Ethical Considerations of Sharing Data for Cybersecurity Research

  • Darren Shou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7126)

Abstract

Governments, companies, and scientists performing cyber security research need reference data sets, based on real systems and users, to test the validity and efficacy of the predictions of a given theory. However, various ethical and practical concerns complicate when and how proprietary operational data should be shared. In this paper, we discuss hypothetical and actual examples to illustrate the reasons for increasing the availability of data for legitimate research purposes. We also discuss the reasons, such as privacy and competition, to limit data sharing. We discuss the capabilities and limitations of several existing models of data sharing. We present an infrastructure specifically designed for making proprietary operational data available for cyber security research and experimentation. We conclude by discussing the ways in which a new infrastructure, WINE, balances the values of openness, sound experimentation, and privacy by enabling data sharing with privacy controls.

Keywords

Data sharing, ethics, security



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Darren Shou, Symantec Research Labs, Culver City, USA
