This learning module is designed to address the accreditation and membership requirements of the Australian Computer Society (ACS) for Information Communications Technology (ICT) professionals to have an understanding of ethics and codes of conduct.
Title: Basic ICT Professional Ethics
These notes are used for the course: Networked Information Systems (undergraduate COMP2410, graduate COMP6340), Australian National University (ANU).
Adapted from "Professional Ethics and Social Issues in Networked Information Systems" first run at ANU, 2011.
The web version of Basic ICT Professional Ethics by Tom Worthington is licensed under a Creative Commons Attribution-ShareAlike 3.0 Australia License.
See: http://www.tomw.net.au/basic_ict_professional_ethics
At the completion of this subject the student can:
Understand basic IT professional ethics, responsibilities, and norms of professional computing practice.
Graduate attribute 9 of the Seoul Accord (Seoul Accord Secretariat, 2008), "Ethics", requires Computing Professional Graduates to "Understand and commit to professional ethics, responsibilities, and norms of professional computing practice".
The ACS Core Body of Knowledge for ICT Professionals includes under "Ethics":
- "fundamental ethical notions (virtues, duty, responsibility, harm, benefit, rights, respect and consequences);
- basic ethics theories;
- integrity systems including the ACS Code of Professional Conduct, ethics committees and whistle blowing;
- methods of ethical analysis including methods of ethical reflection, and methods and procedures of ethical repair and recovery; and
- ICT specific ethical issues (professional - e.g. compromising quality and conflict of interest, and societal - e.g. phishing and privacy)" (ACS Professional Standards Board, p. 36, 2016).
It is assumed that the student has completed at least one year of a three year ICT degree program and understands basic computer concepts, the use of the Internet, academic writing and referencing.
The course consists of a summary of ethical concepts and a case study.
To complete the subject you will need to spend 5 to 7 hours reading the material, communicating with colleagues and tutors, and writing.
There is one area of assessment for the module:
One question in the final examination.
The module is presented as a set of notes to be read, additional readings and a case study. The material may be presented as a live lecture, with student participation in a "Hypothetical" based on the case study. The equivalent of six printed pages of notes is provided. Further readings (from which the notes have been prepared) and questions for the student are also provided. A paper detailing the design and educational philosophy is available (Worthington, 2012).
The subject is supported by a website where the online learning takes place. Learning materials plus discussion forums are available through this site. Set readings elsewhere on the web are linked from the site.
Tom Worthington is an independent ICT consultant and an Adjunct Senior Lecturer in the Research School of Computer Science at the Australian National University, where he teaches ICT Sustainability, the design of web sites, e-commerce and professional ethics. Tom is a past president, Fellow and Honorary Life Member of the Australian Computer Society. In 2010 Tom received the Canberra ICT Award for Education and in 2015 a National ICT Higher Educator of the Year "Gold Digital Disruptor Award" for course design. In 1999 Tom was elected a Fellow of the Australian Computer Society for his contribution to the development of public Internet policy. He is also a voting member of the Association for Computing Machinery and a member of the Institute of Electrical and Electronics Engineers.
The notes for this course are published in paper and electronic formats as: "Basic ICT Professional Ethics" (Worthington, 2016). Further readings, most of which are available on-line, are detailed in the notes. Students may be provided with a copy of the notes via a Learning Management System.
These notes have been developed from "Professional Ethics and Social Issues in Networked Information Systems" (Worthington, 2011). Changes for 2016 include:
Skills descriptions: Reference to Seoul Accord (Seoul Accord Secretariat, 2008) added.
Hypothetical scenario: The hypothetical scenario has been changed from a "My University" website to "Cyberwar".
The Oxford English Dictionary defines Ethics as:
Moral principles, or a system of these. ...
The branch of knowledge or study dealing with moral principles. ...
The codes of conduct or moral principles recognized in a particular profession, sphere of activity, relationship, or other context or aspect of human life. ...
From: "ethics, n." OED Online. Oxford University Press, March 2016. Web.
A President of the Australian Computer Society (ACS) provided a much shorter definition of ethics:
"Doing the right thing even when no one is looking."
From: Philip Argy, at the ACS Canberra Branch Conference 2007
Professional ethical issues can occur in developing any technology. However, the Internet and web allow many more people around the world to quickly connect to an IT system. As a result professionals are more likely to confront ethical issues when dealing with the Internet and the World Wide Web. Professionals may be called to account for their actions not only in their own country, but in any jurisdiction in the world. As Holmes (2013) points out, "People decide what technology is used for and must, therefore, take responsibility for the effects of such use".
