The Law of Information Assurance

1
The Law ofInformation Assurance

• Douglas J. Sylvester
• ASU College of Law
• Faculty Fellow, Center for the Study of
• Law, Science, and Technology

2
Definitions

• Cybersecurity Law (often termed Information
  Assurance or Information Security) is
  concerned with the legal and extra-legal issues
  surrounding the security and integrity of digital
  information and systems.
• Pre 9/11, Cybersecurity Law was generally
  concerned with the ability of IT companies and
  government to prevent economic malicious acts
  (hacking, spam, D.O.S. attacks, etc).
• Post 9/11, Cybersecurity Law is increasingly
  concerned with the prevention of criminal acts,
  both domestic and international that affect
  critical infrastructurescyberterrorism
• Not just information assurance.
• Privacy, Anti-terrorism, Corporate
  Accountability, Government Restrictions,
  Anti-Surveillance, Property Protections

3
Government Records and Security

• Numerous Laws pertaining to Government (mainly
  federal) policies for record retention and data
  security
• Electronic Records Management and Federal Records
  Act
• Expanding scope of records to include
  electronic media
• Federal Managers Financial Integrity Act of 1982
  
• Develop security policies and consistent
  accounting
  
• Federal Property and Administration Service Act
  
• National Archives and Records Act
  
• Freedom of Information Act and Electronic Freedom
  of information Act
• E-Government Act 0f 2002
• Privacy Provisions CIPSEA
• Requiring federal agencies to protect
  confidentiality of all data gathered under a
  pledge of confidentiality
• Data may only be used for statistical purposes
  
• Security Provisions Title III, Federal
  Information Security Management Act (FISMA)
• Accreditation and Compliance through NIST
  processes
• Requiring non security related systems to be
  secure, promulgation of agency security policies
• OMB governance
• 4-steps initiation, certification,
  accreditation, continuous monitoring

4
Information Access

• Numerous Federal Laws require Information be Made
  Available to the Public
• FOIA E-FOIA (1996)
• APA
• Other Laws Require Information be Kept Secure
• HIPAA
• GLB
• Security and Information Assurance?
• Most Laws do not have individual requirements
• HIPAA GLB
• Federal System Must Be Secured
• Integrated Networks
• Dangers of Hacks and Vulnerabilities?

5
Freedom of Information Act

• Requires disclosure of any available data unless
• Relevant to national security
• Personal privacy
• Original intent to disclose data to individuals
  about information government has collected on
  them
• More corporations request than individuals
• 1996Passage of E-FOIA
• All government agencies must make reading room
  documents electronically available
• Tracking Integrity
• Assessments

6
Secure Government Computer Use

• National Communication System
• Established in 1963 after Cuban Missile Crisis
• Link together and evolve communication facilities
  of federal agencies
• Updated by executive orders over time
• Tasked with developing a national
  telecommunications infrastructure responsive to
  national security and emergency needs
• Committee of Principles Agents that own or
  lease telecommunication assets part of NCS
• Secretary of DHS is in charge

7
Securing Computers for National Security

• National Security Directive 42 (NSD-42) 1990
• Securing computers used for national security
• Created Committee on National Security Systems
  (CNSS), an inter-agency group
• Creates security course requirements among many
  other things.
• Secretary of Defense in charge for strategy,
  vision, etc.
• NSA Directory to take care of the technical
  details.
• Clinger-Cohen 1996 or Information Technology
  Management Reform Act (ITMRA)
• Government must shop and compare when buying
  technology
• Many of these functions now under DHS

8
Cryptography

• Pre-1996 view
• Encrpytion technology munitions
• Dual-use standards
• Bureau of Industry and Security
• Export Administration Regulations
• Forbade export of encryption technologies (export
  transmission)
• In some casescriminalized creation
• prior restraint cases
• In 1996 US government offered to reduce export
  restrictions for escrow encryption
• Licenses granted upon review (30-day for lt64 bit)
• 2002-04
• New regulations governing encryption technologies
  
• BIS review of gt64 bit encryption (cursory)
• Relatively free export today
• BUT
• Department of Homeland Security
• Guidelines on dual use materials

9
FISMA

• Following 9/11 Federal Government Gets Serious
  About Information Security
• Passage of E-Government Act of 2002
• Federal Information Security Management
  Act(FISMA)
• Numerous National Security Directives
• Explicitly Adopts
• Risk-based policy for cost-effective security
• Requires All Federal Agencies To develop
• Plan for security
• Ensure that appropriate officials are assigned
  security responsibility
• Periodically review the security controls in
  their information systems andAuthorize system
  processing prior to operations and, periodically,
  thereafter.
• E-FOIA Act of 1996
• Requires Tracking and Integrity of Data

10
FISMA Implementation

• National Institute of Standards and Technology
• Computer Security Division
• Non Legal Institution That Provides Guidance
• Standards
• Impacts
• Minimum security
• Assessments
• Effectiveness
• Certifying and Accrediting
• Guidance for certifying and accrediting
  information systems.
• Cost-Effective Systems
• Due Diligence for All Federal Contracts
• Does NIST have Legal Authority?
• Does it Matter?

