Cybersecurity, whistleblowers and me.

During the last six years, of working with The Cyber Academy, I found myself in a very unique position. I came from a practitioner's background, but I was working in an academic environment, albeit not an academic myself.

I guess my work with public and industry engagement played a role in what happened.

Over the last few years, I have been contacted by a few Whistleblowers and/or potential whistleblowers, somehow related to the cybersecurity industry, the government and even other organisations.

Somehow, the people who contacted me were looking for guidance on what they should be doing with the information they had at hand. I felt privileged that people would trust me with something so important. Most of the time it was people I did not know, but in some cases, these were people I already knew.

Being a confidant

When people are concerned with something they see that they identify as fundamentally wrong, they often want to do something about it. The brave ones at least. However, the fear of losing one's job leads one towards the dilemma of doing what is right or risking one's career and prospects.

Being confided by those people, I found myself in my own moral dilemma: Do I do something about it, or do I let people make their own decisions?

The problem with doing something as a third party is that you are not always provided with solid evidence of malpractice or wrongdoing. As a result, you cannot go on accusing people of somebody else's saying so.

On the other hand, I decided from day one, that I would keep the trust and privacy of people who confided in me, and who may be in a vulnerable position, in order to protect them. To that end, I would always destroy any evidence that was shared with me and remove all conversations from my devices. (it is a bit easier if you have been working on Digital Forensics for 15 years!).

Cybersecurity & Integrity issues

One of the people who contacted me was concerned about something very serious. The company they worked for, was dealing with a government contract. They were installing workstations and at the end of the day, the staff would take the drives with the images for the workstation, back home. That meant that, in theory, one could deploy one of those images, install spyware, re-image the drive and start deploying the compromised image the next day.

I have no evidence that this had happened, but the risk was there, and the concern was genuine. The prevailing culture of the employer at the time would allow little opportunity for raising concerns. The business was an approved supplier. That would mean some kind of vetting by the awarding bodies, although I do not know what that would be.

My advice to that person was, that if they did not want to talk to their employer, to report it to the government authorities that had granted the contract and/or the police. There are ways to do that anonymously and I advised them to use such a way.

Internal employment issues

Some of the issues I was approached about, had to do with organisations in our industry, but the issues were internal employment issues, rather than cybersecurity risks.

One name kept coming up the last few years. A high-profile organisation with a toxic culture at the very top meant that people were unhappy or they were forced to leave their jobs, even without having lined up a new one yet. Funny (or maybe not) enough, this organisation and the one mentioned above, were interlinked, as the former was professionally vouched by the latter. The issues however were unrelated, and there was no cause/effect relationship between them.

My advice to all those who contacted me about this organisation was that they should seek legal advice. Ask a solicitor about what they should do, and where they stand and check if there were any contractual clauses or NDAs that would become an issue.

What can one do?

The first time I was contacted by a whistleblower, I felt the innate need to report this to someone. Then I realised that this was not my story to tell. I may have believed the people who approached me, but this was their experience and their evidence (whenever they had any).

I do not know what happened after those people talked to me. I wiped out any evidence of any communication, to ensure that their names were protected. I have actually forgotten a couple of their names, to be honest ... but I have not forgotten the details of their stories.

A couple of people from the organisations concerned, I often see in conferences and other events, from public engagement to formal dinners. It feels strange to know something about them, keeping a secret that they would not know that I know...

Keeping a whistleblower's confidence is of paramount importance. It is the cornerstone of transparency that other processes and rules do not provide nowadays.

I am wondering, however, if I should anonymously report in some instance, what I was privy to, if it was in the public interest for me to disclose it. I am talking about the information, not the person.

This thought has troubled me in the past. I am still to make up my mind and certainly not sure what the standard of proof for my redline would be. It is a moral dilemma.

Any thoughts?

#whistleblowers #disclosure #proof #moral_dilemma #Scotland #Cyber #Cybersecurity #organisation #right #wrong #truth #nomorelies