The Code of Honor

A comprehensive and practical framework for ethical practices in contemporary cybersecurity

While some professions – including medicine, law, and engineering – have wholeheartedly embraced wide-ranging codes of ethics and conduct, the field of cybersecurity continues to lack an overarching ethical standard. This vacuum constitutes a significant threat to the safety of consumers and businesses around the world, slows commerce, and delays innovation.

The Code of Honor: Embracing Ethics in Cybersecurity delivers a first of its kind comprehensive discussion of the ethical challenges that face contemporary information security workers, managers, and executives. Authors Ed Skoudis, President of the SANS Technology Institute College and founder of the Counter Hack team, and Dr. Paul Maurer, President of Montreat College, explain how timeless ethical wisdom gives birth to the Cybersecurity Code which is currently being adopted by security practitioners and leaders around the world.

This practical book tells numerous engaging stories that highlight ethically complex situations many cybersecurity and tech professionals commonly encounter. It also contains compelling real-world case studies – called Critical Applications – at the end of each chapter that help the reader determine how to apply the hands-on skills described in the book.

You'll also find:

• A complete system of cybersecurity ethics relevant to C-suite leaders and executives, front-line cybersecurity practitioners, and students preparing for careers in cybersecurity.
• Carefully crafted frameworks for ethical decision-making in cybersecurity.
• Timeless principles based on those adopted in countless professions, creeds, and civilizations.

Perfect for security leaders, operations center analysts, incident responders, threat hunters, forensics personnel, and penetration testers, The Code of Honor is an up-to-date and engaging read about the ethically challenging world of modern cybersecurity that will earn a place in the libraries of aspiring and practicing professionals and leaders who deal with tech every day.

