The Broader Picture, Chapter 12 (52 slides), Copyright 2003 Prentice-Hall

Page 1: 1 The Broader Picture Chapter 12 Copyright 2003 Prentice-Hall


The Broader Picture

Chapter 12

Copyright 2003 Prentice-Hall

Page 2

The Broader Picture

Laws Governing Hacking and Other Computer Crimes

Consumer Privacy

Employee Workplace Monitoring

Government Surveillance

Cyberwar and Cyberterror

Hardening the Internet Against Attack

Page 3

Figure 12-1: Laws Governing Hacking

U.S. National Laws

Title 18, Section 1030

Enabling Legislation

Computer Fraud and Abuse Act of 1986

National Information Infrastructure Protection Act of 1996

Homeland Security Act of 2002

Prohibitions

Criminalizes intentional access of protected computers without authorization or in excess of authorization (hacking)

Page 4

Figure 12-1: Laws Governing Hacking

U.S. National Laws

Title 18, Section 1030

Prohibitions

Criminalizes the transmission of a program, information, code, or command that intentionally causes damage without authorization of a protected computer (Denial-of-Service and Viruses)

Page 5

Figure 12-1: Laws Governing Hacking

U.S. National Laws

Title 18, Section 1030

Punishment

For first offenses, usually 1-5 years; usually 10 years for second offenses

For theft of sensitive government information, 10 years, with 20 years for repeat offense

For attacks that harm or kill people, up to life in prison

Page 6

Figure 12-1: Laws Governing Hacking

U.S. National Laws

Title 18 (Chapters 119 and 121)

Electronic Communications Privacy Act of 1986 (ECPA)

Prohibits unauthorized interception of communications in transit (the Wiretap Act) and unauthorized access to communications in storage after receipt (the Stored Communications Act)

Other federal laws for fraud, etc.

Page 7

Figure 12-1: Laws Governing Hacking

U.S. State Laws

Federal law covers only "protected computers" (government and financial-institution computers, and computers used in interstate or foreign commerce)

State laws for purely intrastate crimes vary widely

Page 8

Figure 12-1: Laws Governing Hacking

Laws Around the World Vary

The general situation: lack of solid laws in many countries

Council of Europe Convention on Cybercrime of 2001 (the "Cybercrime Treaty")

Signatories must agree to create computer abuse laws and copyright protection

Nations must agree to work together to prosecute attackers

Page 9

(Agenda slide repeated from Page 2.)

Page 10

Figure 12-2: Consumer Privacy

Introduction

Scott McNealy of Sun Microsystems: "You have zero privacy now. Get over it!"

But privacy is strong in European Union countries and some other countries

Page 11

Figure 12-2: Consumer Privacy

Credit Card Fraud and Identity Theft

Widespread Concern (Gartner)

One in 20 consumers had suffered credit card number theft in 2002

One in 50 consumers had suffered identity theft in 2002

Only about a fifth of this is online, but online theft is growing the most rapidly

Page 12

Figure 12-2: Consumer Privacy

Credit Card Fraud and Identity Theft

Carders steal credit card numbers

Many merchants fail to protect credit card numbers

Carders test and sell credit card numbers

Merchants also suffer fraud from consumers and carders

Identity theft: Set up accounts in the victim's name

Victim may not discover identity theft until long afterward

Page 13

Figure 12-2: Consumer Privacy

Tracking Customer Behavior

Within a website and sometimes across websites

Some information is especially sensitive (health, political leanings, etc.)

Access to data and to analysis tools is revolutionizing the ability to learn about people

Page 14

Figure 12-2: Consumer Privacy

Tracking Customer Behavior

What consumers wish for

Disclosure of policies

What information will be collected?

How will the firm collecting the data use it?

Whether and with whom the information will be shared

Page 15

Figure 12-2: Consumer Privacy

Tracking Customer Behavior

What consumers wish for

Ability of consumer to see and correct inaccurate personal information

Limiting collection and analysis to operational business needs, and keeping those needs narrow

Opt in: No use unless customer explicitly agrees

Page 16

Figure 12-2: Consumer Privacy

Corporate Responses

Privacy disclosure statements

TRUSTe certifies corporate privacy behavior

Platform for Privacy Preferences (P3P): Standard format for privacy questions

Federal Trade Commission

Enforces privacy statements

Imposes fines and requires long-term auditing

Does not specify what should be in the privacy statement

Page 17

Figure 12-2: Consumer Privacy

Corporate Responses

Opt out: Customer must take action to stop data collection and sharing

No opt: No way to stop data collection and sharing

Passport and Liberty Alliance: Identity management services

Register once, giving personal information

Give out to merchants selectively

Page 18

Figure 12-2: Consumer Privacy

Consumer Reactions

Checking privacy disclosure statements (rare)

Not accepting cookies (rarer)

Anonymous websurfing services (extremely rare)

Page 19

Figure 12-2: Consumer Privacy

U.S. Privacy Laws

No general law

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Protects privacy in hospitals and health organizations

Focuses on protected health information that identifies a patient

Page 20

Figure 12-2: Consumer Privacy

U.S. Privacy Laws

Gramm-Leach-Bliley Act (GLBA) of 1999

Protects financial data

Allows considerable information sharing

Opt out can stop some information sharing

Page 21

Figure 12-2: Consumer Privacy

U.S. Privacy Laws

Children's Online Privacy Protection Act of 1998

Restricts the collection of personal data from children under 13

Applies to child-oriented sites and to any site that has actual knowledge a user is under 13

No protection for older children

Registration for the Kids.US domain is controlled

State privacy laws vary widely

Page 22

Figure 12-2: Consumer Privacy

International Laws

European Union Charter of Fundamental Rights

Right to protection of personal information

Personal information must be processed for specific legitimate purposes

Right to see and correct data

Compliance overseen by independent authority

Page 23

Figure 12-2: Consumer Privacy

International Laws

E.U. Data Protection Directive of 1995

Opt out with opt in for sensitive information

Access for review and rectification

Independent oversight agency

Data can be sent out of an EU country only to countries with “adequate” protections

Page 24

Figure 12-2: Consumer Privacy

International Laws

Safe harbor

Rules that U.S. firms must agree to follow to get personal data out of Europe

Should GLBA rules count as "adequate" protection for the financial industry? The E.U. is resisting.

Page 25

(Agenda slide repeated from Page 2.)

Page 26

Figure 12-3: Employee Workplace Monitoring

Monitoring Trends

American Management Association survey

E-mail monitoring rose from 15% of firms in 1997 to 46% in 2001

Internet connections in 2001: 63% of firms monitored them

In 2001, 76% of firms had disciplined an employee for misuse; 31% had terminated an employee

Page 27

Figure 12-3: Employee Workplace Monitoring

Why Monitor?

Loss of productivity because of personal Internet and e-mail use

Significant personal Internet and e-mail use is occurring

Employees and companies generally agree that a small amount of personal use is acceptable

Biggest concern is abnormally heavy personal use

Some employees are addicted to personal use

Page 28

Figure 12-3: Employee Workplace Monitoring

Why Monitor?

Harassment

Title VII of the Civil Rights Act of 1964: sexual and racial harassment

Pornography, other adult content are fairly common

Monitoring for keywords can reduce pornography and harassment and provide a legal defense

Page 29

Figure 12-3: Employee Workplace Monitoring

Why Monitor?

Viruses and other malware due to unauthorized software

Trade secrets: Both sending and receiving must be stopped

Commercially damaging communication behavior: Can harm reputation, generate lawsuits, and run afoul of stock manipulation laws

Page 30

Figure 12-3: Employee Workplace Monitoring

The Legal Basis for Monitoring

Electronic Communications Privacy Act of 1986

Allows reading of communications by the service provider (here, the firm)

Allows reading if subject agrees (make condition of employment)

Employee has no right to privacy when using corporate computers

Page 31

Figure 12-3: Employee Workplace Monitoring

The Legal Basis for Monitoring

In the United States, at-will employees can be disciplined or dismissed easily

Must not discriminate by selective monitoring

Union contracts often limit discipline and require agreement to monitoring

In multinational firms, stronger privacy and employment rules might apply

Page 32

Figure 12-3: Employee Workplace Monitoring

Should a Firm Monitor?

Danger of backlash

Are the negative consequences worth the gain?

Page 33

Figure 12-3: Employee Workplace Monitoring

Computer and Internet Use Policy Should Specify the Following

No expectation of privacy

Business use only

No unauthorized software

No pornography and harassment

Damaging communication behavior

Punishment for violating the policy

Employee Training in Policy is Crucial

Page 34

(Agenda slide repeated from Page 2.)

Page 35

Figure 12-4: Government Surveillance

U.S. Tradition of Protection from Improper Searches

No explicit right to privacy in the Constitution

Fourth Amendment: No unreasonable searches and seizures

Can search only with probable cause

Can only search specific things

FBI misuse of data collection during Hoover’s leadership

Page 36

Figure 12-4: Government Surveillance

Telephone Surveillance

Wiretapping

Federal Wiretap Act of 1968 for domestic crimes

Foreign Intelligence Surveillance Act of 1978 (FISA) for international terrorists and agents of foreign governments

Need warrant with probable cause and inability to get information by other means

Page 37

Figure 12-4: Government Surveillance

Telephone Surveillance

Pen registers and trap and trace orders

Pen registers: List of outgoing telephone numbers called

Trap and trace: List of incoming telephone numbers

Not as intrusive as wiretap because content of the call is not captured

Page 38

Figure 12-4: Government Surveillance

Telephone Surveillance

Pen registers and trap and trace orders

Authorized by the Electronic Communications Privacy Act of 1986

Requires only a certification that the information to be collected is likely to be relevant to an ongoing investigation (a weak standard)

Judge cannot refuse the order once that certification is made

Page 39

Figure 12-4: Government Surveillance

Telephone Surveillance

Communications Assistance for Law Enforcement Act of 1994

Requires communication providers to install the technology needed to be able to provide data in response to warrants

Patriot Act of 2001

Extends roving wiretaps to FISA—follow the target across media

Get billing information from telecommunications providers

Page 40

Figure 12-4: Government Surveillance

Internet Surveillance

The Patriot Act extends pen register and trap and trace orders to Internet traffic

Same weak justification as for telephone traffic

But much more intrusive: e-mail addresses, URLs (which reveal the pages visited), etc.

Page 41

Figure 12-4: Government Surveillance

Carnivore

Monitoring computer placed at an ISP

FBI installs the Carnivore computer and collects information

Filtering can be limited to what the warrant allows

Little accountability: no audit trails

Page 42

Figure 12-4: Government Surveillance

The Possible Future of Government Surveillance

Intrusive airport security through face scanning

Possible national ID cards

New ability to gather and analyze information from many databases

Page 43

(Agenda slide repeated from Page 2.)

Page 44

Figure 12-5: Cyberwar and Cyberterror

Threats

Attacking the IT infrastructure

Using computers to attack the physical infrastructure (electrical power, sewage, etc.)

Using the Internet to coordinate attacks

Page 45

Figure 12-5: Cyberwar and Cyberterror

Cyberwar

Conducted by governments

Direct damage

Disrupting command and control

Intelligence gathering

Propaganda

Industrial espionage

Integrating cyberwar into war-fighting doctrines

Page 46

Figure 12-5: Cyberwar and Cyberterror

Cyberterrorism

By semi-organized or organized groups

Psychological focus

Indirect economic impacts (for example, losses because of reduced travel after September 11, 2001, terrorist attacks)

Goals are publicity and recruitment

Indiscriminate damage

Page 47

Figure 12-5: Cyberwar and Cyberterror

Cyberterrorism

Hacktivism—politically motivated attacks by unorganized or loosely organized groups

Who is a terrorist? Spectrum from activism to full cyberterror

Page 48

(Agenda slide repeated from Page 2.)

Page 49

Figure 12-5: Cyberwar and Cyberterror

Building a National and International Response Strategy

National governments

Coordinated responses

Intelligence gathering

Research and training

Economic incentives

Private enterprise

Importance of hardening individual firms

Requiring hardening to meet responsibilities

Page 50

Figure 12-5: Cyberwar and Cyberterror

Hardening the Internet

Hardening the telecommunications infrastructure with decentralization and other methods

International cooperation is needed because of worldwide attackers

Hardening the underlying telecommunications system

Adding security to dialogs with VPNs

Page 51

Figure 12-5: Cyberwar and Cyberterror

Hardening the Internet

Hardening Internet protocols

IETF is making progress by adding confidentiality, authentication, and other protections to core Internet protocols

Strong authentication with digital certificates in a public key infrastructure is generally not being used

Page 52

Figure 12-5: Cyberwar and Cyberterror

Hardening the Internet

Making the Internet forensic

ISPs might be forced to collect and retain data for long periods of time

ISPs might be forced to do egress filtering to stop attacks at the source

The cost to ISPs would be high
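The egress filtering the last slide refers to is source-address validation at the ISP edge (the approach described in BCP 38): a packet arriving on a customer-facing interface is forwarded only if its source address lies in a prefix actually assigned to that customer, so spoofed-source flood traffic is dropped before it reaches the core. The following is an added illustration, not code from the textbook or from any ISP or vendor; the interface names, the assigned prefixes (drawn from the documentation address ranges) and the packet records are all constructed for the demo.

```python
"""Illustrative BCP 38 style egress (source-address) filtering at an ISP edge.

Added example; not from the textbook. Interface names, prefixes and packets
below are constructed for the demonstration.
"""
from dataclasses import dataclass
import ipaddress
from typing import Callable, Dict, List, Tuple

# Hypothetical customer-facing interfaces and the prefixes assigned to each.
# A packet is legitimate only if its source falls inside the prefixes assigned
# to the interface it arrived on; any other source is spoofed.
ASSIGNED_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["203.0.113.0/24"],                     # TEST-NET-3 (documentation range)
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],  # TEST-NET-2 + documentation IPv6
}


@dataclass(frozen=True)
class Packet:
    iface: str  # customer-facing interface the packet arrived on
    src: str    # source address claimed in the IP header
    dst: str    # destination address


def build_filter(assigned: Dict[str, List[str]]) -> Callable[[Packet], Tuple[bool, str]]:
    """Parse the prefix table once so the per-packet check is cheap."""
    table = {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in assigned.items()
    }

    def permitted(pkt: Packet) -> Tuple[bool, str]:
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return False, "unparseable source address"
        nets = table.get(pkt.iface)
        if nets is None:
            # Default deny: an interface with no assignment forwards nothing.
            return False, "unknown ingress interface"
        # Address-family check is explicit so a v6 source never matches a v4 net.
        if any(src.version == net.version and src in net for net in nets):
            return True, "source within assigned prefix"
        return False, "spoofed source (not assigned to this interface)"

    return permitted


def filter_packets(packets: List[Packet], assigned: Dict[str, List[str]] = ASSIGNED_PREFIXES):
    """Return (forwarded, dropped); each entry is (packet, reason)."""
    permitted = build_filter(assigned)
    forwarded, dropped = [], []
    for pkt in packets:
        ok, reason = permitted(pkt)
        (forwarded if ok else dropped).append((pkt, reason))
    return forwarded, dropped


# Constructed sample traffic: two legitimate packets and four that must be dropped.
SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.7", "192.0.2.1"),        # legitimate IPv4
    Packet("cust-a", "198.51.100.9", "192.0.2.1"),       # spoofed: borrows cust-b's range
    Packet("cust-b", "2001:db8:b::10", "2001:db8::1"),   # legitimate IPv6
    Packet("cust-b", "10.0.0.5", "192.0.2.1"),           # spoofed: private source
    Packet("cust-a", "not-an-ip", "192.0.2.1"),          # malformed header field
    Packet("unknown0", "203.0.113.1", "192.0.2.1"),      # interface with no assignment
]


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for pkt, reason in fwd:
        print(f"FORWARD {pkt.iface} {pkt.src} -> {pkt.dst}: {reason}")
    for pkt, reason in drp:
        print(f"DROP    {pkt.iface} {pkt.src} -> {pkt.dst}: {reason}")
```

The check is deliberately per-interface rather than global: a source address that is valid somewhere in the ISP's space is still spoofed if it arrives on the wrong customer port. The limitation is equally visible: a host that forges a source address inside its own customer's prefix (say 203.0.113.200 from behind cust-a) passes this filter, which is why the slide's "stop attacks at the source" only narrows the attacker to a customer, not to a machine, and why the per-prefix state the ISP must keep is part of the cost the slide mentions.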