The Hypocrisy of Cyber’s Hippocratic Oath
When graduating medical school, physicians take the medical Hippocratic Oath known as Primum Non Nocere – “First Do No Harm.” There’s a lot more to the Hippocratic Oath, and as I share my own experience in medical training, I will draw parallels to how similar and relevant it is to cyber security professionals and the work they do every day.
As a concept, “Do No Harm” is simple to understand. As we unpack what it means to always do no harm by operating successfully and consistently, a physician is essentially making a series of individual commitments that minimize the risk to the patient during treatment. It matters more than you imagine. According to a 2016 study by Johns Hopkins University – medical errors, if properly coded as a cause of death, would be the third ranking cause of death just behind heart disease and cancer.
Cyber professionals are all too familiar with the stark role humans play. The leading causes of cyber breaches involve vulnerabilities present in human-engineered products, or due to failures of humans to properly install, configure, or use these systems.
“I don’t want to hurt you.”
It goes without much argument that a physician should always act in the best interest of the patient (as opposed to the hospital, insurance company, herself, etc.). It’s a foundational part of trusting the physician when you are about to put your life in her hands.
It sounds simple, but if we think about how it might apply in cybersecurity, things get interesting. While in medicine we are always caring for an individual patient (young physicians often have to be reminded that they are treating the patient, not the disease), how do we define the protected unit in cybersecurity?
Do we act to minimize harm to a company overall? Should we care more about the employee or customer base? Or, in a strict comparison to medicine, should we prioritize the safety and privacy of a single employee or member? While codes of ethics in cybersecurity exist, they are vague on whose best interests a cyber professional should put first and above all others. A truly important step in professionalizing the field of cybersecurity would involve setting and adhering to these protection criteria. Some will be driven by morals and ethics, while others by law and regulation. Each has a part to play when referenced by the others.
“I know what to do in this situation.”
Medical treatment plans are always drawn up prior to treatment, whether a basic procedure or a complicated hours-long operation. It also often involves a team of professionals, not just one physician, to execute the care plan over a long period of time (pre-treatment, treatment, and follow-up care). Knowing what to do is such a big part of the Hippocratic Oath that the top promise within the oath is to “respect the hard-won scientific gains of those physicians prior and share the knowledge with those who follow.”
This is where the biggest gap exists between long-established professions like medicine and law, and young professions like cybersecurity. Even if we tried to utilize an accepted standard of knowledge, we would quickly hit a brick wall trying to agree on what ought to be standardized and accepted cybersecurity knowledge. It’s hardly agreed upon within specialized areas of cybersecurity like incident response or threat intelligence, much less for the cyber field overall. The lack of clarity hurts those in the field as much as those interested in getting into the cybersecurity field.
An Ounce of Prevention; A Pound of Cure
80% of healthcare spending in the U.S. is spent on the seriously ill – who represent 10% of the population at any given time. By contrast, only 20% of healthcare resources are spent on proactive care.
The cybersecurity industry is no different, where it is almost by definition driven by products and services meant to remediate incidents and breaches, and the costliest spend incurred within the industry is related to actively defending against attackers and dealing with the aftermath of these incidents.
In the Hippocratic Oath, a physician promises to prevent disease before seeking a cure for it, but human nature gets in the way of much of this. In cybersecurity, risk management as a practice is a declining budget exercise that is constrained by the psychology of the unknown that plagues non-technical executives controlling spend allocation. If an organization has not had a major breach in ten years, is leadership likely to approve higher levels of spend on proactive measures? Likely not.
Similarly, cyber decision makers are influenced by the ecosystem around them, and they are not immune to the constant marketing pressures of firms that are built around remediation rather than prevention. Many cybersecurity firms, like hospitals, are not built to prevent disease but to treat it once begotten. If we are to learn anything from medicine here, it is that more of our institutions have to focus on prevention.
A Small Step to the Solution
The solution isn’t easy, but by studying other professions that have developed in the last two centuries, it is fairly evident and consistent across professions. Truly professionalizing cybersecurity will require stricter adherence to a common body of core knowledge. To start, we’ll need to dispel the myth that cybersecurity is a field that changes constantly – while the threat landscape does change as the actors, motives, and means change (much the way viruses evolve in medicine), the fundamentals of the field remain the same. If we agree that much of the problem is human derived, then it stands to reason that even more of the field is driven by understanding human behaviors and motivations.
In our own work at N2K, our most recent contribution to the field was to map the core bodies of knowledge from most major certification bodies to one genericized version that we have created based on the NIST Cyber Workforce framework. By creating an ‘open-source’ concept of learning and performance objectives for the field, we hope to work with all professional associations, learning hubs like academies and universities, and practice centers like companies, government agencies, and public service institutions to advance the level of professionalism of individuals within the field.
Steve Jobs gave a commencement address at Stanford in 2005 saying, “Don’t be trapped by dogma – which is living with the results of other people’s thinking.” As cyber professionals, we ought to take that advice more to heart by building on the results of other people’s thinking.
The Hippocratic Oath ends with this promise to oneself that is fully applicable to all of us in Cyber – a reminder of the importance of the mission and the work we do:
If I do not violate this oath, may I enjoy life and art, respected while I live and remembered with affection thereafter. May I always act so as to preserve the finest traditions of my calling and may I long experience the joy of healing those who seek my help.