Law, as it applies to information systems security, has multiple facets. A security professional is expected to know and understand what laws apply to computer crimes, how to determine whether a crime has occurred, how to preserve evidence, the basics of conducting an investigation, and the liabilities under the law.
In addition to legal obligations, a security practitioner has ethical responsibilities to the employer, the constituency that is being served, and to the profession as a whole. These ethical factors are delineated by a number of professional organizations, including the International Information Systems Security Certification Consortium (ISC)2, the Internet Activities Board (IAB), and the Computer Ethics Institute.
Types of Computer Crime
Computer-related crimes have increased because of the connectivity provided by the Internet and the ever-decreasing costs of computational resources. Because Internet-based crimes can be initiated from jurisdictions all over the world, many are difficult to investigate and prosecute.
Numerous government and private sector surveys show that computer crimes are increasing. It is difficult to estimate the economic impact of these crimes, however, because many are never detected or reported. It is not unreasonable to assume, however, that computer crimes result in billions of dollars in losses to companies in the worldwide economy. In general, computer crimes fall into three categories - crimes committed against the computer, crimes using the computer, and crimes in which the computer is incidental. The following is a general listing of the most prominent types of computer crimes:
- Denial of Service (DoS) and Distributed Denial of Service - Overloading or “hogging” a system’s resources so that it is unable to provide the required services. In the distributed mode, requests for service from a particular resource can be launched from large numbers of hosts where software has been planted to become active at a particular time or upon receiving a particular command.
- Theft of passwords - Illegally acquiring a password to gain unauthorized access to an information system.
- Network Intrusions - Unauthorized penetrations into networked computer resources.
- Emanation eavesdropping - Receipt and display of information that is resident on computers or terminals, through the interception of radio-frequency (RF) signals generated by those computers or terminals. The U.S. government has established a program called Tempest that addresses this problem by requiring shielding and other emanation-reducing mechanisms to be employed on computers processing sensitive and classified government information.
- Social engineering - Using social skills to obtain information, such as passwords or personal identification numbers (PINs), to be used in an attack against computer-based systems.
- Illegal content of material - Pornography is an example of this type of crime.
- Fraud - Using computers or the Internet to perpetrate crimes such as auctioning material that will not be delivered after receipt of payment.
- Software piracy - Illegal copying and use of software.
- Dumpster diving - Theft of sensitive data, such as manuals and trade secrets, by gathering papers or media that have been discarded as garbage in dumpsters or at recycling locations.
- Malicious code - Programs (such as viruses, Trojan horses, and worms) that, when activated, cause DoS or destruction/modification of the information on computers.
- Spoofing of IP addresses - Inserting a false IP address into a message to disguise the original location of the message or to impersonate an authorized source.
- Information warfare - Attacking the information infrastructure of a nation - including military/government networks, communication systems, power grids, and the financial community - to gain military and/or economic advantages.
- Espionage
- Destruction or the alteration of information
- Use of readily available attack scripts on the Internet - Scripts that have been developed by others and are readily available through the Internet, which can be employed by unskilled individuals to launch attacks on networks and computing resources.
- Masquerading - Impersonating someone else, usually to gain higher access privileges to information that is resident on networked systems.
- Embezzlement - Illegally acquiring funds, usually through the manipulation and falsification of financial statements.
- Data-diddling - The modification of data.
- Terrorism
Examples of Computer Crime
The following are some specific instances of computer crimes:
- The Sapphire or Slammer worm of January 2003 exploited buffer overflow vulnerabilities on computers running Microsoft SQL Server Desk Engine (MSDE 2000) or Microsoft SQL Server. This worm employed random scanning to randomly search for IP addresses to infect. With this approach, it spread at a phenomenal rate, doubling every 8.5 seconds.
- The Code Red worm attack in July 2001 was also a random scanning worm that spread through numerous threads to try random IP addresses. It doubled approximately every 37 minutes.
- The Klez worm, alias ElKern, Klaz, or Kletz, is a mass-mailer worm that appeared around January 2002 and contains a polymporphic .exe virus called ElKern. In Klez, there is no message text in the body of the e-mail, but the worm portion contains a hidden message aimed at antivirus researchers. KlezH is a later version of the Klez worm that appeared in April 2002 from Asia. Similar to its predecessor, KlezH sends e-mail messages with randomly named attachments and subject fields.
- Distributed DoS attacks were launched against Yahoo!, Amazon.com, and ZDNet in February 2000.
- The Love Letter (Love Bug) worm, released by Onel de Guzman in the Philippines, spread worldwide in May 2000.
- E-mails containing personal client information were transmitted inadvertently to 19 unintended recipients by Kaiser Permanente HMO in August 2000.
- A cracker penetrated Microsoft Corporation’s network in October 2000 and gained access to software under development.
- Kevin Mitnick was convicted in 1989 for computer and access device fraud but eluded police and the FBI for more than two years while he was on probation. On Christmas 1995, he broke into the computers of Tsutomu Shimomura in San Diego, California. Tsutomu tracked down Mitnick after a cross-country electronic pursuit, and he was arrested by the FBI in Raleigh, North Carolina, on February 15, 1995.
- A gang of teenagers in the Milwaukee area, known as the 414 Gang after Milwaukee’s area code, launched attacks into Sloan-Kettering Cancer Hospital’s medical records systems in 1982.
- In November 1988 Robert Tappan Morris, a 23-year-old doctoral student at Cornell University, wrote a small, self-propagating worm that spread through the Internet far more virulently than Morris had intended and resulted in an Internetwide DoS.
- In 1986, Germans working for the KGB carried out attacks against U.S classified computer systems. This operation is described in the book The Cuckoo’s Egg written by Clifford Stoll, who uncovered this activity after he noticed a 75-cent error in a computer account at Lawrence Livermore National Laboratory.
Laws have been passed in many countries to address these crimes. Obviously, there are jurisdictional problems associated with the international character of the Internet that make prosecution difficult and sometimes impossible. Some of the international organizations that are addressing computer crime are the United Nations, Interpol, the European Union, and the G8 leading industrial nations.
The rapid development of new technology usually outpaces the law. Thus, law enforcement uses traditional laws against embezzlement, fraud, DoS, and wiretapping to prosecute computer criminals. The issues of digital signatures, e-commerce, and digital currency will certainly have to be addressed by the legal system as these technologies are deployed.
In addition to law enforcement agencies, a number of other organizations in the United States track computer crimes. These organizations include the Department of Energy Computer Incident Advisory Capability (CIAC), the Carnegie Mellon University Software Engineering Institute Computer Emergency Response Team Coordination Center (CERT/CC), and the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS).
Law
There are many types of legal systems in the world, and they differ in how they treat evidence, the rights of the accused, and the role of the judiciary. Examples of these different legal systems are common law, Islamic and other religious law, and civil law. The common law system is employed in the United States, United Kingdom, Australia, and Canada. Civil law systems are used in France, Germany, and Quebec, to name a few.
Example The United States
Under the United States Constitution, there are three “branches” of government, and all contribute to making the laws. These branches are the legislative branch, the executive branch, and the judicial branch. The legislative branch makes statutory laws, the administrative agencies of the executive branch create administrative laws, and the judicial branch makes the common laws found in court decisions.
Compilation of Statutory Law
Statutory laws are collected as session laws, which are arranged in order of enactment, or as statutory codes, which arrange the laws according to subject matter. In the United States at the federal level, the session laws are found in the Statutes at Large (Stat.), and the statutory codes are held in the United States Code (U.S.C.). The statutory laws for the states are also arranged in these two categories.
Federal statutes are usually cited to the United States Code, and this citation contains the following elements:
- The Code title number (each title is a grouping of statutes dealing with a particular subject matter)
- The abbreviation for the code (U.S.C.)
- The statutory section number within the title
- The date of the edition or supplement
For example, “18 U.S.C. § 1001 (1992)” refers to Section 1001 in Title 18 of the 1992 edition of the United States Code. Title 18 in the United States Code is Crimes and Criminal Procedures, and many computer crimes are prosecuted under this title. The U.S. Computer Fraud and Abuse Act, which addresses the use of federal-interest computers to commit fraud, can be found as “18 U.S.C. § 1030 (1986).” Other titles are as follows:
- Title 12. Banks and Banking
- Title 15. Commerce and Trade
- Title 26. Internal Revenue Code
- Title 49. Transportation
Compilation of Administrative Law
Administrative laws are also arranged either chronologically in administrative registers or by subject matter in administrative codes. At the federal level, these arrangements are respectively called the Federal Register (Fed. Reg.) and the Code of Federal Regulations (C.F.R.). A citation to the Code of Federal Regulations includes the following:
- The number of the C.F.R. title
- The abbreviation for the Code (C.F.R.)
- The section number
- The year of publication
Thus, the reference “12 C.F.R. § 100.4 (1992)” points to Section 100.4 in Title 12 of the 1992 edition of the Code of Federal Regulations.
Compilation of Common Law
Common law is compiled as Case Reporters in chronological fashion and in Case Digests arranged by subject matter.
Common Law System Categories
The main categories of laws under the common law system (not to be confused with common law resulting from court decisions) are criminal law, civil (tort) law, and administrative/regulatory law.
- Criminal law. Laws about individual conduct that violates government laws enacted for the protection of the public. Punishment can include financial penalties and imprisonment.
- Civil law. Laws about a wrong inflicted upon an individual or organization that results in damage or loss. Punishment cannot include imprisonment, but financial awards that include some combination of punitive, compensatory, and statutory damages can be mandated.
- Administrative/regulatory law. Standards of performance and conduct expected by government agencies from industries, organizations, officials, and officers. Violations of these laws can result in financial penalties and imprisonment.
Other categories of law under the common law system that relate to information systems are intellectual property and privacy laws.
Intellectual Property Law
The following categories fall under intellectual property law:
- Patent. A patent provides the owner of the patent with a legally enforceable right to exclude others from practicing the invention covered by the patent for a specified period of time. It is of interest to note that a patent does not necessarily grant the owner the right to make, use, or sell the invention. A patent obtained by an individual may build on other patents; in such a case, the individual must obtain permission from the owner(s) of the earlier patent(s) to exploit the new patent.
- There are four criteria that an invention must meet in order to be patentable. These criteria are:
- The invention must fall into one of the following five classes:
- Processes
- Machines
- Manufactures (objects made by humans or machines)
- Compositions of matter
- New uses of any of the above
- The invention must be useful. One aspect of this test for utility is that the invention cannot be only a theoretical phenomenon.
- The invention must be novel; it must be something that no one has developed before.
- The invention must not be obvious to “a person having ordinary skill in the art to which said subject matter pertains.”
- Patent law protects inventions and processes (“utility” patents), ornamental designs (“design” patents), and new varieties of plants (“plant” patents). In the United States, as of June 8, 1995, utility patents are granted for a period of 20 years from the date the application was filed. For patents in force prior to June 8, 1995, and patents granted on applications pending before that date, the patent term is the greater of 17 years from the date of issue (the term under prior law) or 20 years from the date of filing. Design patents are granted for a period of 14 years, and a plant patent has a term of 17 years. Once the patent on an invention or design has expired, anyone is free to make, use, or sell the invention or design.
- Copyright. A copyright protects “original works of authorship” and protects the right of the author to control the reproduction, adaptation, public distribution, and performance of these original works. Copyrights can also be applied to software and databases. The copyright law has two provisions that address uses of copyrighted material by educators, researchers, and librarians. These provisions:
- Codify the doctrine of fair use, under which limited copying of copyrighted works without the permission of the owner is allowed for certain teaching and research purposes
- Establish special limitations and exemptions for the reproduction of copyrighted works by libraries and archives
- The Sonny Bono Copyright Term Extension Act, signed into law on October 27, 1998, amends the provisions concerning duration of copyright protection. The Act states that the terms of copyright are generally extended for an additional 20 years. Two specific example provisions of the Sonny Bono Copyright Term Extension Act are as follows:
- Works originally created on or after January 1, 1978, are protected from the time of their creation and are usually given a term of the author’s life plus an additional 70 years after the author’s death.
- Works originally created before January 1, 1978, but not published or registered by that date, are covered by the statute, also with a duration of the author’s life plus an additional 70 years after the author’s death. In addition, the statute provides that in no case will the term of copyright for these types of works expire before December 31, 2002. For works published on or before December 31, 2002, the term of copyright will not expire before December 31, 2047.
- Materials may fall into other copyright categories depending on the age of the work, if the copyright was renewed, if it was developed as work for hire, and so on. Detailed information can be found in the following publications of the U.S. Copyright Office:
- Circular 15, Renewal of Copyright
- Circular 15a, Duration of Copyright
- Circular 15t, Extension of Copyright Terms
- Trade Secret. Trade secret law secures and maintains the confidentiality of proprietary technical or business-related information that is adequately protected from disclosure by the owner. Corollaries to this definition are that the owner has invested resources to develop this information, it is valuable to the business of the owner, it would be valuable to a competitor, and it is not obvious.
- Trademark. A trademark establishes a word, name, symbol, color, sound, product shape, device, or combination of these that will be used to identify goods and to distinguish them from those made or sold by others.
- Warranty. A warranty is a contract that commits an organization to stand behind its product. There are two types of warranties: implied and express. An implied warranty is an unspoken, unwritten promise created by state law that goes from a manufacturer or merchant to the customer. Under implied warranties, there are two categories - the implied warranty of fitness for a particular purpose and the implied warranty of merchantability. The implied warranty of fitness for a particular purpose is a commitment made by the seller when the consumer relies on the advice of the seller that the product is suited for a specific purpose. The implied warranty of merchantability is the seller’s or manufacturer’s promise that the product sold to the consumer is fit to be sold and will perform the functions that it is intended to perform. An express warranty is a warranty that is explicitly offered by the manufacturer or seller to the customer at the time of the sales transaction. This type of warranty contains voluntary commitments to remedy defects and malfunctions that some customers may encounter in using the product. An express warranty can be made orally or in writing. If it is in writing, it falls under the Magnuson-Moss Warranty Act.
- The Magnuson-Moss Warranty Act is the 1975 U.S. federal law that governs warranties on consumer products. The Act requires manufacturers and sellers of consumer products to provide consumers with detailed information concerning warranty coverage. In addition, the FTC adopted three rules under the Act. These rules are the Rule on Disclosure of Written Consumer Product Warranty Terms and Conditions (the Disclosure Rule), the Rule on Pre-Sale Availability of Written Warranty Terms (the PreSale Availability Rule), and the Rule on Informal Dispute Settlement Procedures (the Dispute Resolution Rule). These Rules and the Act detail three basic requirements that apply to a warrantor or seller. These requirements are:
- A warrantor must designate, or title, the written warranty as either full or limited.
- A warrantor must state certain specified information about the coverage of the warranty in a single, clear, and easy-to-read document.
- The warrantor or seller must ensure that warranties are available at the site of sale of the warranted consumer products so that consumers can read them before purchasing a product.
- Regarding used products, an implied warranty can be disclaimed if a written warranty is not provided. This disclaimer must be made in a conspicuous manner, preferably in writing, so that the consumer is aware that there is no warranty on the product. Terms such as this product is being sold “with all faults” or “as is” should be used. Some states do not permit disclaiming of the implied warranty.
Information Privacy and Privacy Laws
Privacy is the right of an individual to protection from unauthorized disclosure of the individual’s personally identifiable information (PII). For example, the Health Insurance Portability and Accountability Act (HIPAA) lists the following 16 items as a person’s individual identifiers:
- Names
- Postal address information, other than town or city, state, and zip code
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger- and voiceprints
- Full face photographic images and any comparable images
An individual’s right to privacy is embodied in the following fundamental principles of privacy:
- Notice - Regarding collection, use and disclosure of PII
- Choice - To opt out or opt in regarding disclosure of PII to third parties
- Access - By consumers to their PII to permit review and correction of information
- Security - To protect PII from unauthorized disclosure
- Enforcement - Of applicable privacy policies and obligations
Privacy Policy
Organizations develop and publish privacy policies that describe their approaches to handling PII. Web sites of organizations usually have their privacy policies available to read online, and these policies usually cover the following areas:
- Statement of the organization’s commitment to privacy
- The type of information collected, such as names, addresses, credit card numbers, phone numbers, and so on
- Retaining and using e-mail correspondence
- Information gathered through cookies and Web server logs and how that information is used
- How information is shared with affiliates and strategic partners
- Mechanisms to secure information transmissions, such as encryption and digital signatures
- Mechanisms to protect PII stored by the organization
- Procedures for review of the organization’s compliance with the privacy policy
- Evaluation of information protection practices
- Means for the user to access and correct PII held by the organization
- Rules for disclosing PII to outside parties
- Providing PII that is legally required
Privacy-Related Legislation and Guidelines
The following list summarizes some important legislation and recommended guidelines for privacy:
- The Cable Communications Policy Act provides for discretionary use of PII by cable operators internally but imposes restrictions on disclosures to third parties.
- The Children’s Online Privacy Protection Act (COPPA) is aimed at providing protection to children under the age of 13.
- Customer Proprietary Network Information Rules apply to telephone companies and restrict their use of customer information both internally and to third parties.
- The Financial Services Modernization Act (Gramm-Leach-Bliley) requires financial institutions to provide customers with clear descriptions of the institution’s polices and procedures for protecting the PII of customers.
- Telephone Consumer Protection Act restricts communications between companies and consumers, such as in telemarketing.
