CyberEthics: Toward a Comprehensive Philosophy of Cybersecurity
An effective, surveyable account of Cybersecurity has yet to be written. This essay will attempt to circumscribe the challenges, various approaches and possible paths of development that the philosophy of cybersecurity could undertake. Just like any science or discipline, cybersecurity would require its own specific ontology, epistemology, ethics and perhaps even a metaphysics, not to mention a critical history and the intricacies of its particular application, including specific case-studies and, if possible, a proper delimitation of its central concepts and technical terms.
Cybersecurity aims to secure something. As a science, Cybersecurity has its own domain of inquiry and the types of objects it recognizes as relevant to its goals. One of the first steps would be to identify and delimit the types of things that cybersecurity, as a discipline, a technical practice and a science, takes note of. Defining these objects would be the task of an Ontology of Cybersecurity. It would also include the types of things (if any) that cybersecurity creates, constructs or invents. For lack of a better term, we will refer to these objects as inventory. Unlike the familiar definition of the word, inventory will now refer to anything that Cybersecurity would consider as an object of inquiry; this could include physical objects like computers, pieces of code, software, information, the physical layout of a room or a building and even human actors. An inventory item would be a part of a set-up, and a set-up would refer to a particular combination of inventory items. For instance, a room filled with computers that have valuable information on them could be considered a particular set-up, where each individual computer would be an inventory item. The same would apply to software: the internal configuration of a piece of software would be another set-up, with each setting representing an item, and so on. More obvious examples include financial systems, consumer electronics, corporate or government data, individual user data, patient medical reports, insurance companies, equipment in the energy sector etc.
Luckily, some significant progress has already been achieved in Cyberethics. Richard Spinello’s book “Cyberethics: Morality and law in cyberspace” is an excellent account of ethical issues in cybersecurity. Spinello touches upon issues of government regulation, free speech and censorship, intellectual property, privacy and security while presenting numerous case-studies and examples. Naturally, ethical questions in cybersecurity will overlap significantly with legal questions, but also with issues of freedom/autonomy, cyberviolence, personal identity and moral responsibility. Who gets the blame for data-leaks? How to tell the difference between a white hacker and a black hacker? What are the dangers of data surveillance? Where is the balance between freedom of information and infrastructure security? In short: Cyberethics investigates moral disputes as they pertain specifically to user-behavior in an online virtual space.
But what would an Epistemology of Cybersecurity look like? This is where it gets tricky. Epistemology studies the necessary conditions of knowledge. It is defined as the theory of knowledge. Epistemic questions try to account for foundational questions concerning knowledge. What needs to happen in order that we can know ‘x’? What are the conditions of possibility for knowing ‘x’? Things are complicated enough when we are dealing with clearly delimited spheres of knowledge like physics, biology, chemistry or mathematics. It gets much more complicated with domains of knowledge that are by nature applied and interdisciplinary, like medicine, bioengineering and, last but not least, cybersecurity itself. Cybersecurity is itself a branch of Cybernetics: it is applied Cybernetics, only one of its many instances. But reducing the philosophy of cybersecurity to a philosophy of cybernetics does little to solve the problem, as the latter is an interdisciplinary field itself. It draws on research from psychology, logic, biology and mechanics (not to mention other interdisciplinary fields like control systems, neuroscience, and electrical network theory). Therefore, if we wish to look for the epistemic grounds of cybernetics, leaving its applications and history aside, we would have to combine central concepts from at least most of the above-mentioned disciplines and come up with an integrated, perhaps even hybrid, epistemological grounding for a theory of cybernetics.
Finally, how would we go about establishing a cyber-metaphysics? The goal of metaphysics is to uncover the fundamental nature of reality. A metaphysics of cybernetics would try to investigate how cybernetics influences our understanding of reality. It would be an attempt to describe a cybernetic worldview. For instance, everything from simple software to virtual reality simulators has demonstrated the possibility of the existence of very particular types of objects (ontology), which are, strictly speaking, neither completely physical nor entirely abstract (like numbers, concepts and mental representations). Instead, there is both a physical and an abstract component to virtual reality. On the one hand, it is impossible to access a virtual reality without some physical input, like a computer screen or a keyboard, while on the other, these seemingly regular everyday objects (that we can touch, see and feel) operate as gateways into another reality, which is only partially tangible, i.e. we “touch” files “through” the mouse-button, but not directly. But we do seem to be looking at the same file the way we look at ordinary objects. This could lead to some remarkable observations: the fact, for instance, that virtual reality does not affect all the senses in the same way. At least a part of virtual reality is embedded in cultural practices and cannot be made sense of without specific training. How much of virtual reality is mind-independent, and how much of it is a construct of the human mind? All these questions and problems create new ways of perceiving and understanding the reality around us. It therefore becomes a non-trivial issue to reconstruct a phenomenology of hacking, or to situate virtual objects in an understandable conceptual field. A world without a cyberspace is not the same as a world with a cyberspace, and these two types of worlds require different metaphysical accounts.
Clearly, a comprehensive philosophy of cybersecurity is a serious undertaking. But luckily, philosophy does provide us with the necessary armament to achieve this. If we are successful, we will have at our disposal an effective conceptual tool-kit to navigate this complicated, interdisciplinary field much faster and more effectively than before. Whether cybernetics turns out to be reducible to a handful of basic concepts or, instead, proves to be irreducibly complex, we will at least have a practical and working map of the territory and a useful compass for the many people working in this field.
References
- Spinello, Richard. Cyberethics: Morality and law in cyberspace. Jones & Bartlett Learning, 2010.