Computer Security And The LawI.
IntroductionYou are a computer administrator for a large manufacturing company. Inthe middle of a production run, all the mainframes on a crucial network grind toa halt. Production is delayed costing your company millions of dollars. Uponinvestigating, you find that a virus was released into the network through aspecific account. When you confront the owner of the account, he claims heneither wrote nor released the virus, but he admits that he has distributed hispassword to “friends” who need ready access to his data files.
Is he liable forthe loss suffered by your company? In whole or in part? And if in part, for howmuch? These and related questions are the subject of computer law. The answersmay very depending in which state the crime was committed and the judge whopresides at the trial. Computer security law is new field, and the legalestablishment has yet to reach broad agreement on may key issues. Advances in computer security law have been impeded by the reluctance onthe part of lawyers and judges to grapple with the technical side of computersecurity issues1.
This problem could be mitigated by involving technicalcomputer security professional in the development of computer security law andpublic policy. This paper is meant to help bridge to gap between technical andlegal computer security communities. II. THE TECHNOLOGICAL PERSPECTIVEA. The Objectives of Computer SecurityThe principal objective of computer security is to protect and assurethe confidentiality, integrity, and availability of automated informationsystems and the data they contain.
Each of these terms has a precise meaningwhich is grounded in basic technical ideas about the flow of information inautomated information systems. B. Basic ConceptsThere is a broad, top-level consensus regarding the meaning of mosttechnical computer security concepts. This is partly because of governmentinvolvement in proposing, coordinating, and publishing the definitions of basicterms2. The meanings of the terms used in government directives andregulations are generally made to be consistent with past usage.
This is not tosay that there is no disagreement over the definitions in the technicalcommunity. Rather, the range of such disagreement is much narrower than in thelegal community. For example there is presently no legal consensus on exactlywhat constitutes a computer3. The term used to establish the scope of computer security is “automatedinformation system,” often abbreviated “AIS. ” An Ais is an assembly ofelectronic equipment, hardware, software, and firmware configured to collect,create, communicate, disseminate, process, store and control data or information.
This includes numerous items beyond the central processing unit and associatedrandom access memory, such as input/output devises (keyboards, printers, etc. )Every AIS is used by subjects to act on objects. A subject is anyactive entity that causes information to flow among passive entities calledobjects. For example, subject could be a person typing commands which transferinformation from a keyboard (an object) to memory (another object),or a process running on the central processing unit that is sending informationfrom a file(an object) to a printer a printer(another object). 2Confidentiality is roughly equivalent to privacy. If a subjectcircumvents confidentiality measures designed to prevent it’s access to anobject, the object is said to be “comprised.
” Confidentiality is the mostadvanced area of computer security because the U. S. Department of Defense hasinvested heavily for many years to find way to maintain the confidentiality ofclassified data in AIS 4. This investment has produced the Department ofDefense trusted computer system evaluation criteria5, alternatively calledthe Orange Book after the color of it’s cover. The orange book is perhaps thesingle most authoritative document about protecting the confidentiality of datain classified AIS.
Integrity measures are meant to protect data form unauthorizedmodification. The integrity of an object can be assessed by comparing it’scurrent state to it’s original or intended state. An object which has beenmodified by a subject with out proper authorization is sad to “corrupted. “Technology for ensuring integrity has lagged behind that for confidentiality4.
This is because the integrity problem has until recently been addressed byrestricting access to AIS to trustworthy subjects. Today, the integrity threatis no longer tractable exclusively through access control. The desire for wideconnectivity through networks and the increased us of commercial off the shelfsoftware has limited the degree to which most AIS’s can trust acceleratingover the past few years, and will likely become as important a priority asconfidentiality in the future. Availability means having an AIS system and it’s associated objectsaccessible and functional when needed by it’s user community.
Attacks againstavailability are called denial of service attacks. For example, a subject mayrelease a virus which absorbs so much processor time that the AIS system becomesoverloaded. This is by far the least well developed of the three securityproperties, largely for technical reasons involving the formal verification ofAIS designs4. Although such verification is not likely to become a practicalreality for many years, techniques such as fault tolerance and softwarereliability are used to migrate the effects of denial service attacks. C. Computer Security RequirementsThe three security properties of confidentiality, integrity, andavailability are acvhied by labeling the subjects and objects in an AIS andregulating the flow of information between them according to a predetermined setof rules called a security policy.
