Information Security • Legal Considerations • Dr. Randy Kaplan
Computer Crime • Legal Considerations • Law enforcement has always lagged behind technology • The computer offers a new venue for committing crimes - one that is almost unlimited
Computer Crime • Legal Considerations • In the history of the Computer Fraud and Abuse Act 1980 is considered the “dawn of the computer age.” • There are documented cases of computer crime as far back as 1960
Computer Crime • 1984 • Comprehensive Crime and Control Act of 1984 • Provisions to address unauthorized access and use of computers and computer networks • Congress wanted to provide a “clearer statement” of this activity
Computer Crime • This clarification was for - • Law enforcement • Those who own and operate computers • Those who may be tempted to commit crimes by unauthorized access
Computer Crime • Consider the environment at the time • Mainframe (large scale computers) still prevalent • Lots of minicomputers • 2 years after the IBM PC was introduced - MS-DOS was the operating system of the day
Computer Crime • Most computer crime of the day consisted of gaining access to computer systems to - • use data contained on these computers to the perpetrator’s advantage • do damage • simply have access to the computer resource
Computer Crime • Congress made it a felony to access classified information in a computer without authorization • Access to financial records or credit histories stored in a financial institution was a misdemeanor • It was also a misdemeanor to trespass into a government computer
Computer Crime • Congress did not add these provisions to existing laws • Rather, they created a new statute, 18 U.S.C. Section 1030.
Computer Crime • After Section 1030 was enacted - • Congress continued to investigate problems associated with computer crime to determine whether federal laws required revision • Throughout 1985 both the House and Senate held hearings on potential computer crime bills
Computer Crime • In 1986, the work of Congress culminated in the Computer Fraud and Abuse Act (CFAA) • Enacted in 1986 • Amended 18 U.S.C. Section 1030
CFAA • Congress attempted to strike a balance • Federal government’s interest in computer crime • Interest of States to proscribe and punish these offenses
CFAA • Congress addressed federalism concerns • Limit federal jurisdiction • Only cases with a compelling federal interest • Where the computers of the federal government or certain financial institutions are involved or -
CFAA • the crime itself is interstate in nature
CFAA • The CFAA clarified a number of provisions in the original section 1030 • Criminalized additional computer-related acts
Damage or Destruction of Data • Penalize those who intentionally damage or destroy data belonging to others • Penalize those who steal property via computer as part of a scheme to defraud
Damage or Destroy • Penalize those who intentionally damage or destroy data belonging to others • Covers activities like: • DoS (denial-of-service) attacks • Distribution of malicious code
Password Trafficking • Congress also included a provision criminalizing the trafficking of passwords and similar items
Amendments • CFAA amended • 1988 • 1989 • 1990 • 1994 • 1996 • 2001 • 2002
Types of Criminal Activities • CFAA identifies seven types of criminal activities • Obtaining National Security Information • Compromising the confidentiality of a computer • Trespassing in a Government computer
Types of Criminal Activities • CFAA identifies seven types of criminal activities • Accessing a Computer to defraud and obtain value • Knowing Transmission and Intentional Damage • Intentional Access and Reckless Damage
Types of Criminal Activities • CFAA identifies seven types of criminal activities • Intentional Access and Damage • Trafficking of Passwords • Extortion Involving Threats to Damage Computer
Civil Action • The CFAA allows victims who suffer specific types of loss or damage, under certain circumstances, to sue for compensatory damages and for injunctive or other equitable relief
Key Terms • Two terms are common to most prosecutions under section 1030 • Protected Computer • Authorization
Protected Computer • “protected computer” • a statutory term of art that has nothing to do with the security of the computer
Protected Computer • “protected computer” • protected computer refers to computers that are used in interstate or foreign commerce (e.g. Internet) and computers of the federal government and financial institutions
Protected Computer • “protected computer” • did not appear in the CFAA until 1996 • Congress was attempting to correct deficiencies identified in earlier versions of the statute
Protected Computer • “protected computer” • In 1994 Congress amended the CFAA • Protect any computer used in interstate commerce or communication as opposed to a “Federal Interest Computer”
Protected Computer • “protected computer” • Protect any computer used in interstate commerce or communication as opposed to a “Federal Interest Computer” • Expands the scope of the act • Include certain non-governmental computers
Protected Computer • “protected computer” • The 1994 amendment inadvertently removed protections for government and financial-institution computers that were not used in interstate commerce
Protected Computer • “protected computer” • In 1996 “protected computer” defined as • a computer used by the federal government or financial institution OR • a computer used in interstate or foreign commerce
Protected Computer • “protected computer” • This definition did not explicitly cover - • an attacker within the U.S. attacking a computer system located abroad • individuals in a foreign country routing communications through the U.S. as they hacked abroad
Authorization • Criminal offenses will usually involve • access without authorization • exceed authorized access • The term “without authorization” is not defined in the Act • One court found its meaning to be elusive
“Exceeds Authorized Access” • Defined by the CFAA • To access a computer with authorization • Use this access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter
Insiders • The legislative history of the CFAA reflects an expectation • Persons who exceed authorized access are likely to be insiders • Persons who act without authorization are likely to be outsiders
Insiders • As a result of this expectation - • Congress restricted the circumstances under which an insider could be held liable for violating section 1030
Insiders • “Insiders who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage.”
Outsiders • Breaking into a computer • can be punished for any intentional, reckless, or other damage they cause by their trespass
Outsiders • Have no rights to use a protected computer system and should therefore be subject to a wider range of criminal prohibitions • Those who act without authorization can be convicted under any of the access offenses contained in the CFAA
Authorization • The universe of individuals who lack any authorization to access a computer is relatively easy to define • Determining whether individuals who possess some legitimate authorization to access a computer have exceeded that authorized access may be more difficult
Exceeds Authorized Access • To access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter
Scope of Authorization • Hinges upon the facts of each case • Simple prosecution - • a defendant without authorization to access a computer may intentionally bypass a technological barrier that prevented her from obtaining information on a computer network
Scope of Authorization • Many cases will involve exceeding authorized access • Establishing the scope of authorized access will be more complicated • The extent of authorization may depend on an employment agreement
Scope of Authorization • May depend on • terms of service notice • log-on banner outlining the permissible purposes for accessing a computer or computer network
Scope of Authorization • In one case • an insider • had limited authorization to use a system • strayed far beyond the bounds of his authorization • The court treated him as acting without authorization
Scope of Authorization • United States v. Morris • Convicted under a previous version of Section 1030(a)(5) which punished “intentionally accessing a Federal interest computer without authorization.”
Morris’s Crime • Created an Internet program known as a worm which spread to computers across the country and caused damage • To enable the worm to spread Morris exploited vulnerabilities in two processes he was authorized to use - sendmail and fingerd
Morris’s Appeal • Morris argued that because he had authorization to engage in certain activities, such as sending electronic mail on some university computers, he merely exceeded authorized access rather than having gained unauthorized access
Morris’s Appeal • The Second Circuit rejected Morris’ argument on three grounds • (1) It held that the fact that the defendant had authorization to use certain computers on a network did not insulate his behavior when he gained access to other computers that were beyond his authorization
Morris’s Appeal • Congress did not intend an individual’s access to one federal interest computer to protect him from prosecution no matter what other federal interest computers he accesses