Editor’s note: I attended the recent RNT Cyber Ethics conference at Metro Tech’s Springlake Conference Center on behalf of the Oklahoma Center for the Advancement of Science & Technology. My question up-front was “why cyber ethics” vs. “cyber security?” I got my answer from keynote speaker Jonathan Kimmitt from the University of Tulsa. Below is an article I wrote on behalf of OCAST, with an abbreviated version published in today’s editions of The Oklahoman:
Life-and-death consequences can result from decisions made by computer network administrators to keep their systems secure from outside attackers, said Jonathan Kimmitt, chief information security officer for the University of Tulsa.
Exhibit A: The WannaCry ransomware cyber attack on medical facilities across Great Britain in the spring of 2017 that crippled the ability of state-run hospitals to provide medical care.
WannaCry put lives of patients in British hospitals at risk because of delays in surgeries and urgent care, Kimmitt told an audience at the recent RNT Cyber Ethics Conference 2018 at the Metro Technology Center Springlake conference center.
Kimmitt was the first of several keynote speakers and session leaders to address the ethics of cyber security at the two-day conference, sponsored by RNT Professional Services, a Norman-based company that provides cyber security risk assessments, training and security project management.
“It really does come down to ethics and decision making,” Kimmitt said. “If I were to release everyone’s information out into the world, would that be ethical? I would say it’s not. But if I allowed a system to be vulnerable, which caused someone to release that information, is that the same thing?”
In the WannaCry cyber attack, network administrators shared in the blame because they delayed updating their computer servers with Microsoft-recommended patches that would have kept the malware at bay.
“We had a bunch of server administrators in the U.K., who had that mentality, who said ‘we’re not going to update our servers, we’re not going to make any changes,’” Kimmitt said. “Those who are in IT hear that all the time. Well, their machines were unpatched, and, therefore, they got ransomware.”
Other conference speakers followed with similar themes.
Kevin Owens, principal at Spokane, Wash.-based Cerberus Cybersecurity, LLC, outlined how Russian cyber attackers took down much of the electric grid in Ukraine by using “spear-phishing” tactics to gain an administrative password.
In spear-phishing, attackers use personal information gathered online about targets to disguise themselves as a trustworthy friend or entity.
“The No. 1 thing that you guys can learn is we’ve got to learn to defeat spear-phishing,” Owens said. “This is the No. 1 way these guys are getting in. We need to train users.”
Tom Vincent, banking, compliance and data security/privacy attorney at GableGotwals, conducted a session on the importance of ensuring data security and privacy in a corporate setting.
“More and more it’s a financial issue,” Vincent said, citing a case where a pharmacy lost a $1.4 million judgment because personal data of a single customer was released by an employee. “You should not have security and privacy be an afterthought.”
There are many examples that show the importance that ethical decision-making plays in maintaining data security, said Teresa Rule, President of RNT Professional Services.
“When I was 11 years old, my cousin Susan’s diary was stolen by my other cousin and he read it out loud,” Rule said. “She was very embarrassed, but only the people at the dinner table heard it. But now if you were to steal someone’s electronic diary, it goes global. Remember Sony? Ashley Madison?”
“If you are the owner of a business or someone who is responsible for protecting data and you are not taking due diligence you are not being an ethical citizen.”
Jim Stafford writes about Oklahoma innovation and research and development topics on behalf of the Oklahoma Center for the Advancement of Science & Technology (OCAST).