Albert Einstein once said, “If I had one hour to save the world, I would spend 55 minutes defining the problem and only five minutes finding the solution.”

So how can we even begin to define cyberspace and take baby steps towards enabling the good and disabling the bad?  This is part two of a three part series on cyberethics. Last time, I described the need for regular online cyber check-ups, similar to visits to our dentists’ or doctors’ offices.

Moving on, and attempting to follow Einstein’s advice, let's try to articulate some of our ethical problems that need to be addressed as we navigate through cyberspace.

Back in January 2011, I was invited to the Luther College Center for Ethics and Public Life in Decorah, Iowa. It was an eye-opening and rewarding experience. I was excited to engage in conversations with students, and I was able to discuss various cybersecurity and cyberethics topics with the faculty at Luther College. There were several opportunities for open discussions and a Q/A session regarding my book. I was especially impressed by Dr. Sören Steding, who is an outstanding professor and thoughtful leader.

But the main purpose of my visit was to present an evening speech on the import role of cyberethics in the 21^st century. Here's an excerpt, beginning with with this question:

How would you finish this sentence: “The Internet is…”

That is, how would you briefly describe the Internet, or cyberspace, or the World Wide Web? Here are some of the popular answers I’ve heard:

1. The Internet is the greatest invention since the printing press. Billions of users sending trillions times trillions of bits. It is now my new TV, my phone, and my must-have mobile device. Cloud computing lets me access information at anytime from anywhere on the earth with my smartphone. We’re heading for the Dick Tracy watch.

2. The Internet is a wonderful tool. It is infrastructure like a digital superhighway, a great multi-purpose communication device, quick access to specific news and sports, and more. It enables all of my new technologies to work together; it’s like a glue that packages my weather and social networks sites like Facebook or Twitter.

3. The Internet is fun—We can dream online. The Web offers global gaming and virtual worlds. I love Halo, World of Warcraft, Counter-Strike, and other games. My friends and I constantly find interesting and new things to do, and I’m never bored online. In virtual reality, I enter Second Life and travel to distant places without leaving my house. I can see things that I’ve only dreamed of where I live. I interact with exciting, fun people from around the world despite my tight budget.

4. The Internet is how We learn. 21st century education is about distance learning. I do all my research online. I take classes in Arizona while sitting at home in Michigan. Or, I just Google it. We multi-task. (PBS did a segment on how young people multi-task today and how that affects the brain. Teenagers typically do math homework, chat with friends, download Facebook pictures, and write term papers, and watch videos, all at the same time.)

5. Cyberspace offers new commerce. My friends love shopping online. We buy stuff from Amazon or Walmart.com. (Christmas sales were up over 15% this year.) We can search for jobs online and find new career opportunities on the other side of the country that we only dreamed about a decade ago. We can even shop for jobs.

6. The Internet is all about ministry. My church, or soup kitchen, or non-profit group, or mission team does so much online, and we reach out to other cultures. We communicate with others on the front lines in Africa or Vanuatu over the Internet. Our fundraisers or calls-for action can touch thousands of families globally and raise millions of dollars for the needy. We can tell amazing stories people need to hear.

But others might say — Hold on a minute. Is the Internet really only a force for good? What about Internet predators, child porn, plagiarism, identity theft, or other online crimes? Some are afraid of the Internet and online banking. Or, others worry about “big brother” and predict that the book 1984 is coming true.

Perhaps these people would finish the sentence:

7. The Internet is evil. I know people who are afraid of cyberspace, not because they can’t learn the technology or figure out how to use it, but because they fear the impact of being tempted, misled or even robbed online.

8. The Internet forces Information Overload: Too much data coming at me all at once, and we don’t know what to listen to or who to trust anymore. The Web is really people connected by computers. But do we really know these people and are they being honest? Are they being paid to say that? What are their motives? Which blogs should we read and which ones should we ignore? If you google: “When did Columbus discover America?” you will get different answers. Some viewed sources don't even believe that Columbus discovered America at all.

We could go on and on:

9. The Internet enables e-Government. We can reserve campground, renew my driver’s licenses or reserve a spot at a National Park campground online.

10. Cyberspace feeds my cravings for real-time sports and even fantasy sports teams.

11. Or the Internet takes up too much of my time. We can’t seem to turn it off or find work/life balance.

So how would I finish the sentence?

