and these notes contain several rather graphic pictures of what some artists consider to be a stunning study of the nude human body. How do we deal with this? My point is this: there is no silver bullet that will encompass all possible uses under all possible circumstances. We must instead provide generic guidelines that prevent the specific problems that have occurred without overloading the reader with too much information.
Perhaps a good model to follow would be that of one of the major universities' computer departments, as many of them, due in no small part to the various political forces they must endure, have very good guidelines for their users. Universities are very interesting cases because most claim to be bastions of higher learning, places where people can explore their own beliefs and those of others, where challenging the norm is not only expected, but required. Because of this, computer usage policies must be as liberal as possible, allowing students to explore and research as they see fit, but must also be sensitive to the highly political nature of the institution. As much as the administration would like the public to believe that freedom of expression is unlimited in the academic environment, it stands to reason that because the vast majority of funding comes from government and corporations, special considerations will be made to appease these organizations to ensure continued funding. Litigation is also increasingly becoming a concern as organizations such as the RIAA crack down on services like Napster.
How then do we go about writing a useful and enforceable Code of Ethics? If the rules are sufficiently general (without being unnecessarily ambiguous) they will allow the maintainers to take a proactive approach to enforcement. If a special case like the arts student example above does occur, it can be dealt with at the time. Of course, the key to a successful proactive system is the empowerment of the enforcers. A basic assumption must be made, that the enforcers are fundamentally "for" the goals of the company and the ethics document. If this is true, then they must be trusted to act in the interest of their employers, and not abuse their powers. At the very least, there must be two separate levels of administration: 1. The system administrators, and 2. A higher power with the final say. The sys admins are, as always, the first and best line of defense when dealing with infractions of the code of ethics. Generally speaking, they will be the first ones to notice a problem, so they should naturally be the first to deal with a given problem. The vast majority of the problems encountered will be dealt with at this level, as most people cannot be troubled to escalate the complaint higher.
I think a brief discussion of the psyche of the average user may be in order. It should be noted that I am in no way an expert on the human mind, nor the behaviors that the mind dictates, so all of the following discussion will be drawn simply from my observations and dealings directly with users.
First off, most users are generally unwilling to escalate matters past the initial confrontation because of the hassle and attention that such a step would involve. But why would they wish to avoid further conflict? Often the users are perfectly aware that they have bent or broken the rules in the first place, and being talked to by the sys admin is merely a formality. Escalating the complaint to the next level would simply be ridiculous and a waste of everyone's time. Once caught, many will avoid that practice simply because they have been caught and suspect that it is easy to be caught again. Also, in the case of less socially redeeming infractions such as viewing pornography or downloading illegal copies of programs from the Internet, the user will realize the social embarrassment that they would incur if the incident is brought to light.
Secondly, it is entirely possible that a user is simply ignorant of the policies in place, and once they are set straight by the admin they will never break the rule again. If these situations are dealt with properly, the user will leave the admin's office with not only a better understanding of the company's usage policy/code but will also likely feel more responsible for their future actions and will, in a situation where the activity could be deemed unacceptable, err on the side of caution.
At the University I attend, the system administrators deal with several infractions a day, ranging from simply the printing of non-research information on the public printers, to users who regularly go over their disk quotas. Each case is dealt with as a fresh and clean incident, with none of the previous problems reflecting on how the current situation is dealt with. Most events are simply "Your account has been temporarily suspended because of such and such a reason; please come to our office and we will sort things out". Occasionally, however, there are certain difficult cases that must be dealt with at a higher level.
One such case was related to me by Rod Johnson, the head of the Undergraduate Computing Science system. A certain student blatantly ignored the rules on several occasions and as a result was causing a significant disruption to another student. Here's what happened:
To address the perpetual shortage of available terminals during crunch time, the Department instituted the policy that any student who left their terminal X-Locked for a period of 15 minutes automatically had a logout button added to their screensaver, which gave students who were in the lab and needed a terminal the ability to use the machine. One student, for our purposes "Joe", left his terminal locked for well over 15 minutes. Another student, "Frank", was waiting patiently in the lab for a terminal to become free so he could work on his assignments. Rather than simply clicking the Logout button and closing Joe's session, Frank contacted the lab admins and asked what he should do. The admin on duty said that he would go in, save all of Joe's work and then log him out. Once this happened, Frank was told that he could use the terminal. All was happy, right?
Unfortunately not. When Joe returned to find his terminal taken, he became verbally abusive to Frank. Even after Frank had explained that all of Joe's work had been saved prior to logout, Joe simply kept ranting. After venting to no avail for several minutes, Joe found another terminal free and immediately logged in. Within five minutes, Frank noticed that his machine had slowed to a crawl. When Frank ran "top", he discovered that Joe had essentially fork bombed his machine. Not wishing to push matters further in the lab, Frank sent another e-mail to the administrators explaining what seemed to have happened, and logged out.
Sadly, this incident took a turn for the worse. In the following days, every time Frank logged into a machine, Joe mysteriously appeared and the machine slowed to a crawl. Desperate for a solution, Frank turned to the administrators, who in turn started monitoring the habits of Joe. After a very short period of time it was obvious that Joe had a program lurking to find out where Frank was, and then fork bomb the machine.
Joe's account was immediately frozen, and he was left with a stern message to come speak to the administrators immediately. Upon confrontation Joe outright denied the whole incident, and when confronted with the logs of his activity he claimed that it was a network project gone awry. This time being particularly for the students, the administrators re-instated Joe's account with a very clear message: "If this happens again, we're not going to take it in such a light manner".
Now, at this point at least 95% of the users would smarten up and put their grudge behind them. Not so with Joe. Not five minutes after he left the office the program was started again with the same effect on Frank. Once again the account was suspended, and this time Joe came in nostrils flaring and breathing flaming death. Because the administrators only have the power to suspend accounts, they are neither allowed nor empowered to discipline such misuse of the system. Joe was escalated to the second and final level of the two-tier proactive system, where the management (in this case the Departmental Supervisor and the Head Systems Administrator) reviewed the case, and decided to take action against the student. A board of inquiry was held, and Joe still denied all responsibility for the events up until the verdict was about to be passed (at which point he confessed and asked for lenience).
The second tier in the enforcement process is, by nature, seldom used. It should be invoked in only the most extreme circumstances, and each case should be dealt with with the utmost gravity and concern. While there are not many Joes out there, your policy enforcement should be prepared for them nonetheless.
In next week's column I will outline exactly what issues should be addressed in a Code of Ethics, as well as describing two or three of the most common enforcement methods.
SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.