The Wild West
Information Security


   Much has been made of the information security measures that companies must take in order
   to comply with state and federal legislation as well as with industry-mandated standards.
   Companies that fail to comply with industry standards may be subject to penalties that vary
   with the degree of non-compliance and any resulting loss of data. Additionally,
   companies that neglect to implement appropriate information security controls may be
   investigated and penalized by the Federal Trade Commission (FTC) or sued in federal court.
 
by Heather Mark

    The current wave of data security legislation is focused on compelling organizations to protect sensitive data.  As stated in previous articles, over 150 privacy-related bills were introduced in the 108th Congress, and over 60 have already been introduced in the 109th.  To date, over 35 states have enacted laws requiring that companies not only protect sensitive information but also notify customers should that information be compromised.  Having been a victim in one of the more recent merchant credit card thefts, I am a proponent of laws requiring better protection of sensitive data.  I am struck, however, by an apparent disparity in our system: the burden of protecting data rests almost entirely on the shoulders of the companies that hold it.
    As stated on the International Criminal Court's website: "The whole purpose of criminal law generally is to serve a deterrent function, by persuading potential perpetrators of crimes to refrain from such actions because of the sanctions they might face."  While this is an overgeneralization of the principles and tenets of the U.S. criminal justice system, the point still holds.  Criminal law is used to:
    • Punish those who commit infractions and,
    • Deter potential criminals from committing infractions. 
    Looking at U.S. legislation today, it is clear that our criminal laws relating to cyber-crime have not kept pace with the increasingly sophisticated attacks companies face from the Internet; the legislative effort has instead concentrated on ensuring that the potential victims take steps to prevent the crime from occurring.  The question remains: what is being done to deter individuals from attempting to breach network security and steal information?
    There are a number of state and federal laws relating to computer crime that are aimed at deterring it.  The federal government's principal statute for combating computer crime is the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030.  Originally drafted and passed in 1984 (partly in response to the movie WarGames), the act has undergone a number of revisions designed to strengthen it.  The Cyber Security Enhancement Act of 2002, enacted as part of the Homeland Security Act, for example, increased the criminal penalties associated with computer crime.  In short, the CFAA makes it a crime to knowingly access, or attempt to access, another's computer system without authorization.  Specifically, the statute makes the following activities illegal:

  • "Having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

  • Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:

    • Information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

    • Information from any department or agency of the United States; or

    • Information from any protected computer if the conduct involved an interstate or foreign communication;”


    The statute makes other activities related to unauthorized access to computers illegal as well.  Penalties under it range from fines to as much as 20 years' imprisonment, depending on the offense and the harm caused.
    A more recent law that is being applied more frequently to prosecute cyber-criminals is the USA PATRIOT Act.  The PATRIOT Act, signed into law in October 2001, gave the federal government significantly expanded authority to collect electronic evidence.  While ostensibly designed to protect against terrorism, many of its provisions apply to electronic communications and computer crime generally, and it granted new authorities related to computer crime and electronic evidence collection.  One of the more significant changes concerns 18 U.S.C. § 1030(c) and (e)(8).  Originally, to violate subsection (a)(5)(A) of the CFAA an offender had to "intentionally [cause] damage without authorization," and section 1030 defined "damage" as "impairment to the integrity or availability of data, a program, a system, or information that (1) caused loss of at least $5,000…"  The question arose whether the offender had to intend the $5,000 loss, or whether it was enough to intend only the access and in fact cause that loss.  Section 814 of the PATRIOT Act restructured the statute to make clear that an offender need only intend to damage the computer or the information on it, not to cause a specific dollar amount of loss or other special harm; the $5,000 threshold now belongs to the factors that determine the seriousness of the offense rather than to the definition of damage.  In practical terms, a person who compromises a system through SQL injection or some other attack need not have set out to cause $5,000 in losses.  According to the Department of Justice's field guidance on the Act, the intent to cause damage, coupled with the resulting loss, is enough to constitute a felony, and attempts are punishable under § 1030(b).
    The penalties appear severe enough to deter a potential hacker from attempting to breach network security and misappropriate or damage information.  Unfortunately, in this case appearances may be deceiving.  The difficulty of identifying and tracing computer attacks makes prosecution of such crimes extremely difficult and highly unlikely in most cases.  Additionally, computer crimes often cross several jurisdictions and may originate outside the country in which the attack occurred.  International cooperation on computer crime is troublesome to coordinate and presents significant challenges.  Compounding the problem, local, state and federal law enforcement organizations face increasingly sophisticated criminals in rapidly growing numbers.  It is an unfortunate fact that today law enforcement is outgunned and outnumbered by cyber-criminals.  The result is that very few attackers are ever identified, and fewer still are prosecuted.
    In 2001, the U.S. Bureau of Justice Statistics initiated a pilot program to begin tracking cybercrime statistics.  In 2004, its survey found that only 12% of companies that detected a network intrusion reported the incident to law enforcement.  Some studies have shown that of the attacks that are reported, less than 2% are investigated and then successfully prosecuted.  This lack of reporting is itself indicative of a bias against companies that get hacked.  The backlash is rarely aimed at the perpetrator of the attack.  Rather, it is the company that bears the brunt of public and regulatory scrutiny for a perceived deficiency, even if its systems were compliant with the relevant industry and regulatory mandates.
    Consider the example of a bank that is held up by an armed robber.  If a person walks into a bank and demands money from the teller, the perception is that some very bad person robbed a bank, and we all feel sorry for the victims.  Contrast this with a company that suffers a data compromise.  Regardless of the sophistication of the attacker and the controls in place at the time, the perception invariably is that the company is somehow at fault for not preventing the theft.
    The end result is that people who choose to hack into computer systems often do so with near impunity.  To protect your organization and to help ensure the successful prosecution of attackers, your company should ensure that sufficient security controls exist to prevent and, just as importantly, detect network attacks and to preserve the evidence they leave behind.  Such controls include intrusion detection systems, comprehensive logging, file integrity products, and others.  It is also important for companies to be familiar with the laws that may apply and with the reporting process to follow when a compromise is suspected.  If you suspect your company has been the victim of a network penetration or attempted penetration, report it to the Internet Crime Complaint Center at www.ic3.gov/.
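The detective control the closing paragraph leans on, a file integrity check, reduces to a small amount of code: hash every file under a directory into a baseline, and later diff a fresh scan against it. The script below is an added example, not code from the original article or from any product it mentions. The directory tree, file names and the "tampering" it performs are constructed in a temporary directory so that the script runs offline; the only design point beyond the diff itself is that the baseline's own digest is computed so it can be kept somewhere an intruder cannot rewrite it.

```python
# Minimal file-integrity monitor: hash a tree into a baseline, then diff a later scan against it.
# Added example; not from the original article. All paths and sample files below are constructed.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.
    Keys are POSIX-style relative paths so the baseline is stable across hosts."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": f"{st.st_mode & 0o7777:04o}",
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, or modified (content or permission change)."""
    old, new = set(baseline), set(current)
    modified = [
        p for p in sorted(old & new)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    ]
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": modified}


def baseline_digest(baseline: dict) -> str:
    """Hash of the canonical JSON form of the baseline. Keep this digest (and the baseline)
    off-host, e.g. on a write-once log collector, so an intruder with root cannot silently
    rebase it; the digest is also what you hand to investigators as evidence integrity."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def demo() -> dict:
    """Build a baseline over a constructed directory, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "uploads").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=localhost\n")
        (root / "etc" / "old.conf").write_text("legacy=1\n")
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")

        baseline = build_baseline(root)
        digest_before = baseline_digest(baseline)

        # Constructed tampering: a page is altered, a file is deleted, an unexpected file appears.
        (root / "index.php").write_text("<?php echo 'hello'; /* injected */ ?>\n")
        (root / "etc" / "old.conf").unlink()
        (root / "uploads" / "cmd.php").write_text("<?php /* unexpected upload */ ?>\n")

        result = compare(baseline, build_baseline(root))
        # The stored baseline still hashes to the digest recorded earlier, so it was not rebased.
        result["baseline_intact"] = baseline_digest(baseline) == digest_before
        return result


if __name__ == "__main__":
    for kind, value in demo().items():
        print(f"{kind}: {value}")
```

In production the baseline would be built once from a known-good system, signed or at least hashed and copied off the host, and the comparison run on a schedule with the `added`, `removed` and `modified` lists forwarded to the same log pipeline as the intrusion detection alerts, so the timeline that a prosecutor later needs is recorded as the events happen rather than reconstructed afterwards.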