In the cybersecurity space, there’s an interesting debate surrounding whistleblowers – are they troublemakers or heroes? In an ideal situation, the role of a whistleblower in cybersecurity, also known as cyber-whistleblowing, is simple: to serve as a watchdog who identifies and reports potential security breaches, vulnerabilities, or unethical cybersecurity practices within organizations for swift rectification.
While the role sounds straightforward, it’s often riddled with complexities and perceived differently by different organizations.
In cybersecurity circles, Chief Information Security Officers (CISOs) understand that the role of a whistleblower, although judged to be in the best interest of the public, can dent the organization’s image.
In the eyes of many CISOs, CEOs, or boards of executives, the whistleblower is perceived through different optics. Some see the whistleblower in cybersecurity as an ethical, compliance-minded employee whose concern is to correct an organization’s wrong practices in relation to data privacy and compliance, and to encourage a system of checks and balances that averts the arbitrary use of technology and of access to sensitive and non-sensitive data.
Others might perceive the whistleblower as an alarmist, an informant, and a selfish individual whose actions are fuelled either by self-gratification, that is, a means of gaining the organization’s attention over unresolved grievances against a superior or the organization as a whole, or by something as simple as the monetary rewards attached to successful whistleblowing.
Regardless of which side of the divide you find yourself on, this article is not intended to pick a side but to analyze the culture of whistleblowing in cybersecurity and suggest ways it can be improved.
Evolution of Whistleblowing
Before whistleblowing gained prominence in recent years, it had already existed in the 16th century, with its legal history traced back to the Whistleblower Protection Act of 1778.
The law was a consequence of the case of two American naval officers, Richard Marven and Samuel Shaw, who reported the torture of British prisoners of war by their commanding officer, Esek Hopkins. At that time, whistleblowers faced grave consequences such as victimization and termination of their employment.
Around 1930, the contemporary meaning we understand today began to emerge. The term took on a metaphorical sense, referring to an individual reporting wrongdoing or aiming to direct the public’s attention to a case.
Whistleblowers: Threat or Ally?
Whether whistleblowing in cybersecurity is perceived as an ally or a threat depends on perspective and on its impact. Generally, whistleblowers serve as advocates for transparency, ensuring that organizations are walking the right paths of regulatory compliance.
But events show that whistleblowing, if not handled properly, could leave the whistleblower not only at the mercy of their employers but also at the court of public opinion.
One significant example is Edward Snowden, the former contractor for the National Security Agency (NSA). In 2013, Snowden leaked classified information to The Guardian, revealing extensive global surveillance programs conducted by the NSA. His actions sparked a global conversation and debate on government surveillance and individual privacy.
Snowden’s disclosures led to increased public awareness of data privacy and the potential misuse of surveillance tools. While some saw him as a hero, others saw him as an enemy of the state who exposed sensitive information that could jeopardize national security. Snowden exiled himself to Russia before he was charged with violating the Espionage Act.
In another case, on the 30th of April, 2020, in the Qui Tam False Claims Act case initiated by Alexander Chepurko, U.S. District Court Judge Tanya Walton Pratt issued a significant judgment of $69.6 million against E-biofuels, LLP, et al.
Chepurko’s disclosures exposed fraudulent activities within the renewable energy biofuels sector, leading to one of Indiana’s most substantial environmental and securities fraud cases. Featured on the CBS TV show “Whistleblower,” the case resulted in successful prosecutions by the government, culminating in the imprisonment of six individuals involved in the fraud scheme. The mastermind received a 20-year prison sentence, while the former CEO of a publicly traded company received a 10-year sentence.
A more recent and popular whistleblowing case is the Peiter Zatko vs. Twitter case. Zatko, within Twitter’s executive team, was primarily responsible for security oversight. Hired to enhance security measures after a high-profile breach affected the accounts of influential figures, he identified critical issues, particularly concerning inadequate security oversight and employee access to private accounts, which led to the earlier breach.
Ultimately, he went public as a whistleblower, which led to his dismissal. During a Senate hearing, he highlighted that prioritizing improved visibility into the platform’s security had been overshadowed by other goals, such as revenue generation and user growth.
Notice how these three whistleblowing cases had different resulting impacts?
The first case highlights the risks whistleblowers face and the personal impact on the whistleblower.
The second case illustrates the potential reward for the whistleblower yet also reveals how whistleblowing might negatively affect an organization financially, albeit for a just cause.
While the last case is still ongoing and isn’t definitive yet, it underscores the ethical challenges associated with whistleblowing in cybersecurity and its potential impact on the whistleblower’s life.
