Post on 19-Dec-2015
1
The Law of Information Assurance
Douglas J. Sylvester
ASU College of Law
Faculty Fellow, Center for the Study of
Law, Science, and Technology
2
Definitions
• Cybersecurity Law (often termed "Information Assurance" or "Information Security") is concerned with the legal and extra-legal issues surrounding the security and integrity of digital information and systems.
• Pre-9/11, Cybersecurity Law was generally concerned with the ability of IT companies and government to prevent malicious acts with an economic impact (hacking, spam, DoS attacks, etc.).
• Post-9/11, Cybersecurity Law is increasingly concerned with the prevention of criminal acts, both domestic and international, that affect "critical infrastructures": cyberterrorism.
• Not just "information assurance."
  – Privacy, Anti-terrorism, Corporate Accountability, Government Restrictions, Anti-Surveillance, Property Protections
3
Government Records and Security
• Numerous laws set government (mainly federal) policies for record retention and data security
  – Electronic Records Management and the Federal Records Act
    » Expanding scope of "records" to include electronic media
  – Federal Managers' Financial Integrity Act of 1982
    » Develop security policies and consistent accounting
  – Federal Property and Administrative Services Act
  – National Archives and Records Administration Act
  – Freedom of Information Act and Electronic Freedom of Information Act
  – E-Government Act of 2002
• Privacy provisions: CIPSEA (Confidential Information Protection and Statistical Efficiency Act, Title V of the E-Government Act)
  – Requires federal agencies to protect the confidentiality of all data "gathered under a pledge of confidentiality"
  – Such data may only be used for "statistical purposes"
• Security provisions: Title III of the E-Government Act, the Federal Information Security Management Act (FISMA)
  – Accreditation and compliance through NIST processes
    » Requires non-"security" systems to be secured as well; agencies must promulgate security policies
    » OMB governance
    » 4 steps: initiation, certification, accreditation, continuous monitoring
4
Information Access
• Numerous federal laws require information to be made available to the public
  – FOIA; E-FOIA (1996)
  – APA
• Other laws require information to be kept secure
  – HIPAA
  – GLB
• Security and Information Assurance?
  – Most laws do not spell out specific security requirements
    » HIPAA; GLB
• The federal "system" must be secured
  – Integrated networks
    » Dangers of hacks and vulnerabilities?
5
Freedom of Information Act
• Requires disclosure of any available data unless
  – Relevant to national security
  – Personal privacy
• Original intent: disclose to individuals the information the government has collected on them
  – In practice, more corporations than individuals make requests
• 1996: Passage of E-FOIA
  – All government agencies must make "reading room" documents electronically available
• Tracking + integrity
  – Assessments
6
Secure Government Computer Use
• National Communications System (NCS)
  – Established in 1963 after the Cuban Missile Crisis
    » Links together and evolves the communication facilities of federal agencies
    » Updated by executive orders over time
  – Tasked with developing a national telecommunications infrastructure responsive to national security and emergency needs
• Committee of Principals
  – The agencies that own or lease telecommunication assets and make up the NCS
  – Secretary of DHS is in charge
7
Securing Computers for National Security
• National Security Directive 42 (NSD-42), 1990
  – Securing computers used for national security
  – Created the inter-agency committee now known as the Committee on National Security Systems (CNSS)
    » Sets security training course requirements, among many other things
  – Secretary of Defense in charge of strategy, vision, etc.
  – Director of the NSA takes care of the technical details
• Clinger-Cohen Act of 1996, or Information Technology Management Reform Act (ITMRA)
  – Government must shop and compare when buying technology
• Many of these functions now fall under DHS
8
Cryptography
• Pre-1996 view
  – Encryption technology = munitions (on the U.S. Munitions List, administered by the State Department under ITAR)
• Since late 1996: treated as a dual-use item under the Commerce Department's Bureau of Industry and Security (BIS)
  – Export Administration Regulations
    » Forbade export of encryption technologies (export = transmission)
    » In some cases, criminalized creation
    » "Prior restraint" cases
• In 1996 the U.S. government offered to relax export restrictions for key-escrow encryption
  – Licenses granted upon review (30-day review for < 64-bit)
• 2002-04
  – New regulations governing encryption technologies
  – BIS review of > 64-bit encryption (cursory)
• Relatively "free" export today
  – BUT: Department of Homeland Security
    » Guidelines on "dual use" materials
9
FISMA
• Following 9/11, the federal government gets "serious" about information security
  – Passage of the E-Government Act of 2002
    » Title III: Federal Information Security Management Act (FISMA)
  – Numerous national security directives
• Explicitly adopts a "risk-based policy for cost-effective security"
• Requires all federal agencies to:
  – Plan for security
  – Ensure that appropriate officials are assigned security responsibility
  – Periodically review the security controls in their information systems
  – Authorize system processing prior to operations and periodically thereafter
• E-FOIA Act of 1996
  – Requires tracking and integrity of data
10
FISMA: Implementation
• National Institute of Standards and Technology
  – Computer Security Division
• A non-legal institution that provides guidance:
  – Standards
    » Impact levels
    » Minimum security requirements
    » Assessments
    » Effectiveness
    » Certifying and accrediting
      • Guidance for certifying and accrediting information systems
  – Cost-effective systems
• Due diligence for all federal contracts
• Does NIST have legal authority?
