It is common for professional societies and membership organizations to have a Code of Ethics intended to guide their members. Professionals working in the field of information security (INFOSEC) are often members of one or more of these entities, as are academic cyber security researchers and students desiring to enter the INFOSEC field.

专业协会和会员组织通常都有旨在指导其会员的《道德守则》 。 信息安全(INFOSEC)领域的专业人士通常是其中一个或多个实体的成员，而渴望进入INFOSEC领域的学术网络安全研究人员和学生也是如此。

In this article I will focus on three such entities: The IEEE and the Association for Computing Machinery (ACM), which are general professional societies with broad membership across many disciplines, and the Forum of Incident Response and Security Teams (FIRST), who “cooperatively handle computer security incidents and promote incident prevention programs”.

在本文中，我将重点介绍三个这样的实体： IEEE和计算机协会 (ACM)，它们是在许多学科中都有广泛成员的通用专业协会，以及事件响应和安全团队论坛 (FIRST)，它们“ 合作处理计算机安全事件并推广事件预防程序 ”。

Between mid-2018 and the end of 2019, all three of these professional bodies have been actively cultivating their codes of ethics :

从2018年中期到2019年底，这三个专业机构都在积极地培养自己的道德规范：

• The ACM, who first published an extensive code of ethics in 1992, most recently updated their Code of Ethics and Professional Conduct in June 2018 after an open multi-draft revision process.

  ACM于1992年首次发布了广泛的道德规范，在经过开放式多草稿修订程序后，最近于2018年6月更新了其《道德规范和专业行为守则》 。

• The IEEE , whose original Code of Principles of Professional Conduct goes back to 1912, announced its most recent proposed revisions to its Code of Ethics on January 10, 2020. Member and volunteer comments will be accepted until April 10, 2020.

  IEEE的原始《专业行为准则》可追溯到1912年 ，其2020年1月10 日宣布了其最新的《道德准则》 修订版。成员和志愿者的意见将在2020年4月10日之前接受。

• The Ethics Special Interest Group of FIRST announced their proposed Ethics for Incident Response and Security Teams (EthicsfIRST) in December, 2019. Their open comment period ended in January 2020.

  FIRST的道德规范特别兴趣小组于2019年12月宣布了其拟议的事件响应和安全团队道德规范(EthicsfIRST) 。其公开意见征询期于2020年1月结束。

To frame an analysis of the codes for these entities, I will assume a perspective from the subset of INFOSEC professionals involved in digital forensics and incident response (DFIR) and threat intelligence and kinds of actions associated with countering criminal activity by taking over and dismantling malicious botnets. I’ve examined several such case studies in my publications and presentations over the years, in some of which I participated.

为了对这些实体的代码进行分析，我将以INFOSEC专业人士的一个视角为例，这些专家涉及数字取证和 事件响应 (DFIR)， 威胁情报以及与通过接管和拆除恶意软件来打击犯罪活动有关的各种行动僵尸网络 。 多年来，我已经在我的出版物和演示文稿中检查了几个此类案例研究，其中一些是我参与的。

道德准则作为行为指南 (Ethical codes as guides to behavior)

There is a famous quotation in software engineering (variously attributed to Grace Murray Hopper, Andrew Tanenbaum, or Alan Cox, depending on which web site you check!):

在软件工程中有一个著名的报价(根据您要检查的网站而定，其归因于Grace Murray Hopper，Andrew Tanenbaum或Alan Cox！)：

“The good thing about standards is that there are so many to choose from.”

“关于标准的好处是有太多选择。”

— ¯\_(ツ)_/¯

—¯\ _(ツ)_ /¯

When it comes to aggressively responding to botnets and computer intrusions, it can seem like that with ethical codes, too!

当要积极响应僵尸网络和计算机入侵时，似乎也带有道德准则！

Beyond the three codes listed so far, here are some other codes of ethics or codes of conduct that might apply in this space:

除了到目前为止列出的三个守则之外，这里还有可能适用于此领域的其他一些道德守则或行为守则：

• EC Council Code of Ethics

  欧共体理事会道德准则

• International Association of Special Investigation Units Code of Conduct

  国际特别调查单位协会行为准则

• ISC2 CISSP Code of Ethics

  ISC2 CISSP道德规范

• ISSA Code of Ethics

  ISSA 道德规范

• SANS GIAC Code of Ethics

  SANS GIAC道德规范

• SANS IT Code of Ethics

  SANS IT道德守则

• USENIX System Administrators’ Code of Ethics

  USENIX 系统管理员道德规范

Michael Bailey, Sven Dietrich and I analyzed several ethical codes associated with general society at large (think justifications for “self-defense”), the professional community, and the academic community. Individuals from, or groups compromised of people from, each of these three categories engage in things like: the takeover and takedown of botnets; deceiving computer users to better understand how they respond to social engineering (e.g., phishing emails); performing research studies involving access to realtime communications or manipulation of networks used by thousands of people; or demonstrating the need to fix vulnerabilities in widely used internet services or devices by breaking them and publishing functional “proof-of-concept” exploit code.

