CSE 4482 Computer Security Management:
Assessment and Forensics
Instructor: N. Vlajic, Fall 2013
Law and Ethics
Required reading: Management of Information Security (MIS), by Whitman & Mattord Chapter 12, pp. 428 - 454
Learning Objectives Upon completion of this material, you should be able to:
• Differentiate between law and ethics.
• Identify major US laws that relate to the practice of information security.
• Identify relevant professional organizations and their Codes of Ethics.
• Law – written rules adopted & enforced by a government to define expected behavior
these rules attempt to balance individual freedoms and social order, which may be in conflict
laws are largely drawn from the ethics of a culture
• Ethics – informal set of values and beliefs about right and wrong behavior
some ethics are thought to be universal
murder, theft, assault are legally and ethically unacceptable in most of the world’s cultures
Key difference between law and ethics:
law carries the sanction of a governing authority and ethics do not!
Introduction (cont.)
In the majority of cases, what is legal is also ethical, and the other way around.
However, with society operating in a dynamic and ever-changing environment, there are cases when law and ethics are in conflict.
Introduction (cont.)
• Relationship between Law and Ethics
http://210.46.97.180/zonghe/book/203-Entrepreneurship(fifth%20edition)-Harcourt%20Colledge%20Publishers-Donald%20F.%20Kuratko/chapter_6.htm
Examples discussed: screening of Web traffic by an employer; breaking into somebody’s email account; the Edward Snowden ‘NSA Leak’ case.
• Categories of Law – in Canada and USA:
Public Law(s): regulate
1) organization and functioning of the state
2) relationship between the state and its subjects
concerned with matters that affect society as a whole
deals with regulation of behavior generally
Private Law(s): regulate relationships between individuals and groups that are not of public importance
deals with disputes between parties
regulates rights and duties of individuals to each other
Introduction to Law
• Subcategories of Law
Public Law(s)
Constitutional Law – related to interpretation & application of the Constitution of Canada, including the Charter of R&F (freedom of expression & religion, freedom from unreasonable search & seizure, …)
Administrative Law – addresses actions and operations of government & government agencies
Criminal Law – deals with behaviors that result in injury to people and/or property (murder, break and enter, sexual assault, etc.)
Private / Civil Law(s)
Family Law – deals with various relationships of family life
Contract Law – outlines requirements for legally binding agreements
Tort Law – seeks compensation for loss caused by negligence
Property Law – outlines relationship between individuals & property
Labour Law – outlines relationship between employers & employees
• Criminal Law Procedure – the ‘victim’ (may) report the case to the police & they have the responsibility to investigate
if a charge has been properly laid & there is supporting evidence, the Crown Prosecutor represents the case in the courts and public funds finance these services
even if a ‘victim’ starts a prosecution privately, the Attorney General has the power to take over the prosecution
• Civil Law Procedure – the ‘victim’ must take action to get a legal remedy or adequate compensation
‘victim’ must hire a private lawyer & pay expenses of pursuing the matter
the police do not get involved, beyond the point of restoring order
Criminal vs. Civil Law Case
• Criminal vs. Civil Law Principles
In Criminal Law, to convict someone, the guilt must be proven ‘beyond reasonable doubt’.
In Criminal Law, the sentence to the offender may include one or a combination of the following:
fine
restitution – compensate for victim’s loss or damages
probation
community service
imprisonment
In Civil Law, to convict someone, the guilt must be proven on ‘balance of probabilities’.
In Civil Law, monetary remedies (damages) are most common.
‘beyond reasonable doubt’ evidence = clear and convincing evidence (a ‘mere possibility’ that what is presented is true is not sufficient)
‘balance of probabilities’ evidence = evidence with a 50% threshold (produces a belief that what is presented is more likely true than not true)
More evidence is needed to find the defendant at fault in criminal cases than in civil ones.
Criminal vs. Civil Law Case (cont.)
http://www.sclifflaw.com/wp-content/uploads/2013/06/Comparisons-Between-Criminal-Law-and-Civil-Law.jpg
“Every crime has two essential parts: the action or "actus reus" and the intent or "mens rea" (guilty mind).
For example, the crime of arson has two parts: actually setting fire to a building and doing it wilfully and deliberately. Setting a fire by accident may not be a crime.
For most criminal cases both the action and the intent must be proven. If either element is missing, then no crime has been committed.”
http://www.lawlessons.ca/lesson-plans/2.1.definition-and-principles
Criminal vs. Civil Law Case (cont.)
Is a DDoS a Civil or a Criminal offence?
In the US, as of 2008, DDoS is considered a criminal offence under the Computer Misuse Act.
In Canada, DDoS is also a criminal offence under Criminal Code 430: Unauthorized Use of Computer & Mischief.
