Bruce Schneier, in his book Secrets and Lies, reports on a major security breach at Citibank. In the mid 1990s a Russian hacker using sniffing technology acquired the passwords of two correspondent banks to abscond with approximately $12 million in client funds. The hacker, operating out of St Petersburg, was caught, but in the meantime millions of dollars were withdrawn by people who believed their funds were vulnerable. These customers lost confidence in Citibank's security systems, and Citibank not only lost business but also damaged its reputation.
These kinds of incidents happen frequently, but most are covered up. However, it is likely to be only a matter of time before a major security breach at an international conglomerate results in a collapse in business confidence similar to that which affected Arthur Andersen as a result of the Enron affair. Information security management is central to the health of most major businesses. It is a matter of managing the business risks as well as the technical risks. Part of those business risks involves understanding the legal implications of security breaches.
Information security has traditionally been seen as largely a technical problem to be solved by technology solutions. That is certainly true - at least up to a point.
First, there is the basic problem of access, which in turn requires a method of identifying and authenticating the persons who are entitled to the access level required. It also requires a method of keeping out everyone else who is not entitled to exercise those access rights. The technology solutions have ranged from basic password mechanisms and access tokens right through to various forms of biometrics.
Secondly, there is the problem of integrity and non-repudiation. In the digital world, we are dealing with bits and bytes (basically electronic impulses) that can be modified and then replicated to produce plain text or image versions that for all intents and purposes look as genuine as the original. