CSE 4482 Computer Security Management: Assessment and Forensics

Instructor: N. Vlajic, Fall 2013

Law and Ethics

Required reading: Management of Information Security (MIS), by Whitman & Mattord Chapter 12, pp. 428 - 454

Learning Objectives Upon completion of this material, you should be able to:

• Differentiate between law and ethics.

• Identify major US laws that relate to the practice of information security.

• Identify relevant professional organizations and their Codes of Ethics.

Introduction

• Law – written rules adopted & enforced by a government to define expected behaviour
  - these rules attempt to balance individual freedoms and social order, which may be in conflict
  - laws are largely drawn from the ethics of a culture

• Ethics – informal set of values and beliefs about right and wrong behaviour
  - some ethics are thought to be universal
  - murder, theft and assault are legally and ethically unacceptable in most of the world's cultures

Key difference between law and ethics:

  law carries the sanction of a governing authority; ethics do not!

Introduction (cont.)

In the majority of cases, what is legal is also ethical, and the other way around.

However, because society operates in a dynamic and ever-changing environment, there are cases in which law and ethics are in conflict.

Introduction (cont.)

• Relationship between Law and Ethics

http://210.46.97.180/zonghe/book/203-Entrepreneurship(fifth%20edition)-Harcourt%20Colledge%20Publishers-Donald%20F.%20Kuratko/chapter_6.htm

Examples to consider (where the legal and the ethical assessment may differ):
  - screening of Web traffic by an employer
  - breaking into somebody's email account
  - the Edward Snowden 'NSA leak' case

Introduction to Law

• Categories of Law – in Canada and the USA:

  Public Law(s): regulate
    1) the organization and functioning of the state
    2) the relationship between the state and its subjects
    - concerned with matters that affect society as a whole
    - deal with the regulation of behaviour generally

  Private Law(s): regulate relationships between individuals and groups that are not of public importance
    - deal with disputes between parties
    - regulate the rights and duties of individuals to each other

Introduction to Law

• Subcategories of Law

  Public Law(s)
    - Constitutional Law – interpretation & application of the Constitution of Canada, including the Charter of Rights & Freedoms (freedom of expression & religion, freedom from unreasonable search & seizure, ...)
    - Administrative Law – actions and operations of government & government agencies
    - Criminal Law – behaviours that result in injury to people and/or property (murder, break and enter, sexual assault, etc.)

  Private / Civil Law(s)
    - Family Law – the various relationships of family life
    - Contract Law – the requirements for legally binding agreements
    - Tort Law – compensation for loss caused by a civil wrong such as negligence
    - Property Law – the relationship between individuals & property
    - Labour Law – the relationship between employers & employees

• Criminal Law Procedure – the 'victim' (may) report the case to the police, who have the responsibility to investigate
  - if a charge has been properly laid & there is supporting evidence, the Crown Prosecutor presents the case in the courts; public funds finance these services
  - even if a 'victim' starts a prosecution privately, the Attorney General has the power to take over the prosecution

• Civil Law Procedure – the 'victim' must take action to get a legal remedy or adequate compensation
  - the 'victim' must hire a private lawyer & pay the expenses of pursuing the matter
  - the police do not get involved, beyond the point of restoring order

Criminal vs. Civil Law Case (cont.)

• Criminal vs. Civil Law Principles

  In Criminal Law, to convict someone, guilt must be proven 'beyond reasonable doubt'.

  In Criminal Law, the sentence given to the offender may include one or a combination of the following:
    - fine
    - restitution – compensation for the victim's loss or damages
    - probation
    - community service
    - imprisonment

  In Civil Law, to find someone liable, the case must be proven on the 'balance of probabilities'.

  In Civil Law, monetary remedies (damages) are the most common.

  'beyond reasonable doubt' = the highest standard of proof: the evidence must leave the trier of fact with no reasonable doubt (a 'mere possibility' that what is presented is true is not sufficient; note that 'clear and convincing evidence' is a separate, intermediate standard used in some civil matters, not the criminal standard)

  'balance of probabilities' = evidence with a 50% threshold (it produces a belief that what is presented is more likely true than not true)

  More evidence is therefore needed to find a defendant at fault in a criminal case than in a civil one.

