Presentation on theme: "Law and Ethics for Security"— Presentation transcript:
1Law and Ethics for Security CS461/ECE422Computer Security IFall 2011
2OverviewCybercrimeIntellectual propertyLaw and privacyEthics
3Reading Material Chapter 18 of text Secrets of Computer Espionage: Tactics and Countermeasures, Joel McNamara, Chapter 2. On compass.CyberLaw web course from DoD.
4Motivation Need to understand legal environment Protect self/organizationFrom law suitsFrom tainted evidenceFrom attackersUnderstand personal rights and obligationsCaveat: I am not a legal professional...
5Four Lanes of the RoadCyberLaw course identifies four classes of investigatorsService ProviderLaw EnforcementIntelligenceWar FighterLaws affect them differently
6Computer Crime Historically difficult to prosecute Lack of computer expertiseLaws referred only to the physicalExample: computer break in case that had to be stated in terms of lost computer time instead of lost dataVictims are hesitant to come forwardA bank doesn’t want its customers to know it has been compromisedCheaper/easier just to absorb the cost or pay off the attacker
7Role of Computer in Crime Computer is the source of the crime, e.g., theftExisting theft laws applyComputer is means used to commit crime, e.g., net botsUnique to computersComputer used as storage device, e.g., store stolen passwords, proprietary corporate info, pornographic infoComputer incidental to the crime, .e.g, computer was used to send discussing crime, stores spread sheets tracking illegal salesComputer contains evidence to prosecute other crime. Search and seizure concerns
8Computer Fraud and Abuse Act (CFAA) of 1986 Criminalize unauthorized access to “protected computers”Federal computersComputers owned by large financial institutionsComputers user for communication or interstate commercePretty much any computer on the InternetUSAPA includes foreign computers if they affect interstate commerceCriminalizesComputer extortion, Computer Fraud, Theft of financial information, trafficking in passwords, transmitting malware.Maximum penalty of 20 years and $250,000 fineMust cause at least $5,000 damageRobert Morris of the original worm sentenced to 400 hours community service and $10,500
9Economic Espionage Act of 1996 Addresses theft of trade secretsFBI can be involved in a foreign government is suspectedRedefines “goods, wares, or merchandise” to include company's “proprietary economic information”.
10Intellectual property from Computer Perspective SoftwareProtected by copyright. In some cases patentDatabasesIf it contains information of commercial value could be protected by copyrightDigital content, e.g. audio files, video files, web site contentAlgorithmsPatentable algorithms, e.g. RSA
11Digital Millennium Copyright Act (DMCA) Encourages technical controlsTo prevent accessTo prevent copyingDigital Rights Management (DRM)Service providers must track IP assignment to satisfy DMCA requests
12Tension between Privacy and Security Understanding expectations of privacyRelevant laws and technologies4th amendmentWiretappingPatriot ActKey Escrow/DESFreedom of Information Act
13European Union Data Protection Directive Principles of information use:Notice: organization must notify individuals of what information they are collecting on themConsent: individuals must be able to choose whether their information is disclosedConsistency: organization must follow items 1 and 2Access: individuals can access, update, delete data collected on themSecurity: organizations must provide adequate securityOnward transfer: third parties receiving data must provide same controlsEnforcement: individual (or government on individuals behalf) can take action on failure
144th Amendment Fundamental privacy protection The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
15USA PATRIOT Act (USAPA) Covers many thingsIn our scope, augments or clarifies previous laws addressing electronic privacyAcronymUniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
16Wiretapping Can wiretap only for “serious” crime Require court orders Wiretap act established in 1968Set of serious crimes has grown, false info on student loan applications?Require court ordersPen Registers and Tap-and-trace devices only capture “header” information, e.g., dialed numbers but not conversationFull wiretap also captures contentMust demonstrate probable cause for full wiretapWiretapping reports ts.aspx
17Electronic Wiretapping Electronic Communication Privacy Act of 1986 (ECPA)Expands Wiretap Act to include electronic communicationsThree exceptions that don’t require court authorizationIndividual can monitor communication resulting from a break in on her computerBanner that alerts computer is private implies consent to monitoringMonitor to prevent misuse of system (by non-govt entity)USAPA said only a single court jurisdiction needed to be involved in issuing warrants
18Electronic Search Stored Communications Act of ECPA Covers privacy of stored electronic dataStored with a third partySince the data is outside your control, you do not have the same expectation of privacy that you would say in your houseNo search warrant and court order neededOnly subpoena and prior notice (to ISP)Google’s transparency reportWhat does this mean for cloud computing?Currently being tussled with in court
19Ensuring Wiretap Availability Communications Assurance for Law Enforcement Act of 1994 (CALEA)Requires that telecommunication carriers use equipment that is compatible with wiretappingEnforced by FBI groupExpensive to comply withEstimated telcos will spend 0.5 to 2.7 billion dollars to comply over 5 years.