I believe the Internet is best described as an accelerator, like the gas pedal in your car. The World Wide Web is making almost everything go faster. While radio and TV played this role in the 20th century, the Internet is swallowing both—offering podcasts and videos on demand. Messages that took months to deliver centuries ago can now be delivered instantly. But in our brave new web, what is “viral” online today is often old news a week from now.

Like a gas pedal, the Internet is benign. Not a force for good or evil, but both good and evil now wage their battles online in the 21st century. It is our newest battle front. Just as the printing press vastly expanded the spread of ideas through books and enabled the Renaissance and Reformation, the World Wide Web is creating a new e-Renaissance in numerous areas.

As Americans, we worry about such hot topics as unemployment, wars overseas, rising levels of debt, local education, global warming, and perhaps Presidential politics. And yet, unless you’ve been the victim of cyber crime or published a book online, you probably haven’t thought very much about how cyberspace is impacting your life—in both positive and negative ways. The Internet both defines and reflects the culture we live in.

Which leads me to my second question: Why should society care about cyberethics? But before I answer that question, I want to provide a few basic definitions…

 »» Ethics are the rules or standards that govern conduct.

 How do I live my life and make my decisions? Everyone has ethics. One of the best ways of thinking about ethics is to take a quick look at what you believe and then think about how you would react when those beliefs are challenged. But to agree on ethics, we must agree on what is moral or the difference between right and wrong.

 So, if ethics is the study of behaviors and conduct and how what we believe affects how we live, then what is cyberethics? In cyberspace, what’s allowed on your network? What do we actually do? Are our actions different online than offline?

 These are vital topics in the 21st century because the norm is to have different ethical standards or boundaries for online life. We frequently hear, “It doesn’t count the same” or “People do or say things online anonymously that they would never to face to face with someone in real life.”

 Also: Who can we trust online and offline? Why? While many think cyberspace is separate or not as relevant as offline life, our online and offline lives are rapidly merging together as never before.

 How Can Society and Individuals Be Safe Online?

If the Internet is like the accelerator in your car, than cyberethics are the brakes. Our brakes help us maneuver through tough online turns and help reach the desired destination safely.

A teacher asked a class, “Why do we have brakes on a car?” A bunch of children raised their hands. One person blurted out, “To slow down!” Someone else said, “To stop!”

The teacher paused, smiled and said quietly, “We need breaks so we can drive faster without crashing. Brakes allow us to arrive at our destination safely and in one piece.”

The same is true of cyberethics. We need cyber brakes when we go online. Our cyberethics can inform and transform how we navigate through cyberspace.

Other Views on the Internet? 

 One respected researcher and colleague, Andris Ozols, answered the questions this way: "The Internet is a disruptor of time, space and linerarity.  It shifts and reorders traditional sequences and transforms the order of things." 

So how do you define cyberspace? What do you really like about the Internet, and what are the online problems that you worry most about? I'd really love to hear your thoughts.

 Next time, I’ll wrap up this mini-series with some action steps we can take regarding cyberethics at home and work.

  When we go to the dentist for our semi-annual checkup and teeth cleaning, we typically get asked a series of questions about recent patterns of personal behavior. After a few moments of small talk about the weather and traffic, my dental hygienist (abbreviated hereafter in this blog as DH) always jumps straight to the point:

DH – “Been brushing?”

Dan – “Yes!” (with confidence)

DH – “Flossing?”

Dan – (This time softer, with a sheepish frown and a bit of fear) “More often than before…”

DH – “How often?”

Dan – “Well… two or three times a week?” (I’m asking myself: why I’m afraid of these questions…)

DH – “Uh huh, I’d say that’s slightly exaggerated …” (As she looks at my teeth…)

Dan – “I know. I’ll do better next time…”

DH – (After a painful long pause, she continues with a smile and a bit of concern in her voice.) “You’ve come a long way from where you were, but stick with it. And don’t forget to use mouthwash.”

Dan – “Got it. Thanks.” (I offer a brief smile. I’m glad that she really does care and hold me accountable. After all, it’s my teeth we’re talking about.)

 A Cyber Check-up?

Does the scenario at the dentist’s office sound familiar? (Hopefully, you floss more than I do.)

If not, perhaps you can relate better to a regular physical at your doctor’s office. After the nurse gets your weight, pulse, blood pressure, temperature, etc, the doctor typically asks a series of questions about your diet and whether you’re getting enough exercise. Of course, good doctors are trying to go deeper than just today’s numbers on the chart and look at overall health trends. Adjustments are required when the pattern is leading in troublesome directions.

