Ethical Responsibilities and Legal Liabilities of Network Security Professionals

F. Smith & D. Bailey

Each massive embrace by American society of a new technology has been accompanied by an increase in tort litigation. The high moral ideals of tort law sustain the search for redress of injuries and wrongs suffered by victims of the systemization and automation of technology. Both profits and losses tend to the extreme in times of great speculation in an unregulated economic environment, conditions which characterize the enormous growth in computer networking going on at the present time in our casino economy. All too often tort litigation has fallen from its honorable tradition into the troughs of bogus claims for phantom injuries and ridiculous risks, only to bottom out in an underworld orchestration of faked accidents, attested to by unqualified experts and corrupt professionals. The computer network security profession, by contrast, has not yet had to answer to any great moral outcry for social redress of the lack of security in the networks. The practice of keeping secret the degree and kind of vulnerabilities in evolving computer network technology has only recently begun to be seriously questioned.

Public law enforcement has thus far been largely ineffectual in deterring, or even detecting, criminal abuses of network resources. Reliance on technical solutions for preventing and redressing criminal and civil wrongs may prove to be more harmful to individual and group liberties than imaginative attempts to use the criminal and civil law traditions. There is admittedly a counterintuitive aspect to the rules which have long served the tort tradition: holding security professionals increasingly liable in direct proportion to the increase in their recognized abilities to provide adequate security may seem odd. Nevertheless, it is sensible to require them to be ever more vigilant in anticipating and avoiding unintended adverse consequences, and ever more responsible for proactive security measures, as more durable and nondurable precautions are proven to be effective.

The anticipated storm of civil litigation flowing from the Y2K crisis can be expected to create a critical mass both in the number of new computer-literate lawyers and in their experimentation with, and confidence in, the use of tort law for computer security failures and other Y2K-related litigation. Among the risks that prudent network security professionals need to be concerned with, as they plan to deal with the millennium bug, is the growing risk of legal liability for security failures. An excellent place to begin redesigning computer security with an explicitly ethical component is to reconsider the responsibility for adequate disclosure of known or suspected vulnerabilities and of the general instability of the network architecture.