Doing the right thing in a world of grey. Remaining Ethical in Intelligence Analysis often gets blurry.
CyBeer of the Week: Northern Monk Laura Slater Montage
Metal Artist of the Week: Cavalera Conspiracy
Blessed Monday to you, my friends, and welcome back to the best intelligence analysis blog on the internet run by someone called Aaron, who likes hoppy IPAs and heavy metal. It’s a niche, but goddamnit I’m carving that one out! After a short break for the long weekend here in the UK last week, we’re back with your face-melting band and palate-awakening beer of the week, so let’s get straight into it.
CyBeer of The Week
Firstly, this weeks beer is a stonker. The magicians at Northern Monk have conjured up something special with Laura Slater. This double dry-hopped Mosaic IPA is entirely heavenly. From the aromas on the nose of fruit and citrus down the incredibly refreshing taste and mouth-feel. I could drink ten of these and not get bored. I’d be unwell the next day, but that might be worth it. Check this beer out. Really.
Heavy Metal!
This weeks band is Cavalera Conspiracy. A superband of sorts from Brazil, with members from Sepultura, Soulfly and Gojira. They haven’t dropped anything new for a couple of years, but they came on a Spotify playlist, and it was an excellent time all around. So this week they’re getting the nod of approval for the highly-sought-after AaronCTI metal artist of the week spot. You wait and see, soon bands will be asking me to be featured I’m very sure.
Ethical Intelligence Analysis – How?
Moving onto what I wanted to discuss this week, and that’s remaining ethical when conducting any investigation or intelligence analysis. I touched upon this subject in my last blog about Sockpuppets and working under an alias, but I think there’s more ground to be covered here. I should note that this post doesn’t revolve solely around doing OSINT either. This applies to all forms of intelligence analysis and gathering, from HUMINT to SIGINT and CTI. When you’re doing research or investigation, it’s imperative to remain ethical.
You might wonder what I mean by that, and it’s a reasonably nuanced topic, but I’ll try my best to clarify. Firstly, when you’re conducting an investigation, be that into a person, a criminal group, malware or a particular incident. It would be best if you didn’t do anything that you’re unsure about or could be illegal or dodgy. This may be something like trying a hacked password against a social media account, trying to conduct HUMINT against an innocent party to try and find information about a subject (this is mainly in the case of OSINT, as anything derived from interaction with another person is clearly NOT open-source). This list could go on but listen to your gut. 99 times out of 100, your gut is telling you the right thing to do.
Over The Top?
You may think that it’s a bit over the top and that ‘hacking back’ is entirely acceptable to you morally. After all, if the criminals have exploited someone else, then that makes them fair game, right? Wrong. The issue with this is two-fold:
1) In the UK at least, hacking back would constitute an offence under the computer misuse act, regardless of the intention.
2) By hacking back at the villains, that doesn’t make you any better than them.
In cybersecurity, we’re here to guard and protect our customers/clients, and we do that by providing advice to help them stay secure and assisting when things go wrong. It’s not our place to conduct illegal activity and nor should it be. To flourish as a law-abiding society, we need to remain on the right side of the law. Don’t get me wrong, I’d love nothing more than to see some villains get wholly exposed, but there are right ways and wrong ways to go about it.
I’m not for a second suggesting this is a common occurrence (at least not that I’ve personally encountered). Still, I feel with a growing interest in intelligence analysis as a profession in cybersecurity; it’s a discussion that should be brought to the forefront. After all, intelligence by its very nature remains fairly close-guarded and a small community (it’s mostly an excellent community too, by the way!). But as we see more people come into the industry and more businesses set up their own teams, there is likely to be an increase in the number of people working in the field without prior experience, which could lead to issues when it comes down to the ethical approach of investigating.
You Don’t Need Experience from The Military or Law Enforcement to conduct Ethical Intelligence Analysis
Don’t get me wrong. I’m not suggesting you need 100 years experience in the military or law enforcement to be a good analyst, far from it. The community today is mostly comprised of people with those backgrounds, who operate against a rigorous and defined set of rules and guidelines. Which, in turn, translates across into the private sector.
This background helps to ensure that when an intel team is set up, it operates within the spirit and confines of the law, and ensures that the individuals working have a thorough appreciation of the task at hand, and the limitations in which they must operate. I think it’s harder for someone without that experience to understand that, they can learn of course, and it’s in all our best interest to ensure we have a diverse team, with a range of backgrounds and approaches so we can operate at our best. But when it comes to thinking about the right way to conduct an investigation or if what you’re about to do is ok or not, you potentially introduce risk if you can’t pull on the legal frameworks used by state-funded organisations into your thought process.
The existing legal frameworks are, of course, far from perfect. Still, the point here is that as intelligence analysis continues to become a profession outside of the traditional areas, it is more important than ever that we establish our code of ethics when conducting investigations.
Code Breaker
For example, if you recruit a very keen school-leaver or graduate, they may absolutely get it on a technical level. But, sometimes you may need to mould the softer-skill side of intelligence work. We can talk about cognitive biases and critical thinking etc. But when it comes to an understanding of why we do or don’t do a particular activity. This can take some work. I have and continue to work with some outstanding junior analysts who’ve never set foot in the public sector.
These analysts are on their way to ‘infosec rockstar’ status, which is incredible. But they’re definitely an exception rather than the rule. I think as a community; we need to foster and encourage these individuals to exploit their natural curiosity after all, genuine interest is probably the first absolute requirement for anyone to become a successful intelligence analyst. But we need to make sure we can do so in such a way that they understand the risks and the reasons why you don’t stray outside of the lines.
Code of Ethics?
I think there’s merit in the idea of an industry-standard code of ethics for intelligence professionals. This idea could enable the community writ-large to solidify investigative conduct and ensure we continue to be the ‘good guys’ in the battle against villains. It’s something which groups like ISACA do for their members. Still, it’s very much for cybersecurity professionals who want to do particular exams (such as CISM), these are almost always aimed at senior people in cyber. Thus, exams don’t work to serve those junior or new people into the industry. We’re already moving towards standardisation in other areas (Mitre ATT&CK for adversary tracking, STIX/TAXII for sharing threat data, Microsoft Excel for everything else haha). So why don’t we operate an industry-standard code of ethics? Given different laws in different countries, I think this is much more about the spirit of researching a specific list of commandments (although I wouldn’t mind rocking a Moses-Esque beard). We can tell everyone to ‘don’t be a twat’, but that only goes so far. In my experience, 99% of people I’ve met in the industry and professional and good people.
Parting Thoughts?
What do you think? Is this an idea that could have legs? Or am I an idealist on a blog reading my mighty list of orders to the three of you that actually read these posts (Hi Mum)?
Let me know your thoughts. Maybe we can crowd-source a code of ethics for the intelligence community? Wouldn’t that be neat?! Ethical intelligence analysis shouldn’t be an aspiration, it should be the norm after all.
A slightly shorter post this time, but I wanted to expand on the ethical discussion. I think as a community, we should be encouraging the broader debate on this. Now, though, time for a beer.
Cheers,
Aaron