The ACS has a code of professional conduct (ACS Professional Standards Board, 2014), incorporating a code of ethics (ACS Professional Standards Board, 2015) which requires all members to act with professional responsibility and integrity. The code is only binding on members of the ACS, but as noted in the document:
"Failure to abide by the Code could be used as grounds for a claim of professional negligence. The Code may be quoted by an expert witness giving an assessment of professional conduct." (ACS Professional Standards Board, p.4, 2014).
In decreasing order of priority, the ACS Code of Ethics lists:
- "The Primacy of the Public Interest: You will place the interests of the public above those of personal, business or sectional interests.
- The Enhancement of Quality of Life: You will strive to enhance the quality of life of those affected by your work.
- Honesty: You will be honest in your representation of skills, knowledge, services and products.
- Competence: You will work competently and diligently for your stakeholders.
- Professional Development: You will enhance your own professional development, and that of your staff.
- Professionalism: You will enhance the integrity of the ACS and the respect of its members for each other."
The ACS Code of Professional Conduct expands on the six values in the code of ethics. The first is the Primacy of the Public Interest:
"In the context of this Code, the public interest takes precedence over personal, private and sectional interests, and any conflicts should be resolved in favour of the public interest. In your work, you should safeguard the interests of your immediate stakeholders, provided that these interests do not conflict with the duty and loyalty you owe to the public. The public interest is taken to include matters of public health, safety and the environment.
In accordance with this value you will:
a) identify those potentially impacted by your work and explicitly consider their interests;
b) raise with stakeholders any potential conflicts between your professional activity and legal or other accepted public requirements;
c) advise your stakeholders as soon as possible of any conflicts of interest or conscientious objections that you have;
d) take into consideration the fact that your profession traverses many other professions, and has implications for other social systems and organisations;
e) endeavour to preserve the integrity, security, continuity and utility of ICT;
f) respect the intellectual property of others; and
g) endeavour to preserve the confidentiality and privacy of the information of others."
From ACS Professional Standards Board (2014).
Professional ethics are mainly concerned with applied ethics (as used in the workplace). However, research at the ANU on meta-ethics and normative ethics provided a better understanding of how ethics applies to ICT. Lucas and Weckert (2008) conducted a survey and interviews of ICT professionals on their attitudes to ethics and the IT industry. One finding was that those born 1981 to 1999 (so called "Generation Y") thought:
Holmes (2013) argues that the ICT profession has an ethical responsibility "... to see that the social benefits of binary digital technology are broadened and amplified, rather than the commercial and political benefits" and suggests this be done through education.
The Australian Federal and State Governments have enacted Professional Standards Legislation, coordinated by the Standing Committee of Attorneys General, which regulates professions, including engineers, solicitors, accountants and IT professionals. In return for accepting mandatory levels of qualifications and training, professionals are able to limit their liability. The Australian Computer Society was registered in 2010 (ACS Professional Standards Scheme, 2010). To take part in the scheme ICT professionals must:
In return for this a Certified Computer Professional has their maximum amount of liability limited to $1.5 million.
Worthington (2005) suggests that the guidelines provided by courts to expert witnesses also provide a useful summary of how professionals should act in their ordinary work:
"1.1 An expert witness has an overriding duty to assist the Court on matters relevant to the expert's area of expertise.
1.2 An expert witness is not an advocate for a party even when giving testimony that is necessarily evaluative rather than inferential.
1.3 An expert witness's paramount duty is to the Court and not to the person retaining the expert. ...
2.1 An expert's written report must ...
(d) identify the questions that the expert was asked to address; and
(e) set out separately each of the factual findings or assumptions on which the expert's opinion is based; and
(f) set out separately from the factual findings or assumptions each of the expert's opinions; and
(g) set out the reasons for each of the expert's opinions; ...
From
.
Professionals need to keep in mind that, regardless of who is paying them, they are to act in the public interest, within their area of expertise.
The ACS Code of Professional Conduct Case Studies (Bowern, 2014) set out thirty-three hypothetical situations which an ICT professional might find themselves in. Each case study has a summary and the references to relevant clauses of the ACS Code of Professional Conduct which apply to it.
