Ethical Dimension of Disclosing Cyber Threats by Large Corporations
Background of the problem
Utilitarian approach to the problem
Normative Interpretation
In the light of tremendous technological growth, cyber-attacks and corporate data breaches have become one of the hottest concerns on the contemporary business agenda. In 2014 alone, the international business community experienced a number of high-profile cyber assaults on large corporations (Harrington, 2014). The main impact of these attacks was the leak of customers' personal records and financial information; a large portion of this data was subsequently sold on the black market and used by fraudsters. For instance, analysts from Hold Security announced that their research team managed to obtain more than 400 million account credentials of corporate users from the black market within just four weeks of preliminary research (ibid.).
Furthermore, the criminals are becoming more daring, with increasingly devastating impact on corporate reputations, not to mention the huge financial losses incurred by businesses in the USA and worldwide (Harper, 2011). Although corporations are devising and implementing complex security measures, the cyber threat remains a serious problem for them. However, the most important questions lie not in the technological but in the ethical sphere. In particular, the overwhelming majority of today's market behemoths do not have well-developed ethical policies regarding publicity in this context. In other words, it is both conceptually and practically unexplored whether corporations should inform all stakeholders about pending or successfully accomplished hacker attacks.
The objective of this paper is to explore the ethical foundations of this issue from the positions of utilitarianism, normative ethics and consequentialism. More specifically, the paper argues that a company should, under any circumstances, disclose successful penetrations of its networks to its customers and other concerned parties.
Background of the problem
Corporate hacking has become one of the most important concerns of security analysts. Although the growth of Internet commerce has brought many benefits to the community, it has also brought a great many threats, financial and, in some circumstances, security related. To illustrate, in the breach disclosed in May 2014, unknown attackers compromised eBay's corporate network, exposing the hashed passwords, physical addresses, phone numbers, usernames and other sensitive data of roughly 145 million users (VPN Pick, 2015). Although the company stated that the financially sensitive information of its users was protected (its report says that payment data was encrypted and stored separately), concern about possible identity theft became one of the hottest topics on the company forum. On November 24, 2014 a group of hackers known as the Guardians of Peace broke into Sony Pictures' corporate network, wiping its corporate systems and leaking huge amounts of confidential company documents onto the web (Harrington, 2014). As a result of this leak, Sony's controversial antipiracy policies, its lobbying in the United States Congress and compromising personal emails of company employees became available to the general public. Although the attackers' initial demands appeared to be pure extortion, the company eventually cancelled the theatrical release of 'The Interview' in response to the attackers' threats (ibid.). Finally, the 2011 breach of Citigroup, in which the attackers obtained account data of about 200,000 customers, showed that even an internationally respected financial institution can be successfully assaulted (Harrington, 2014).
The facts mentioned above are based on corporate press releases. However, analysts are unanimous that the overwhelming majority of cyber-attacks are carried out with the objective of extorting money from corporations, while only a tiny portion aim at attracting public attention or pursuing political objectives (Freedman & Mann, 1997). Therefore, the hackers usually do not publicize a successful penetration before some sort of settlement with the attacked corporation is reached. Consequently, the corporations are left with two viable alternatives. In the first scenario, they inform the general public about the existing threat and use all their technological resources to tackle the problem. The second scenario involves negotiating with the hackers, paying the ransom and continuing operations as if nothing had happened. The second scenario generally seems more favourable to the business community for several reasons (Harper, 2011). Primarily, reputation remains unaffected: several market studies show that when a breach becomes publicly known, a significant outflow of existing and potential customers is likely (Harrington, 2014; Harper, 2011). Secondly, the company does not need to spend huge sums on hiring technology specialists to neutralize the vulnerability, a saving that is illusory if the vulnerability remains open to the same or other attackers.
