
Paper ID #29175

Curriculum Development for Cyber Ethics with a Focus on Law Enforcement

Dr. Joseph Benin, U.S. Coast Guard Academy

CDR Benin is a graduate of the Coast Guard Academy (BSEE), having served as the Regimental Honor Officer and Chairman of the Cadet Standards of Conduct Board. He then served as the Electrical and Electronics Officer aboard the USCGC Healy (WAGB-20) while completing his Engineer-Officer-In-Training (EOIT) qualifications. He began graduate studies at the Georgia Institute of Technology, was selected as an adjunct MacArthur Fellow, and ultimately earned a Master of Science degree in Electrical and Computer Engineering and a Master of Science degree in Information Security. In 2005, he was selected as a member of the Permanent Commissioned Teaching Staff (PCTS). He successfully defended his dissertation and graduated with a Ph.D. in Electrical and Computer Engineering from Georgia Tech and presently focuses on the areas of computer networks, programming, and security. He is the Program Coordinator for the Coast Guard Academy’s Cyber Systems major and chair of the USCGA Cyber Council.

Mr. William Randall, US Coast Guard Academy

William Randall spent over 30 years in Coast Guard C4IT/C5I including serving as the senior civilian for the engineering, development, and protection of the Coast Guard’s IT infrastructure at the Coast Guard’s Telecommunication and Information Systems Command. William is currently the director of rowing at the Coast Guard Academy and has been lucky enough to be allowed to help in the development of the Cyber Systems Major at the Academy and to teach the first offering of the Cyber Ethics course.

© American Society for Engineering Education, 2020

Curriculum Development for Cyber Ethics with a Focus on Law Enforcement

Abstract

The goal of this paper is to share the methodology and results of the Coast Guard Academy’s approach to developing a Cyber Ethics course for its Cyber Systems major with an additional focus on Law Enforcement. This paper seeks to apply an ethical framework to an emerging and ever-changing field of cybersecurity. Assessments from the first offering are shared as well as end of course student feedback. These are utilized as a basis of analysis for future improvement. The area of Cyber Ethics is a critical, relatively immature, interdisciplinary, and dynamic field that requires an understanding of ethical frameworks across history and an understanding of the technical details of cyber actions in order to make judgments on the ethical implications of such actions. This course has sought to extend ethical to the cyber domain while introducing many of the legal and policy considerations appropriate. Through the use of vibrant in class discussion, research and presentations, and a final project, students learned about, explored, and sought to discern the ethical implications of cybersecurity within the context of society, especially as it pertains to military and law enforcement. Student feedback validated that the course challenged them, offered them an opportunity to present their views, and extended what they had learned in their classic ethics class into the cyber domain. Based upon lessons learned, adjustments are being made for the second offering of this course in order to improve the flow and delivery of the class and the evaluation criteria. Changes are also being made to account for the increased class size from single to double digits.

1. Introduction

As engineering and technology become more pervasive and invasive in society, the need for engineers and computer professionals to possess a set of moral principles to the application of their labor has only become more and more important. This need appears almost universally endorsed given the myriad of ethical codes promulgated by professional organizations in these domains (e.g. [1, 2, 3]). ABET specifies that it “expects [evaluators] to behave in a professional and ethical manner” and lists “an ability to recognize ethical and professional responsibilities” as a required Student Outcome of accredited programs [4, 5]. The American Society for Engineering Education (ASEE) has long held and succinctly insists that “because engineering has a large and growing impact on society, engineers must be equipped by their education to fulfill their ethical obligations to the public at large, to their profession, and to their clients and employers” [6]. Thus it should come as no surprise that as academic cyber programs proliferate, the need for ethics in cyber space is no exception [7, 8]. To date much of the focus on cyber ethics has been on cyber warfare [9, 10].

The course developed and presented in this paper is consistent with the approach to undergraduate Cyber Education as outlined in [11]. Repeated studies have demonstrated the effectiveness of case studies in increasing engagement and impact of cyber ethics internalization (such as in [12, 13]) and thus case studies were incorporated in this work. The topic of cyber ethics in education has evolved over the past ten years from a focus on the ethical use of technology while an undergraduate student (as presented in [14] or [15] with an emphasis on plagiarism) to instilling in students ethical principles of behavior in the use of cyber technology in the world. Our work is also consistent with that of [16], in which the authors point out the difficulties with the concept of teaching someone ethics and recognize that “what we are truly trying to accomplish is the much more complicated task of advancing students’ sense of moral development and reasoning.” Fortunately, this effort is reinforced by every aspect of the educational and training experience at the Coast Guard Academy. Irrespective, all legitimate institutions of higher learning are committed to developing their students into ethical members of society. Ultimately it is the goal of the authors to move students to higher levels of Kohlberg’s Stages of Moral Development [17] in an effort to have our students make right actions in accordance with “ethical principles appealing to logical comprehensiveness, universality, and consistency.”