- The 1973 U.S. Code of Fair Information Practices states that:
- There must not be personal data record–keeping systems whose very existence is secret.
- There must be a way for a person to find out what information about her or him is in a record and how it is used.
- There must be a way for a person to prevent information about him or her that was obtained for one purpose from being used or made available for another purposes without the person’s consent.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for its intended use and must take precautions to prevent misuses of that data.
- The Health Insurance Portability and Accountability Act (HIPAA), Administrative Simplification Title, includes Privacy and Security Rules and standards for electronic transactions and code sets.
European Union (EU) Principles
The protection of information on private individuals from intentional or unintentional disclosure or misuse is the goal of the information privacy laws. The intent and scope of these laws widely varies from country to country. The European Union (EU) has defined privacy principles that in general are more protective of individual privacy than those applied in the United States. Therefore, the transfer of personal information from the EU to the United States, when equivalent personal protections are not in place in the United States, is prohibited. The EU principles include the following:
- Data should be collected in accordance with the law.
- Information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.
- Records kept on an individual should be accurate and up-to-date.
- Individuals have the right to correct errors contained in their personal data.
- Data should be used only for the purposes for which it was collected, and it should be used only for a reasonable period of time.
- Individuals are entitled to receive a report on the information that is held about them.
- Transmission of personal information to locations where equivalent personal data protection cannot be ensured is prohibited.
Health Care–Related Privacy Issues
An excellent example of the requirements and application of individual privacy principles is in the area of health care. The protection from disclosure and misuse of a private individual’s medical information is a prime example of a privacy law. Some of the common health care security issues are as follows:
- Access controls of most health care information systems do not provide sufficient granularity to implement the principle of least privilege among users.
- Most off-the-shelf applications do not incorporate adequate information security controls.
- Systems must be accessible to outside partners, members, and some vendors.
- Providing users with the necessary access to the Internet creates the potential for enabling violations of the privacy and integrity of information.
- Criminal and civil penalties can be imposed for the improper disclosure of medical information.
- A large organization’s misuse of medical information can cause the public to change its perception of the organization.
- Health care organizations should adhere to the following information privacy principles (based on European Union principles):
- An individual should have the means to monitor the database of stored information about himself or herself and should have the ability to change or correct that information.
- Information obtained for one purpose should not be used for another purpose.
- Organizations collecting information about individuals should ensure that the information is provided only for its intended use and should provide safeguards against the misuse of this information.
- The existence of databases containing personal information should not be kept secret.
The U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA - Public Law 104-191), effective August 21, 1996, addresses the issues of health care privacy and plan portability in the United States. With respect to privacy, this Act stated, “Not later than the date that is 12 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall submit … detailed recommendations on standards with respect to the privacy of individually identifiable health information.” This Act further stated “the recommendations … shall address at least the following:
- The rights that an individual who is a subject of individually identifiable health information should have:
- The procedures that should be established for the exercise of such rights
- The uses and disclosures of such information that should be authorized or required”
The Privacy regulations were reopened for public comment for an additional period that closed on March 30, 2001. In March 2002, HHS proposed changes to the HIPAA Privacy Rule in response to input from health care–related organizations as well as the private sector. The changes were put into effect in August 2002. The Final Privacy Rule refers to security issues as illustrated in the following statements:
“(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2) Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.”
The Platform for Privacy Preferences (P3P)
The Platform for Privacy Preferences was developed by the World Wide Web Consortium (W3C) to implement privacy practices on Web sites. The W3C P3P Specification, which can be found at www.w3.org/TR, states:
P3P enables Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
With P3P, an organization can post its privacy policy in machine-readable form (XML) on its Web site. This policy statement should include:
- Who has access to collected information
- The type of information collected
- How the information is used
- The legal entity making the privacy statement
The P3P specification contains the following items:
- A standard vocabulary for describing a Web site’s data practices
- A set of data elements that Web sites can refer to in their P3P privacy policies
- A standard schema for data a Web site may wish to collect, known as the “P3P base data schema”
- A standard set of uses, recipients, data categories, and other privacy disclosures
- An XML format for expressing a privacy policy
- A means of associating privacy policies with Web pages or sites and cookies
- A mechanism for transporting P3P policies over HTTP
A useful consequence of implementing P3P on a Web site is that Web site owners are required to answer multiple-choice questions about their privacy practices. This activity will cause the organization sponsoring the Web site to think about and evaluate its privacy policy and practices in the event that it has not already done so. After answering the necessary P3P privacy questions, an organization can then proceed to develop its policy. A number of sources provide free policy editors and assistance in writing privacy policies. Some of these resources can be found at http://www.w3.org/P3P/ and http://p3ptoolbox.org/.
P3P also supports user agents that allow a user to configure a P3P-enabled Web browser with the user’s privacy preferences. Then, when the user attempts to access a Web site, the user agent compares the user’s stated preferences with the privacy policy in machine-readable form at the Web site. Access will be granted if the preferences match the policy. Otherwise, either access to the Web site will be blocked or a pop-up window will appear notifying the user that he or she must change the privacy preferences. Microsoft’s Internet Explorer 6 (IE6) Web browser supports P3P and can be used to generate and display a report describing a particular Web site’s P3P-implemented privacy policy.
Another P3P implementation is provided by AT&T’s Privacy Bird software, which is an add-on to a browser and inserts an icon of a bird in the top right corner of a user’s Web browser. The AT&T software reads the XML privacy policy statements from a Web site and causes the bird to chirp and change color to inform the user if the user’s listed privacy preference settings are satisfied by the Web site’s P3P policy statements. Clicking on the bird provides more detailed information concerning mismatches between the Web site’s policy practices and the user’s provided preferences.
Electronic Monitoring
Additional personal security issues involve keystroke monitoring, e-mail monitoring, surveillance cameras, badges, and magnetic entry cards. Key issues in electronic monitoring are that the monitoring is conducted in a lawful manner and that it is applied in a consistent fashion. With e-mail, for example, an organization monitoring employee e-mail should:
- Inform all, by means of a prominent logon banner or some other frequent notification, that e-mail is being monitored
This banner should state that, by logging on to the system, the individual consents to electronic monitoring and is subject to a predefined punishment if the system is used for unlawful activities or if the user violates the organization’s information security policy. It should also state that unauthorized access and use of the system is prohibited and subject to punishment.
- Ensure that monitoring is uniformly applied to all employees
- Explain what is considered acceptable use of the e-mail system
- Explain who can read the e-mail and how long it is backed up
- Not provide a guarantee of e-mail privacy
In this context, it is useful to examine the difference between enticement and entrapment. Enticement occurs after an individual has gained unauthorized access to a system. The intruder is then lured to an attractive area, or honey pot, in order to provide time to determine the origin of the intrusion and eventually the identity of the intruder. For example, a student breaking into a professor’s computer may be lured to a file entitled “Final Examination Questions.” Entrapment, on the other hand, encourages the commission of a crime that the individual initially had no intention of committing.
Recent legislation has given the U.S. government additional license to monitor electronic communications and computer files. See the discussion on the PATRIOT Act in the section on “Computer Security, Privacy, and Crime Laws.”
Computer Security, Privacy, and Crime Laws
The following is a summary of laws, regulations, and directives that lists requirements pertaining to the protection of computer-related information:
- 1970 U.S. Fair Credit Reporting Act. Covers consumer reporting agencies.
- 1970 U.S. Racketeer Influenced and Corrupt Organization (RICO) Act. Addresses both criminal and civil crimes involving racketeers influencing the operation of legitimate businesses; crimes cited in this act include mail fraud, securities fraud, and the use of a computer to perpetrate fraud.
- 1973 U.S. Code of Fair Information Practices. Applies to personal record keeping.
- 1974 U.S. Federal Privacy Act (amended in 1980). Applies to federal agencies; provides for the protection of information about private individuals that is held in federal databases, and grants access by the individual to these databases. The law imposes civil and criminal penalties for violations of the provisions of the Act. The Act assigns the U.S. Treasury Department the responsibilities of implementing physical security practices, information management practices, and computer and network controls.
- 1978 Foreign Intelligence Surveillance Act (FISA). Can be used to conduct electronic surveillance and physical searches under a court order and without a warrant in cases of international terrorism, spying, or sabotage activities that are conducted by a foreign power or its agent. FISA is not intended for use in prosecuting U.S. citizens.
- 1980 Organization for Economic Cooperation and Development (OECD) Guidelines. Provides for data collection limitations, the quality of the data, specifications of the purpose for data collection, limitations on data use, information security safeguards, openness, participation by the individual on whom the data is being collected, and accountability of the data controller.
- 1984 U.S. Medical Computer Crime Act. Addresses illegal access to or alteration of computerized medical records through phone or data networks.
