By user701213 on Oct 17, 2007
Many corporations have corporate ethics policies. I take a refresher ethics class online once a year at Oracle and despite the fact I think I am pretty ethical, I always get at least one question wrong. (I think that means I am learning at least one new thing when I take the class.)
One of the areas most corporate policies cover is the area of conflicts of interest. For example, at Oracle, if you are asked to serve on an advisory board or board of directors of a company, you need to get multiple approvals. Approval is generally only given under certain circumstances that include consideration of whether there is a potential conflict of interest. For example, serving on an advisory board of a company in direct competition with Oracle would most likely not be approved.
Even in the ordinary course of business, potential conflicts of interest can arise and you are expected to disclose these. I don't know if it's my Midwestern upbringing or going to a university with a very strong honor code, but I am really big on disclosure. Probably ad nauseam disclosure: if I think something is even approaching a gray area of ethics, I email our corporate compliance officer to ask if there is an issue. And the reason is that at some point it is not merely the company's ethics policy that governs my disclosure, it's my personal integrity. I would hate to have someone think I said or did something where I appeared to be "independent" but in reality had an "angle" that was tainted by my being a stakeholder in some way.
Disclosure forces you to be honest with yourself as well as other people. If you have an axe to grind about something, you need to disclose who sharpens your axe if it is material to the discussion. And it often is.
There are many written or unwritten ethics codes that cover issues of disclosure in the business world. People who write about securities or recommend them are generally either prohibited from owning stock in companies they write about, or they have to disclose it. Imagine reading "Investment Kahuna-ette's" column in (insert name of well-respected business publication here), going out to buy the stock Ms. Kahuna-ette touted, and then finding out that she went long on the stock before the article came out (meaning, she bought the stock and hoped the price would rise). You'd feel as if Ms. Investment Kahuna-ette pumped the stock just so she'd make money, right? And if Ms. Investment Kahuna-ette did not disclose that in her column (not in subparagraph III, second sentence of some fine-print document nobody could possibly be expected to find, let alone read), you'd feel as if she cheated. Because she did cheat. People get fired for that.
One of the real downsides to the democratization of opinions that Web 2.0 represents is that where bloggers are competing with or crowding out "professionals," they are not necessarily adopting the code of ethics that some of the professionals have or at least pretend to have. This includes issues around disclosure.
I read an article over the weekend about how influential bloggers are to the restaurant business. On the face of it, there is nothing wrong with word of mouth spreading a restaurant's reputation; how many of us have had friends or relatives in town and asked our "foodie" friends for a restaurant recommendation? However, some of these bloggers are so successful that they quit their day jobs and blog for a living: their revenue is through advertising. So now, they are "professionals" and ought to be governed by a code of ethics. But few are.
Here's what I mean: professional restaurant reviewers as a matter of course (and ethics) pay for their own meals at the restaurants so they can't be accused of being "on the take." However, the "new breed" of online restaurant reviewers are apparently, as a matter of course, wooed by restaurants through "receptions" (read, "free food and drink"), after which their reviews become positive, what a surprise. Or, a blogger's parents who had a horrible restaurant experience were sent meal coupons (after their online blogger child ripped the restaurant). The blogger subsequently gave a rave review to the restaurant that supplied the meal coupons to his parents.
Now, maybe the food was really fabulous (I can't imagine any self-respecting "foodie" calling artfully presented dog food anything but "dog food," even if it was free, high end and organic dog food). However, in none of the above cases did the Influential Blogger disclose that he or she had gotten something of value for free from the restaurant. It doesn't mean they weren't entitled to an opinion, it means that they should have disclosed the freebie(s) because it likely "taints" their opinion. Or at least gives the appearance of tainting it, which is just as bad.
Other disclosure issues arise from people's business models and business relationships. For example, a lot of firms that are industry analysts, since they analyze and recommend products, also work with product vendors to guide their product directions. Many of them are very good in their sectors and can add value to vendors trying to ensure they solve the right customer problems. It becomes a problem if there is de facto or implicit "tit for tat" (meaning, if the vendor does not purchase consulting "advice," the analyst firm's "product reviews" of the vendor suffer). It's also a problem, in my opinion, if the analyst firm does not disclose (as they issue reports) which firms they "consult" for and which not.* One does have to ask the question, how objective can you be if the people whose products you review are also paying you to give them advice? At least disclose that there is a relationship and let the reader decide how important that relationship is.
