Results tagged “cyber ethics” from Securing GovSpace

Fewer Policies, But More Tech Etiquette Please


A flurry of articles has appeared recently regarding "tech etiquette," also described as "email etiquette," "computer etiquette," and a bunch of related names. Author Virginia Shea even took the concept a step further and created a new word, "Netiquette," and offers 10 "Core Rules of Netiquette."

Many of the articles offering tips are even more specific, such as "Blackberry etiquette," which typically address texting with cellphones as well.

What caught my attention over the holidays was an article called "25 Rules of Tech Etiquette" from Jon Chase at Switched.com. Take, for example, rule #6:

"Why should I bother using CC for group e-mails when I can just put everyone in the To: ?

E-mail was partly devised to mimic the old paper trails of office protocols of yesteryear. So, if you want to communicate directly with just one person, send that person an e-mail and CC (carbon copy) anyone else that you think should be notified, but that you don't necessarily expect to reply. If you're starting a conversation among all those people, then you'd put them all in the address bar. If you're sending a party invite to a small group of people, then you might CC your list. But heaven help you if it's more than a half-dozen e-mails. The height of e-mail stupidity is to CC a string of 50 e-mail addresses. That's what BCC (blind carbon copy) is for."

 

The overall list is pretty interesting, as are all of these various technology etiquette lists. From cell phone use in restaurants to texting in work meetings, they describe when it's ok to be upset with friends, family and co-workers and when it's not. These lists provide some helpful guidance, but be careful - some of the lists also contradict each other.          

 We know our society has a problem when comedians get involved. Check out this YouTube video (at home on your own time of course) from Greg Schwem on tech etiquette to grasp the issues pretty quickly - with a smile.

So what's my point? Besides the many articles on our new President's Blackberry usage and bringing this hot topic to your attention, there are real questions, issues and lessons here for policy makers and technology staff. Some governments and companies around the world have even formally banned blackberries from meetings. Is that the right approach, or do we change the culture at work best through tech etiquette training or do we just leave this topic alone and let the masses figure it out?

My view: we probably need fewer policies in these areas, but better training for staff on expectations for the use of technology. Several organizations, like Motorola, have even condensed their policies down to far fewer pages so that end users can better understand the do's and don'ts on the net at work. In Michigan, we are re-writing many of our acceptable use policies now to include Web 2.0 and social networking topics. However, it remains to be seen if the policies actually get shorter.

Nevertheless, I seriously doubt that we'll get to the level that Jon Chase does in his 25 rules - nor should we, in my opinion. The central question that governments around the globe need to answer is this: Is a policy required or is this tech etiquette? We can't have a policy for every situation; we need to rely on common sense, right?

What are your thoughts?

 

One side note: Starting tomorrow, I will become Michigan's Acting Chief Technology Officer and Director, Infrastructure Services Administration within the Michigan Department of Information Technology (MDIT). Trent Carpenter will become our Acting Michigan CISO. As mentioned in Government Technology Magazine, I will stop blogging on security and start blogging on infrastructure, integration, and innovation if/when the position becomes permanent. I also plan to write a future blog on the transition of roles in government. Stay tuned and thanks for reading.

Prediction 2009: Internet sites to be given age ratings


In an interview with the British newspaper The Daily Telegraph, Andy Burnham, the UK Culture Secretary, said that the Internet could be given cinema-style age ratings as part of an international crackdown on offensive and harmful online activity. The interview offers several specific, but somewhat controversial, proposals that look likely to be implemented in the near future.

Calling the Internet "quite a dangerous place," the Cabinet minister also said, "... I think we are having to revisit that stuff seriously now. It's true across the board in terms of content, harmful content, and copyright. Libel is [also] an emerging issue.... There is content that should just not be available to be viewed. That is my view. Absolutely categorical. This is not a campaign against free speech, far from it; it is simply there is a wider public interest at stake when it involves harm to other people. We have got to get better at defining where the public interest lies and being clear about it."