- 1984 (strengthened in 1986 and 1994) First U.S. Federal Computer Crime Law Passed. Covers classified defense or foreign relations information, records of financial institutions or credit reporting agencies, and government computers. Unauthorized access or access in excess of authorization became a felony for classified information and a misdemeanor for financial information. This law made it a misdemeanor to knowingly access a U.S. Government computer without or beyond authorization if the U.S government’s use of the computer would be affected.
- 1986 (amended in 1996) U.S. Computer Fraud and Abuse Act. Clarified the 1984 law and added three new crimes:
- When use of a federal-interest computer furthers an intended fraud
- When altering, damaging, or destroying information in a federal-interest computer or preventing the use of the computer or information that causes a loss of $1000 or more or could impair medical treatment
- Trafficking in computer passwords if it affects interstate or foreign commerce or permits unauthorized access to government computers
- 1986 U.S. Electronic Communications Privacy Act. Prohibits eavesdropping or the interception of message contents without distinguishing between private or public systems. This law updated the Federal privacy clause in the Omnibus Crime Control and Safe Streets Act of 1968 to include digitized voice, data, or video, whether transmitted over wire, microwave, or fiber optics. Court warrants are required to intercept wire or oral communications, except for phone companies, the FCC, and police officers that are party to a call with the consent of one of the parties.
- 1987 U.S. Computer Security Act. Places requirements on federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems. A category of sensitive information called Sensitive But Unclassified (SBU) has to be considered. This category, formerly called Sensitive Unclassified Information (SUI), pertains to information below the government’s classified level that is important enough to protect, such as medical information, financial information, and research and development knowledge. This act also partitioned the government’s responsibility for security between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). NIST was given responsibility for information security in general, primarily for the commercial and SBU arenas, and NSA retained the responsibility for cryptography for classified government and military applications.
- The Computer Security Act established the National Computer System Security and Privacy Advisory Board (CSSPAB), which is a twelve-member advisory group of experts in computer and telecommunications systems security.
- 1990 United Kingdom Computer Misuse Act. Defines computer-related criminal offenses
- 1991 U.S. Federal Sentencing Guidelines. Provides punishment guidelines for those found guilty of breaking federal law. These guidelines, in relation to information systems security and computer crime, are as follows:
- Treat the unauthorized possession of information without the intent to profit from the information as a crime.
- Address both individuals and organizations.
- Make the degree of punishment a function of the extent to which the organization has demonstrated due diligence (due care or reasonable care) in establishing a prevention and detection program.
- Invoke the prudent-man rule, which requires senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances.
- Place responsibility on senior organizational management for the prevention and detection programs, with fines of up to $290 million for nonperformance.
- 1992 OECD Guidelines to Serve as a Total Security Framework. The Framework includes laws, policies, technical and administrative measures, and education.
- 1994 U.S. Communications Assistance for Law Enforcement Act. Requires all communications carriers to make wiretaps possible.
- 1994 U.S. Computer Abuse Amendments Act. This act accomplished the following:
- Changed the phrase “federal interest computer” to “a computer used in interstate commerce or communications”
- Covers viruses and worms
- Included intentional damage as well as damage done with “reckless disregard of substantial and unjustifiable risk”
- Limited imprisonment for the unintentional damage to one year
- Provides for civil action to obtain compensatory damages or other relief
- Paperwork Reduction Acts of 1980, 1995. Provides Information Resources Management (IRM) directives for the U.S. Government. This law established the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget (OMB). One result of the Act is to require government agencies to apply information technology systems to increase productivity, improve delivery of services, and minimize waste.
- The OMB was assigned the responsibility for improving government efficiency through the application of new technologies and was also made responsible for developing guidance on information security for government agencies. Under the Paperwork Reduction Act, agencies must:
- Manage information resources to improve integrity, quality, and utility of information to all users
- Manage information resources to protect privacy and security
- Designate a senior official, reporting directly to the Secretary of the Treasury, to ensure that the responsibilities assigned by the Act are accomplished
- Identify and afford security protections in conformance with the Computer Security Act of 1987 commensurate with the magnitude of harm and risk that might result from the misuse, loss, or unauthorized access relative to information collected by an agency or maintained on behalf of an agency
- Implement and enforce applicable policies, procedures, standards, and guidelines on privacy, confidentiality, security, disclosures, and sharing of information collected or maintained by or for the agency
- 1995 Council Directive (Law) on Data Protection for the European Union (EU). Declares that each EU nation is to enact protections similar to those of the OECD Guidelines.
- 1996 U.S. Economic and Protection of Proprietary Information Act. Addresses industrial and corporate espionage and extends the definition of property to include proprietary economic information in order to cover the theft of this information
- 1996 U.S. Kennedy-Kassebaum Health Insurance and Portability Accountability Act (HIPAA). With additional requirements added in December 2000, addresses the issues of personal health care information privacy, security, transactions and code sets, unique identifiers, and health plan portability in the United States.
- 1996 U.S. National Information Infrastructure Protection Act. Enacted in October 1996 as part of Public Law 104-294, amended the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. § 1030. The amended Computer Fraud and Abuse Act is patterned after the OECD Guidelines for the Security of Information Systems and addresses the protection of the confidentiality, integrity, and availability of data and systems. This path is intended to encourage other countries to adopt a similar framework, thus creating a more uniform approach to addressing computer crime in the existing global information infrastructure.
- 1996 Information Technology Management Reform Act (ITMRA) of 1996, National Defense Authorization Act for Fiscal Year 1996 (Clinger-Cohen Act). Relieves the General Services Administration of responsibility for procurement of automated systems and contract appeals. OMB is charged with providing guidance, policy, and control for information technology procurement. With the Paperwork Reduction Act, as amended, this Act delineates OMB’s responsibilities for overseeing agency practices regarding information privacy and security.
- 1996, Title I, Economic Espionage Act. Addresses the numerous acts concerned with economic espionage and the national security aspects of the crime. The theft of trade secrets is also defined in the Act as a federal crime.
- 1998 U.S. Digital Millennium Copyright Act (DMCA). The DMCA prohibits trading, manufacturing, or selling in any way that is intended to bypass copyright protection mechanisms. It also addresses ISPs that unknowingly support the posting of copyrighted material by subscribers. If the ISP is notified that the material is copyrighted, the ISP must remove the material. Additionally, if the posting party proves that the removed material was of “lawful use,” the ISP must restore the material and notify the copyright owner within 14 business days.
- Two important rulings regarding the DMCA were made in 2001. The rulings involved DeCSS, which is a program that bypasses the Content Scrambling System (CSS) software used to prevent the viewing of DVD movie disks on unlicensed platforms. In a trade secrecy case (DVD-CCA v. Banner), the California appellate court overturned a lower court ruling that an individual who posted DeCSS on the Internet had revealed the trade secret of CSS. The appeals court has reversed an injunction on the posting of DeCSS, stating that the code is speech protected by the First Amendment.
- The second case (Universal City v. Reimerdes) was the first constitutional challenge to DMCA anticircumvention rules. The case involved Eric Corley, the publisher of the hacker magazine 2600 Magazine. Corley was covering the DeCSS situation, and as part of that coverage he posted DeCSS on his publication’s Web site. The trial and appellate courts both ruled that the posting violated the DMCA and was, therefore, illegal. This ruling upheld the DMCA. It appears that there will be more challenges to DMCA in the future.
- 1999 U.S. Uniform Computers Information Transactions Act (UCITA). Approved by the National Commissioners on Uniform State Laws (NCCUSL) on July 29, 1999. This legislation, to be enacted state-by-state, should greatly affect libraries’ access to and use of software packages. It also keeps in place the current licensing practices of software vendors. At present, shrink-wrap or click-wrap licenses limit rights that are normally granted under copyright law. Under Section 109 of the U.S. 1976 Copyright Act, the first-sale provision permits “the owner of a particular copy without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy.” The software manufacturers use the term “license” in their transactions, however. As opposed to the word “sale,” the term “license” denotes that the software manufacturers are permitting users to use a copy of their software. Thus, the software vendor still owns the software. Until each state enacts the legislation, it is not clear whether shrink-wrap licenses that restrict users’ rights under copyright law are legally enforceable. For clarification, shrink-wrap licenses physically accompany a disk, while click-on and active click-wrap licenses are usually transmitted electronically. Sometimes, the term “shrink-wrap” is interpreted to mean both physical and electronic licenses to use software. The focus of the UCITA legislation is not on the physical media but on the information contained on the media.
- 2000 U.S. Congress Electronic Signatures in Global and National Commerce Act (“ESIGN”). Facilitates the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically. An important provision of the act requires that businesses obtain electronic consent or confirmation from consumers to receive information electronically that a law normally requires to be in writing.
- The legislation is intent on preserving the consumers’ rights under consumer protection laws and has gone to extraordinary measures to meet this goal. Thus, a business must receive confirmation from the consumer in electronic format that the consumer consents to receiving information electronically that used to be in written form. This provision ensures that the consumer has access to the Internet and is familiar with the basics of electronic communications.
