The furore over the McKinnon hacking case provides a useful backdrop for efforts to improve ethical standards among IT professionals, says David Clarke.
The threatened extradition of Gary McKinnon to the US on charges of computer hacking raises important questions for the continuing development of the IT profession.
Putting aside the rights and wrongs of the request to try him in the US, one of the first things that struck me when I heard about the case was the sheer number of computers McKinnon accessed. His case provides a salutary lesson for the UK and US authorities.
Strong security community
The British Computer Society (BCS) is home to a strong security community and works with government and others to ensure professional standards are high. Breaches such as those McKinnon has admitted perpetrating should in future be a rarer occurrence.
Then there is the long-running debate over the teaching of skills that give the capability to attack IT systems. Analogies are difficult, because the ability to use a PC in a private home in the UK to bring enormous disruption half a world away is unlike anything else — but there are similarities with some other professional skills.
Soldiers, police officers, teachers and doctors all have capabilities and opportunities that enable them to disrupt and affect the lives of fellow citizens should they so choose. The traditional professions maintain their position and mandate through a social contract with ethical, professional behaviour on the one side and public trust on the other. It is vital that the IT profession achieves that same balance as it matures.
Inherent in the charter that grants the BCS its existence is this idea of an organisation and profession working for the public good — a profession worthy of public trust. That end-state of trust is at the core of the work the BCS is undertaking to create a recognised IT profession.
Significant harm
Increasingly, IT professionals are responsible for systems where negligence can mean significant harm, and where deliberate misuse of capability and opportunity could mean even greater harm. I am not just talking about systems that are usually identified as safety-critical or about complete systems failure.
In an information society, simply failing to make a supermarket website work well for those with disabilities can have a significant impact on lives. Hacking an eBay account or taking out the website of a small business can ruin livelihoods and cause misery. IT underpins the structures by which people conduct their lives.
That situation places a heavy burden not only on the individual, but on the profession as a whole to regulate itself and meet standards. For those of us who have been around the profession for a while, that means leaving behind a better culture than when we arrived. We owe this to the people who are entering the profession, for their own protection as much as other people's.
Another important element of this philosophy is the idea that the power of IT capability brings with it a public responsibility. It must be professionally — even socially — unacceptable to abuse that capability in IT as elsewhere.
Capable and ethical
We are further along this path than many might suspect. University courses accredited by the BCS require the teaching of professional ethics, and this is the start of a process that continues in some organisational inductions and vocational training. The end result is a true professional, both capable and ethical.
Ethical behaviour in practice is more and more the topic of conversation that others want to have with us as the professional body for IT. Ethics and professional responsibility are on the agenda for the public-sector and private-sector organisations we work with.
It is not so hard these days to draw a line between a professional ethos in IT and long-term value for citizens and shareholders. I think that situation is very encouraging, and a good foundation on which to build.
David Clarke is chief executive of the BCS, the Chartered Institute for IT, representing over 70,000 IT professionals. Clarke took up his post at the BCS in May 2002 and has nearly 30 years' involvement with IT systems, first on the supply side with HP, DEC and Compaq, then as chief executive in the Virgin group of companies and Trinity Mirror.
Talkback
Makes a lot of sense and a great deal of what happened in the McKinnon case could have being avoided if the approach to IT security in those facilities had being better thought out process.