Save it for the MBAs instead, or even as an onboarding requirement along with other training for new management hires. It's not generally the engineers making these decisions.
Sometimes it's an active issue and at the end of the day someone must implement something terrible (knowingly or not -- direct a junior engineer to do some complex task with the expectation they'll leave behind security vulnerabilities, just as good as getting someone to intentionally leave an issue). Ethical engineers can and probably should quit -- who knows how much a required, dull ethics course would influence that though?
Other times at the end of the day it's just lack of engineers doing something -- typically due to management not signing off/budgeting. Ethical management won't even necessarily help here, the incentives don't change. Some sort of stronger corporate liability for negligence is needed, probably, but the problem is not generally the engineers -- engineers, with an ethics course or not, are typically the only people who care about these sorts of things in the first place! What's the largest dip in stock price due to a password leak? How about shady government collusion? Have any groups of shareholders demanded more care to avoid such issues at any company?
I'll wrap up with a joke: "It should be noted that no ethically-trained software engineer would ever consent to write a "DestroyBaghdad" procedure. Basic professional ethics would instead require him to write a "DestroyCity" procedure, to which "Baghdad" could be given as a parameter." --Nathaniel Borenstein
Fun fact: I got an MBA and was one of the first cohorts of a new curriculum, which required an ethics course. Hilariously and sadly, some 20 students were put on probation for CHEATING in ETHICS class.
I think that was the moment I realized I made a $100,000 mistake.
I disagree strongly. If you from an engineering perspective are the only one who truly recognizes the implications of a management decision, you need to speak up about it.
There are still lots of people willing to join the TAO and the like, but the NSA has been pretty open about struggling to recruit top talent. Not all of that is ethical stuff, they lose people for reasons from salary to drug and felony screens, but some of it is.
Bear in mind that the NSA only needs good talent to compromise systems, not elite talent. They have some elite talent (Stuxnet anyone?), but their domestic work is largely hacking theater. After all, you don't have to covery your tracks like a private hacker if you can just ship out an NSL to bury the matter. Hell, some of their projects involved a lawyer, a bunch of analysts, and no internal talent - they can just ask for what they want.
Tailored Access Operations. It's the "offense" branch of the NSA, responsible for gaining access to external computer systems: often technologically, sometimes legislatively when they're domestic. They did QUANTUM and FOXACID among other access tools.
It's a major part of the NSA, and generally considered to be where the bulk of the "serious hackers" work. The Equation Group is (probably) tied to TAO - they're the access group that was recently affected by the Shadow Brokers leak.
To be fair, engineers aren't usually the ones who will have their careers judged by a delayed project that cost the organization large sums of money. There is a much stronger motivation for upper management to pretend everything is still fine and dandy.
Sometimes it's an active issue and at the end of the day someone must implement something terrible (knowingly or not -- direct a junior engineer to do some complex task with the expectation they'll leave behind security vulnerabilities, just as good as getting someone to intentionally leave an issue). Ethical engineers can and probably should quit -- who knows how much a required, dull ethics course would influence that though?
Other times at the end of the day it's just lack of engineers doing something -- typically due to management not signing off/budgeting. Ethical management won't even necessarily help here, the incentives don't change. Some sort of stronger corporate liability for negligence is needed, probably, but the problem is not generally the engineers -- engineers, with an ethics course or not, are typically the only people who care about these sorts of things in the first place! What's the largest dip in stock price due to a password leak? How about shady government collusion? Have any groups of shareholders demanded more care to avoid such issues at any company?
I'll wrap up with a joke: "It should be noted that no ethically-trained software engineer would ever consent to write a "DestroyBaghdad" procedure. Basic professional ethics would instead require him to write a "DestroyCity" procedure, to which "Baghdad" could be given as a parameter." --Nathaniel Borenstein