Lesson 24-Security and Law

Upload: randy-millet

Post on 30-Mar-2015


Page 1: Lesson 24-Security and Law. Background Computer security is similar to any other subject in the society. As it changes our lives, laws will be enacted

Lesson 24-Security and Law

Background

Computer security is similar to any other subject in society. As it changes our lives, laws will be enacted to:

– Enable desired behaviors.
– Prohibit undesired behaviors.

Laws may have been overly restrictive, limiting business options, such as in the area of importing and exporting encryption technology.

In other cases, legislation is being implemented slowly, and this fact has hindered business initiatives, such as in digital signatures.

Objectives

Upon completion of this lesson, the learner will be able to:

– List laws and rules concerning importing and exporting encryption software.
– List laws that govern computer access and trespass.
– List laws that govern encryption and digital rights management.
– List laws that govern digital signatures.
– List computer security laws that govern privacy in various industries.
– List laws that enforce ethical behavior.

Encryption Restrictions

Governments control encryption technology.

– The level of control varies from outright banning to little or no regulation.

Control over import and export is a vital method of maintaining a level of control over encryption technology in general.

Laws and restrictions center on cryptography. Commercial transactions and network communications have expanded the use of cryptographic methods to include secure network communications.

United States Law

Export controls on commercial encryption products are administered by the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce.

Encryption protection has been accorded the same level of attention as the export of weapons for war. With the rise of the Internet, this position has somewhat relaxed.

– The United States updated its encryption export regulations to provide treatment consistent with the regulations adopted by the European Union (EU).
– The member nations of the Wassenaar Arrangement agreed to remove key length restrictions on encryption hardware and software.
– This action effectively removed “mass market” encryption products from the list of dual-use items controlled by the Wassenaar Arrangement.

The U.S. encryption export control policy rests on three principles:

– Review of encryption products prior to sale.
– Streamlined post-export reporting.
– License review of certain exports of strong encryption to foreign government end users.

U.S. rules require notification to the BIS for export in all cases.

The restrictions are lessened for “Mass Market” products as defined by all of the following:

– They are generally available to the public by being sold, without restriction, from stock at retail selling points by any of these means:
  • Over-the-counter transactions
  • Mail-order transactions
  • Electronic transactions
  • Telephone call transactions
– The cryptographic functionality cannot be easily changed by a user.
– They are designed for installation by a user without substantial support by the supplier.
– Details of the items are accessible and will be provided to the appropriate authority in the exporter's country to ascertain compliance with export regulations.

Mass-market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with BIS regulations.

Non-U.S. Laws

Export control rules for encryption technologies fall under the Wassenaar Arrangement.

The Wassenaar Arrangement was established to contribute to regional and international security and stability.

– It promotes transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.

Many nations have more restrictive policies than those agreed upon as part of the Wassenaar Arrangement.

Digital Signature Laws

On October 1, 2000, the Electronic Signatures in Global and National Commerce Act came into force in the United States.

The existence of the E-Sign law and the Uniform Electronic Transactions Act (UETA) has enabled e-commerce transactions to proceed.

The resolution of the technical details via court actions will probably have little effect on consumers.

Non-U.S. Laws

– The UN General Assembly adopted the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.
– These model laws have become the basis for many national and international efforts in this area.

Canada

– Adopted a national model bill for electronic signatures to promote e-commerce.
  • The Uniform Electronic Commerce Act (UECA) allows the use of electronic signatures in communications with the government.
– Individual Canadian provinces have passed similar legislation.
  • They define digital signature provisions for e-commerce and government use.

The European Union

– The European Commission adopted a Communication on Digital Signatures and Encryption: “Toward a European Framework for Digital Signatures and Encryption.”

Digital Rights Management

The Digital Millennium Copyright Act (DMCA) was enacted on October 20, 1998.

– This Act makes it illegal to develop, produce, and trade any device or mechanism designed to circumvent technological controls used in copy protection.

Copy protection methods are cryptographic in nature. This provision therefore has the ability to eliminate, or severely limit, research into encryption and into the strengths and weaknesses of specific methods.

The Digital Millennium Copyright Act (Section 1201(g)) allows exemptions for legitimate research.

There are specific exemptions for research, provided four elements are satisfied:

– The person has lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work.
– Such act is necessary to conduct such encryption research.
– The person made a good faith effort to obtain authorization before the circumvention.
– Such act does not constitute infringement under this title.

Privacy Laws

Governments in Europe and the United States have taken different approaches to control privacy via legislation.

United States Laws

The Electronic Communications Privacy Act (ECPA) of 1986 addresses a myriad of legal privacy issues related to computers and technology specific to telecommunications.

– Sections of this law address e-mail, cellular communications, workplace privacy, and other electronic communication issues.
– It prohibits an employer's monitoring of an employee's computer usage, including e-mail, unless consent is obtained.
– It protects electronic communications from wiretap and outside eavesdropping.
– Users have a reasonable expectation of privacy under the Fourth Amendment to the Constitution.

