“With great power comes great responsibility.” Any of us who grew up on Marvel Comics—or those who know any of the eight Spider-Man movies—recognize the Peter Parker Principle. Sadly, the principle is not commutative: The terms cannot be swapped out, one for the other. It would be comforting to find evidence that “with great responsibility comes great power.” In pondering the issues surrounding cybersecurity/ethics/privacy for a panel discussion, however, I could only come up with evidence that the power of protective/preventive/detective mechanisms and policies is seriously limited. The “aha” moment helped me understand why NIST is so careful about not claiming cybersecurity certification power. There are no guarantees that implementing the 110 security requirements contained in NIST SP 800-171, for example, will prevent proprietary information from escaping into the wild for unobserved use by adversaries. Doubling the number of security requirements as proposed in the current (version .06) draft of the DoD’s cybersecurity maturity model certification does not offer uncompromised delivery guarantees either. The “great responsibility” is broadly shared. And our “great power” is limited—and also shared.
Tensions arise when we try to balance cybersecurity, ethics, and privacy. The balancing act challenges us with more questions than answers:
- Is it corporate overreach to expect employees to treat personal computing devices as organizational devices that are subject to remote erasure if lost or stolen even if those devices are partially subsidized by a monthly allowance? At what point does the employee “fess up” to the device being out of his or her control—even if that means losing precious family photos that have not been backed up?
- Is it reasonable to expect that employee keystrokes be captured when using corporate-owned equipment? What liability does the organization thus incur with respect to protecting passwords or other personal information?
- Whose responsibility is it to ensure the security of routers and other communications equipment when an employee is working from home?
- How should an individual manage reporting of his or her own possibly at-risk behavior, that of a co-worker, or that of the organization?
Most of us want cybersecurity, ethics, and privacy in our lives; accountability is not always as comfortable. As scientist and Nebula Award-winning science fiction writer David Brin has pointed out, “When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.” I certainly expect my children to monitor their elementary-school-age children’s online activity without stressing over my grandchildren’s privacy. But I don’t share my passwords with any family members. (Granted, this could be a problem if something untoward happened to me or my memory.) I also hold my children accountable for protecting their children, especially when they’re home.
It gets trickier with adults in work situations. There are limits to how much oversight we can claim:
“The principles of privacy and data protection must be balanced against additional societal values such as public health, national security and law enforcement, environmental protection, and economic efficiency.”
–Omer Tene and Jules Polonetsky
These principles and values must also be balanced or negotiated with considerations of cost, convenience (AKA productivity, at least sometimes), and corporate culture/risk appetite. Legal constraints like the Stored Communications Act limit corporate rights to observe employee digital behavior without due written notification (policy) and acceptance by the employee (and perhaps advice of counsel). Policies that address and enforce password length, blacklisted (or whitelisted) resources, separation of duties, and least privilege are low-cost, high-impact techniques for promoting cybersecurity and privacy without producing the ethical dilemmas associated with using technology to track and monitor individuals. Having the power to use technology to control others doesn’t help them accept greater responsibility for how they use technology. Rather, wielding such controlling power can lower morale and encourage passive-aggressive resistance or sabotage.
As companies negotiate the balance of power and responsibility with respect to cybersecurity, ethics, and privacy, a few axioms can help guide the way home:
- Learn from others.
- Seek alternatives.
- Prepare for unknowns.
- Know your limits.
- Be reasonable.
- Do no harm.
- Get started.
Share the power. Share the responsibility.