This topic became particularly prescient to the U.S. Coast Guard Academy when on March 13, 2019, it launched its ninth major: Cyber Systems, a computing major with a cybersecurity focus modeled on the NSA/DHS National Centers of Academic Excellence in Cyber Defense program [18], ACM Cybersecurity curriculum for four-year institutions (CSEC) [19], and ABET Criteria for Accrediting Cybersecurity Computing Programs [20]. The Cyber Systems (CYS) major prepares future officers for exciting careers within the Coast Guard with a focus on developing and implementing cutting-edge computing technologies in an interconnected cyber world. Cyber technology is inextricably linked with all aspects of Coast Guard mission performance. The Cyber Systems major comprises a strong academic foundation in technical computing balanced with a managerial cyber emphasis. The major provides students with the necessary foundations for the design and development of assured, secure computer systems in order to defend computer networks, enable Coast Guard missions, and protect critical national infrastructure in support of the Coast Guard’s Cyber Strategy [21]. The program challenges cadets to become critical thinkers who can design and implement computer systems and software to solve real-world technical problems. This major includes managing information technology, understanding a systems approach, and achieving fluency with information systems. Research and capstone areas include such diverse fields as security, physical systems, risk management, intelligence, policy, geospatial science, secure software development, and network security all within a cyber context. More details about this major can be found at [22].

Morals and Ethics is not something the Coast Guard Academy takes lightly. Honor permeates all that is done at the Academy as one of three Core Values, in its mission, and during Swab Summer Core Values training where the new 4/c (first year) cadets are introduced to the Core Values of their chosen service: Honor, Respect, and Devotion to Duty. They are taught about and required to live up to these Core Values if they are going to complete their journey. Furthermore, violating the Academy’s Honor Concept (“Who lives here reveres honor, honors duty. We neither lie, cheat, steal, nor attempt to deceive.”) is a serious offense and can result in being disenrolled.

In addition to the extensive military training, the Core Curriculum of the U.S. Coast Guard Academy also requires all cadets to take three credit hours specifically focused on moral and ethical education. This can be met by either taking a three credit Morals and Ethical course or a combination of a two credit Introduction to Moral and Ethical Philosophy course and a follow on one credit course focused on their major area of study. Given the importance of ethics in an engineering, technology, and cyber context, the Coast Guard Academy elected to introduce a new course on cyber ethics with the introductory course as a prerequisite which ultimately became titled Cyber Policy, Compliance, and Ethics. This cyber ethics course attempts to take the discussions of , Kant, and others started in the core morals and ethics course into the realm of cyber with a distinctly Law Enforcement perspective germane to future officers with a set of unique authorities that span from humanitarian, regulatory, law enforcement, and military.

For the course, the authors start with a definition of ethics as a set of moral principles and cyber ethics as a set of "moral principles relative to IT systems, technologies, and digital media." We define “cyber” as pertaining to . We adopt the United States Department of Defense definition of cyberspace as

A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. [23]

We build from these definitions as a class by discussing how (a) the acceptable behavior in the real world is also acceptable in cyberspace, (b) examples of moral conduct in both physical and virtual realms include showing respect for others, being honest, etc. [24], and (c) drawing in real-world examples of ethical discussions in law enforcement currently occurring in the cyber-world. This goes well beyond “following the rules” to understanding morals and discussing the principles of right and wrong and how that is determined. Let us now explore the process that was utilized in the development of this cyber ethics course.

2. Methodology

The course was developed in two parts and was designed to give students a chance to both reflect on the social and professional impacts of computer technology by focusing on the rules and the ethical issues faced in our evolving cyber world and to meet a portion of the National Centers of Academic Excellence in Cyber Defense Education (CAE-CDE) requirements established by the NSA and DHS.

We arrived at the decision to develop the course in two parts as a practical solution to covering the CAE-CDE knowledge units for both “Policy, Legal, Ethics, and Compliance” and “Cybersecurity Ethics.” It was determined that by first covering the knowledge units for policy, legal, ethics, and compliance we could establish a framework based in legal precedent from which to discuss ethical behavior in the cyber realm.

In order to accomplish the first part, to cover the myriad laws, rules, regulations, and guidelines listed in the knowledge units, we undertook the approach of student-based presentations.

Each student, or pair of students with the larger class size the second year, would select a topic from the list of policies, laws, rules, and regulations and develop a 6 to 8 minute presentation that:
• Explains what the topic is (expands the acronym, summarizes the law, etc.)
• Explains from a Cyber standpoint why we care
• Explains some of the cyber security concerns
• Provides three questions that can be used on a quiz or test to confirm knowledge

The remaining students in the class would then assist in the grading of the presentations and a subset of the questions provided would be used to test all the students’ knowledge at the end of this section.