The security policy specifies which subjectlabels can access which object labels. For example, suppose you went shoppingand had to present your drives license to pick up some badges assigned to you atthe entrance, each listing a brand name. The policy at some stores is that youcan only buy the brand name listed on one of your badges. At the check-out lane,the cashier compares the brand names of each object you want to buy with nameson your badges. If there’s a match, she rings it up.
But if you choose abrand name that doesn’t appear on one of your badges she puts it back on theshelf. You could be sneaky and alter a badge, or pretend to be your neighborwho has more badges than you, or find a clerk who will turn a blind eye. Nodoubt the store would employ a host of measures to prevent you from cheating. The same situation exists on secure computer systems.
Security measure areemployed to prevent illicit tampering with labels, positively identify subjects,and provide assurance that the security measures are doing the job correctly. A comprehensive list of minimal requirements to secure an AIS are presented inThe Orange Book5. IIIThe Legal PerspectiveA. Sources Of Computer LawThe three branches of the government, legislative, executive, and judicial,produce quantities of computer law which are inversely proportional to theamount of coordination needed for it’s enactment.
The legislative branch,consisting of the Congress and fifty state legislators, produce the smallestamount if law which is worded in the most general terms. For example, theCongress may pass a bill mandating that sensitive information in governmentcomputers be protected. The executive branch, consisting of the president andnumerous agencies, issues regulations which implement the bills passed bylegislators. Finally, the judicial branch serves as an avenue of appeal anddecides the meaning of the laws and regulations in specific cases. After thedecisions are issued, and in some cases appealed, they are taken as the word ofthe law in legally similar situations.
B. Current Views On Computer CrimeCurrently there is no universal argument in the legal community on whatconstitutes a computer crime. One reason is the rapidly changing state ofcomputer technology. For example in 1979, the U. S.
Department of justicepublication6 partitioned computer crime into three categories: 1) Computerabuse, “the broad range of international acts involving a computer where one ormore perpetrators made or could have made gain and one or victims suffered orcould have suffered a loss. ” Computer crime, “Illegal computer abuse theimplies direct involvement of computers in committing a crime. 3) Computerrelated crimes “Any illegal act for which a knowledge of computer technology isessential for successful prosecution. ” These definitions have become blurred bythe vast proliferation of computers and computer related products over the lastdecade. For example, does altering an inventory bar code at a store constitutecomputer abuse’should a person caught in such an act be prosecuted both undertheft and computer abuse laws? Clearly, advances in computer technology shouldbe mirrored by parallel changes in computer laws. Another attempt to describe the essential features of computer crimes has beenmade by wolk and Luddy1.
They claim that the majority of crimes committedagainst or which the use of a computer can be classified. These crimes areclassified as follows: 1) sabotage, “involves an attack against the entirecomputer system, or against it’s sub components, and may be the product offoreign involvement or penetration by a competitor. ” 2) Theft of services,”using a computer at someone else’s expense. 3) Property crime involving the”theft of property by and through the use of a computer. A good definition ofcomputer crime should capture all acts which are criminal and involve computersand only those acts. Assessing the completeness of a definition seemsproblematic, tractable using technical computer security concepts.
IV. ConclusionThe development of effective computer security law and public policycannot be accomplished without cooperation between the technical and legalcommunities. The inherently abstruse nature of computer technology and theimportance of social issues it generates demands the combined talents of both. At stake is not only a fair and just interpretation of the law as it pertains tocomputers, but more basic issues involving the protection of civil rights. Technological developments have challenged these rights in the past and havebeen met with laws and public policies which have regulated their use. Forexample the use of the telegraph and telephone gave rise to privacy lawspertaining to wire communications.
We need to meet advances in automatedinformation technology with legislation that preserves civil liberties andestablishes legal boundaries for protecting confidentiality, integrity, andassured service. Legal and computer professionals have a vital role in meetingthis challenge together. REFERENCES1Stuart R. Wolk and William J.
Luddy Jr. , “Legal Aspects of Computer Use” Prentice Hall, 1986,pg. 1292National Computer Security Center, “Glossary of Computer Security Terms” October 21,19883Thomas R. Mylott III, “Computer Law for the Computer Professional,”Prentice Hall, 1984,p. g. 131.
e4 Gasser, Morrie, “Building a Secure Computer System” Van Nostrand,1988. 5 Department of Defense, “Department of Defense Trusted Computer SystemEvaluation Criteria,” December 19856 United States Department of Justice, “Computer Crime, Criminal JusticeResource Manual,” 1979COMPUTER SECURITY AND THE LAWI. IntroductionYou are a computer administrator for a large manufacturing company. Inthe middle of a production run, all the mainframes on a crucial network grind toa halt.