(Figure: victim and attacker in a DDoS.)
Law and Computer Security
“In the early days of computer security, information security professionals were pretty much left on their own to defend their systems against attacks. They did not have much help from the criminal and civil justice systems.
When they did seek assistance from law enforcement, they were met with reluctance by overworked agents who did not have a basic understanding of how something that involved a computer could actually be a crime …
Fortunately, both our legal system and the men and women of law enforcement have come a long way over the past two decades …”
CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Stewart, E. Tittel, M. Chapple (p. 630)
Law and Computer Security (cont.)
“The first computer security issues addressed by legislators were those involving computer crime.
Early computer crime prosecutions were attempted under traditional criminal law, and many were dismissed because judges thought that applying traditional law to this modern type of crime was too far of a stretch. …”
Example: Hearsay evidence!
“… Legislators responded by passing specific statutes that defined computer crime and laid out specific penalties for various crimes …
Every information security professional should have a basic understanding of the law as it relates to information technology. However, the most important lesson to be learned is knowing when it is necessary to call in an attorney …”
CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Stewart, E. Tittel, M. Chapple (p. 633)
Law and Computer Security (cont.)
• To minimize their & their organization’s liability, information security professionals must:
keep informed about new laws, regulations and ethical issues as they emerge
understand the scope of the organization’s legal and ethical responsibilities
educate the management and employees about their legal and ethical obligations and the proper use of information technology
Computer Crime
• Computer Crime (aka Cybercrime) – criminal activity in which any of the following is true:
computer is a target – e.g., somebody attempts to control a computer or interfere with its availability
(examples: development and distribution of malware, DDoS attacks, …)
computer is a storage device – e.g., somebody uses a computer to store stolen or inappropriate content
computer is a communication tool – e.g., somebody uses computer(s) to conduct illegal sale of drugs or guns
Convention on Cybercrime
• Convention on Cybercrime (2001) – 1st international agreement seeking to address Computer/Cyber Crimes by harmonizing national laws & increasing international cooperation
initially drawn up by the Council of Europe with active participation of Canada & Japan
in 2006, the USA became the 16th nation to ratify the treaty
currently, 40 states have ratified, and 11 states have signed (but not ratified) the convention – Canada is one of them
http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/T-CY/Default_TCY_en.asp
http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CL=ENG
Stallings, Computer Security, 2nd edition, p. 596
The list of cybercrimes cited in the Convention on Cybercrime represents an international consensus on what constitutes cybercrime and what crimes are considered important.
US Laws (cont.)
Major US laws, grouped by whom they protect:
STATE: Computer Fraud & Abuse Act; Patriot Act
INDIVIDUAL: Federal Privacy Act; Electronic Communications Privacy Act
INSTITUTIONS: Health Insurance Portability and Accountability Act; Gramm-Leach-Bliley Act; Children’s Online Privacy Protection Act
US Laws: CFA Act
• Computer Fraud and Abuse Act (CFA Act) of 1986 – law passed by the US Congress
landmark in the fight against cybercrime – the first law to address crime involving computers
initially intended to address offenses to computers of the US government and certain financial institutions
amended in 1988, 1994, 1996 and 2001 by the USA Patriot Act
through amendments, the scope extended to all ‘protected computers’, i.e. any computer connected to the Internet
criminal offences under the CFA Act:
1) knowingly accessing a computer without authorization (1) or exceeding authorized access (2) to obtain national security data
2) intentionally accessing a computer without authorization (or 2) to obtain one of the following:
a) a financial record of a financial institution;
b) information from any US-government department or agency;
c) information from any protected computer.
3) intentionally accessing without authorization (or 2) a government computer and affecting the use of the government’s operation of the computer
4) knowingly causing the transmission of a program, information, code or command that causes damage such as:
a) loss to one or more persons (or companies) during any one-year period aggregating at least $5,000 in value
US Laws: CFA Act (cont.)
criminal offences under the CFA Act (cont.)
b) the modification or impairment of medical records
c) physical injury to any person
d) a threat to public health or safety
e) damage affecting a government computer system
5) knowingly and with intent to defraud trafficking in a password or similar information through which a computer may be accessed without authorization
(1) Access without authorization = access by an outsider who breaks in and uses a computer for any malicious purpose
(2) Exceeding authorized access = access by an authorized user who obtains or alters information that he/she is not allowed to obtain or alter (e.g. employees)
US Laws: CFA Act (cont.)
• Computer Fraud and Abuse Act (cont.) – although the Act does not specifically mention hacking, malware and denial of service, they are its main focus
examples:
1) knowing transmission of a code that causes damage – infection by a virus
2) knowing execution of a command that causes damage – DDoS attack
Punishment for offences prosecuted under the CFA varies from fines to imprisonment of up to 20 years, or both.