我和迈克尔·贝利(Michael Bailey)，斯文·迪特里希(Sven Dietrich)分析了与整个社会相关的几种道德准则(认为“自卫”的理由)， 专业团体和学术团体 。 这三个类别中的每个类别的个人或受其折衷的群体都参与到以下活动中：僵尸网络的接管和删除； 欺骗计算机用户以更好地了解他们如何响应社会工程(例如，网络钓鱼电子邮件)； 进行涉及访问实时通信或操纵数千人使用的网络的研究； 或表明有必要通过破坏它们并发布功能性的“概念验证”漏洞利用代码来修复广泛使用的Internet服务或设备中的漏洞。

We observed that ethical codes run the gamut from implicit societal codes where decisions are influenced by friends, family, or one’s own internal moral compass, to published codes like those of ACM, IEEE and the others listed above that members agree to follow when signing up or renewing their membership, all the way up to (in the United States) the Belmont Report’s principles of Respect for Persons, Beneficence, and Justice as codified in the United States Code of Federal Regulations (45 CFR 46, also known as the “Common Rule” because of its uniform adoption by all federal agencies and departments of the United States government.)

我们观察到，道德准则的范围很广，从隐性的社会准则(决定受朋友，家人或自己的内部道德指南针影响)到已发布的准则(例如ACM，IEEE和上面列出的其他准则，会员都同意在遵循时遵循)或更新他们的会员资格，一路攀升到(美国)尊重个人，善行和正义的贝尔蒙报告的原则，在联邦法规(美国法典编撰45 CFR 46 ，也被称为“ 通用规则 ”，因为该规则已被美国政府所有联邦机构和部门统一采用。)

We published our findings on the applicability and limitations of these codes and the efficacy of their enforcement mechanisms, along with over two dozen case studies with which to illustrate the ethical questions raised, in a technical report (“Towards community standards for ethical behavior in computer security research”). The case studies were adopted by the Menlo Working Group and included in the “Companion” to the Menlo Report.

我们在技术报告中发表了有关这些规范的适用性和局限性及其执行机制的有效性的发现，以及超过两打的案例研究，以说明所提出的道德问题。安全研究 ”)。 案例研究已由Menlo工作组通过，并包含在Menlo报告的“伴侣”中。

I will start strategically by looking at ACM’s Code. You’ll see why in a moment.

我将从战略上着眼于ACM的规范。 一会儿您会明白为什么。

ACM道德规范 (The ACM Code of Ethics)

From their web site, “ACM is dedicated to: Advancing the art, science, engineering and application of information technology; fostering the open interchange of information to serve both professionals and the public; and promoting the highest professional and ethical standards.”

在他们的网站上，“ ACM致力于：促进信息技术的艺术，科学，工程和应用； 促进信息的公开交流，以服务专业人士和公众； 并促进最高的职业和道德标准。”

“The 1992 Code organized ethical principles into four categories: general moral imperatives, more specific professional responsibilities, organizational leadership imperatives, and compliance.”

“ 1992年版《守则》将道德原则分为四类：一般的道德要求，更具体的职业责任，组织领导的要求和合规性。”

— https://dl.acm.org/doi/abs/10.1145/3015149

-https://dl.acm.org/doi/abs/10.1145/3015149

Like our technical report and the Companion to the Menlo Report, the most recent revision of the ACM Code of Ethics is accompanied by a set of case studies showing how use the code of ethics for analysis and application.

像我们的技术报告和《门洛报告的同伴》一样，ACM道德规范的最新修订版还包含一系列案例研究，这些案例研究说明了如何使用道德规范进行分析和应用。

The case study most relevant here is the Malware Disruption case.

这里最相关的案例研究是“恶意软件破坏”案例。

This case study implicitly identifies stakeholders including Rogue Services (the network provider covering for unnamed malicious actors sending spam emails), Rogue’s service clients (some legitimate, but the majority malicious), ISPs and international organizations — FIRST members could fall into this group — reporting the malicious activity originating from Rogue’s network requesting it be ceased. It doesn’t categorize them or go into detail about their motivations, risks, benefits, etc.

此案例研究隐含地确定了利益相关者，包括Rogue Services(网络提供商，涵盖发送垃圾邮件的未命名恶意参与者)，Rogue的服务客户端(一些合法，但大多数是恶意的)，ISP和国际组织-FIRST成员可能属于该组-报告来自Rogue网络的恶意活动要求停止。 它没有对它们进行分类，也没有详细介绍它们的动机，风险，收益等。

For the purposes of clearly identifying stakeholders, I will call Rogue and the criminals they are enabling negatively inclined actors and the group acting to stop the harm being caused to the general public positively inclined actors.