The goal of the second part of this course was to provide students an opportunity to build on their foundation in ethics by applying lessons learned to the cyber domain. This was done by extending the and ethical constructs the students were exposed to in the introductory course on morals and ethics specifically to the cyber domain with an emphasis on Coast Guard (law enforcement, regulatory, and military) applicability. The first part of the development of this section was to review the readings that the students were exposed to in their introductory morals and ethics course (Appendix V). Examples of how we help the students build on their ethics foundation include:

Table 1. Examples of Extending Traditional Ethics to Cyberspace

"By choosing to live in Athens, a citizen is implicitly endorsing the laws, and is willing to abide by them." (' conversation Crito)

Rather than simply break the Laws and escape as Crito wanted, Socrates argued that the laws are a citizen’s duty and a form of social contract. He further argued that, more than most, he should live in accordance with the contract since he had lived happily in the city for 70 years and was fully content with the Athenian way of life.

But,
• What happens when the laws can't keep up with the technology?
• How do you address the issue that the internet does not match the geographic boundaries of countries?

“What Matters is the Motive” and the ideas of “

According to Kant, the moral worth of an action consists not in the consequences that flow from it, but in the intention from which the act is done. What matters is the motive, and the motive must be of a certain kind. What matters is doing the right thing because it's right, not for some ulterior motive.

Contrast that with the idea that “The ends justify the means”
• Are computers and networks weapons that could/should be used for “proportional response”?
• Is there such thing as a just cyber war?

“Following the law enforcement debate – vs. security with respect to encryption on smart phones”

Law enforcement is one of the key mission areas of the graduates of the Coast Guard Academy. So, this year, as we progressed through the semester we followed the latest events in the debate about developing a “back door” to allow law enforcement agents access to encrypted data stored on suspected criminals’ smart phones.

Each week or two we would quickly discuss a new article – articles like:

Breaking iPhone encryption won't make anyone safer - By Jonny Evans, Computerworld, JAN 15, 2020 - Any security vulnerability will be exploited, enabling more of the bad activity backdoors intend to prevent.

Apple dropped plan for encrypting backups after FBI complained - by Joseph Menn, JANUARY 21, 2020 - Apple Inc dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

As Department Pressures Apple, Investigators Say iPhone Easier to Crack, By Robert McMillan, January 14, 2020 - Security experts question necessity of latest battle over encryption as new tools emerge

The last installment of this was sent this past week. The discussion point was from a student paper. The student wrote, “The fourth amendment says that you need probable cause and a warrant in order to make searches and seizures and having a backdoor would make it so the FBI could access any iPhone without either since they could access anyone’s iPhone at will.” I asked the students to think about it this way, “This is a very tough issue since you are determining the lesser – encryption that can’t be broken and so the bad guys can use it for nefarious ends or a back door that bad guys can use for nefarious reasons in and of itself.”

The final course description is given in Table 2. Please see Appendix III for the full catalog entry and Appendix IV for the syllabus. Once the curriculum was developed it was time to test out this course with students. The initial offering of this course was in the spring of 2019 as a one credit directed studies for nine brave cadets who wanted to dive deeper into the topic of cyber ethics. Given the Cyber Systems curriculum was (and still is) in the process of being deployed, there were some challenges to the first “test drive” of this material. For example, some of the students had not previously completed the Introduction to Moral and Ethical Philosophy course. Additional peculiarities include the fact that it was taught by an engineer (not an academic ; albeit someone with 20 years of experience as a Coast Guard officer and an additional 12 years as a Coast Guard civilian managing the classified and unclassified information technology, including all of the classified and unclassified systems, networks, and access points connecting the Coast Guard to the Department of Defense information infrastructure) and within the cyber section (within the Engineering Department; not the Department of Humanities). Another major challenge for this course is that as a one credit course it only meets once per week with an expectation of 2-3 hours of work outside of class to read, study, and write which made providing written assignments of serious complexity and depth next to impossible.

Table 2. Cyber Policy, Compliance and Ethics Course Description

The world of cyber is complex and full of questions. This course is designed to delve into some of these questions and challenge students to explore their system in a digitally connected world. The course is designed in two parts. Part one provides students with some understanding of information assurance in the context and the myriad laws, rules, regulations, and guidelines that impact compliance. Part two provides students an opportunity to build on their foundation in ethics by applying lessons learned in the cyber domain. This course will give students a chance to reflect on the social and professional impacts of computer technology by focusing on the rules and the ethical issues faced in our evolving cyber world.

Finally, there was the issue of a textbook. Students tend to ignore textbooks when assigned but complain of the lack of one when they are not utilized. In the area of cyber ethics there are plenty of books to choose from, but none that perfectly captures the essence of this class’ goals (see Table 3). Ultimately, we elected not to use a textbook, but relied on the readings that the students had to complete for their introductory course and on current articles from the internet.

Table 3. Potential Cyber Ethics Books
• Cybersecurity and Cyberwar, P.W. Singer and Allan Friedman, 2014
• Code 2.0, Lawrence Lessig, 2006
• The Rise of Big Data Policing: Surveillance, Race and the Future of Law Enforcement, Andrew Guthrie Ferguson, 2017
• Ethics and Cyber Warfare: The Quest for Responsible Security in the Age of Digital Warfare, George Lucas, 2017
• LikeWar: The Weaponization of Social Media, P.W. Singer and Emerson T. Brooking, 2018

Table 4. Example of a Current Article

Transportation Secretary Elaine Chao Releases New Guidance For Self-Driving Vehicles At CES

The Washington (DC) Post (1/8/20, Duncan) reports that in her speech, Chao said, “The federal government is all in for safer, better and more inclusive transportation, aided by automated driving systems.” The Post says the latest version of the guidelines “largely continues on a path of letting private companies take the lead on developing the technology with limited input from the government.”