Production is delayed costing your company millions of dollars. Uponinvestigating, you find that a virus was released into the network through aspecific account. When you confront the owner of the account, he claims heneither wrote nor released the virus, but he admits that he has distributed hispassword to “friends” who need ready access to his data files. Is he liable forthe loss suffered by your company? In whole or in part? And if in part, for howmuch? These and related questions are the subject of computer law.
The answersmay very depending in which state the crime was committed and the judge whopresides at the trial. Computer security law is new field, and the legalestablishment has yet to reach broad agreement on may key issues. Advances in computer security law have been impeded by the reluctance onthe part of lawyers and judges to grapple with the technical side of computersecurity issues1. This problem could be mitigated by involving technicalcomputer security professional in the development of computer security law andpublic policy.
This paper is meant to help bridge to gap between technical andlegal computer security communities. II. THE TECHNOLOGICAL PERSPECTIVEA. The Objectives of Computer SecurityThe principal objective of computer security is to protect and assurethe confidentiality, integrity, and availability of automated informationsystems and the data they contain.
Each of these terms has a precise meaningwhich is grounded in basic technical ideas about the flow of information inautomated information systems. B. Basic ConceptsThere is a broad, top-level consensus regarding the meaning of mosttechnical computer security concepts. This is partly because of governmentinvolvement in proposing, coordinating, and publishing the definitions of basicterms2. The meanings of the terms used in government directives andregulations are generally made to be consistent with past usage. This is not tosay that there is no disagreement over the definitions in the technicalcommunity.
Rather, the range of such disagreement is much narrower than in thelegal community. For example there is presently no legal consensus on exactlywhat constitutes a computer3. The term used to establish the scope of computer security is “automatedinformation system,” often abbreviated “AIS. ” An Ais is an assembly ofelectronic equipment, hardware, software, and firmware configured to collect,create, communicate, disseminate, process, store and control data or information.
This includes numerous items beyond the central processing unit and associatedrandom access memory, such as input/output devises (keyboards, printers, etc. )Every AIS is used by subjects to act on objects. A subject is anyactive entity that causes information to flow among passive entities calledobjects. For example, subject could be a person typing commands which transferinformation from a keyboard(an object) to memory (another object),or a process running on the central processing unit that is sending informationfrom a file(an object) to a printer a printer(another object).
2Confidentiality is roughly equivalent to privacy. If a subjectcircumvents confidentiality measures designed to prevent it’s access to anobject, the object is said to be “comprised. ” Confidentiality is the mostadvanced area of computer security because the U. S. Department of Defense hasinvested heavily for many years to find way to maintain the confidentiality ofclassified data in AIS 4. This investment has produced the Department ofDefense trusted computer system evaluation criteria5, alternatively calledthe Orange Book after the color of it’s cover.
The orange book is perhaps thesingle most authoritative document about protecting the confidentiality of datain classified AIS. Integrity measures are meant to protect data form unauthorizedmodification. The integrity of an object can be assessed by comparing it’scurrent state to it’s original or intended state. An object which has beenmodified by a subject with out proper authorization is sad to “corrupted. “Technology for ensuring integrity has lagged behind that for confidentiality4. This is because the integrity problem has until recently been addressed byrestricting access to AIS to trustworthy subjects.
Today, the integrity threatis no longer tractable exclusively through access control. The desire for wideconnectivity through networks and the increased us of commercial off the shelfsoftware has limited the degree to which most AIS’s can trust acceleratingover the past few years, and will likely become as important a priority asconfidentiality in the future. Availability means having an AIS system and it’s associated objectsaccessible and functional when needed by it’s user community. Attacks againstavailability are called denial of service attacks. For example, a subject mayrelease a virus which absorbs so much processor time that the AIS system becomesoverloaded. This is by far the least well developed of the three securityproperties, largely for technical reasons involving the formal verification ofAIS designs4.
Although such verification is not likely to become a practicalreality for many years, techniques such as fault tolerance and softwarereliability are used to migrate the effects of denial service attacks. C. Computer Security RequirementsThe three security properties of confidentiality, integrity, andavailability are acvhied by labeling the subjects and objects in an AIS andregulating the flow of information between them according to a predetermined setof rules called a security policy. The security policy specifies which subjectlabels can access which object labels. For example, suppose you went shoppingand had to present your drives license to pick up some badges assigned to you atthe entrance, each listing a brand name. The policy at some stores is that youcan only buy the brand name listed on one of your badges.