为了清楚地识别利益相关者，我将称呼Rogue及其犯罪分子，他们正在使消极倾向的行为者和行径能够阻止对公众产生积极影响的行为者造成的伤害。

After multiple reports and requests of Rogue to stop the criminal activity were refused by Rogue, citing their “no matter what” pledge of guaranteed service to their customers, multiple security vendors and governmental organizations acted to “forcibly [take spamming sources] offline through a coordinated effort [consisting of] a targeted worm that spread through Rogue’s network [in a] denial-of-service (DoS) attack successfully [taking] Rogue’s machines offline, destroying much of the data stored with the ISP in the process.”

在Rogue拒绝了多个举报和Rogue要求停止犯罪活动的请求之后，Rogue拒绝了Rogue的“无论如何”向其客户提供有保证的服务的承诺，多个安全供应商和政府组织采取了“ 通过[协同工作[由]一个通过Rogue的网络传播的目标蠕虫组成[成功地]拒绝服务(DoS)攻击[使Rogue的计算机脱机，在此过程中破坏了与ISP一起存储的许多数据。 ”

The case goes into just enough detail to allow relevant principles to be identifiable and applied, which they state are:

案例的细节足够详细，可以使相关原则得以识别和应用，它们指出：

• Principle 1.1 (Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing)

  原则1.1( 为社会和人类福祉做出贡献，并承认所有人都是计算领域的利益相关者 )

• Principle 1.2 (Avoid harm)

  原则1.2( 避免伤害 )

• Principle 2.8 (Access computing and communication resources only when authorized or when compelled by the public good)

  原则2.8( 仅当获得公共物品授权或强迫时，才可使用计算和通信资源 )

• Principle 3.1 (Ensure that the public good is the central concern during all professional computing work)

  原则3.1( 确保公共利益是所有专业计算工作中的核心问题 )

The analysis points out that the negatively inclined actors violated Principles 1.1, 1.2, 2.8 and 3.1. These violations are then weighed against the actions taken by the positively inclined actors in service to the public good.

分析指出，消极行为者违反了原则1.1、1.2、2.8和3.1。 然后，将这些违法行为与积极服务于公共利益的积极行动者所采取的行动进行权衡。

Where it gets interesting is in analyzing the employment of a destructive worm to forcibly stop the spamming and delivery of “dropper” malware through tainted ads served from Rogue’s network. I consider this to be acting at Level 4.2 — Uncooperative Cease and Desist — on the Active Response Continuum.

有趣的是分析破坏性蠕虫的使用，以通过Rogue网络投放的受污染广告强行阻止垃圾邮件和“投递”恶意软件的传播。 我认为这在主动响应连续体上处于4.2级( 不合作的停止和停止 )上。

While it is acknowledged that the DoS worm violates Principle 1.2, it is justified by the negatively inclined actors’ violation of Principle 1.2 combined with (a) the worm authors’ adherence to Principle 1.1 and (b) specific targeting that minimizes any effects implicated in Principle 1.2. Additionally, the DoS worm authors’ violation of Principle 2.8 was mitigated by the targeting through a “compelling belief that the service disruption was consistent with the public good [as embodied by Principle 3.1].”

尽管人们公认DoS蠕虫违反了原则1.2，但它的存在是有理由的是，负面行动者违反了原则1.2，并且(a)蠕虫作者遵守了原则1.1，并且(b)专门针对性降低了与之相关的任何影响。原则1.2。 此外，通过“有针对性的信念，即服务中断与公共利益相一致(如原则3.1所体现)，针对性缓解了DoS蠕虫作者对原则2.8的违反。”

In other words, the conflict here between the duty to adhere to principles or chosing to violate them is resolved by balancing by the consequences of the actions taken in terms of the public good. (You might recognize this as a utilitarian philosophical position.)

换句话说，遵守原则的义务与选择违反原则的义务之间的冲突是通过在公共利益方面采取的行动的后果之间取得平衡来解决的。 (您可能会认为这是功利主义的哲学立场。)

The ACM task force used an open process that involved publishing drafts of the Code (with changes tracked) and articles in ACM publications, helping us understand the thinking behind the changes. I can imagine the discussions of how to apply the evolving Code to the use cases, since we went through a very similar exercise while drafting the Menlo Report and its Companion.

ACM工作组使用了一个开放的流程，其中涉及在ACM出版物中发布守则的草案(跟踪更改)和文章 ，从而帮助我们理解更改背后的想法。 我可以想象到有关如何将不断发展的代码应用于用例的讨论，因为我们在起草Menlo报告及其伴侣时经历了非常相似的练习。

With the Malware Disruption case in mind, consider the evolution of Principle 2.8 in these three screenshots:

考虑到恶意软件破坏的情况，请在以下三个屏幕截图中考虑Principle 2.8的演变：

It is clear that the original 1992 blanket “must always” exclusion to accessing resources of others without authorization, cooperation, or coordination doesn’t allow the actions taken by the positively inclined actors in the Malware Disruption case study.

