4482LawEthics.ppt

1
8/24/2023 1
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by
appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
CSE 4482: Computer Security Management:
Assessment and Forensics

2
Ch 12: Law and Ethics
• Upon completion of this chapter, you should be
able to:
– Differentiate between law and ethics
– Describe the ethical foundations and approaches that
underlie modern codes of ethics
– Identify major national and international laws that
relate to the practice of information security
– Describe the role of culture as it applies to ethics in
information security
– Identify current information on laws, regulations, and
relevant professional organizations
Management of Information Security, 3rd ed.

3
Introduction
• All information security professionals must
understand the scope of an organization’s
legal and ethical responsibilities
• Understand the current legal environment
– Keep apprised of new laws, regulations, and
ethical issues as they emerge
– To minimize the organization’s liabilities
• Educate employees and management
about their legal and ethical obligations
– And proper use of information technology

4
Law and Ethics in Information
Security
• Laws: Rules adopted and enforced by
governments to codify expected behavior in
modern society
• Ethics: Relatively fixed moral attitudes or
customs of a societal group (based on
cultural mores)
• The key difference between law and ethics
is that law carries the sanction of a
governing authority and ethics do not

5
Information Security and the Law
• InfoSec professionals and managers must
understand the legal framework within
which their organizations operate
• Can influence the organization to a greater
or lesser extent, depending on the nature of
the organization and the scale on which it
operates

6
Types of Law
• Civil law
– Pertains to relationships between and among
individuals and organizations
• Criminal law
– Addresses violations harmful to society
– Actively enforced and prosecuted by the state
• Tort law
– A subset of civil law that allows individuals to
seek redress in the event of personal, physical,
or financial injury

7
Civil lawsuits
• In a civil law problem, ‘victim’ must take
action to get a legal remedy (adequate
compensation).
– ‘victim’ must hire a private lawyer & pay expenses
of pursuing the matter
– the police does not get involved, beyond the point
of restoring the order
• In Civil Law, to convict someone, the guilt
must be proven on ‘balance of probabilities’.
• In Civil Law, monetary remedies (damages)
are most common.

8
Criminal cases
In a criminal law problem, ‘victim’ (may)
report the case to the police and they have
the responsibility to investigate.
• if charge has been properly laid and there is
supporting evidence, the Crown Prosecutor
(not person who complains of incident)
prosecutes in the courts – public funds
finance these services
• even if a ‘victim’ starts a prosecution
privately, the Attorney General has the power
to take over the prosecution

9
Criminal cases II
• In Criminal Law, to convict someone, the guilt
must be proven ‘beyond reasonable doubt’.
• In Criminal Law, the sentence to the offender
may include one or a combination of the
following:
– fine
– restitution – compensate for victim’s loss or
damages
– probation
– community service
– imprisonment

10
Types of Law (contd.)
• Private law
– Regulates the relationships among individuals
and among individuals and organizations
• Family law, commercial law, and labor law
• Public law
– Regulates the structure and administration of
government agencies and their relationships
with citizens, employees, and other
governments
• Criminal, administrative, and constitutional law

11
Question
• Is DDoS a civil or criminal offence?

12
Policy Versus Law
• Difference between policy and law
– Ignorance of policy is an acceptable defense
• Policies must be:
– Distributed to all individuals who are expected
to comply with them
– Readily available for employee reference
– Easily understood, with multilingual, visually
impaired and low-literacy translations
– Acknowledged by employee with consent form
– Uniformly enforced for all employees

13
International Laws and Legal Bodies
• International trade is governed by
international treaties and trade agreements
– Many domestic laws and customs do not apply
• There are currently few international laws
relating to privacy and information security
– Because of cultural differences and political
complexities of the relationships among
nations

14
International Laws and Legal
Bodies (cont’d.)
• European Council Cyber-Crime Convention
– Empowers an international task force to
oversee a range of Internet security functions
• Standardizes technology laws internationally
– Attempts to improve the effectiveness of
international investigations into breaches of
technology law
– Goal is to simplify the acquisition of information
for law enforcement agents in certain types of
international crimes, as well as the extradition
process

15
International Laws and Legal
Bodies (cont’d.)
• The Digital Millennium Copyright Act
– A U.S.-based international effort to reduce the
impact of copyright, trademark, and privacy
infringement, especially via the removal of
technological copyright protection measures
• European Union Directive 95/46/EC
– Increases individual rights to process and
freely move personal data
• Database Right
– U.K. version of this directive

