The Law of Information Assurance - PowerPoint PPT Presentation

About This Presentation

Title: The Law of Information Assurance

Provided by: douglasjs
Slides: 24

Transcript and Presenter's Notes
1
The Law of Information Assurance
  • Douglas J. Sylvester
  • ASU College of Law
  • Faculty Fellow, Center for the Study of Law, Science, and Technology

2
Definitions
  • Cybersecurity Law (often termed Information Assurance or Information Security) is concerned with the legal and extra-legal issues surrounding the security and integrity of digital information and systems.
  • Pre-9/11, Cybersecurity Law was generally concerned with the ability of IT companies and government to prevent economically motivated malicious acts (hacking, spam, DoS attacks, etc.).
  • Post-9/11, Cybersecurity Law is increasingly concerned with the prevention of criminal acts, both domestic and international, that affect critical infrastructures: cyberterrorism.
  • Not just information assurance:
    • Privacy, Anti-terrorism, Corporate Accountability, Government Restrictions, Anti-Surveillance, Property Protections

3
Government Records and Security
  • Numerous laws pertain to Government (mainly federal) policies for record retention and data security
  • Electronic Records Management and Federal Records Act
    • Expanding scope of records to include electronic media
  • Federal Managers Financial Integrity Act of 1982
    • Develop security policies and consistent accounting
  • Federal Property and Administrative Services Act
  • National Archives and Records Act
  • Freedom of Information Act and Electronic Freedom of Information Act
  • E-Government Act of 2002
    • Privacy Provisions: CIPSEA
      • Requires federal agencies to protect the confidentiality of all data gathered under a pledge of confidentiality
      • Data may only be used for statistical purposes
    • Security Provisions: Title III, Federal Information Security Management Act (FISMA)
      • Accreditation and compliance through NIST processes
      • Requires non-security-related systems to be secure; promulgation of agency security policies
      • OMB governance
      • Four steps: initiation, certification, accreditation, continuous monitoring

4
Information Access
  • Numerous Federal Laws require Information be Made Available to the Public
    • FOIA / E-FOIA (1996)
    • APA
  • Other Laws Require Information be Kept Secure
    • HIPAA
    • GLB
  • Security and Information Assurance?
    • Most Laws do not have individual requirements
    • HIPAA / GLB
  • Federal Systems Must Be Secured
    • Integrated Networks
    • Dangers of Hacks and Vulnerabilities?

5
Freedom of Information Act
  • Requires disclosure of any available data unless
    • Relevant to national security
    • Personal privacy
  • Original intent: to disclose to individuals the information government has collected on them
    • More corporations request than individuals
  • 1996: Passage of E-FOIA
    • All government agencies must make reading-room documents electronically available
    • Tracking Integrity
    • Assessments

6
Secure Government Computer Use
  • National Communications System
    • Established in 1963 after the Cuban Missile Crisis
    • Links together and evolves the communication facilities of federal agencies
    • Updated by executive orders over time
    • Tasked with developing a national telecommunications infrastructure responsive to national security and emergency needs
  • Committee of Principals: agencies that own or lease telecommunication assets are part of NCS
    • Secretary of DHS is in charge

7
Securing Computers for National Security
  • National Security Directive 42 (NSD-42), 1990
    • Securing computers used for national security
    • Created the Committee on National Security Systems (CNSS), an inter-agency group
    • Creates security course requirements, among many other things
    • Secretary of Defense in charge of strategy, vision, etc.
    • NSA Director to take care of the technical details
  • Clinger-Cohen Act of 1996, or Information Technology Management Reform Act (ITMRA)
    • Government must shop and compare when buying technology
  • Many of these functions now under DHS

8
Cryptography
  • Pre-1996 view
    • Encryption technology treated as munitions
    • Dual-use standards
    • Bureau of Industry and Security
    • Export Administration Regulations
    • Forbade export of encryption technologies (export = transmission)
    • In some cases criminalized creation
    • Prior restraint cases
  • In 1996 the US government offered to reduce export restrictions for escrow encryption
    • Licenses granted upon review (30-day review for <64-bit)
  • 2002-04
    • New regulations governing encryption technologies
    • BIS review of >64-bit encryption (cursory)
    • Relatively free export today
  • BUT
    • Department of Homeland Security
    • Guidelines on dual-use materials

9
FISMA
  • Following 9/11 the Federal Government Gets Serious About Information Security
    • Passage of E-Government Act of 2002
    • Federal Information Security Management Act (FISMA)
    • Numerous National Security Directives
  • Explicitly Adopts
    • Risk-based policy for cost-effective security
  • Requires All Federal Agencies To
    • Develop a plan for security
    • Ensure that appropriate officials are assigned security responsibility
    • Periodically review the security controls in their information systems, and
    • Authorize system processing prior to operations and, periodically, thereafter.
  • E-FOIA Act of 1996
    • Requires Tracking and Integrity of Data

10
FISMA Implementation
  • National Institute of Standards and Technology
    • Computer Security Division
    • Non-legal institution that provides guidance
  • Standards
    • Impacts
    • Minimum security
    • Assessments
    • Effectiveness
  • Certifying and Accrediting
    • Guidance for certifying and accrediting information systems.
  • Cost-Effective Systems
  • Due Diligence for All Federal Contracts
  • Does NIST have Legal Authority?
  • Does it Matter?