However, there is no guarantee that the hackers will never use the obtained data in the future. In contrast to physical items, which can be returned upon payment of a ransom, stolen information can be copied without limit; the hackers may keep it and use it if a more profitable option arises later. A variety of ethical issues therefore become relevant under such a scenario. Firstly, companies need to understand whether they are ethically bound to inform all stakeholders about the breach. Secondly, if the answer is positive, it is important to understand whether any exceptions to the rule apply. Contemporary business scholars mostly recommend utilitarian and normative ethical frameworks for analysing such dilemmas (Jones, Parker & Bos, 2005).
Utilitarian approach to the problem
The theory of utilitarianism stipulates that the moral action is the one which maximizes utility (Frederick, 2012). Utility is parsed into various theoretical and practical dimensions, but most commonly it includes pleasure, financial well-being and the absence of any form of economic or physical suffering (Duska, 2007). Utilitarianism is a form of consequentialism, which holds that not the action itself but its consequences are what matter to the decision-maker (ibid.). The theory was developed in the works of Jeremy Bentham and John Stuart Mill.
Later works of these philosophers indicated that 'pleasure' should be construed as the pleasure of the entire community, not of the decision-maker only (Frederick, 2012). Concealing the fact of a corporate breach may be positive for the company from the financial and reputational points of view, but it is hardly consistent with the financial and personal interests of the corporate stakeholders. Moreover, the internationally acknowledged philosopher Karl Popper argued that the principle of maximizing pleasure should not override the principle of minimizing pain (Duska, 2007). Corporate customers and other stakeholders may enjoy some form of pleasure if they are not informed about the service provider's information-security problems, but the underlying problems may turn out to be devastating to them.
Therefore, in order to understand whether intentional disclosure of hacking attacks should be practised by international corporations, the possible consequences should be carefully examined. Practice demonstrates that the most widespread results of data leakage include financial fraud, identity theft, extortion of users, money laundering and other negative financial outcomes (Harrington, 2014). Furthermore, it is reasonable to assume that if a corporation fails to reach a settlement with the extortionists, they will pursue other methods of monetizing their attack, which are always time and resource consuming. In the majority of cases, the most lucrative opportunity is to sell the obtained sensitive information or to use it for extortion or financial fraud (Harper, 2011).
On the other hand, if a company acting in good faith informs its customers and partners in a timely and appropriate manner that their information has reached unintended recipients, their cooperation with the company may largely neutralize the effects of the assault. A notification to the banking institution, a change of passwords and other basic response measures may be sufficient to render the stolen information useless, although data that cannot be changed, such as addresses or dates of birth, remains exposed. Analytical studies have shown that processing and exploiting compromised personal information requires significant time on the criminals' side (each account has to be processed individually), while users can change their credentials or notify their bank within minutes (Harrington, 2014). No reliable technology exists today that can avert the outcomes of a successful network breach after the fact; hence, notifying the stakeholders is the most recommended option for the companies.
Although the utilitarian arguments may seem clear, they have attracted a lot of criticism. Firstly, the critics argue that utilitarianism ignores justice (Jones, Parker & Bos, 2005): allowing decision-makers to weigh pleasures against pains may lead to havoc in any corporate setting. Sometimes disclosure of a breach will be immensely positive for a large number of customers while being unjust in general. Secondly, the utilitarian approach is often criticized for being 'too demanding' of the decision-maker (ibid.). Indeed, it provides no alternative but to act in the way which promises positive consequences for the community. But, as many scholars observe, a life full of good deeds is always a hard life (Duska, 2007). In corporate parlance, this means that companies may risk their financial existence when taking ethically consistent decisions.
Consequently, it is reasonable to conclude that the outcomes of nondisclosure will always be negative. The utilitarian interpretation of the ethical dilemma dictates that the company should always disclose the facts about hacking attacks, without alternatives. Scholarly works on this subject fully support this conclusion, but at the same time they note one major exception (Frederick, 2012). In particular, scholars advocate that companies (or other affected bodies) should not disclose information on security issues if the ensuing panic is expected to be significant. For instance, information about exploited vulnerabilities of a major banking institution may result in an unprecedented outflow of deposits, which may undermine the foundations of the national financial system. The 2011 attack on Morgan Stanley is an apt illustration in this regard (Harrington, 2014).