Criminal vs. Civil Law Case (cont.)

(comparison figures: http://www.sba.pdx.edu/faculty/maggief/chap1.pdf and http://www.sclifflaw.com/wp-content/uploads/2013/06/Comparisons-Between-Criminal-Law-and-Civil-Law.jpg)

“Every crime has two essential parts: the action or "actus reus" and the intent or "mens rea" (guilty mind).

For example, the crime of arson has two parts: actually setting fire to a building and doing it wilfully and deliberately. Setting a fire by accident may not be a crime.

For most criminal cases both the action and the intent must be proven. If either element is missing, then no crime has been committed.”

http://www.lawlessons.ca/lesson-plans/2.1.definition-and-principles

Criminal vs. Civil Law Case (cont.)

Is a DDoS a civil or a criminal offence?

  In the UK, since the 2008 amendments to the Computer Misuse Act came into force, a DDoS is explicitly a criminal offence (an unauthorized act intended to impair the operation of a computer). In the US, a DDoS is a criminal offence under the Computer Fraud and Abuse Act (knowingly causing the transmission of a command that causes damage to a protected computer).

  In Canada, a DDoS is also a criminal offence under the Criminal Code: s. 342.1 (unauthorized use of computer) and s. 430(1.1) (mischief in relation to computer data).

  Being a crime does not rule out a civil case: the victim may additionally sue the attacker for damages (in the US, the CFAA itself provides a civil right of action for the loss suffered).

Law and Computer Security (cont.)

“In the early days of computer security, information security professionals were pretty much left on their own to defend their systems against attacks. They did not have much help from the criminal and civil justice systems.

When they did seek assistance from law enforcement, they were met with reluctance by overworked agents who did not have a basic understanding of how something that involved a computer could actually be a crime …

Fortunately, both our legal system and the men and women of law enforcement have come a long way over the past two decades …”

CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Stewart, E. Tittel, M. Chapple (p. 630)

Law and Computer Security (cont.)

“The first computer security issues addressed by legislators were those involving computer crime.

Early computer crime prosecutions were attempted under traditional criminal law, and many were dismissed because judges thought that applying traditional law to this modern type of crime was too far of a stretch. …”

Example: Hearsay evidence!

“… Legislators responded by passing specific statutes that defined computer crime and laid out specific penalties for various crimes …

Every information security professional should have a basic understanding of the law as it relates to information technology. However, the most important lesson to be learned is knowing when it is necessary to call in an attorney …”

CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Stewart, E. Tittel, M. Chapple (p. 633)

Law and Computer Security (cont.)

• To minimize their own and their organization's liability, information security professionals must:
  - keep informed about new laws, regulations and ethical issues as they emerge
  - understand the scope of the organization's legal and ethical responsibilities
  - educate management and employees about their legal and ethical obligations and the proper use of information technology

Computer Crime

• Computer Crime (aka Cybercrime) – criminal activity in which any of the following is true:
  - the computer is a target – e.g., somebody attempts to control a computer or interfere with its availability (examples: development and distribution of malware, DDoS attacks, ...)
  - the computer is a storage device – e.g., somebody uses a computer to store stolen or inappropriate content
  - the computer is a communication tool – e.g., somebody uses computer(s) to conduct illegal sales of drugs or guns

Convention on Cybercrime

• Convention on Cybercrime (2001) – the first international agreement seeking to address computer/cyber crimes by harmonizing national laws & increasing international cooperation
  - initially drawn up by the Council of Europe, with active participation of Canada & Japan
  - in 2006, the USA became the 16th nation to ratify the treaty
  - currently (2013), 40 states have ratified, and 11 states have signed (but not ratified) the convention – Canada is one of the latter

http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/T-CY/Default_TCY_en.asp

http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CL=ENG

The list of cybercrimes cited in the Convention on Cybercrime (see Stallings, Computer Security, 2nd edition, p. 596) represents an international consensus on what constitutes cybercrime and which crimes are considered important.

