“It seems that when people entered the computer center, they left their ethics at the door.”
Donn Parker, "Rules of Ethics in Information Processing", 1968
There are weaknesses in everything: in our bodies, exposed to viruses and the passage of time, and in our memory and mind. The software we create is also imperfect.
In this article I will try to address the issue of the ethics of searching for and researching vulnerabilities.
Humanity has probably sought out vulnerabilities in various areas throughout its history. Take medicine, for example. In the picture below, physician-scientists study the body of the deceased in order to understand how the human body works.
The Anatomy Lesson of Dr. Nicolaes Tulp. Rembrandt, 1632.
In my opinion, the history of medicine and the history of vulnerability research in software have a lot in common. Not so long ago, medical scientists were condemned for medical research, because such work contradicted the ideology of the state and church. Over time, mankind became convinced of the need for medical research and experimentation, but at the same time certain rules and recommendations for such research were developed, for example the Nuremberg Code (1947) (1) or “The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research” (1979) (2).
Information technologies are so closely intertwined with all aspects of our life that it is impossible to imagine the present without them. However, all technologies have vulnerabilities, and their exploitation is a threat to people.
First, let us define what ethics and vulnerability are.
Ethics is the study of morality: its development, principles, norms and role in society.
Vulnerability is a parameter characterizing the possibility of damage of any nature being caused to the system under consideration by one or another external means or factor.
Why are we looking for vulnerabilities?
People may have very different motives for searching for vulnerabilities; here are some of them:
- curiosity;
- research interest;
- mercenary interest;
- the desire to become famous or earn a reputation;
- a range of personal motives;
- the desire to do a good deed.
An interesting situation from an ethical point of view arises when a person possesses the relevant qualifications for finding vulnerabilities but does not use them, and circumstances may force him to do so.
To look for an answer to this question, I propose considering a somewhat modified version of Heinz’s dilemma:
A woman is dying from a particular form of cancer. There is only one medicine that, according to doctors, could save her: a newly discovered drug. Making the medicine is expensive, but the pharmaceutical company has set a price 10 times higher than that.
The husband of the sick woman, Heinz, went around to all his acquaintances, borrowed as much as he could, and used all legal means, but collected only about half the amount. He asked the pharmaceutical company for help, requesting that it lower the price of the medicine or sell it in installments. But the company replied that it was not going to change its pricing policy.
And then Heinz decided to hack the company's corporate network, steal the formula of the drug and the method of its manufacture, and pass this information to someone who could make the medicine for his wife.
Should Heinz steal the cure? Why?
If Heinz did not love his wife, should he still steal the medicine for her?
Suppose that it is not his wife who is dying, but a stranger. Should Heinz steal the medicine for someone else? Why or why not?
Most importantly: there is no “right” solution to this dilemma! If a person believes that the pharmaceutical company needs to be hacked, that cannot be called more moral or less moral. The whole question is how the decision is made. (3)
In this respect, the position of Bruce Schneier (4) is interesting. He says:
“For me, the question is not whether vulnerability research is ethical. If someone has the ability to analyze and better understand the problem, the question is whether it is ethical for him not to conduct vulnerability research.”
One can probably partially agree with the above opinion: the central question is not whether or not to investigate software for vulnerabilities, but how ethical it is for a given researcher to do such work, whether he is able to conduct such research, and how ethical the research itself is. And, of course, there is the question of the applicability of the law.
What codes of ethical conduct exist in IT?
- “IEEE Code of Ethics”; (5)
- “ACM Code of Ethics and Professional Conduct”; (6)
- “Software Engineering Code of Ethics”. (7)
Principles of ethical vulnerability research
The authors of the article “Empirical Research and Research Ethics in Information Security” (8) give the following list of principles for ethical research in the field of information security:
- Do Not Harm Humans Actively;
- Do Not Watch Bad Things Happening;
- Do Not Perform Illegal Activities to Stop Illegal Activities;
- Do Not Conduct Undercover Research.
The Australian Council for International Development (ACFID) lists ten questions (9) that must be answered before starting any research:
When planning research, consider:
1. Is the study necessary and well justified? What are you looking for and why does it matter?
2. Is the study well planned? Does it connect to a specific work program in your organization? Do the researchers have the relevant expertise to conduct the research?