16
Relevant U.S. Laws
• The Computer Fraud and Abuse Act of 1986
(CFA Act)
– landmark in the fight against cybercrime : the first law
to address crime in which the computer is the ‘subject’
– The cornerstone of many computer-related federal
laws and enforcement efforts
– Amended in October 1996 by the National Information
Infrastructure Protection Act
– Further modified by the USA Patriot Act of 2001
• Provides law enforcement agencies with broader latitude to
combat terrorism-related activities
• The USA Patriot Act was updated and extended, in many
cases permanently

17
CFA Act
criminal offences under the CFA Act:
• knowingly accessing a computer without
authorization or exceeding authorized access
to obtain national security data
• intentionally accessing a computer without
authorization (or) to obtain one of the
following:
– a financial record of a financial institution;
– information from any US-government department or agency;
– information from any protected computer.
• 3) intentionally accessing without authorization
(or) a government computer and affecting the
use of the government’s operation of the
computer

18
CFA Act – contd.
• knowingly causing the transmission of a
program, information, code or command that
causes damage such as:
– loss to one or more persons (or companies) during any one-
year period aggregating at least $5,000 in value
– the modification or impairment of medical records
– physical injury to any person
– a threat to public health of safety
– damage affecting a government computer system
• 5) knowingly and with intent to defraud traffics
a password or a similar information through
which a computer may be accessed without
authorization

19
CFA Act – contd.
• although the Act does not specifically
mention hacking, malware and
denial of service, they are its main
focus
• Punishment for offences prosecuted
under the CFAA varies from fines to
imprisonment of up to 20 years, or both.

20
Case Study: Morris Case (1988)
One of the first cases prosecuted under the CFA Act.
• Morris, a Ph.D. candidate in CS (Cornell U), wanted to
demonstrate the weakness of security measures of
computers on the Internet, a network linking university,
government and military computers around the US.
• His plan was to insert a worm into as many computers
as he could gain access to, but to ensure that the worm
replicated itself slowly enough that it would not cause
the computers to slow down or crash.
• However, Morris miscalculated how quickly the worm
would replicate. By the time he released a message on
how to kill the worm, it was too late: Some 6,000
computers had crashed or become "catatonic“ at
numerous institutions, with estimated damages of $200
to $53,000 for each institution.
• Morris was sentenced to three years‘ probation and 400
hours of community service, and was fined $10,500.

21
Relevant U.S. Laws (cont’d.)
• The Computer Security Act of 1987
– One of the first attempts to protect federal
computer systems
• Established minimum acceptable security practices
– Established a Computer System Security and
Privacy Advisory Board within the Department
of Commerce
– Requires mandatory periodic training in
computer security awareness and accepted
computer security practice for all users of
Federal computer systems

22
(cont’d.)
– Charged the National Bureau of Standards and
the NSA (now NIST) with the development of:
• Standards, guidelines, and associated methods and
techniques for computer systems
• Uniform standards and guidelines for most federal
computer systems
• Technical, management, physical, and
administrative standards and guidelines for the cost-
effective security and privacy of sensitive
information in federal computer systems

23
(cont’d.)
– Charged the National Bureau of Standards and
the NSA ( now NIST) with the development of:
(cont’d.)
• Guidelines for operators of federal computer
systems containing sensitive information in training
their employees in security awareness
• Validation procedures for, and evaluation of the
effectiveness of, standards and guidelines
– Through research and liaison with other government and
private agencies

24
Patriot Act
• allows law enforcement greater latitude in
combating criminals and terrorists who use
computers and communication networks
[telephone, computer, wireless]
– L.E. has authority to intercept voice
communications in computer hacking
investigations
– L.E. has authority to obtain voice mail and other
stored voice communications using standard
search warrants rather than wiretap orders
– L.E. has authority to trace communications on the
Internet and other computer networks

25
Patriot Act - II
• L.E. has authority to issue nationwide search
warrants for e-mails and other electronic data
⇒ ISPs compelled to disclose unopened
emails …
• ISPs are permitted to disclose customer info
in the case of emergency - if they suspect an
immediate risk of death or serious physical
injury to any person
• Patriot Act one of the most controversial acts – gives
away personal freedoms and constitutional rights
inexchange for higher levels of national) safety …
For more see:
http://www.justice.gov/criminal/cybercrime/PatriotAct.htm