US Laws

• Key US laws of interest to IS professionals, grouped by whose interests they primarily address:

  STATE: Computer Fraud & Abuse Act; Patriot Act

  INDIVIDUAL: Federal Privacy Act; Electronic Communications Privacy Act

  INSTITUTIONS: Health Insurance Portability and Accountability Act; Gramm-Leach-Bliley Act; Children's Online Privacy Protection Act

US Laws: CFA Act

• Computer Fraud and Abuse Act (CFA Act) of 1986 – law passed by the US Congress
  - a landmark in the fight against cybercrime – the first law to address crime involving computers
  - initially intended to address offences against computers of the US government and certain financial institutions
  - amended in 1988, 1994, 1996, and in 2001 by the USA Patriot Act
  - through the amendments, the scope was extended to all 'protected computers', which in practice means any computer connected to the Internet

  criminal offences under the CFA Act include:

    1) knowingly accessing a computer without authorization (1) or exceeding authorized access (2) to obtain national security data
    2) intentionally accessing a computer without authorization (or 2) to obtain one of the following:
      a) a financial record of a financial institution;
      b) information from any US government department or agency;
      c) information from any protected computer.
    3) intentionally accessing without authorization (or 2) a government computer and affecting the government's use or operation of the computer
    4) knowingly causing the transmission of a program, information, code or command that causes damage such as:
      a) loss to one or more persons (or companies) during any one-year period aggregating at least $5,000 in value
      b) the modification or impairment of medical records
      c) physical injury to any person
      d) a threat to public health or safety
      e) damage affecting a government computer system
    5) knowingly and with intent to defraud trafficking in a password or similar information through which a computer may be accessed without authorization

  (1) Access without authorization = access by an outsider who breaks in and uses a computer for any malicious purpose
  (2) Exceeding authorized access = access by an authorized user who obtains or alters information that he/she is not allowed to obtain or alter (e.g. employees)

  although the Act does not specifically mention hacking, malware or denial of service, they are its main focus; for example:
    1) knowing transmission of code that causes damage – infection by a virus
    2) knowing execution of a command that causes damage – a DDoS attack

  Punishment for offences prosecuted under the CFA Act varies from fines to imprisonment of up to 20 years, or both.

US Laws: CFA Act (cont.)

Case Study: Morris Case (1988)

One of the first cases prosecuted under the CFA Act.

Morris, a Ph.D. candidate in CS (Cornell U), wanted to demonstrate the weakness of security measures of computers on the Internet, a network linking university, government and military computers around the United States.

His plan was to insert a worm into as many computers as he could gain access to, but to ensure that the worm replicated itself slowly enough that it would not cause the computers to slow down or crash.

However, Morris miscalculated how quickly the worm would replicate. By the time he released a message on how to kill the worm, it was too late: Some 6,000 computers had crashed or become "catatonic" at numerous institutions, with estimated damages of $200 to $53,000 for each institution.

Morris was sentenced to three years' probation and 400 hours of community service, and was fined $10,500.

US Laws: Patriot Act

• USA Patriot Act (2001 – passed weeks after Sept. 11) – allows law enforcement greater latitude in combating criminals and terrorists who use computers and communication networks [telephone, computer, wireless]
  - L.E. has authority to intercept voice communications in computer hacking investigations
  - L.E. has authority to obtain voice mail and other stored voice communications using standard search warrants rather than wiretap orders
  - L.E. has authority to trace communications on the Internet and other computer networks
  - L.E. has authority to issue nationwide search warrants for e-mails and other electronic data ⇒ ISPs compelled to disclose unopened emails …
  - ISPs are permitted to disclose customer info in an emergency – if they suspect an immediate risk of death or serious physical injury to any person

For more see: http://www.justice.gov/criminal/cybercrime/PatriotAct.htm

The Patriot Act is one of the most controversial acts – it trades away personal freedoms and constitutional rights in exchange for higher levels of (national) safety …

US Laws: Patriot Act (cont.)

