The nature of hacking has changed in recent years with the change in usage of computing devices. How has hacking changed? In the early days of hacking, the primary purpose of hacking was to disrupt the workflow of an organization, business or government. At the time, we had PCs, while mobile devices, smart phones and tablets were not in wide usage. Viruses, worms and Trojan Horses were the common types of malware. It was relatively easy to disrupt a person’s usage of computers by damaging the operating system, which was stored on a hard drive. The operating system is copied from the hard drive into memory and runs from memory. Thus, a virus can be loaded in memory and change the files resident on the hard drive. This causes the PC to be unusable because the operating system has been changed. Current computing devices such as smart phones and tablets have the operating system “burned” into a chip, and it cannot be changed unless the chip, called a SoC (Software on a Chip), is rooted. Even though the operating system is burned into a chip, it can be changed by erasing the code from the chip electrically (EEPROM) and reloading the OS into the chip. Now, most hackers are after information and would rather steal information to either use it for monetary gain or to affect the operations of the government. For example, ransomware is currently the most dangerous type of malware in existence. The hacker can encrypt an organization’s data and then blackmail the organization in return for the key to decrypt the data. Hackers will steal medical information to scam Medicare. Other hackers will steal emails to embarrass political opponents.
Privacy? How is privacy now being affected by the high-tech companies? Currently, Google, Amazon, Twitter and Facebook collect information on every member they have. You agree to this collection and usage of your information when you sign the EULA to join any of these groups. If you want to join, you have to agree to allow them to collect this information or you can’t use their platform. Is this fair? Whether or not it’s fair, it is legal. Once the companies collect the information, they can use it any way they choose. They can sell it to other companies, to politicians, or to academics for research purposes. Why is this collection of information important and valuable? A security expert is never interested in what people say but rather in what they do. Sales and marketing experts also find focus groups and questionnaires less than completely accurate. Politicians rip their hair out at the inaccuracies of polls. Remember that the polls for the presidential race in 2016 had Hillary Clinton winning the election handily, in a landslide? Donald Trump won despite all the polls saying otherwise. It is a truism in security that words always lie but actions can never lie. In the case of polls, many people said they would vote one way and then actually voted differently when they got into the booth.
Another aspect of privacy. How do the high-tech companies manipulate data to suit their own ends? Do not make a judgment call on these companies’ political leanings; simply explain them in order to be accurate in your hypothesis. For example, it’s been reported in the news that a majority of Google’s high-level management leans to the liberal side and tends to support Democrats. This is not a judgment, simply what’s been reported in various press outlets. One professor reported in a congressional hearing that Google deliberately manipulates the sites that come up in a Google search in order to change voting patterns. https://amac.us/liberal-professor-warns-google-manipulating-voterson-a-massive-scale/ Is this possible? Is it desirable or dangerous for a private company to have this kind of power? If not, how can we stop it through legislation? How would you write a law to stop high-tech companies from gathering and using this information? Should these high-tech companies have this kind of power whether they wield it or not?
Individual privacy vs. law enforcement. Every law enforcement officer, including AG Barr, former DNI James Clapper, and other law enforcement and intelligence service leaders, has decried the ability of citizens to encrypt their data in a manner that prevents law enforcement from reading their emails or cracking the password. The current standard in encryption is PKI. With PKI it is impossible to crack the password and decrypt a message even though the code that encrypts the message is open source and publicly available. Having the source code of the PKI algorithm does not help in cracking and decrypting the message. The only option for law enforcement when they have a phone such as the iPhone from the San Bernardino terrorist is to try to guess the password. However, Apple and Android have both made it impossible to guess a password enough times to open the phone. iPhone and Android phones both have a feature that will “brick” the phone after a certain number of unsuccessful guesses at the password. When trying to crack the password for the phone acquired from the San Bernardino terrorist, the FBI realized they couldn’t do it and tried to use the court system to force Apple to install a back door into their phones and provide a master key to the FBI. This effort failed. Congress has tried many times over the years to assist law enforcement by passing a law that would require all companies building communications hardware, developing communications apps or encryption software to include a backdoor in their systems. Privacy advocates, usually composed of private citizens, have managed to defeat such legislation thus far. Privacy advocates have managed to make legislators understand that providing a master key to law enforcement guarantees that hackers will discover the backdoors and either steal the master key or develop their own.
Develop a hypothesis as to whether it would be better to have a back door into every system with a master key held by law enforcement, or whether it is better to enable private citizens to keep their communications private.
Intellectual property vs. the Internet. Intellectual property still exists in the age of the Internet and is still protected under the law. However, since it is possible to download or copy and paste almost anything off the Internet, intellectual property has been abused more and more often. There have been numerous examples of literary prizes awarded and then rescinded over plagiarism and theft of intellectual property. Currently China is open and above board about acquiring intellectual property. The government of China will not allow any company, particularly American companies, to conduct business in their country unless the company agrees to give up any intellectual property regarding the products they sell in China. Younger students today don’t think there is anything wrong with copying information off the Internet and presenting it as their own work. I have had discussions with students in which they proposed the idea that since they searched for the information on the Internet and then found it, they could copy it and present it as their own work. The concept of intellectual property seems to be falling by the wayside due to the Internet. Develop a hypothesis as to whether we should continue or even strengthen intellectual property laws, or whether we should simply abandon intellectual property laws and make anything that is posted on the Internet fair game.
