In this article we will talk about cybercrime; in the previous article we discussed Deception Methods.
Laws prohibit undesired behaviors. Unfortunately, advances in information system technologies move much faster than the legal system's process of compromise and lawmaking. A number of laws and regulations affect cyberspace. Several specific laws guide the policies and procedures an organization develops to ensure that it is in compliance.
A computer may be involved in a cybercrime in a couple of different ways. There is computer-assisted crime, computer-targeted crime, and computer-incidental crime. Child pornography is an example of computer-incidental crime—the computer is a storage device and is not the actual tool used to commit the crime.
The growth in cybercrime is due to a number of different reasons. There are many tools widely available on the Internet now, and potential users do not need a great deal of expertise to use these tools.
Organizations Created to Fight Cybercrime
There are a number of agencies and organizations that aid the fight against cybercrime. The figure that accompanied this section links to the websites of these organizations, which help keep up with the important issues.
In the United States, there are three primary sources of laws and regulations: statutory law, administrative law, and common law. All three sources involve computer security. The U.S. Congress established federal administrative agencies and a regulatory framework that includes both civil and criminal penalties for failing to follow the rules.
Criminal laws enforce a commonly accepted moral code backed by the authority of the government. Regulations establish rules designed to address the consequences of a rapidly changing society, and they enforce penalties for violating those rules. For example, the Computer Fraud and Abuse Act is a statutory law. Administratively, the FCC and the Federal Trade Commission have been concerned with issues such as intellectual property theft and fraud. Finally, common law cases work their way through the judicial system, providing precedents and constitutional bases for laws.
The Federal Information Security Management Act (FISMA)
Congress created FISMA in 2002 to change the U.S. government's approach to information security. Because the federal government is the largest creator and user of information, federal IT systems are high-value targets for cyber criminals. FISMA applies to federal agencies' IT systems and stipulates that agencies create an information security program that includes the following:
- Risk assessments
- Annual inventory of IT systems
- Policies and procedures to reduce risk
- Security awareness training
- Testing and evaluation of all IT system controls
- Incident response procedure
- Continuity of operations plan
Many industry-specific laws have a security and/or a privacy component. The U.S. government requires compliance from organizations within these industries. Cybersecurity specialists must be able to translate the legal requirements into security policies and practices.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act is a piece of legislation that mainly affects the financial industry. A portion of that legislation, though, includes privacy provisions for individuals. The provision provides for opt-out methods so that individuals can control the use of information provided in a business transaction with an organization that is part of the financial institution. The GLBA restricts information sharing with third-party firms.
Sarbanes-Oxley Act (SOX)
Following several high-profile corporate accounting scandals in the U.S., Congress passed the Sarbanes-Oxley Act (SOX). The purpose of SOX was to overhaul financial and corporate accounting standards, specifically targeting the standards of publicly traded firms in the United States.
Payment Card Industry Data Security Standard (PCI DSS)
Private industry also recognizes how important uniform and enforceable standards are. A Security Standards Council composed of the top corporations in the payment card industry designed a private sector initiative to improve the confidentiality of network communications.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual rules governing how to protect credit card data as merchants and banks exchange the transaction. The PCI DSS is a voluntary standard (in theory) and merchants/vendors can choose whether they wish to abide by the standard. However, vendor noncompliance may result in significantly higher transaction fees, fines up to $500,000, and possibly even the loss of the ability to process credit cards.
Import/Export Encryption Restrictions
Since World War II, the United States has regulated the export of cryptography due to national security considerations. The Bureau of Industry and Security in the Department of Commerce now controls non-military cryptography exports. There are still export restrictions to rogue states and terrorist organizations.
Countries may decide to restrict the import of cryptography technologies for the following reasons:
- The technology may contain a backdoor or security vulnerability.
- Citizens can anonymously communicate and avoid any monitoring.
- Cryptography may increase levels of privacy above an acceptable level.
Businesses are collecting ever-increasing amounts of personal information about their customers, from account passwords and email addresses to highly sensitive medical and financial information. Companies large and small recognize the value of big data and data analytics, which encourages organizations to collect and store information. Cyber criminals are always looking for ways to obtain such information or to access and exploit a company's most sensitive, confidential data. Organizations that collect sensitive data need to be good data custodians. In response to this growth in data collection, several laws require organizations that collect personal information to notify individuals if a breach of their personal data occurs.
Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) addresses a myriad of legal privacy issues that resulted from the increasing use of computers and other technology specific to telecommunications. Sections of this law address email, cellular communications, workplace privacy, and a host of other issues related to communicating electronically.
Computer Fraud and Abuse Act (1986)
The Computer Fraud and Abuse Act (CFAA) has been in force for over 20 years. The CFAA provides the foundation for U.S. laws criminalizing unauthorized access to computer systems. The CFAA makes it a crime to knowingly access a computer considered either a government computer or a computer used in interstate commerce, without permission. The CFAA also criminalizes the use of a computer in a crime that is interstate in nature.
The Act criminalizes trafficking in passwords or similar access information, and it makes it a crime to knowingly transmit a program, code, or command that results in damage.