The Rhetoric of Commoditized Vulnerabilities: Ethical Discourses in Cybersecurity

Abstract

The field of cybersecurity is relatively uncharted by rhetoricians and sociologists but nevertheless laden with terminological assumptions, violent metaphors, and ethical conflicts. This study explores the discourse surrounding the morally contentious practice of hackers selling software vulnerabilities to third parties instead of disclosing them to the affected technology companies. Drawing on grounded theory, I utilize a combination of quantitative word-level analysis and qualitative coding to assess how notions of right and wrong on this topic are framed by three groups: 1) the hackers themselves, 2) technology companies, and 3) reporters. The results show that the most commonly constructed argument was based on a "greater good" ethic, in which rhetors argue for reducing risk to "us all" or to innocent computer users. Additionally, the technology companies and hackers assiduously build their ethos to increase their trustworthiness in the public mind. Ultimately, studying this unexplored area of "gray hat hacking" has important implications for policymakers creating new cybersecurity legislation, reporters attempting to accurately frame the debate, and information technology professionals whose livelihoods are affected by evolving social norms.