Perhaps it’s time for instituting a regular cyber check-up? No, I’m not talking about running diagnostics on your car or placing chips in your brain.

I’m talking about a regularly-scheduled, honest, open discussion about online life at home and work.

You may be thinking: Sure, I get the significance of the dentist’s and the doctor’s office check-up, but why is this online-life check-up so important? What issues need to be discussed? How does this impact business and government security? What’s at stake for my family and career?

This is the first in a series of three blogs on the personal and professional impacts of cyberethics. I'm starting with the scope of the challenges we face at home and work. Next, I'll be describing some current difficult “staff-oriented” security situations that government and business enterprises must address. Finally, I will conclude with a blog offering some potential solutions and hurdles to overcome moving forward.

Along the way, I will use a few excerpts from my book Virtual Integrity: Faithfully Navigating the Brave New Web. While the book was published in 2008, most of the online problems, trends and ethical challenges described have only increased in the past four years with the explosion in use of social media sites and mobile computing. The majority of Internet predictions made have already taken place (faster than I thought), and many blog readers are now always-connected to the Net.  I believe that children and adults need regularly refreshed cyberethics educational lessons, motivating challenges and even occasional reminders. In short, our shortage of online trust will only get worse unless these trends are reversed. 

Topics in Cyberethics: Almost Everything Online Is Included

Back in 2008, The Carnegie Institute held a forum entitled: Cyberethics: The Emerging Codes of Online Conduct. The expert speakers included Michael Getler, Rita J. King, Alex Koppelman and Steve Clemons. The cyberethics discussion mainly focused on online news and ethical issues in media, and yet the   topics ranged from our identity to using anonymity, from online news to the future of newspapers, from citizen journalism to “unaccountable” blogs, from information overload to policing truth and from Second Life (virtual worlds) to political campaigns.

Other interesting background articles on this cyberethics topic include an assortment of information systems pieces at Mississippi State University’s website and the Effect of Legal Ethics in a Business World. You can access the official office of government ethics website, and there are also plenty of private watchdog websites that oversee potential government ethics violations. Furthermore, almost everyone is aware of the major ethics violations stemming from news stories like Bernie Madoff, Libor-manipulation or the Enron scandal.

And yet, cyberethics factor into almost every policy and rule that government enterprises implement at the local, state and federal levels. Sure, improved awareness training is vital, but as I have repeated in several interviews, "Darth Vader was well trained."

The intentions of employees may be good, but what is actually happening on the ground (on the networks?) How are staff truly behaving and how are policies being enforced? For a partial range of potential issues at home and in the office, see this table entitled: "Cyber Conduct - Personal Consequences lead to Societal and Criminal Impact." This table was first published on page 86 of Virtual Integrity.

The truth is that the cyberethics and online activities of the workforce is a pivotal, foundational issue for every business and government organization. The often discussed “insider threat issue” pertains to not only internal “expert hackers” or professional bad guys trying to steal money and/or intellectual property, but all employees need to take notice. Each of us plays a role in defending the enterprise from cyber attacks, stopping malware (not clicking on bad links) as well as avoiding potential costly legal issues such as e-discovery wild goose chases, plagiarism claims and copyright violations.

Your Future Is At Stake

In addition, what I think most people miss is that their own family and career is at stake. In a worst-case scenario, I have seen staff lose their jobs, families divided, marriages torn apart or even people go to jail over ethical violations online. More often, online actions of personnel can cause problems for security teams, weaken the enterprise, cause a security breach or hurt someone’s reputation or their chances for promotion.

 But just as important as avoiding these negative consequences and staying out of newspaper headlines, I am starting to see online behaviors and the need for a regular cyber check-up as more and more like our dental or doctor’s office check-up. Yes, the wrong diet or lack of exercise or not flossing my teeth has negative ramifications in life. And the right diet and exercise and flossing can also strengthen overall health and enable positive things in the future.  

Just as my friends who run marathons tell me that they “feel it” later when they miss training days, I think we each feel it if/when we are engaged in ethical violations online – no matter how small. The individual and the enterprise will eventually suffer in some way. If the behavior continues, the eventual impact will only grow.

In the same way, balancing online and offline life, behaving in appropriate ways online at home and work, “surfing your values” and forming intentional good habits in cyberspace will lead to personal and professional success and enable the many good possibilities in our careers.

