
Boring Cybersecurity Theory: Ethics (Make Your Choice)

Security ethics are the guidelines a security professional uses to make appropriate decisions. Being ethical requires that you remain unbiased and maintain the security and confidentiality of private data. A strong sense of ethics helps you navigate your decisions as a cybersecurity professional while threat actors' tactics and techniques keep evolving. In this article, you'll explore the essential ethical principles that help you make informed, legal, and responsible decisions when facing an attack – not just to protect systems, but to protect people.

But more than that, this article invites you to reflect on a deeper question: what decision will you make? Because in cybersecurity, your actions – and the ethics behind them – shape not only your impact on the world but also the kind of professional you become.

With great power comes great responsibility. – Uncle Ben, Spider-Man (2002)

Ethical concerns and laws related to counterattacks

Now that you've explored how attacks work – and know that one day you might have the skills, access, and authority to respond to them – it's time to talk about something more controversial: counterattacks.

The idea of striking back may sound tempting. After all, if someone breaks into your system, shouldn’t you have the right to fight back?
But in cybersecurity, things are rarely that simple. What might feel like justice could quickly become a legal or ethical minefield.

So before you reach for your digital sword, let’s take a closer look at what a counterattack really means – and why, more often than not, professionals choose defense over revenge.

United States standpoint on counterattacks

You can't fight fire with fire. – "The Dark Knight" (2008)

In the U.S., launching a counterattack against a threat actor is illegal under laws such as the Computer Fraud and Abuse Act of 1986 and the Cybersecurity Information Sharing Act of 2015, among others: accessing or damaging a system you are not authorized to touch is a crime even when that system was just used to attack you. You can only defend. Counterattacking is treated as vigilantism. A vigilante is a person who is not a member of law enforcement but decides to stop a crime on their own. Because threat actors are criminals, a counterattack can also escalate the attack, causing even more damage and harm. Finally, if the threat actor in question is state-sponsored or a hacktivist, a counterattack can have serious international implications. A hacktivist is a person who uses hacking to achieve a political goal, such as promoting social change or civil disobedience.

For these reasons, the only individuals in the U.S. who are allowed to counterattack are approved employees of the federal government or military personnel.

International standpoint on counterattacks

Under international law, as analyzed in the Tallinn Manual (linked at the end of this section), a state – not a private individual or company – may lawfully take countermeasures against a cyber attack only if:

  • The countermeasure affects only the party responsible for the initial attack.
  • The attacker has first been called upon to stop, through a direct communication, and the countermeasure is aimed at making them stop rather than at punishing them.
  • The countermeasure is proportionate and does not escalate the situation.
  • Its effects can be reversed once the attacker stops.

Most organizations avoid counterattacking – and for good reason. It’s not just a matter of hitting back. The legal boundaries are fuzzy, the risks are high, and once you fire that digital shot, you can’t always control where it lands.

There’s a lot of uncertainty in defining what’s legal and what’s reckless. In most real-world cases, trying to “hack back” leads to more trouble – technical, legal, and reputational.

In 2006, the Israeli company Blue Security launched a creative anti-spam service. When users received spam, the system would automatically send opt-out requests back to the spammers – effectively overwhelming them with traffic.

It worked – for a moment.

But then a major spammer retaliated with a massive DDoS attack, targeting not only Blue Security but also its DNS provider. The attack disrupted numerous unrelated websites.

A few weeks later, Blue Security shut down operations entirely. The cost of the counterattack proved too high.

In cybersecurity, smart defense beats risky retaliation – every time.

To learn more about specific scenarios and ethical concerns from an international perspective, review the updates provided in the Tallinn Manual online.

Ethical principles and methodologies

Because counterattacks are generally disapproved of or outright illegal, the security field has developed frameworks and controls – such as the CIA triad and others discussed in earlier articles – to address confidentiality, privacy protection, and legal compliance. To better understand how these issues relate to the ethical obligations of cybersecurity professionals, let's review the following key concepts as they apply to using ethics to protect organizations and the people they serve.

Confidentiality means that only authorized users can access specific assets or data. In terms of professional ethics, confidentiality means maintaining a high level of respect for privacy in order to safeguard private assets and data.

Privacy protection means safeguarding personal information from unauthorized use. Personally identifiable information (PII) and sensitive personally identifiable information (SPII) are types of personal data that can cause people harm if stolen. PII is any information that can be used to infer an individual's identity, such as their name or phone number. SPII is a subset of PII that falls under stricter handling rules, such as Social Security numbers and credit card numbers. To safeguard PII and SPII effectively, security professionals have an ethical obligation to secure private information, identify security vulnerabilities, manage organizational risk, and align security with business goals.

Laws are rules that are recognized by a community and enforced by a governing entity. As a security professional, you have an ethical obligation to protect your organization, its internal infrastructure, and the people involved with it. To do this:

  • Remain unbiased and conduct your work honestly, responsibly, and with the highest respect for the law.
  • Be transparent and just, and rely on evidence.
  • Stay consistently invested in the work you are doing, so you can address issues that arise appropriately and ethically.
  • Stay informed and strive to advance your skills, so you can contribute to the betterment of the cyber landscape.

Let’s say you work for a hospital’s IT team. One morning, you discover that an employee accidentally sent a spreadsheet with patient data – including diagnoses and prescriptions – to the wrong email address. Oops.

Legally, under HIPAA, an impermissible disclosure like this is presumed to be a breach of protected health information (PHI) unless a documented risk assessment shows a low probability that the data was compromised – and in practice that usually means notification obligations. But beyond legal duties, there's also an ethical question: would you want someone to tell you if your medical information landed in the wrong inbox? Of course you would.

That’s where your role as a cybersecurity professional becomes more than just technical. You’re not just preventing incidents – you’re making sure your organization does the right thing when things go wrong. That includes owning up to mistakes, notifying affected patients, and helping rebuild trust.

As a future security professional, ethics will play a major role in your daily work. Knowing the relevant ethics and laws will help you make the right decisions if and when you face a security threat or an incident that results in a breach.