Chao said of the guidelines, “The goals are pretty simple. They’re clear and consistent,” adding, “They need to improve safety, security and the quality of life for all Americans. That’s the barometer for success.” The Post reports that Chao’s speech focused on the potential for self-driving vehicles to reduce traffic fatalities and congestion while offering new mobility for those with disabilities. However, Chao acknowledged in her speech that the “technologies are not yet advanced enough to enable wide-scale deployment of fully autonomous vehicles.” The Post mentions that questions have been raised over the government’s role in self-driving vehicles following the fatal accident involving an autonomous Uber vehicle and a pedestrian in 2018, and the National Transportation Safety Board “said safety regulators ought to compel companies to share more information about their testing.”

This article is significant both for the question of the government's role in self-driving cars and, by extension, for autonomous watercraft, which the Coast Guard will be called on to handle in the future as part of our regulatory and law enforcement roles.

3. Lessons Learned from the First Offering

As Justice Louis Brandeis taught, “there is no such thing as good writing. There is only good re-writing” [25], so too can one approach the development of academic curricula. That being said, and based on the end of course reviews, the course went well. The students completed their evaluations with the teacher out of the room and the forms are turned in directly to the Electrical Engineering and Cyber Systems Section Chief and then are returned to the instructor after grading is completed as a part of the overall course review. The course is evaluated on a 5-point scale for learning, enthusiasm, organization, classroom environment, individual report, examinations, and assignments. Figure 1 provides the feedback received. Overall, the student feedback was very positive with the highest feedback for “Students are encouraged to express their own ideas and/or question the instructor,” “Students are encouraged to ask questions and are given meaningful answers,” and “Instructor is enthusiastic about teaching the course”. Of note, the most negative feedback was in regards to “Required reading/textbooks are valuable” but generally anything above a 3.5 is considered positive.

Figure 1. End of Course Student Feedback from First Offering

In addition to providing numeric feedback, students are also asked to comment on the things they most liked and disliked about the course. The most prevalent positives were related to the open discussion of current cyber events in an open discussion format. Feedback included:
• “I liked that there wasn’t a lecture every day and that the class revolves around open discussion…”
• “We did current events at the beginning of class which helped broaden our views.”
• “I would highly recommend this course and instructor.”

The biggest negatives were understanding the assignments for the next class and the volume of work for a one credit course. That said, two thirds of the students said they spent 0-2 hours per week out of class and one third said they spent 3-5 hours a week. As previously stated, the target was about 3 hours a week for out of class work. Interestingly, the comments about too much work were more from the students that spent 0-2 hours each week, such as one student who stated that “It seemed sometimes to be more work for a 1 credit class than necessary.” The other negative was about structure and knowing what the upcoming assignments were. “The upcoming assignments and generally knowing what was due next class could be improved. At times I felt as if I did not know what was expected of me in the preparation for next class.” An additional graph and the raw data from the survey are included in Appendix VI.

4. “Re-writing” the Course

With the Cyber Systems cadets at the United States Coast Guard Academy now moving into their second year of the program (3/c year), this course is presently (spring 2020) being offered as a USCGA Curriculum Committee approved course that has since been added to the official Course Catalog. As we begin the second offering of the course there are several changes that are planned which correct shortcomings in the first offering, take into account the feedback of the students, and are designed to enhance the course.
The cadets were effective at conveying their ideas in oral presentations, but they were, in general, far less effective in conveying their ideas in a written form. While the number of written assignments for a one credit course was deemed adequate, the plan is to place more emphasis on quality of the writing and the student’s ability to present their idea in written form.

There is going to be a slight increase in the emphasis on the ideas of Just War Theory¹ and how it relates to the concept of Cyber War. This emphasis aligns with the student’s discussions of Just War Theory in their core Introduction to Moral and Ethical Philosophy course. The discussions will be around the use of “proportional response” and collateral damage and is in alignment with the National Cyber Strategy directing the Coast Guard to be a leader in the operational technology/industrial control systems (OT/ICS) space.

As far as the primary concern of the students (the volume of work required for the credits offered), there is no plan to reduce the volume of work assigned as it is well within the amount of time they should be spending on a one credit hour course. In response to other feedback and to add more structure to the assignments, the learning management system used by the Academy (Desire 2 Learn (D2L)/Brightspace) will be more effectively used and the notification system within D2L will be leveraged.