很明显，原始的1992年一揽子“必须始终”排除未经授权，合作或协调而访问他人的资源，这不允许积极倾向的参与者在恶意软件破坏案例研究中采取行动。

The final language acknowledges that non-cooperative criminal infrastructure takedowns do take place, that members of ACM take part in them and that the actions taken shouldn’t put members in conflict with their obligation to follow ACM’s Code of Ethics. Usually these botnet takedown actions are nowhere near as aggressive or damaging as described in the Malware Disruption case study, but the massive DDoS attacks stemming from insecure home network equipment and Internet of Things (IoT) devices like baby monitors and home security cameras are leading some people to head in that direction (e.g., see “Someone Has Hacked 10,000 Home Routers To Make Them More Secure,” “Vigilante botnet infects IoT devices before blackhats can hijack them,” and “BrickerBot is a vigilante worm that destroys insecure IoT devices.”)

最终语言承认非合作犯罪基础设施确实发生了 ，ACM成员也参与其中，并且所采取的行动不应使成员与遵守ACM道德守则的义务发生冲突。 通常，这些僵尸网络删除行动远不如恶意软件破坏案例研究中所述的那样具有侵略性或破坏性，但是由不安全的家庭网络设备以及诸如婴儿监视器和家庭安全摄像机之类的物联网(IoT)设备产生的大规模DDoS攻击正在引领一些人们朝着这个方向前进(例如，请参阅“ 有人入侵了10,000台家用路由器以使其更安全 ”，“ Vigilante僵尸网络在IoT受到黑帽劫持之前就感染了IoT设备 ”和“ BrickerBot是一种警惕蠕虫，它摧毁了不安全的IoT设备 。 ”)

The case study only mentions the law in terms of (the lack of) proscribing Rogue’s negatively inclined behavior as a service provider. It does not directly address the legality of the actions taken by the DoS worm authors, but there clearly could be violations of law in one or more jurisdictions in which the positively inclined actors reside, or at least grounds for civil action by innocent third parties who are legitimate (and benign) customers of Rogue. The legal concept of tortious interference with business process comes to mind here. There may also be a criminal violation of the Computer Fraud and Abuse Act (18 U.S. Code § 1030) by those actors residing in the United States.

案例研究仅从禁止( 缺乏 )罗格(Rogue)作为服务提供者的消极行为方面提及法律。 它没有直接解决DoS蠕虫作者采取的行为的合法性，但是显然，在一个或多个积极倾向参与者所居住的辖区中可能存在违反法律的行为，或者至少是无辜第三方的民事诉讼依据是Rogue的合法(和良性)客户。 在这里想到折磨性干扰业务流程的法律概念。 居住在美国的那些行为者还可能违反《 计算机欺诈和滥用法》 ( 美国法典第18条第1030款 )。

I would argue that Principle 2.3 (Know and respect existing rules pertaining to professional work), while not mentioned in the case study, would be appropriate to include here. The relevant portions are:

我认为原则2.3( 了解并尊重与专业工作有关的现有规则 )虽然在案例研究中未提及，但应适当地包括在这里。 相关部分是：

“Rules” here include local, regional, national, and international laws and regulations, as well as any policies and procedures of the organizations to which the professional belongs. Computing professionals must abide by these rules unless there is a compelling ethical justification to do otherwise. […] A computing professional who decides to violate a rule because it is unethical, or for any other reason, must consider potential consequences and accept responsibility for that action.

这里的“规则”包括当地，地区，国家和国际法律和法规，以及专业人员所属组织的任何政策和程序。 除非有令人信服的道德理由这样做，否则计算专业人员必须遵守这些规则。 […]因不道德或出于任何其他原因而决定违反规则的计算专业人员，必须考虑潜在的后果并对此行为承担责任。

This principle not only allows an exception for nuanced situations like that described in the Malware Disruption case study, but it also puts the onus on the positively inclined actors — who may believe their potential violation of law will achieve a greater moral good to society — to do their homework and be prepared to put forward an affirmative defense to justify their actions. In this case, the multiple attempts to report wrongdoing and get Rogue to take care of it, working in concert with government and non-governmental organizations, and efforts to narrowly target and minimize any harm by the DoS worm, all exhibit the kind of due diligence and responsibility called for by Principle 2.3.

这项原则不仅允许对“恶意软件破坏”案例研究中所描述的细微差别进行例外处理，而且还为积极倾向的行为者承担责任(他们可能认为他们潜在的违法行为将为社会带来更大的道德利益)，做好功课，并准备提出肯定的辩护以证明他们的行为合理。 在这种情况下，与政府和非政府组织合作，多次举报举报不当行为并让Rogue采取措施的努力，以及努力缩小DoS蠕虫的针对性并最大程度地减少其危害的努力，都表明了应有的责任。原则2.3要求的勤奋和责任。

Next, let’s look at IEEE’s code.

接下来，让我们看一下IEEE的代码。

IEEE道德规范 (The IEEE Code of Ethics)

From their web site, “IEEE is the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity [whose] core purpose is to foster technological innovation and excellence for the benefit of humanity.”

