Freedom of speech or lack of professional responsibility?

A look at what can happen when a consultant wants to go public with a security audit and the vulnerabilities found.

EDITOR'S NOTE: Ejovi Nuwere disputes Ira Winkler's interpretation of published news reports upon which the columnist's opinions are based. Nuwere says his lawsuit dealt only with censorship of a conference presentation and not the security audit he performed for the state of Nagano, not the national Japanese government.

Public disclosure of vulnerabilities revealed during a security audit made headlines recently when U.S. security consultant Ejovi Nuwere sued the Japanese government for violating his freedom of speech.

Papers filed in a Japanese court imply that Nuwere discovered many serious problems while performing a security audit of a Japanese government network containing the personal information of Japanese citizens. Nuwere intended to present details of the audit at a public conference. Through some means, the Japanese government found out about the presentation and its contents, and forced Nuwere to delete significant content to the point that he supposedly could not give the presentation. He claims his rights under the Japanese constitution were violated, and is now suing the Japanese government for damages.

I am definitely not an expert in Japanese constitutional law, but I do have significant experience with contracts to perform security assessments. In all of my experience, there has been a confidentiality and non-disclosure agreement embedded in a contract. Unless the Japanese government was extremely negligent, there should have been language to that effect in the contract to perform the security assessment in question. Assuming this to be the case, Nuwere likely waived his rights to freedom of speech to disclose the work so that he could perform the work and be paid for it.

Even if there was no language stopping Nuwere from disclosing his findings, you'd have to ask if it's ethical for a security professional to discuss clients. Clients hire security consultants because they trust them. It's not just a matter of being able to disclose client details, but a question of whether details should be divulged.

Naming clients, especially while disclosing details of their security assessment, not only potentially embarrasses them, but can make them vulnerable to an attack. There might have been enough time for the Japanese government to remediate the problems Nuwere found; however, that's not a guarantee that the problems were actually fixed. That could either be due to a shortage of funds or a variety of technical issues. Either way, it's not for a consultant to decide to potentially increase the risk of his client.

Would clients be able to trust security consultants if they believed that there was a possibility those consultants would randomly release the information? If a consultant wants to write about his experiences, he can easily disguise the identities of his clients. I frequently detail how I perform penetration tests and I find ways to change the circumstances, locations, industries and details of the clients. The industry benefits from learning methods for performing penetration tests and what to look for to secure their own environments. A presentation detailing how Nuwere performed a security assessment could benefit the industry. However, if the presentation was accepted on the basis that it would disclose his client's weaknesses, that clearly is a problem.

If Nuwere intended to warn the Japanese people about how woefully vulnerable their information was or is, that is probably not his decision to make because of legal or professional obligations. If he wants to be a whistle blower, which could remotely be a legitimate claim if he knew that there were serious problems that were still unremediated, then there are better and more efficient methods to get that done.

My commentary is based on what I read in several articles, and the facts could be very different. However, if the facts are even half true, Nuwere's actions call the security profession into serious question. This is not to say that we should sit back and let crimes be committed if we find obvious crimes or extremely gross negligence during the course of our work. However, clients cannot trust us if they cannot expect us to otherwise act in their best interests.

About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.

Have an opinion on this article? E-mail your letters to Shawna McAlearney, and include your name, title and organization. Letters may be edited for space and clarity.

This was first published in January 2005

Dig deeper on Security Testing and Ethical Hacking

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close