CyberWire Daily - The Code of Honor: Paul J. Maurer and Ed Skoudis explore ethics in cybersecurity with Ben Yelin. [Special Edition]
Episode Date: May 25, 2026. Authors Paul J. Maurer and Ed Skoudis join Caveat podcast co-host Ben Yelin to discuss their new book: "The Code of Honor: Embracing Ethics in Cybersecurity." The book is a comprehensive and practical... framework for ethical practices in contemporary cybersecurity. Listen to Ben's discussion with Paul and Ed as they explore the ethical dimensions of cybersecurity, the influence of AI, and the responsibilities of cyber professionals. Consider joining Paul and Ed in upholding the highest standards of cybersecurity ethics by signing the Cybersecurity Code they share as part of The Code of Honor.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Hey, everybody, Dave here.
Thanks for joining us here today for this Cyberwire special edition.
Today, my Caveat co-host, Ben Yelin, speaks with Paul Maurer and Ed Skoudis.
They are the authors of The Code of Honor: Embracing Ethics in Cybersecurity.
Their new book offers a practical framework for navigating the ethical challenges facing today's cyber professionals.
Here's their conversation.
So these two gentlemen are the co-authors of The Code of Honor: Embracing Ethics in Cybersecurity.
And I thought we'd start at a very high level and just talk about your motivation for the book,
what message you each were trying to convey and whomever wants to get started.
I'm happy to jump in on that.
We saw a gap.
And anyone who's done higher education, particularly doctoral work, you know that a dissertation
is about finding a gap and filling it.
And if you've done any book writing, it's the same.
And so we think that there was a gap in the ethical teaching of cybersecurity.
And I got a call from the National Security Agency asking for a curriculum.
We had a long conversation, and I suggested that we add a book to that project.
They agreed with it.
And so at the behest of the National Security Agency, we agreed to do that.
I reached out to Ed because I needed a co-author on the book and someone who actually understood cybersecurity.
I'm not a cybersecurity technical person, never have been, never will be,
and he very graciously came alongside to give it some cyber chops.
And for me, my involvement was based on 21 years of teaching cybersecurity incident response
and penetration testing. In that 21-year span,
I taught over 40,000 students.
And very frequently questions would come up about ethics, about various scenarios that would come up
while handling cyber attacks or while conducting security assessments and penetration testing.
So I would answer students' questions in the classroom as well as those that arrived via email for a couple of decades.
And when Paul approached me saying, hey, there ought to be a book, I said, that's great.
I have a lot of experience.
I can pull up all those old emails with all those questions, and we can put them in a modern framework.
and hopefully impact some people's lives in a positive way
by focusing on not only what individual practitioners need to think about for ethics,
but also cyber leaders.
So as a law guy myself, when I teach classes,
I always get the question about whether law and ethics are intertwined in one way or another.
And what's kind of the interplay between legal principles,
rules and ethics. I'm wondering if you could get into that because I think sometimes there's a confusion there.
Yeah, I'd be happy to take a first shot at that. I think that an awful lot of
ethics today is defined by law, but that's not historically the case over the course of, you know,
two millennia. When you look at something like the Hippocratic Oath or just war theory,
that is something different than the law. And so what we aspire to
do with this code of honor is to create a code of ethics for cybersecurity that was something that
transcends the law into a higher ethical moral order.
Sure. Also, I'd add to that that, you know,
the law is established. That's all fine. And we want people to adhere to the law. But in the cyber world,
especially with AI, things are moving so fast that the law trails. It just, it kind of has to,
because new technologies are enabling new things, new decisions have to be made.
So we thought it would be useful to put a framework together for decision-making in light of rapidly advancing technology.
One thing that I really enjoyed about the book is just talking about how much power and influence cyber professionals have.
Can you talk about just that notion of power and kind of what responsibility comes with that power within organizations?
Sure. This always brings me back to the Spider-Man quote, right? Uncle Ben,
yes, Uncle Ben said to Peter Parker, with great power comes great responsibility.
My own or ego, Uncle Ben, yeah. Very nice. Yes, I feel more Uncle Ben as I age myself here too.
