Legal Issues, Privacy,
Computer security is no different from any other subject in our society; as it changes our lives, laws are enacted to enable desired behaviors and prohibit undesired behaviors. The one substantial difference between this aspect of our society and others is that the speed of advancement in the information systems world, as driven by business, computer network connectivity, and the Internet, is much greater than in the legal system of compromise and law-making. In some cases, laws have been overly restrictive, limiting business options, such as in the area of importing and exporting encryption technology. In other cases, legislation has been slow in coming, and this has stymied business initiatives, such as in digital signatures. And in some areas, it has been both too fast and too slow, as in the case of privacy laws. One thing is certain: you will never satisfy everyone with a law, but it does delineate the rules of the game.
The cyber-law environment has not been fully defined by the courts. Laws have been enacted, but until they have been fully tested and explored by cases in court, the exact limits are somewhat unknown. This makes some aspects of interpretation more challenging, but the vast majority of the legal environment is known well enough that effective policies can be enacted to navigate this environment properly. Policies and procedures are tools you use to ensure understanding and compliance with laws and regulations affecting cyberspace.
One of the many ways to examine cybercrime involves studying how the computer is involved in the criminal act. Three types of computer crimes commonly occur: computer-assisted crime, computer-targeted crime, and computer-incidental crime. The differentiating factor is how the computer is specifically involved from the criminal's point of view. Just as crime is not a new phenomenon, neither are computers, and cybercrime has a history of several decades.

What is new is how computers are involved in criminal activities. The days of simple teenage hacking activities from a bedroom have been replaced by organized-crime–controlled botnets (groups of computers commandeered by a malicious hacker) and acts designed to attack specific targets. The legal system has been slow to react, and law enforcement has been hampered by its own challenges in responding to the new threats posed by high-tech crime.
What comes to mind when most people think about cybercrime is a computer that is targeted and attacked by an intruder. The criminal attempts to benefit from some form of unauthorized activity associated with a computer. In the 1980s and '90s, cybercrime was mainly virus and worm attacks, each exacting some form of damage, yet the gain for the criminal was usually negligible. Enter the 21st century, with new forms of malware, rootkits, and targeted attacks; criminals can now target individual users and their bank accounts. In the current environment it is easy to predict where this form of attack will occur: if money is involved, a criminal will attempt to obtain what he considers his own fair share! A common method of criminal activity is computer-based fraud. Advertising on the Internet is big business, and hence the "new" crime of click fraud is now a concern. Click fraud uses fraudulent clicks, often generated by malware on compromised machines, to defraud the engine that counts clicks and bills advertisers.
eBay, the leader in the Internet auction space, and its companion PayPal are frequent targets of fraud. Whether the fraud occurs by fraudulent listing, fraudulent bidding, or outright stealing of merchandise, the results are the same: a crime is committed.

As users move toward online banking and stock trading, so moves the criminal element. Malware designed to install a keystroke logger and then watch for bank/brokerage logins is already making the rounds of the Internet. Once the attacker finds the targets, he can begin looting accounts. His risk of getting caught and prosecuted is exceedingly low. Walk into a bank in the United States and rob it, and the odds are better than 95 percent that you will be doing time in federal prison after the FBI hunts you down and slaps the cuffs on your wrists. Do the same crime via a computer, and the odds are reversed: less than 1 percent of these attackers are caught and prosecuted.

The low risk of being caught is one of the reasons that criminals are turning to computer crime. Just as computers have become easy for ordinary people to use, the trend continues for the criminal element. Today's cyber criminals use computers as tools to steal intellectual property or other valuable data and then subsequently market these materials through underground online forums. Using the computer to physically isolate the criminal from the direct event of the crime has made the investigation and prosecution of these crimes much more challenging for authorities.
The last way computers are involved with criminal activities is through incidental involvement. Back in 1931, the U.S. government used accounting records and tax laws to convict Al Capone of tax evasion. Today, similar records are kept on computers. Computers are also used to traffic child pornography and other illicit material; in these cases the computers act more as storage devices than as actual tools to enable the crime. Because child pornography existed before computers made its distribution easier, the computer is actually incidental to the crime itself.
With the three forms of computer involvement in crimes, coupled with increased criminal involvement, multiplied by the myriad of ways a criminal can use a computer to steal or defraud, added to the indirect connection mediated by the computer and the Internet, computer crime of the 21st century is a complex problem indeed. Technical issues are associated with all the protocols and architectures. A major legal issue is the education of the entire legal system as to the serious nature of computer crimes. All these factors are further complicated by the use of the Internet to separate the criminal and his victim geographically. Imagine this defense: "Your honor, as shown by my client's electronic monitoring bracelet, he was in his apartment in California when this crime occurred. The victim claims that the money was removed from his local bank in New York City. Now, last time I checked, New York City was a long way from Los Angeles, so how could my client have robbed the bank?"
EXAM TIP Computers are involved in three forms of criminal activity: the computer as a tool of the crime, the computer as a victim of a crime, and the computer that is incidental to a crime.
Common Internet Crime Schemes
To find crime, just follow the money. In the United States, the FBI and the National White Collar Crime Center (NW3C) have joined forces in developing the Internet Crime Complaint Center (IC3), an online clearinghouse that communicates issues associated with cybercrime. One of the items provided to the online community is a list of common Internet crimes and explanations (www.ic3.gov/crimeschemes.aspx). A separate list offers advice on how to prevent these crimes through individual actions (www.ic3
In the United States, three primary sources of laws and regulations affect our lives and govern actions. Statutory laws are passed by the legislative branches of government, be it the Congress or a local city council. Another source of laws and regulations is administrative bodies given power by other legislation. The power of government-sponsored agencies, such as the Environmental Protection Agency (EPA), the Federal Aviation Administration (FAA), the Federal Communications Commission (FCC), and others lies in this ability to enforce behaviors through administrative rule making. The last source of law in the United States is common law, which is based on previous events, or precedent. The source of this law is the judicial branch of government: judges decide on the applicability of laws and regulations.
All three sources have an involvement in computer security. Specific statutory laws, such as the Computer Fraud and Abuse Act, govern behavior. Administratively, the FCC and Federal Trade Commission (FTC) have made their presence felt in the Internet arena with respect to issues such as intellectual property theft and fraud. Common law cases are now working their way through the judicial system, cementing the issues of computers and crimes into the system of precedents and the constitutional basis of laws.
EXAM TIP Three types of laws are commonly associated with cybercrime: statutory law, administrative law, and common law.
Computer Trespass
With the advent of global network connections and the rise of the Internet as a method of connecting computers between homes, businesses, and governments across the globe, a new type of criminal trespass can now be committed. Computer trespass is the unauthorized entry into a computer system via any means, including remote network connections. These crimes have introduced a new area of law that has both national and international consequences. For crimes that are committed within a country's borders, national laws apply. For cross-border crimes, international laws and international treaties are the norm. Computer-based trespass can occur even if the countries involved do not share a physical border.
Computer trespass is treated as a crime in many countries. National laws exist in many jurisdictions, including the EU, Canada, and the United States. These laws vary by country, but they all have similar provisions defining the unauthorized entry into and use of computer resources for criminal activities. Whether called computer mischief as in Canada, or computer trespass as in the United States, unauthorized entry and use of computer resources is treated as a crime with significant punishments. With the globalization of the computer network infrastructure, or Internet, issues that cross national boundaries have arisen and will continue to grow in prominence. Some of these issues are dealt with through the application of national laws upon request of another government. In the future, an international treaty may pave the way for closer cooperation.
Convention on Cybercrime
The Convention on Cybercrime is the first international treaty on crimes committed via the Internet and other computer networks. The convention is the product of four years of work by Council of Europe experts, joined by the United States, Canada, Japan, and other countries that are not members of the Council of Europe. When this section was written, the convention had been ratified by only two members; a total of five ratifications was required for it to enter into force, which it did on July 1, 2004.
The main objective of the convention, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation. This has become an important issue with the globalization of network communication. The ability to create a virus anywhere in the world and escape prosecution because of lack of local laws has become a global concern.
The convention deals particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security. It also contains a series of powers and procedures covering, for instance, searches of computer networks and interception. It is supplemented by an additional protocol, adopted in 2003, making any publication of racist and xenophobic propaganda via computer networks a criminal offense.
Significant U.S. Laws
The United States has been a leader in the development and use of computer technology. As such, it has a longer history with computers and with cybercrime than other countries. Because legal systems tend to be reactive and move slowly, this leadership position has translated into a leadership position from a legal perspective as well. The one advantage of this legal leadership position is the concept that once an item is identified and handled by the legal system in one jurisdiction, subsequent adoption in other jurisdictions is typically quicker.
Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) of 1986 was passed by Congress and signed by President Reagan to address a myriad of legal privacy issues that resulted from the increasing use of computers and other technology specific to telecommunications. Sections of this law address e-mail, cellular communications, workplace privacy, and a host of other issues related to communicating electronically. A major provision was the prohibition against an employer's monitoring an employee's computer usage, including e-mail, unless consent is obtained. Other legal provisions protect electronic communications from wiretap and outside eavesdropping, as users were assumed to have a reasonable expectation of privacy and afforded protection under the Fourth Amendment to the Constitution.
A common practice with respect to computer access today is the use of a warning banner. These banners are typically displayed whenever a network connection occurs and serve four main purposes. First, from a legal standpoint, they establish the level of expected privacy (usually none on a business system) and serve as consent to real-time monitoring from a business standpoint. Real-time monitoring can be conducted for security reasons, business reasons, or technical network performance reasons. The key is that the banner tells users that their connection to the network signals their consent to monitoring. Second, consent can also be obtained to look at files and records. Third, in the case of government systems, consent is needed to prevent direct application of the Fourth Amendment. And the last reason is that the warning banner can establish the system or network administrator's common authority to consent to a law enforcement search.
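How the banner is deployed matters for the purposes just listed: the notice has to reach the user before any access is granted, so on OpenSSH it belongs in the Banner directive, which sshd sends before the password or key prompt, rather than in the message of the day, which appears only after a successful login. The following script is an added example and is not from the text. It stages a banner file and an sshd drop-in under a scratch directory and checks that the wording covers all four purposes. The Example Corp name and the banner text are constructed; the sshd_config.d drop-in path assumes an OpenSSH build (8.2 or later) whose main configuration includes that directory.

```shell
#!/bin/sh
# Added example (not from the text): stage a pre-authentication warning
# banner for OpenSSH and check that its wording covers the four purposes
# the section lists. By default everything is written under a scratch
# directory created with mktemp so the script runs unprivileged; set
# BANNER_ROOT=/ to install for real. Assumptions: OpenSSH's "Banner"
# directive (shown before authentication) and a sshd_config.d drop-in
# directory, which OpenSSH 8.2+ reads when sshd_config has an Include line.
# "Example Corp" is a constructed organization name.

BANNER_ROOT="${BANNER_ROOT:-$(mktemp -d)}"

# write_banner FILE: write the notice text. Each sentence maps to one of
# the legal purposes: no expectation of privacy, consent to real-time
# monitoring, consent to review of files and records, and the
# administrator's authority to consent to a law enforcement search.
write_banner() {
    cat > "$1" <<'EOF'
WARNING: This system is owned by Example Corp and is for authorized use only.
Users have no expectation of privacy on this system.
Your continued use constitutes consent to real-time monitoring of this
connection for security, business, and network performance purposes.
It also constitutes consent to review of any files or records stored on or
transmitted through this system.
The system administrator is authorized to permit a search of this system
by law enforcement and to disclose any data found to them.
Disconnect now if you do not agree to these terms.
EOF
}

# write_sshd_dropin FILE BANNER: point sshd at the banner file. Unlike a
# message of the day, Banner is sent before authentication, so the user
# sees it before any access is granted.
write_sshd_dropin() {
    printf 'Banner %s\n' "$2" > "$1"
}

# check_banner FILE: return 0 only if all four required statements are
# present (case-insensitive), 1 otherwise. Each grep checks one purpose.
check_banner() {
    grep -qi 'no expectation of privacy' "$1" || return 1
    grep -qi 'consent to real-time monitoring' "$1" || return 1
    grep -qi 'consent to review of any files or records' "$1" || return 1
    grep -qi 'authorized to permit a search' "$1" || return 1
    return 0
}

# Stage the files and verify them.
mkdir -p "$BANNER_ROOT/etc/ssh/sshd_config.d"
write_banner "$BANNER_ROOT/etc/issue.net"
write_sshd_dropin "$BANNER_ROOT/etc/ssh/sshd_config.d/10-banner.conf" /etc/issue.net
if check_banner "$BANNER_ROOT/etc/issue.net"; then
    echo "banner at $BANNER_ROOT/etc/issue.net covers all four points"
else
    echo "banner is missing a required statement" >&2
    exit 1
fi
```

Running it with BANNER_ROOT=/ installs the files for real; reload sshd afterwards and confirm the text appears before the password prompt. Keep the word "Welcome" out of a banner: it invites the argument that the user was invited in, which undercuts the consent the banner is meant to establish.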
Computer Fraud and Abuse Act (1986)
The Computer Fraud and Abuse Act (CFAA) of 1986, amended in 1994, 1996, and in 2001 by the Patriot Act, serves as the current foundation for criminalizing unauthorized access to computer systems. The CFAA makes it a crime to knowingly access without authorization a computer or computer system that is a government computer or is involved in interstate or foreign communication, which in today's Internet-connected age can be almost any machine. The act sets financial damage thresholds, which were lowered by the Patriot Act, but in light of today's investigation costs, these are easily met. The act also makes it a crime to knowingly transmit a program, code, or command that results in damage. Trafficking in passwords or similar access information is also criminalized. This is a wide-sweeping act, but the challenge of proving a case still exists.
Patriot Act
The Patriot Act of 2001, passed in response to the September 11 terrorist attack on the World Trade Center buildings in New York, substantially changed the levels of checks and balances in laws related to privacy in the United States. This law extends the trap-and-trace provisions of existing wiretap statutes to the Internet and mandates certain technological modifications at ISPs to facilitate electronic wiretaps on the Internet. The act also permitted the Justice Department to proceed with its rollout of the Carnivore program, an eavesdropping program for the Internet. Much controversy exists over Carnivore, but until it is changed, the Patriot Act mandates that ISPs cooperate and facilitate monitoring. The Patriot Act also permits federal law enforcement personnel to investigate computer trespass (intrusions) and enacts civil penalties for trespassers.
Gramm-Leach-Bliley Act (GLB)
In November 1999, President Clinton signed the Gramm-Leach-Bliley Act (GLB), a major piece of legislation affecting the financial industry with significant privacy provisions for individuals. The key privacy tenets enacted in GLB included the establishment of an opt-out method for individuals to maintain some control over the use of the information provided in a business transaction with a member of the financial community. GLB is enacted through a series of rules governed by state law, federal law, securities law, and federal rules. These rules cover a wide range of financial institutions, from banks and thrifts, to insurance companies, to securities dealers. Some internal information sharing is required under the Fair Credit Reporting Act (FCRA) between affiliated companies, but GLB restricted sharing with external third-party firms unless the customer has been given notice and the chance to opt out.
Sarbanes-Oxley (SOX)
In the wake of several high-profile corporate accounting/financial scandals in the United States, the federal government in 2002 passed sweeping legislation overhauling the financial accounting standards for publicly traded firms in the United States. These changes were comprehensive, touching most aspects of business in one way or another. With respect to information security, one of the most prominent changes is Section 404 controls, which specify that all processes associated with the financial reporting of a firm must be controlled and audited on a regular basis. Since the majority of firms use computerized systems, this placed internal auditors into the IT shops, verifying that the systems had adequate controls to ensure the integrity and accuracy of financial reporting. These controls have resulted in controversy over the cost of maintaining them versus the risk of not using them.
Section 404 requires firms to establish a control-based framework designed to detect or prevent fraud that would result in misstatement of financials. In simple terms, these controls should detect insider activity that would defraud the firm. This has significant impacts on the internal security controls, because a system administrator with root-level access could perform many, if not all, tasks associated with fraud and would have the ability to alter logs and cover his or her tracks. Likewise, certain levels of power users of financial accounting programs would also have significant capability to alter records.
Payment Card Industry Data Security Standard (PCI DSS)
The payment card industry, including the powerhouses of MasterCard and Visa, designed a private sector initiative to protect payment card information between banks and merchants. This is a voluntary, private sector initiative that is prescriptive in its security guidance. Merchants and vendors can choose not to adopt these measures, but the standard has a steep price for noncompliance: the transaction fee for noncompliant vendors can be significantly higher, fines up to $500,000 can be levied, and in extreme cases the ability to process credit cards can be revoked. The PCI DSS is a set of six control objectives, containing a total of 12 requirements:
1 Build and Maintain a Secure Network
Requirement 1 Install and maintain a firewall configuration to protect cardholder data
Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters
2 Protect Cardholder Data
Requirement 3 Protect stored cardholder data
Requirement 4 Encrypt transmission of cardholder data across open, public networks
3 Maintain a Vulnerability Management Program
Requirement 5 Use and regularly update anti-virus software
Requirement 6 Develop and maintain secure systems and applications
4 Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data by business need-to-know
Requirement 8 Assign a unique ID to each person with computer access
Requirement 9 Restrict physical access to cardholder data
5 Regularly Monitor and Test Networks
Requirement 10 Track and monitor all access to network resources and cardholder data
Requirement 11 Regularly test security systems and processes
6 Maintain an Information Security Policy
Requirement 12 Maintain a policy that addresses information security for all employees and contractors
Import/Export Encryption Restrictions
Encryption technology has been controlled by governments for a variety of reasons. The level of control varies from outright banning to little or no regulation. The reasons behind the control vary as well, and control over import and export is a vital method of maintaining a level of control over encryption technology in general. The majority of the laws and restrictions are centered on the use of cryptography, which was until recently used mainly for military purposes. The advent of commercial transactions and network communications over public networks such as the Internet has expanded the use of cryptographic methods to include securing of network communications. As is the case in most rapidly changing technologies, the practice moves faster than law. Many countries still have laws that are outmoded in terms of e-commerce and the Internet. Over time, these laws will be changed to serve these new uses in a way consistent with each country's needs.
U.S. Law
Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce. The responsibility for export control and jurisdiction was transferred from the State Department to the Commerce Department in 1996 and most recently updated on June 6, 2002. Rules governing exports of encryption are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774. Sections 740.13, 740.17, and 742.15 are the principal references for the export of encryption items.
Needless to say, violation of encryption export regulations is a serious matter and is not an issue to take lightly. Until recently, encryption protection was accorded the same level of attention as the export of weapons for war. With the rise of the Internet, widespread personal computing, and the need for secure connections for e-commerce, this position has relaxed somewhat. The United States updated its encryption export regulations to provide treatment consistent with regulations adopted by the EU, easing export and re-export restrictions among the 15 EU member states and Australia, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland. The member nations of the Wassenaar Arrangement agreed to remove key length restrictions on encryption hardware and software that is subject to certain reasonable levels of encryption strength. This action effectively removed "mass-market" encryption products from the list of dual-use items controlled by the Wassenaar Arrangement.
The U.S. encryption export control policy continues to rest on three principles: review of encryption products prior to sale, streamlined post-export reporting, and license review of certain exports of strong encryption to foreign government end users.

The current set of U.S. rules requires notification to the BIS for export in all cases, but the restrictions are significantly lessened for mass-market products as defined by all of the following:

• When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with export regulations.
Mass-market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with BIS regulations. Restrictions on exports by U.S. persons to terrorist-supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria), their nationals, and other sanctioned entities are not changed by this rule.
As you can see, this is a very technical area, with significant rules and significant penalties for infractions. The best rule is that whenever you are faced with a situation involving the export of encryption-containing software, consult an expert and get the appropriate permission, or a statement that permission is not required, first. This is one case where it is better to be safe than sorry.
Non-U.S. Laws
Export control rules for encryption technologies fall under the Wassenaar Arrangement, an international arrangement on export controls for conventional arms and dual-use goods and technologies. The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating states, of which the United States is one of 33, will seek, through their own national policies and laws, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities.
Many nations have more restrictive policies than those agreed upon as part of the Wassenaar Arrangement. Australia, New Zealand, the United States, France, and Russia go further than is required under Wassenaar and restrict general-purpose cryptographic software as dual-use goods through national laws. The Wassenaar Arrangement has had a significant impact on cryptography export controls, and there seems to be little doubt that some of the nations represented will seek to use the next round to move toward a more repressive cryptography export control regime based on their own national laws. There are ongoing campaigns to attempt to influence other members of the agreement toward less restrictive rules, and in some cases no rules. These lobbying efforts are based on e-commerce and privacy arguments.
In addition to the export controls on cryptography, significant laws prohibit the use and possession of cryptographic technology. In China, a license from the state is required for cryptographic use. In some other countries, including Russia, Pakistan, Venezuela, and Singapore, tight restrictions apply to cryptographic uses. France relinquished tight state control over the possession of the technology in 1999. One of the driving points behind France's action is the fact that more and more of the Internet technologies have built-in cryptography. Digital rights management, secure USB solutions, digital signatures, and Secure Sockets Layer (SSL)–secured connections are examples of common behind-the-scenes use of cryptographic technologies. In 2007, the United Kingdom brought into force a law mandating that when requested by UK authorities, either police or military, encryption keys must be provided to permit decryption of information associated with a terror or criminal investigation. Failure to deliver either the keys or decrypted data can result in a prison sentence of up to two years, or five years in national security cases. Although this seems reasonable, it has been argued that such actions will drive certain financial entities offshore, as the rule applies only to data housed in the UK. As for deterrence, the two-year sentence may be preferable to a conviction for trafficking in child pornography; hence the law may not be as useful as it seems at first glance.
Digital Signature Laws
On October 1, 2000, the Electronic Signatures in Global and National Commerce Act (commonly called the E-Sign law) went into effect in the United States. This law implements a simple principle: a signature, contract, or other record may not be denied legal effect, validity, or enforceability solely because it is in electronic form. Another source of law on digital signatures is the National Conference of Commissioners on Uniform State Laws' Uniform Electronic Transactions Act (UETA), which has been adopted in more than 20 states. A number of states have adopted a nonuniform version of UETA, and the precise relationship between the federal E-Sign law and UETA has yet to be resolved and will most likely be worked out through litigation in the courts over complex technical issues.
Many states have adopted digital signature laws, the first being Utah in 1995. The Utah law, which has been used as a model by several other states, confirms the legal status of digital signatures as valid signatures, provides for use of state-licensed certification authorities, endorses the use of public key encryption technology, and authorizes online databases called repositories, where public keys would be available. The Utah act specifies a negligence standard regarding private encryption keys and places no limit on liability. Thus, if a criminal uses a consumer's private key to commit fraud, the consumer is financially responsible for that fraud, unless the consumer can prove that he or she used reasonable care in safeguarding the private key. Consumers assume a duty of care when they adopt the use of digital signatures for their transactions, not unlike the care required for PINs on debit cards.
From a practical standpoint, the existence of the E-Sign law and UETA has enabled e-commerce transactions to proceed, and the resolution of the technical details via court actions will probably have little effect on consumers. It is worth noting that consumers will have to exercise reasonable care over their signature keys, much as they must over PINs and other private numbers. For the most part, software will handle these issues for the typical user.
Non-U.S Signature Laws
The United Nations has a mandate to further harmonize international trade. With this in mind, the UN General Assembly adopted the United Nations Commission on International Trade Law (UNCITRAL) Model Law on E-Commerce. To implement specific