CSE 3482 Introduction to Computer Security Law & Ethics Instructor: N. Vlajic, Winter 2017
Learning Objectives
Upon completion of this material, you should be able to:
  Differentiate between law and ethics.
  Identify major US laws that relate to the practice of information security.
  Identify relevant professional organizations and their Codes of Ethics.
Required Reading
Computer Security, Stallings: Chapter 19
Introduction
Introduction (cont.)
Law
  a written set of rules adopted and enforced by a government to define expected behavior
  these rules attempt to balance individual freedoms and social order, which may be in conflict
  laws are largely drawn from the ethics of a culture
Ethics
  an informal set of values and beliefs about right and wrong behavior in a given culture
  some ethics are thought to be universal: murder, theft and assault are legally and ethically unacceptable in most of the world's cultures
Key difference between law and ethics: law carries the sanction of a governing authority and ethics do not!
Introduction (cont.)
In the majority of cases, what is legal is also ethical, and the other way around. However, with society operating in a dynamic and ever-changing environment, there are cases when law and ethics are in conflict.
Introduction (cont.)
Relationship between Law and Ethics
  Edward Snowden NSA Leak Case
  Breaking into Somebody's Email Account
  Screening of Web-traffic by Employer / Government
http://210.46.97.180/zonghe/book/203-entrepreneurship(fifth%20edition)- Harcourt%20Colledge%20Publishers-Donald%20F.%20Kuratko/chapter_6.htm
Introduction to Law
Introduction to Law (cont.)
Categories of Common Law in Canada and USA:
Public Law(s):
  regulate 1) organization & functioning of the state, 2) relationship between the state & its subjects
  concerned with matters that affect society as a whole
  deal with regulation of behavior generally
Private Law(s):
  regulate relationships between individuals & groups that are not of public importance
  deal with disputes between parties
  regulate rights and duties of individuals to each other
Introduction to Law (cont.)
Subcategories of Law
Public Law(s)
  Constitutional Law: related to interpretation & application of the Constitution of Canada, including the Charter of Rights & Freedoms (freedom of expression & religion, freedom from unreasonable search & seizure, ...)
  Administrative Law: addresses actions and operations of government & government agencies
  Criminal Law: deals with behaviors that result in injury to people and/or property (murder, break and enter, sexual assault, etc.)
Private / Civil Law(s)
  Family Law: deals with various relationships of family life
  Contract Law: outlines requirements for legally binding agreements
  Tort Law: seeks compensation for loss caused by negligence
  Property Law: outlines relationship between individuals & property
  Labour Law: outlines relationship between employers & employees
Civil vs. Criminal Law
Civil vs. Criminal Law (cont.)
Criminal vs. Civil Law Principles
In Criminal Law, to convict someone, the guilt must be proven beyond reasonable doubt.
In Criminal Law, the sentence to the offender may include one or a combination of the following:
  fine
  restitution (compensate for victim's loss or damages)
  probation
  community service
  imprisonment
In Civil Law, to convict someone, the guilt must be proven on balance of probabilities.
In Civil Law, monetary remedies (damages) are most common.
Civil vs. Criminal Law (cont.)
"beyond reasonable doubt" evidence = clear and convincing evidence (the mere possibility that something is true is NOT sufficient)
"balance of probabilities" evidence = evidence with a 50% threshold (produces a belief that what is presented is more likely true than not true)
More evidence is needed to find the defendant at fault in criminal cases than in civil ones.
Civil vs. Criminal Law (cont.) http://www.sba.pdx.edu/faculty/maggief/chap1.pdf
http://www.sclifflaw.com/wp-content/uploads/2013/06/comparisons-between-criminal-law-and-civil-law.jpg
Civil vs. Criminal Law (cont.) Every crime has two essential parts: the action or "actus reus" and the intent or "mens rea" (guilty mind). For example, the crime of arson has two parts: actually setting fire to a building and doing it wilfully and deliberately. Setting a fire by accident may not be a crime. For most criminal cases both the action and the intent must be proven. If either element is missing, then NO crime has been committed. http://www.lawlessons.ca/lesson-plans/2.1.definition-and-principles
Law and Computer Security
Is a DDoS a Civil or a Criminal offence?
In the US, as of 2008, DDoS is considered a criminal offence under the Computer Misuse Act.
In Canada, DDoS is also a criminal offence under Criminal Code 430: Unauthorized Use of Computer & Mischief.
Law and Computer Security (cont.)
"In the early days of computer security, information security professionals were pretty much left on their own to defend their systems against attacks. They did not have much help from the criminal and civil justice systems. When they did seek assistance from law enforcement, they were met with reluctance by overworked agents who did not have a basic understanding of how something that involved a computer could actually be a crime. Fortunately, both our legal system and the men and women of law enforcement have come a long way over the past two decades."
CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Stewart, E. Tittel, M. Chapple (p. 630)
Law and Computer Security (cont.)
"The first computer security issues addressed by legislators were those involving computer crime. Early computer crime prosecutions were attempted under traditional criminal law, and many were dismissed because judges thought that applying traditional law to this modern type of crime was too far of a stretch. Legislators responded by passing specific statutes that defined computer crime and laid out specific penalties for various crimes."
"Every information security professional should have a basic understanding of the law as it relates to information technology. However, the most important lesson to be learned is knowing when it is necessary to call in an attorney."
CISSP: Certified Information Systems Security Professional Study Guide, by J. M. Stewart, E. Tittel, M. Chapple (p. 633)
Law and Computer Security (cont.)
To minimize their own & their organization's liability, information security professionals must:
  keep informed about new laws, regulations and ethical issues as they emerge
  understand the scope of the organization's legal and ethical responsibilities
  educate management and employees about their legal and ethical obligations and the proper use of information technology
Computer Crime
Computer Crime: criminal activity in which any of the following is true:
  the computer is a target, e.g., somebody attempts to control a computer or interfere with its availability (examples: development and distribution of malware, DDoS attacks, ...)
  the computer is a storage device, e.g., somebody uses a computer to store stolen or inappropriate content
  the computer is a communication tool, e.g., somebody uses computer(s) to conduct illegal sale of drugs or guns
Is computer crime the same in different countries?