So, what does disclosure have to do with security? A lot, as it happens, and not just the age-old "full vs. responsible disclosure" issue. Many security professionals, me included, have opinions and beliefs and we blog about them. For a lot of us, our associations don't need an explicit disclosure because they are already obvious. I don't add a disclaimer when I say something positive about Oracle in my blog because hey, I work for Oracle, my blog is hosted by Oracle, my email address has "oracle.com" in it; nobody could reasonably expect that I have a hidden agenda if I say something positive about Oracle.
It would be different, however, if I blogged on another web site where I had a totally different email id (let's say, a hotmail account), and I claimed to be the world's biggest Oracle security fan and did not disclose that I was a security executive with the company. Any sane person's response if I did that and it came out that LuvOracleSecurity@hotmail.com (which is a made up email address as far as I know) is lil' ol' me, would be, "Hey, who are you kidding here?" And they'd be right. It's not ethical. Not even close to being ethical. ("Slimy" is the word that comes to mind.)
As with other sectors of life, in the security community, many people have relationships that they do not disclose that either explicitly or implicitly influence their opinions, business judgment and/or public statements. They ought to - but often do not - disclose them.
For example, many security researchers also work for vendors from time to time to help them find vulnerabilities in the software. If you are a vendor, you figure if someone is a good researcher (has found a number of product vulnerabilities and worked with you well as "an independent") and you feel you can trust him/her, it can be helpful to have the researcher in to help you improve your product. We actually hired one of these individuals to run our ethical hacking team - a smart guy, good at finding vulnerabilities, and an ethical person.
Many vendors hire third parties to help them improve their products (disclosure: we have hired and do hire third parties to perform product assessments in addition to using our own internal ethical hacking team). Also, typically, you have some contractual restrictions on what the researchers can do with the information they find under contract. Most of these items are covered by a confidential disclosure agreement (sometimes called a non-disclosure agreement) and the thinking behind it is, "Hey, I am paying you to tell me about what you find so I can fix it, and I want time to fix it. So, Mr. Researcher, I don't want you doing a paper about this until some period after you report the bug and I fix it, to make sure customers are protected, and I don't want you ever releasing exploit code because I think it puts people at risk." Fair enough.
So, where does disclosure come into it? Just this: since many researchers who do "work for hire" for vendors are prevented from talking about what they are working on for Vendor X, they can - and often do - start talking about Vendor Y. Researchers do not generally have big PR agencies working for them and creating a media splash is "free marketing" that works pretty well. And because controversy sells, they may not be saying nice things about Vendor Y. None of this is necessarily a problem if Vendor Y is actually in the wrong. If you are guilty of tormenting small mammals, and a third party says so publicly, you have no cause to complain that you were wronged. Be nice to the critters and your PR problem goes away. But to the extent that the researcher is prohibited from talking at all about Vendor X, or does not disclose that he does work for hire for them, his opinion is potentially tainted to the extent he speaks about Vendor X or others in their market sectors. Just like the restaurant reviewers, if Vendor X paid me or gave me something for free, and I now say glowing, wonderful things about their product, I ought to disclose that I am or have been on their payroll or that I am getting freebies.
Even if we debate responsible disclosure (about the vulnerabilities themselves, which is another charged area) there should be no debate about the ethics of disclosing business relationships if you are going to set yourself up as "an independent expert." If you are on someone's payroll, you are not independent anymore, though you may still be an expert.
Quite honestly, even if you cannot speak or are restricted in how you speak about Vendor X, you need to disclose that or you have no moral leg to stand on in discussing disclosure - of any kind - with anybody. You might still be right in what you say, but at least the reader can correctly surmise that you might not be telling all you know about Vendor X - because you can't. If I am evaluating an expert's opinion, knowing what he cannot say or is not saying is at least as important as knowing what he can and does say.
I have a final thought on what is at the core of the disclosure issue for me, and that is the age-old but never surpassed virtues of honor and integrity. I mentioned earlier that I had gone to a university with a strong honor code: the University of Virginia. The single biggest reason I went there wasn't the beautiful architecture, though it is stupendous. Many buildings were designed by Thomas Jefferson: in 1976, Jefferson's Lawn and Rotunda were named the most outstanding architectural achievement in 200 years of American history by the American Institute of Architects (AIA). It wasn't the beauty of The University though there is that: the only time I have experienced love at first sight was seeing UVA in fall when I went there as a high school senior to check it out. I applied to UVA, and only UVA, and got in. It wasn't the fact that the engineering program was designed to turn out well-rounded graduates (I had to read More's Utopia and Plato's Republic as an engineering school requirement!), though that appeals to my literary side.
