PLEASE ANSWER THE 4 QUESTIONS BELOW!!!

Cybersecurity Ethics Case Study:

Source/credit: An Introduction to Cybersecurity Ethics, Shannon Vallor, Ph.D., William J. Rewak, Santa Clara University.

In the summer of 2017 it was revealed that Equifax, a massive credit reporting bureau managing the credit rating and personally identifying information of most credit-using Americans, had suffered a severe security breach affecting 143 million Americans. Among the data stolen in the breach were social security and credit card numbers, birthdates, addresses, and information related to credit disputes.

The scale and severity of the breach was nearly unprecedented, and to make things worse, Equifaxs conduct before and after the announcement of the breach came under severe criticism. For example, the website created by a PR consulting firm to handle consumer inquiries about the breach was itself riddled with security flaws, despite requesting customers submit personally identifying information to check to see if they were affected. The site also told consumers that by using the site to see if they were affected, they were waiving legal rights to sue Equifax for damages related to the breach. The site, which gave many users inconsistent and unclear information about their status in the breach, offered to sell consumers further credit protection services from Equifax, for a fee.

Soon it was learned that the Equifax had known of the May 2017 breach for several months before disclosing it. Additionally, the vulnerability the attackers exploited had been discovered by Equifaxs software supplier earlier that year; that company provided a patch to all of its customers in March 2017. Thus Equifax had been notified of the vulnerability, and given the opportunity to patch its systems, two months before the breach exposed 100 million Americans to identity theft and grievous financial harm.

Later, security researchers investigating the general quality of Equifaxs cybersecurity efforts discovered that on at least one of Equifaxs systems in Argentina, an unsecured network was allowing logons with the eminently guessable admin/admin combination of username and password, and giving intruders ready access to sensitive data including 14,000 unencrypted employee usernames, passwords and national ID numbers.

Following the massive breach, two high-ranking Equifax executives charged with information security immediately retired, and the Federal Trade Commission launched an investigation of Equifax for the breach. After learning that three other Equifax executives had sold almost two billion dollars of their company stock before the public announcement of the breach, the Department of Justice opened an investigation into the possibility of insider trading related to the executives prior knowledge of the breach.

Question 1: what ethical challenges for cybersecurity practitioners do you think are most relevant to these studies? Briefly explain your answer.

Question 2: What significant ethical harms are involved in the Equifax case, both in the short- term and the long-term? Who are some of the different stakeholders who may be harmed, and how?

Question 3: What do you imagine might be some of the causes of Equifaxs failure to adopt more stringent cybersecurity protections and a more effective incident response? Consider not just the actions of individuals but also the larger organizational structure, culture, and incentives.

Question 4: If you were hired to advise another major credit bureau on their information security, in light of the Equifax disaster, what are three questions you might first ask about your clients cybersecurity practices, and their ethical values in relation to cybersecurity?