How Far Should IT Practitioners Go to Police Corrupt Data?
FBI Director James Comey Worries about Manipulated Information
One of FBI Director James Comey's biggest concerns is the manipulation of information stored on government, business and private computers.
"It's not just even the loss of data. Increasingly, we are worried about the corruption of data," Comey said at a Boston College cybersecurity conference on March 8. "Think about the harm someone could do by an intrusion at a blood bank and changing blood types, an intrusion at a financial institution and changing just a few digits in the holdings of an institution."
The topic of data manipulation is also one advanced by Intel Security Group Senior Vice President Chris Young, who wrote in a recent blog: "We rely on big data to drive decisions, so the small data going into our big data models must have full integrity. When it's manipulated, it's turned into a weapon and used against us. Big data isn't the problem, but when big data becomes bad data, then small data is the big story. Weaponized data is the next threat vector challenging all of us in cybersecurity. In fact, I submit that weaponized data is the newest form of advanced persistent threat."
And it's the responsibility - the ethical duty - of IT and IT security practitioners to assure data and systems integrity, one of the three core principles of IT security known as CIA: confidentiality, integrity and availability. "An essential aim of computing professionals is to minimize negative consequences of computing systems, including threats to health and safety," reads the Association for Computing Machinery Code of Ethics and Professional Conduct.
Most of what Comey and Young refer to is the unauthorized manipulation of data: hackers, for instance, altering data for financial, political or social gain, or a boss instructing a computer specialist to change data to falsely show a company is in a stronger fiscal position than it is.
But in this era of fake news, what about data that weren't manipulated, but based on wrong assumptions or outright lies? Should IT and IT security practitioners who protect their governments, businesses and society against manipulated data do the same for data based on "alternative facts?"
Do No Harm
Like physicians' Hippocratic Oath - "do no harm" - the ACM Code of Ethics states that computer professionals must avoid harming others: "'Harm' means injury or negative consequences, such as undesirable loss of information, loss of property, property damage or unwanted environmental impacts."
I raise this concern because of what's happening in the federal government, at agencies such as the Environmental Protection Agency, with a new administrator - Scott Pruitt - who's a climate-change denier. An overwhelming number of published studies - 97 percent - document that climate change is real. Climate change is fact.
Pruitt is beginning to staff key jobs at the EPA with other skeptics of climate change, according to The New York Times, a view that may not be shared by the vast majority of the agency's professional staff and scientists.
[A check of EPA.gov shows that the scientifically acceptable definition of climate change that describes the impact of humans on greenhouse gas emissions remains on the agency's website, three weeks into Pruitt's tenure as its administrator.]
Scientists overly concerned that climate change information might vanish in the Trump administration frantically began copying U.S. climate data in the run up to President Donald Trump's inauguration on Jan. 20, according to a number of published reports, including this story in the Washington Post. "Scientists are right to preserve data and archive websites before those who want to dismantle federal climate change research programs storm the castle," Michael Halpern, deputy director of the Center for Science and Democracy at the advocacy group Union of Concerned Scientists, told the Post.
But what should be the responsibilities of the IT and IT security professionals at the EPA and other government agencies in assuring the integrity of data stored in government computer systems or used to produce reports or transact business if they know the information is based on falsehoods? Should they block use of such information in computer systems?
When the authors of the ACM Code of Ethics referenced "unwanted environmental impacts," they likely were not thinking of data administrators or systems developers becoming a line of defense against devastating floods caused by climate change. It's the integrity of the computing environment they're referencing. Still, should codes of ethics be viewed like the U.S. Constitution, open to new interpretations as situations change as the years progress?
'Nothing to Do with IT'
Security technologist and author Bruce Schneier says IT and IT security practitioners should not police false information if the data were not manipulated. "It has nothing to do with IT," he said. "I don't think the IT community has any responsibility because it has no jurisdiction here. There's nothing the IT community can do if you decide to write lies in newspapers. There's nothing the IT community can do if you misquote me. If someone sneaks into your copy, and makes a change, yeah, I can make a system to detect that, but that's not what we're worried about."
But privacy and cyber law scholar Peter Swire is more nuanced than Schneier when evaluating the role of the IT and IT security practitioner in handling intentionally created false data. He doesn't suggest IT and IT security practitioners should ride roughshod over senior government officials who create data based on false assumptions, but they shouldn't ignore the distortion of facts, either. "The ethical and legal burden on the IT professional becomes greater when that kind of falsification is involved," says Swire, a law and ethics professor at Georgia Tech who served as chief counselor for privacy in the Bill Clinton administration and on President Barack Obama's Review Group on Intelligence and Communications Technology.
What are your thoughts on the role of IT and IT security practitioners in managing information used in information systems based on false assumptions? Please share your thoughts below.