¹ For more information or an understanding of the author’s concept of Just War Theory for those unfamiliar with this concept, readers are encouraged to visit https://www.iep.utm.edu/justwar/

5. The Next “Revision”

In the years ahead we hope to continue to develop the thoughts about what is the proper place to teach cyber ethics (as part of philosophy or as part of engineering/computing) and who the best people to teach it are. An engineering professor can bring an understanding of the technology that creates some of the ethical dilemmas faced. A philosophy professor can bring a deeper understanding of the philosophical underpinnings that support study of ethics. Ideally, one day we will achieve a partnership with the Department of Humanities to co-teach this course and further develop its contents and assignments.

Furthermore, while continuing to meet the knowledge unit requirements of the NSA/DHS CAE-CD program, we desire to ensure this course remains firmly rooted in academic and intellectual discourse. While the non-technical core knowledge units for policy, legal, ethics, and compliance from the National Centers of Academic Excellence in Cyber Defense Education (CAE-CDE) established by the NSA is quite prescriptive and has a strong leaning toward an overview of the laws and regulations that exist, it feels more like training than education (see Appendix I/ [26]). That being said, the list actually points to ethical issues we discuss in class such as “What happens when the laws can't keep up with the technology?” and “How do you address the issue that the internet does not match the geographic boundaries of countries?” Thus we hope to continue to improve our application of this KU and extend those portions of the Cybersecurity Ethics KU (see Appendix II/ [26]) as appropriate in order to develop the best educational experience for our students.

6. Works Cited

[1] "IEEE Code of Ethics," [Online]. Available: https://www.ieee.org/about/corporate/governance/p7-8.html. [Accessed 27 January 2020].
[2] "ACM Code of Ethics and Professional Conduct," [Online]. Available: https://www.acm.org/code-of-ethics. [Accessed 27 January 2020].
[3] National Society of Professional Engineers, "Code of Ethics," [Online]. Available: https://www.nspe.org/resources/ethics/code-ethics. [Accessed 27 January 2020].
[4] ABET, "Accreditation Policy and Procedure Manual (APPM), 2020-2021," [Online]. Available: https://www.abet.org/accreditation/accreditation-criteria/accreditation-policy-and-procedure-manual-appm-2020-2021/. [Accessed 27 January 2020].
[5] ABET, "Criteria for Accrediting Engineering Programs, 2020 – 2021," [Online]. Available: https://www.abet.org/accreditation/accreditation-criteria/criteria-for-accrediting-engineering-programs-2020-2021/. [Accessed 27 January 2020].
[6] American Society for Engineering Education, "ASEE Statement on Education," 31 January 1999. [Online]. Available: https://www.asee.org/about-us/the-organization/our-board-of-directors/asee-board-of-directors-statements/engineering-ethics-education. [Accessed 27 January 2020].
[7] E. H. Fiallo, "The lack of ethics in cyber space: a case for cyber ethics," in Proceedings. Eleventh International Conference on Computer Communications and Networks, Miami, FL, 2002.
[8] S. Lingafelt, "The History and Development of a “Cyber Security” Program Criteria," ABET, 11 November 2017. [Online]. Available: https://www.abet.org/the-history-and-development-of-a-cyber-security-program-criteria/. [Accessed 27 January 2020].
[9] N. A. Barghouthi and H. Said, "Critical structure of ethics behind offensive cyber warfare," in 2013 International Conference on Current Trends in Information Technology, Dubai, 2013.
[10] N. M. Cal, "Crossing the rubicon: identifying and responding to an armed cyber-attack," in 2016 International Conference on Cyber Conflict, Washington, D.C., 2016.
[11] E. Sobiesk, J. Blair, G. Conti, M. Lanham and H. Taylor, "Cyber Education: A Multi-Level, Multi-Discipline Approach," in 16th Annual Conference on Information Technology Education (SIGITE ’15), , NY, 2015.
[12] M. Skirpan, N. Beard, S. Bhaduri, C. Fiesler and T. Yeh, "Ethics Education in Context: A Case Study of Novel Ethics Activities for the CS Classroom," in 49th ACM Technical Symposium on Computer Science Education (SIGCSE ’18), New York, NY, 2018.
[13] Z. Yijia, H. Jiaqi, L. Guiqin, C. Feng and G. Zhiyuan, "Autonomous Driving Ethics Case Study for Engineering Ethics Education," in Proceedings of the 2019 International Conference on Modern Educational Technology, Nanjing, China, 2019.
[14] M. Masrom, Z. Ismail and R. Hussein, "Ethical awareness of computer use among undergraduate students," SIGCAS Computer Society, vol. 39, no. 1, pp. 27-40, 2009.
[15] J. Whittington and J. Colwell, "Should A Class Be Required? Plagiarism And Online Learning," in ASEE Annual Conference & Exposition, Austin, TX, 2009.
[16] M. J. Dark and J. Winstead, "Using Educational Theory and to Inform the Teaching of Ethics in Computing," in Information Security Curriculum Development (InfoSecCD), Kennesaw, GA, 2005.
[17] L. Kohlberg and R. Hersh, "Moral Development: A Review of the Theory," Theory Into Practice: Moral Development, vol. 16, no. 2, 1977.
[18] National Security Agency, "National Centers of Academic Excellence," [Online]. Available: https://www.nsa.gov/resources/students-educators/centers-academic-excellence/#defense. [Accessed 27 January 2020].
[19] Association for Computing Machinery, "Cybersecurity," [Online]. Available: https://ccecc.acm.org/guidance/cybersecurity. [Accessed 27 January 2020].
[20] ABET, "Criteria for Accrediting Computing Programs, 2020 – 2021," [Online]. Available: https://www.abet.org/accreditation/accreditation-criteria/criteria-for-accrediting-computing-programs-2020-2021/. [Accessed 27 January 2020].
[21] U.S. Coast Guard, "Cyber Strategy," June 2015. [Online]. Available: https://www.uscg.mil/Portals/0/Strategy/Cyber%20Strategy.pdf.
[22] United States Coast Guard Academy, "Cyber Systems," [Online]. Available: https://www.uscga.edu/cysys/. [Accessed 27 January 2020].
[23] Joint Chiefs of Staff, "Joint Publication 3-12: Cyberspace Operations," Department of Defense, Washington, DC, 2018.
[24] J. Chen, "Cyberethics," January 2012. [Online]. Available: http://etec.ctlt.ubc.ca/510wiki/Cyberethics. [Accessed 27 January 2020].
[25] E. C. Gerhart, Ed., Quote It II: A Dictionary of Memorable Legal Quotations, William S. Hein & Company, 1988.
[26] "2020 Knowledge Units," [Online]. Available: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2020_Knowledge_Units.pdf. [Accessed 27 January 2020].