- 2001 USA Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act. Permits the:
- Subpoena of electronic records
- Monitoring of Internet communications
- Search and seizure of information on live systems (including routers and servers), backups, and archives
- This act gives the U.S. government new powers to subpoena electronic records and to monitor Internet traffic. In monitoring information, the government can require the assistance of ISPs and network operators. This monitoring can extend even into individual organizations. In the PATRIOT Act, Congress permits investigators to gather information about e-mail without having to show probable cause that the person to be monitored has committed a crime or was intending to commit a crime. Routers, servers, backups, and so on now fall under existing search and seizure laws. A new twist is delayed notification of a search warrant. Under the PATRIOT Act, if it is suspected that notification of a search warrant would cause a suspect to flee, a search can be conducted before notification of a search warrant is given.
- Generally Accepted Systems Security Principles (GASSP). These items are not laws but are accepted principles that have a foundation in the OECD Guidelines:
- Computer security supports the mission of the organization.
- Computer security is an integral element of sound management.
- Computer security should be cost-effective.
- Systems owners have security responsibilities outside their organizations.
- Computer security responsibilities and accountability should be made explicit.
- Computer security requires a comprehensive and integrated approach.
- Computer security should be periodically reassessed.
- Computer security is constrained by societal factors.
- 2002 E-Government Act. Title III, the Federal Information Security Management Act (FISMA). Written to:
- “Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets
- Recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities
- Provide for development and maintenance of minimum controls required to protect Federal information and information systems
- Provide a mechanism for improved oversight of Federal agency information security programs”
Additional information on FISMA is given in Chapter 12.
Investigation
The field of investigating computer crime is also known as computer forensics. Specifically, computer forensics is the collecting of information from and about computer systems that is admissible in a court of law.
Computer Investigation Issues
To explore computer crime investigation, it is useful to consider the motivations for committing computer crime. The major reasons are financial gain, revenge, ego, or to receive attention. The method of operation, or modus operandi, of computer criminals is designed to create a high probability of successfully carrying out the criminal act, protecting their identity, and enhancing their means of escape.
Because of the nature of information that is stored on the computer, investigating and prosecuting computer criminal cases have unique issues, such as the following:
- Investigators and prosecutors have a compressed time frame for the investigation.
- The information is intangible.
- The investigation may interfere with the normal conduct of the business of an organization.
- There may be difficulty in gathering the evidence.
- Data associated with the criminal investigation may be located on the same computer as data needed for the normal conduct of business (comingling of data).
- In many instances, an expert or specialist is required.
- Locations involved in the crime may be geographically separated by long distances in different jurisdictions. This separation might result in differences in laws, attitudes toward computer crimes, or definitions of computer crimes as well as difficulty in obtaining search warrants, lack of cooperation, and so forth.
- Many jurisdictions have expanded the definition of property to include electronic information.
Evidence
The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation. The major types of computer evidence are computer printouts, plotter outputs, display screens, and magnetic or optical storage. Because the evidence involved in a computer crime may be intangible and subject to easy modification without a trace, evidence must be carefully handled and controlled throughout its entire life cycle. Specifically, there is a chain of evidence that one must follow and protect. The following are the major components of this chain of evidence:
- Location of evidence when obtained
- Time evidence was obtained
- Identification of individual(s) who discovered evidence
- Identification of individual(s) who secured evidence
- Identification of individual(s) who controlled evidence and individual(s) who maintained possession of that evidence
The evidence life cycle covers the evidence gathering and application process. This life cycle has the following components:
- Discovery and recognition
- Protection
- Recording
- Collection:
- Collect all relevant storage media.
- Make an image of the hard disk before removing power.
- Print out the screen.
- Avoid degaussing equipment.
- Identification (tagging and marking)
- Preservation:
- Protect magnetic media from erasure.
- Store in a proper environment.
- Transportation
- Presentation in a court of law
- Return of evidence to owner
Evidence Admissibility
To be admissible in a court of law, evidence must meet certain stringent requirements. The evidence must be relevant, legally permissible, reliable, properly identified, and properly preserved. The main points of these requirements are as follows:
- Relevant. The evidence is related to the crime in that it shows that the crime has been committed, it can provide information describing the crime, it can provide information as to the perpetrator’s motives, it can verify what has occurred, or it can fix the crime’s time of occurrence.
- Legally permissible. The evidence was obtained in a lawful manner.
- Reliable. The evidence has not been tampered with or modified.
- Properly Identified. The evidence is properly identified without being changed or damaged the evidence. In computer forensics, this process includes the following:
- Labeling printouts with permanent markers
- Identifying the operating system used, the hardware types, and so on
- Recording serial numbers
- Marking evidence without damaging it or by placing it in sealed containers that are marked
- Preserved. The evidence is not subject to damage or destruction. The following are the recommended procedures for preservation:
- Do not prematurely remove power.
- Back up the hard disk image by using disk-imaging hardware or software.
- Avoid placing magnetic media in the proximity of sources of magnetic fields.
- Store media in a dust- and smoke-free environment at a proper temperature and humidity.
- Write-protect media.
- Authenticate the file system by creating a digital signature based on the contents of a file or disk sector. One-way hash algorithms, such as the Secure Hash Algorithm (SHA) described in Chapter 4, can be used.
Types of Evidence
Legal evidence can be classified into the following types:
- Best evidence. Original or primary evidence rather than a copy or duplicate of the evidence
- Secondary evidence. A copy of evidence or oral description of its contents; not as reliable as best evidence
- Direct evidence. Proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses
- Conclusive evidence. Incontrovertible; overrides all other evidence
- Opinions. The following are the two types of opinions:
- Expert - Can offer an opinion based on personal expertise and facts
- Nonexpert - Can testify only as to facts
- Circumstantial evidence. Inference of information from other, intermediate, relevant facts
- Hearsay evidence (third party). Evidence that is not based on personal, firsthand knowledge of the witness but that was obtained from another source. Under the U.S. Federal Rules of Evidence (803), hearsay evidence is generally not admissible in court. Computer-generated records and other business records fall under the category of hearsay evidence because these records cannot be proven accurate and reliable. This inadmissibility is known as the hearsay rule. However, there are certain exceptions to the hearsay rule for records that are:
- Made during the regular conduct of business and authenticated by witnesses familiar with their use
- Relied upon in the regular course of business
- Made by a person with knowledge of the records
- Made by a person with information transmitted by a person with knowledge
- Made at or near the time of occurrence of the act being investigated
- In the custody of the witness on a regular basis
Searching and Seizing Computers
The U.S. Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS) has issued the publication Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (January 2001). The document introduction states, “This publication provides a comprehensive guide to the legal issues that arise when federal law enforcement agents search and seize computers and obtain electronic evidence in criminal investigations. The topics covered include the application of the Fourth Amendment to computers and the Internet, the Electronic Communications and Privacy Act, workplace privacy, the law of electronic surveillance and evidentiary information system security uses.” The document also cites the following U.S. Codes relating to searching and seizing computers:
- 18 U.S.C. § 12510 - Definitions
- 18 U.S.C. § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited
- 18 U.S.C. § 2701 - Unlawful access to stored communications
- 18 U.S.C. § 2702 - Disclosure of contents
- 18 U.S.C. § 2703 - Requirements for governmental access
- 18 U.S.C. § 2705 - Delayed notice
- 18 U.S.C. § 2711 - Definitions
- 18 U.S.C. § 2000aa - Searches and seizures by government officers and employees in connection with the investigation or prosecution of criminal offenses
The headings of these codes illustrate the areas covered and, in general, the increased concern for the privacy of the individual.
Conducting the Investigation
There are many issues involved in the conduct of an investigation of suspected computer crime. For example, in a corporate environment, an investigation should involve management, corporate security, human resources, the legal department, and other appropriate staff members. The act of investigating may also affect critical operations. For example, it may prompt a suspect to commit retaliatory acts that may compromise data, result in a DoS, generate negative publicity, or open individual privacy issues. Thus, it is important to prepare a plan beforehand on how to handle reports of suspected computer crimes. A committee of appropriate personnel should be set up beforehand to address the following issues:
- Establishing a prior liaison with law enforcement
- Deciding when and whether to bring in law enforcement (in the United States, the FBI and Secret Service have jurisdiction over computer crimes)
- Setting up means of reporting computer crimes
- Establishing procedures for handling and processing reports of computer crime
- Planning for and conducting investigations
- Involving senior management and the appropriate departments, such as legal, internal audit, information systems, and human resources
- Ensuring the proper collection of evidence, which includes identification and protection of the various storage media
If a computer crime is suspected, it is important not to alert the suspect. A preliminary investigation should be conducted to determine whether a crime has been committed, examining the audit records and system logs, interviewing witnesses, and assessing the damage incurred. It is critical to determine whether disclosure to legal authorities is required by law or regulation. U.S. Federal Sentencing Guidelines require organizations to report criminal acts. There are a number of pertinent issues to consider relative to outside disclosure. Negative publicity resulting in a lack of confidence in the business of the organization is an obvious concern. Once an outside entity such as law enforcement is involved, information dissemination is out of the hands of the organization. Law enforcement involvement necessarily involves support from the organization in terms of personnel time.