International cooperation is viewed as essential by the UK Culture Secretary, and the new Obama administration offers new opportunities. "The change of administration is a big moment. We have got a real opportunity to make common cause," he says. "The more we seek international solutions to this stuff - the UK and the US working together - the more that an international norm will set an industry norm."   

My view is that, despite the very negative reaction by those commenting on the article, several of the proposals mentioned by the Culture Secretary will be coming soon - probably in 2009. The question is whether Internet ratings will be voluntary. This interview offers a glimpse into what the current thinking is regarding Internet decency. As with other aspects of the Internet, the international challenges are immense, but UK experts are obviously working closely with their US counterparts on specific next steps.   

Web ratings would be a significant, and very controversial, development for the public sector and for society as a whole. All online content would need to be classified (similar to movies but in real-time at sites like YouTube). Opponents argue that any rating systems will be biased and flawed.

No doubt, the new technology and processes required by the masses would be overwhelming. There are great arguments against government intervention. Current laws around Internet piracy can't even be enforced. What new enforcement police will be put in place? What happens to rating violators? Who decides what's what? What about sites that cross into multiple categories (like newspapers)? Is this approach "big brother" from government? How can we monitor real-time blogs, health sites, or other content that falls into various shades of gray?

I agree that the obstacles are huge, and yet I (reluctantly) support aspects of Andy Burnham's position - with voluntary participation. The negative attacks are unfair and don't offer workable solutions. We can't keep doing the same things and expect different results online. We must provide mechanisms for families to surf their values and not let a minority of "bad actors" exploit the Internet. While it would be best if the technology tools existed now to maintain one's integrity online without government involvement, our problems are getting worse - not better. A few weeks back, I wrote about ISAlliance's newly proposed cyber security social contract, which would also help if implemented.   

What we need is easy-to-use technology to help move pragmatic proposals forward. No doubt, the big Internet players like Microsoft and Google are also involved in planning efforts. Proposals should start off with voluntary standards and extensive new training by ISPs. However, I agree with opponents that technology and legislation alone will not solve our Internet decency problems. We need to win the hearts and minds of the majority online. And yet, we also need to police the bad actors online. Setting appropriate standards (like speed limits on highways) is an important step.

If you want to learn more about this topic and detailed proposals, I recommend visiting The Family Online Safety Institute (FOSI).  While you're at it, visit the site that lists panel summaries from their recent FOSI conference.

What are your thoughts on web ratings?           

Five reasons to delete computer surveys - especially on security


Too many questions from too many people. The surveys just keep rolling into CIO and CISO mailboxes - along with those tempting offers. I must get at least five survey requests a week.

Does this sound familiar? "We'll enter you in our drawing for a free (something), if you fill out our 15 minute survey." Or have you seen this one, "The first 25 people to respond will get a $25 gift card to (somewhere)."  

What do I do? I almost always delete them. You should too - unless you know who you're really dealing with and have a good reason to answer. Here's why:

 1) First, and most important, do you really know where your precious data is going? Many of these surveys come from marketing firms or companies that we have never heard of before. Even if the request supposedly comes from a reputable company, are you sure that they are the ones asking the questions? Better to be safe than sorry.

2) How is the information really going to be used? Most requestors claim that your information will remain anonymous and will not be tracked back to you. How do you know that this is true? I know of examples where this was not the case. What assurances do you have?

3) What information are they asking you to provide? I've received surveys asking detailed questions about network architectures, the versions of security products we use, even the frequency of patch updates on firewalls or actual IP addresses implemented. We don't even give out some of this information to our own staff; why would I want to give this information away for a free cup of coffee? Might this request be coming from a hacker? Even if it isn't, could it be used by someone at that company who has less than good intentions?

4)  Is this just a marketing ploy to get your contact information? A few years ago, I filled out  a few surveys - only to receive phone calls from salespeople who asked about the data I had provided. When I answered any questions with a less-than-perfect response, I was "enlightened" into how their new product would solve all of my problems.

Once I asked, "What happened to the anonymity I was promised or the statement that the data was just going to be used in aggregate for determining national trends?" There was silence on the other end of the phone, along with a denial that anything wrong had happened.