Appendix I: NSA CAE-CD Policy, Legal, Ethics, and Compliance Knowledge Unit [26]

The intent of the Policy, Legal, Ethics, and Compliance Knowledge Unit is to provide students with an understanding of information assurance in context and the rules and guidelines that control them.

Outcomes
To complete this KU, students should be able to:
1. List the applicable laws and policies related to cyber defense and describe the major components of each pertaining to the storage and transmission of data.
2. Describe their responsibilities related to the handling of data as it pertains to legal, ethical and/or agency auditing issues.
3. Describe how the type of legal dispute (civil, criminal, private) affects the evidence used to resolve it.

Topics
To complete this KU, all Topics and sub-Topics must be completed.
1. Federal Laws and Authorities
   a. Computer Security Act
   b. Sarbanes – Oxley
   c. Gramm – Leach – Bliley
   d. Privacy (COPPA) HIPAA / FERPA
   e. USA Patriot Act
   f. Americans with Disabilities Act, Section 508
   g. Other Federal laws and regulations
2. State, US and international standards / jurisdictions
3. Payment Card Industry Data Security Standard (PCI DSS)
4. BYOD issues

Appendix II: NSA CAE-CD Cybersecurity Ethics Knowledge Unit [26]

The intent of the Cybersecurity Ethics Knowledge Unit is to provide students with an understanding of ethics in a cyber context, to examine typical situations where ethical dilemmas arise and to provide the students with tools for ethical decision making.

Outcomes
To complete this KU, students should be able to:
1. Explain how ethical foundations are applied to situations arising from the interconnected world.
2. Examine diverse ethical dilemmas.
3. Describe the role of cybersecurity in supporting and encouraging ethics, as well as where cybersecurity practices can cause ethical conflicts.

Topics
To complete this KU, all Topics and sub-Topics must be completed:
1. Ethical Codes and Frameworks
2. Ethics and Cyberspace
3. Ethical Issues
   a.
   b. Availability
   c. of others
   d. Respect and principles of community
   e. Resource use, allocation, and abuse
   f.
4. Ethics-based decision tools
5. Cybersecurity and social responsibility

Appendix III: USCGA Cyber Systems Catalog Entry

7294 CYBER POLICY, COMPLIANCE, AND ETHICS

The world of cyber is complex and full of questions. This course is designed to delve into some of these questions and challenge students to explore their value system in a digitally connected world. The course is designed in two parts. Part one provides students with some understanding of information assurance in context and the myriad laws, rules, regulations, and guidelines that impact compliance. Part two provides students an opportunity to build on their foundation in ethics by applying lessons learned in the cyber domain. This course will give students a chance to reflect on the social and professional impacts of computer technology by focusing on the rules and the ethical issues faced in our evolving cyber world.

Credit Hours: 1.00
Format: Class
Prerequisites: 2394
Projected Offering: Spring

Appendix IV: USCGA Syllabus for Cyber Policy, Compliance, and Ethics

U.S. Coast Guard Academy 7294: Cyber Policy, Compliance, and Ethics

Course Syllabus — Spring 2020

Introduction

Instructor
William M. Randall
Office: Rowing Center
Phone x-8679

Course Description
This course is designed in two parts. Part one should provide students with an understanding of information assurance in context and the myriad laws, rules, regulations, and guidelines that impact compliance. Part two should provide students an opportunity to build on their foundation in ethics by applying lessons learned to the cyber domain. This course will give students a chance to reflect on the social and professional impacts of computer technology by focusing on the rules and the ethical issues faced in our evolving cyber world.

