Companies Should Consider Cybersecurity a Matter of Ethics

Consumers are beginning to wonder, is it ethical to market and sell technology that leaves consumers and their homes vulnerable to hackers?

by Thomas Lee, San Francisco Chronicle / September 5, 2017

(TNS) -- A couple of years ago, a reader took issue with a column on cybersecurity. Why are we developing technology that connects everything in your home to the Internet, I asked, when we can’t even stop hackers from stealing credit card numbers or the latest episode of “Game of Thrones”?

The reader’s query: What are we supposed to do? Not innovate? Stop all progress?

Well, not exactly. But perhaps we should think twice about creating software or devices for consumers we can’t adequately protect. Cybersecurity should not just be a matter of technology but also one of morality. Is it ethical to market and sell technology that leaves consumers and their homes vulnerable to hackers?

Malcolm Harkins thinks these are worthy questions. Harkins spent 24 years at Intel Corp., rising to the position of chief security and privacy officer. Given the increasing number and audacity of hacks, he thinks we have reached a tipping point of sorts where corporations need a fundamental rethink of cybersecurity.

And Harkins really does mean fundamental. He argues that companies should formally classify protecting consumer data and privacy as a social responsibility, akin to combatting climate change, fighting poverty, or promoting diversity. Codifying cybersecurity into a company’s ethical DNA is the only way, he argues, to force businesses to weigh consumer safety and privacy risks before creating new products and services.

“We are focusing on the wrong things,” said Harkins, now chief security and trust officer for Cylance Inc. in Irvine. “Companies and boards should act on behalf of shareholders and society.”

Companies should ask themselves ‘Should we do this?’ versus just doing it, Harkins said.

In America, especially in Silicon Valley, we place a premium on the future, not the present. We equate new with better. We frequently create technology for the sake of creating technology.

At the same time, hacks are only getting more frequent and daring, from the 40 million credit card accounts stolen from Target to emails pilfered from Sony and the Democratic National Committee. And yet we’re already full steam ahead with autonomous vehicles, connected smart homes, and artificial intelligence.

There’s a multibillion-dollar industry of software security firms that claim they can protect this stuff. But in reality, they only offer patches and temporary fixes because the underlying architecture of the Internet was not supposed to manage so much data, said Basheer Janjua, founding chair and president of the CTO Forum, a group of top chief technology officers.

“The Internet was not originally designed for billions of people to be on it every day,” he said.

Making matters worse, the source code for popular technology like the Windows operating system is poorly written, said Janjua, noting hackers have frequently attacked flaws in Microsoft’s flagship product.

“We don’t do enough to protect customers,” Janjua said. “What is Microsoft waiting for? For Jesus to come down from heaven and fix these problems?” (Microsoft has drawn praise for the security features in Windows 10, its newest operating system, but older versions remain widely used and vulnerable.)

To go back to the drawing board would be costly and time-consuming, so companies choose to push forward and hope for the best, Janjua said.

That’s when cybersecurity becomes a matter of ethics.

Janjua asks: “Why are companies allowing consumers to interact with services and products that are not secure,” especially when they have the means to make them more secure?

What bothers Harkins the most is that many companies have now accepted hacking as just a cost of doing business. In a sense, they have already surrendered, he said.

Companies are saying, “‘We’ve got to accept that we are going to get hit,’” Harkins said. “You are giving up. You are going to have to compromise.”

Yes, nothing is 100 percent secure. But that doesn’t mean companies shouldn’t try. We know we can’t cure many diseases or completely eliminate poverty. However, people still attempt to do so.

An ethical code will force companies to rethink how they approach research and development. Instead of making stuff first and then worrying about data security later, companies will start from the premise that they need to protect consumer privacy before they start designing new products and services, Harkins said.

There is precedent for this. Many professional organizations like the American Medical Association and American Bar Association require members to follow a code of ethics. For example, doctors must pledge above all else not to harm a patient.

A code of ethics for cybersecurity will no doubt slow the pace of innovation, said Maurice Schweitzer, a professor of operations, information and decisions at the University of Pennsylvania’s Wharton School.

Ultimately, though, following such a code could boost companies’ reputations, Schweitzer said. Given the increasing number and severity of hacks, consumers will pay a premium for companies dedicated to security and privacy from the get-go, he said.

In any case, what’s wrong with taking a pause so we can catch our breath? The ethical quandaries technology poses to mankind are only going to get more complex as we increasingly outsource our lives to thinking machines.

That’s why a code of ethics is so important. Technology may come and go, but right and wrong never changes.

©2017 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.