How about, “Don’t Be Evil”
Thomas Ptacek | June 17th, 2005 | Filed Under: Uncategorized
Richard Bejtlich inspects a survey from the ISC2, corporate owner of the CISSP certification, and finds it asking him whether “something you know” is more important to the exam than “something you have” or “something you are”, whether “value-added networks (VAN)” are more important than “global information grids (GIG)”, and whether “hubs” are more important than “routers” or “gateways”.
Heh.
Richard (who holds a CISSP) says: The only value CISSP retains is its Code of Ethics.
Is that so, Richard?
It’s not much of a secret that I sincerely dislike the CISSP, to the point of feeling slightly distrustful of people who openly admit to holding the certificate. Call me crazy, but a certificate that is held by less than 10% of the most respected practitioners in the industry, yet by more than 90% of third-string consultants and entry-level IT secops, lacks some credibility.
There are a variety of good, specific reasons to disdain CISSP, but you can sum the whole thing up this way: there’s a 90% likelihood that the next major security advisory isn’t going to come from someone who holds a CISSP, and a 90% likelihood that the next weirdo suggesting a scheme whereby security patches remain encrypted until a critical mass of users have installed it so that “hackers” can’t get the details of the exploit is going to come from someone with a CISSP.
But this isn’t a post about the (lacking) merits of the CISSP certificate itself. It’s a post about the (lacking) merits of the CISSP Code of Ethics.
Three proposed “rules of thumb” about a security “code of ethics”:
Rules that are self-evident are not useful. If you can take a rule, stick “don’t” at the front of it, and come up with an ethical statement that my five year old son Galen can reject, you are demagoguing, not helping.
Rules that defend the salary of CISSP-holders instead of the integrity of the practice or the common good are not useful.
Rules that defend the salary of CISSP-holders at the expense of the common good are less than not-useful.
“Compliance with the preamble and the canons” (of the code) is “mandatory”. Well, the preamble says “you must comply with the canons”. What do the canons say?
Protect society, the commonwealth, and the infrastructure.
Hey Galen: Should you protect society? The commonwealth? The infrastructure? Cute little puppies? Criminals?
Whoa. He got all of them right. Strike one “canon”.
Act honorably, honestly, justly, responsibly, and legally.
Galen: Should you tell the truth? How about when telling a lie will get you a candy bar?
Is it possible that my kindergarten-age son was born with an innate sense of the ethics of computer security? It is in the genes, you know.
Provide diligent and competent service to principals.
Well, Galen doesn’t know most of these words. But let’s try this:
Don’t provide diligent and competent service to principals.
Hey wait a minute, I know consultancies that use this second statement as an operating charter. But that’s ok! The CISSP code clearly states:
Conflicts between the canons should be resolved in the order of the canons. The canons are not equal and conflicts between them are not intended to create ethical binds.
I’m not making this up: the CISSP seems to want to leave you wiggle room to resolve “conflicts” between “competency” and “honesty”.
Advance and protect the profession.
Now we’re getting away from the Galen test and into rules number 2 and 3 of “codes of ethics”. Let’s look at some of the sub-bullets for this “canon”:
Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons.
My break here Avoid professional association with those whose practices or reputation might diminish the profession.
Is it prima facie unethical to offer to render life-or-death security services based on experience you can claim only by having read a Que “… in 21 days” book? Yes.
Is it prima facie unethical to equate yourself professionally with people who can render those same services based on a decade of battlefield experience? Yes.
Is this “ethical bind” covered by the CISSP code? No.
Information security is rife with ethical conundrums. Vulnerability disclosure. Exposure versus liability versus availability. The spam blacklist debacle. Product marketing and selection. A real code of conduct, one that actually enumerated the tradeoffs involved in real professional conflicts and gave real guidance, would be useful.
If this code is the best thing Richard can say about the CISSP, he’s damning it with faint praise.
Sara P.
June 18th, 2005 2:48 pm
I found you! It’s Sara. E-mail me!
spaprzyca1776@aol.com
Tim O'Brien
June 22nd, 2005 2:46 am
It’s Tim. Like “Sara P.”, I’ve found you, but I’ve never met you!
You are correct, sir: the CISSP is really just another one of those certifications that mean zilch within the community it tries to codify. And that’s the problem: certifications are a reaction to the fact that there is no Bar or State Licensing Board for computer security professionals. Not surprisingly, if there were one, we’d be in trouble, because computer security isn’t straightforward, and it can’t be captured in a 20-item bullet list on the back cover of “Cram for your CISSP Exam”.
Tests are very easy to learn, and there will never be a way to systematically measure your experience.
Non-technical people think technical people are talking some alien language as soon as we start using acronyms like UDP or SSH. You can’t blame managers and clients for trying to find some simple insignia that identifies the good guys, but, in the end, there will never be a magic wand to identify those who are able vs. those who are not.
My 2 cents.