26
Case Study: Patriot Act vs.
Constitution (2004)
• “ … While conducting surveillance of the defendant and
co-defendant, the agents lost track of them. The agents
then dialed the defendant’s cell phone several times, and
used the provider’s computer data to determine which
cell transmission towers were being ‘hit’ by that phone.
The cell’s data revealed the defendant’s general
locationand helped catch him.
• On appeal of his conviction, the defendant argued that
the cell-site data and resulting evidence should have
been suppressed because they turned his phone into a
tracking device – and that violated his constitutional
rights …”
• The court found that the cell-site data falls under the
category of ‘electronic communication’, hence was not
illegal …
• “Computer Forensics: Principles and Practices”, pp. 423 by L.
Volonino, R. Anzaldua, J. Godwin

27
• Privacy Laws
– Many organizations collect, trade, and sell
personal information as a commodity
• Individuals are becoming aware of these practices
and looking to governments to protect their privacy
– Aggregation of data from multiple sources
permits unethical organizations to build
databases with alarming quantities of personal
information

28
• Privacy Laws (cont’d.)
– The Privacy of Customer Information Section
of the section of regulations covering common
carriers
• Specifies that any proprietary information shall be
used explicitly for providing services, and not for
any marketing purposes
– The Federal Privacy Act of 1974 regulates the
government’s use of private information
• Ensure that government agencies protect the
privacy of individuals’ and businesses’ information

29
• Privacy Laws (cont’d.)
– The Electronic Communications Privacy Act of
1986
• A collection of statutes that regulates the
interception of wire, electronic, and oral
communications
– These statutes work in cooperation with the
Fourth Amendment of the U.S. Constitution
• Prohibits search and seizure without a warrant

30
• Health Insurance Portability &
Accountability Act Of 1996 (HIPAA)
– An attempt to protect the confidentiality and
security of health care data
• Establishes and enforces standards
• Standardizes electronic data interchange
– Requires organizations that retain health care
information to use information security
mechanisms to protect this information
• Also requires an assessment of the organization's
InfoSec systems, policies, and procedures

31
HIPPA II
• Provides guidelines for the use of electronic
signatures
– Based on security standards ensuring message
integrity, user authentication, and nonrepudiation
• Fundamental privacy principles:
– Consumer control of medical information
– Boundaries on the use of medical information
– Accountability for the privacy of private information
– Fundamental privacy principles: (cont’d.)
• Balance of public responsibility for the use of medical
information for the greater good measured against impact to
the individual
• Security of health information

32
The Financial Services
Modernization Act
• Also called Gramm-Leach-Bliley Act of 1999
• Applies to banks, securities firms, and insurance
companies
• Requires all financial institutions to disclose their
privacy policies
– Describing how they share nonpublic personal
information
– Describing how customers can request that their
information not be shared with third parties

33
The Financial Services
Modernization Act II
– Ensures that the privacy policies in effect in an
organization are fully disclosed when a
customer initiates a business relationship
• Distributed at least annually for the duration of the
professional association
– Safeguarding the confidentiality and
integrity of customer information is no
longer just a best practice for financial
institutions – it is now a legal
requirement.

34
• Export and Espionage Laws
– Economic Espionage Act (EEA) of 1996
• An attempt to protect intellectual property and
competitive advantage
• Attempts to protect trade secrets from the foreign
government that uses its classic espionage
apparatus to spy on a company
– Also between two companies
– Or a disgruntled former employee

35
• Export and Espionage Laws
– The Security and Freedom through Encryption
Act of 1997
• Provides guidance on the use of encryption
• Institutes measures of public protection from
government intervention
• Reinforces an individual’s right to use or sell
encryption algorithms
• Prohibits the federal government from requiring the
use of encryption for contracts, grants, and other
official documents, and correspondence

36
Relevant Canadian Laws
Two key Canadian (federal) privacy laws:
• The Privacy Act - imposes obligations on
federal government departments and
agencies to respect privacy rights by
limiting the collection, use and
disclosure of personal information.
• Personal Information Protection and
Electronic Document Act (PIPEDA) -
sets out ground rules for how private
sector organizations may collect, use or
disclose personal information in the
course of commercial activities.
Figure 12-1: Export restrictions
Source: Course Technology/Cengage Learning

37
• U.S. Copyright Law
– Extends protection to intellectual property,
including words published in electronic formats
– ‘Fair use’ allows material to be quoted so long
as the purpose is educational and not for profit,
and the usage is not excessive
– Proper acknowledgement must be provided to
the author and/or copyright holder of such
works
• Including a description of the location of source
materials, using a recognized form of citation

38
• Freedom of Information Act of 1966
– All Federal agencies are required to disclose
records requested in writing by any person
– Applies only to Federal agencies and does not
create a right of access to records held by
Congress, the courts, or by state or local
government agencies
• Sarbanes-Oxley Act of 2002
– Enforces accountability for the financial record
keeping and reporting at publicly traded
corporations

