Lesson 3

Cyber Legal Environment:One of the Prime Drivers

for Incident Response

Overview

•Our Ethics•Today’s Criminal Justice

System•Cyber Crime Legislation•USA Patriot Act

CRIMINAL JUSTICE SYSTEM

•Current System•The Process•Recidivism

Current System

• Law enforcement generally overworked

• Understaffed• Under-budgeted• Lacking cyber expertise• Court systems even more

backlogged

Normal Case

• Victim notifies law enforcement• Police gather evidence and

develop suspects• Search warrants executed• Interviews/Interrogations• Suspect(s) charged• Case turned over to prosecutor• Grand Jury• Court Case

Agencies Ready to Respond

• Local Law Enforcement• DHS US CERT

– http://www.uscert.gov/

• FBI’s Internet Crime Complaint Center– http://www.ic3.gov/– http://www.fbi.gov/cyberinvest

• U.S. Secret Service– www.secretservice.gov/

• DoJ’s Computer Crime and Intellectual Property Section– www.cybercrime.gov

Current Trends

• Agencies developing expertise• Sensitive to victims needs

– “They don’t confiscate your machine”

• More Cases being opened• Many cases leading to success

– Mafiaboy – Russian E-Bay Scam– Melissa Author (David Smith)– Deceptive Duo

Recommendation

• Be patient, but persistent• Always describe issue/loss in

plain english• Maintain chain of custody• Estimate Dollar Loss• Do not rule out civil court use

– “Preponderance of the evidence”

Applicable U.S. Criminal Code

• Software Piracy• Using Computers/Networks to commit

“normal” crimes– Plethora of U.S.C. can be used

• Computer Fraud and Abuse Act, 18 U.S.C sect 1030 (Network Crime)

• Wiretapping & Snooping (aka sniffing)– Wiretap Act, 18 U.S.C. sect 2511– Electronic Communications Privacy Act (ECPA),

18 U.S.C. sect 2701

Traditional Crimes

• Criminal Trademark, 18 U.S.C. 2320• Criminal Copyright, 18 U.S.C. 2319 and 17

U.S.C. 506(a)• Child Pornography, 18 U.S.C. 2252A• Criminal Trade Secrets, 18 U.S.C. 1831/1832• Threats & Harassment 18 U.S.C. 844(e) &

875, 47 U.S.C. 223 (a)(1)(C, E)

Computer Fraud and Abuse Act (1)

• Defines certain “protected computers”– U.S. Govt Networks– Financial networks– Networks that affect interstate or

foreign commerce or communication

• Damage to a “protected computer” is a criminal act

• Defines loss thresholds

Computer Fraud and Abuse Act (2)

• Trespass on a Govt system is a criminal act

• Trafficking in info which can allow unauthorized access

• Threatening to damage• Accessing a protected computer• Attempts are a criminal act• Defines loss thresholds

Computer Fraud and Abuse Act (3)

• Certain privacy intrusions are a criminal act – Prohibits unauthorized access to

obtain:• Financial data from federal agency or

on a protected computer

Legal Aspects of Monitoring

• Real-time monitoring:– Two statutes govern:

• Wiretap statute• Pen/Trap statute

– Pen Register: outgoing connection data– Trap & Trace: incoming connection data

• ECPA covers access to stored communications– Covers voice mail, email, “logs”

• But, there are exceptions

Intercept/Monitoring Exceptions

• Computer Trespass Exception– Bannered Systems allow monitoring

• Consent of a Party (victim?)• Provider exception

– To protect provider’s “rights/property”

– When done in “normal ops”– Limited exception– Not an investigators privilege

Electronic Communications Privacy Act (ECPA)

• Applies to stored info– Communications (email, voicemail– Transactional data (connection logs)– Subscriber/session information

• 18 U.S.C. 2701-11 governs access and disclosure

• Public Providers cannot offer info• Private Provides can share info

Related Recent E-Comm Security Legislation that could impact

Forensics

• Gramm-Leach-Bliley Act (Fall 2002)– Financial Privacy, Safeguards, and

Pretexting

• HIPAA (1996 --->14 Apr 2003)– Safeguards to ensure patient

confidentiality

Gramm-Leach-Bliley Act

• Financial Privacy, Safeguards, and Pretexting

• Federal Trade Commission has oversight

• Public Law 106-102, Title V

• Requires financial institutions to notify customers about their privacy practices and allow consumers to "opt out" of having their nonpublic personal information disclosed

• The Act's security provisions require the Commission and certain other federal agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer information.

Source FTC: http://www.ftc.gov/opa/2001/07/glb501.htm

Gramm-Leach-Bliley ActSecurity Issues

• Designate an employee or employees to coordinate its [safeguards] program

• Assess risks in each area of its operations

• Design and implement an information security program to control these risks

• Require service providers (by contract) to implement appropriate safeguards for the customer information at issue

• Adapt its program in light of material changes to its business that may affect its safeguards

Source FTC: http://www.ftc.gov/opa/2001/07/glb501.htm

HIPAA Update

• Health Insurance Portability Accessibility and Accountability Act

• Health and Human Services issued patient-data privacy guidelines

• Passed by Congress in 1996

• 14 April deadline for basic HIPAA compliance

• Applies to companies providing health care services and any business associates handling protected patient data

Source Network World, Mar 10, 2003, Pg 30

HIPAA Tenets

• Basic tenet: “apply administrative, physical, and technical safeguards to ensure confidentiality

