Chapter 7. Legal Issues


Incident response, of all the computer security disciplines, is probably the most affected by legal considerations. Many, if not most, incidents involve some sort of crime. Those that do not almost certainly involve some sort of policy violation. An organization might want to prosecute an offender, in which case it must consider the legal implications of the incident and must assist law enforcement in preparing the case (or at least ensure that the incident response team's actions do not impede the investigation and prosecution). An organization might choose not to prosecute but to instead take some kind of administrative action against an employee (such as suspension or termination). In this case, employment statutes might limit the company's actions. In either situation, the company, its officers, and the incident response team could be liable for violations of laws or regulations during the conduct of the investigation.

This chapter will discuss U.S. and international laws that might affect or impact the incident response process. It will also discuss the importance of developing policies that support incident response efforts and investigations.

The law has been criticized for its slowness to adapt to the Internet and the legal problems associated with it. International and interjurisdictional cooperation is difficult at best. What constitutes a crime in one area might not, in fact, be illegal in another. This is not normally a problem with more conventional crimes, because the jurisdiction in which the crime was committed is straightforward. For example, if a person from Russia robs a New York resident at gunpoint in Manhattan, that person has committed a felony in the city and county of New York (regardless of his origin). If, however, a person from Russia accesses computers located in New York (and to make it more difficult, suppose the company's headquarters are in London), there is some question as to whether the crime was committed in New York, London, or Russia. Even if the police can make a case in New York against the suspect, it might not be illegal in Russia to break into the system.

In such cases, there are usually three options:

  1. Ignore the problem, fix the vulnerability, and move on. Although not particularly attractive, it might be easier than attempting to conduct an international investigation and prosecution.

  2. Prosecute the offender in his or her own country. This assumes that the crime is, in fact, illegal and that local law enforcement agencies perceive that they have a case and can successfully prosecute it.

  3. Apply for extradition and prosecute the offender in the country where the computers are located (or perhaps where the company headquarters are located). Unfortunately, this option requires the assistance of agencies in both the home country and the foreign jurisdiction.

In some situations, it is possible to conduct a variation of the third option. For example, Vladimir Levin, the convicted intruder in the 1994 Citibank incident, was persuaded by law enforcement agencies to come to the United Kingdom. There he was arrested by British police and extradited to the United States. This alternative actually works (and has worked several times) against high-profile criminals, although we should probably assume that there are many more who are smart enough not to put themselves in this kind of situation.

Experienced attackers might choose to route their attacks through multiple locations and often choose countries that might be unwilling (or unable) to cooperate in the investigation. When multiple jurisdictions are involved and some of them might not be friendly or sympathetic to the victim, the law can be extremely complex.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