11
NIST
  • Minimum Standards
    • Periodic assessments of risk, focused on harms
    • Cost-effectively reduce information security risks to an acceptable level
    • Plans for networks, facilities, information systems, or groups of information systems, as appropriate
    • Security awareness training
    • Periodic testing and evaluation
    • Procedures for detecting, reporting, and responding to security incidents, and
    • Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.

12
From Government to the Public
  • These Same Standards Will Become (or are) Public Standards
  • Statutory Minimum Standards
    • Health Information and Financial Information
  • Common Law
    • More Important
    • Industry Standards / Reasonableness

13
HIPAA
  • Health Insurance Portability and Accountability Act
  • Included in the massive document and accompanying explanatory regulations (2002) are numerous privacy provisions
  • Imposes liability on covered entities for failing to protect the privacy of patient and insured records
  • Sets forth minimum standards for securing
    • Authentication standards
    • Disclosure
    • Training
    • Access
    • Review
  • Does not provide specific technical standards
  • Legislates security through liability

14
GRAMM-LEACH-BLILEY
  • Gramm-Leach-Bliley Act
  • Covering financial institutions, broadly construed
  • Imposes privacy obligations
  • Does not set forth minimum standards for security
  • Many point to HIPAA's regulations and requirements as fostering best practices that can be borrowed in GLB analysis

15
Cyberterrorism And Compliance

16
National Strategy to Secure Cyberspace
  • Final Version Released Feb. 18, 2003
  • Sets forth federal government plans
    • Creates no new regulations
    • Sets forth no rigid guidelines
    • Phrased merely in suggestive terms
  • So why worry about it?
    • Creation of Best Practices
    • Common-law Civil Liability
    • Increased Government Involvement
    • Increased prosecution?

17
Suggested Duties
  • Provides support for the view that companies have a responsibility to 3rd parties to ensure appropriate security
    • "Each organization has a responsibility to secure its own portion of cyberspace; each sector must be aware of its roles and responsibilities"
  • Organizations have internal responsibility and accountability for information security: BOD and CEO responsibility
    • Recommends that boards form IT-Security committees
    • CIO
    • Mirrors GLB requirements, suggesting broader application
    • Following Sarbanes-Oxley, corporate accountability will only increase

18
Securing Cyberspace Cont.
  • Suggested Minimum Best Practices
  • Security as a Continuous Process
    • Unacceptable for companies to wait and see
    • Various Consent Decrees have made clear the FTC's and other agencies' view that companies must be PRO-ACTIVE
  • CISS-approved Security Audits and Follow-ups
  • Monitoring, Review and Disclosure
    • Recommends that CEOs be responsible for their companies' continued monitoring and auditing of security practices
    • Suggests that companies disclose the names of security auditors and their internal security governance.
  • Education
    • Imposes on industry the responsibility to ensure that employees are trained in cybersecurity issues

19
Homeland Security
  • Enacted (and funded!) in Nov. 2002
  • Various provisions affect Cybersecurity Issues
    • Undersecretary for Information Analysis and Infrastructure Protection
    • Responsible for implementing the Securing Cyberspace initiatives (teeth may be coming after all)
    • Continued emphasis on cooperation of the IT industry with government in surveillance
    • Civil and criminal liability, potentially, for failing to cooperate
    • Amendment of federal privacy regulations forbidding the linking of government information with private information
    • May require increasingly burdensome information disclosures to government databases

20
Areas of Potential Liability
  • Failure to Report / Cooperate
    • California Hacker Disclosure Law (2003)
    • Anyone suffering attacks must disclose
    • Anyone suffering hacks must notify
    • Whispers of possible enforcement
  • Failure to ensure security
    • Creation of best practices and civil liability
    • HIPAA
    • Securing Cyberspace
    • Privacy Guidelines
    • Reconciling with the other requirements!

21
Examples of a Failure of Due Care
  • Failure to Implement Known Software Patches
  • Failure to Install Latest Updates
  • Failure to Close Known Backdoors
  • Failure to Detect the Dry Run
  • Failure to Control Active Content
  • Failure to Employ Good Anti-Human-Engineering Techniques
  • Failing to Disclose Information Sharing Practices

22
Current Grace Period
  • Few If Any Lawsuits
    • Many filed, not much recovery
  • Little Court- or Government-Mandated Compliance
    • Consent decrees have no teeth
  • An Opportunity to Get Ahead
    • Lower risk profile
    • Develop Favored Status
  • Don't Get Complacent!
    • Things are changing
    • Attacks are on the Rise
    • Government is Watching
    • Media is Watching

23
Reading Material
  • Congressional Research Service Reports on Secrecy and Information Policy
    • http://www.fas.org/sgp/crs/secrecy/index.html
  • Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives
    • http://www.fas.org/irp/crs/RL32357.pdf
  • The Internet and the USA Patriot Act: Potential Implications for Electronic Privacy, Security, Commerce, and Government
    • http://www.epic.org/privacy/terrorism/usapatriot/RL31289.pdf
  • Secrets of Computer Espionage: Tactics and Countermeasures, Joel McNamara, Chapter 2.
  • Security in Computing, Charles Pfleeger and Shari Lawrence Pfleeger, Chapter 9.
  • Homepage: National Institute of Standards and Technology, Computer Security Division
    • http://csrc.nist.gov/index.html