Case Study: Patriot Act vs. Constitution (2004)

“ … While conducting surveillance of the defendant and co-defendant, the agents lost track of them. The agents then dialed the defendant's cell phone several times, and used the provider's computer data to determine which cell transmission towers were being ‘hit’ by that phone. The cell's data revealed the defendant's general location and helped catch him.

On appeal of his conviction, the defendant argued that the cell-site data and resulting evidence should have been suppressed because they turned his phone into a tracking device – and that violated his constitutional rights …”

The court found that the cell-site data falls under the category of ‘electronic communication’, hence its use was not illegal …

“Computer Forensics: Principles and Practices”, by L. Volonino, R. Anzaldua, J. Godwin (p. 423)

US Laws: Privacy (1)

• Federal Privacy Act (1974) – regulates the government's use of private information
  - addresses concerns about the creation and use of computerized data
  - the act states: government agencies must protect the privacy of individuals' and businesses' information and are responsible if any portion of that information is released without the prior written consent of the individual
  - at the same time, individuals CAN access information controlled by others if they can demonstrate that the information is necessary to protect their health & safety

US Laws: Privacy (2)

• Electronic Communications Privacy Act (1986) – often referred to as the federal wiretapping act
  - primarily designed to prevent unauthorized government access to private electronic communications
  - sets high standards for search warrants concerning:
    - wire, oral & electronic communications while in transit
    - communications held in electronic storage
    - dialing, routing, addressing & signaling information …
  - some provisions of the act were later weakened by the Patriot Act

US Laws: Privacy (3)

• Health Insurance Portability and Accountability Act – HIPAA (1996) – aims to protect the confidentiality and security of health data
  - requires organizations that retain health care information to use comprehensive information security mechanisms
  - severely restricts dissemination & distribution of private health info without documented consent
  - gives patients the right to know who has access to and who has accessed their information
  - gives patients the right to examine & obtain a copy of their own data

US Laws: Privacy (4)

• Gramm-Leach-Bliley Act (1999) – contains a number of provisions that affect banks, securities firms, and insurance companies
  - the act requires that such institutions:
    - implement a comprehensive info. security program with appropriate administrative, technical and physical safeguards
    - ensure the security and confidentiality of customer info., and protect customer info. from unauthorized access by a 'third party' that could result in harm or inconvenience to the customer

Safeguarding the confidentiality and integrity of customer information is no longer just a best practice for financial institutions – it is now a legal requirement.

http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027122
US Laws: Privacy (5)

• Children's Online Privacy Protection Act – COPP Act (1998) – prohibits certain actions by websites and similar services that are directed at children, & by any site that has actual knowledge that it is collecting personal information from a person younger than 13
  - the act prohibits such sites from:
    - collecting and using identifying info (name, postal code, address, Social Security number) from children under 13 unless they have obtained verifiable parental consent
    - requiring registration with personal info as a condition for playing games, applying for prizes, etc.

http://www.priv.gc.ca/fs-fi/02_05_d_15_e.cfm

Canadian Laws: Privacy

Two key Canadian (federal) privacy laws:

1) The Privacy Act – imposes obligations on federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information.

2) Personal Information Protection and Electronic Documents Act (PIPEDA) – sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

US Laws: Export & Espionage (1)

• Economic Espionage Act (1996) – attempts to prevent illegal sharing of trade secrets
  - the first federal law that defines 'trade secret' and severely punishes any individual or organization that knowingly steals, copies, receives, buys or possesses trade secrets, or conspires to do so
  - penalties: fines of up to $500,000 or 15 years in prison (or both) for individuals, and fines of up to $10 million for organizations
  - trade secret = all forms and types of financial, business, scientific, technical, economic or engineering information that the owner has taken reasonable measures to keep secret and that is not known to the public

http://www.shreditprovidence.com/Legislation/economicespionageact.pdf

US Laws: Export & Espionage (2)

