AMITIAE - Sunday 6 January 2013


Enigma, Stuxnet and Piracy: Questions on Ethics and Morals for Computer Engineers




By Graham K. Rogers




Most years I am asked to teach a course on Ethics and Morals for Computer Engineers. I am not sure, but the philosophy behind asking me may be based on the idea that it takes a thief to catch a thief. Not that I have ever done anything wrong, of course, and I was a policeman in the UK for a number of years before going all academic.


Computing history is based on questionable acts, some of which have been done for the good of the world in general terms. After trying to define the terms (ethics, morals) I usually display a picture of Colossus, one of the first analytical computers. I visited Bletchley Park in the 1990s when the late Tony Sale was part-way through his reconstruction and he explained a couple of points to me then.




Rather than specially designed parts for Colossus, which is the norm for some computers nowadays, all the parts were standard telephone equipment. It had vacuum tubes: transistors were not invented until much later. The paper roll feed was used in the absence of memory.

The purpose of Colossus, and the earlier Bombes developed by Alan Turing, was to break code. Tactical communications between units of the German forces and the High Command were coded by a rather clever device called Enigma and the coded messages were impossible to crack by conventional means.

No one has ever suggested that Colossus or the Bombes were not ethical or moral developments (and I am certainly not going to do that now). I have no doubt that the Enigma encryption system was also completely ethical. A nation at war has a duty to counter the enemy by the means at its disposal. Chemical or biological warfare may be at hand for many governments, but its use is generally considered immoral. For now.


Fast forward some 40 years or more from World War 2 and the first malware appeared on Unix systems in the United States: the Morris Worm. The actions in creating the worm and inserting it into systems have been judged to have been questionable, although I doubt whether it was immoral.

It was certainly unethical as the intent was to cause certain effects to a system, but there is a borderline call on the morality of the action: irresponsible for sure. There is evidence to suggest that Morris never intended the Worm to spread in the way it did, and had no idea of the way so many systems would be overloaded and shut down: a lesson still not properly learned.


Another 30 years on we have several conflicts bubbling under the surface: potential wars, or wars that are undeclared. From one of these, apparently, Stuxnet has caused much damage at certain installations in Iran connected with their alleged nuclear weapons program, with the main attacks aimed at computers supplied by Siemens (who coincidentally also made some of the Enigma machines, like the later Lorenz).

In the Executive Summary of their Security Response on W32.Stuxnet, Symantec make it clear that this is no ordinary piece of malware and its intent is "to reprogram industrial control systems" such as those "used in gas pipelines and power plants".

Iran was targeted, it is believed, because of its nuclear program, but the worm has now spread to several other countries, notably Indonesia and India. With Malaysia also shown in the statistics, there may be some risk to Thailand: the Electricity Generating network main control system does not appear to use Windows; but Bangkok's BTS (SkyTrain) uses much equipment from Krupp and Siemens. The malware is introduced (perhaps unwittingly) via a flash drive or other removable device and then spreads via LAN.

The report does not name any country or organisation responsible for Stuxnet, but notes in the Summary that "Stuxnet is of such great complexity - requiring significant resources to develop - that few attackers will be capable of producing a similar threat. . . ."


Many examined that point and concluded, rightly or wrongly, that the United States and Israel (which is strongly believed to hold its own nuclear arsenal) had a hand in the creation of this worm. The reasons suggested were because of Iran's nuclear program and the fear it would develop weapons from the work being done. If the United States were responsible, this would be hypocritical as the Americans condemn others who act in this way: with their reliance on computing and networked systems, they have the most to lose.

However, in an article confirming this by Nate Anderson on Ars Technica, the sub-heading has an unlearned lesson: "Stuxnet was never meant to propagate in the wild," a lesson that was there for all to see from the Morris Worm. Things do not always go according to plan.


A report on Iran from the World Nuclear Organisation begins with three statements:

  • A large nuclear power plant has started up in Iran, after many years construction, and been grid-connected.
  • The country also has a major program developing uranium enrichment, and this was concealed for many years.
  • Iran has not suspended its enrichment-related activities, or its work on heavy water-related projects, as required by the UN Security Council.


Here I will turn this back to the students with a number of questions:

  • Is Iran's development of nuclear power moral/ethical?
  • Is government-sponsored malware moral/ethical in these circumstances?
  • If such software attacks on the infrastructure affect the civilian population (e.g. severe power outages), is that moral/ethical?



Some of the questions I want the students to examine in the course have no clear answers, or may change with the circumstances. Examples include breaking into computers, normally considered taboo, but in some cases, this may be justifiable, especially with regard to computer forensic examinations.

Other questions to be raised in the short course concern Steganography (hiding data inside image files), Data Mining, Hacking, Privacy & Civil Liberties and Economic Issues (patents, trademarks, piracy).


And on that last point, I have a completely legal computer: all software bought and paid for, but I am not sure about others with whom I come into contact daily; but then there may be a reason for the massive piracy industry in Thailand (and other countries).

When I first arrived here in the late 1980s, it was easy to buy a PC. Buying legal software was another matter as the developers - especially the largest companies - would not sell their products here. Trying to buy from another country (pre-Internet) was not easy, and the moment the address was given, the deal was off: cannot ship to Thailand.

With computers, but no software, what do people do? . . .


Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.