在他们的网站上， IEEE是世界上最大的技术专业组织，致力于为人类的利益而发展技术，其核心目的是为人类的利益而促进技术创新和卓越。 ”

The IEEE Code of Ethics is much shorter (10 items) than that of the ACM (25 items), though they both share some fundamental elements. Part of the difference in length results from IEEE only listing items, while ACM includes some explanation and guidance.

尽管IEEE道德规范 (共有10项)具有一些基本要素，但它们都比ACM(25项)要短得多(10项)。 长度的部分差异是由IEEE仅列出项目引起的，而ACM包括一些解释和指导。

The Code is written with what you could describe as an “inward focus,” using language that centers on professional behavior in the workplace, with the impacts to society being those resulting from use of the products and services developed by the engineering professionals to whom the code is directed. It might be that the lack of explanations about application, like that accompanying the ACM Code, is what gives it that feeling.

本《准则》使用您可以形容为“内向型”的语言编写，使用的语言以工作场所的专业行为为中心，对社会的影响是使用由工程专业人士开发的产品和服务所产生的影响。代码是定向的。 可能是因为缺乏对应用程序的解释(如ACM规则随附的解释)才使它产生这种感觉。

IEEE does not have a similar set of case studies to the ACM, but we can experiment with applying their Code of Ethics to the Malware Disruption case.

IEEE没有与ACM相似的案例研究集，但是我们可以尝试将其道德守则应用于恶意软件破坏案例。

• The first element of item 1 of the Code states, “to hold paramount the safety, health, and welfare of the public.” While this is similar to ACM’s Principle 3.8, it seems a weaker justification for actions such as the DoS worm.《守则》第1项的第一要素规定：“对公众的安全，健康和福利至为重要。” 尽管这与ACM的3.8原理相似，但对于诸如DoS蠕虫之类的行动而言，其理由似乎较弱。
• The last element of item 1 states, “to disclose promptly factors that might endanger the public or the environment.” This could apply to the reporting of malicious activity to Rogue by the positively inclined actors.项目1的最后一个要素指出：“及时披露可能危害公众或环境的因素。” 这可能适用于由积极倾向的行为者向Rogue报告恶意活动。

• Item 6 states, “to maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience.” I argue in some of my publications and talks that we ought to have requirements on the technical capability and maturity of those engaged in the most extreme and aggressive actions like botnet takedowns, since such situations increase the potential for harm to the public who is caught in the middle. This item alone does not seem to me to help, since the positively inclined actors may all believe they will not make any mistakes or encounter any unforeseen circumstances, and besides, there is nothing requiring them to meet any qualifications (as none exist in this space.)

  项目6指出：“只有在经过培训或经验合格的情况下，才能维持和提高我们的技术能力，并为他人承担技术任务。” 我在我的一些出版物和谈话中提出，我们应该对从事最极端和激进行为(如僵尸网络删除)的人员的技术能力和成熟度提出要求，因为这种情况增加了对被困公众的伤害的可能性。中间。 对我而言，仅此一项似乎对我没有帮助，因为积极向上的演员可能都相信他们不会犯任何错误或遇到任何不可预见的情况，此外，没有任何要求他们具备任何资格的条件(因为该领域不存在任何资格) )

• Item 9 of the Code states, “to avoid injuring others, their property, reputation, or employment by false or malicious action.” While this seems like it could apply to the targeting actions designed to minimize harm from the DoS worm, the final clause “by false or malicious action” seems to negate its utility here since the actions of the positively inclined actors (as ACM describes their actions) are neither “false” nor “malicious.”

  《守则》第9条规定：“避免因错误或恶意的行为而伤害他人，其财产，声誉或就业。” 尽管这似乎可以应用于旨在最大程度地减少DoS蠕虫危害的定向操作，但最后一句“通过虚假或恶意操作”似乎否定了它的效用，因为积极主动的行为者的行为(如ACM描述了他们的行为) )既不是“假”也不是“恶意”。

The remainder of the items in the Code don’t seem to help in terms of the Malware Disruption case study.

就恶意软件破坏案例研究而言，《准则》中的其余条款似乎无济于事。

One of the proposed changes to the Code — adding a requirement “to engage in lawful conduct” to item 4 — actually seems to make things more difficult in application to the Malware Disruption case study.

对准则的拟议更改之一(在第4项中增加了“ 从事合法行为 ”的要求)实际上似乎使在“恶意软件破坏”案例研究中应用起来更加困难 。

There is some nuanced language required to accommodate real-world cases such as this one, which is one of the difficulties encountered in writing codes like this. We had to deal with this in the Menlo Working Group effort and it took a lot of effort and patience to get to our final product. The fundamental problem has to do with using vague terms like “attack,” “breach,” and “intrusion” that can lead to fallacious logic and other misunderstandings. Legislative proposals like the ACDC Act share this same problem

需要一些细微的语言来适应诸如此类的现实情况，这是编写此类代码时遇到的困难之一。 我们不得不在Menlo工作组的工作中处理此问题，并且花了很多精力和耐心才能获得最终产品。 基本问题与使用诸如“攻击”，“违反”和“入侵”等模糊术语有关，这可能导致谬误的逻辑和其他误解。 ACDC法案等立法提案也存在同样的问题

I find the concept of Information Assurance to help in being clear, concise, and comprehensive. A worm that destroys files (compromise of the integrity of information and information systems) resulting in a denial of service (compromise of the availability of information and information systems) are both the types of acts that are often encompassed by computer misuse statutes like the United States’ Computer Fraud and Abuse Act (18 U.S. Code § 1030). The latter, when done by someone with malicious intent against a rival company, has in fact resulted in criminal indictments in the past.

