Indulge me for a minute.
Ethics in cyber security is a discussion that continues to develop.
There are numerous ethical standards out there, but can all of this be summarised neatly in one place?
I think it can, possibly…
Way back in 1942, during the first Golden Age of Science Fiction, Isaac Asimov proposed the Three Laws of Robotics. These laws, although probably intended to drive story plot lines, have survived the test of time. The laws are somewhat self-evident, and simple:
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.
So it occurred to me that these laws could probably be adapted to how we conduct ourselves during a penetration test.
Our work gives us access to (and therefore potential influence over) client assets such as data, infrastructure, business reputation and continuity.
So how would Asimov’s laws look if applied to the conduct of a cyber security professional?
Here’s my proposal:
1. A penetration tester may not harm client assets or, through inaction, allow client assets to be harmed.
2. A penetration tester must obey the test scope and direction given by the client except where such orders would conflict with the First Law.
3. A penetration tester must protect his or her own professional reputation, as long as such protection does not conflict with the First or Second Laws.
Of course, Ambersail and companies like us are already bound by strict ethical and legal codes, for instance those required of us as CREST members.
However, I thought it would be interesting to see if it is possible to reduce everything down to those three simple laws.
Does it work? You decide.