COMPUTER SECURITY AND

ETHICS
We will now turn to ethical issues in computer and information security. In this section, the moral
importance of computer security will be assessed, as well as the relation between computer security and
national security.

The Moral Importance of Computer Security

Computer security is a field of computer science concerned with the application of security features to
computer systems to provide protection against the unauthorized disclosure, manipulation, or deletion of
information, and against denial of service. The condition resulting from these efforts is also called computer
security. The aim of computer security professionals is to attain protection of valuable information and
system resources. A distinction can be made between the security of system resources and the security of
information or data. The first may be called system security, and the second information security or data
security. System security is the protection of the hardware and software of a computer system against
malicious programs that sabotage system resources. Information security is the protection of data that
resides on disk drives on computer systems or is transmitted between systems. Information security is
customarily defined as concerned with the protection of three aspects of data: their confidentiality, integrity
and availability.

How does computer security pose ethical

issues?
As explained earlier, ethics is mostly concerned with rights, harms and interests. We may therefore answer
this question by exploring the relation between computer security and rights, harms and interests.

 What morally important benefits can computer security bring?

 What morally important harms or violations of moral rights can result from a lack of computer
security?
 Can computer security also cause harms or violate rights instead of preventing and protecting
them?

A first and perhaps most obvious harm that can occur from breaches of computer security is economic
harm. When system security is undermined, valuable hardware and software may be damaged or
corrupted and service may become unavailable, resulting in losses of time, money and resources.
Breaches of information security may come at an even higher economic cost. Valuable data may be lost or
corrupted that is worth much more than the hardware on which it is stored, and this may cause severe
economic losses. Stored data may also have personal, cultural or social value, as opposed to economic
value, that can be lost when data is corrupted or lost. Any type of loss of system or data security is
moreover likely to cause some amount of psychological or emotional harm.
Breaches of computer security may even cause grave harms like injury and death. This may occur in so-
called safety-critical systems, which are computer systems with a component or real-time control that can
have a direct life-threatening impact. Examples are computer systems in nuclear reactor control, aircraft
and air traffic control, missile systems and medical-treatment systems. The corruption of certain other types
of systems may also have life-threatening consequences in a more indirect way.
These may include systems that are used for design, monitoring, diagnosis or decision-making, for
instance systems used for bridge design or medical diagnosis. Compromises of the confidentiality of
information may cause additional harms and rights violations. Third parties may compromise the
confidentiality of information by accessing, copying and disseminating it. Such actions may, first of all,
violate property rights, including intellectual property rights, which are rights to own and use intellectual
creations such as artistic or literary works and industrial design. The information may be exclusively owned
by someone who has the right to determine who can access and use the information, and this right can be
violated.

Second, compromises of confidentiality may violate privacy rights. This occurs when information that is
accessed includes information about persons that is considered to be private. In addition to violations of
property and privacy rights, breaches of confidentiality may also cause a variety of other harms resulting
from the dissemination and use of confidential information. For instance, dissemination of internal memos
of a firm damages its reputation, and compromises of the confidentiality of online credit card transactions
undermines trust in the security of online financial transactions and harms e-banking and e-commerce
activity.

Compromises of the availability of information can, when they are prolonged or intentional, violate freedom
rights, specifically rights to freedom of information and free speech. Freedom of information is the right to
access and use public information. Jeroen van den Hoven has argued that access to information has
become a moral right of citizens in the information age, because information has become a primary social
good: a major resource necessary for people to be successful in society. Shutting down vital information
services could violate this right to information. In addition, computer networks have become important as a
medium for speech. Websites, e-mail, bulletin boards, and other services are widely used to spread
messages and communicate with others. When access to such services is blocked, for instance through
denial of service attacks or hijackings of websites, such acts are properly classified as violations of free
speech. Computer security measures normally prevent harms and protect rights, but they can also cause
harm and violate rights. Notably, security measures may be so protective of information and system
resources that they discourage or prevent stakeholders from accessing information or using services.
Security measures may also be discriminatory: they may wrongly exclude certain classes of users from
using a system, or may wrongly privilege certain classes of users over others.

Computer Security and National Security

Developments in computer security have been greatly influenced by the September 11, 2001 terrorist
attacks in the United States and their aftermath. In response to these attacks, national security has become
a major policy concern of Western nations. National security is the maintenance of the integrity and survival
of the nation-state and its institutions by taking measures to defend it from threats, particularly threats from
the outside. Many new laws, directives and programs protective of national security have come into place
in Western nations after 9/11, including the creation in the U.S. of an entire Department of Homeland
Security. The major emphasis in these initiatives is the protection of state interests against terrorist attacks.
Information technology has acquired a dual role in this quest for national security. First of all, computer
security has become a major priority, particularly the protection of critical information infrastructure from
external threats. Government computers, but also other public and private infrastructure, including the
Internet and telephone network, have been subjected to stepped-up security measures. Secondly,
governments have attempted to gain more control over public and private information infrastructures. They
have done this through wiretapping and data interception, by requiring Internet providers and telephone
companies to store phone and e-mail communications records and make them available to law
enforcement officials, by attempting to outlaw certain forms of encryption, or even through attempts to
require companies to reengineer Internet so that eavesdropping by the government is made easier.
Paradoxically, these efforts by governments to gain more control over information also lessen certain forms
of security: they make computers less secure from access by government agencies.

Philosopher Helen Nissenbaum has argued that the current concern for national security has resulted in a
new conception of computer security next to the classical one. The classical or ordinary conception of
computer security is the one used by the technical community and defines computer security in terms of
systems security and integrity, availability and confidentiality of data. Nissenbaum calls this technical
computer security. The other, which she calls cybersecurity, involves the protection of information
infrastructure against threats to national interests. Such threats have come to be defined more broadly than
terrorism, and have nowadays come to include all kinds of threats to public order, including internet crime,
online child pornography, computer viruses, and racist and hate-inducing websites. At the heart of
cybersecurity, however, are concerns for national security, and especially the state’s vulnerability to
terrorist attacks.

Nissenbaum emphasizes that technical computer security and cybersecurity have different conceptions of
the aims of computer security and the

measures that need to be taken. Technical computer security aims to protect the private interests of
individuals and organizations, specifically owners and users of computer systems and data. Cybersecurity
aims to protect the interests of the nation-state and conceives of computer security

as a component of national security. Technical computer security measures mostly protect computer
systems from outside attacks. Cybersecurity initiatives include such protective measures as well, but in
addition include measures to gain access to computer systems and control information. The two
conceptions of security come into conflict when they recommend opposite measures. For instance, cyber-
security may require computers system to be opened up to remote government inspection or may require
government access to websites to shut them down, while technical computer security may prohibit such
actions. The different interests of technical computer security and cybersecurity can in this way create
moral dilemmas: should priority be given to state interests or to the interests and rights of private parties?
This points to the larger dilemma of how to balance national security interests against civil rights after 9/11.