Normative Interpretation
The essence of normative ethics lies in its prescriptive nature. A rule which is fixed somewhere, known to the ethical decision-makers and to the recipients of their actions, and whose value is commonly shared by those parties, defines which action is ethical and which is not (Duska, 2007). Even the highly developed United States law on information does not comprehensively mandate companies to disclose successful hacking attacks against them (Harrington, 2014): there is no general federal breach-notification statute, and the duties that do exist form a patchwork of state laws (California's, in force since 2003, being the first) and sector-specific rules, so beyond those triggers disclosure remains a matter of corporate discretion. Therefore, under the normative approach the use of this discretion should be regulated either by a legislative framework (which no legal system has yet adopted comprehensively, although the European Union's proposal is in the pipeline), by the regulatory policies of professional associations, or by the internal constitutional documents of the corporation. To date, there is no verified data that the constitutional documents of any corporation contain clauses prescribing disclosure of hacking attacks (Frederick, 2012). Furthermore, not a single professional association (e.g. the American Business Association, North America Business Association, American Association of IT Companies and many others) has a clear position regarding corporate disclosures, in spite of the fact that their regulatory policies are otherwise intricate and sophisticated.
Furthermore, for a specific rule to be considered 'fixed', it need not be reflected in writing. A rule may be deemed fixed if the relevant business community has developed a custom which is known to all key participants of a specific industry (Duska, 2007). At present, the statement that all facts about hacking attacks are disclosed contradicts reality. Analysts share the opinion that corporations publicize only the most flagrant attacks, those which cannot be hidden without trace.
Contemporary and classic schools of normative ethics hold that any act which is not regulated by some norm (either fixed or customary) is ethical by default (Frederick, 2012). Consequently, a successfully concealed breach of a corporate network may be ethical in the normative dimension. Thus, in the light of the obviously harmful outcomes of breaches, the corporate community of the USA is strongly recommended to regulate this matter legislatively (or at least quasi-legislatively).
In sum, practice illustrates that the corporate world is perplexed by a newly discovered ethical dilemma: whether or not to tell customers about the situation. Disclosure may help them protect their personal finances or confidential information from further exploitation by the evildoers. At the same time, it may negatively affect corporate reputation, which always leads to huge financial losses. The utilitarian ethical dimension mandates firms to follow a straightforward policy in this regard: always disclose.
The normative approach is more flexible, holding that not revealing such facts may be tolerated from the ethical point of view if no rule mandates the firm to act otherwise. However, given that the utilitarian approach is more practice-focused and prevalent among contemporary business ethics specialists, it is reasonable to conclude that disclosing successful cyber-attacks should become a 'best practice' ethical standard for the USA and international business communities.
Drahos, P. & Braithwaite, J. (2002). Information feudalism: Who owns the knowledge economy? London: Earthscan.
Duska, R. (2007). Contemporary reflections on business ethics. Dordrecht, the Netherlands: Springer.
Frederick, R. (2002). A companion to business ethics. Oxford: Blackwell.
Freedman, D. & Mann, C. (1997). At large: The strange case of the world's biggest Internet invasion. New York, NY: Simon & Schuster.
Harper, A. (2011). Gray hat hacking: The ethical hacker's handbook. New York, NY: McGraw-Hill.
Harrington, S. L. (2014). Cyber security active defense: Playing with fire or sound risk management? Richmond Journal of Law & Technology, 20(4), 1-42. Retrieved from http://works.bepress.com/cgi/viewcontent.cgi?article=1001&context=sl_harrington
Jones, C., Parker, M. & Bos, R. (2005). For business ethics. London and New York: Routledge.
VPN Pick. (2015). eBay hacked, all users requested to change passwords. Retrieved from http://vpnpick.com/ebay-hacked-users-requested-change-passwords/