
Spring 2004 © 2000-2004, Richard A. Stanley EE579U/5 #1 EE579U Information Systems Security and Management 5. Information Security Law Professor Richard A. Stanley

Post on 19-Dec-2015


TRANSCRIPT

Page 1: EE579U/5 #1 Spring 2004 © 2000-2004, Richard A. Stanley EE579U Information Systems Security and Management 5. Information Security Law Professor Richard


EE579U/5 #1

EE579U Information Systems Security and Management

5. Information Security Law

Professor Richard A. Stanley

EE579U/5 #2

Overview of Today’s Class

• We will not meet next week, February 23

• Review of last class

• Information Security Law

EE579U/5 #3

Last time…

• Developing systems is hard; developing secure systems is even harder

• It is important to define requirements and specifications at the beginning, and to understand what can be traded for what

• Many development models exist; none is the “best” for any particular purpose

• Beware systems that promise tight analytical information where you have sketchy inputs (which you almost always have)

EE579U/5 #4

Information Security Law? I’m a Techie!

• Modern computer technology has changed the rules about where value resides

• Once upon a time, valuable things -- like money -- were kept in bank vaults, and banks were a major target of thieves

• Today, valuable things -- like money and information -- are reduced to bits and are kept in computers

• Analogy: today’s interbank courier is a network connection

EE579U/5 #5

Bottom Line...

• If you are going to be involved with computers, you are going to be involved with the law, one way or another

• Better to know what it is all about before you get hurt

EE579U/5 #6

U. S. Law

• Criminal
– Charges brought by the state in the name of the people
– No private prosecutions (cf. U.K. law)
– No double jeopardy (what does this mean?)
– Penalties: incarceration, death and/or fines

• Civil
– Action brought by one party against another
– Penalties: deprivation of property

NB: There are other ways to classify law. We’ll talk about them next time.

EE579U/5 #7

Basis of U.S. Law

• English Common Law (except Louisiana)
– Statutes (enacted by legislatures)
– Case law
– Precedents

• State/local vs. Federal law
– Jurisdiction
– Pre-emption

EE579U/5 #8

Why Do You Care?

• Computer crime is one of -- if not THE -- fastest growing crime categories

• “That’s where the money is”

• Fraud loss in the Southern NY area alone, Jan ‘95 to Jan ‘03: nearly $800,000,000

• This isn’t just victimless, white-collar crime: nearly 2/3 of those arrested were carrying automatic weapons

EE579U/5 #9

It Isn’t Just Crime

• If you operate a network service, you may face civil liability if civil codes are violated
– Copyright protection
– Trademark protection
– Other intellectual property

• Pressure from various entities
– Privacy
– Content

EE579U/5 #10

Knowing what is illegal is key

• Example: until late 1998, it was NOT illegal under U.S. federal law to steal someone else’s identity

• Where you are defines what is illegal
– OK to use another name in the U.S. if not to defraud
– Illegal in the U.K.

• You WILL be involved in this if you are involved in computer security

EE579U/5 #11

Caution!

• You are NOT a law enforcement officer!

• You need to know about computer law to be an effective computer security person, just as you need to know about motor vehicle law to be an effective driver

• Ignorance of the law is not an excuse for breaking it

EE579U/5 #12

A Quick Taxonomy of the Law

• Just like engineering, they have a language

• 18 USC § 2319 decodes as “Title 18, United States Code, Section 2319”

• State laws have their own abbreviations, but follow the same pattern:
– In New York: PL = Penal Law
– In Mass.: MGL = Mass. General Laws
– In Conn.: CGS = Conn. General Statutes, etc.

EE579U/5 #13

What is illegal?

• Can’t cover everything, so will concentrate on US federal law, with added local & foreign examples

• US Code can be found on the Web at: www4.law.cornell.edu/uscode

• Title 18 is the criminal title: it defines federal crimes and criminal procedure

• All the laws of the United States are found (somewhere) in the Code

EE579U/5 #14

What the laws will tell you

• What is prohibited, often in excruciating detail

• What must be proven to establish that the crime was committed (often only by inference)

• What the penalty is for violating the law

EE579U/5 #15

US Code Overview - 1

Title 1 General Provisions

Title 2 The Congress

Title 3 The President

Title 4 Flag and Seal, Seat Of Government, and the States

Title 5 Government Organization and Employees

Title 6 Domestic Security (formerly Surety Bonds, repealed; re-enacted as Domestic Security in 2002)