我发现信息保证的概念有助于清晰，简洁和全面。 蠕虫破坏文件(损害信息和信息系统的完整性)导致拒绝服务(损害信息和信息系统的可用性)是两种行为类型，通常都被计算机滥用法规(如美国)所涵盖。州的《 计算机欺诈和滥用法》 ( 美国法典第18条第1030款 )。 后者是由怀有恶意企图对竞争对手的公司进行的，实际上在过去已导致刑事起诉 。

I would argue that the new item 5 would also apply to the Malware case study:

我认为新的项目5也将适用于恶意软件案例研究：

“to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, to be honest and realistic in stating claims or estimates based on available data […]”

“寻求，接受并诚实地批评技术工作，承认和纠正错误，在根据现有数据陈述索赔或估计时要诚实和现实[…]”

I would hope that sufficient analysis and documentation by the positively inclined actors of the criminal activity being perpetrated from Rogue’s network and Rogue’s refusal to stop it — including the plan for the DoS worm, and how its effects were to be targeted and controlled — would be produced and vetted prior to taking such an aggressive action.

我希望积极的行为者会对Rogue的网络进行的犯罪活动以及Rogue拒绝制止这一行为(包括DoS蠕虫的计划以及如何针对和控制其影响)进行充分的分析和记录， 在采取此类侵略性行动之前生产和审核。

Lastly, we look at the new EthicsfIRST code.

最后，我们看一下新的EthicsfIRST代码。

事件响应和安全团队的道德规范 (Ethics for Incident Response and Security Teams)

From their web site, FIRST describes themselves as “the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams [from government, commercial, and educational organizations] to more effectively respond to security incidents reactive as well as proactive. […] FIRST aims to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large.” The Ethics SIG more directly states that, “FIRST functions similar to a professional association for CSIRT and PSIRT members as well as other cybersecurity professionals with training and experience related to the work of incident response and security teams.”

FIRST在其网站上将自己描述为“ 事件响应的首要组织和公认的全球领导者”。 FIRST的成员资格使(来自政府，商业和教育组织的)事件响应团队能够更有效地响应安全性事件，既有React性也有前瞻性。 […] FIRST旨在促进事件预防方面的合作与协调，激发对事件的快速React，并促进成员与整个社区之间的信息共享。 ” Ethics SIG更直接地指出：“ FIRST的职能类似于针对CSIRT和PSIRT成员以及接受过事件响应和安全团队工作培训和经验的其他网络安全专业人员的专业协会。 ”

At first glance, you may notice that all of the principles are expressed as duties. The codes of IEEE and ACM also list duties, but more indirectly and subtly. Framing the code this way differs slightly from some other codes that blend duties with consequentialist or utilitarian principles that discuss outcomes (e.g., results of the acts, benefits that derive, who receives the benefits, etc.).

乍一看，您可能会注意到所有原则都被表述为职责。 IEEE和ACM的代码也列出了职责，但更为间接和巧妙地列出了职责。 从其他一些代码成帧码这种方式略有不同的是混合责任与后果论或功利主义的原则是讨论的结果(例如，行为，也从中得到实惠，谁获得的利益，结果等)。

FIRST makes it clear that these principles are not intended to be as absolutist as you might encounter in a philosophical discussion of deontological ethical principles. The code starts by making it clear the principles are “formulated as statements of responsibility, based on the understanding that the public good is always the primary consideration.”

FIRST明确指出，这些原则并非像您在有关道义伦理原则的哲学讨论中可能遇到的专制主义。 该准则首先阐明了原则，即“ 基于对公共利益始终是首要考虑因素的理解，制定为责任声明 ”。

The introduction goes on to explain a feature shared with the ACM Code. “Each principle is supplemented by guidelines, which provide explanations to assist computing professionals in understanding and applying the principle,” and an Appendix provides further guidance on how to deal with dilemmas.

引言继续说明与ACM代码共享的功能。 “ 每项原则都有指导原则补充，指导原则提供了解释，以帮助计算专业人士理解和应用该原则 。”附录提供了有关如何解决难题的进一步指导。

I’ll perform the same experiment of using the EthicsfIRST code to consider the ACM Malware Disruption case study.