Nope, I went to UVA because they had an honor code that means something. It's one of the oldest honor codes in the country, and there is still a single sanction for honor violations: dismissal. Because there are no degrees of honor. If you think that there are degrees of honor, and cheating, lying and stealing are all excusable depending on day of the week, your mood, or your "value system," then you are welcome to attend another university: UVA does not want you there, and they make that clear in their recruiting materials. And as a graduate, I don't want people attending there who do not believe in and subscribe to the honor code. There is a beautiful gateway at UVA at one of the entrances, on which is incised: "Enter by this gateway and seek the way of honor, the light of truth and the will to work for men." Says it all.
The University recently sent a number of alumni/ae a link to some new ads they are going to run during televised football games. The emphasis in these ads was "diversity." And I was upset, but not because I have anything against diversity, if by that one means "commitment to the highest standards of academic excellence by all members of the university community, regardless of background." But what the school stands for, really and truly stands for, that makes it different from all others is the honor code, and that is what the ads should have stressed. Furthermore, in matters of honor, there should be no diversity. Whoever you are, wherever you come from, you live by the University of Virginia honor code, with its single sanction, or you go someplace else. A single code for all, and a single sanction for violations: dismissal.
There are precious few bastions in this country that have not fallen by the wayside to "everyone does it," "lying, cheating and stealing are just 'different values' that need to be tolerated," and "you can't expect people to live up to some arcane old ideal." (Except that I can and I do expect it.) One of these bastions is the University of Virginia. The other bastions include the service academies: the Naval Academy, the Military Academy, the Air Force Academy, the Coast Guard Academy. And for many of these schools, part of the honor code includes creating a community of honor: "A cadet will not lie, cheat or steal, nor tolerate those who do."
West Point has a single, straightforward motto that every cadet remembers because it is engraved on the West Point coat of arms. It is "Duty, Honor, Country." It was also among the last phrases to be quoted by GEN Douglas MacArthur at his stirring farewell address: "In my dreams I hear again the crash of guns, the rattle of musketry, the strange, mournful mutter of the battlefield. But in the evening of my memory I come back to West Point. Always there echoes and re-echoes: Duty, Honor, Country."
Need I add that "Duty, Honor, Country" is a lot worthier ideal than "Me, myself, and I," which seems to be the ruling ethos of so many?
For me, the issues around disclosure are not really as complicated as people seem to think they are. It goes back to honor. Honorable men and women disclose the nature of relationships when the existence of that relationship gives the appearance of - or substance to - a tainting of their opinions or a conflict of interest. If there is, as yet, no professional code of ethics in the security community, it is time we had one, and we can start with acting honorably as individuals: if your opinion looks to be or is influenced by a business relationship, disclose the relationship. You may still be right in what you say when you have an axe to grind, but the reader will know who sharpens your axe.
* Note: even if the vendor does not want the relationship disclosed for a variety of reasons, an analyst firm typically can say that they consult to players in the same space. It has the same disclosure effect for their allegedly impartial reviews, while still honoring the original vendor's confidentiality requirement. This type of arrangement is common in the securities industry.
For more information:
Book of the week: Mr. Pip by Lloyd Jones. I do not generally like much modern fiction, especially as so much is of the post-modernist drivel variety. However, a single great book can change your life, which happens to be the conceit of this story. After a revolution breaks out on Bougainville, the last white man on the island becomes a teacher, and he teaches the children by reading them Dickens's Great Expectations. A magical, special book that enriches your soul.
About the University of Virginia Honor Code:
A virtual tour of Jefferson's Academical Village at:
Pictures of UVA:
A link on honor codes:
General Douglas MacArthur's Farewell Speech at West Point:
The Coat of Arms of West Point:
A great biography of Douglas MacArthur is still American Caesar by William Manchester, which you can find at:
(I found out a few years ago that my dad had actually met Douglas MacArthur a couple of times while serving in Japan after WWII. How cool is that?)