Title 7 Agriculture

Title 8 Aliens and Nationality

Title 9 Arbitration

Title 10 Armed Forces

EE579U/5 #16

US Code Overview - 2

Title 11 Bankruptcy

Title 12 Banks and Banking

Title 13 Census

Title 14 Coast Guard

Title 15 Commerce and Trade

Title 16 Conservation

Title 17 Copyrights

Title 18 Crimes and Criminal Procedure

Title 19 Customs Duties

Title 20 Education

EE579U/5 #17

US Code Overview - 3

Title 21 Food and Drugs

Title 22 Foreign Relations and Intercourse

Title 23 Highways

Title 24 Hospitals and Asylums

Title 25 Indians

Title 26 Internal Revenue Code

Title 27 Intoxicating Liquors

Title 28 Judiciary and Judicial Procedure

Title 29 Labor

Title 30 Mineral Lands and Mining

EE579U/5 #18

US Code Overview - 4

Title 31 Money and Finance

Title 32 National Guard

Title 33 Navigation and Navigable Waters

Title 34 Navy (repealed)

Title 35 Patents

Title 36 Patriotic Societies and Observances

Title 37 Pay and Allowances Of the Uniformed Services

Title 38 Veterans' Benefits

Title 39 Postal Service

Title 40 Public Buildings, Property, and Works

EE579U/5 #19

US Code Overview - 5

Title 41 Public Contracts

Title 42 The Public Health and Welfare

Title 43 Public Lands

Title 44 Public Printing and Documents

Title 45 Railroads

Title 46 Shipping

Title 47 Telegraphs, Telephones, and Radiotelegraphs

Title 48 Territories and Insular Possessions

Title 49 Transportation

Title 50 War and National Defense

EE579U/5 #20

Where You Stand Depends on Where You Sit

• What is illegal depends on:
– where the crime occurred
– who has jurisdiction

• this is not always determined by geography (e.g., robbery of a federally insured bank is always a federal crime in the U.S.A.)

• there may be overlapping jurisdiction

• prosecutors may decide to proceed in one jurisdiction because of the penalties available there

EE579U/5 #21

For Example...

• Consider privacy

• The European Union has a very different view of how data on individuals may be collected and handled than does the U.S.

• This difference in laws has a significant effect on cross-border electronic commerce
– How can you tell when E-commerce is cross-border? It isn’t easy.

EE579U/5 #22

Directive 95/46/EC of the European Parliament

and of the Council of 24 October 1995, Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

EE579U/5 #23

Directive 95/46/EC of the European Parliament

and of the Council of 24 October 1995, Article 8

The processing of special categories of data

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. {absent specific consent of the data subject as provided in other sections of this article}

3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.

EE579U/5 #24

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 10

Information in cases of collection of data from the data subject

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data concerning him,
in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

EE579U/5 #25

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 11

Information where the data have not been obtained from the data subject

1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must, at the time of undertaking the recording of personal data or, if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed, provide the data subject with at least the following information, except where he already has it:
{same as Article 10 disclosures}

2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

EE579U/5 #26

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, Article 12

Right of access

Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

EE579U/5 #27

The Point?

• Under U.S. law, data about individuals belongs to the collector of the data
– Hard to know what was collected & by whom
– Hard/impossible to access, correct

• Under E.U. law, data about individuals belongs to the individual
– Data collector must advise the individual of details of the data collected and what is being done with it

EE579U/5 #28

I Still Don’t Get It

• OK. Do you know where all your data originates and whose laws apply to it?

• Because of the E.U. privacy laws, multinational companies based in the U.S. may no longer maintain E. U. employee data in U.S. databases, and cannot process payrolls for E.U. citizens on U.S. computers

• Could this impact your business?

EE579U/5 #29

Language is Important

• Regulations are not laws -- they describe details of how to comply with the law

• Annotations in laws trace the history of the law’s development -- what was illegal yesterday may not be illegal today (e.g., Prohibition), and vice versa

• You need a lawyer or a law enforcement agent to help with the details

EE579U/5 #30

How Do Regulations Fit?

• Regulations provide detailed information on how laws are to be applied
– Code of Federal Regulations (CFR) [44 USC § 1510]
– Code of Massachusetts Regulations (CMR)
– Similar taxonomy to statutes

• Regulations are not laws, but failure to observe their requirements can often lead to serious problems (e.g., losing a contract)

• In some few cases, violation of a regulation can be a violation of a statute

EE579U/5 #31

Who Does What?