The timing of requesting outside assistance from law enforcement is another major issue. In the United States, law enforcement personnel are bound by the Fourth Amendment to the U.S. Constitution and must obtain a warrant to search for evidence. This amendment protects individuals from unlawful search and seizure. A search warrant is issued when there is probable cause for the search, and it provides legal authorization to search a location for specific evidence. Private citizens are not held to this strict requirement, thus, in some cases, a private individual can conduct a search for possible evidence without a warrant. However, if a private individual were asked by a law enforcement officer to search for evidence, a warrant would be required, because the private individual would be acting as an agent of law enforcement.
An exception to the search warrant requirement for law enforcement officers is the Exigent Circumstances Doctrine. Under this doctrine, if probable cause is present and destruction of the evidence is deemed imminent, the search can be conducted without the delay of having the warrant in-hand.
Thus, if law enforcement is called in too early when a computer crime is suspected, the law enforcement investigators will be held to a stricter standard than the organization’s employees in regard to searching for and gathering evidence. However, there is a higher probability that any evidence acquired will be admissible in court, because law enforcement personnel are trained in preserving the chain of evidence. As stated previously, the dissemination of information and the corresponding publicity will also be out of the organization’s control when the investigation is turned over to law enforcement. Conversely, if law enforcement is called in too late to investigate a possible computer crime, improper handling of the investigation and evidence by untrained organization employees may reduce or eliminate the chances of a successful prosecution.
Good sources of evidence include telephone records, video cameras, audit trails, system logs, system backups, witnesses, results of surveillance, and e-mails.
A standard discriminator used to determine whether a subject may be the perpetrator of a crime is to evaluate whether the individual had a Motive, the Opportunity, and the Means to commit the crime. This test is known as MOM.
If the investigation is undertaken internally, the suspect should be interviewed to acquire information and to determine who committed the offense. This interrogation should be planned in advance, and expert help should be obtained in the conduct of the interview. Obviously, the suspect is alerted when he or she is scheduled for interrogation, and a common mistake in setting up and conducting the interview is providing the suspect with too much information. With this information, the suspect may try to alter additional evidence, leave the premises, or warn other coconspirators. In the conduct of the interrogation, the pertinent information relative to the crime should be obtained, and the questions should be scripted beforehand. To avoid the possible destruction of critical information by the suspect, original documents should not be used in the conduct of the interview.
Export Issues and Technology
In July 2000 the United States announced a relaxation of its encryption export policy to certain countries. To quote the President’s Chief of Staff, John D. Podesta, “Under our new policy, American companies can export any encryption product to any end user in the European Union and eight other trading partners. We’re also speeding up the time to market by eliminating the 30-day waiting period when exporting encryption goods to these countries.”
Podesta also pointed out the effect that advancing technology has had on the Electronic Communications and Privacy Act (ECPA). He pointed out, “ECPA, like its predecessors, has, in many ways, become outdated by the new advances in computer technology and electronic communication. Since its passage in 1986, we’ve seen a communications revolution with the explosion of the cell phone and the development and use of the World Wide Web. Today, there are more than 95 million cell phone users, and more than 50 million households online in the United States. More than 1.4 billion e-mails change hands every day … ECPA was not devised to address many of the issues related to these newer, faster means of electronic communication. It doesn’t extend the stringent Title III protections to the capture of e-mail that you send to your friends or business partners.” Podesta cited legislation that was being proposed to amend existing statutes and outmoded language (which applied primarily to wiretapping) and to define protections for hardware and software systems in general.
Liability
In 1997 the Federal Sentencing Guidelines were extended to apply to computer crime. Recall that, under these guidelines, senior corporate officers can be personally subject to up to $290 million in fines if their organizations do not comply with the law. These guidelines also treat the possession of illegally acquired material without intent to resell as a crime.
Management has the obligation to protect the organization from losses due to natural disasters, malicious code, compromise of proprietary information, damage to reputation, violation of the law, employee privacy suits, and stockholder suits. Management must follow the prudent-man rule, which “requires officers to perform duties with diligence and care that ordinary, prudent people would exercise under similar circumstances.” The officers must exercise due care or reasonable care to carry out their responsibilities to the organization. In exercising due care, corporate officers must institute the following protections:
- Establishing an organizational incident-handling capability
The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from exploitation of the corresponding vulnerability. If C < L, then a legal liability exists.
Incident handling, noted in the prevention list, is an important part of the contingency planning that addresses the handling of malicious attacks, usually by technical means. Incident handling or an emergency response should be planned for prior to the occurrence of any incidents and should address the following questions:
- What is considered an incident?
- How should an incident be reported?
- To whom should the incident be reported?
- When should management be informed of the incident?
- What action should be taken if an incident is detected?
- Who should handle the response to the incident?
- How much damage was caused by the incident?
- What information was damaged or compromised by the incident?
- Are recovery procedures required to remediate damages caused by the incident?
- What type of follow-up and review should be conducted after the incident is handled?
- Should additional safeguards be instituted as a result of the incident?
Incident handling can be considered as the portion of contingency planning that responds to malicious technical threats and can be addressed by establishing a Computer Incident Response Team (CIRT). A proper incident response is important to limit the resulting damage, to provide information for prevention of future incidents, and to serve as a means of increasing employee awareness. The majority of incidents do not occur from outside sources, such as crackers and malicious code. Many incidents are the result of incompetent employees, malicious employees, other insiders, accidental actions, and natural disasters. If an intruder is identified, penalty options include civil or criminal prosecution, employee termination, reprimand, or suspension.
Attacks can be traced in real time or indirectly after the fact. To accomplish a real-time trace, the source of the attack has to be identified while it is occurring. This trace usually has to go through intermediate computers that were part of the attack path. Thus, the administrators of these systems have to be willing to cooperate in back tracing to locate the initiator of the attack. Indirect tracing is accomplished by analyzing log files of computer systems that were part of the attack path.
The Carnegie Mellon University Computer Emergency Response Team Coordination Center (CERT®/CC) is an excellent source of information for establishing and maintaining organizational CIRTs.
Ethics
Ethics is concerned with standards of behavior and considerations of what is “right” and what is “wrong.” It is difficult to state hard ethical rules because definitions of ethical behavior are a function of an individual’s experience, background, nationality, religious beliefs, culture, family values, and so on.
Similarly, ethical computing is a phrase that is often used but difficult to define. Certified professionals are morally and legally held to a higher standard of ethical conduct. In order to instill proper computing behavior, ethics should be incorporated into an organizational policy and further developed into an organizational ethical computing policy.
Some people who conduct attacks on computers rationalize these attacks with assumptions such as the following:
- “My actions will not cause permanent harm to a computer. Files can always be recovered.”
- “My motivation is to advance my knowledge of networks and computers by breaking into someone else’s computers and learning from my actions.”
- “Information wants to be free, and I am helping to liberate it.”
- “Under the First Amendment of the U.S. Constitution, I have the right to exercise my freedom of speech by writing viruses.”
- “The computer and its software will prevent from doing harm to the computer.”
- “Because it is easy to copy software, I can copy it and use it on my computer without purchasing the software.”
Individual ethical behavior varies widely because a person’s perception of ethics is a function of many variables in that person’s background. Because one is not stealing physical property, the “borrowing” or “viewing” of information on an organization’s computers is perceived by many as innocent behavior. Some crackers (malicious hackers) feel that any information available for access or subject to access by virtue of inadequate control measures is fair game. Others are of the opinion that hacking into an organization’s information systems is performing a service by alerting the organization to weaknesses in their system safeguards. These naïve and incorrect perspectives trample on the rights of individual privacy and compromise critical and organizational proprietary information.
These breaches of security can result in million-dollar losses to an organization through the destruction or unavailability of critical data and resources or through stock devaluation. From the national perspective, destructive cracker behavior could seriously affect a nation’s critical infrastructure, economic health, and national security. Clearly, these types of malicious hacking results cannot be explained away by claims of freedom of speech and freedom of expression rights.
A number of organizations have addressed the issue of ethical computing and have generated guidelines for ethical behavior. A few of these ethical codes are presented to provide a familiarization with the items addressed in such codes. Some of these lists are under revision. However, the versions illustrate the general areas that are important in ethical computing behavior.
(ISC)2 Code of Ethics
The preamble to the (ISC)2 Code of Ethics states:
- “Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this code is a condition of certification.”
The Canons of the (ISC)2 Code of Ethics are:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to the principals.
- Advance and protect the profession.