39
• Sarbanes-Oxley Act of 2002 (cont’d.)
– Requires that the CEO and chief financial
officer (CFO) assume direct and personal
accountability for the completeness and
accuracy of a publicly traded organization’s
financial reporting and record-keeping systems
• As these executives attempt to ensure that the
systems used to record and report are sound, the
related areas of availability and confidentiality are
also emphasized

40
State and Local Regulations
• Information security professionals must
understand state laws and regulations
– Ensure that their organization’s security policies and
procedures comply
• Georgia Computer Systems Protection Act
– Has various computer security provisions
– Establishes specific penalties for use of information
technology to attack or exploit information systems in
organizations
• The Georgia Identity Theft Law
– a business may not discard a record containing
personal information unless it shreds, erases, modifies,
or otherwise makes the information irretrievable

41
Ethics in Information Security
• The student of information security is not
expected to study the topic of ethics in a
vacuum, but within a larger ethical
framework
– Information security professionals may be
expected to be more articulate about the topic
than others in the organization
– Often must withstand a higher degree of
scrutiny

42
Ten Commandments of
Computer Ethics
From the Computer Ethics Institute
• Thou shalt not:
– Use a computer to harm other people
– Interfere with other people's computer work
– Snoop around in other people's computer files
– Use a computer to steal
– Use a computer to bear false witness
– Copy or use proprietary software (w/o paying)

43
Ten Commandments - contd
– Use other people's computer resources
without authorization or proper
compensation
– Appropriate other people's intellectual
output
– Think about the social consequences of
the program you are writing or the system
you are designing
– Always use a computer in ways that
ensure consideration and respect for fellow
humans

44
Ethics and Education
• Differences in computer use ethics
– Not exclusively cultural
– Found among individuals within the same
country, within the same social class, and
within the same company
• Key studies reveal that the overriding factor
in leveling the ethical perceptions within a
small population is education
• Employees must be trained on the
expected behaviors of an ethical employee

45
Deterring Unethical and Illegal
Behavior
• InfoSec personnel should do everything in
their power to deter unethical and illegal
acts
– Using policy, education and training, and
technology as controls to protect information
• Categories of unethical behavior
– Ignorance
– Accident
– Intent

46
Deterring Unethical and Illegal
Behavior (cont’d.)
• Deterrence
– Best method for preventing an illegal or
unethical activity
– Examples: laws, policies, and technical
controls
– Laws and policies and their associated
penalties only deter if three conditions are
present:
• Fear of penalty
• Probability of being caught
• Probability of penalty being administered

47
Professional Organizations and
their Codes of Ethics
• Some professional organizations have
established codes of conduct and/or codes
of ethics (e.g. ACM, Bar assoc, Nurses Assoc)
– Members are expected to follow
– Codes of ethics can have a positive effect on
an individual’s judgment regarding computer
use
• Security professionals must act ethically
– According to the policies and procedures of
their employers, their professional
organizations, and the laws of society

48
Organizational Liability and the
Need for Counsel
• What if an organization does not support or
encourage strong ethical conduct by its
employees?
• What if an organization does not behave
ethically?
• If an employee, acting with or without the
authorization, performs an illegal or
unethical act, causing some degree of
harm, the organization can be held
financially liable for that action

49
Organizational Liability and the
Need for Counsel (cont’d.)
• An organization increases its liability if it
refuses to take measures (due care) to
make sure that every employee knows
what is acceptable and what is not, and the
consequences of illegal or unethical actions
• Due diligence requires that an organization
make a valid and ongoing effort to protect
others

50
Managing Investigations in the
Organization
• When (not if) an organization finds itself dealing
with a suspected policy or law violation
– Must appoint an individual to investigate it
– How the internal investigation proceeds
• Dictates whether or not the organization has the ability to take
action against the perpetrator if in fact evidence is found that
substantiates the charge
• In order to protect the organization, and to
possibly assist law enforcement in the conduct of
an investigation
– The investigator (CISO, InfoSec Manager or other
appointed individual) must document what happened
and how

51
Summary
• Introduction
• Law and ethics in information security
• The legal environment
• Ethical concepts in information security
• Professional organizations’ codes of ethics
• Organizational liability and the need for
counsel
• Key U.S. Federal agencies
• Managing investigations in the organization

4482LawEthics.ppt

Recommended

Recommended

More Related Content

Similar to 4482LawEthics.ppt

Similar to 4482LawEthics.ppt (20)

Recently uploaded

Recently uploaded (20)

4482LawEthics.ppt