Credit Hours: 1.0
Format: Class
Prerequisite: 2394 Ethics

References
This course will draw from current events that are affecting the nation’s and the Coast Guard’s cyber security posture. There is no text for the course, but there will be research required on the internet to prepare for class.

Course Website
The course online presence can be found on Desire 2 Learn. The site includes links to a complete syllabus, course schedule, homework, and other items of interest.

Format
This course will meet during one fifty-minute class each week.

Course Objectives
The student will demonstrate:

• The ability to read, digest, and present the impacts of current policies, laws, and regulations on cyber infrastructure and security.
• An understanding of the Coast Guard’s position in the federal government cyber world and how that impacts the laws and regulations as well as each members
• The ability to apply the concepts, terms, and ideas they have learned to ethical issues in the cyber domain
• An understanding of why professional codes of conduct are important for cyber security professionals and will develop the start of their own ethical roadmap

Policies

Class Attendance
Class lectures and activities will be conducted at a level and pace that assumes students have completed any preparatory assignments. You are expected to be familiar with the material in order to move toward better comprehension during class and complete the in-class exercises and homework assignments. Class attendance is mandatory.

If you must miss a session due to illness, injury or other emergency, contact your instructor as soon as practical. If you expect to miss a session because of an extracurricular activity, please contact your instructor in advance. In either case, you are highly encouraged to meet with a classmate to obtain copies of class notes, assignments, etc., as you will still be responsible for all content covered during the class you missed.

If you expect to miss class on a date that an assignment is due, you are responsible for seeing that your work is submitted on time.

Collaboration
Students shall not collaborate on quizzes. Collaboration on many of the assignments is allowed and highly encouraged. You are encouraged to discuss assignments with other members of the class or with anyone else whom you believe can be of assistance; however, submitted assignments must be your own.

You are ultimately responsible for knowing and following the stated collaboration policy of each assignment and should feel free to discuss any questions with your instructor.

Assignments and Grading

Homework
Pre-class reading, videos, and/or exercises designed to prepare you for class will be assigned and graded based upon completion and will directly prepare you for the in-class exercises. Homework is primarily designed to prepare you to fully participate in class. All homework assignments are due at the beginning of class on the scheduled date. Late homework will not be accepted unless previously arranged with your instructor.

In-Class Exercises/Participation
Participation in class discussions is required, and counts for 20% of your grade. The key to effective class participation is to be prepared.

Consider preparing questions, objections, or comments in advance of class. Remember that effective class participation transcends merely providing “right” answers; you should also constructively respond to or ask questions about the assignment and/or comments of other students.

Quizzes
There will be a few individual assessments (quizzes) based upon previously covered material.

Class Projects and Final Project
There will be two class projects. The projects will require the student to research, develop, and present to the class their results. The format for the presentation will be provided for each of the assignments.

In lieu of a final exam, the class will be required to complete a group project and then provide an individual evaluation of the review.

Your grade in the course will be based on the following:

Item                                Weight
Homework                            20%
Class Participation                 20%
Quizzes                             10%
Class Projects/In-Class Exercise    30%
Final Project                       20%

Course Schedule

Week 1 – Overview of Cyber Policy, Regulations, Rules, and Ethics Course

• Policies and Regulations
  o HIPAA
  o FERPA
  o Computer Security Act
  o Sarbanes – Oxley
  o Gramm – Leach – Bliley
  o Privacy (COPPA)
  o Payment Card Industry Data Security Standard (PCI DSS)
  o State, US and international standards / jurisdictions
• Laws and Authorities
  o US Patriot Act
  o Americans with Disabilities Act, Section 508 - For 508 talk to public affairs
  o GDPR - General Data Protection Regulation

Week 2 and 3 – Presentations on rules, regulations and policies that govern cyber space

Each presentation should be 6 to 8 min in length and answer at least the following questions –

• What is the rule (many are acronyms)?
• From an IT standpoint why do we care?
• What are some of the cyber security concerns?
• What questions (at least 3 questions) should everyone be able to answer after your presentation?

Week 4 – Close-out of rules, regulations and policies that govern cyber space, Quiz

• Cover the listed rules that were not presented
• Quiz

Week 5 – CG infrastructure moving forward

• CGONE, JIE, and .MIL/.GOV rules and comparisons
• Bring your own device (BYOD)

Week 6 and 7 – CG ethics and core values as a framework for cyber ethics

• USCG - COMDTINST M5370.8B, STANDARDS OF ETHICAL CONDUCT, March 01, 2002
• USCG Ethics training
• Define “Cyber Ethics”

Week 8 through 13 – topics in cyber ethics

Week 8 – Issues in cyber ethics and impacts on the CG

o What are the biggest issues in cyber ethics?
o What are the biggest issues in cyber ethics affecting the CG?