Cyberterrorism vs. cyberwarfare. The only known instance of cyberterrorism in the world today is the Stuxnet worm, which was installed on computers in Iran to disable their nuclear reactors, which can produce weapons grade fissionable material to enable Iran to develop a nuclear warhead. The Stuxnet worm was discovered by Kaspersky Labs, which produced and marketed one of the most effective antivirus programs in the world. Kaspersky Labs traced the origins of the Stuxnet worm to the CIA. The Stuxnet worm was developed specifically to infect centrifuges in Iran’s nuclear plant to disrupt their nuclear development program. It has been reported that Israeli security agencies were heavily involved in the mission to load the worm. A few years later, an NSA employee took home various malware and tools that the agency used in their cyber operations and loaded them on his personal computer. The computer had Kaspersky Labs antivirus loaded on it and alerted Kaspersky to the infection, as antivirus programs are supposed to. It was reported that Israeli agents who were employed by Kaspersky reported that Kaspersky had ties to the Russian government. Shortly thereafter, US intelligence agencies released a report that Kaspersky had connections with the Russian government and recommended that Kaspersky antivirus and all other Kaspersky products be banned from Federal government computers. Considering the timing and sequence of events, was Kaspersky banned because they had ties to the Russian government, or were they banned because they exposed the Stuxnet worm and the CIA’s attempt at disabling the Iranian nuclear program? Some people would say that the CIA’s development and use of the Stuxnet worm was cyberwarfare. Others would say it was cyberterrorism. Which was it? Support your answer with research.
Edward Snowden, traitor or hero? Edward Snowden was a contractor for the NSA and a former employee of the CIA. Snowden released thousands, if not millions, of documents proving that various American intelligence agencies were violating their charters, if not actually violating laws, by gathering telephone conversations, emails, messages and various other communications of American citizens. Some people believe that Edward Snowden is a whistle-blower against the super-secret intelligence agencies for leaking those documents. Other people believe Snowden is a traitor for violating American laws and fleeing to Russia in order to claim asylum and remain out of prison. Develop a hypothesis as to whether Snowden is a whistle-blower or a traitor and support that hypothesis with research.
Wikileaks. Wikileaks is an international non-profit organization headed by Julian Assange, an Australian Internet activist. Wikileaks is responsible for releasing numerous news leaks and classified material from anonymous sources, including the documents leaked by Edward Snowden. When the Bank of America cut off Wikileaks’ donation accounts, the hacker group Anonymous hacked the Bank of America and forced them to reopen the Wikileaks account so that Wikileaks could continue to accept donations. Develop a hypothesis supported by research as to whether Wikileaks is essential to a free society or whether Wikileaks has damaged countries such as the United States through their release of confidential information. Remember that nothing Wikileaks has released has ever been proven to be false. Should Wikileaks be allowed to continue to exist? Does it provide a valuable service to average people by keeping them informed? Or should Wikileaks be shut down due to the damage it has caused various governments, highly placed officials and organizations?
Child protection in cyberspace. The Internet has become an integrated component of the learning process of children. Children have neither the maturity to understand the consequences of their actions nor the knowledge to protect themselves, so it is up to us to protect children when they are accessing the Internet. Dangers to children lurk on the Internet, from sex traffickers to kiddie porn developers to simple cyber-bullying. There are numerous laws currently in place to protect children. It is not possible in today’s learning environment to restrict children from accessing the Internet. That places any child so restricted at a terrible disadvantage in the learning process. Plus, these children will have to learn about the dangers so that they can be responsible adults and protect themselves when they grow mature enough to do so. Develop a hypothesis and support it with research. Are we going far enough with our current laws or do we need to expand the current protection laws in place? If you believe we should expand the laws, what laws would you pass to enhance our children’s safety?
Ethical vs. legal in cyberspace. We all know that there is quite a large difference between laws and ethics. What may be lawful may be ethical and what is ethical may often be illegal. Are the laws governing cybersecurity currently on the books enough to guide cybersecurity professionals, or would you say there are large gaps between ethical conduct and lawful conduct? It is unlikely that Congress will be able to pass any laws materially affecting the conduct of cybersecurity professionals. Apart from the partisan divide in Congress, the Senate and the President, which virtually guarantees that very few laws will get passed, there is also the fact that politicians are not tech-savvy enough to know what laws are necessary in today’s environment. It is a known fact that very few people will follow a rule or law unless there is a detrimental effect from failure to follow that law. If the penalties are not sufficiently large, many people will not modify their behavior. The only way to get people to follow laws is through the threat of force. Only the government can apply force. If we assume that laws cannot or will not be passed to govern the behavior of cybersecurity professionals, then we must fall back on ethical behavior. We must develop a code of ethics. What would be your recommendation for a code of ethics governing the behavior of a cybersecurity professional, and is there any way to enforce that code of ethics?