11
NIST

• Minimum Standards
• Periodic assessments of riskfocused on harms
• Cost-effectively reduce information security
  risks to an acceptable level
• Plans for networks, facilities, information
  systems, or groups of information systems, as
  appropriate
• Security awareness training
• Periodic testing and evaluation
• Procedures for detecting, reporting, and
  responding to security incidents and
• Plans and procedures to ensure continuity of
  operations for information systems that support
  the operations and assets of the organization.

12
From Government to the Public

• These Same Standards Will Become (or are) Public
  Standards
• Statutory Minimum Standards
• Health Information and Financial Information
• Common Law
• More Important
• Industry Standards Reasonableness

13
HIPAA

• Health Insurance Portability and Accountability
  Act
• Included in massive document and accompanying
  explanatory regulations (2002) are numerous
  privacy provisions
• Imposes liability on covered entities for failing
  to protect privacy of patient and insured records
• Sets forth minimum standards for securing
• Authentication standards
• Disclosure
• Training
• Access
• Review
• Does not provide specific technical standards
• Legislates security through liability

14
GRAMM-LEACH-BLILEY

• Gramm-Leach-Bliley Act
• Covering financial institutions, broadly
  construed
• Imposes privacy obligations
• Does not set forth minimum standards for security
• Many point to HIPAAs regulations and
  requirements as fostering a best practices that
  can be borrowed in GLB analysis

15
Cyberterrorism And Compliance
16
National Strategy to Secure Cyberspace

• Final Version Released Feb. 18, 2003
• Sets forth federal govt plans
• Creates no new regulations
• Sets forth no rigid guidelines
• Phrased merely in suggestive terms
• So why worry about it?
• Creation of Best Practices
• Common-law Civil Liability
• Increased Government Involvement
• Increased prosecution?

17
Suggested Duties

• Provides support for view that companies have
  responsibility to 3rd parties to ensure
  appropriate security
• Each organization has a responsibility to
  secure its own portion of cyberspaceeach sector
  must be aware of its roles and responsibilities
• Organizations have internal responsibility and
  accountability for information securityBOD and
  CEO responsibility
• Recommends that boards form IT-Security
  committees
• CIO
• Mirrors GLB requirements suggesting broader
  application
• Following Sarbanes-Oxley, corporate
  accountability will only increase

18
Securing Cyberspace Cont.

• Suggested Minimum Best Practices
• Security as Continuous Process
• Unacceptable for companies to wait and see
• Various Consent Decrees have made clear FTC and
  other agencies view that companies must be
  PRO-ACTIVE
• CISS-approved Security Audits and Follow-ups
• Monitoring, Review and Disclosure
• Recommends that CEOs are responsible for their
  companies continued monitoring and auditing of
  security practices
• Suggests that companies disclose names of
  security auditors and internal security
  governance.
• Education
• Imposes on industry the responsibility to ensure
  that employees are trained in cybersecurity issues

19
Homeland Security

• Enacted (and funded!) in Nov. 2002
• Various provisions affect Cybersecurity Issues
• Undersecretary for Information Analysis and
  Infrastructure Protection
• Responsible for implementing the Securing
  Cyberspace initiatives (teeth may be coming after
  all)
• Continued emphasis on cooperation of IT industry
  with government in surveillance
• Civil and criminal liability, potential, for
  failing to cooperate
• Amendment of federal privacy regulations
  forbidding linking of government information with
  private
• May require increasingly burdensome information
  disclosures to government databases

20
Areas of Potential Liability

• Failure to Report Cooperate
• California Hacker Disclosure Law (2003)
• Anyone suffering attacks must disclose
• Anyone suffering hacks must notify
• Whispers of possible enforcement
• Failure to ensure security
• Creation of best practices and civil liability
• HIPAA
• Securing Cyberspace
• Privacy Guidelines
• Reconciling with the other requirements!

21
Examples of a Failure of Due Care

• Failure to Implement Known Software Patches
• Failure to Install Latest Updates
• Failure to Close Known Backdoors
• Failure to Detect the Dry Run
• Failure to Control Active Content
• Failure to Employee Good Anti-Human Engineering
  Techniques
• Failing to Disclose Information Sharing Practices

22
Current Grace Period

• Few If Any Lawsuits
• Many filednot much recovery
• Little Court or Government Mandated Compliance
• Consent decrees have no teeth
• An Opportunity to Get Ahead
• Lower risk profile
• Develop Favored Status
• Dont Get Complacent!
• Things are changing
• Attacks are on the Rise
• Government is Watching
• Media is Watching

23
Reading Material

• Congressional Research Service Reports on Secrecy
  and Information Policy
• http//www.fas.org/sgp/crs/secrecy/index.html
• Computer Security A Summary of Selected Federal
  Laws, Executive Orders, and Presidential
  Directives
• http//www.fas.org/irp/crs/RL32357.pdf
• The Internet and the USA Patriot Act Potential
  Implications for Electronic Privacy, Security,
  Commerce, and Government
• http//www.epic.org/privacy/terrorism/usapatriot/R
  L31289.pdf
• Secrets of Computer Espionage Tactics and
  Countermeasures, Joel McNamara, Chapter 2.
• Security in Computing, Charles Pfleeger and Shari
  Lawrence Pfleeger, Chapter 9.
• Homepage National Institute of Standards
  andTechnology Computer Security Division
  http//csrc.nist.gov/index.html