Should I be worried about where my cybersecurity students will end up?

Teaching students to hack is necessary to show them how to defend against it – but we need to do more to instil ethics, says Andy Farnell  

March 17, 2022
Man with his hands on his head, students in fancy dress and sticks of dynamite against a backdrop of circuitry
Source: Getty/Alamy montage

As the West braces itself for the expected wave of cyber attacks from Russia, in retaliation for the unprecedented sanctions it has imposed on the Russian economy, I am painfully aware that some of the hackers involved may have been trained in the West. Perhaps some of them were even trained by me.

Cybersecurity is taught in two stages. First comes “red team” craft: how to attack, infiltrate and destroy computer systems. Then we teach the “blue team” defensive posture. The bad stuff comes first so students know what they are up against.

Each semester, a few creeps will ask me how to hack their lover’s phone, and the class turns to relationship therapy. Amusing as that may sound, though, such questions are harbingers of more serious problems. Some students appear more interested in what the hackers are up against. Others attend the offensive classes, but never even show up for defence.

Some of those students are from UK or US companies whose ethics are questionable. Some are from nations that are centres of global cybercrime, or, like Russia, are openly hostile to liberal democratic values. I note that Osama bin Laden’s training as a mujahideen fighter in Afghanistan was conducted by US special forces.

As teachers, we’re mostly unaware of moral hazards lurking beyond our classrooms. Brain drains and misuses abound. Loyalty, supervision by professional bodies and Hippocratic oaths make weak safeguards. But is such wilful ignorance really an option in cybersecurity?

One root issue is that there are no “ethics” in “ethical hacking” – literally: the subject is not part of the syllabus. Officially, we give no guidance beyond the parochial legal caution to stay out of trouble – mainly to defend the university against liability.

This absence of personal or social values raises the question of whether we should be teaching hacking at all. Apparently, there’s lots of “demand”. But demand for what? To prepare more guards for the corporate castle? To help law enforcement or intelligence workers beef up penetration, surveillance and forensic skills? To help teachers, journalists, politicians protect their digital lives? To turbocharge activism by teaching do-gooders to hack the bad guys? 

All these kinds of students attend my class, but the ones I worry about most are obviously the future cyber-criminals and enemy cyber-warriors. I know they are there; I just don’t know who they are. And neither, necessarily, do they – not until they graduate, cannot get a legitimate job, perhaps get deported, and discover that their skills are in great demand elsewhere. Perhaps there is more we can do to help students find the right kind of jobs, but that is for another article.

Remember “Prevent”? This was the UK government programme whereby, from 2011, we in UK higher education were all supposed to contribute to safeguarding the nation against radicalisation. Perhaps it was the resentment caused by our weeks of unpaid compulsory “training”; perhaps it was that parts of the agenda (regarded as instructions to spy on and ethnically profile students) were struck down in court in 2019. In any case, it fizzled out. But along with it went many laudable attempts to bring up discussion of cultural values, propaganda and vulnerability to recruitment.

Within that framework, I would not know how to even start talking about cybersecurity today. Is demand for it actually created because we teach software engineering badly; shouldn’t we give more attention to building things better instead of fixing up the things we build fast and cheap? Why is the UK government engaging in a foolish tussle with end-to-end encryption, the bedrock of security, while Europe pushes in the opposite direction to enshrine privacy as a right? What to say about the Israeli NSO company – author of the controversial Pegasus spyware that allows governments to monitor smartphones – when half my students think it should be banned and the other half would like to work for it?

I look out for the well-being of all my students wherever they hail from, whatever their politics and wherever they are headed. But should I keep a closer eye on some nationalities than others? To raise these concerns risks accusations of politicisation or racism, but cybersecurity is inevitably a maelstrom of challenging ethics because computers affect so much of our lives. For the same reason, it is inseparable from global politics.

To reframe this argument in terms that financialised institutions can understand: do the profits made by educating students from potentially hostile groups and towards potentially hostile ends outweigh the risks doing so brings to the educating nation’s economic and national security?

I’d say yes – but only if we fully realise the meaning of “ethical hacking”. My students don’t just learn hacking skills from me. I also work hard to diffuse “liberal” values, such as democracy, mutual respect, tolerance of dissent, individual rights to privacy and equal economic participation. I also try to instil deep scepticism towards the technological dystopia that some states and corporations are building.

But is this enough? As I watch freedom under siege in Ukraine, and as we all prepare for the apparently inevitable Russian cyber onslaught, I can’t help but wonder.

Andy Farnell is a visiting and associate professor in signals, systems and cybersecurity at a range of European universities. His latest book, Ethics for Hackers, will be published later this year.

POSTSCRIPT:

Print headline: Should I worry about where my cybersecurity students will end up?

Register to continue

Why register?

  • Registration is free and only takes a moment
  • Once registered, you can read 3 articles a month
  • Sign up for our newsletter
Register
Please Login or Register to read this article.

Related articles

Reader's comments (2)

ALL computer science students need to learn ethics! There is too much potential to do harm, deliberately or through unintended consequences of decisions made, in our craft to send them out without an understanding of ethical issues and how to address them. It's also a requirement to get a course accredited by the likes of the British Computer Society (BCS, in the UK) or the Association of Computer Machinery (ACM in the USA) for students to take and pass a module on the topic. I have the honour and pleasure of teaching this to our students. I teach them ethical theory, ethics and morals (and a bit of law), and we look at IT in society, cybercrime, and the future of technology. Throughout I teach them how to recognise an ethical quandary, equip them with the tools to analyse it and determine a course of action, and the ability to argue the case for the opinions they have reached. I cannot tell them what to think, but they ought to know how they reached their own conclusions and whatever they decided to do, be able to do it on purpose not just drift into it unthinking. It's surprisingly well-received by a bunch of students who thought they'd come to university to learn how to code... especially as the class is at 9am on a Monday morning! Delivering it in the first year means that they can apply these tools throughout their university careers, never mind beyond... ... and as I like to remind them, I cannot tell them what ethical dilemmas they'll meet during their lives, that when I was their age, the World Wide Web did not even exist and 'mobile phones' were the size of a house brick with a battery life measured in minutes! I can give them the tools they need to address the issues that they will meet... I once spoke at BSides Manchester on this, a talk called "What Colour is Your Hat?" - BSides is a wonderful anarchic 'hacking conference', and I spoke on how to decide where you stood ethically, how to argue the case for the decisions you make. Talk is on YouTube, search BSides & the title (don't think I'm allowed to put links here).
The late (and great) Donn Parker who sadly passed away in September and who contributed significantly to the cyber security field was also one of the authors of the 1966 ACM code of ethics (Communications of the ACM 11.3 (1968)) - He viewed security very much through an ethical lens.

Sponsored