Lesson 3 Cyber Legal Environment: One of the Prime Drivers for Incident Response.

Overview Our Ethics Today’s Criminal Justice System Cyber Crime Legislation USA Patriot Act

CRIMINAL JUSTICE SYSTEM Current System The Process Recidivism

Current System Law enforcement generally overworked Understaffed Under-budgeted Lacking cyber expertise Court systems even more backlogged

Normal Case Victim notifies law enforcement Police gather evidence and develop suspects Search warrants executed Interviews/Interrogations Suspect(s) charged Case turned over to prosecutor Grand Jury Court Case

Agencies Ready to Respond Local Law Enforcement –DHS US-CERT –FBI's Internet Crime Complaint Center (IC3) –U.S. Secret Service –DoJ's Computer Crime and Intellectual Property Section (CCIPS)

Current Trends Agencies developing expertise Sensitive to victims' needs –"They don't confiscate your machine" More cases being opened Many cases leading to success –Mafiaboy –Russian eBay scam –Melissa author (David Smith) –Deceptive Duo

Recommendation Be patient, but persistent Always describe the issue/loss in plain English Maintain chain of custody Estimate dollar loss Do not rule out civil court –Lower burden of proof: "preponderance of the evidence" rather than "beyond a reasonable doubt"
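The chain-of-custody point above is where an incident responder's own tooling matters. The following is an added example, not part of this lecture: a small evidence manifest that hashes each item at acquisition and keeps a hash-chained custody log, so that a court or opposing counsel can check that neither the evidence bytes nor the handling record changed after seizure. Item IDs, names, timestamps and the stand-in image bytes are constructed for illustration.

```python
"""Tamper-evident evidence manifest with a chain-of-custody log.

Added example (not from the lecture). Evidence bytes, names and dates
below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes (a file or disk image in practice)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str         # ISO-8601 UTC timestamp
    actor: str        # person handling the item
    action: str       # "acquired", "transferred", "examined", ...
    notes: str
    prev: str         # digest of the previous event; "" for the first entry
    digest: str = ""  # SHA-256 over this event's fields plus prev

    def compute_digest(self) -> str:
        # Canonical JSON so the digest does not depend on field ordering.
        body = json.dumps([self.when, self.actor, self.action, self.notes, self.prev],
                          separators=(",", ":")).encode()
        return hashlib.sha256(body).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str  # content hash taken at acquisition
    custody: list = field(default_factory=list)

    def record(self, actor: str, action: str, notes: str = "",
               when: Optional[str] = None) -> CustodyEvent:
        """Append a custody event, chained to the previous one by hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.custody[-1].digest if self.custody else ""
        event = CustodyEvent(when, actor, action, notes, prev)
        event.digest = event.compute_digest()
        self.custody.append(event)
        return event


def acquire(item_id: str, description: str, data: bytes, actor: str,
            when: Optional[str] = None) -> EvidenceItem:
    """Hash the evidence at seizure time and open its custody log."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.record(actor, "acquired", f"sha256={item.sha256}", when)
    return item


def verify(item: EvidenceItem, data: bytes) -> dict:
    """Check that the content still matches its acquisition hash and that no
    custody entry was altered, inserted or removed (the hash chain must hold)."""
    content_ok = sha256_hex(data) == item.sha256
    chain_ok = True
    prev = ""
    for event in item.custody:
        if event.prev != prev or event.compute_digest() != event.digest:
            chain_ok = False
            break
        prev = event.digest
    return {"content_ok": content_ok, "chain_ok": chain_ok}


if __name__ == "__main__":
    IMAGE = b"constructed stand-in for a seized disk image"  # not real evidence
    item = acquire("EV-2003-001", "workstation disk image", IMAGE, "analyst A",
                   when="2003-03-10T14:05:00+00:00")
    item.record("analyst A", "transferred", "handed to lab", "2003-03-10T16:30:00+00:00")
    item.record("examiner B", "examined", "read-only mount", "2003-03-11T09:00:00+00:00")
    print(json.dumps(verify(item, IMAGE)))   # both checks pass
    item.custody[1].actor = "someone else"   # simulate a doctored log entry
    print(json.dumps(verify(item, IMAGE)))   # chain_ok becomes False
```

The content hash answers "is this the same evidence?"; the hash chain answers "is this the same handling history?". Write the manifest out (and, in practice, sign or notarise the latest digest) each time custody changes, so an altered or deleted entry is detectable later.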

Applicable U.S. Criminal Code Software Piracy Using computers/networks to commit "normal" crimes –Many U.S.C. provisions can be used Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (network crime) Wiretapping & snooping (aka sniffing) –Wiretap Act, 18 U.S.C. § 2511 –Stored Communications Act (ECPA Title II), 18 U.S.C. § 2701

Traditional Crimes Criminal Trademark, 18 U.S.C. Criminal Copyright, 18 U.S.C. and 17 U.S.C. § 506(a) Child Pornography, 18 U.S.C. § 2252A Criminal Trade Secrets, 18 U.S.C. §§ 1831/1832 Threats & Harassment, 18 U.S.C. §§ 844(e) & 875, 47 U.S.C. § 223(a)(1)(C), (E)

Computer Fraud and Abuse Act (1) Defines certain “protected computers” –U.S. Govt Networks –Financial networks –Networks that affect interstate or foreign commerce or communication Damage to a “protected computer” is a criminal act Defines loss thresholds

Computer Fraud and Abuse Act (2) Trespass on a Govt system is a criminal act Trafficking in passwords or similar info that allows unauthorized access Extortion by threatening to damage a protected computer Accessing a protected computer without authorization Attempts are a criminal act Defines loss thresholds

Computer Fraud and Abuse Act (3) Certain privacy intrusions are a criminal act –Prohibits unauthorized access to obtain: financial records, information from a federal agency, or information from any protected computer

Legal Aspects of Monitoring Real-time monitoring: –Two statutes govern: Wiretap statute (content) Pen/Trap statute (non-content connection data) –Pen Register: outgoing connection data –Trap & Trace: incoming connection data ECPA covers access to stored communications –Covers voice mail, e-mail, "logs" But, there are exceptions

Intercept/Monitoring Exceptions Computer Trespass Exception –Bannered systems allow monitoring (a login banner puts users on notice and supports consent to monitoring) Consent of a Party (victim?) Provider exception –To protect provider's "rights/property" –When done in "normal ops" –Limited exception –Not an investigator's privilege

Electronic Communications Privacy Act (ECPA) Applies to stored info –Communications (e-mail, voicemail) –Transactional data (connection logs) –Subscriber/session information 18 U.S.C. governs access and disclosure Providers to the public cannot voluntarily disclose info (outside the statutory exceptions) Private (non-public) providers can share info

Related Recent E-Comm Security Legislation that could impact Forensics Gramm-Leach-Bliley Act (1999; FTC Safeguards Rule issued 2002) –Financial Privacy, Safeguards, and Pretexting HIPAA (compliance deadline 14 Apr 2003) –Safeguards to ensure patient confidentiality

Gramm-Leach-Bliley Act Financial Privacy, Safeguards, and Pretexting Federal Trade Commission has oversight Title V of the Act (the privacy provisions) Requires financial institutions to notify customers about their privacy practices and allow consumers to "opt out" of having their nonpublic personal information disclosed The Act's security provisions require the Commission and certain other federal agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer information. Source: FTC

Gramm-Leach-Bliley Act Security Issues Designate an employee or employees to coordinate its [safeguards] program Assess risks in each area of its operations Design and implement an information security program to control these risks Require service providers (by contract) to implement appropriate safeguards for the customer information at issue Adapt its program in light of material changes to its business that may affect its safeguards Source: FTC

HIPAA Update Health Insurance Portability and Accountability Act Health and Human Services issued patient-data privacy guidelines Passed by Congress in 1996 14 April 2003 deadline for basic HIPAA compliance Applies to companies providing health care services and any business associates handling protected patient data Source: Network World, Mar 10, 2003, Pg 30

HIPAA Tenets Basic tenet: "apply administrative, physical, and technical safeguards to ensure confidentiality" Companies worried about being held liable and the consequent damages Perception is 14 April opens up the litigation floodgates HIPAA's 3 guidelines –Electronic Data Interchange (EDI) –Privacy –Security Source: Network World, Mar 10, 2003, Pg 30

HIPAA Security Issues After 14 April HHS must investigate complaints –Potential penalty: up to $25K/yr per type of violation Creating need for encrypted e-mail Increased emphasis on audit and access control for patient data –For every record accessed you need to know who, what, and when Strong authentication techniques –Individual (not shared) accounts with role-based access (DR, RN, LPN) VPN client software for remote access Source: Network World, Mar 10, 2003, Pg 30
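The audit and access-control requirements on this slide (who, what and when for every record touched; individual, role-based accounts) are the part a security engineer actually builds. The following is an added example, not from the lecture or from HHS: a record store that checks a role-to-action map before any read or update and writes an audit entry for every attempt, including denials, so the "who, what, when" question can be answered for any patient. The DR/RN/LPN permission split, the user names and the patient data are assumptions made for illustration.

```python
"""Role-based access to patient records with a who/what/when audit trail.

Added example (not from the lecture). The role permissions, users and
records are hypothetical.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed role-to-action map. The slide names DR, RN and LPN; the split
# below is illustrative only, not taken from any regulation.
ROLE_PERMISSIONS = {
    "DR": {"read", "update"},
    "RN": {"read", "update"},
    "LPN": {"read"},
}


class AccessDenied(PermissionError):
    """Raised when the caller's role does not permit the requested action."""


class PatientRecordStore:
    def __init__(self, records: Dict[str, dict]):
        self._records = {pid: dict(rec) for pid, rec in records.items()}
        self.audit_log: List[dict] = []  # append-only; never edited in place

    def _log(self, when, user, role, action, patient_id, outcome) -> dict:
        entry = {"when": when, "who": user, "role": role, "what": action,
                 "patient": patient_id, "outcome": outcome}
        self.audit_log.append(entry)
        return entry

    def access(self, user: str, role: str, action: str, patient_id: str,
               changes: Optional[dict] = None, when: Optional[str] = None) -> dict:
        """Authorise, then act; every attempt is logged before data is touched.

        `user` is an individual account (no shared logins), `role` decides
        what that account may do, and denials are audited like successes.
        """
        when = when or datetime.now(timezone.utc).isoformat()
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._log(when, user, role, action, patient_id, "denied")
            raise AccessDenied(f"{user} ({role}) may not {action} {patient_id}")
        record = self._records.get(patient_id)
        if record is None:
            self._log(when, user, role, action, patient_id, "not_found")
            raise KeyError(patient_id)
        if action == "update":
            record.update(changes or {})
        self._log(when, user, role, action, patient_id, "ok")
        return dict(record)  # copy, so callers cannot bypass access()

    def who_touched(self, patient_id: str) -> List[dict]:
        """Answer the audit question for one patient: who, what, when."""
        return [e for e in self.audit_log if e["patient"] == patient_id]


if __name__ == "__main__":
    store = PatientRecordStore({"P-1001": {"name": "constructed patient", "dx": "none"}})
    store.access("jdoe", "DR", "read", "P-1001", when="2003-04-15T08:00:00+00:00")
    try:
        store.access("msmith", "LPN", "update", "P-1001", {"dx": "x"},
                     when="2003-04-15T08:01:00+00:00")
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in store.who_touched("P-1001"):
        print(entry)
```

Logging the denial is deliberate: a string of "denied" entries from one account is the signal an auditor or incident responder looks for, and a store that only logs successes cannot produce it.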

USA PATRIOT ACT of 2001 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act

Major Sections Criminal Law Intelligence Cross-Flow

Organization Title II -- Enhanced Surveillance Procedures Title III -- International Money Laundering Title IV -- Strengthening the Border Title VII -- Increased Information Sharing for Critical Infrastructure Protection Title VIII -- Strengthening Criminal Laws Title IX -- Improved Intelligence Title X -- Miscellaneous

Criminal Law

Subpoenas for Electronic Evidence Sec 210 Old: Subpoena limited to customer’s name, address, length of service, and means of payment In many cases, users register with ISPs under false names New: Update and expand records available by subpoena Old list, plus means and source of payment, credit card or bank account number, records of session times and durations, and any temporarily assigned network address Not subject to sunset

Pen Register, Trap and Trace Sec 216 Old: “telephone lines” and “numbers dialed” Did not clearly cover computer comms Court could only authorize use in single judicial district New: clearly applies to computer comms, for any non-content info–“dialing, routing, addressing, and signaling information” Info relevant to ongoing criminal investigation Nationwide federal pen/trap orders New LE reporting requirement Not subject to sunset

Computer Trespassers Sec 217 Old: Computer owners were often not clearly “parties” to hacker intrusions into the computer, so the owner generally not deemed able to consent to LE monitoring New: Victims of computer attacks can authorize persons “acting under color of law” (LE or CI) to monitor trespassers on their computer systems Subject to sunset

Computer Trespasser Defn Any person who accesses a "protected computer" without authorization –"protected computer" - one used in interstate or foreign commerce or communication Thus has no reasonable expectation of privacy in communications to, through, or from that computer Explicitly excludes any person "known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator for access to all or part of the computer"

Computer Trespasser Requirements Investigator may intercept comms of a computer trespasser transmitted to, through, or from the protected computer Owner or operator of the protected computer authorizes interception –[note: best if in writing] Person who intercepts is lawfully engaged in an ongoing investigation Person acting under color of law has reasonable grounds to believe contents will be relevant to the investigation Investigators intercept only comms sent or received by the trespasser

Civil Liability for Unauthorized Disclosures Sec 223 Old: civil remedies for unauthorized interception, disclosure, or use of communications against any person or entity New: All civil remedies against persons or entities, other than the US New section allows monetary damages against US if employees improperly disclose intercept Adds administrative discipline provisions Not subject to sunset

“Domestic Terrorism” Sec 802 Old: no definition of “domestic terrorism” New : activities primarily w/in territorial jurisdiction of US Acts dangerous to human life and violate US criminal laws Appear intended to intimidate or coerce civilian population Influence policy of a govt by intimidation or coercion, or affect conduct of a govt –mass destruction –assassination – kidnapping

Crimes at U.S. Facilities Abroad Sec 804 Old: defined special maritime and territorial jurisdiction of US New: extends jurisdiction to U.S. diplomatic, consular, military, or other premises and related private residences overseas for offenses committed by or against a U.S. national Not offenses by members or employees of U.S. armed forces and persons accompanying them (covered under another law)

“Federal Crime of Terrorism” Sec 808 Old: defined “federal crime of terrorism” by listing offenses New: adds several offenses, including aircraft violence and computer crimes Also attacks on military comm systems, and material support to terrorist orgs (including training and expert advice) Longer statute of limitations (Sec 809) Add offenses to RICO (Sec 813)

Deterrence and Prevention of Cyberterrorism Sec 814 Old: "Damage" = –$5000 loss (per computer?) –physical injury to a person –threat to public health or safety –impairing medical care Did not define "loss" Extraterritorial application unclear New –Any impairment if used by or for a govt entity for justice, natl defense, natl security –$5000 aggregated loss if multiple victims Extraterritorial application clear "Loss" includes damage assessment, restoration, lost revenue, response costs, consequential damages "Person" includes govt Not subject to sunset
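The Sec 814 loss definition and the $5,000 aggregation test are what an incident responder has to tally when estimating dollar loss for a referral. The following is an added example, not from the lecture: a tally that validates loss entries against the categories listed on the slide, totals them per victim, finds the largest aggregate across all victims within any one-year span, and applies the government-system carve-out. The 365-day reading of "1-year period", the victim names and the figures are assumptions.

```python
"""CFAA "loss" tally with the $5,000 one-year aggregation test.

Added example (not from the lecture). The loss categories follow the slide's
list; the 365-day window and the sample figures are assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

LOSS_CATEGORIES = {"response", "damage_assessment", "restoration",
                   "lost_revenue", "consequential"}
THRESHOLD_USD = 5000
WINDOW_DAYS = 365  # assumed reading of "any 1-year period"

# Constructed figures for several victims of one incident.
SAMPLE: List[dict] = [
    {"victim": "Hospital A", "date": date(2002, 1, 10), "category": "response", "amount": 2000},
    {"victim": "ISP B", "date": date(2002, 6, 1), "category": "restoration", "amount": 2500},
    {"victim": "Retailer C", "date": date(2002, 12, 31), "category": "damage_assessment", "amount": 600},
    {"victim": "Retailer C", "date": date(2003, 3, 1), "category": "lost_revenue", "amount": 1000},
]


def validate(entries: List[dict]) -> None:
    """Reject entries outside the statutory categories or with negative amounts."""
    for e in entries:
        if e["category"] not in LOSS_CATEGORIES:
            raise ValueError(f"unknown loss category: {e['category']}")
        if e["amount"] < 0:
            raise ValueError("loss amounts must be non-negative")


def by_victim(entries: List[dict]) -> Dict[str, int]:
    """Per-victim totals, useful for the referral write-up."""
    validate(entries)
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e["victim"]] = totals.get(e["victim"], 0) + e["amount"]
    return totals


def max_window_loss(entries: List[dict]) -> Tuple[int, Optional[date]]:
    """Largest aggregate loss (all victims) inside any WINDOW_DAYS span.

    Sliding window over date-sorted entries: returns the total and the date
    of the first entry in the best window; (0, None) when there are none.
    """
    validate(entries)
    entries = sorted(entries, key=lambda e: e["date"])
    best, best_start = 0, None
    running, j = 0, 0
    for e in entries:
        running += e["amount"]
        # Drop entries that fall outside the window ending at e["date"].
        while entries[j]["date"] < e["date"] - timedelta(days=WINDOW_DAYS - 1):
            running -= entries[j]["amount"]
            j += 1
        if running > best:
            best, best_start = running, entries[j]["date"]
    return best, best_start


def meets_damage_test(entries: List[dict], government_system_impaired: bool = False) -> bool:
    """Sec 814 as summarised on the slide: any impairment of a system used by or
    for a government entity for justice, national defense or national security
    qualifies outright; otherwise the aggregated loss must reach $5,000."""
    if government_system_impaired:
        return True
    return max_window_loss(entries)[0] >= THRESHOLD_USD


if __name__ == "__main__":
    print(by_victim(SAMPLE))
    print(max_window_loss(SAMPLE))      # (5100, 2002-01-10): window meets threshold
    print(meets_damage_test(SAMPLE))    # True
    print(meets_damage_test(SAMPLE[:2] + SAMPLE[3:]))  # False: best window is 4500
```

The point of the sliding window is that losses spread over more than a year do not simply add up; a referral should show which one-year span reaches the threshold and which entries fall inside it.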

Critical Infrastructures Protection Sec 1016 Continuous natl effort required to ensure cyber and physical infrastructure service Requires extensive modeling and analytic capabilities National Infrastructure Simulation and Analysis Center (NISAC) $20,000,000 authorized for DTRA for FY02

Summary Legislation Maturing Quickly Plays a vital role in ID and IR