20CALEA Expansions Recent FCC expansions IP telephony must be CALEA compliant if server-orientedVonage, yes. Skype, no.Expanded definition of service provider to include Universities2006 ruling confirms that Universities must comply but private network communication is exempted (e.g., staying within UIUC network)
21Foreign Intelligence Surveillance Act (FISA) Addresses intelligence community instead of law enforcementGenerally another country is involvedInfo can be used in criminal courts with restrictionsSeparate court reviews requests
22USAPA extensions to FISA Roving wiretapsSpecify target instead of phone number or type of communicationMay over monitor to gather right data, e.g. LibraryReduced Burden of Proof for Pen registerCan use on non-citizen simply to further investigationCitizens protected by First Amendment...
23FISA and the War fighter Do FISA restrictions apply to the war fighter?
24Privacy Functional Requirements Common Criteria functional requirements for privacyAnonymityCannot determine real user identityPseudonymityLike anonymity but can make user accountable for resource useUnlinkabilityCannot tie together multiple instances of resource use to the same individualUnobservabilityOthers cannot tell that resource is being used
25International Law Most western countries have similar laws E.U. Data Protection Act in fact leads in personal privacyDifficulty in enforcing computer crime nowAttackers generally bounce through multiple countriesLook for talks from NCSA or CITES peopleFrench restrictions on EncryptionIllegal to use encryption in France until the late 1990’sNow requires registration and key escrowSimilar constraints in China and IndiaChina laws against speech causing civil unrestBad press against Google, Yahoo, Cisco, Microsoft and othersE.g., “democracy” and “freedom” gets no hits on the Chinese version of Microsoft’s portal
26CryptographyUntil 1998, US had stringent restrictions on export of strong encryptionCryptography as munitionsNational SecurityPGP source and “Warning: this T-shirt may be a controlled munition”,In 1996 US government offered to reduce export restrictions for escrow encryptionClipper chip, Capstone, ForezzaEncryptions algorithms not fully explainedEarlier details of reasons for DES not fully explainedAssumed NSA changed design for a backdoor
27Industry Pressure on Compliance Three major regulations:Sarbanes-Oxley Act (SOA or SOX)Gramm-Leach-Bliley Act (GLBA)Health Insurance Portability and Accountability Act (HIPAA)Compliance – providing assurance that controls are in place and effective.Not sufficient to just implement security services – must demonstrate continual control and management involvement.
28Gramm-Leach-Bliley Act of 1999 Requires financial institutions to protect confidentiality of customers’ nonpublic personal data“Customer Records”Social Security, Drivers License, BirthdateCredit Card NumbersLoan and Account numbersAuthorized federal agencies (including SEC and FDIC) to work out the specific regulationsSpecifies a point employee, risk assessments, regular tests, and process for updating security plan
29Health Insurance Portability and Accountability Act of 1996 Requires health-oriented companies to take reasonable safeguards to ensure the integrity and confidentiality of individually identifiable health informationClaims or equivalent encounter informationPayment and Remittance AdviceClaim Status Inquiry/ResponseEligibility Inquiry/ResponseReferral Authorization Inquiry/ResponseSecurity of Health and Human Services in chargeDrove many technology changes in the health sector
30Sarbanes-Oxley Act of 2002 (SOX) Response to EnronRequires companies to produce annual reports on internal financial controlsDirected by SECCost of complianceHeavy auditing requirementsLack of clarity early on concerned many companiesSome companies de-listed rather than comply
31Ethics Just because it is legal doesn’t mean it is right And visa versaWhat are you moral guidelines?ReligionAbsolute right and wrongNatural lawGreatest goodEnds justify the meansWhatever seems good at the timeWhat my boss tells me
32Professional Codes of Conduct ACMIEEEAITPState of Illinois Ethics trainingBoy Scout Law
33Conflicts of InterestBetween Software Professional and Employer
34Find Flaw in Insulin Pump From recent DEFCON presentation.Authentication and encryption problem in wireless Insulin Pump. With 10 lines of perl can remotely adjust pump operationTell people of flaw? Work with manufacturer?What are the ethical issues and consequences?
35Forced InoculationDiscussed inYou have a piece of software that will fix a vulnerability that is being exploited by the malware du jourDo you send out your own worm to inoculate?
36Key Points Laws and policy describe security and privacy intents Laws cover a range of computer issuesIntellectual PropertyGovernment security enforcementComputer crimeComputer investigationUnderstanding laws importantMany laws written without sufficient technical reviewImpacts you or your companyLarge societal implications