Managing a Business/Business Ethics
1. How would Marx analyze the events recounted in the case? How would Smith analyze these events? How would Locke analyze these events? To what extent, if at all, are these analyses correct?
How would Marx analyze the events recounted in the case?
Marx would see the events as follows:
- recruitment was based on race;
- recruitment was based on discrimination;
both of which are against the laws of the land and against humanity.
- the selection of candidates for skilled positions was
both of which are morally below human dignity.
Marx would prefer:
- that the selection of candidates for skilled positions be on merit;
- an affirmative action program.
A central premise underlying affirmative action is that, absent discrimination, over time an employer’s workforce, generally, will reflect the gender, racial, and ethnic profile of the labor pools from which the employer recruits and selects. An affirmative action program is a management tool designed to ensure equal employment opportunity, and includes those policies, practices, and procedures that the organization implements to ensure that all qualified applicants and employees are receiving an equal opportunity for recruitment, selection, advancement, training, development, and every other term, condition, and privilege of employment.
Staff employees and applicants for employment are covered by the organization’s affirmative action program.
All of the organization's employment practices are covered, including selection, promotion, compensation, transfer, training and development, and other terms and conditions of employment.
An affirmative action program contains quantitative analyses designed to evaluate the composition of the organization's workforce and compare it to the composition of the relevant external labor pools; action-oriented programs with specific practical steps to address underutilization of minorities and women (if women and minorities are not being employed at a rate to be expected given their availability in the relevant external labor pools); internal auditing and reporting systems to measure the organization's progress in hiring minorities and women; and mechanisms to monitor the organization's employment decisions in order to evaluate the impact of those decisions on minorities and women.
Under the Federal regulations, the organization is required to collect and analyze data on the race and sex of employees and applicants for employment, in order to identify areas where the percentage of minorities and women employed is less than would reasonably be expected given their availability. The organization is required to establish placement goals for hiring women and minorities in those areas.
The organization is required to make good faith efforts to remove identified barriers, expand employment opportunities, and produce measurable results.
Good faith efforts include broad advertising of job openings; supplemental inclusive outreach efforts to ensure that all qualified candidates, including minorities and women, are represented in applicant pools; and careful monitoring of outreach, recruitment, search and selection practices to ensure that equal opportunity is provided at every stage of these processes.
"Affirmative Action" refers to a variety of actions specifically required by Federal affirmative action regulations designed to ensure equal employment opportunity. Affirmative action is undertaken for minorities, women, individuals with disabilities, and covered veterans (special disabled veterans, recently separated veterans, Vietnam era veterans, and any other veterans who served on active duty during a war or in a campaign or expedition for which a campaign badge has been authorized), although setting placement goals applies to minorities and women only. "Diversity" refers to the broader community value, within the organization, of appreciating the contributions of all employees. A diverse workforce is one which includes the demographic groups reflected in the general population, encompassing differences in race, ethnicity, sex, religion, national origin, age, physical/mental abilities, marital status, parental status, veteran status, sexual orientation, socioeconomic level, educational background, lifestyle, and the myriad of all other demographic characteristics. Valuing diversity in the workplace leads to an environment which maximizes the potential of all employees.
3. In your view, should government prohibit economic activities like growing and selling marijuana? Why or why not? What sorts of business activities should government prohibit; what sort should it not prohibit? Justify your position fully. Identify the ideology implied by your position.
Some degree of government regulation of private business is necessary in the general interest of the people in a society. Such control is exercised by all countries in the world, including the USA, which is supposed to be the most capitalist of all the capitalist countries and holds a very staunch belief in the democratic system of government.
The most common way of regulating private business in most countries is through the system of taxation and tariffs. These are set by the government to support and promote certain types of industries and business practices and to discourage others. In particular, foreign trade is heavily regulated through tariffs as well as non-tariff barriers such as direct restrictions on the import or export of certain items, or other conditions that restrict international business activity.
In addition, many other laws regulate business and industrial activity. These include the very general laws of contract that affect business transactions, and laws aimed directly at regulating business. These deal with issues such as monopolistic practices, consumer safety and the protection of consumer interests, terms and conditions of employment, and industrial safety. Another very important objective of government is to protect the environment.
All these laws are necessary to prevent and control deliberately unethical practices on the part of businesses, to protect consumers and employees from unfair use of economic power by big companies, and to account for the impact that the activities of businesses and consumers have on third parties external to the relationship between them.
This is a complex issue that has been the central principle of many a philosophy and of even more writings on the subject. There is much to be said for letting the market act as its own regulator. The classically liberal approach, which allowed a sense of laissez-faire to guide the relationship between government and business, has many positive points. The market is a living and breathing entity, and government control detracts from its overall effectiveness. However, the abuses historically seen when there is little or no industrial oversight are too serious to ignore. I think a balance has to be struck: one in which business can prosper and flourish, but also one in which business is geared towards improving the lives of all individuals, including workers, owners, and management.
From the point of view of an economist, the only time government regulation is appropriate is in the case of what is called "market failure." There are two major kinds of market failure that can be addressed by regulation:
1. Externalities
2. Lack of competition
Externalities (at least negative ones) are things like pollution, where there are hidden costs associated with some economic activity. There are hidden costs to pollution because it costs money to clean up, or it can cost money to cure people made ill by it. These costs are not reflected in, for example, the price of a car that pollutes or electricity produced by a polluting power plant.
This is the classic case for government intervention. The government can impose a variety of regulations to prevent the externality. These regulations should interfere as little as possible with the market. So, for example, an economist would say the best way to prevent greenhouse gas emissions is to tax the carbon content of fuels. If the government did so, the price of the fuel would reflect the pollution it causes. This would fix the market failure without government actually intruding on the market by telling businesses what to produce, how to produce it, etc.
So: government should regulate in the case of market failure. If it does, it should impose regulations that do not interfere with market processes any more than is necessary.
Moral reasons
Throughout the world, governments engage in social and economic regulation of their citizens’ lives. Economic regulation, in particular, has come into focus during the past decade, mainly because such regulation has been associated with falling productivity rates in many industrialized countries. But social regulation by government also is being discussed when drug abuse legislation, censorship of pornography, and similar matters are considered.
Most types of government regulation involve the setting up and enforcement of standards for conducting legitimate activities. My concern here is with government regulation of business or economic affairs by municipal, county, state, and Federal politicians and bureaucrats.
During the past few years, the case for such regulation has been spelled out in fairly clear and general terms. I wish to examine the arguments which are based on moral considerations, since it is such arguments that matter in the defense of the authority of the state to treat its citizens in various ways.
Government regulation differs from government management. Management involves the administration of the properties and realms which the government owns. For example, the national parks and forests are managed by government, not regulated. So is the interstate highway system. In contrast, toy manufacturing, which is an activity of private business, is regulated by government, as are the manufacture and sale of many foods and drugs, the production of cars, and the practice of law, medicine, and other occupations.
There are some gray areas, to be sure. The government regulates broadcasting, but it also manages the airwaves. The electromagnetic spectrum was nationalized in 1927, and the federal government has been leasing out the frequencies which private broadcasters use. So there is a combination of management and regulation which is carried out by the Federal Communications Commission.
In addition, there is government prohibition, mainly in the criminal law, in which some actions are regarded as intrinsically evil, such as murder, theft, embezzlement, and fraud. These activities are forbidden, not regulated, while toy production or mining is regulated, but not forbidden. The writing of novels, news reports, and scientific articles, in turn, is left fairly free of government interference.
But here, too, there are some gray areas, such as the prohibition on the sale of certain drugs over the counter. Nevertheless, for all practical purposes, the three categories are clearly distinguishable—regulation, management, and prohibition.
I will first present the main arguments in support of government regulation of business. Then I will consider some responses. (One could ask whether government should manage forests, beaches, parks, or the airwaves, as well as whether there should be any prohibition of any human activity at all, as anarchists might ask, but our concern here is with regulation.)
Creature of the State: This argument for government regulation of business, made prominent by Ralph Nader and others, holds that because corporations are chartered by states, corporate commerce should be regulated. In this view, the state charter actually “creates” the corporation, and government should regulate the behavior of its “dependent,” the corporation.
Market Failure: The second moral argument for government regulation of business recognizes that a free market usually enables people to do the best that can be done. On the one hand, free markets encourage maximum efficiency. On the other hand, free markets foster responsible conduct, and encourage the production of goods and services which are of value to members of the community.
But advocates of the “market failure” approach contend that there are some serious exceptions. They assert, following John Stuart Mill, that the free market often fails to achieve maximum efficiency—that it sometimes wastes resources. They often cite the example of utility services. If there were free competition among utilities, “market failure” advocates hold, there would be much duplication—different companies putting up telephone and electric poles, waterlines, etc., side by side, which would be a waste. So it is argued that it is important for government to restrict competition and thus correct market failures.
The second type of market failure, identified by John Kenneth Galbraith in The Affluent Society, is that markets misjudge what is important. To wit, markets often don't respond to real needs—for medical care, libraries, safety measures at work, health provisions, fairness in employment and commerce, and so on. Therefore, governments should remedy market failures with regulatory measures. Such measures include zoning ordinances, architectural standards, safety standards, health codes, minimum wage laws, and the whole array of regulations which have as their expressed aim the improvement of society.
Rights Protection: Another "justification" for government regulation of business is the belief that government is established to protect our rights, and that there are many rights which go unprotected in a free market. How do we know there are such rights? Different sources for these rights have been provided in the philosophical community.
Some, for example Alan Gewirth of the University of Chicago, rely on a Kantian deduction of both freedom and welfare rights from the very nature of human action. Some make use of intuitive moral knowledge—e.g., John Rawls of Harvard University and Henry Shue of the University of Maryland. Others, such as Steven Kelman of Harvard University, use a theory of benevolent paternalism. Some thinkers, such as A. I. Melden of the University of California at Irvine, even make use of a revised Lockean approach.
The substantive position of all these philosophers is that employees, for example, are due—as a matter of right—safety protection, social security, health protection, fair wages, and so on. Consumers, no less, should be warned of potential health problems inherent in the goods and services they purchase. In short, these thinkers contend, it is the right of all those who deal on the market to receive such treatment. It should not be left merely to personal caution, consumer watchdog agencies, or the goodwill of traders. Government, having been established to protect our rights, should protect these rights in particular. Thus, it is held, government regulatory activities are the proper means by which this role of government should be carried out.
Judicial Inefficiency: The last argument for regulation that we will consider rests on a belief in the considerable power of the free market to remedy mistakes in most circumstances. But advocates of regulation point to one area where this power seems to be ineffective—pollution. Kenneth J. Arrow of Stanford University has most recently spoken about the need for regulation to overcome judicial inefficiency. His case goes roughly as follows:
Usually one who dumps wastes on the territory or person of another can be sued and fined. Alternately, the permission of the potential victim of such dumping can be obtained, payment for the harm can be made, and so on. But in a wide variety of cases, this is not a simple matter or even possible. Pouring soot into the atmosphere, chemical wastes into lakes, and so forth, may cause harm to victims who cannot be identified. Nor would just a little emission usually cause anyone harm, so it is a matter of the scope and extent of the emission—there is a threshold beyond which emission becomes pollution.
Now since emission into the public realm can involve judicial inefficiency (culprit and victim cannot be brought into contact), when the activity which can lead to public pollution is deemed to be sufficiently important, regulation is said to be appropriate. This general idea derives from the moral viewpoint that some things important to the public at large must be done even if individuals or minorities get hurt. So long as general supervision of such harms is available—so long as cost-benefit analyses guide government regulation—then public pollution is morally permissible.
All these arguments can be elaborated upon, but let us proceed to outline the responses to them that favor deregulation.
4. From an ethical point of view, what recommendations would you make to Brian? Explain your recommendations in terms of the moral principles that you feel are involved.
We often hear of the "hacker" who breaks into a system and steals credit card numbers, releases a destructive worm, or defaces a website. What do you think about his actions? Are they ethical? Unethical? I think most of us would agree that this constitutes unethical behavior. What about us, though? How are our actions viewed when we, in defense of our clients' networks or our own networks, engage in activities similar to those of the above-mentioned hacker? I will briefly discuss several systems of ethics, and then we will apply them to situations that we as IT security personnel face. Hopefully this will give you a framework for making ethical decisions within this job. We will find through this analysis that we have to hold ourselves to an even higher standard than the one to which we hold average computer users or even hackers.
A Basis for Ethical Decisions
Jeremy Bentham and John Stuart Mill developed Utilitarian Ethics in the 19th century. The basic premise is that the actions which produce the greatest amount of good over bad or evil are the ethical or moral choices. For example, if you told a lie to protect someone's life, that would be considered a good ethical choice under the Utilitarian system: less harm is done by the lie than by telling the truth and putting a life at risk. Beware, though, for this system of ethics leads us down the road of "the end justifies the means" thinking. In the years since Bentham and Mill, different interpretations of Utilitarianism have emerged. One (act utilitarianism) says that if, in a particular situation, the balance of good will be greatest if a particular action is taken, then that action should be taken. The example already given fits this variation. The other major viewpoint (rule utilitarianism) holds that the action to take is not the one that produces the greatest good in a particular situation but the one that produces the greatest good over all like situations in a society. Going back to our example of the lie to save a life, under this alternative interpretation we would judge that, overall, lying is more harmful to society and the overall good than not lying. That being the case, we would not lie to save the life but tell the truth, since overall it is less harmful in the long run.
The Rights Approach
The Rights Approach is based on the principle that individuals have the right to make their own choices. A short list of the related rights you would have under this system of ethics includes the right to the truth, the right to privacy, the right not to be injured, and the right to what has been agreed (such as society's laws being fairly administered for and against us). To judge whether our actions are right or wrong, moral or immoral, under this system we ask how they affect these rights of those around us. The greater the infraction our actions cause against those around us, the more unethical those actions are. This approach is associated with Immanuel Kant in the 18th century. Kant also formulated the Categorical Imperative, which tells us that all the moral rules we live by should be universal. For example, if it is immoral to lie, then you should never lie under any circumstances.
The Common-Good Approach
The Common-Good Approach traces back to Plato, Aristotle, and Cicero. It proposes that the common good is that which benefits the community: as members of a common body, what is good for that body is good for us. This type of system is where health care systems and public works programs come from. In practical application we would look at our actions in light of how they affect the common good of society or our community. For example, stealing would never be ethical because it damages (takes resources away from) society or the community. By contrast, under Utilitarian ethics there are situations in which stealing would be the ethical thing to do.
Ethics in Conclusion
As you can see, the study of ethics does not give us a clear-cut, black-and-white answer to our problems as computer and security professionals. Your answer as to what is right or wrong can change depending on which system of ethics you follow. Sometimes, even within a single system of ethics, your answer from one situation to the next might not be the same. Most definitely, what you consider ethical will not always be what someone else considers ethical if they derive their answers from a different ethical framework than you do. A prime example of this is the very hackers we guard against (or are we guarding against ourselves?). This makes it important that, as members of a professional community, we adopt a common code of ethics that applies to our professional behavior. Below are two codes of ethical behavior that some computer and IT professionals have adopted.
The Code of Ethics
From "A Guide to Forensic Testimony"
1. Technology is important to modern society.
2. Technologists must take care not to endanger the life, health, safety, and welfare of the public.
3. Technologists should demonstrate competence and due care in their technical duties.
4. Technologists must maintain and update their technical skills.
5. Technologists should avoid conflicts of interest.
6. Technologists should be honest and forthright in their dealings with others.
7. Technologists should be honest about their limitations, acknowledging errors and correcting them.
8. Technologists should refrain from discriminating against individuals based on race, religion, age, gender, or national origin.
9. Technologists should give proper credit to others for their work and honor property rights, including copyrights and intellectual property.
10. Technologists should help the public understand technology and support the professional development of peers.
Ten Commandments Of Computer Ethics
From The Washington Consulting Group and the Computer Ethics Institute
1. Thou Shalt Not Use A Computer To Harm Other People.
2. Thou Shalt Not Interfere With Other People's Computer Work.
3. Thou Shalt Not Snoop Around In Other People's Computer Files.
4. Thou Shalt Not Use A Computer To Steal.
5. Thou Shalt Not Use A Computer To Bear False Witness.
6. Thou Shalt Not Copy Or Use Proprietary Software For Which You Have Not Paid.
7. Thou Shalt Not Use Other People's Computer Resources Without Authorization Or Proper Compensation.
8. Thou Shalt Not Appropriate Other People's Intellectual Output.
9. Thou Shalt Think About The Social Consequences Of The Program You Are Writing Or The System You Are Designing.
10. Thou Shalt Always Use A Computer In Ways That Insure Consideration And Respect For Your Fellow Humans.
Stopping Worms and Automated Exploits by Forced Inoculation!
What would you as a computer security professional do if you had the ability to preemptively stop the spread of a worm by patching or inoculating systems in the wild? You have the capability to patch a known vulnerability before a malicious worm has the opportunity to take advantage of it. In essence what we are talking about is releasing a worm of our own that isn't malicious but benign.
Let's take a look at this proposition through the filters of a few of our ethical systems. Utilitarian ethics could take us down either road. On the one hand, if releasing a benign worm that patched a vulnerability would benefit us more than it hurt others, then we would be justified. The competing view of Utilitarian ethics would hold that, in general, releasing worms has a cumulative negative impact; therefore we should not do it regardless of the reason or the situation of the moment.
The Rights Approach would be much more unequivocal about the matter. The Categorical Imperative would hold that your intent does not matter: the act of breaking into and modifying someone else's computer without their consent is an unethical act against that person, and unethical acts are never justified regardless of the reason.
The Common-Good approach would give us a radically different perspective on the situation. We are all aware of the cost that self-replicating worms have imposed on us as a community. We have all been affected, whether as a nation in dollars of revenue lost, as a company financially hurt by reacting to a worm infecting its systems and disrupting its connectivity to the Internet, or as an Internet community of individuals inconvenienced by the slowdown or even total loss of service that can be experienced when a new worm is rampantly spreading. Under the common-good system of ethics we would balance the benefit to the community against the harm to the individual. There is an overwhelming case for the community over the individual in this situation. The individual has their privacy infringed upon, but no malicious action is taken against them or their systems. Judged against the potential loss of millions or even billions of dollars to the community, and the countless hours of inconvenience that other individuals in the community would have to deal with, this would be a clear decision for the community. No individual's loss of privacy could possibly outweigh the good that the community as a whole would gain.
Example: Code Red vs. Code Green and CRclean
We all know about the Code Red worm and its variants. Even now, long after it was released, we see it hit our firewalls daily and show up in our log files. It randomly scans the Internet from infected hosts, looking for unpatched IIS web servers on port 80 to infect through the IIS ISAPI filter buffer overflow vulnerability. In response to Code Red, a German named Herbert HexXer released a counter-worm called Code Green. Soon after that, Markus Kern released CRclean, another counter-worm. Below are the release letters that these gentlemen posted to the SecurityFocus mailing list.
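To make the "we see it in our log files daily" point concrete, here is an added example (not part of the original paper, and not code from HexXer or Kern) that picks Code Red probes out of IIS web server log lines. It relies on the worm's well-known request shape: a GET for /default.ida whose query string is a long run of "N" (Code Red) or "X" (Code Red II) padding followed by %u-encoded shellcode, which is what overflows the .ida ISAPI extension. The log lines, their field order, the %u tail and the addresses are all constructed for the example.

```python
"""Spot Code Red probes in IIS (W3C extended format) web server logs.

Added example, not code from the original paper. Assumes the worm's known
request shape: GET /default.ida with a query of long 'N' (Code Red) or
'X' (Code Red II) padding followed by %uXXXX-encoded shellcode.
"""
import re
from collections import defaultdict

# The padding byte identifies the variant; the %u-encoded tail is the overflow payload.
PADDING_VARIANTS = {"N": "CodeRed", "X": "CodeRedII"}
PROBE_RE = re.compile(r"^([NX])\1{19,}.*%u[0-9a-fA-F]{4}")

# Field order assumed for the constructed log (as an IIS #Fields line would declare it).
FIELDS = ("date", "time", "s_ip", "method", "stem", "query", "port", "c_ip", "status")


def classify_request(uri_stem, uri_query):
    """Return the worm variant name for a Code Red style request, else None."""
    if uri_stem.lower() != "/default.ida":
        return None
    m = PROBE_RE.match(uri_query)
    return PADDING_VARIANTS[m.group(1)] if m else None


def parse_w3c_line(line):
    """Split one log line into a dict, skipping directives and malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan_log(text):
    """Return {source_ip: {variant: hit_count}} for every probe found in the log text."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        variant = classify_request(rec["stem"], rec["query"])
        if variant:
            hits[rec["c_ip"]][variant] += 1
    return {ip: dict(v) for ip, v in hits.items()}


# Constructed sample: %u tail in the style of the worm's, documentation-range addresses.
SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2003-02-03 10:01:02 10.0.0.5 GET /index.htm - 80 198.51.100.7 200",
    "2003-02-03 10:01:09 10.0.0.5 GET /default.ida " + "N" * 224 + SHELLCODE + " 80 203.0.113.9 404",
    "2003-02-03 10:02:41 10.0.0.5 GET /default.ida " + "X" * 224 + SHELLCODE + " 80 203.0.113.23 404",
    "2003-02-03 10:03:05 10.0.0.5 GET /default.ida " + "N" * 224 + SHELLCODE + " 80 203.0.113.9 404",
    "2003-02-03 10:04:00 10.0.0.5 GET /default.ida NNNN 80 198.51.100.8 404",  # too short to be the worm
])

if __name__ == "__main__":
    for ip, variants in scan_log(SAMPLE_LOG).items():
        print(ip, variants)
```

The per-source counts are the useful output: a single hit may be a scanner replaying the request, while a host that keeps sending the probe is itself infected and is the one worth contacting or blocking. Note that the stem check is case-insensitive because IIS serves the path that way, while the padding check is not, since the worm pads with upper-case letters only.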
Code Green Release Letter
Herbert HexXer posted to the mailing list on the Security Focus website about his Code Green worm release.
hello guys ...
... i have been developing a code, that should patch the ISAPI-filter buffer overflow vulnerability (the vulnerability CodeRed is exploiting) discovered by eEye (walk through the code for details).
As I am on vacation tomorrow and I don't have the time to excessively debug the code, I posted this code here.
Perhaps some ppl might learn from this code (eventually someone could finish what I began[debug/testing]).
Be sure to know what you are doing, as this code uses `viral/worm' techniques and could potentially cause damage.
THIS CODE IS DESIGNED FOR EDUCATIONAL PURPOSES ONLY;
REMEMBER THAT IT IS ONLY A BETA VERSION.
I will not take responsibility for any damage that might be caused by this code. Be sure to have understood the code and its purpose before beginning to play with it. Feel free to modify the code at will, but don't blame me, in case something should not work like expected.
CRclean Release Letter
Markus Kern, also in a posting to securityfocus.com, had this to say in his release of CRclean:
Since we're at it ...
I wrote something similar a few weeks ago but didn't release it back then.
Well, here it is, may the curious enjoy it.
It's a passively spreading worm that patches the box and removes CRII. After installing an ISAPI filter it infects every host sending Code Red; it does not actively scan for vulnerable hosts, which should prevent Cisco crashes and all the other side effects of Code Red.
Since my assembler skills are limited the main part of the worm is written in C and only the exploit code is assembler.
It should be obvious that I take no responsibility for what you do with this code. Although it doesn't contain any malicious code, don't blame me if you hose your network or system.
-- Markus Kern - email@example.com
PS: The spreading mechanism is broken on purpose
In releasing the code for these two worms, Kern and HexXer acted within ethical boundaries per our discussion of forced-inoculation ethics. We should note that neither of these gentlemen actually turned the worm loose on the Internet. What they did was release the code, with warnings about its dangers, to the security mailing lists. Turning the code loose would have taken them into questionable territory ethically, as it would have put them at odds with the Rights Approach and possibly the Utilitarian systems of ethics. You can see this in the breakdown of their actions below.
• They created this code to fix a vulnerability that Code Red took advantage of.
o Creation of the code in and of itself is a perfectly harmless activity, given their motivation of creating a method of patching a security hole. They violated no individual's rights and did not impact the community in a negative way by the act of creation.
• They did not themselves use this code on any systems they were not authorized to access.
o Again this is ethical behavior under all of our ethical systems. They have not infringed upon anyone's privacy or rights.
• They did release it to the general public, where someone else could use it or release it into the wild.
o This would be the closest they came to having to make a hard ethical decision. Under Kant's Categorical Imperative this could be argued to be their one unethical act. However, under the other systems of ethics it could be argued to be well within good ethical boundaries.
o They did not act out of any malicious intent in creating these counter worms.
o If we count intent, then there is no question that they acted ethically. I see no intent to create harm or disrupt the Internet by releasing their worms to the security lists. Ruffle some feathers by treading in an ethically challenging arena, possibly, but not cause harm.
I think a little discussion of the indirect consequences of actions is appropriate here. Kern's and HexXer's direct actions have passed our ethical tests. However, if we were to judge the potential actions of all who now have access to Kern's and HexXer's code, we would find that, on average, someone most likely did use that code in an unethical manner. Thus the potential indirect repercussions of their actions are high. The possibility of someone modifying their code, inserting a hostile payload and then releasing it is very real. We need to keep in mind, though, that these actions are not directly tied to Kern and HexXer. Any judgment about ethical appropriateness should be levied against the individuals actually participating in the unethical activity.
My personal belief is that, past a certain point, it is foolish to refrain from creating something new out of worry that people will abuse your creation. Take the knife as an example. How many people have been stabbed to death with a knife? I would hazard a guess that it is a fair number in the last one hundred years. Yet we still use knives every day to cut our food, open boxes, cut rope and for a thousand and one other beneficial uses. Should the first person who sharpened a piece of metal have said, "No, it might be used to hurt someone"? Rather, we should concentrate on what we intend to do with a creation, and on our motivations in making it, as the basis for deciding whether it is ethical.
Example: Slammer, Stopping it Cold!
Recently we all saw the UDP port 1434 worm called Slammer (it targets the SQL Server Resolution Service) overwhelm the Internet in just a few hours. One of the analysts who works at the same managed network security company as I do reverse engineered the Slammer worm. After finding out how it worked, he then created a utility that exploits a port 1433 vulnerability to remotely disable the Slammer-infected system. In my job we have seen multiple resurgences of this worm on clients' networks over the weeks after it appeared. Using this tool, and I will call it a tool, allows us to disable a Slammer-infected system quickly so that it does not overwhelm the network, firewalls, and IDS devices. The infected system is still running but not able to communicate with the network because its default route is now gone. It is now sitting and waiting on someone to come reboot and patch it.
My colleagues and I have discussed various methods of automating this process. If you have it sit as a service on a system on the network, it could launch against an infected system as soon as it detected that system trying to infect it in turn. The biggest question we ran into wasn't "how to do it?" but whether it was ethically appropriate to create an automated exploit against vulnerable systems: an exploit that can remove default routes from them or, with a little work by a third party who has access to the code, deliver a payload of their own to modify a vulnerable system's registry settings. Our decision based on that conversation was that it was a useful tool and that we should implement it. However, we all held reservations about releasing it openly on the Internet through security mailing lists or posting it on our website.
We did not decide that it would be unethical to do so. In fact it was created as a tool to fix a problem, and we had no intention of using it in an unauthorized manner. We then considered how other people view this same issue. Not all people use the same criteria for making ethical decisions. This is what creates the controversy over proposals to release worms onto the Internet to patch or inoculate systems in the wild or to stop infected computers from spreading a worm. Not all people agree that an action in the Common Good is an ethical action; some hold rather that it comes down to individual actions that do not trespass against any individual. The Rights Approach supports this viewpoint. In our society the two major viewpoints are probably the Rights Approach and the Common Good approach; Republicans vs. Democrats, to draw a parallel. As a reputable managed security company we wish any controversy about us not to be focused on our ethics. Therefore we make a decision that we can live with, one that is ethical under testing from as many ethical viewpoints as possible. Our conclusion was that we create the tool but do not release it to the general public.
Hack Back! Can and Should I do this?
Ethically, your answer can vary depending on the situation and the ethical system you choose to apply. Under Utilitarian Ethics we could again argue both sides of the question. On the one hand, defending yourself against an aggressor would be good if the short-term benefits outweighed the harm. The other side of Utilitarian Ethics would say, however, that fighting or "attacking someone over the Internet" is overall a net loss on the scales of good and bad, and therefore we should refrain. The Rights Approach gets interesting here in my interpretation of it. Under the Rights Approach, if I attack someone it would be wrong no matter the circumstances. Under the Common Good system I interpret it to say that attacking would never be an ethical choice, nor would counterattacking. The common good is not served by using the Internet as a medium of attack. All too often, as in a DoS attack, the attack will affect many other systems and networks besides the targeted systems. This is overall harmful to the community.
Example: Smurf Attack
Some time ago I was involved in responding to the port scan of a client's firewall. Following standard procedures, we sent an abuse email to the ISP of the source IP responsible for the scan. The official response from the ISP was a brief email back that was very derogatory and profane. Very soon after that, in a matter of seconds, our company came under a Smurf DDoS attack.
Our total response to this incident at the time was to block the attack and gather forensic evidence. We had the capability to hit the attacking hosts and kill the attack that way, but we chose not to do that. Did I mention that upon later analysis of the attack we found no direct links between the ISP and the attacking hosts? The attacker sent spoofed ICMP echo requests to twenty vulnerable networks with our addresses as the source.
What would our ethical systems have had to say about our responding to this attack in kind? Under the Utilitarian System we could have argued that more harm was done to our clients and us by the attack, potentially denying our company the ability to provide security services if we had been totally taken down. Therefore we would have been justified in responding to protect our ability to provide services. Under the Rights System we would be acting in an unethical manner to respond by attacking. Also, under the Common Good system we would have to make the ethical choice to not respond.
To complicate the situation even more, none of the attacking hosts intended to attack us. The attack was initiated by a third party and directed at us through networks that were vulnerable to being used in such a manner. The owners of these networks were not guilty of any intent to attack us.
In the real world what actually happened is that we did not attack back but gathered evidence and are now working with federal and state law enforcement agencies to respond to this attack legally and ethically. If we had blindly attacked back we would have been guilty of attacking companies that had not originated the attack against us. This would have had a negative effect on our reputation as an ethical managed security company. Do you notice again that we touch on how it matters what others believe about our ethics?
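Both incidents above, the Slammer resurgences and the Smurf flood, can be recognised from ordinary flow records without touching any remote host, which is the defensive route this paper argues for. The following is an added example and is not code from the original paper or from the author's company. The flow-record format, the addresses, the thresholds and the sample data are all constructed for illustration; the two facts it relies on are that Slammer is a single 404-byte UDP datagram to port 1434, and that a Smurf victim sees ICMP echo replies it never solicited arriving from many different networks.

```python
"""Flow-record detection for a Slammer-infected host and a Smurf flood.

Added example; not code from the original paper or the author's company.
The record format below is constructed for this example, not the output
of any real flow exporter:

    ts,proto,src,dst,a,b,bytes
    udp/tcp: a = source port, b = destination port
    icmp:    a = ICMP type,   b = ICMP code
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SLAMMER_PORT = 1434     # SQL Server Resolution Service (UDP)
SLAMMER_PKT_LEN = 404   # IP datagram length of the single-packet worm
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src: str
    dst: str
    a: int
    b: int
    nbytes: int


def parse_flows(text):
    """Parse the constructed CSV format into Flow records; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, a, b, nbytes = line.split(",")
        flows.append(Flow(float(ts), proto.lower(), src, dst, int(a), int(b), int(nbytes)))
    return flows


def find_slammer_sources(flows, min_targets=20):
    """Hosts spraying UDP/1434 at many distinct destinations.

    An infected host sends one worm packet to each pseudo-random address it
    generates, so fan-out is the signal; a uniform 404-byte datagram size is
    the corroboration. A legitimate SQL client talks to a few servers only.
    """
    targets, sizes = defaultdict(set), defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.b == SLAMMER_PORT:
            targets[f.src].add(f.dst)
            sizes[f.src].add(f.nbytes)
    return {
        src: {"targets": len(dsts), "slammer_sized": sizes[src] == {SLAMMER_PKT_LEN}}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


def find_smurf_amplifiers(flows, our_net, min_networks=5):
    """Unsolicited ICMP echo replies to our addresses from many distinct /24s.

    Each /24 is a network whose broadcast address the spoofer used as an
    amplifier. The spoofer never appears in our flows at all, which is why
    'attacking back' at these sources would only hit third parties.
    """
    our_net = ip_network(our_net)
    # (src, dst) pairs for echo requests our own hosts really sent.
    sent = {(f.src, f.dst) for f in flows
            if f.proto == "icmp" and f.a == ICMP_ECHO_REQUEST
            and ip_address(f.src) in our_net}
    nets = defaultdict(set)  # victim address -> amplifier networks
    for f in flows:
        if f.proto != "icmp" or f.a != ICMP_ECHO_REPLY:
            continue
        if ip_address(f.dst) not in our_net or (f.dst, f.src) in sent:
            continue  # not ours, or a reply to a ping we actually sent
        nets[f.dst].add(str(ip_network(f.src + "/24", strict=False)))
    return {victim: sorted(n) for victim, n in nets.items() if len(n) >= min_networks}


def build_sample():
    """Constructed sample flows: one infected host, one benign SQL client,
    one Smurf victim and one legitimate ping exchange."""
    lines = ["# ts,proto,src,dst,a,b,bytes (constructed sample data)"]
    for i in range(30):   # Slammer: 30 single 404-byte packets to 30 hosts
        lines.append(f"{100 + i / 1000:.3f},udp,10.0.5.7,192.0.2.{i + 1},1105,1434,404")
    lines += ["101.0,udp,10.0.5.9,10.0.1.10,50000,1434,56",   # benign browser query
              "101.1,udp,10.0.5.9,10.0.1.11,50000,1434,56"]
    for n in range(6):    # Smurf: echo replies from 4 hosts in each of 6 /24s
        for h in range(1, 5):
            lines.append(f"200.{n}{h},icmp,198.18.{n}.{h},203.0.113.10,0,0,1064")
    lines += ["199.0,icmp,203.0.113.10,198.51.100.1,8,0,84",   # our own ping ...
              "199.1,icmp,198.51.100.1,203.0.113.10,0,0,84"]   # ... and its reply
    return "\n".join(lines)


def analyze(text, our_net="203.0.113.0/24"):
    flows = parse_flows(text)
    return find_slammer_sources(flows), find_smurf_amplifiers(flows, our_net)


if __name__ == "__main__":
    slammer, smurf = analyze(build_sample())
    for src, info in slammer.items():
        print(f"probable Slammer source {src}: {info['targets']} UDP/1434 targets, "
              f"uniform 404-byte packets: {info['slammer_sized']}")
    for victim, nets in smurf.items():
        print(f"{victim}: unsolicited echo replies from {len(nets)} networks: {', '.join(nets)}")
```

The Smurf detector deliberately reports the amplifier networks rather than an "attacker": the spoofed source address means the real originator is absent from the data, so anything you fired back would land on the twenty innocent networks described above. The Slammer detector gives you the host to isolate locally (or hand to the owner to patch) without exploiting anything on it.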
Example: DoS Attack on the World Trade Organization
In December of 1999 the World Trade Organization held a summit meeting. In an attempt to disrupt it, a group of hackers calling themselves the electrohippies tried to take down the WTO website by launching a DoS attack on the server hosting it. In this case the attack was not spoofed but was launched from the server in the UK that hosted the electrohippies' own website.
Conxion, the hosting service for the WTO website, redirected the DoS attack back at the originating source address. Brian Koref, senior security analyst at Conxion, is quoted by Deborah Radcliff in her article on NWFusion.com as saying, "So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server."
According to Radcliff's article, industry response was mixed, with many not approving of the retaliatory tactics, especially where it is not clear who the attacker is.
The Utilitarian System would be fairly approving of Conxion's response. Stopping the attacker from affecting their client would be an appropriate ethical response. Even the branch of Utilitarian Ethics that is more concerned with the broader consequences than with the specific incident would not have as much of a problem with responding to the attack as Conxion did. Having a clear perpetrator, and being able to target the attacker narrowly so that the effects don't bleed over onto innocent parties, makes the response in this specific incident more clear cut. Under the Rights System of Ethics we would still not be justified in retaliating in this case; the Categorical Imperative is very unforgiving of circumstances. The Common Good System in general is going to say that launching Internet attacks is bad for the net community overall.
We can complicate the ethical response to this situation, though, by taking a more detailed look at the response Conxion made. Conxion did not launch an attack on the electrohippies' server; instead they simply returned (redirected) the attacking traffic back to that server. If you make this distinction, then what they did was not an attack but simply redirecting traffic, packet for packet, that had been sent to them back to the originating address. If you look at it like this, and I do realize that to some degree this is splitting hairs, you could justify doing so under all the ethical systems. It is no longer you attacking but the attacker, in an almost judo-like way, attacking themselves.
We have looked briefly at a couple of different situations that can face us as computer security professionals. I think that the overwhelming conclusion that can be drawn is that we should not retaliate, and that in most cases it is unethical behavior on our part to reply in kind. There are many defensive routes open to us to stop the effects of attacks or worms. Gathering evidence and responding through our society's legal system is an unquestioned ethical choice under all the ethical systems we have discussed in this paper.
Another fact that we need to face as professionals providing a service to our clients is that it matters how they perceive our ethical choices. If we release worms on the Internet or launch retaliatory attacks on attackers, many people will say, "They are hackers pretending to be a reputable company." We have to work at, and be seen as working to, a higher standard. Do you think that law enforcement would take seriously any complaint that you filed against someone if you yourself are known for ethically questionable actions? It does matter how others perceive your ethical standards.
I would like to note for the record that I don't think that any one individual should release any worm, whether it is beneficial or harmful. Possibly, under the Common Good System of Ethics, I could support the government or a large community-driven organization that is respected throughout the industry releasing, with fair warning, a worm that would patch vulnerable systems in the wild, thereby inoculating the Internet against harmful worms that would take advantage of this vulnerability. But this would be a choice of the community at large, not of any one individual. It should also be done with fair warning so that responsible system administrators have the opportunity to patch their systems themselves.