3. What is the context in which the research will be conducted? How does this context affect the research design?
4. How do the methodology and analysis fit the context and what is being researched?
5. What potential harms and benefits for researchers and participants may arise from the research?
6. What information about the study will be provided to participants? How will free and informed consent be obtained and ensured throughout the research process?
7. Are there any other parties or partners involved in the study? What are their interests in the research? Who will benefit directly or indirectly from the research?
8. How do you plan to protect confidentiality and anonymity? What will happen to the data? How will access to it be organized and its protection ensured?
9. Have the researchers received training, information and assistance related to ethical issues?
10. How will the results be disseminated and used? Will participants have access to validate and obtain the research results? What happens when the study is completed?
There are also a number of questions from the article “Towards Community Standards for Ethical Behavior in Computer Security Research” (10):
- Are the research results intended to protect a certain circle of people, and if so, who are they? (For example, owners of infected hosts, victims of secondary attacks using the botnet, the researchers' own institution, or Internet users in general?)
- Is there a way to obtain multiple benefits to society at the same time when studying the behavior of a criminal botnet? (For example, developing new means of protection while helping to investigate criminal acts and helping the infected network sites?)
- Who will benefit from the publication of the research results, and in what order: victims of criminal acts; authorities responsible for protecting their citizens; the researchers themselves; or the criminals committing computer crimes?
- Is there any other way to achieve the desired research results?
Some conclusions and suggestions
Analyzing the above, we can say that there are at least two groups of questions that need answers.
Ethics of the researcher
Before starting, the researcher must ask himself the question: “Will I do harm?”
After all, suppose the object of research is an interface of a working industrial system that was accidentally “exposed” to the Internet. An attempt to search for vulnerabilities there can lead, in one case, to a short-term production failure, and in another to an accident and, as a result, to possible human casualties.
The second important issue, in my opinion, is the researcher's “conflict of interest”.
I will try to clarify this premise: the study must be abandoned if the researcher himself has a stake in one or another result of the study. For example, a well-known information security specialist audits the security of a company whose controlling stake is owned by his close relative; the possible interest of such a specialist is obvious.
Third, privacy.
The researcher should not use the information he has obtained for personal purposes or in any other way contrary to the law.
Fourth, professionalism: how competent the researcher is in finding and researching vulnerabilities. For example, can a first-year student of a technical university, or an information security specialist with five years of experience working “on paper”, be considered an expert in this matter?
I think a minimal independent assessment is required, say, a certain “passing score” in the field of work. After all, no one allows a medical student training to be a surgeon to operate on patients without certain specific experience, including life experience.
Ethics of the research
Within the study itself, in my opinion, it is worth considering the following group of questions.
- Purpose of the study: how far the goal meets the criteria of ethical research.
For example, it is difficult to consider the purpose of a study of the security of pacemakers ethical when, according to the researchers themselves, the purpose of the study is to influence the share price of the pacemaker manufacturer, profit from the difference, and thereby pay for the study (see the interview with MedSec Holdings CEO Justine Bone).
- The chosen research methodology: to what extent it will allow the research objectives to be achieved.
- Boundaries of the study. The researcher needs to understand exactly when to stop the work.
- Objectivity and completeness of the study. The study should take into account the factors relevant to it and use scientifically grounded methods. The financial model of a research company cannot fully guarantee the objectivity of the research if the company profits from short positions, which in practice can turn security research into an instrument of competition. It should be noted, though, that the findings on the vulnerabilities of St. Jude Medical, Inc. equipment were confirmed by an independent expert in a US court (see the case papers, Appendix A) (11).
- The chosen research methodologies should allow the objectives of the research to be achieved and the principles of objectivity and completeness for this kind of research to be observed.
- Confidentiality of the study. If the “bad guys” get even incomplete research results, this can lead to dire consequences.