我将使用EthicsfIRST代码进行相同的实验，以考虑ACM恶意软件破坏案例研究。

Several principles appear to me to be implicated in application of the code to this case:

在我看来，在这种情况下代码的应用牵涉到一些原则：

• Duty of coordinated vulnerability disclosure: This duty is intended more for disclosure of vulnerabilities that present risks to users of affected systems following public disclosure, at which point anyone developing or possessing a functioning exploit can begin causing harm. The purpose of coordinated disclosure is to maximize the ability to fix the problem and distribute patches to minimize risk exposure before widespread exploitation begins. In this case, however, the coordinated disclosure would be the reporting of the criminal activity to Rogue.

  协调漏洞披露的职责：此职责旨在更多地披露在公开披露后向受影响的系统的用户带来风险的漏洞的披露，此时，开发或拥有有效利用程序的任何人都可以开始造成危害。 协调公开的目的是在广泛利用开始之前，最大程度地解决问题和分发补丁以最大程度地降低风险 。 但是，在这种情况下，协调披露将是向Rogue 报告犯罪活动 。

• Duty of authorization: This is a little like ACM’s Principle 2.8, and serves a similar purpose. (The concern for the public good portion is covered by the overall requirement to place this concern as the top priority.)

  授权职责 ：这有点类似于ACM的2.8原则 ，并且具有类似的目的。 (将公共利益放在首位的总体要求涵盖了对公共利益的关注。)

• Duty to inform: As with the previous principle, the DoS worm authors and others had already performed their duty to report malicious activity to Rogue, before contemplating any further coordinated (if uncooperative with respect to Rogue) actions.

  通知的义务：与以前的原则一样，DoS蠕虫作者和其他人员已经履行了向Rogue报告恶意活动的职责，然后再考虑采取任何进一步的协调(如果与Rogue不合作的行为)。

• Duty to recognize jurisdictional boundaries: This principle is similar to ACM’s Principle 2.3 and IEEE’s item 4 revision, but FIRST does a much more thorough job of providing guidance appropriate to situations like the DoS worm action. The explanation of the SHOULD definition at the beginning of the code further reinforces the need for careful preparation, narrow targeting and discrimination (following the meaning of that term in the context of the law of war) of impacts resuting from actions taken.

  认识管辖范围的职责：该原则类似于ACM的原则2.3和IEEE的第4项修订 ，但是FIRST所做的工作要彻底得多，以提供适合于DoS蠕虫行动等情况的指导。 在代码开头对 SHOULD定义的解释进一步强调了对采取的措施所产生的影响进行仔细准备，缩小目标范围和区分 (遵循战争法中该术语的含义)的需要。

• Duty of evidence-based reasoning: This duty seems to be the most important for the Malware Disruption case study, since the actions are so aggressive and destructive. As I described in the ACM section, a DoS worm that deletes files on a corporate network could result in civil or criminal legal action, or at least public debate about any damage that occurs.

  基于证据的推理的职责：对于恶意软件破坏案例研究，此职责似乎是最重要的，因为这些行为是如此具有侵略性和破坏性。 正如我在ACM部分中所述，删除公司网络上文件的DoS蠕虫可能会导致民事或刑事法律诉讼，或至少引起有关所发生损害的公开辩论 。

I like how these principles complement each other in terms of guiding careful consideration of actions, following an escalatory path towards more aggressive actions only when it appears to be necessary, and stressing an evidence-based reasoning process. The latter makes it easier to seek pre-action review, perform post-action review in light of empirical data, and justify any harm along axes of proportionality, necessity, discrimination, etc.

我喜欢这些原则在指导仔细考虑行动，仅在必要时遵循逐步采取更积极行动的道路以及强调循证推理过程方面如何相互补充。 后者使得更容易进行事前审查，根据经验数据进行事后审查，并证明沿比例，必要性，歧视等方面的任何损害是合理的。

意见和建议 (Observations and suggestions)

The IEEE Code was the hardest to use in analyzing the Malware Disruption case and justifying the actions taken by the positively inclined actors, due to what I interpret as a focus on the discipline and professional practice of engineering in the benign context. This focus is understandable for a large society who first put forward a code of ethics over a hundred years ago — decades before INFOSEC, DFIR, and threat intelligence became disciplines and professions. There was no need to contemplate activities intended to actively counter ongoing crime! Besides, a short and concise code is easier to understand and keep in mind.

由于我认为在良性环境下对工程学科和专业实践的关注，IEEE代码最难用于分析恶意软件破坏案并证明积极倾向的参与者采取的行动是合理的。 对于一个大型社会来说，这种关注是可以理解的，它是一百多年前首次提出道德规范的，这比INFOSEC，DFIR和威胁情报成为学科和专业早了几十年。 无需考虑旨在积极打击持续犯罪的活动！ 此外，简短明了的代码更易于理解和记住。

ACM and FIRST have more detailed codes that consider application by their members, including when acting in the malign context where actions are intended to achieve a greater moral good in service to the public interest.