• Security And Freedom Through Encryption (SAFE) Act (1999) – provides guidance on the use of encryption, and provides measures of protection from government intervention; specifically, the act …
  - relaxes restrictions concerning the sale and export of cryptographic products, which used to be tightly controlled by the government
  - states that the use of encryption is not probable cause to suspect criminal activity – people can use encryption freely
  - provides additional penalties for the unlawful use of encryption in furtherance of a criminal act – e.g., with the intent to conceal a felony

  Note: the SAFE Act was a bill introduced in the US House of Representatives and was never enacted into law; the loosening of US cryptography export controls actually came through revisions of the export regulations in 2000.
US Laws: Copyright Laws

• No Electronic Theft (NET) Act (1997) – provides for criminal prosecution of individuals who engage in copyright infringement
  - prior to this act, criminal copyright infringement required that the infringement was for the purpose of "commercial advantage or private financial gain"; merely downloading files from the Internet did not constitute criminal activity
  - the act still permits the use of copyrighted material to support news reporting, teaching, … as long as it is not for profit and proper acknowledgment is provided

US Laws: Sarbanes-Oxley Act

• Sarbanes-Oxley Act (2002) – passed as a result of a series of financial scandals in 2001-2002 (Enron, WorldCom) – intended to protect the general public from accounting errors & fraudulent practices
  - puts far greater responsibility on the shoulders of corporate executives regarding:
    - effective & efficient operation (including IT and Info Sec operation)
    - reliable financial reporting and auditing
    - compliance with applicable laws & regulations
  - the act requires that business records (paper & electronic) relevant to financial audits be retained for 5 years
  - Canadian equivalent: Bill 198 (2003)

US Laws: Sarbanes-Oxley Act (cont.)

http://www.dgslaw.com/images/materials/electronicevidence.pdf

International Laws

Info Sec related laws (may) vary considerably from one country to another. When organizations do business on the Internet, they do it globally; hence, it is important to be sensitive to the laws and ethical values of different countries …

Ethics

• Code of Ethics – sets out general principles about an organization's beliefs on matters such as mission, quality, privacy or the environment
  - the effectiveness of such codes depends on the extent to which the respective organizations support them with sanctions & rewards
  - doctors and lawyers who violate the ethical canons of their professions can be removed from practice
  - the field of Information Security (and IT) does not have a binding Code of Ethics
  - instead, professional associations (ACM) and accreditation agencies ((ISC)2, SANS) work to establish the profession's codes of conduct

Ethics (cont.)

• 10 Commandments of Computer Ethics (Computer Ethics Institute; intended for the IT community)

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people's computer work.

3. Thou shalt not snoop around in other people's computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people's computer resources without authorization or proper compensation.

8. Thou shalt not appropriate other people's intellectual output.

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Ethics (cont.)

• For Information Security professionals, failure to obey a Code of Ethics can mean loss of accreditation or certification …
  - and consequently (may) result in dramatically reduced marketability and earning power

Organizations with Code of Ethics

1. Association for Computing Machinery (ACM) – respected non-profit professional society with a scientific & educational orientation
  - ACM's code of ethics addresses a wide range of ethical duties; the ones related to information security specify that each ACM member should:
    - protect the confidentiality of information
    - cause no harm (e.g. loss) to information
    - protect the privacy of others
    - protect the IP & copyright of others

Ethics (cont.)

2. (ISC)2 – non-profit organization; focuses on the development & implementation of info. sec. certifications & credentials
  - the 4 mandatory canons of the (ISC)2 code of ethics are:
    - protect society, the commonwealth, and the infrastructure
    - act honorably, honestly, justly, responsibly and legally
    - provide diligent and competent service to principals
    - advance and protect the profession

3. SANS Institute (GIAC) – professional research & education cooperative organization; prepares individuals for GIAC certification
  - GIAC's code of ethics is organized into 3 key areas:
    - I will strive to know myself and be honest about my capability
    - I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism
    - I respect privacy and confidentiality