Ethics and network security

By Tom Worthington

Director of the Community Affairs Board

Australian Computer Society Inc.

For the ANUtech Internet for IT Professionals course

First presented 25th August 1995 (amended version 20th October 1995)

Good morning, this is day two of the course, so let's see what you have learned. Let's say your company is about to bid for work at a Commonwealth government agency for security consultant work. How many of you would know how to use SATAN to check the security of the other agency's computer first and add a "hello we got in" file, to impress the client?

How many of you would know not to do it, because it's unethical and illegal? Sorry, those that get this question wrong may have a short career and spend ten years in jail.

The ACS has a code of ethics which requires all members to act with professional responsibility and integrity. The code is only binding on members; however, this course is for IT Professionals, so judges and others are likely to use such codes when considering your actions in the use of the Internet.

Draft code of Professional Conduct and Professional Practice

The ACS is preparing a new Code of Professional Conduct and Professional Practice, which will be considered by the ACS's Council.

The code goes into more detail on points in the ACS Code of Ethics:

These are general points which apply to any IT professional's work. In general they apply to a person working in any profession. However, the Internet is relatively new and is bringing up old ethical problems in new guises.

My basic rule of thumb is:

Communications should be private and uncensored, except when there is a good reason they shouldn't. The reasons will vary depending on circumstances. However, the rules for a particular system should be set down in advance and known to all concerned. When in doubt, consult someone else (if it all goes wrong, at least you have someone to share a cell with).

You have the capability to access information which you are not intended to have. This capability does not confer on you an entitlement to that information.

You must not use a tool or technique to attempt to obtain unauthorised access to a computer system. Claiming you were "just testing the security of the system" is not an acceptable defence, either to your profession or the law. If you believe you have a legitimate role in testing system security then seek and obtain permission to do so, first.

The security of the Internet is of concern to organisations and the general community. You should attempt neither to downplay nor to exaggerate the security problems.

You have an obligation to assist with the general security of the Internet, as well as that of your client's systems. If you identify a generic security problem you must take steps to advise others of the problem, as well as fix it at your client's site. Hoping that no one else will notice the security flaw and using the excuse that telling people will make it worse is not acceptable.

Each individual professional must decide the correct ethical course in each case. You may have to act against the directions of your superiors or against the law to act ethically. It is for you to decide.


There are no final or simple answers with ethical issues. If I have left you with an uneasy feeling that you need to do more, but with some ideas of possible action, this has been worthwhile.


This document is: