Questions of ethics arise as Google cybersecurity report exposes US counterterrorism effort

Experts face a number of ethics challenges in the cybersecurity field and the ever-changing world of hacking. Constant monitoring for potential hackers is vital to protecting systems. But what happens when a discovered vulnerability was actually a government’s attempt at using hacking as a counterterrorism tool? Does a company still have a responsibility to report their findings?

As reported by Patrick Howell O’Neill for the MIT Technology Review, Google recently encountered this exact situation and it has created ripples across the cybersecurity industry.

Google discovers cybersecurity vulnerabilities from unexpected hackers

O’Neill discusses two Google blog posts where the company detailed how their Project Zero team discovered eleven zero-day vulnerabilities that hackers had been exploiting using new techniques. Although common for companies to report when vulnerabilities have been identified, the Google blog posts were missing key information, says O’Neill. The post didn’t include who was responsible for the attack or provide traditionally-shared technical details.

This resulted in more questions than answers, leading to some surprising findings.

“But MIT Technology Review has learned that the hackers in question were actually Western government operatives actively conducting a counterterrorism operation,” writes O’Neill. “The company’s decision to stop and publicize the attack caused internal division at Google and raised questions inside the intelligence communities of the United States and its allies.”

Ethics of reporting hacking in counterterrorism operations

This brings up the question – was Google in the right to report the discovered vulnerabilities knowing that they were a governmental counterterrorism effort?

Though garnering press attention, this is not the first time Google, or other companies – including those in other countries, have faced similar scenarios. In 2018, a Russian firm exposed American-led counterterrorism efforts in the Middle East.

“In response to this incident, some Google employees have argued that counterterrorism missions ought to be out of bounds of public disclosure; others believe the company was entirely within its rights, and that the announcement serves to protect users and make the internet more secure,” says O’Neill.

In other words, if the “good guys” have found and are exploiting these vulnerabilities, who’s to say the “bad guys” won’t soon follow?

It’s a complicated situation between companies like Google, who are trying to protect their own systems as well as their customers, and government safety initiatives that are intended to protect their citizens.

“But while protecting customers from attack is important, some argue that counterterrorism operations are different, with potentially life-and-death consequences that go beyond day-to-day internet security,” says O’Neill.

It’s an ethical gray area that will likely continue to impact the cybersecurity field well into the future.

Want to learn about cybersecurity? View the full list of bachelor’s, master’s and doctorate degrees in cyber and information security. Many courses are available both on campus and online. To learn more about Capitol Tech’s degree programs, contact admissions@captechu.edu.