5) Finally, might filling out the survey cause a conflict of interest? Government employees are not allowed to take gifts from vendors (above a nominal amount of say $10-$15.) Could that free game you receive for the survey be an ethical violation? Check out your government rules.

Before I end this piece, I want to add that some surveys are definitely worth the time and attention. In Michigan, we take extra time and pay close attention to surveys from organizations like the National Association of State CIOs (NASCIO). For example, their Strategic Cyber Security Survey provides valuable data from a trusted source. Other surveys from organizations like the FBI are worth the effort as well. I am not against all surveys, since we need the national data and overall metrics to improve.

I also fill out general information on a few selected magazine applications or other forms where I know where the data is going and how it is being used - but I am careful. In fact, our own Government Technology Magazine is a trusted source that should be taken seriously.  

Bottom line, when it comes to filling out security surveys coming by email from unknown sources, my advice hasn't changed in several years. Just say no. There are better uses of your time. 

What are your thoughts?     

  

A Cyber Security Social Contract? ISAlliance Proposes a New Way Forward


The Internet Security Alliance (ISAlliance) is proposing a new model for protecting and defending critical technology systems and information.  These policy recommendations for the Obama Administration and the 111th Congress are called "The Cyber Security Social Contract."

In a 44-page document, the ISAlliance covers a broad range of issues ranging from defense to banking to higher education. The six-page executive summary includes the following items:

- Overview of The Problem

- Government Must Embrace Some Inconvenient Truths

- The Cyber Security Social Contract

- Why the Internet is Different

- Why the National Strategy is Not Working

- Why the Regulatory Models Won't Work

- The Good News - We Do Know What Works

- Core Components of the Cyber Security Social Contract

I want to highlight the central piece of the Internet Security Alliance approach - the social contract. ISAlliance's model is based upon the agreement between government and the utilities in the early 20th century to provide phone, power and light service to Americans. Here's an excerpt: 

"The utilities guaranteed to make the infrastructure upgrades necessary to provide universal service. In return, government essentially guaranteed a return on the required private investment economically sufficient to make the investments good business decisions. The utilities maintained the investments over time because they were also provided exclusive franchises for the service area."

The report goes on to describe why voluntary approaches and regulatory models are not working. The report offers several excellent solutions and lays out proposed government roles, business roles and incentives for businesses that implement best practices.   

My response - I like the Internet Security Alliance proposal. We do need to move in this direction. I certainly encourage you to read their full report. 

Although these recommendations are far-reaching, my only criticism is that they may not go far enough. We also need a social contract regarding cyber ethics with all Americans. The conduct of each person online is actually our weakest link. I offer an outline for a new national strategy on cyber ethics in the appendix of my book, Virtual Integrity. Just as we do for emergency preparedness, we must engage individuals, families, non-profits, K-12 schools - as well as universities, businesses and the others mentioned in this plan.

Bottom line: We do need to take bold action. This social contract is a good idea.

What are your thoughts?

New Internet Poll Results: We're Networked at Home and Work


Over the past month, the Pew Internet & American Life Project  has released the results of several new polls on how Americans use their technology. The latest report, Networked families, describes the central role now played by the Internet and cell phones:

"The survey shows that these high rates of technology ownership affect family life. In particular, cell phones allow family members to stay more regularly in touch even when they are not physically together. Moreover, many members of married-with-children households view material online together."

A report released last month on work, called Networked Workers, describes how pervasive the use of the Internet has become in the United States.

"The majority of employed adults (62%) use the internet or email at their job, and many have cell phones and Blackberries that keep them connected even when they are not at work."     

There is good news and bad news in these reports and poll numbers. Most workers think that increased connectivity makes them more productive, but the majority also think that these tools add stress and new demands to their lives.

Digging deeper, Pew has two separate reports regarding work. One covers Email at work. Again, respondents recognized the good and bad aspects of email. Interestingly, the polls show that spam is less a problem at work than with personal email accounts.

Another report covers Wired Workers: Who They Are and What They're Doing Online. There are many positive aspects to this report, as well as a darker side mentioned.