US Laws: CFA Act (cont.)
Case Study: Morris Case (1988)
One of the first cases prosecuted under the CFA Act.
Morris, a Ph.D. candidate in CS (Cornell U), wanted to demonstrate the weakness of security measures of computers on the Internet, a network linking university, government and military computers around the United States.
His plan was to insert a worm into as many computers as he could gain access to, but to ensure that the worm replicated itself slowly enough that it would not cause the computers to slow down or crash.
However, Morris miscalculated how quickly the worm would replicate. By the time he released a message on how to kill the worm, it was too late: Some 6,000 computers had crashed or become "catatonic" at numerous institutions, with estimated damages of $200 to $53,000 for each institution.
Morris was sentenced to three years’ probation and 400 hours of community service, and was fined $10,500.
US Laws: Patriot Act
• US Patriot Act (2001 – weeks after Sept. 11) – allows law enforcement greater latitude in combating criminals and terrorists who use computers and communication networks [telephone, computer, wireless]
L.E. has authority to intercept voice communications in computer hacking investigations
L.E. has authority to obtain voice mail and other stored voice communications using standard search warrants rather than wiretap orders
L.E. has authority to trace communications on the Internet and other computer networks
US Laws: Patriot Act (cont.)
• US Patriot Act (2001 – weeks after Sept. 11)
L.E. has authority to issue nationwide search warrants for e-mails and other electronic data ⇒ ISPs compelled to disclose unopened emails …
ISPs are permitted to disclose customer info in the case of emergency – if they suspect an immediate risk of death or serious physical injury to any person
For more see: http://www.justice.gov/criminal/cybercrime/PatriotAct.htm
The Patriot Act is one of the most controversial acts – it gives away personal freedoms and constitutional rights in exchange for higher levels of (national) safety …
US Laws: Patriot Act (cont.)
Case Study: Patriot Act vs. Constitution (2004)
“ … While conducting surveillance of the defendant and co-defendant, the agents lost track of them. The agents then dialed the defendant’s cell phone several times, and used the provider’s computer data to determine which cell transmission towers were being ‘hit’ by that phone. The cell’s data revealed the defendant’s general location and helped catch him.
On appeal of his conviction, the defendant argued that the cell-site data and resulting evidence should have been suppressed because they turned his phone into a tracking device – and that violated his constitutional rights …”
The court found that the cell-site data falls under the category of ‘electronic communication’, hence its use was not illegal …
“Computer Forensics: Principles and Practices”, p. 423, by L. Volonino, R. Anzaldua, J. Godwin
US Laws: Privacy (1)
• Federal Privacy Act (1974) – regulates the government’s use of private information
addresses concerns about creation and use of computerized data
the act states:
government agencies must protect the privacy of individuals’ and businesses’ information and are responsible if any portion of information is released without prior written consent of the individual
at the same time, individuals CAN access information controlled by others if they can demonstrate that that information is necessary to protect their health & safety
US Laws: Privacy (2)
• Electronic Communications Privacy Act (1986) – often referred to as the federal wiretapping act
primarily designed to prevent unauthorized government access to private electronic communications
sets high standards for search warrants of:
wire, oral & electronic communications while in transit
communications held in electronic storage
dialing, routing, addressing & signaling information …
some provisions of the act were later weakened by the Patriot Act
US Laws: Privacy (3)
• Health Insurance Portability and Accountability Act – HIPAA (1996) – aims to protect confidentiality and security of health data
requires organizations that retain health care information to use comprehensive information security mechanisms
severely restricts dissemination & distribution of private health info without documented consent
provides patients the right to know who has access to and who has accessed their information
gives patients the right to examine & obtain a copy of their own data
US Laws: Privacy (4)
• Gramm-Leach-Bliley Act (1999) – contains a number of provisions that affect banks, security firms, and insurance companies
the act requires that such institutions:
implement a comprehensive info. security program with appropriate administrative, technical and physical safeguards
ensure the security and confidentiality of customer info., and protect customer info. from unauthorized access by a ‘third party’ that could result in harm or inconvenience to the customer
Safeguarding the confidentiality and integrity of customer information is no longer just a best practice for financial institutions – it is now a legal requirement.
US Laws: Privacy (5)
• Children’s Online Privacy Protection Act – COPP Act (1998) – prohibits certain actions by websites and similar services that are directed at children & by any site that may be visited by a person younger than 13
the act prohibits such sites from:
collecting and using identifying info (name, postal code, address, SIN) from children under 13 unless they have obtained verifiable parental consent
requiring registration with personal info as a requirement for playing games, applying for prizes, etc.
http://www.priv.gc.ca/fs-fi/02_05_d_15_e.cfm
US Laws: Privacy
Two key Canadian (federal) privacy laws:
1) The Privacy Act - imposes obligations on federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information.
