September 11, 2017

Cornell Researchers Highlight Ethical Lapses in Recent Cybersecurity Failures


The internet is everywhere.

From simple dial-up connections on bulky computers, the spread of internet access to watches, cameras, printers, refrigerators and televisions demonstrates the progress the computing industry has made. Connectivity is lauded for making our lives convenient and efficient.

However, the increasing frequency of malware attacks and data leaks suggests that advancements in cybersecurity are not keeping pace. As a testament to this fact, on Sept. 7, 143 million U.S. residents had personal information, such as their Social Security and driver’s license numbers, compromised at credit reporting agency Equifax. The Sun sat down with Prof. Stephen Wicker, electrical and computer engineering, and Prof. Emin Gun Sirer, computer science, to discuss related threats, ethical questions and solutions for the future.

A rising threat seems to be coming from malware known as ransomware. This past May, ransomware attacks impacted more than 10,000 organizations running Microsoft Corporation’s Windows operating system in over 150 countries. The malware responsible, WannaCry, was reportedly stolen from the U.S. National Security Agency in April.

Individuals, government agencies, academic institutions and businesses have all fallen victim to ransomware for nearly a decade. Such malware encrypts files on a computer and threatens to destroy them if a ransom, in bitcoins, is not paid within a certain period of time. Attacks have particularly affected hospitals, where doctors and nurses have lost access to patient records, putting lives at risk. In fact, earlier this year the Hollywood Presbyterian Medical Center in California paid $17,000 in bitcoins after being offline for a week due to malware attacks.

WannaCry originated from software the NSA used for data collection and surveillance that exploited vulnerabilities in Windows. Only after the software was stolen and used to carry out attacks did the NSA inform Microsoft of the vulnerabilities.

Incidents like these raise important questions about the origin of malware and the ethical responsibilities of its creators.

Wicker’s research is primarily focused on information systems and networks, with a particular emphasis on ethics and the law. He said that people misunderstand the NSA lapse as a legal issue when it is actually an ethical issue.

“Do the individuals and organizations involved have an ethical obligation?” Wicker said. “I think so.”

Wicker acknowledges that it is obviously important to continue security surveillance, for example, to prevent terror attacks, but the tradeoffs need to be properly considered.

“There are other ways to do police work, in my opinion,” Wicker said. He said he believes the NSA should have informed Microsoft of vulnerabilities in their software earlier.

“The government’s obligation to build a secure computing infrastructure overrides the intelligence community’s desire to collect data,” Gun Sirer said.

Similar questions arise for those responsible for keeping these devices secure.

After becoming aware of the vulnerabilities, Microsoft issued a patch to users to fix the bugs, but not all users complied. As a result, not all computers were secure, a phenomenon known as the “free-rider” system.

“This ‘free-rider’ problem — some manufacturers and users choosing to enjoy the benefits of the internet without taking the time and effort to maintain secure computing systems — is unethical, and is a problem that will get much worse as the internet of things continues to grow,” Wicker said.

As opposed to the computers that run Windows, many internet-connected devices do not have dedicated engineering teams issuing security patches, leaving them vulnerable to hacks.

Gun Sirer believes that vendors should be responsible for maintaining the security of computers and objects connected to the internet of things. Furthermore, he feels that it is much more important to fix vulnerabilities than to keep them a secret.

Finally, important questions have been raised about the regulation of currencies like bitcoin because it seems to be the preferred mode of ransom payment.

“Since organizations behind ransomware are large and underground, many of them go through the route of encrypting and holding files for ransom but many also outright steal bitcoins,” Gun Sirer said.

Ransom payments are hard to track because people are very likely to pay them, especially hospitals, which need immediate access to patient information. Additionally, without a central regulator that monitors the movement of coins, accurately tracking payments is nearly impossible. Finally, the coins are easily transferable between countries because they bypass traditional banking systems, allowing such attacks to spread easily.

Consequently, Gun Sirer’s research focuses on regulating and securing cryptocurrencies such as bitcoin. His team developed Volt technology, which enables people to override thefts and reclaim stolen tokens. Gun Sirer and his team have also helped different Cornell entities, including the University Treasurer, develop a disaster preparedness plan to combat such attacks.

While the immediate consequences of attacks over the past few months have been severe, they have opened up debates in both the intelligence and computing communities on the ethical questions in cybersecurity. Wicker and Gun Sirer specialize in different areas, but agree on some common principles: that surveillance, while necessary, cannot override the need to secure the data of average citizens, and that those responsible for building computer infrastructure need to keep it secure.