• Law enforcement agencies
– Investigate crimes, collect evidence

• Prosecutors
– Evaluate evidence, decide whether to prosecute
– Represent the state in criminal matters

• Courts
– Hear evidence, reach a conclusion on guilt

• Defense attorneys
– Represent the accused

EE579U/5 #32

Prosecutorial Peculiarities

• Not all crimes are prosecuted

• The likelihood of prosecution depends on
– Magnitude of the crime
– Likelihood of conviction
• Will the jury understand the crime?
• How good is the evidence?

• You can improve the probability of prosecution by knowing what you are doing and keeping the evidence sound

• Prosecutors get performance reviews, too

EE579U/5 #33

Basic Theorem

• It is not permissible to break the law in order to enforce it
– IRC sessions and law enforcement
– Automatic actions to counter hacking
– Eavesdropping (but not always)

• Depending on your point of view, this is a basic preservation of constitutional liberty or a gift to law breakers. But it is the law!

EE579U/5 #34

So, Who Enforces the Laws?

• Law enforcement officers!!

• Who, as we all know from television and the newspapers, are
– overweight
– addicted to doughnuts and coffee
– oversexed
– not too bright

• BUNK!!!

EE579U/5 #35

Some facts about law enforcement

• For the most part, law enforcement agents are intelligent, honest, and hard-working

• Pay scales are far below private industry, so finding agents with technology skills is hard, especially CURRENT technology

• They want to do a good job -- taking criminals off the street is what they do

• You need their help, and they need yours.

EE579U/5 #36

Federal Agency Snapshots - 1

• FBI
– Federal Bureau of Investigation
– Part of the US Department of Justice
– Charged with enforcement of federal laws
– Other counterparts

• Canada: RCMP (but not exactly)

• Germany: Bundeskriminalamt (BKA)

• Many nations have no counterpart

EE579U/5 #37

Federal Agency Snapshots - 2

• USSS
– United States Secret Service
– Best known for protecting the President
– Part of the Department of Homeland Security
– Primary jurisdiction in electronic crime, currency and counterfeiting (all sorts)
– Foreign counterparts: no exact ones. The RCMP in Canada has many of the same roles

EE579U/5 #38

Federal Agency Snapshots - 3

• US Customs Service
– Responsible for collecting duties and preventing smuggling
– Primary enforcement agency protecting US borders
– If you bring it into the US, it is their business
– Historically part of the Treasury Department; since March 2003 its functions sit in the Department of Homeland Security (Customs and Border Protection, and Immigration and Customs Enforcement)
– Nearly every nation has an equivalent agency

EE579U/5 #39

New York Electronic Crimes Task Force (NYECTF)

• Flagship law enforcement effort to protect the public from electronic crimes

• Formed in 1995 by the US Secret Service New York Field Office

• Unique partnership among government, industry, and academia

• Now numbers over 250 members

EE579U/5 #40

Some ECTF Members

• Federal law enforcement (FBI, USSS, etc.)

• State law enforcement (NY State Police, etc.)

• Local law enforcement (NYPD, PAPD, etc.)

• Federal prosecutors (U.S. Attorneys for the Southern District of New York, for New Jersey, for Connecticut, etc.)

• Academia (Fordham, CCNY, Dartmouth, etc.)

• Industry partners (telephone companies, banks, consultants, etc.)

EE579U/5 #41

NYECTF Results

• Has brought more than 800 indictments
– The Gambino crime family
– Crooks selling counterfeit hardware & software
– Cellular telephone fraud

• Value of crimes exceeds $600 million

• Looked to by law enforcement and industry worldwide as the model to be emulated

EE579U/5 #42

The NYECTF Secret

• Deal with law enforcement as if it were a business activity
– Don’t focus on numbers of arrests to measure success
– Instead, focus on the change you bring to the community
– Put differently, what is the return on investment (ROI)?

EE579U/5 #43

The Ultimate Compliment: USA PATRIOT ACT OF 2001

SEC. 105. EXPANSION OF NATIONAL ELECTRONIC CRIME TASK FORCE INITIATIVE.

The Director of the United States Secret Service shall take appropriate actions to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States, for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.

(Italics and colored text not in original.)

EE579U/5 #44

Results

• There is now a task force based in Boston: the New England Electronic Crimes Task Force

• Other task forces in various states of formation:
– Atlanta, Houston, Chicago, Miami, Los Angeles, Las Vegas, among others

EE579U/5 #45

What About Unauthorized Computer Access?

