In this article we discuss Cyber Laws and Liability; in the previous article we discussed What is Malware?.
Ethics is the little voice in the background guiding a cybersecurity specialist as to what he should or should not do, regardless of whether it is legal. The organization entrusts the cybersecurity specialist with the most sensitive data and resources. The cybersecurity specialist needs to understand how the law and the organization’s interests help to guide ethical decisions.
Cyber criminals that break into a system, steal credit card numbers, or release a worm are performing unethical actions. How does an organization view similar actions when a cybersecurity specialist performs them? For example, a cybersecurity specialist may have the opportunity to stop the spread of a worm preemptively by releasing code that propagates on its own and patches vulnerable systems. In effect, the cybersecurity specialist is releasing a worm, and it still modifies systems without their owners' consent. This worm is not malicious, though, so does this case get a pass?
The following ethical systems look at ethics from various perspectives.
Utilitarian Ethics
During the 19th century, Jeremy Bentham and John Stuart Mill developed Utilitarian Ethics. The guiding principle is that the ethical choice is the action that produces the greatest amount of good over bad or evil.
The Rights Approach
The guiding principle for the Rights Approach is that individuals have the right to make their own choices. This perspective looks at how an action affects the rights of others to judge whether an action is right or wrong. These rights include the right to truth, privacy, safety, and that society applies laws fairly to all members of society.
The Common-Good Approach
The Common-Good Approach proposes that the common good is whatever benefits the community. In this case, a cybersecurity specialist looks at how an action affects the common good of society or the community.
No clear-cut answers provide obvious solutions to the ethical issues that cybersecurity specialists face. The answer as to what is right or wrong can change depending on the situation and the ethical perspective.
Laws prohibit undesired behaviors. Unfortunately, advances in information system technologies far outpace the legal system's slow process of compromise and lawmaking. A number of laws and regulations affect cyberspace, and several specific laws guide the policies and procedures an organization develops to ensure that it is in compliance.
A computer may be involved in a cybercrime in a few different ways: there are computer-assisted crimes, computer-targeted crimes, and computer-incidental crimes. Child pornography is an example of a computer-incidental crime: the computer is merely a storage device and is not the actual tool used to commit the crime.
The growth in cybercrime has a number of causes. Many attack tools are now widely available on the Internet, and potential attackers need little expertise to use them.
Organizations Created to Fight Cybercrime
A number of agencies and organizations aid the fight against cybercrime.
In the United States, there are three primary sources of laws and regulations: statutory law, administrative law, and common law. All three sources involve computer security. The U.S. Congress established federal administrative agencies and a regulatory framework that includes both civil and criminal penalties for failing to follow the rules.
Criminal laws enforce a commonly accepted moral code backed by the authority of the government. Regulations establish rules designed to address the consequences of a rapidly changing society and set penalties for violating those rules. For example, the Computer Fraud and Abuse Act (CFAA) is a statutory law. Administratively, the FCC and the Federal Trade Commission (FTC) have dealt with issues such as intellectual property theft and fraud. Finally, common law cases work their way through the judicial system, providing precedents and constitutional bases for laws.
The Federal Information Security Management Act (FISMA)
Congress passed FISMA in 2002 to change the U.S. government's approach to information security. Because the federal government is the largest creator and user of information, federal IT systems are high-value targets for cyber criminals. FISMA applies to federal agencies' IT systems and requires each agency to create an information security program that includes the following:
- Risk assessments
- Annual inventory of IT systems
- Policies and procedures to reduce risk
- Security awareness training
- Testing and evaluation of all IT system controls
- Incident response procedure
- Continuity of operations plan
Many industry specific laws have a security and/or a privacy component. The U.S. government requires compliance from organizations within these industries. Cybersecurity specialists must be able to translate the legal requirements into security policies and practices.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) mainly affects the financial industry. A portion of that legislation, though, includes privacy provisions for individuals. The provision provides opt-out methods so that individuals can control the use of information they provide in a business transaction with a financial institution. The GLBA also restricts the sharing of that information with non-affiliated third-party firms.
Sarbanes-Oxley Act (SOX)
Following several high-profile corporate accounting scandals in the U.S., Congress passed the Sarbanes-Oxley Act (SOX) in 2002. SOX overhauled financial and corporate accounting standards and specifically targeted publicly traded firms in the United States.
Payment Card Industry Data Security Standard (PCI DSS)
Private industry also recognizes how important uniform and enforceable standards are. The Payment Card Industry Security Standards Council, formed by the major payment card brands, designed a private-sector standard to protect cardholder data wherever it is stored, processed, or transmitted.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual rules governing how merchants, payment processors, and banks protect credit card data as they handle transactions. PCI DSS is not a law. It is a voluntary standard in theory, and merchants and vendors can choose whether to abide by it. In practice, however, compliance is written into the agreements with acquiring banks and card brands, and noncompliance may result in significantly higher transaction fees, fines up to $500,000, and possibly even the loss of the ability to process credit cards.
Import/Export Encryption Restrictions
Since World War II, the United States has regulated the export of cryptography on national security grounds. The Bureau of Industry and Security (BIS) in the Department of Commerce now controls exports of non-military cryptography. Export restrictions still apply to embargoed countries and sanctioned entities such as terrorist organizations.
Countries may also restrict the import of cryptographic technologies for reasons such as the following:
- The technology may contain a backdoor or security vulnerability.
- Citizens can anonymously communicate and avoid any monitoring.
- Cryptography may increase levels of privacy above an acceptable level.