DOI: 10.1145/2998551.2998553
invited-talk

On the Morality of Teaching Students IT Crime Skills: Extended Abstract

Published: 04 July 2016

ABSTRACT

This talk was presented at a joint session of the CSERC and SACLA 2016 conferences. The official printed version of the talk is contained in the SACLA proceedings.

In a nutshell the talk indicated how, in many disciplines, it has been necessary to teach students skills that may be used for the benefit or to the detriment of society. It is indeed true that many (or perhaps most) technologies and skills are not inherently good or bad, but are open for use or abuse --- and one cannot exclude knowledge from the curriculum purely based on the fact that such knowledge can be abused. One of the solutions often applied in the teaching context is to not teach students how to abuse such knowledge, which requires that those who want to abuse it need to actively acquire that missing piece of the puzzle on their own. This may be a simple step, but typically requires premeditation --- and thus limits impulsive abuse of the knowledge and provides an opportunity for reflection.

However, in many cases teaching offers a safe environment where students' ability to abuse such knowledge or skills is actively developed. The medical student (and, in particular, the surgical student) is familiarised with the structure of the body in the finest detail, which makes it possible to make safe incisions when performing an operation. The nerves and organs that are vulnerable during such procedures (and hence have to be navigated around) form part of this education. And such students are afforded the opportunity to practice the skills on cadavers and later under supervision of seasoned surgeons --- opportunities that are not available to the 'ordinary' criminal without a significant prior investment if such knowledge is to be used for criminal purposes. The surgeon necessarily has the ability to abuse this knowledge and commit, say, a murder leaving minimal traces. Yet, while a relatively high number of surgeons are educated each year, abuse of surgical skills is not a common occurrence. The total benefit society derives from having skilled surgeons far exceeds the negative consequences of teaching them surgical skills.

In computing similar needs for 'dangerous' skills exist. Penetration testers, for example, need skills to hack into systems that are on par with (or, preferably, exceed) the skills of the best criminal minds. In a slightly more indirect way, computer security professionals and digital forensic scientists need a deep understanding of how criminals breach system security --- an abstract overview of principles is typically not sufficient to become a proficient security or forensics specialist.

The paper argues that the controls on the abuse of such specialised knowledge often exist in the best possible form when professional communities form. To be a surgeon is something different from having surgical skills. And the route to become a surgeon includes becoming (and being) a medical doctor. Those communities are not only regulated by laws and professional codes of conduct, but members of the community form professional (and collegial) associations with other members of the community. Being a community instills a culture in the community --- and patient wellness is an inherent part of the values of such a community. Moreover, abusing the specialised skills often means that one will be ostracised from that community and lose the recognition and respect that members of such a community enjoy.

In computing the context is very different. Ironically, one of the few communities that articulate and discuss their values is the traditional hacker community. Acting outside the boundaries of a hacker community also typically implies expulsion from the community with a concomitant loss of access to the latest information about vulnerabilities and exploits. Unfortunately, there is no need for a criminal to become a member of such a traditional hacker community to abuse criminal skills. There is no progression through layers of communities where more accountability is assigned as one is entrusted with more skills.

It is worth pointing out that these 'layers' are not typical hierarchical orderings --- one of the specific limitations on professionals' actions is their knowledge of the boundaries within which they are allowed to function. A general practitioner is, in many instances, trained (and permitted) to perform surgery. However, relatively few general practitioners do. Performing surgery, or other activities (of which the details are not important for this paper) such as performing a lumbar puncture, inserting central intravenous lines or even authoritatively reading an electrocardiogram, is avoided by most general practitioners. However, some acquire the skill, perform these activities regularly and are professionally accountable. However, a general practitioner who suddenly one day decides to try to perform such an activity exceeds the boundaries of professional and knowingly acts outside the value system of his or her community.

In contrast, there are hardly any limits on what someone knowing something about computing is allowed to do (from the perspective of some relevant community). There are few boundaries that, if crossed, would lead to expulsion from any given community. And, where (formal or informal) expulsion can (in theory) happen, expulsion has no practical consequences.

In addition, the working conditions of many computing professionals have changed significantly over the years. They are no longer the specialists in white coats with privileged access to the computer room. They are no longer the 'magicians' who 'miraculously' solve other users' problems. They have become the custodians of corporate systems that are often experienced as obstacles in other employees' working lives. (Consider the propensity of IT management to enforce regular password changes despite the overwhelming evidence that such enforced changes weaken rather than improve the security of computing systems; such senseless rules frustrate users --- in particular when they cause them to be locked out of systems at critical points in their work; such policies alienate the employees in general from computing employees.) In addition, computing work has become much more project based and employees move from one project to the next, without becoming part of the organisations where they work. This is very similar to the experience of migrant labourers who move from one job to the next --- often going where the (agricultural or other) season creates a demand for labour. Hence computing professionals are often excluded from being full community members of the organisations where they work at any given moment.

This leads to a situation where no effective positive control (such as community values) applies to many computing professionals. Work conditions may make them the disgruntled employee or insider, which is known to be one of the biggest risks facing corporate systems.

Under these conditions it seems inappropriate to provide the general computing student with the skills to do harm. As noted above, any skill may be abused. To teach a general community about hacking, malware and similar concepts in an abstract manner is indeed required. However, transferring skills that can be directly used for harm (rather than good) is best left to happen once any given individual is embedded in a suitable community. As a specific example, the penetration testing community understands the value of trust --- without being trusted they will not be able to function as penetration testers. This value will be widely ascribed to in such a community. The penetration tester who abuses knowledge and access undermines the value of trust, and will be ostracised from the community. The penetration testing community is rather small (and its members do meet regularly), which means a person expelled from the community is unlikely to be employed in that industry ever again. Hence, the controls to entrust the individual with hacking skills do arise once the individual becomes a true member of that community. Arguably, similar arguments apply to other contexts where employees need the ability to use 'dangerous' skills.

The conclusion is therefore that it does not seem justifiable to provide the greater computing community with the skills to do harm; when such skills are 'instilled' some thought should be given to the community in which the skills may be applied. In the end increased professionalisation of computing careers is required. However, this will not be sufficient --- it needs to be augmented by a proper sense of community.

Unfortunately this conclusion leaves one with another dilemma: To become a member of a specific community, one typically needs the appropriate skills. Not teaching those skills to the greater population limits entry into the community. At this stage it seems many individuals interested in working in such fields where such a community is essential tend to acquire the skills on their own. However, this source of self-taught skilled applicants leads to a constant shortage of appropriately skilled employees in those fields. It also means that someone with a limited, but targeted skill set is often more likely to find employment in such an industry, rather than an educated professional who has been exposed to the larger computing milieu, including a formal exposure to computing ethics.

    • Published in

      ACM Other conferences
      CSERC '16: Proceedings of the Computer Science Education Research Conference 2016
      July 2016
      52 pages
      ISBN: 9781450344920
      DOI: 10.1145/2998551

      Copyright © 2016 Owner/Author

      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Qualifiers

      • invited-talk
      • Research
      • Refereed limited

      Acceptance Rates

      CSERC '16 Paper Acceptance Rate: 5 of 14 submissions, 36%
      Overall Acceptance Rate: 24 of 60 submissions, 40%