EE579U/5 #46

Unauthorized Computer Access

• Federal law
– 18 USC § 1030 -- Fraud and related activity in connection with computers: computer intrusions, use of computers for fraud and economic espionage

• Massachusetts law
– MGL c. 266, § 33A. Intent to defraud commercial computer service; penalties
– MGL c. 266, § 120F. Unauthorized access to computer system; penalties

• Canadian law
– Criminal Code of Canada, s. 342.1

EE579U/5 #47

18 USC § 1030

• Knowing, intentional unauthorized access, or access beyond authorization, is a crime, depending on the computer and what is accessed

• Trafficking in computer access information is a crime

• Severe punishments provided
– As much as 10 years imprisonment

• USA PATRIOT Act of 2001 expands US Secret Service jurisdiction in this area (§ 506)

EE579U/5 #48

MGL CHAPTER 266. CRIMES AGAINST PROPERTY.

Chapter 266: Section 120F. Unauthorized access to computer system; penalties.

Section 120F. Whoever, without authorization, knowingly accesses a computer system by any means, or after gaining access to a computer system by any means knows that such access is not authorized and fails to terminate such access, shall be punished by imprisonment in the house of correction for not more than thirty days or by a fine of not more than one thousand dollars, or both.

The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users.

EE579U/5 #49

Criminal Code of Canada

342.1 (1) Every one who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

EE579U/5 #50

Some Other Computer Crimes

• 18 USC § 1028 -- Identity theft (fraud and related activity in connection with identification documents)

• 18 USC § 1029 -- Fraud and related activity in connection with access devices

• 18 USC § 471 -- Counterfeiting US notes

• 18 USC § 2252 -- Child pornography (material involving the sexual exploitation of minors)

• 18 USC § 2318 -- Counterfeit computer labels, program documentation, packaging

• 18 USC § 2319 -- Copyright infringement

EE579U/5 #51

Identity Fraud

• Deals with “false identification documents”
– Making, transfer, use, possession are all crimes
– Identity documents covered:

• Any identification document issued by or under the authority of a government

– Includes federal, state, local and foreign governments, and international quasi-governmental organizations

– Birth certificate, driver’s license, personal ID card

– Penalties up to 15 years imprisonment


EE579U/5 #52

Other Areas of Concern

• Intellectual property of all types

– Copyrights

– Patents

– Trade secrets

• Your responsibility for the actions of others


EE579U/5 #53

More Legal Considerations

• What if…

– One of your employees is using your computer system to do something illegal?

– Someone outside the organization is using your computer resources for illicit purposes?

– Your system is broken into and important information goes missing or becomes public?

Are You Liable?


EE579U/5 #54

What Is Your Responsibility?

• For intellectual property?

• For personal data?

• For financial data?

• For proper operation of the network?

• How and where are these things defined?


EE579U/5 #55

The Other “P” Word

• Privacy

– What is it?

– How to protect it?

– What do customers and employees expect?

– What do they have a right to expect?

– Where is the Constitutional right to privacy found?


EE579U/5 #56

What Are You Gonna Do?

• Know the applicable law where you operate

• When you determine a violation has probably occurred:

– Save the audit logs and any other documentary evidence of the offense

– Notify your supervisor

– Call the authorities

– Keep your suspicions close hold


EE579U/5 #57

Whom to Call?

• First, call the local police

– Describe what you think you have

– Ask for advice

– Announce intention to call federal law agency

• Call the feds

– USSS

– FBI


EE579U/5 #58

Before You Call

• Get to know the cognizant law enforcement agents, local and federal

• Find out if you can help them

– Low investment, high payoff

– They’ll be more responsive if they know you

• Don’t cry wolf

– Be sure you know what you are talking about

– Have the information to support your claim


EE579U/5 #59

Above All...

• Be certain your organization intends to pursue the criminal case to the end; otherwise, you are wasting everyone’s time and they won’t thank you

• Keep your mouth shut except to the police; the libel laws are still in full effect

• Don’t forget you don’t carry the badge

• Don’t talk down to the police


EE579U/5 #60

Summary

• Computer crime is a fast-growing area of illegal activity

• “That’s where the money is”

• Computers (and networks) are regulated by a large and growing body of law

• Both civil and criminal issues involved

• Liability is a major consideration for any business or practitioner


EE579U/5 #61

Homework - 1

• 1. Identify a computer security incident that is being, or -- in your view -- should be treated as a crime. Describe the incident and its impact. Identify the crime(s) that you believe was (were) committed. In what jurisdiction should action be pursued? What would you have done to prevent this incident? To mitigate the effects of the investigation on continuing business?


EE579U/5 #62

Homework - 2

• 2. What effect does the body of computer law have on your company’s computer security policy? How can / should you make these congruent? Cite facts to support your argument, not just your opinion.