- And the most important question: how far does the research infringe on human rights in the area of privacy and security? People with pacemakers, having learned about their vulnerability, are unlikely to remain indifferent to this circumstance, but on the other hand, the distribution of information about a vulnerability cannot be prohibited either. This is what the court decision says directly:
“The Claimant’s injunction request (note: regarding such information) is not satisfied ... allowing the Claimant to continue selling products with significant security vulnerabilities, as described in detail in the Muddy Waters reports and confirmed by the Bishop Fox analysis, see Appendix A. Thus, any such injunction endangers the lives and risks the health of thousands of unsuspecting consumers.”
Given the above, we can suggest the following research checklist:
1. Is this study necessary: what are the arguments “for” and what are “against”?
2. What is the true purpose of the study?
3. If you work for a company in the field of information security, are the research objectives consistent with the objectives of the company?
4. Do the researchers have the appropriate knowledge to conduct such a study?
5. Is the design adequate, and is the methodology consistent with the content of the research?
6. Is there any other way to get similar research results?
7. What is the potential harm and benefit to researchers and participants that may arise from the study?
8. Are there any other parties or partners involved in the study? What are their interests in research? Who will benefit directly or indirectly from research?
9. Is there a “conflict of interest” around the study?
10. How do you plan to protect confidentiality and anonymity? What will happen to the data? How will they be accessed? How do you plan to organize data protection?
11. Have the researchers received training, information and assistance related to ethical issues?
Questions about the ethics of searching for and researching vulnerabilities will always exist, and the history of medical research shows that, at a minimum, a public institution should be formed to oversee research into information technology vulnerabilities.
It may also be worth extending the review of the ethical boundaries of vulnerability research to cover working systems, their reliability and continuity of operation: if an IT service is going to degrade, it is better that this happens in a controlled research environment than during a real, unexpected attack by intruders.
It is to be hoped that social processes in the direction of ethical vulnerability research will only develop further. I believe that we can already observe this process in the area of disclosing information about vulnerabilities.
In the next article I will try to talk about the approaches and current practices for disclosing information about software vulnerabilities.
Sources
(1) Nuremberg Code.
(2) The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research.
(3) Heinz's dilemma.
(4) Bruce Schneier, The Ethics of Vulnerability Research.
(5) IEEE Code of Ethics.
(6) ACM Code of Ethics and Professional Conduct.
(7) Software Engineering Code of Ethics.
(8) Weippl E., Schrittwieser S., Rennert S. (2017) Empirical Research and Research Ethics in Information Security. In: Camp O., Furnell S., Mori P. (eds) Information Systems Security and Privacy. ICISSP 2016. Communications in Computer and Information Science, vol 691. Springer, Cham.
(9) Principles and Guidelines for Ethical Research and Evaluation in Development.
(10) Dittrich, D., Bailey, M. D., Dietrich, S.: Towards Community Standards for Ethical Behavior in Computer Security Research. Technical Report 2009-01, Stevens Institute of Technology, Hoboken, NJ, USA (April 2009).
(11) Trial materials.
Additional material
(1) E. Kenneally, M. Bailey, and D. Maughan, “A Framework for Understanding and Applying Ethical Principles”, in Workshop on Ethics and Computer Security Research (WECSR), Jan 2010.
(2) Dittrich, D., Bailey, M., & Dietrich, S. (2011). Building an active computer security ethics community. IEEE Security & Privacy, 9(3), 1–9.
(3) Buchanan E., Aycock J., Dexter S., Dittrich D., Hvizdak E. “Computer science security research and education subjects.”
(4) Aaron J. Burstein, Conducting Cybersecurity Research Legally and Ethically. University of California, Berkeley (School of Law).
(5) Ethics Research & Development Summary: Cyber-security Research Ethics Decision Support (CREDS) Tool. Workshop on Ethics in Networked Systems Research.
(6) Tyler Moore and Richard Clayton, Ethical Dilemmas in Take-down Research. Center for Research on Computation and Society, Harvard University, USA.
(7) Schrittwieser, S., Mulazzani, M., & Weippl, E. (2013), “Ethics in Security Research: Which Lines Should Not Be Crossed?”, Security and Privacy Workshops (SPW), 2013 IEEE, pp. 1–4.
(8) Legal, Ethical, and Professional Issues of Information Security, University of the South Pacific, Laucala, Fiji.
(9) Lisa M. Given.