You know, I think that your average layperson doesn't understand the power that cybersecurity
professionals have. Or maybe they think of it as some sort of bizarre magic. But as a
cybersecurity professional, you have access to all kinds of information that could be abused in
very bad ways, access to systems, hacking capabilities, detailed information about how systems
are put together and the vulnerabilities they have. So these folks are very trusted implicitly. And our
book tries to make the point that we need to make sure that we have an explicit declaration of the
need for trusting these individuals and then a framework for them to exercise their duties in light of
this great trust that we put in them. Yeah, the thing I would add to that is that we see cybersecurity
as the economic and security threat of our time. And as such, the number of people who are vulnerable to
this is infinite. Everyone is vulnerable to this. And so the responsibility to protect the vulnerable
is very, very great. And we think that it cannot simply be about technical education. The human
factor really is at the core of the cyber problem and the cyber solution. And so you have to have
people who are ethically trained and ethically committed in order to do the full job.
I know this might be a difficult question, but we often talk about those gray zones where
somebody faces a decision point. Maybe they've discovered a vulnerability and they don't know
exactly what to do. Is there one or two examples of kind of those gray zone moments that
stick out to you and that kind of gave you the most fuel for this writing? Oh, sure. There are many
different things. You know, there's a lot of gray zones in this, this cyber world, and that's why the book is
built on different principles, one principle per chapter, you know, working for the common good,
maintaining privacy, et cetera, et cetera. And Paul and I actually wrestled for about two years on this.
Paul came and visited me in my office monthly, sometimes more than once a month, and we'd spend
a day or two trying to figure out what these foundational principles are.
and then, Ben, we ordered them to say, hey, these are the most important ones, and then, you know, they go in order of decreasing importance.
And that was to kind of help people balance things out, because in any ethical dilemma, you are going to face multiple different principles.
So we tried to place them in order to give a sense of where the decision should come out.
An example? You asked for a specific example.
Suppose you find a vulnerability.
You're a cybersecurity researcher, a vulnerability researcher.
You find a vulnerability in some system that thousands or maybe even millions of people rely on.
And you disclose this responsibly.
That is you tell the vendor who makes the software that there's a problem here.
That's all very good.
And that's actually pretty easy from an ethical perspective.
Here's where we get into a gray zone.
What if the vendor doesn't respond?
Or that they just keep dragging things out for long periods of time while people have that exposure. Unknowingly, their customers are exposed to this
vulnerability that you, the cybersecurity researcher, know about, but the vendor of the software isn't
moving fast enough. What do you do then? Do you disclose publicly to force that vendor's hand? Well,
that risks all of those people who use the software and their sensitive data. So we talk in the book about
how to navigate situations like that and to reach out potentially to a trustworthy third
party, perhaps in industry or in academia. They can help get the attention of a vendor, also just to
help vet your own understanding of that vulnerability. So that's an example of sort of that gray zone and how to
reach out to a mentor or another trustworthy person to help clarify.
We don't assume that this is easy and we don't assume that this is simple. We think that this is
a muscle that has to be exercised and developed through practice and time.
And there are no pat answers, or there are many answers that are not clearly black or white or pat answers.
And so that's where the critical thinking of human beings working together as a team is so critical to solving these problems.
How have you found reception just among technologists?
So I am also somebody who is not a technologist.
I have no fluency in whatever it is the cybersecurity professionals do.
But for people who have been in the field,
have you found a positive reception to this book and to your framework?
Yes, I have.
I've had many people come up to me and tell me that they found the book very understandable,
very organized.
You know, cybersecurity professionals are very busy people.
There's a lot of technical information coming their way.
The book, including appendices, is a very organized 190 pages long. The font is a friendly reading size, and it's very structured. It also includes
a whole bunch of case studies. And some of the case studies we go through and provide approaches and
answers. And then every chapter ends with an open-ended case study for interaction and discussion.
So that seems to have hit the mark. And I'm very pleased at that from what I'm hearing from our readers.
Also, occasionally I will present this book to a friend or a former student of mine.
And one of the things that I do, and I think you'll get a kick out of this, Ben, I'll say to them,
hey, I wrote a book on cybersecurity ethics, and I can think of no one who needs this book more than you.
And then I hand them an autographed copy of the book.
It always gets a laugh.
The kiss of death, yep.
Yep.
But there's a subtle thing here saying, hey, I think you might want to read this, you know, in a friendly way.
So I feel like there's this conflict between immediacy and ethics.
So, and you've talked a little bit about this, things move very quickly, and sometimes
there are going to be decisions that technologists and even leaders have to make in a matter
of minutes or seconds.
You know, if you're a public sector worker, you're a secretary of a state agency and there's a
ransomware attack.
