We are currently in a very interesting time where information security and the legal system are being slammed together in a way that is straining the resources of both systems. The information security world uses terms and concepts like “bits,” “packets,” and “bandwidth,” and the legal community uses words like “jurisdiction,” “liability,” and “statutory interpretation.” In the past, these two very different sectors had their own focus, goals, and procedures that did not collide with one another. But as computers have become the new tools for doing business and for committing traditional and new crimes, the two worlds have had to independently approach and interact in a new space—now sometimes referred to as cyberlaw.

Today’s CEOs and management not only need to worry about profit margins, market analysis, and mergers and acquisitions. Now they need to step into a world of practicing security due care, understanding and complying with new government privacy and information security regulations, risking civil and criminal liability for security failures (including the possibility of being held personally liable for certain security breaches), and trying to comprehend and address the myriad of ways in which information security problems can affect their companies. Business managers must develop at least a passing familiarity with the technical, systemic, and physical elements of information security. They also need to become sufficiently well-versed in the legal and regulatory requirements to address the competitive pressures and consumer expectations associated with privacy and security that affect decision making in the information security area, which is a large and growing area of our economy.

Just as businesspeople must increasingly turn to security professionals for advice in seeking to protect their company’s assets, operations, and infrastructure, so too must they turn to legal professionals for assistance in navigating the changing legal landscape in the privacy and information security area. Laws and related investigative techniques are being constantly updated in an effort by legislators, governmental and private information security organizations, and law enforcement professionals to counter each new and emerging form of attack and technique that the bad guys come up with. Thus, the security technology developers and other professionals are constantly trying to outsmart the sophisticated attackers, and vice versa. In this context, the laws provide an accumulated and constantly evolving set of rules that tries to stay in step with the new crime types and how they are carried out.

Compounding the challenge for business is the fact that the information security situation is not static; it is highly fluid and will remain so for the foreseeable future. This is because networks are increasingly porous to accommodate the wide range of access points needed to conduct business. These and other new technologies are also giving rise to new transaction structures and ways of doing business. All of these changes challenge the existing rules and laws that seek to govern such transactions. Like business leaders, those involved in the legal system, including attorneys, legislators, government regulators, judges, and others, also need to be properly versed in the developing laws (and the customer and supplier product and service expectations that drive the quickening evolution of new ways of transacting business)—all of which is captured in the term “cyberlaw.”

Cyberlaw is a broad term that encompasses many elements of the legal structure that are associated with this rapidly evolving area. The rise in prominence of cyberlaw is not surprising if you consider that the first daily act of millions of American workers is to turn on their computers (frequently after they have already made ample use of their other Internet access devices and cell phones). These acts are innocuous to most people who have become accustomed to easy and robust connections to the Internet and other networks as a regular part of their lives. But the ease of access also results in business risk, since network openness can also enable unauthorized access to networks, computers, and data, including access that violates various laws, some of which are briefly described in this chapter.

Cyberlaw touches on many elements of business, including how a company contracts and interacts with its suppliers and customers, sets policies for employees handling data and accessing company systems, uses computers in complying with government regulations and programs, and a number of other areas. A very important subset of these laws is the group of laws directed at preventing and punishing the unauthorized access to computer networks and data. Some of the more significant of these laws are the focus of this chapter.

Security professionals should be familiar with these laws, since they are expected to work in the construct the laws provide. A misunderstanding of these ever-evolving laws, which is certainly possible given the complexity of computer crimes, can, in the extreme case, result in the innocent being prosecuted or the guilty remaining free. Usually it is the guilty ones that get to remain free.

This chapter will cover some of the major categories of law that relate to cybercrime and list the technicalities associated with each. In addition, recent real-world examples are documented to better demonstrate how the laws were created and have evolved over the years.

This entry was posted on 8:45 AM and is filed under Hacking, hacking on XP.