Introduction: “Like Your Hair Is On Fire” ix

Chapter 1 One Code to Rule Them All? 1

In Case You Are Wondering Why You Should Care 3

Do We Need Ethics in Cybersecurity? 6

Long-Standing Models for the Code 9

Why the Need for the Code Is Urgent 11

Chapter 2 This Is a Human Business 15

Cybersecurity Is a Human Business 18

Humans Have Inherent Value 20

Humans Over Technology 21

The Solution to the Problem of Cybersecurity Is Principally a Human Solution 24

Character Costs and Character Pays 25

Case Study: When Security Is on the Chopping Block 27

Chapter 3 To Serve and Protect 33

We Need You on That Wall 35

Know Your Why— Purpose and People 37

Service Means Sharing: Sharing Starts with Good Communication 42

Sharing with the Broader Cyber Community: We Are All on the Same Wall 44

Checking In 46

A Final Example 47

Case Study: Responsible Disclosure of a Security Flaw 48

Chapter 4 “Zero-Day” Humanity and Accountability 51

Bad Decisions and Multiplication 52

Humans Are Flawed 55

Turning Vulnerability into Strength: It Begins with Humility 56

Being a Lifelong Learner 60

Handling the Mistakes of Others 62

Let’s Try to Avoid “Breaking Bad” 63

How to Develop a Reflective Practice 67

Case Study: To Pay or Not to Pay— A Ransomware Quandary 69

Chapter 5 It Begins and Ends with Trust 75

The Secret of Success 77

Trust Is the Currency of Cybersecurity 80

How Trust Is Built 82

When Things Go Bad 83

Building Trust Requires Courage 84

The Role of Leadership in Building a Culture of Trust 87

A Checklist for Building Trust 90

Case Study: A Matter of Trust and Data Breaches 93

Chapter 6 There Is Strength in the Pack 99

No Room for Know-it-Alls 103

Making Informed Ethical Decisions with Input 105

Why Teamwork Really Does Make the Dream Work 106

When Collaboration Breaks Down— Seeking Allies in Your Organization 110

The Power of Mentors 111

Beware of Rattlesnakes 115

Case Study: Graded on a Curve? The Security Audit Checkmark 117

Chapter 7 Practicing Cyber Kung Fu 123

Essential to Success: Patience, Wisdom, and Self-Control 128

Remember the Titanic 129

A Few Principles for Emergency Planning 131

Stay Calm, Cool, and Collected 132

Our Job Is Not Revenge 136

Develop Your Cyber Kung Fu 138

Case Study: An Open Door: Vigilante Justice 139

Chapter 8 No Sticky Fingers Allowed 143

If It’s Free, It’s for Me? 146

Avoid a “Robin Hood” Narrative 148

A Tragedy of “Free Information” 150

Intellectual Property Is Property 151

To Catch a Thief, We Must Train Like One 154

Choices Have Consequences 154

All I Really Need to Know I Learned in Kindergarten 156

Case Study: Something Borrowed and Something New 157

Chapter 9 It’s None of Your Business 163

Curiosity Can Kill the Cat 167

The Golden Rule Applied to Cybersecurity 169

Stay in Your Lane 170

Four Questions to Help Avoid Impropriety 172

Each Time You Cross the Line, It Becomes Easier 173

We Hurt Real Human Beings 175

An Outrageous Example of the Problem 177

Remember: We Are the Shield 179

Case Study: To Share or Not to Share? Investigating the CFO’s System 181

Appendix A: The Cybersecurity Code of Honor 185

Appendix B: Where Do We Go from Here? 189

Notes 191

Acknowledgments 193

About the Authors 197

Index 199

PAUL J. MAURER, PhD, is the president of Montreat College, a national leader in cybersecurity education and workforce development. After being approached by the NSA to create a curriculum on cybersecurity ethics for our nation’s students preparing for cybersecurity careers, Paul was convinced this book needed to be written. He speaks and writes frequently on a wide range of topics, but regularly does so on cybersecurity across the country.

ED SKOUDIS serves as president of the SANS Technology Institute College, the country’s leading provider of cybersecurity professional development. Ed began teaching at the SANS Institute in 1999 and has trained over 30,000 cybersecurity professionals in incident response and ethical hacking, codifying many of the practices used throughout the industry today. He is the recipient of the Order of Thor medal from the Military Cyber Professionals Association and is the author of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses.

Many professions—including medicine, law, and engineering—have long required their practitioners to embrace and abide by an overarching code of ethics and conduct. Cybersecurity, possibly due to its more fragmented and distributed nature, has never had such a code. The gap left by the absence of an ethical standard is a significant threat to the safety of consumers and businesses around the world.

In The Code of Honor: Embracing Ethics in Cybersecurity, Ed Skoudis, president of SANS.edu and Paul Maurer, president of Montreat College, deliver a comprehensive discussion of the ethical challenges facing contemporary workers, managers, and executives. This book explains and establishes ethical best practices for the tech industry. The need is so compelling that security practitioners and leaders around the world are currently incorporating this code into the fabric of their corporate culture and hiring policies.

You’ll take a deep dive into many of the high-stakes situations commonly encountered. Compelling case studies—called Critical Applications in the book—included at the end of each chapter demonstrate how to use the hands-on skills being explored within.

You’ll discover a complete system of cybersecurity ethics relevant to everyone from C-suite leaders and executives to ground-level cybersecurity pros. This carefully crafted framework of ethical decision-making in cybersecurity is rooted in timeless principles of ethics.

An essential resource for security analysts, incident responders, threat hunters, forensics experts, penetration testers, red teamers, security researchers, security architects, CISOs, and any other cybersecurity professional, The Code of Honor is timely and practical for the ever-increasing challenges that are rampant in the modern world of cybersecurity.

A blueprint for a comprehensive system of cybersecurity ethics

The Code of Honor: Embracing Ethics in Cybersecurity tackles the pressing need for an ethical framework in the rapidly evolving field of cybersecurity. As authors Ed Skoudis, a renowned cybersecurity instructor for SANS, and Dr. Paul Maurer, president of Montreat College, point out, cybersecurity has long been a domain without a unified code of conduct. This absence poses significant risks to both consumers and businesses worldwide.

This book is an absolute “must-have” for cybersecurity workers, managers, and executives who are in the tech world, but also for all those who work and run companies who serve the public, especially those kinds of essential services that we all engage in like healthcare, government, and commerce (including banks, airlines, grocery stores, etc.). An inescapable web of digital connections undergirds our lives. This creates enormous vulnerabilities and opportunities for corruption, which only highlights the need for a moral compass, a code of honor. Ethics is not something you just wake up one day and do, but rather it is a way of thinking that must be taught, practiced, and understood over time so that it can be fully developed within an individual, a team, and a company. This book provides a way forward through engaging discussions, best practice guidelines, and real-world case studies.

Rapid advancement and evolution in the cyber world have caused it to lag behind in the creation of an overarching ethical standard for the people who secure the underlying technologies. Without this, ultimately cyber cannot be trusted, chaos will be the norm, and the maturing of an industry will be stymied not to mention the loss of benefits that naturally grow out of a thriving field that is grounded in integrity.

Perfect for managers and executives who seek to sharpen knowledge of cyber ethics and security, The Code of Honor is also an indispensable guide for security analysts, incident responders, threat hunters, forensic experts, and penetration testers. It offers a sophisticated and hands-on framework for the integration of ethical standards from across the cyber world that takes into account the unique characteristics of this complex industry. This is a call to action for everyone in cyber to adopt a new code of honor to safeguard the digital world.