School Essays and College Papers Forum


Computer Security And The Law

Post  MBAstudent on Tue Feb 23, 2010 1:12 am

I. Introduction

You are a computer administrator for a large manufacturing company. In
the middle of a production run, all the mainframes on a crucial network grind to
a halt. Production is delayed costing your company millions of dollars. Upon
investigating, you find that a virus was released into the network through a
specific account. When you confront the owner of the account, he claims he
neither wrote nor released the virus, but he admits that he has distributed his
password to "friends" who need ready access to his data files. Is he liable for
the loss suffered by your company? In whole or in part? And if in part, for how
much? These and related questions are the subject of computer law. The answers
may vary depending on which state the crime was committed in and the judge who
presides at the trial. Computer security law is a new field, and the legal
establishment has yet to reach broad agreement on many key issues.

Advances in computer security law have been impeded by the reluctance on
the part of lawyers and judges to grapple with the technical side of computer
security issues[1]. This problem could be mitigated by involving technical
computer security professionals in the development of computer security law and
public policy. This paper is meant to help bridge the gap between the technical
and legal computer security communities.


A. The Objectives of Computer Security

The principal objective of computer security is to protect and assure
the confidentiality, integrity, and availability of automated information
systems and the data they contain. Each of these terms has a precise meaning
which is grounded in basic technical ideas about the flow of information in
automated information systems.

B. Basic Concepts

There is a broad, top-level consensus regarding the meaning of most
technical computer security concepts. This is partly because of government
involvement in proposing, coordinating, and publishing the definitions of basic
terms[2]. The meanings of the terms used in government directives and
regulations are generally made to be consistent with past usage. This is not to
say that there is no disagreement over the definitions in the technical
community. Rather, the range of such disagreement is much narrower than in the
legal community. For example, there is presently no legal consensus on exactly
what constitutes a computer[3].

The term used to establish the scope of computer security is "automated
information system," often abbreviated "AIS." An AIS is an assembly of
electronic equipment, hardware, software, and firmware configured to collect,
create, communicate, disseminate, process, store and control data or information.
This includes numerous items beyond the central processing unit and associated
random access memory, such as input/output devices (keyboards, printers, etc.).

Every AIS is used by subjects to act on objects. A subject is any
active entity that causes information to flow among passive entities called
objects. For example, a subject could be a person typing commands which transfer
information from a keyboard (an object) to memory (another object),
or a process running on the central processing unit that is sending information
from a file (an object) to a printer (another object)[2].

Confidentiality is roughly equivalent to privacy. If a subject
circumvents confidentiality measures designed to prevent its access to an
object, the object is said to be "compromised." Confidentiality is the most
advanced area of computer security because the U.S. Department of Defense has
invested heavily for many years to find ways to maintain the confidentiality of
classified data in AIS [4]. This investment has produced the Department of
Defense Trusted Computer System Evaluation Criteria[5], alternatively called
the Orange Book after the color of its cover. The Orange Book is perhaps the
single most authoritative document about protecting the confidentiality of data
in classified AIS.

Integrity measures are meant to protect data from unauthorized
modification. The integrity of an object can be assessed by comparing its
current state to its original or intended state. An object which has been
modified by a subject without proper authorization is said to be "corrupted."
Technology for ensuring integrity has lagged behind that for confidentiality[4].
This is because the integrity problem has until recently been addressed by
restricting access to AIS to trustworthy subjects. Today, the integrity threat
is no longer tractable exclusively through access control. The desire for wide
connectivity through networks and the increased use of commercial off-the-shelf
software has limited the degree to which most AIS's can trust accelerating
over the past few years, and will likely become as important a priority as
confidentiality in the future.

Availability means having an AIS system and its associated objects
accessible and functional when needed by its user community. Attacks against
availability are called denial of service attacks. For example, a subject may
release a virus which absorbs so much processor time that the AIS system becomes
overloaded. This is by far the least well developed of the three security
properties, largely for technical reasons involving the formal verification of
AIS designs[4]. Although such verification is not likely to become a practical
reality for many years, techniques such as fault tolerance and software
reliability are used to mitigate the effects of denial of service attacks.

C. Computer Security Requirements

The three security properties of confidentiality, integrity, and
availability are achieved by labeling the subjects and objects in an AIS and
regulating the flow of information between them according to a predetermined set
of rules called a security policy. The security policy specifies which subject
labels can access which object labels. For example, suppose you went shopping
and had to present your driver's license to pick up some badges assigned to you at
the entrance, each listing a brand name. The policy at some stores is that you
can only buy the brand name listed on one of your badges. At the check-out lane,
the cashier compares the brand names of each object you want to buy with names
on your badges. If there's a match, she rings it up. But if you choose a
brand name that doesn't appear on one of your badges she puts it back on the
shelf. You could be sneaky and alter a badge, or pretend to be your neighbor
who has more badges than you, or find a clerk who will turn a blind eye. No
doubt the store would employ a host of measures to prevent you from cheating.
The same situation exists on secure computer systems. Security measures are
employed to prevent illicit tampering with labels, positively identify subjects,
and provide assurance that the security measures are doing the job correctly.
A comprehensive list of minimal requirements to secure an AIS is presented in
The Orange Book[5].
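
The label-and-policy check described above, as an added example that is not part of the original essay: a small reference monitor that seals each label set with an HMAC so an altered "badge" is detected, applies a policy table, and records every decision. The key, entity names, labels and policy entries are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed key, held only by the monitor (assumption for this example).
MONITOR_KEY = b"constructed-demo-key"

# Security policy: which subject labels may access which object labels.
POLICY = {
    "payroll-clerk": {"payroll"},
    "engineer": {"design", "test-data"},
}

def seal(name, labels):
    """MAC over name + labels, so any change to a label set is detectable."""
    msg = json.dumps([name, sorted(labels)]).encode()
    return hmac.new(MONITOR_KEY, msg, hashlib.sha256).digest()

def issue(name, labels):
    """Issue a labeled badge once the entity has been positively identified."""
    labels = frozenset(labels)
    return {"name": name, "labels": labels, "tag": seal(name, labels)}

def check_access(subject, obj, audit):
    """Verify both label sets are untampered, then apply the policy."""
    for entity in (subject, obj):
        expected = seal(entity["name"], entity["labels"])
        if not hmac.compare_digest(entity["tag"], expected):
            audit.append(("DENY", subject["name"], obj["name"], "label tampered"))
            return False
    allowed = set()
    for label in subject["labels"]:
        allowed |= POLICY.get(label, set())
    ok = bool(allowed & obj["labels"])
    audit.append(("ALLOW" if ok else "DENY", subject["name"], obj["name"], "policy"))
    return ok

def demo():
    """Three requests: a permitted one, a policy denial, and an altered badge."""
    audit = []
    alice = issue("alice", {"engineer"})
    design_doc = issue("widget.cad", {"design"})
    payroll_db = issue("payroll.db", {"payroll"})
    # The "sneaky" case: labels edited after issue, old tag reused.
    forged = dict(alice, labels=frozenset({"engineer", "payroll-clerk"}))
    results = [check_access(alice, design_doc, audit),
               check_access(alice, payroll_db, audit),
               check_access(forged, payroll_db, audit)]
    return results, audit

if __name__ == "__main__":
    print(demo())
```

The audit list plays the role of the assurance measure: each decision, including the tampering detection, leaves a record that can be reviewed later.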

III. The Legal Perspective

A. Sources Of Computer Law

The three branches of the government, legislative, executive, and judicial,
produce quantities of computer law which are inversely proportional to the
amount of coordination needed for its enactment. The legislative branch,
consisting of the Congress and fifty state legislatures, produces the smallest
amount of law, which is worded in the most general terms. For example, the
Congress may pass a bill mandating that sensitive information in government
computers be protected. The executive branch, consisting of the president and
numerous agencies, issues regulations which implement the bills passed by
legislators. Finally, the judicial branch serves as an avenue of appeal and
decides the meaning of the laws and regulations in specific cases. After the
decisions are issued, and in some cases appealed, they are taken as the word of
the law in legally similar situations.

B. Current Views On Computer Crime

Currently there is no universal agreement in the legal community on what
constitutes a computer crime. One reason is the rapidly changing state of
computer technology. For example, in 1979, the U.S. Department of Justice
publication[6] partitioned computer crime into three categories: 1) Computer
abuse, "the broad range of intentional acts involving a computer where one or
more perpetrators made or could have made gain and one or more victims suffered or
could have suffered a loss." 2) Computer crime, "Illegal computer abuse that
implies direct involvement of computers in committing a crime." 3) Computer
related crimes, "Any illegal act for which a knowledge of computer technology is
essential for successful prosecution." These definitions have become blurred by
the vast proliferation of computers and computer related products over the last
decade. For example, does altering an inventory bar code at a store constitute
computer abuse? Should a person caught in such an act be prosecuted both under
theft and computer abuse laws? Clearly, advances in computer technology should
be mirrored by parallel changes in computer laws.

Another attempt to describe the essential features of computer crimes has been
made by Wolk and Luddy[1]. They claim that the majority of crimes committed
against or with the use of a computer can be classified. These crimes are
classified as follows: 1) Sabotage, "involves an attack against the entire
computer system, or against its subcomponents, and may be the product of
foreign involvement or penetration by a competitor." 2) Theft of services,
"using a computer at someone else's expense." 3) Property crime involving the
"theft of property by and through the use of a computer." A good definition of
computer crime should capture all acts which are criminal and involve computers
and only those acts. Assessing the completeness of a definition seems
problematic, but tractable using technical computer security concepts.

IV. Conclusion

The development of effective computer security law and public policy
cannot be accomplished without cooperation between the technical and legal
communities. The inherently abstruse nature of computer technology and the
importance of social issues it generates demand the combined talents of both.
At stake is not only a fair and just interpretation of the law as it pertains to
computers, but more basic issues involving the protection of civil rights.
Technological developments have challenged these rights in the past and have
been met with laws and public policies which have regulated their use. For
example, the use of the telegraph and telephone gave rise to privacy laws
pertaining to wire communications. We need to meet advances in automated
information technology with legislation that preserves civil liberties and
establishes legal boundaries for protecting confidentiality, integrity, and
assured service. Legal and computer professionals have a vital role in meeting
this challenge together.