Next time, I’ll provide more specific online examples and explore the concept of online accountability further.

What are your thoughts on cyberethics? How does your business balance the people, process and technology aspects of cybersecurity?

“What’s the best way to become more engaged in this security buzz?”

This was just one question I was asked this past week in Illinois.  Like other events that I attended over the past year, plenty of people wanted to know how to become a cyber security professional. Several project managers, programmers and even call center specialists asked me how they could “get their careers retooled” in order to move into security. I am seeing this quite a bit around the world.

Why Illinois?

   I had the opportunity to travel to Springfield, Illinois, during this past week to speak at the Illinois Cyber Security Forum. This blog offers some of the highlights, random thoughts and lessons learned during the trip.

    I always enjoy comparing notes with other technology and security pros from around the country. I also learn from the questions people are asking, the level of interest expressed, the specific focus areas and what’s on their mind during the breaks as they urgently try to return emails and phone calls.

   My biggest take-away was the similarities we are facing regarding cyber as states and local governments and all levels of education. The conversations offered some good validation for me as well as many new professional contacts and follow-up actions.

More Background:

The event was held immediately following the Illinois Digital Government Summit, and well over two hundred people attended the Cyber Forum from all over Illinois and some surrounding states. I was invited to the event by Rafael Diaz, the Chief Information Security Officer for the State of Illinois. I’ve know Rafael for several years now, and he is a respected colleague who is doing excellent work in a very complex government environment. 

We can learn quite a bit from agendas. Notice the topics covered at the Illinois Digital Summit, the Illinois Cyber Forum as well as the upcoming Michigan Digital Summit:

The topics covered at the Illinois Digital Summit included

• BYOD
• Managed Services - Benefits and Challenges
• Application Modernization and Rationalization
• Health IT Today
• Business Intelligence - Making Sense of Data
• Mobile Device Management
• The CEO and CIO
• Cool Mobile Apps
• Future of Broadband in Illinois
• Big Data

The topics covered at the Illinois Cyber Security Forum included:

• Evolving Cyber Threat Landscape
• BYOD
• Security in the Cloud
• Mobile Workforce
• Big Data and Its Impact
• Exposing Online Information

Topics to be covered at Upcoming Michigan Digital Summit in early October 2012:

• BYOD - Opportunity and Peril
• Big Data - Learning to Leverage It
• Continuity of Operations and the Cloud
• Public Safety Technology
• The Global Threat Environment
• Citizen Engagement
• Virtual Desktop - Does It Save Money?
• A New World of Business Analytics

As you go through these lists, you see some definite trends emerging around BYOD, Big Data, cross-boundry sharing and various aspects of the serious security threat we face. Securing mobile and "The Cloud" are very hot right now.

In Michigan, we decided to not have a cyber summit in 2012, since we are sponsoring a Michigan Cyber Breakfast Series all over the state. You can view some of those videos here. We will be having a Michigan Cyber Summit in the fall of 2013.

The speakers in Illinois came from both the public and private sectors. I was very impressed with the excellent content at the event, and I noticed that more and more speakers are telling personal stories. I think this is a welcome development to help the audience relate to the complex topics related to cybersecurity.

Top messages:

           - BYOD + very mobile are hot

           - Big push on securing apps

           - The cyber threat is growing

           - More students are getting into cyber security

           - Business area leaders (as opposed to the technology leaders) are seeing the security need, but are asking specific questions related to their role(s)

           - Many questions regarding relevant cyber-awareness training that helps reduce risk

           - I was a bit surprised by the lack of public questions. However, questions were flowing rapidly at the reception after the event. Many people feel more comfortable asking questions in a 1x1 situation.

Most Surprising?

During one of my conversations, I was told that most of the technology and security professionals in the City of Chicago were spending their days last week feeding children breakfast and lunch at the public schools where the teachers were on strike. Wow! I applaud the dedication and “other duties as assigned.” These employees are to be thanked for their dedication. However, this situation also shows how government employees are pulled in multiple directions.  They must find it difficult to get their projects completed on time and on budget.

My overall impression is that state and local governments are dealing with very similar issues around the country – even if we have different governance models. Illinois is very decentralized in their technology management, while Michigan state government is centralized with IT governance. Nevertheless, as the agendas reveal – we are all facing similar challenges with cybersecurity.

One last thing: If you get to Springfield, Illinois, don’t miss the Abraham Lincoln Presidential Library & Museum. It is awesome!