The Computer Ethics Institute s Ten Commandments of Computer Ethics
In 1992, the Coalition for Computer Ethics incorporated as the Computer Ethics Institute (CEI) to focus on the interface of advances in information technologies, ethics, and corporate and public policy. The CEI addresses industrial, academic, and public policy organizations. The Institute’s founding organizations are the Brookings Institution, IBM, the Washington Consulting Group, and the Washington Theological Consortium. The Institute is concerned with the ethical issues associated with the advancement of information technologies in society and has generated the following ten commandments of computer ethics:
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people’s computer work.
- Thou shalt not snoop around in other people’s computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy or use proprietary software for which thou hast not paid.
- Thou shalt not use other people’s computer resources without authorization or the proper compensation.
- Thou shalt not appropriate other people’s intellectual output.
- Thou shalt think about the social consequences of the program thou art writing for the system thou art designing.
- Thou shalt use a computer in ways that ensure consideration and respect for thy fellow humans.
The Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)
Access to and use of the Internet is a privilege and should be treated as such by all users of the system.
The IAB also makes the following statement:
The Internet exists in the general research milieu. Portions of it continue to be used to support research and experimentation on networking. Because experimentation on the Internet has the potential to affect all of its components and users, researchers have the responsibility to exercise great caution in the conduct of their work. Negligence in the conduct of Internet-wide experiments is both irresponsible and unacceptable.
Any activity is defined as unacceptable and unethical that purposely:
- Seeks to gain unauthorized access to the resources of the Internet
- Destroys the integrity of computer-based information
- Disrupts the intended use of the Internet
- Wastes resources such as people, capacity, and computers through such actions
- Compromises the privacy of users
- Involves negligence in the conduct of Internetwide experiments
The U S Department of Health and Human Services Code of Fair Information Practices
The United States Department of Health and Human Services has developed the following list of fair information practices that focuses on the privacy of individually identifiable personal information:
- There must not be personal data record-keeping systems whose very existence is secret.
- There must be a way for a person to find out what information about him or her is in a record and how it is used.
- There must be a way for a person to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without their consent.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must ensure the reliability of the data for their intended use and must take precautions to prevent misuses of that data.
The Organization for Economic Cooperation and Development (OECD)
The Organization for Economic Cooperation and Development (OECD) (www.oecd.org) has issued guidelines that are summarized as follows:
- Collection Limitation Principle - There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Data Quality Principle - Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, it should be accurate, complete, and up-to-date.
- Purpose Specification Principle - The purposes for which personal data is collected should be specified not later than at the time of data collection, and the subsequent use should be limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
- Use Limitation Principle - Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:
- With the consent of the data subject
- By the authority of law
- Security Safeguards Principle - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
- Openness Principle - There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of its use, as well as the identity and usual residence of the data controller.
- Individual Participation Principle - An individual should have the right:
- To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him or her
- To have communicated to him or her data relating to him or her within a reasonable time:
- At a charge, if any, that is not excessive
- In a reasonable manner
- In a form that is readily intelligible to him
- To be given reasons if a request made under subparagraphs (a) and is denied, and to be able to challenge such denial
- To challenge data relating to him or her and, if the challenge is successful, to have the data erased, rectified, completed, or amended
- Accountability Principle - A data controller should be accountable for complying with measures that give effect to the principles stated above.
- Transborder Issues - A member country should refrain from restricting transborder flows of personal data between itself and another member country except where the latter does not yet substantially observe these guidelines or where the re-export of such data would circumvent its domestic privacy legislation.
- A member country can also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other member country provides no equivalent protection.
Assessment Questions
You can find the answers to the following questions in Appendix A.
1.
|
According to the Internet Architecture Board (IAB), an activity that causes which of the following is considered a violation of ethical behavior on the Internet?
- Wasting resources
- Appropriating other people’s intellectual output
- Using a computer to steal
- Using a computer to bear false witness
|
|
2.
|
Which of the following best defines social engineering?
- Illegal copying of software
- Gathering information from discarded manuals and printouts
- Using people skills to obtain proprietary information
- Destruction or alteration of data
|
|
3.
|
Because the development of new technology usually outpaces the law, law enforcement uses which traditional laws to prosecute computer criminals?
- Malicious mischief
- Embezzlement, fraud, and wiretapping
- Immigration
- Conspiracy and elimination of competition
|
|
4.
|
Which of the following is not a category of law under the Common Law System?
- Criminal law
- Civil law
- Administrative/regulatory law
- Derived law
|
|
5.
|
A trade secret:
- Provides the owner with a legally enforceable right to exclude others from practicing the art covered for a specified time period
- Protects original works of authorship
- Secures and maintains the confidentiality of proprietary technical or business-related information that is adequately protected from disclosure by the owner
- Is a word, name, symbol, color, sound, product shape, or device used to identify goods and to distinguish them from those made or sold by others
|
|
6.
|
Which of the following is not a European Union (EU) principle?
- Data should be collected in accordance with the law.
- Transmission of personal information to locations where equivalent personal data protection cannot be ensured is permissible.
- Data should be used only for the purposes for which it was collected and should be used only for a reasonable period of time.
- Information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.
|
|
7.
|
The Federal Sentencing Guidelines:
- Hold senior corporate officers personally liable if their organizations do not comply with the law
- Prohibit altering, damaging, or destroying information in a federal interest computer
- Prohibit eavesdropping or the interception of message contents
- Established a category of sensitive information called Sensitive But Unclassified (SBU)
|
|
8.
|
What does the prudent-man rule require?
- Senior officials to post performance bonds for their actions
- Senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances
- Senior officials to guarantee that all precautions have been taken and that no breaches of security can occur
- Senior officials to follow specified government standards
|
|
9.
|
Information Warfare is:
- Attacking the information infrastructure of a nation to gain military or economic advantages
- Developing weapons systems based on artificial intelligence technology
- Generating and disseminating propaganda material
- Signal intelligence
|
|
10.
|
The chain of evidence relates to:
- Securing laptops to desks during an investigation
- DNA testing
- Handling and controlling evidence
- Making a disk image
|
|
11.
|
The Kennedy-Kassebaum Act is also known as:
- RICO
- OECD
- HIPAA
- EU Directive
|
|
12.
|
Which of the following refers to a U.S. government program that reduces or eliminates emanations from electronic equipment?
- CLIPPER
- ECHELON
- ECHO
- TEMPEST
|
|
13.
|
Imprisonment is a possible sentence under:
- Civil (tort) law
- Criminal law
- Both civil and criminal law
- Neither civil nor criminal law
|
|
14.
|
Which one of the following conditions must be met if legal electronic monitoring of employees is conducted by an organization?
- Employees must be unaware of the monitoring activity.
- All employees must agree with the monitoring policy.
- Results of the monitoring cannot be used against the employee.
- The organization must have a policy stating that all employees are regularly notified that monitoring is being conducted.
|
|
15.
|
Which of the following is a key principle in the evolution of computer crime laws in many countries?
- All members of the United Nations have agreed to uniformly define and prosecute computer crime.
- Existing laws against embezzlement, fraud, and wiretapping cannot be applied to computer crime.
- The definition of property is extended to include electronic information.
- Unauthorized acquisition of computer-based information without the intent to resell is not a crime.
|
|
16.
|
The concept of due care states that senior organizational management must ensure that:
- All risks to an information system are eliminated.
- Certain requirements must be fulfilled in carrying out their responsibilities to the organization.
- Other management personnel are delegated the responsibility for information system security.
- The cost of implementing safeguards is greater than the potential resultant losses resulting from information security breaches.
|
|
17.
|
Liability of senior organizational officials relative to the protection of the organization’s information systems is prosecutable under:
- Criminal law
- Civil law
- International law
- Financial law
|
|
18.
|
Responsibility for handling computer crimes in the United States is assigned to:
- The Federal Bureau of Investigation (FBI) and the Secret Service
- The FBI only
- The National Security Agency (NSA)
- The Central Intelligence Agency (CIA)
|
|
19.
|
In general, computer-based evidence is considered:
- Conclusive
- Circumstantial
- Secondary
- Hearsay
|
|
20.
|
Investigating and prosecuting computer crimes is made more difficult because:
- Backups may be difficult to find.
- Evidence is mostly intangible.
- Evidence cannot be preserved.
- Evidence is hearsay and can never be introduced into a court of law.
|
|
21.
|
Which of the following criteria are used to evaluate suspects in the commission of a crime?
- Motive, Intent, and Ability
- Means, Object, and Motive
- Means, Intent, and Motive
- Motive, Means, and Opportunity
|
|
22.
|
Which one of the following U.S. government entities was assigned the responsibility for improving government efficiency through the application of new technologies and for developing guidance on information security for government agencies by the Paperwork Reduction Act of 1980, 1995?