At the check-out lane,the cashier compares the brand names of each object you want to buy with nameson your badges. If there’s a match, she rings it up. But if you choose abrand name that doesn’t appear on one of your badges she puts it back on theshelf. You could be sneaky and alter a badge, or pretend to be your neighborwho has more badges than you, or find a clerk who will turn a blind eye. Nodoubt the store would employ a host of measures to prevent you from cheating. The same situation exists on secure computer systems.
Security measure areemployed to prevent illicit tampering with labels, positively identify subjects,and provide assurance that the security measures are doing the job correctly. A comprehensive list of minimal requirements to secure an AIS are presented inThe Orange Book5. IIIThe Legal Perspective A. Sources Of Computer LawThe three branches of the government, legislative, executive, and judicial,produce quantities of computer law which are inversely proportional to theamount of coordination needed for it’s enactment.
The legislative branch,consisting of the Congress and fifty state legislators, produce the smallestamount if law which is worded in the most general terms. For example, theCongress may pass a bill mandating that sensitive information in governmentcomputers be protected. The executive branch, consisting of the president andnumerous agencies, issues regulations which implement the bills passed bylegislators. Finally, the judicial branch serves as an avenue of appeal anddecides the meaning of the laws and regulations in specific cases. After thedecisions are issued, and in some cases appealed, they are taken as the word ofthe law in legally similar situations. B.
Current Views On Computer CrimeCurrently there is no universal argument in the legal community on whatconstitutes a computer crime. One reason is the rapidly changing state ofcomputer technology. For example in 1979, the U. S. Department of justicepublication6 partitioned computer crime into three categories: 1) Computerabuse, “the broad range of international acts involving a computer where one ormore perpetrators made or could have made gain and one or victims suffered orcould have suffered a loss. ” Computer crime, “Illegal computer abuse theimplies direct involvement of computers in committing a crime.
3) Computerrelated crimes “Any illegal act for which a knowledge of computer technology isessential for successful prosecution. ” These definitions have become blurred bythe vast proliferation of computers and computer related products over the lastdecade. For example, does altering an inventory bar code at a store constitutecomputer abuse’should a person caught in such an act be prosecuted both undertheft and computer abuse laws? Clearly, advances in computer technology shouldbe mirrored by parallel changes in computer laws. Another attempt to describe the essential features of computer crimes has beenmade by wolk and Luddy1. They claim that the majority of crimes committedagainst or which the use of a computer can be classified.
These crimes areclassified as follows: 1) sabotage, “involves an attack against the entirecomputer system, or against it’s sub components, and may be the product offoreign involvement or penetration by a competitor. ” 2) Theft of services,”using a computer at someone else’s expense. 3) Property crime involving the”theft of property by and through the use of a computer. A good definition ofcomputer crime should capture all acts which are criminal and involve computersand only those acts. Assessing the completeness of a definition seemsproblematic, tractable using technical computer security concepts.
IV. ConclusionThe development of effective computer security law and public policycannot be accomplished without cooperation between the technical and legalcommunities. The inherently abstruse nature of computer technology and theimportance of social issues it generates demands the combined talents of both. At stake is not only a fair and just interpretation of the law as it pertains tocomputers, but more basic issues involving the protection of civil rights. Technological developments have challenged these rights in the past and havebeen met with laws and public policies which have regulated their use.
Forexample the use of the telegraph and telephone gave rise to privacy lawspertaining to wire communications. We need to meet advances in automatedinformation technology with legislation that preserves civil liberties andestablishes legal boundaries for protecting confidentiality, integrity, andassured service. Legal and computer professionals have a vital role in meetingthis challenge together. REFERENCES1Stuart R.
Wolk and William J. Luddy Jr. , “Legal Aspects of Computer Use” Prentice Hall, 1986,pg. 129 2National Computer Security Center,”Glossary of Computer Security Terms” October 21,1988 3Thomas R. MylottIII, “Computer Law for the Computer Professional,” Prentice Hall, 1984,p.
g. 131. e 4Gasser, Morrie, “Building a Secure Computer System” VanNostrand, 1988. 5Department of Defense, “Department of Defense TrustedComputer System Evaluation Criteria,” December 1985 6United StatesDepartment of Justice, “Computer Crime, Criminal Justice Resource Manual,” 1979COMPUTER SECURITY AND THE LAWI. IntroductionYou are a computer administrator for a large manufacturing company.