Any attendees at the Illinois Cyber Forum want to share your thoughts?

Over the past few days, numerous news sources reported that President Obama is strongly considering an executive order on cybersecurity. Here’s a sampling of the news reports:

BloombergBusinessweek: Obama Weighs Executive Order to Defend Against Cyber Attacks

“The program, to be managed by the Department of Homeland Security, would establish cybersecurity standards that companies could voluntarily adopt to better protect banks, telecommunication networks and the U.S. power grid from electronic attacks, the officials, who have seen the draft, said on condition of anonymity because the document hasn’t been made public….”

Federalnewsradio.com: White House draft cyber order promotes voluntary critical infrastructure protections

“The White House so far has failed to get a bill passed by both houses of Congress to improve the cybersecurity of the nation's critical infrastructure, so they want to take an alternative approach.

The administration has created a draft executive order detailing how, within its authority, it would improve the information assurance of the nation's critical infrastructure, such as the power grid and financial industries.

The draft EO includes eight sections, including the requirement to develop a way for industry to submit threat and vulnerability data to the government….”

Theverge.com: After CISPA's failure, White House considers executive order to implement cybersecurity law

“With Congress unable to pass legislation strengthening cybersecurity in the US, President Obama is taking matters into his own hands. The Hill reports that the White House has drafted an executive order establishing an opt-in program that lays out best practices for companies operating critical infrastructure, such as railways and the water supply….”

Should We Wait?

Meanwhile, there are other groups, members of Congress and industry experts that urge more patience while a bipartisan deal can be struck. They point out that there are strong differences of opinion on what steps to take to help resolve major deficiencies. Here are some of those voices:

The Foundry (Heritage Foundation blog by Steven Bucci): A Cybersecurity Executive Fiat Is a Very Bad Idea

“… Is it wise to proceed on this issue by unilateral executive action? Absolutely not!

First, why did the Cybersecurity Act of 2012 fail to pass? Was it political spite, or election year partisan wrangling? Some might think that, because they believe that anyone who disagrees with them is clearly motivated by power politics. This is ridiculous. The reason the bill did not pass was because there are reasonable and serious policy differences regarding how the nation should approach the growing challenge of cybersecurity. These differing camps are not at opposite ends of the political spectrum, but are spread throughout the American ideological landscape….”

Richard Steinnon, a globally recognized author and cybersecurity expert, also wrote “There is no need for a cybersecurity executive order,” in Forbes.

A Sense of Urgency

However, it appears that unless a very quick deal is struck with Congress, an executive order will be issued soon. Back in July, the President issued a rare op-ed piece in the Wall Street Journal, regarding the serious cybersecurity situation we face as a country. Here’s how President Obama begins:

“In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.

Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.

Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.”

My View

While I am torn on this issue of an executive order, I certainly think cybersecurity action is needed soon. In a Governing Magazine article, Cyber Security Act’s Failure Leaves Infrastructure Vulnerable, by Steve Towns, I described my views in detail. Here’s one summary quote from the Governing Magazine Editor:

“Lohrmann, who now oversees all cyber and physical security for Michigan state government, won’t take political sides on the latest measure. But he’s adamant -- as are most other security professionals -- that more must be done to protect the nation’s critical infrastructure from attack.”

Trend: Cybersecurity Is Becoming Political

Which leads to the sad trend that I see developing now:  cybersecurity is becoming more political. Thehill.com wrote: “Democratic platform diverges with GOP on cybersecurity.” Here’s an excerpt:

“… The Democratic Party said it would continue this push to boost the security of the nation's critical computer systems and networks from hackers, terrorist networks and hostile countries looking to wreak damage against infrastructure that's key to public safety and the economy. 

"We will continue to take steps to deter, prevent, detect, and defend against cyber intrusions by investing in cutting-edge research and development, promoting cybersecurity awareness and digital literacy, and strengthening private sector and international partnerships," the platform reads. 

It's a far cry from the GOP platform approved at the party's convention last week. In their cybersecurity plank, Republicans argued that Obama's approach to cybersecurity has been too regulatory and reliant on defensive capabilities….” 

In summary, it appears that an executive order on cybersecurity is coming before our upcoming election day. We all want to know: What’s in that exec order? Will the actions taken last very long, and what’s next for cybersecurity in our nation? However, these questions may depend on how America votes on November 6.

What are your thoughts on an executive order on cybersecurity?