Unclassified. All Scenario Data is Notional and For Exercise Only
Briefing by Cyberspace Operations Wing at Headquarters Joint Operations Command (COW/HQJOC), 12:30 Zulu 1 April 2017:
"At 02:20 Zulu, 1 April 2017, one of our maritime surveillance aircraft was reported missing. The aircraft was conducting a freedom of navigation flyover on one of the reefs, subject to claim by several nations. The last recorded radio transcripts are:
- OPFOR: "Unidentified military aircraft, you are entering a restricted zone. Turn now to avoid unfortunate consequences.
- OURFOR: We are over international waters, in accordance with accepted law.
- OPFOR: Unidentified military aircraft, turn back now. This is your last warning.
- OURFOR: Mayday, Mayday, Mayday, this is Surveillance One Zero Five Charlie Delta, one zero zero kilometers South East of ... " [Transmission ends]
Intercepts from our new signals intelligence (SIGINT) aircraft, which was on a test flight in the area, reported signals from a fire control radar, shortly before communication was lost.
The radar was in test mode, however, the older radar warning receiver in our maritime surveillance aircraft is not sophisticated enough to distinguish a test signal from a real attack.
Our aircraft's flares and electronic countermeasures were activated. This may have been mistaken for the launch of a cruise missile, which our aircraft can carry (but was not carrying).
A surface-to-air missile (SAM) was launched and our aircraft appears to have crashed while maneuvering to avoid the missile. The crew have been rescued by a civilian vessel, but have not yet been debriefed.
The media are reporting that one of our unarmed aircraft has been shot down and the Government has asked for military options to respond. The best kinetic solution is a precision air attack on the missile batteries, guided by special forces landed from a submarine, which is already on station. However, the government has also asked for a cyber option which would disrupt the opposing force's systems, show our national resolve, but avoid casualties.
It is proposed to target the opposing force's electronic control systems. This is expected to disable electrical systems and cause some local electrical fires. Our intelligence assets in the area will arrange for video of the damage to be posted to social media, for maximum news value. We will be working with civilian government personnel with special expertise, to prepare a human factor attack on their Internet of Things (IoT).
Unclassified. All Scenario Data is Notional and For Exercise Only
The hypothetical scenario presented is based on real events. In 2015 an Australian military aircraft was challenged by radio while on patrol (Wroe & Wen, 2015). In 2010 the "Stuxnet" computer worm was released, apparently designed to destroy a nuclear processing facility, but spread world wide (Langner, 2011). In 2014 five military officers were charged with hacking to obtain trade secrets (Wechsler, 2016).
Henschke (p. 17, 2014) points out that "the purpose of a cyberweapon is to attack an information system in order to perpetrate harm". Ford (p. 7, 2014) provides a diagram to help decide how to respond to a critical infrastructure/high impact attack. This chart could equally be used to plan an attack for maximum impact.
Cyber-warfare attacks do not necessarily need sophisticated computer code. They can be human factor attacks, where someone within the organization being attacked is tricked into providing information or access. In 2013 invitations to apply to a supposed government-endorsed child care center were sent to employees of an intelligence agency. An attached form was designed to collect personal information which could be used for later attacks (Page & Jean, 2013).
Suppose you are a Senior Incident Responder (SRI) in the Digital Protection Group (DPG) at the Digital Transformation Office (DTO) of the Government. Your job is protecting the whole-of-government website. Recently you detected a sophisticated attack and boasted "we could turn that attack back on them!". So you are now asked to do just that, despite being a civilian employee.
You are reasonably sure you can mount a cyber-attack which will have the desired political effect: it will disrupt systems of the opposing force enough to cause public embarrassment to their government, with minimum risk of casualties. But can you be sure its effects will be confined to government systems, or to that country? What if the attack shuts down hospitals in their country, or across the world?
Is it ethical to be involved in planning such an attack? Would your answer be different, if you are a civilian contractor rather than a government employee, or if you were a military officer? Note that the hypothetical scenario does not say what country is planning the attack, or who they are attacking: does it make a difference to your answer who is attacking who?
Note that you are not asked to become an expert on the Geneva Conventions or the laws of war. However, as a professional you need to be aware of the ethical implications of what you choose to do, or not do, in your work.
There will be a question on this topic in the examination.