  – Does it matter?
11
NIST
• Minimum standards
  – Periodic assessments of risk, focused on "harms"
  – Cost-effectively reduce information security risks to an acceptable level
  – Plans for networks, facilities, information systems, or groups of information systems, as appropriate
  – Security awareness training
  – Periodic testing and evaluation
  – Procedures for detecting, reporting, and responding to security incidents
  – Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization
12
From Government to the Public
• These same standards will become (or already are) public standards
  – Statutory minimum standards
    » Health information and financial information
  – Common law
    » More important
    » "Industry standards" + reasonableness
13
HIPAA
• Health Insurance Portability and Accountability Act
  – Included in a massive statute and its accompanying explanatory regulations (2002) are numerous privacy provisions
  – Imposes liability on covered entities for failing to protect the privacy of patient and insured records
  – Sets forth minimum standards for securing records
    » Authentication standards
    » Disclosure
    » Training
    » Access
    » Review
  – Does not provide specific technical standards
    » Legislates security through liability
14
GRAMM-LEACH-BLILEY
• Gramm-Leach-Bliley Act
  – Covers "financial institutions", broadly construed
  – Imposes privacy obligations
  – Does not set forth minimum standards for security
    » Many point to HIPAA's regulations and requirements as fostering "best practices" that can be borrowed in GLB analysis
16
National Strategy to Secure Cyberspace
• Final version released Feb. 14, 2003
  – Sets forth federal government plans
    » Creates no new regulations
    » Sets forth no rigid guidelines
    » Phrased merely in "suggestive" terms
  – So why worry about it?
    » Creation of "best practices"
    » Common-law civil liability
    » Increased government involvement
      – Increased prosecution?
17
“Suggested” Duties
• Provides support for the view that companies have a responsibility to third parties to ensure appropriate security
• "Each ... organization has a responsibility to secure its own portion of cyberspace ... each sector must be aware of its roles and responsibilities ..."
• Organizations have internal responsibility and accountability for information security: board of directors and CEO responsibility
• Recommends that boards form IT-security committees
  – CIO
• Mirrors GLB requirements, suggesting broader application
  – Following Sarbanes-Oxley, corporate accountability will only increase
18
Securing Cyberspace Cont.
• "Suggested" minimum best practices
  – Security as a continuous process
    » Unacceptable for companies to "wait and see"
    » Various consent decrees have made clear the FTC's and other agencies' view that companies must be PRO-ACTIVE
      – CISS-approved security audits and follow-ups
  – Monitoring, review and disclosure
    » Recommends that CEOs be responsible for their companies' continued monitoring and auditing of security practices
    » Suggests that companies disclose the names of their security auditors and their internal security governance
  – Education
    » Imposes on industry the responsibility to ensure that employees are trained in cybersecurity issues
19
Homeland Security
• Homeland Security Act enacted (and funded!) in Nov. 2002
• Various provisions affect cybersecurity issues
  – Under Secretary for Information Analysis and Infrastructure Protection
    » Responsible for implementing the Securing Cyberspace initiatives (teeth may be coming after all)
  – Continued emphasis on cooperation of the IT industry with government in surveillance
    » Potential civil and criminal liability for failing to cooperate
  – Amendment of federal privacy regulations forbidding the linking of government information with private data
    » May require increasingly burdensome information disclosures to government databases
20
Areas of Potential Liability
• Failure to report and cooperate
  – California "Hacker Disclosure Law" (2003), SB 1386 (Cal. Civ. Code § 1798.82)
    » Any business or agency that suffers a breach of unencrypted personal information must disclose it and notify the affected California residents
    » Whispers of possible enforcement
• Failure to ensure security
  – Creation of "best practices" and civil liability
    » HIPAA
    » Securing Cyberspace
• Privacy guidelines
  – Reconciling these with the other requirements!
21
Examples of a Failure of Due Care
• Failure to implement known software patches
• Failure to install the latest updates
• Failure to close known backdoors
• Failure to detect the "dry run" (the probing or reconnaissance that precedes an attack)
• Failure to control active content
• Failure to employ good anti-social-engineering techniques
• Failure to disclose information-sharing practices
22
Current Grace Period
• Few if any successful lawsuits
  – Many filed, not much recovery
• Little court- or government-mandated compliance
  – Consent decrees have no teeth
• An opportunity to get ahead
  – Lower risk profile
  – Develop favored status
• Don't get complacent!
  – Things are changing
  – Attacks are on the rise
  – Government is watching
  – Media is watching
23
Reading Material
• Congressional Research Service Reports on Secrecy and Information Policy: http://www.fas.org/sgp/crs/secrecy/index.html
• Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives: http://www.fas.org/irp/crs/RL32357.pdf
• The Internet and the USA PATRIOT Act: Potential Implications for Electronic Privacy, Security, Commerce, and Government: http://www.epic.org/privacy/terrorism/usapatriot/RL31289.pdf
• Secrets of Computer Espionage: Tactics and Countermeasures, Joel McNamara, Chapter 2.
• Security in Computing, Charles P. Pfleeger and Shari Lawrence Pfleeger, Chapter 9.
• Homepage: National Institute of Standards and Technology, Computer Security Division: http://csrc.nist.gov/index.html