Inthe middle of a production run, all the mainframes on a crucial network grind toa halt. Production is delayed costing your company millions of dollars. Uponinvestigating, you find that a virus was released into the network through aspecific account. When you confront the owner of the account, he claims heneither wrote nor released the virus, but he admits that he has distributed hispassword to “friends” who need ready access to his data files. Is he liable forthe loss suffered by your company? In whole or in part? And if in part, for howmuch? These and related questions are the subject of computer law.
The answersmay very depending in which state the crime was committed and the judge whopresides at the trial. Computer security law is new field, and the legalestablishment has yet to reach broad agreement on may key issues. Advances in computer security law have been impeded by the reluctance onthe part of lawyers and judges to grapple with the technical side of computersecurity issues1. This problem could be mitigated by involving technicalcomputer security professional in the development of computer security law andpublic policy. This paper is meant to help bridge to gap between technical andlegal computer security communities.
II. THE TECHNOLOGICAL PERSPECTIVEA. The Objectives of Computer SecurityThe principal objective of computer security is to protect and assurethe confidentiality, integrity, and availability of automated informationsystems and the data they contain. Each of these terms has a precise meaningwhich is grounded in basic technical ideas about the flow of information inautomated information systems.
B. Basic ConceptsThere is a broad, top-level consensus regarding the meaning of mosttechnical computer security concepts. This is partly because of governmentinvolvement in proposing, coordinating, and publishing the definitions of basicterms2. The meanings of the terms used in government directives andregulations are generally made to be consistent with past usage. This is not tosay that there is no disagreement over the definitions in the technicalcommunity. Rather, the range of such disagreement is much narrower than in thelegal community.
For example there is presently no legal consensus on exactlywhat constitutes a computer3. The term used to establish the scope of computer security is “automatedinformation system,” often abbreviated “AIS. ” An Ais is an assembly ofelectronic equipment, hardware, software, and firmware configured to collect,create, communicate, disseminate, process, store and control data or information. This includes numerous items beyond the central processing unit and associatedrandom access memory, such as input/output devises (keyboards, printers, etc.
)Every AIS is used by subjects to act on objects. A subject is anyactive entity that causes information to flow among passive entities calledobjects. For example, subject could be a person typing commands which transferinformation from a keyboard(an object) to memory (another object),or a process running on the central processing unit that is sending informationfrom a file(an object) to a printer a printer(another object). 2Confidentiality is roughly equivalent to privacy. If a subjectcircumvents confidentiality measures designed to prevent it’s access to anobject, the object is said to be “comprised.
” Confidentiality is the mostadvanced area of computer security because the U. S. Department of Defense hasinvested heavily for many years to find way to maintain the confidentiality ofclassified data in AIS 4. This investment has produced the Department ofDefense trusted computer system evaluation criteria5, alternatively calledthe Orange Book after the color of it’s cover. The orange book is perhaps thesingle most authoritative document about protecting the confidentiality of datain classified AIS.
Integrity measures are meant to protect data form unauthorizedmodification. The integrity of an object can be assessed by comparing it’scurrent state to it’s original or intended state. An object which has beenmodified by a subject with out proper authorization is sad to “corrupted. “Technology for ensuring integrity has lagged behind that for confidentiality4. This is because the integrity problem has until recently been addressed byrestricting access to AIS to trustworthy subjects.
Today, the integrity threatis no longer tractable exclusively through access control. The desire for wideconnectivity through networks and the increased us of commercial off the shelfsoftware has limited the degree to which most AIS’s can trust acceleratingover the past few years, and will likely become as important a priority asconfidentiality in the future. Availability means having an AIS system and it’s associated objectsaccessible and functional when needed by it’s user community. Attacks againstavailability are called denial of service attacks. For example, a subject mayrelease a virus which absorbs so much processor time that the AIS system becomesoverloaded. This is by far the least well developed of the three securityproperties, largely for technical reasons involving the formal verification ofAIS designs4.
Although such verification is not likely to become a practicalreality for many years, techniques such as fault tolerance and softwarereliability are used to migrate the effects of denial service attacks. C. Computer Security RequirementsThe three security properties of confidentiality, integrity, andavailability are acvhied by labeling the subjects and objects in an AIS andregulating the flow of information between them according to a predetermined setof rules called a security policy. The security policy specifies which subjectla