ACM和FIRST拥有更详细的代码，考虑其成员的应用 ，包括在恶性环境中行动时，这些行为旨在为公众利益提供更大的道德利益。

ACM published their first Code of Ethics just one year after Eugene Spafford published “Are computer hacker break-ins ethical” and two years after Dorothy Denning published “Concerning Hackers Who Break into Computer Systems.” The reasoning for updating the 1992 Code in 2018 acknowledges the risks presented by pervasive computing that have been growing over the last two decades:

在尤金·斯帕福德(Eugene Spafford)出版“ 计算机黑客闯入伦理 ”之后一年，而多萝西•丹宁(Dorothy Denning)出版了“ 关于闯入计算机系统的黑客有关 ”的两年之后，ACM就发布了他们的第一本《道德守则》 。 ”在2018年更新1992 Code的理由承认，在过去的二十年中，普适计算所带来的风险在不断增长：

Computing today is in our bodies — prosthetics, pacemakers, and insulin pumps. Computing is also integral to the ways in which societies wage war. Computers impact all areas of our lives and many life-preserving functions are relegated to a piece of computer guided machinery. […] The changes in technology and the kinds and number of impacted stakeholders are changing society in fundamental ways.

今天的计算就在我们的身体内–假肢，起搏器和胰岛素泵。 计算也是社会发动战争的方式的组成部分。 计算机影响着我们生活的所有领域，许多救生功能被赋予了计算机引导的机器功能。 […]技术的变化以及受影响的利益相关者的种类和数量正在从根本上改变社会。

— https://cacm.acm.org/magazines/2016/12/210367-making-a-positive-impact/fulltext

-https://cacm.acm.org/magazines/2016/12/210367-making-a-positive-impact/fulltext

FIRST is the most recent organization I am aware of from the INFOSEC and DFIR space to put forward a code of ethics. It should come as no surprise that FIRST, whose membership is comprised of people focused on INFOSEC and DFIR, has a code that includes very clear principles and practical guidance for applying them.

FIRST是我从INFOSEC和DFIR领域了解到的最新组织，该组织提出了道德准则。 毫不奇怪，FIRST的成员由专注于INFOSEC和DFIR的人员组成，其代码包含非常清晰的原则和应用它们的实用指南。

I believe that realistic case studies prove very helpful in developing ethical codes as well as learning how to analyze real-world situations to apply ethical principles. This is the reason my colleagues and I included real-world cases in our technical report and why the Menlo Working Group created a synthetic case study for the Companion based on real historic events with many decision points for ethical consideration. I imagine that the ACM task force did exactly the same thing for the same reasons.

我相信，现实的案例研究在制定道德规范以及学习如何分析现实情况以应用道德原则方面非常有帮助。 这就是我和我的同事将真实案例纳入我们的技术报告的原因，也是Menlo工作组基于真实的历史事件并结合伦理学考虑的许多决策要点为同伴创建综合案例研究的原因。 我想象ACM工作队出于相同的原因做了完全相同的事情。

I would encourage IEEE and FIRST to either use the ACM case studies, those included in the Companion to the Menlo Report, or develop their own case studies based on historical events involving their membership. Using existing case studies is less work than developing new ones and I would think could prove helpful in producing codes that converge, rather than diverge, in end results.

我鼓励IEEE和FIRST使用ACM案例研究(包括在Menlo报告的同伴中)，或根据涉及其成员资格的历史事件来开发自己的案例研究。 使用现有的案例研究比开发新的案例研究少了工作，我认为这可能会有助于产生最终结果收敛而不是发散的代码。

Beyond case studies, ACM also has an “Ask an Ethicist” video/blog section. As of the writing of this article, it has only two Q&A items, both involving discovery and disclosure of vulnerability information. I expect the list will grow over time, providing further guidance for those attempting to navigate tough ethical issues not covered by the existing body of case studies.

除了案例研究之外，ACM还提供了“ 询问伦理学家 ”视频/博客部分。 在撰写本文时，它只有两个问答项目，都涉及发现和披露漏洞信息。 我希望这个列表会随着时间的推移而增长，为那些试图解决现有案例研究未涵盖的棘手的道德问题的人提供进一步的指导。

I hope that my focus here on going beyond just producing good professional engineering results to also aggressively countering ongoing harm to the public is helpful.

我希望我在这里的关注重点不仅限于产生良好的专业工程成果，而且还可以积极地抗击对公众的持续伤害。

Ethics is about doing the right thing in all situations you might encounter in your day to day working life, not just in the best-case scenarios. As the scale and scope of potential harm to the general public via networked computing systems increases, so does the necessity for capable and responsible people to actively counter the harm without making matters worse.

道德准则是在日常工作中可能遇到的所有情况下都做正确的事情，而不仅仅是在最佳情况下。 随着通过网络计算系统对公众造成潜在危害的规模和范围不断扩大，有能力和负责任的人们积极应对危害而又不会使情况进一步恶化的必要性也随之增加。

I think we have further to go, but in terms of producing actionable codes of ethics we’re heading in the right direction!

我认为我们还有很长的路要走，但是就制定可行的道德规范而言，我们正在朝着正确的方向前进！