Emmanuel Marboeuf

@emmanuelboumeraf

What you should know before working in Cybersecurity in the Military.

Photo by rawpixel on Unsplash
Heard you are working in the weapon industry now ? How is sleeping at night going for you?

This sentence was addressed to me a few years ago by a friend’s dad while his daughter was experimenting every possible drugs in her room 20 meters away from him, slowly trying to kill herself. As astonished as I was that this dad was more concerned about my ethics than his daughter life, this is actually the first time I seriously considered ethics in development as a part of my duty as a developer.

Just after graduating in 2012, I had started working for the service branch of a French multinational that happens to develop weapons (Cyber, Electronic and conventional weapons). Working in the Network and Systems security branch I started as a Software Engineer, designing and building applications mainly for Banks and Insurances and never had faced any ethical dilemma other than the good old: “Should I tell the manager that this user has been watching adult content with the company’s device”. Good. I can handle that. I intended to keep it that way. After all, the only reason why I had chosen this company as a first job was because the pay was really good and that everybody wanted to work there. Anyway I had other plans for the future and just wanted to learn as much as possible and be financially comfortable to start something on my own later.

This company’s main client was the state military (or defense, depending how you see it) and although my job was like any other Software engineer at the beginning I must say I took advantage of it a number of times during random social encounters

I work for the military as an engineer, most of my projects are classified so if I tell you about it I will have to kill you after.

That worked great as a conversation starter! Much better than the “I am a Software Engineer” which at that time in my city was usually welcomed with at best a polite “sigh” at worst an eye roll and a “Eww, so you are a nerd”.

But internally to cope with the little guilt I was feeling I would tell myself.

It’s ok you just develop Web Applications, it’s never gonna kill anybody

And it was true, as good as they were my forms and buttons could not be possibly used in any lethal way .

Working for the defense

Eager to learn, and working day and night I was well considered by my pairs and I climbed the company’s ladder. Gradually I was offered much more interesting missions that were closer to one of their core business : Cybersecurity.

Maryland Guard cyber warfare operators from the 175th Wing’s Cyber Operations Group

Working for Cybersecurity was way cooler than everything I had done before. I was working in a research lab, we were free to innovate, to spend as much time as we needed trying out the latest technologies and building prototypes. Eventually we developed an internal framework combining cutting edge web technologies that was used to showcase the latest Cyber-defense innovations during European defense shows.

These prototypes would range from a simple tool to visualize in real time the vulnerabilities in a complex network to a complete air defense control app where you could see in real times the radars coverage and visualize the trust you have in these data from a Cyber point of view.

Again I was asked if I was developing weapons

Nah, I only develop the visualization tools for threat detection and these are only prototypes anyway.

I was promoted as an expert in web software technologies and I never went further since I left the company shortly after to start my own business . But I am sure that as I would have progressed in the company I would have ended up on more sensitive projects or actually implementing the real systems that I had been prototyping. And here is my question: where does your responsibility as a developer starts ?

Military despite yourself

Photo by Hello I’m Nik on Unsplash

Few people know but latest missiles can be compared to supercars. They cost millions each (thank god), are auto-guided, on-board a computer, the latest high definition cameras, dozens of sensors and use cutting-edge technologies. Most of the time these sensors and technologies were not primarily designed for military use and the people that have conceived them are not even aware of how it is being used. Designing and assembling these missiles probably only requires few people, but in reality I would not be surprised if more than 1000 people have worked on the embedded technologies that will allow target detection, missile launch, guidance and impact optimization . Actually if you are contributing to a widely used open source software or library your lines of code are probably already on there. In my example, maybe one library that I’ve prototyped will be re-used in an air monitoring system that will allow threat detection and will automatically trigger a counter-attack. Of course I was working in the military so even if I never thought about it this way before, I agreed to my code being re-used for any purpose when I signed the contract but that is not the case for most of us in the open source community.

Most popular open sources licenses and NMPL license concept : Non Military Public License

My way to cope with that after leaving the company was to ask myself “Could what I’ve built be used for doing any harm?” but I quickly realized that pretty much everything you do can be used in a bad way (You can kill someone with a Pretzel after all), and the bigger impact your contribution has the more dangerous it is. So I just limit myself to the direct impacts that my work could have for lack of a better solution.

So I was thinking, instead, could we start a new license that will allow opening sources and forbid re-use for the military? “Non Military Public License” or something like that. And can it realistically be controlled ?

Topics of interest

More Related Stories