• Companies worried about being held liable and the consequent damages

• Perception is 14 April opens up the litigation floodgates

• HIPAA’s 3 guidelines– Electronic Data Interchange (EDI)

– Privacy

– SecuritySource Network World, Mar 10, 2003, Pg 30

HIPAA Security Issues

• After 14 April HHS must investigate complaints

– Potential penalty: up to $25K/yr per type of violation

• Creating need for encrypted email

• Increased emphasis on audit and access control for patient data

– For every record accessed you need to know who, what, and when

• Strong Authentication techniques

– Individual passwords that are role based (DR, RN, LPN)

• VPN client software for remote access

Source Network World, Mar 10, 2003, Pg 30

USA PATRIOT ACT of 2001

Uniting and Strengthening America by Providing Appropriate Tools

Required to Intercept and Obstruct Terrorism Act

Major Sections

•Criminal Law•Intelligence•Cross-Flow

Organization

• Title II -- Enhanced Surveillance Procedures

• Title III -- International Money Laundering• Title IV -- Strengthening The Border• Title VII-- Increased Info Sharing For CIP • Title VIII -- Strengthening Criminal Laws• Title IX -- Improved Intelligence• Title X -- Miscellaneous

Criminal Law

Subpoenas for Electronic Evidence Sec 210

• Old: Subpoena limited to customer’s name, address, length of service, and means of payment

• In many cases, users register with ISPs under false names

• New: Update and expand records available by subpoena

• Old list, plus means and source of payment, credit card or bank account number, records of session times and durations, and any temporarily assigned network address

• Not subject to sunset

Pen Register, Trap and TraceSec 216

• Old: “telephone lines” and “numbers dialed”

• Did not clearly cover computer comms

• Court could only authorize use in single judicial district

• New: clearly applies to computer comms, for any non-content info–“dialing, routing, addressing, and signaling information”

• Info relevant to ongoing criminal investigation

• Nationwide federal pen/trap orders

• New LE reporting requirement

• Not subject to sunset

Computer Trespassers Sec 217

• Old: Computer owners were often not clearly “parties” to hacker intrusions into the computer, so the owner generally not deemed able to consent to LE monitoring

• New: Victims of computer attacks can authorize persons “acting under color of law” (LE or CI) to monitor trespassers on their computer systems

• Subject to sunset

Computer Trespasser Defn

• Any person who accesses a “protected computer” without authorization– “protected computer” - one used in interstate or

foreign commerce or communication

• Thus has no reasonable expectation of privacy• In communication to, through, or from• Explicitly excludes any person “known by the

owner or operator of the protected computer to have an existing contractual relationship with the owner or operator for access to all or part of the computer”

Computer Trespasser Requirements

• Investigator may intercept comms of computer trespasser transmitted to, through, or from

• Owner or operator of protected computer authorizes interception– [note: best if in writing]

• Person who intercepts is lawfully engaged in ongoing investigation

• Person acting under color of law has reasonable grounds to believe contents will be relevant to investigation

• Investigators intercept only comms sent or received by trespassers

Civil Liability for Unauthorized Disclosures

Sec 223

• Old: civil remedies for unauthorized interception, disclosure, or use of communications against any person or entity

• New: All civil remedies against persons or entities, other than the US

• New section allows monetary damages against US if employees improperly disclose intercept

• Adds administrative discipline provisions

• Not subject to sunset

“Domestic Terrorism”Sec 802

• Old: no definition of “domestic terrorism”

• New : activities primarily w/in territorial jurisdiction of US

• Acts dangerous to human life and violate US criminal laws

• Appear intended to intimidate or coerce civilian population

• Influence policy of a govt by intimidation or coercion, or affect conduct of a govt – mass destruction– assassination– kidnapping

Crimes at U.S. Facilities Abroad Sec 804

• Old: defined special maritime and territorial jurisdiction of US

• New: extends jurisdiction to U.S. diplomatic, consular, military, or other premises and related private residences overseas for offenses committed by or against U.S. natl.

• Not offenses by members or employees of U.S. armed forces and persons accompanying (covered under another law)

“Federal Crime of Terrorism”Sec 808

• Old: defined “federal crime of terrorism” by listing offenses

• New: adds several offenses, including aircraft violence and computer crimes

• Also attacks on military comm systems, and material support to terrorist orgs (including training and expert advice)

• Longer statute of limitations (Sec 809)

• Add offenses to RICO (Sec 813)

Deterrence and Prevention of Cyberterrorism

Sec 814• Old: “Damage” =

– $5000 loss (per computer?)

– physical injury to person

– threat to public health or safety

– impairing medical care

• Did not define “loss”• Extraterritorial

application unclear

• New– Any impairment if used by

or for govt entity for justice, natl defense, natl security

– $5000 aggregated loss if multiple victims

• Extraterritorial clear• ‘Loss’ includes, damage

assessment, restoration, lost revenue, response, consequential damages

• “Person” includes govt • Not subject to sunset

Critical Infrastructures ProtectionSec 1016

• Continuous natl effort required to ensure cyber and physical infrastructure service

• Requires extensive modeling and analytic capabilities

• National Infrastructure Simulation and Analysis Center (NISAC)

• $20,000,000 authorized for DTRA for FY02

Summary

• Legislation Maturing Quickly

• Plays a vital role in ID and IR