As the West braces itself for the expected wave of cyber attacks from Russia, in retaliation for the unprecedented sanctions it has imposed on the Russian economy, I am painfully aware that some of the hackers involved may have been trained in the West. Perhaps some of them were even trained by me.
Cybersecurity is taught in two stages. First comes “red team” craft: how to attack, infiltrate and destroy computer systems. Then we teach the “blue team” defensive posture. The bad stuff comes first so students know what they are up against.
Each semester, a few creeps will ask me how to hack their lover’s phone, and the class turns to relationship therapy. Amusing as that may sound, though, such questions are harbingers of more serious problems. Some students appear more interested in what the hackers are up against. Others attend the offensive classes, but never even show up for defence.
Some of those students are from UK or US companies whose ethics are questionable. Some are from nations that are centres of global cybercrime, or, like Russia, are openly hostile to liberal democratic values. I note that Osama bin Laden’s training as a mujahideen fighter in Afghanistan was conducted by US special forces.
As teachers, we’re mostly unaware of moral hazards lurking beyond our classrooms. Brain drains and misuses abound. Loyalty, supervision by professional bodies and Hippocratic oaths make weak safeguards. But is such wilful ignorance really an option in cybersecurity?
One root issue is that there are no “ethics” in “ethical hacking” – literally: the subject is not part of the syllabus. Officially, we give no guidance beyond the parochial legal caution to stay out of trouble – mainly to defend the university against liability.
This absence of personal or social values raises the question of whether we should be teaching hacking at all. Apparently, there’s lots of “demand”. But demand for what? To prepare more guards for the corporate castle? To help law enforcement or intelligence workers beef up penetration, surveillance and forensic skills? To help teachers, journalists, politicians protect their digital lives? To turbocharge activism by teaching do-gooders to hack the bad guys?
All these kinds of students attend my class, but the ones I worry about most are obviously the future cyber-criminals and enemy cyber-warriors. I know they are there; I just don’t know who they are. And neither, necessarily, do they – not until they graduate, cannot get a legitimate job, perhaps get deported, and discover that their skills are in great demand elsewhere. Perhaps there is more we can do to help students find the right kind of jobs, but that is for another article.
Remember “Prevent”? This was the UK government programme whereby, from 2011, we in UK higher education were all supposed to contribute to safeguarding the nation against radicalisation. Perhaps it was the resentment caused by our weeks of unpaid compulsory “training”; perhaps it was that parts of the agenda (regarded as instructions to spy on and ethnically profile students) were struck down in court in 2019. In any case, it fizzled out. But along with it went many laudable attempts to bring up discussion of cultural values, propaganda and vulnerability to recruitment.
Within that framework, I would not know how to even start talking about cybersecurity today. Is demand for it actually created because we teach software engineering badly; shouldn’t we give more attention to building things better instead of fixing up the things we build fast and cheap? Why is the UK government engaging in a foolish tussle with end-to-end encryption, the bedrock of security, while Europe pushes in the opposite direction to enshrine privacy as a right? What to say about the Israeli NSO company – author of the controversial Pegasus spyware that allows governments to monitor smartphones – when half my students think it should be banned and the other half would like to work for it?
I look out for the well-being of all my students wherever they hail from, whatever their politics and wherever they are headed. But should I keep a closer eye on some nationalities than others? To raise these concerns risks accusations of politicisation or racism, but cybersecurity is inevitably a maelstrom of challenging ethics because computers affect so much of our lives. For the same reason, it is inseparable from global politics.
To reframe this argument in terms that financialised institutions can understand: do the profits made by educating students from potentially hostile groups and towards potentially hostile ends outweigh the risks doing so brings to the educating nation’s economic and national security?
I’d say yes – but only if we fully realise the meaning of “ethical hacking”. My students don’t just learn hacking skills from me. I also work hard to diffuse “liberal” values, such as democracy, mutual respect, tolerance of dissent, individual rights to privacy and equal economic participation. I also try to instil deep scepticism towards the technological dystopia that some states and corporations are building.
But is this enough? As I watch freedom under siege in Ukraine, and as we all prepare for the apparently inevitable Russian cyber onslaught, I can’t help but wonder.
Andy Farnell is a visiting and associate professor in signals, systems and cybersecurity at a range of European universities. His latest book, Ethics for Hackers, will be published later this year.