The use of a warning banner, typically displayed whenever a network connection occurs, serves four main purposes:

– Banners establish the level of expected privacy (usually none on a business system) and serve as consent to real-time monitoring from a business standpoint.
– The banner tells the user that their connection to the network signals their consent to monitoring.
– Consent can also be obtained to look at files and records.

The Patriot Act of 2001 substantially changed the levels of checks and balances in U.S. privacy laws.

– It extends the tap and trace provisions of wiretap statutes to the Internet.
– It mandates technological modifications at ISPs to facilitate electronic wiretaps on the Internet.
– It permits the Justice Department to roll out the Carnivore program, an eavesdropping program for the Internet.
– It permits federal law enforcement personnel to investigate computer trespass and enacts civil penalties for trespassers.

In 1999, the Gramm-Leach-Bliley (GLB) Act, which has privacy provisions for individuals, affected the financial industry.

– GLB privacy provisions include an opt-out method for individuals.
– Some internal information sharing is required under the Fair Credit Reporting Act (FCRA) between affiliated companies, but GLB ended sharing to external third-party firms.

The Identity Theft and Assumption Deterrence Act (ITADA) governs identity privacy and the establishment of identity theft crimes.

It is a violation of federal law to knowingly use another's identity.

– The collection of information is governed by GLB, which makes it illegal for someone to gather identity information on another person under false pretenses.
– Student records have even further protections under the Family Education Records and Privacy Act of 1974.

The Fair and Accurate Credit Transactions Act of 2003 includes identity-theft provisions.

– They are designed to be consumer-friendly.
– They include a free credit report annually.
– They require merchants to leave all but the last five digits of a credit card number off store receipts.
– They establish a national system of fraud detection allowing consumers to have a single number to call to receive advice, set off a nationwide fraud alert, and protect their credit standing.

Medical and health information and privacy implications

The U.S. Congress enacted the Health Insurance Portability & Accountability Act (HIPAA) of 1996.

– HIPAA mandates changes in the way health and medical data is stored, exchanged, and used.
– HIPAA restricts data transfers to ensure privacy, including security standards and electronic signature provisions.
– It mandates a uniform level of protection regarding all health information of an individual that is housed or transmitted electronically.

– The standard mandates safeguards for physical storage, maintenance, transmission, and access to individuals' health information.
– Organizations that use electronic signatures will have to meet standards ensuring information integrity, signer authentication, and nonrepudiation.
– This law was designed to help users fight identity theft through early notification of the loss of control over personal information stored in computer systems. In other words, it is designed to force firms to notify users whenever their personal information has become compromised.

European Laws

The governments of Europe have developed a comprehensive concept of privacy administered via a set of statutes known as data protection laws.

– These privacy statutes cover all personal data, whether collected and used by the government or by private firms.
– These laws are administered by the state and national data protection agencies in each country.

Privacy laws in Europe focus on the concept that privacy is a fundamental human right that demands protection through government administration.

– The Data Protection Directive has a provision allowing the European Commission to block transfers of personal data to any country outside the EU.
– The EU expressed concerns about the adequacy of data protection in the United States, given the differences in approach between the United States and the EU with respect to data protection.

Computer Trespass

Computer trespass is unauthorized entry into a computer system via any means, including remote network connections.

– For crimes that are committed within a country's borders, national laws apply.
– For cross-border crimes, international laws and international treaties are the norm.
– Enforcement actions stemming from these agreements have been rare, with most actions employing national laws where applicable.

Computer trespass is a crime in many countries. National laws exist in many countries, including the EU, Canada, and the United States.

– These laws vary by state, but they all have similar provisions defining the unauthorized entry into, and use of, computer resources as a crime.

Convention on Cybercrime

– The product of four years of work by the Council of Europe, United States, Canada, Japan, and other countries.
– The convention is similar to a draft treaty.

– It pursues a common criminal policy aimed at protecting society against cybercrime by adopting legislation and promoting international cooperation.
– The convention deals with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

Ethics

Sarbanes-Oxley Act of 2002

– It targets a series of financial reporting irregularities at the highest levels of corporate leadership.
– Although it is aimed at senior executives' abuse of financial reporting systems, these systems are major IT components of a firm.
– Note: the inclusion of IT thus becomes a de facto standard.
– Tampering with the electronic records that maintain a company's ability to perform accurate financial reporting can constitute a violation under this statute.

Sarbanes-Oxley has ramifications through the chain of information used to report the current state of a corporation's financial condition.

– Controls and oversight over all processes used to produce financial reports must include aspects of the Enterprise Resource Planning (ERP) software and the business processes surrounding how it performs its specific functions in the enterprise.
– Validation of the results of this process is subject to review, and given the complexity of the process, reviews and audits of IS processes can be used to monitor compliance.