ACS Professional Standards Board. (2014). ACS Code of Professional Conduct. Sydney: Australian Computer Society. Retrieved from https://www.acs.org.au/__data/assets/pdf_file/0014/4901/Code-of-Professional-Conduct_v2.1.pdf
ACS Professional Standards Board. (2015). ACS Code of Ethics. Sydney: Australian Computer Society. Retrieved from https://www.acs.org.au/__data/assets/pdf_file/0005/7835/Code-of-Ethics.pdf
ACS Professional Standards Board. (2016). Accreditation Management Manual: Document 2: Application Guidelines - Professional Level and Advance Professional Level. Sydney: Australian Computer Society. Retrieved from https://www.acs.org.au/__data/assets/pdf_file/0010/24499/ACS-Accreditation-Document-2-Application-Guidelines-V2.0.pdf
ACS Professional Standards Scheme. (2010). Professional Standards Act 1994 (NSW). Retrieved from http://www.psc.gov.au/sites/default/files/ACS_Scheme_2016-17.pdf
Bowern, M. (2014). ACS Code of Professional Conduct Case Studies. Sydney: Australian Computer Society. Retrieved from https://www.acs.org.au/__data/assets/pdf_file/0004/30964/ACS_Ethics_Case_Studies_v2.1.pdf
"ethics, n." OED Online. Oxford University Press, March 2016. Web.
Ford, S. (2014). Warfare, cyberweapons and morality. In M. Keelty, A. Henschke, N. Evans, S. Ford, A. Gastineau & L. West, Cybersecurity: mapping the ethical terrain. National Security College (ANU). Retrieved from http://nsc.anu.edu.au/documents/ocassional-paper-6-cyber-ethics.pdf
Henschke, A. (2014). A decision-making procedure for responding to cyber-attacks. In M. Keelty, A. Henschke, N. Evans, S. Ford, A. Gastineau & L. West, Cybersecurity: mapping the ethical terrain. National Security College (ANU). Retrieved from http://nsc.anu.edu.au/documents/ocassional-paper-6-cyber-ethics.pdf
Holmes, N. (2013). Some ethical imperatives for the computing profession. In J. Weckert & R. Lucas. (2013). Professionalism in the information and communication technology industry. ANU Press. Retrieved from http://press.anu.edu.au/apps/bookworm/view/Professionalism+in+the+Information+and+Communication+Technology+Industry/10791/ch03.xhtml#toc_marker-12
Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3), 49-51. Retrieved from http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=5772960
Lucas, R., & Weckert, J. (2008). Ethics and Regulation in the ICT Industry. Canberra: Centre for Applied Philosophy and Public Ethics. Retrieved from http://web.archive.org/web/20080821051937/http://www.acs.org.au/act/2008conference/docs/LucasACSConference2008.pdf
Page, F., & Jean, P. (2013, April 16). Free childcare scam aimed at intelligence staff. Sydney Morning Herald. Retrieved from: http://www.smh.com.au/it-pro/security-it/free-childcare-scam-aimed-at-intelligence-staff-20130415-2hwhq.html
Seoul Accord. (2008). Seoul Accord: Section D Graduate Attributes. Taipei: Seoul Accord Secretariat. Retrieved from http://www.seoulaccord.org/document.php?id=79
Wechsler, P. (2016). Issue: Cybersecurity Short Article: China's Unit 61398 Pulled From the Shadows. Retrieved from http://businessresearcher.sagepub.com/sbr-1775-98146-2715481/20160201/chinas-unit-61398-pulled-from-the-shadows?download=pdf
Worthington, T. (2005, December). The accidental expert witness. Information Age. Sydney:IDG. Retrieved from http://www.tomw.net.au/technology/it/expert_witness/
Worthington, T. (2011). Professional Ethics and Social Issues in Networked Information Systems. Canberra:Tomw Communications. Retrieved from http://www.tomw.net.au/technology/it/professional_ethics/
Worthington, T. (2012, July). A Green computing professional education course online: Designing and delivering a course in ICT sustainability using Internet and eBooks. In Computer Science & Education (ICCSE), 2012 7th International Conference on (pp. 263-266). IEEE. Retrieved from http://dx.doi.org/10.1109/ICCSE.2012.6295070
Wroe, D., & Wen, P. (2015, December 15). South China Sea: Australia steps up air patrols in defiance of Beijing. Sydney Morning Herald. Retrieved from: http://www.smh.com.au/federal-politics/political-news/south-china-sea-australia-steps-up-air-patrols-in-defiance-of-beijing-20151215-gloc2e.html
Liu, Z. (2016, March 25). China Remains Committed to Peaceful Settlement of Disputes in the South China Sea through Negotiations and Consultations. Beijing: Ministry of Foreign Affairs of the People's Republic of China. Retrieved from http://www.fmprc.gov.cn/mfa_eng/wjbxw/t1350776.shtml