What Cybersecurity Experts Think About Whistleblowing
Speaking to Techopedia, Ryan R. Johnson, Esq., Chief Privacy Officer, Savvas Learning, noted that:
“Whistleblowers in cybersecurity can be viewed as extra eyes that help ensure cybersecurity compliance. While, on its face, the practice can raise concerns, whistleblower actions often serve as a valuable mechanism for identifying vulnerabilities and non-compliance, ultimately strengthening corporate culture in terms of security.
“More simply put, think of cyber-whistleblowing as internal security research operating inside an organization. Security researchers and bug bounty programs are a vital component of any robust cybersecurity program and encouraging employees to report concerns, in my opinion, only strengthens an organization’s security posture.”
Anurag Gurtu, CPO at StrikeReady, said: “Whistleblowers in cybersecurity can be seen as both a threat and an ally, depending on the corporate culture.
“If a company values transparency and ethical conduct, whistleblowers are allies who help enforce compliance and integrity. However, in environments where security practices are lax or unethical behavior is swept under the rug, whistleblowers might be viewed as a threat to the status quo.”
According to Richard Bird, Chief Security Officer at Traceable, “Organizations with a healthy security ecosystem do not see whistleblowers as a threat. The majority, if not the totality, of whistleblowers historically have been a voice crying out from inside a dysfunctional security or corporate risk organization.
“Either business leaders were actively ignoring or discounting risk, CISOs were being told to sit down and shut up and ignore risk or both functions were ignoring or discounting risk. Whistleblowers generally don’t manifest in companies with healthy, listening cultures.”
Josh Amishav, Founder and CEO at Breachsense, believes that “Another way to look at whistleblowing is that it’s a sign of a strong internal security culture. It shows that employees are vigilant and feel a responsibility towards the security of the company.”
Improving the Culture of Whistleblowing in Cybersecurity
Improving the culture of whistleblowing in cybersecurity is crucial for safeguarding against threats, but it requires acknowledging the risks whistleblowers face.
“One of the best ways to improve the whistleblowing culture in cybersecurity is to make it unnecessary to begin with,” said Bird.
“CISOs and business leaders should take their internal staff recommendations and observations seriously when a catastrophic risk is raised and identified and approach the conversation with a commitment to push aside petty internal political squabbles, budget constraints, and uninformed opinions.”
Discussing the best actions for fostering a healthier whistleblowing culture, Bird called on CISOs to view whistleblowing in cybersecurity through an objective lens, as this helps them understand that the whistleblower’s intention is not personal.
“Sure, a whistleblower might have a bone to pick or an axe to grind, but the data and evidence related to their disclosures will lead to a confirmation or refutation of that kind of problem.
“CISOs should evaluate the whistleblower’s observations with respect and the expectation that the whistleblower and the CISO want the same thing: a safer and more secure company.
“Treating a whistleblower like an adversary is a surefire way to auger yourself into a whole other set of problems beyond what the whistle is being blown on.”
Gurtu added: “CISOs should ensure that there are clear policies in place that encourage employees to report any cybersecurity concerns or unethical behavior without fear of retribution. They should also establish protocols for how such reports are handled, ensure investigations are thorough and fair, and communicate the value of these actions in protecting the company’s assets and reputation.”
Gary S. Chan, CISO at Alfizo LLC, said:
“Ensure that there is good education on what constitutes good whistleblowing. Encourage dialogue and use an external ethics firm. The ethics firm should be a party that both the whistleblower and CISO can trust.”
While the above recommendations will go a long way toward improving the culture of cyber-whistleblowing, there is also a need to protect the whistleblower.
To protect the whistleblower, organizations should establish anonymous reporting channels that protect the whistleblower’s identity; ensure legal protection for whistleblowers; provide whistleblower and cybersecurity education and support; encourage a culture of transparency and trust; and recognize and reward ethical disclosures promptly. Together, these measures protect whistleblowers, encourage reporting, and strengthen the cybersecurity framework.
There’s no security program without a loophole. Jisha Dymond, OneTrust’s Chief Ethics and Compliance Officer, puts it best when speaking on whistleblowing:
“Internal security programs are never perfect, and misconduct is impossible for organizations to completely avoid. Whistleblowing channels should complement internal security measures by revealing oversights and potential gaps in processes or potential cyber incidents that would have otherwise gone undetected; thereby enhancing organizational resilience against cybersecurity risks.”
So, instead of retaliating against whistleblowers, governments and organizations should do more to protect them and create whistleblowing programs that address not only technical issues but also ethical and compliance-related concerns.