Like, you have to decide very quickly whether you're going to pay the ransom or how you're
going to recover your data. So can you talk a little bit about that conflict between the need for speed
and ethics and kind of what principles go into making decisions in that context?
Ed?
Sure. So this is why we talk about building the muscle of ethics, you know, starting with
small, simpler things, but having that framework to view things through. We hope the book presents
a clear, concise, ethical framework so that you can respond quickly by building up that muscle over time on the stuff that doesn't need immediate response,
but you think through things carefully so that once that muscle is built, you then have a knee-jerk
reaction that will go in the direction of what is ethically sound. We also encourage people in the book
to build up a relationship with a mentor, somebody that is known, trusted, maybe within your
same organization, or perhaps in another organization, although we always say, make sure you
honor your nondisclosure agreements appropriately there, and then have that person available.
Now, they're often not available on a split-second moment, but again, they may be available right
away, or they've helped to build your ethical muscles over time.
The book includes the Cybersecurity Code. This is the code or the oath that we ask students and
cyber professionals to consider taking, and we encourage teachers to make
this available to students, maybe even as a condition of finishing the program at their particular
institution, or a CISO in the workplace. And that code is a series of eight relatively, very easy
to read, simple, concise principles. And so even in the heat of decision making, you can have
that code right in front of you and reference it as part of the decision making.
And as I referenced, over time, if you do that, if professionals do that, committed to that,
then it becomes part of the automatic thinking rather than having to use a cheat sheet.
But I think early on, I think having that code in front of the professionals is a very helpful cheat tool.
It is.
And that code is in the book itself.
But we also make it available on a website associated with the book.
And it looks really pretty and fancy.
We had some really good artists kind of lay it out.
I can attest to that, by the way, after having visited it.
I'm glad you liked that, Ben.
That means a lot to us.
And we had some really good people on Paul's team that put that together in that format.
And then kind of the reverse question, talking about lack of immediacy, we have to turn to legislators and regulators.
So oftentimes they're the ones who are going to be drafting actual policies and obligations and compliance metrics.
How do you think they should take into account your ethical principles, if at all?
Do you think we should keep those domains separate?
Or is this something where you'd be willing to advise state legislators on these ethical principles
and how that can inform laws or regulations?
Paul, that is firmly in your lane.
Yeah, part of what I do is I am part of a group that speaks on intelligence and security issues at a global level.
And I speak on this book.
I was in Madrid and El Salvador last year.
I'll be in Warsaw later this year.
And the audience for those forums is almost entirely parliamentarians,
members of parliament from 40 or 50 countries at each venue.
And my encouragement to them is not to bake this into law in their countries,
but to take responsibility for the security of their countries,
meaning the education and training of the workforce in their nations to protect their nations,
and that they ought not to forget the centrality of the human factor in that education.
And that's what this book addresses, the human factor in critical decision-making,
well done in the interest of their nation or their businesses within their nation.
And so I don't see this as a part of a legislative package; I see this as part of a legislator's overall responsibility to have their nation
train their people holistically.
I think that's very well said.
Also, we did try to write the book so that it is generally applicable around the world.
You know, it's not written specifically with a mindset towards, say, the United States or Europe.
It is written so that it has timeless principles in cyber issues that come up independent of culture or language or even legal framework within a country.
We really tried to hold ourselves to that being a very wide open and widely applicable book.
And that was part of that wrestling I talked about over the two-year span of the creation of the book.
What is specifically cultural or merely cultural and what is universal?
You talk about taking two years to write a book, and one thing that strikes me is a lot can change in two years.
These days, every story is an AI story.
And so, you know, two years ago, generative AI LLMs were not widely adopted.
We were still kind of experimenting with them, and now I feel like I couldn't do without them.
So I was just wondering how you apply this to our AI future, like what are some AI-specific ethical
issues that you're focusing on as this technology continues to grow so rapidly?
Oh, that's such a great question, Ben. I really appreciate it. You know, as we were working on this
book and with the penetration of AI into the cybersecurity space as well as all technology space,
so many principles that come up in the book lend themselves very much to the use of AI effectively.
And I think about my own use of AI and my discussion about AI usage with other people.
You know, if you look at our first main principle, it is that technology exists to support humans and not the other way around.
And what I've been translating this to in my discussions about AI generally is to use AI to uplift human dignity and not the opposite, because it can be used very much for the opposite.
So now I read our book that we wrote and I look at the different principles and how they do apply directly in the AI space.