"Some 17% of Internet users (and 11% of all Americans) say they know someone who has been disciplined or fired because of his or her use of the Internet on the job." 

 In my opinion, coverage of these reports has been somewhat limited, probably due to the coverage on the upcoming election. Still, there was some mainstream press coverage. USA Today offered this report back in September: Study: American workers tethered (with mixed feelings) to work via tech. One man who was interviewed for the report said,

"If everybody also threw their BlackBerrys away, I would too," he said, chuckling. "The only problem is, in my industry, it makes me more competitive."

Initial coverage of family use of the Internet has been more positive. CNet claimed, "The Internet is no 21st-Century Boob Tube."

Overall, there weren't many surprises in these new poll numbers or Pew reports. One thing to keep in mind is the law of averages. That is, some people are spending much more time online than these numbers indicate. (Of course, others are spending significantly less.) Still, there were no shocking numbers that grabbed headlines nation-wide.

I plan to discuss these poll numbers further in future blog entries. Meanwhile, what's your opinion on these reports?

Hacking the Boston Subway


Three college students from the Massachusetts Institute of Technology (MIT) were ordered on Thursday to keep quiet on how they developed the ability to hack into the Boston subway system's payment system and add hundreds of dollars to their payment cards. A federal judge issued a gag order to prevent the students from revealing the security holes they found.

The Associated Press described the situation in detail in weekend newspapers, but this story was overshadowed by the Olympics. Here's an excerpt:

The basic details of the vulnerabilities in the Massachusetts Bay Transportation Authority's two primary payment cards -- CharlieCard and CharlieTicket -- are already floating around the Internet.

Those details were released prior to the students' planned talk last weekend at the DefCon hacker conference in Las Vegas. Electronic copies of the students' 87-slide presentation were included on CDs handed out to conference attendees before the conference officially began and before the transit agency filed its lawsuit. The MBTA sued the students and won a restraining order after the agency said it needed time to fix the problems. The students and conference organizers then canceled the talk. 

Another hearing is scheduled for Tuesday to decide if the students can release parts of their findings.

Meanwhile, Internet blogs are full of commentary (both pro and con) regarding freedom of speech and whether the students should have revealed their hacking techniques. PC World started blogging on this topic last Wednesday.

Here's part of what they are writing: The complication comes down to one basic question: Should the students have given their full presentation to the MBTA in advance? The MBTA, for its part, now tells CNET News that the group agreed to do just that -- but never did.

The students tell a different story. Responding via the Electronic Frontier Foundation, the students say they had met with the MBTA and "understood that concerns were resolved." 

More details surfaced Friday from ZDNet's Richard Koman. He states that:

The essence is that MBTA itself included the MIT students' confidential report (PDF) to MBTA on their security weaknesses as an exhibit in their complaint and it is now a public document.

The students identify the problems:

  • Value is stored on card not in a central database
  • Anyone with a card can read and write to it
  • No crypto signature algorithm
  • No centralized card verification   

There will be plenty more blogs and opinions on this topic floating around cyberspace in the coming days and weeks. I find the debate raging over "free speech" to be somewhat off track. Rather, what about a discussion on the ethics and morality of these students revealing ways to steal or hack into critical infrastructure? Whether or not we have the constitutional right to say (or write) something is only a part of the question. We have the legal right to do many things that aren't wise. In this case, their actions may or may not be against the law (if they didn't actually steal). But revealing this information at a public conference, while Boston officials were not pleased or content, seems wrong to me.

We've entered a dangerous new time as a technology industry - where it's cool to hack and find ways to break into digital systems. The new way to make a name for yourself, get noticed and have five minutes of fame is to hack into critical infrastructure.

I know the counter arguments. No doubt, many research projects can help uncover holes and help us improve security. But the actions taken by the students in this situation raise many ethical and moral questions.

This information is now all over the Internet. Many "copy-cat" young hackers are developing new ideas and similar game plans. Despite obvious security flaws in the Boston subway system, I have a hard time seeing how this trend is helping America. I do see how it helps the three students from MIT.     

What are your thoughts?           