2) Personal Information Protection and Electronic Document Act (PIPEDA) - sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.
US Laws: Export & Espionage (1)
• Economic Espionage Act (1996) – attempts to prevent illegal sharing of trade secrets
first federal law that defines trade secret and severely punishes any individual or organization that knowingly steals, copies, receives, buys or possesses trade secrets or conspires to do so
penalties: fines up to $500,000 or 15 years in prison (or both) for individuals, and fines of up to $10 million for organizations
trade secret = all forms and types of financial, business, scientific, technical, economic or engineering information that the owner has taken reasonable measures to keep secret and that is not known to the public
http://www.shreditprovidence.com/Legislation/economicespionageact.pdf
US Laws: Export & Espionage (2)
• Security And Freedom Through Encryption Act (1999) – provides guidance on the use of encryption, and provides measures of protection from government intervention; specifically, the act …
relaxes restrictions concerning the sale and export of cryptographic products – these used to be tightly controlled by the government
states that the use of encryption is not probable cause to suspect a criminal activity – people can use encryption freely
provides additional penalties for unlawful use of encryption in furtherance of a criminal act – e.g., with the intent to conceal a felony
US Laws: Copyright Laws
• No Electronic Theft Act (1997) – provides for criminal prosecution of individuals who engage in copyright infringement
prior to this act, criminal copyright infringement required that the infringement was for the purpose of “commercial advantage or private financial gain”
merely downloading files on the Internet did not constitute a criminal activity
the act permits the use of copyrighted material to support news reporting, teaching, … as long as it is not for profit, … and as long as proper acknowledgment is provided
US Laws: Sarbanes-Oxley Act
• Sarbanes-Oxley Act (2002) – passed as a result of a series of financial scandals in the 1990s (Enron, WorldCom) – intended to protect the general public from accounting errors & fraudulent practices
puts far greater responsibility on the shoulders of corporate executives regarding:
effective & efficient operation (including IT and Info Sec operation)
reliable financial reporting and auditing
compliance with applicable laws & regulations
the act requires that all business documents (paper & electronic) must be kept for 5 years
Canadian equivalent: Bill 198 (2003)
International Laws
Info Sec related laws (may) vary considerably from one country to another. When organizations do business on the Internet, they do it globally; hence, it is important to be sensitive to the law and ethics values of different countries …
Ethics
• Code of Ethics – sets out general principles about an organization’s beliefs on matters such as mission, quality, privacy or environment
the effectiveness of such codes depends on the extent to which the respective organizations support them with sanctions & rewards
doctors and lawyers who violate the ethical canons of their professions could be removed from practice
the field of Information Security (and IT) does not have a binding Code of Ethics
instead, professional associations (ACM) and accreditation agencies ((ISC)2, SANS) work to establish the profession’s codes of conduct
Ethics (cont.)
• 10 Commandments of Computer Ethics Institute (intended for IT community)
1. Thou shall not use a computer to harm other people.
2. Thou shall not interfere with other people’s computer work.
3. Thou shall not snoop around in other people’s computer files.
4. Thou shall not use a computer to steal.
5. Thou shall not use a computer to bear false witness.
6. Thou shall not copy or use proprietary software for which you have not paid.
7. Thou shall not use other people’s computer resources without authorization or proper compensation.
8. Thou shall not appropriate other people’s intellectual output.
9. Thou shall think about the social consequences of the program you are writing or the system you are designing.
10. Thou shall always use a computer in ways that ensure consideration and respect for your fellow humans.
Ethics (cont.)
• In Information Security, failure to obey a Code of Ethics implies loss of accreditation or certification …
and consequently (may) result in dramatically reduced marketability and earning power
Organizations with Code of Ethics
1. Association for Computing Machinery (ACM) – respected non-profit professional society with scientific & educational orientation
ACM’s code of ethics addresses a wide range of ethical duties – the ones related to information security specify that each ACM member should:
protect confidentiality of information
cause no harm (e.g. loss) to information
protect privacy of others
protect IP & copyright of others
Ethics (cont.)
2. (ISC)2 – non-profit organization; focuses on development & implementation of info. sec. certifications & credentials
the 4 mandatory canons of the (ISC)2 code of ethics are:
protect society, the commonwealth, and the infrastructure
act honorably, honestly, justly, responsibly and legally
provide diligent and competent service to principals
advance and protect the profession
3. SANS Institute (GIAC) – professional research & education cooperative organization – prepares individuals towards GIAC accreditation
GIAC’s code of ethics is organized into 3 key areas:
I will strive to know myself and be honest about my capability
I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism
I respect privacy and confidentiality