And that first one is, I think, one of the most critical.
So I've done presentations over the last six months to a year in various places, in banks, in film production companies, in other organizations, emphasizing the principles we put in the Code of Honor book for cybersecurity and how they apply to AI.
and that's been very well received there.
Just, you know, thinking about use of AI and different things, I'm sure, Ben, you can imagine this.
You know, is this planned use for AI uplifting human dignity or not?
And you can think about how that might happen in banking or how it might happen in film production or what have you.
And I think that's a good thought exercise to have.
I would just add that while certainly AI has taken all the oxygen out of the room in
so many technological discussions,
it doesn't mean that cyber's any less
of the economic and security threat of our time.
And so we're constantly asking ourselves the question,
does that description still hold for cybersecurity,
and we still think it does?
AI certainly will help with some of the efficiencies in cybersecurity,
but also it has already and will continue to complicate the problems of cybersecurity.
And so all the cyber experts I've spoken with about this question,
does this mean that need for the human factor in cyber is diminished?
Does AI diminish that?
And the answer is a resolute no.
We more than ever need people over technology to guide the use of technology.
I mean, you both were almost ahead of your time talking about doing things for the betterment of humans, of humanity. And now there's this
breakdown that might be on the horizon between the humans and the machines. And so I think
you came at this at the right time. In closing here, I kind of wanted to get into your
personal reflections about the process of writing this. Is there something that you learned
about yourself that you apply in your own life that you're willing to share?
Or how have you integrated it into talking to other educators, talking to students?
Like what are the kind of core messages that just having spent so much time working on this you try to get across?
Sure.
If I could go first and then maybe Paul, you can round it up.
So mine's going to be very personal.
You know, having spent the time on this book to think about a framework for decision making,
having been in the cybersecurity industry for 30 years.
What I found is as we were working on the book,
and certainly since we've completed the writing,
as I go through my job and issues come up, ethical decisions,
I have worked on that muscle for many, many years,
and I'll have an impression of like this is the way I should do it.
What the book has me doing, though, is going back,
it's like, okay, why?
Why do I have that gut reaction?
And is that really the right reaction?
So it's actually forced me to be more systematic as I make decisions.
Or maybe I've made the decision and then I'm thinking about it after the fact.
It's like, well, why did I do that?
How does this adhere to the principles Paul and I have put in the book?
So it's made me more self-reflective on things.
I think that's a good thing, right?
You know, we talk in the book a little bit about how when you get to the end of your day,
you think about what it is that you did that day, revisit that.
And if, hey, maybe you did something not right that day, what can you do the next morning to
address that and steer the ship more in the right direction?
So from a personal perspective, the process of getting through this book has made me more
self-reflective.
And I hope in reading the book, it would help our readers also do that.
I think for me, it's less of a personal lesson and more of an observation of how the
marketplace is responding to this narrative.
We started a narrative about a decade ago at Montreat College that goes like this,
that the problem of cybersecurity is not principally a technical problem.
It is principally a human problem.
And therefore, the solution to cybersecurity is not principally a technical solution.
It is principally a human solution.
If you don't have people of the right ethics and character as your cyber leaders and frontline operators,
your technology doesn't matter very much.
We actually value-tested that in the marketplace
by doing roundtables all over the country
to test that value proposition,
and this is 2016, 17, 18,
and I was frankly quite surprised
at the receptivity even among
deeply technical people
who really had maybe no religious or faith
or kind of moral
overtly bent to them that they were articulating.
And so people agree with the human factor,
and yet we knew from the very beginning
that ethics books really never make the top
the New York Times best-selling list
because ethics is hard.
And so I think what Ed and I have discovered along the way
I've certainly seen is that you have to keep talking about this
because not a lot of people naturally will talk about this part of the cyber equation.
And we are for obvious reasons.
And while it's being received very, very well,
I think my observation is we have to continue talking about this out loud in order for this to sink in.
Well, the book is The Code of Honor: Embracing Ethics in Cybersecurity.
Paul, Ed, this was a real pleasure.
Thank you for your contribution, and thanks for joining us today.
That was my Caveat podcast co-host, Ben Yelin, speaking with Paul Maurer and Ed Skoudis about their new book, The Code of Honor: Embracing Ethics in Cybersecurity.
Thanks again for joining us for this special edition of the Caveat podcast.
If you're not familiar with Caveat, we hope you will check it out.
You can find it wherever you get your favorite shows.