Week 9 - Contrast harpists with serious harpists (Aristotle)

o From the framework of honor, respect, and devotion to duty - What are the responsibilities as USCG officers in the world of cyber (ship control systems, maritime safety, UAVs, marine inspectors, etc…)

Week 10 - "By choosing to live in Athens, a citizen is implicitly endorsing the laws, and is willing to abide by them." (Socrates' conversation with Crito)

o What happens when the laws can't keep up with the technology?
o How do you address the issue that the internet does not match the geographic boundaries of countries?

Week 11 – The Internet, the cyber world, and the Constitution

o Privacy, , Peaceable assembly, and Innocent until proven guilty
o How does this apply with:
  - News agencies with political agendas
  - Facebook, Google, etc.
  - Automated politics

Week 12 – Attacking the Coast Guard

Sun Tzu was credited with the saying, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Week 13 - Motive matters

Build a discussion from Sandel’s review of Kant – summarized in a quick phrase as: “What Matters is the Motive” and the ideas of “just war theory”. Finally consider, stealing from Spiderman, “With great power comes great responsibility” and whether the ends do or do not justify the means… - Computers and networks as a weapon.

Week 14 and 15 – Final project

To draw together much of what we discussed into a final presentation that the students' ability to articulate their thoughts about Cyber Ethics.

Appendix V: Reading List for the 2-Credit Prerequisite Ethics Course

Reading Assignment
• , “Meno”
• Plato, “Meno”
• Plato, “Apology”
• Plato, “Crito”
• Wingrove-Haugland (& Gregg?), Varieties of **
• Mill,
• Bufacchi & Arrigo, Utilitarianism and Torture
• Harris, The Ethics of Natural Law
• Wingrove-Haugland & Bosanquet, “Just War Theory”***
• Walzer, “Guerilla Warfare”
• Epictetus, The Handbook
• Stockdale, “Courage under fire”* and Sherman, “Manners and Morals”*
• Kant, Groundwork, Preface and First Section
• Kant, Groundwork, Second Section
• Kant, Groundwork, Third Section
• Sandel: “What Matters is the Motive: ”
• O’Neill, “Treating Others as Persons”*
• Gilligan & Attanucci, “Two Moral Orientations”
• Aristotle, Nicomachean Ethics, Book I
• Aristotle, Nicomachean Ethics, Book II
• Aristotle, Nicomachean Ethics, Book III
• Sandel, Ch 8, “Who Deserves What? Aristotle”
• Sandel, “What do We Owe One Another? Dilemmas of Loyalty”
• MacIntyre, “Is Patriotism a ?” and Douglass, “What to the Slave is the Fourth of July?”
• Walzer, “Just and Unjust Targeted Killings”
• Film: Eye in the Sky, course evaluations, etc.

* - Edited to be significantly shorter than existing reading in 3-credit course.
** - New article with links to Rachels, “Ethical Egoism,” Pojman, “Cultural Relativism,” and Arthur, “.” Cadets will choose one of these to read, rather than reading all three.
*** - With new “Pacifism, Realism, and Just War Theory” section at the beginning, “” section shortened so length remains about the same.

Appendix VI: Additional Graphs and Data from Student Feedback

General Feedback

[Figure: bar chart of student responses per survey item; axis scale 0 to 10; legend: Negative (1-2), Neutral (3), Positive (4-5). Survey items as labeled in the chart:]

• Assignments contribute to understanding of the subject
• Required reading/textbooks are valuable
• Methods of evaluating student work are fair and…
• Feedback on examinations/graded materials is valuable
• Instructor has a genuine interest in individual students
• Instructor makes students feel welcome in seeking…
• Students are encouraged to express their own ideas…
• Students are encouraged to ask questions and are given…
• Proposed objectives agree with those actually taught so…
• Course materials are well prepared and carefully…
• Instructor's explanations are clear
• Instructor's style of presentation holds your interest…
• Instructor is enthusiastic about teaching the course
• The learning outcomes for the course were successfully…
• You have learned and understood the subject materials…
• You find the course intellectually challenging and…

Raw Data

Category                 Student #1 #2 #3 #4 #5 #6 #7 #8 #9
LEARNING                 4 3 4 5 5 5 4 4 5
                         5 4 3 4 5 5 5 4 5
                         5 4 1 4 5 5 5 3 5
ENTHUSIASM               5 5 5 5 5 5 4 5 5
                         5 3 4 5 5 5 4 5 5
ORGANIZATION             5 4 4 5 5 4 4 4 5
                         5 2 3 4 5 5 4 4 5
                         5 4 4 5 5 5 3 2 5
CLASSROOM ENVIRONMENT    5 5 4 5 5 5 5 5 5
                         5 5 4 5 5 5 5 5 5
INDIVIDUAL RAPPORT       5 5 2 5 5 5 4 4 5
                         5 5 4 5 5 5 4 5 5
EXAMINATIONS             5 4 3 4 5 5 4 3 5
                         4 2 4 5 5 4 3 5
ASSIGNMENTS              5 3 3 4 5 2 5 5
                         4 3 5 5 5 4 4 5