- The National Institute for Standards and Technology (NIST)
- The General Services Administration (GSA)
- The Office of Management and Budget (OMB)
- The National Security Agency (NSA)
|
|
23.
|
What is enticement?
- Encouraging the commission of a crime when there was initially no intent to commit a crime
- Assisting in the commission of a crime
- Luring the perpetrator to an attractive area or presenting the perpetrator with a lucrative target after the crime has already been initiated
- Encouraging the commission of one crime over another
|
|
24.
|
Which of the following is not a computer investigation issue?
- Evidence is easy to obtain.
- The time frame for investigation is compressed.
- An expert may be required to assist.
- The information is intangible.
|
|
25.
|
Conducting a search without the delay of obtaining a warrant if destruction of evidence seems imminent is possible under:
- Federal Sentencing Guidelines
- Proximate Causation
- Exigent Circumstances
- Prudent-Man Rule
|
|
26.
|
Which one of the following items is not true concerning the Platform for Privacy Preferences (P3P) developed by the World Wide Web Consortium (W3C)?
- It allows Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents.
- It allows users to be informed of site practices in human-readable format.
- It does not provide the site privacy practices to users in machine-readable format.
- It automates decision making based on the site’s privacy practices when appropriate.
|
|
27.
|
The 1996 Information Technology Management Reform Act (ITMRA), or Clinger-Cohen Act, did which one of the following?
- Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the Office of Management and Budget with providing guidance on information technology procurement
- Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the National Institute for Standards and Technology with providing guidance on information technology procurement
- Relieved the Office of Management and Budget of responsibility for procurement of automated systems and contract appeals and charged the General Services Administration with providing guidance on information technology procurement
- Relieved the General Services Administration of responsibility for procurement of automated systems and contract appeals and charged the National Security Agency with providing guidance on information technology procurement
|
|
28.
|
Which one of the following U.S. Acts prohibits trading, manufacturing, or selling in any way that is intended to bypass copyright protection mechanisms?
- The 1999 Uniform Information Transactions Act (UCITA)
- The 1998 Digital Millennium Copyright Act (DMCA)
- The 1998 Sonny Bono Copyright Term Extension Act
- The 1987 U.S. Computer Security Act
|
|
29.
|
Which of the following actions by the U.S. government is not permitted or required by the U.S. PATRIOT Act, signed into law on October 26, 2001?
- Subpoena of electronic records
- Monitoring of Internet communications
- Search and seizure of information on live systems (including routers and servers), backups, and archives
- Reporting of cash and wire transfers of $5,000 or more
|
|
30.
|
Which Act required U.S. government agencies to do the following?
- Manage information resources to protect privacy and security
- Designate a senior official, reporting directly to the Secretary of the Treasury, to ensure that the responsibilities assigned by the Act are accomplished
- Identify and afford security protections in conformance with the Computer Security Act of 1987 commensurate with the magnitude of harm and risk that may result from the misuse, loss, or unauthorized access relative to information collected by an agency or maintained on behalf of an agency
- Implement and enforce applicable policies, procedures, standards, and guidelines on privacy, confidentiality, security, disclosures, and sharing of information collected or maintained by or for the agency
- 1994 U.S. Computer Abuse Amendments Act
- 1996, Title I, Economic Espionage Act
- 1987 U.S. Computer Security Act
- Paperwork Reduction Act of 1980, 1995
|
|
Answers
1.
|
Answer: a
The correct answer is a. Answers b, c, and d are ethical considerations of other organizations.
|
2.
|
Answer: c
The correct answer is c: using people skills to obtain proprietary information. Answer a is software piracy, answer b is dumpster diving, and answer d is a violation of integrity.
|
3.
|
Answer: b
The answer b is correct. Answer a is not a law, answer c is not applicable because it applies to obtaining visas and so on, and answer d is not correct because the laws in answer b are more commonly used to prosecute computer crimes.
|
4.
|
Answer: d
The correct answer, d, is a distracter. All the other answers are categories under common law.
|
5.
|
Answer: c
Answer c defines a trade secret. Answer a refers to a patent. Answer b refers to a copyright. Answer d refers to a trademark.
|
6.
|
Answer: b
The transmission of data to locations where equivalent personal data protection cannot be ensured is not permissible for the EU. The other answers are EU principles.
|
7.
|
Answer: a
The answer a is correct. Answer b is part of the U.S. Computer Fraud and Abuse Act. Answer c is part of the U.S. Electronic Communications Privacy Act. Answer d is part of the U.S. Computer Security Act.
|
8.
|
Answer: b
The answer b is correct. Answer a is a distracter and is not part of the prudent man rule. Answer c is incorrect because it is not possible to guarantee that breaches of security can never occur. Answer d is incorrect because the prudent-man rule does not refer to a specific government standard but relates to what other prudent persons would do.
|
9.
|
Answer: a
The answer a is correct. Answer b is a distracter and has to do with weapon systems development. Answer c is not applicable. Answer d is the conventional acquisition of information from radio signals.
|
10.
|
Answer: c
The answer c is correct. Answer a relates to physical security, answer b is a type of biological testing, and answer d is part of the act of gathering evidence.
|
11.
|
Answer: c
The answer c is correct. The others refer to other laws or guidelines.
|
12.
|
Answer: d
The answer d is correct. Answer a refers to the U.S. government Escrow Encryption Standard. Answer b refers to the large-scale monitoring of RF transmissions. Answer c is a distracter.
|
13.
|
Answer: b
Answer b is the only one of the choices in which imprisonment is possible.
|
14.
|
Answer: d
The answer d is correct. Answer a is incorrect because employees must be made aware of the monitoring if it is to be legal; answer b is incorrect because employees do not have to agree with the policy; and answer c is incorrect because the results of monitoring may be used against the employee if the corporate policy is violated.
|
15.
|
Answer: c
The answer c is correct. Answer a is incorrect because all nations do not agree on the definition of computer crime and corresponding punishments. Answer b is incorrect because the existing laws can be applied against computer crime. Answer d is incorrect because in some countries, possession without intent to sell is considered a crime.
|
16.
|
Answer: b
The answer b is correct. Answer a is incorrect because all risks to information systems cannot be eliminated; answer c is incorrect because senior management cannot delegate its responsibility for information system security under due care; and answer d is incorrect because the cost of implementing safeguards should be less than or equal to the potential resulting losses relative to the exercise of due care.
|
17.
|
Answer: b
|
18.
|
Answer: a
The correct answer is a, making the other answers incorrect.
|
19.
|
Answer: d
The answer d is correct. Answer a refers to incontrovertible evidence; answer b refers to inference from other, intermediate facts; and answer c refers to a copy of evidence or oral description of its content.
|
20.
|
Answer: b
The answer b is correct. Answer a is incorrect because if backups are done, they usually can be located. Answer c is incorrect because evidence can be preserved using the proper procedures. Answer d is incorrect because there are exceptions to the hearsay rule.
|
21.
|
Answer: d
|
22.
|
Answer: c
|
23.
|
Answer: c
Answer c is the definition of enticement. Answer a is the definition of entrapment. Answers b and d are distracters.
|
24.
|
Answer: a
The correct answer is a. In many instances, evidence is difficult to obtain in computer crime investigations. Answers b, c, and d are computer investigation issues.
|
25.
|
Answer: c
The answer c is correct. The other answers refer to other principles, guidelines, or rules.
|
26.
|
Answer: c
In addition to the capabilities in answers a, b, and d, P3P does provide the site privacy practices to users in machine-readable format.
|
27.
|
Answer: a
The answer a is correct. The other answers are distracters.
|
28.
|
Answer: b
Answers a and d are distracters. Answer c, the 1998 Sonny Bono Copyright Term Extension Act, amends the provisions concerning duration of copyright protection. The Act states that the terms of copyright are generally extended for an additional 20 years.
|
29.
|
Answer: d
Wire and cash transfers of $10,000 or more in a single transaction must be reported to government officials. Actions in answers a, b, and c are permitted under the PATRIOT Act. In answers a and b, the government has new powers to subpoena electronic records and to monitor Internet traffic. In monitoring information, the government can require the assistance of ISPs and network operators. This monitoring can extend even into individual organizations. In the PATRIOT Act, Congress permits investigators to gather information about electronic mail without having to show probable cause that the person to be monitored had committed a crime or was intending to commit a crime. In answer c, the items cited now fall under existing search and seizure laws. A new twist is delayed notification of a search warrant. Under the PATRIOT Act, if it is suspected that notification of a search warrant would cause a suspect to flee, a search can be conducted before notification of a search warrant is given.
In a related matter, the United States and numerous other nations have signed the Council of Europe’s Cybercrime Convention. In the United States, participation in the Convention has to be ratified by the Senate. In essence, the Convention requires the signatory nations to spy on their own residents, even if the action being monitored is illegal in the country in which the monitoring is taking place.
|
30.
|
Answer: d
|