When ethics meets cybersecurity: how should vendor choose who to sell to?

When we talk about ethics in cybersecurity, it’s largely a matter of where researchers should draw the line so that their behaviour doesn’t start to resemble the black hats their tracking. But there are also serious choices to be made by the security vendors they work for in terms of who ultimately gets to use their products. After all, in the wrong hands, legitimate tools could make the world a darker place, and expose vendors to potential fines and reputational damage.

I spoke to some experts about this for an upcoming Infosecurity Magazine article.

Complexity is everywhere

Discussions around ethics and cybersecurity came to a head recently when WhatsApp launched legal proceedings against a well-known Israeli ‘cyber intelligence’ firm, NSO Group, alleging it had helped to develop and deploy malware that was subsequently used to spy on civilians in the Middle East and elsewhere.

Firms like these notoriously operate in a grey area, claiming they only sell their wares for legitimate law enforcement and intelligence uses. Yet what about the much larger market of ‘regular’ cybersecurity vendors? What controls have they, or should they have, in place to limit who gets hold of their kit? After all, deep packet inspection tools could be subverted by despotic regimes to monitor legitimate internet traffic, and IP address filtering to enforce rigorous state censorship, for example.

Trade association techUK has developed a lengthy guidance document for organisations not sure of where their legal obligations stand, and how to comply. But even then, programme manager, Dan Paterson, told me that it can be difficult for especially smaller vendors to conduct due diligence effectively, particularly in the tricky area of dual-use technologies.

No cause for concern?

Even if they can’t, there may be no cause for concern, according to Privacy International’s state surveillance program lead, Edin Omanovic. He told me that, in fact, current UK export rules rely too much on “non-binding and unenforced risk assessments”, which makes it easy for unscrupulous vendors to sell to hostile nations.

It’s a point echoed by Luta Security CEO, Katy Moussouris, who is helping the US government negotiate the global control regime known as the Wassenaar Arrangement. She suggested when I spoke to her that export controls in tech aren’t even really there to restrict the flow of goods outwards, but merely to give domestic governments a better understanding of what its companies are producing.

If that’s true, then what’s the harm? Well, there are still major risk calculations that organisations must undertake — and it’s not just about selling to authoritarian regimes, according to Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec).

“As with any other aspect of security, vendors need to consider risk when choosing their customers. Selling to the wrong customer might mean that a vendor has no way to support its product or resolve contractual disputes, resulting in wasted resources. It might mean that the vendor loses its unique IP, and ultimately its market position,” she explained to me.

“It might mean that the vendor loses the trust of many customers, if a new line of business opens those customers up to new threats. Even if there is no direct risk to the vendor itself, dealing with customers seen as unethical can still damage a business’s reputation. The vendor may still feel that going ahead with a sale is the right decision, but it needs to have weighed the risks beforehand.”

As with most things cybersecurity, therefore, it all boils down to risk management. And with CSR increasingly important in what is a crowded marketplace, ensuring you’re seen to be acting ethically is vitally important, even if export controls aren’t.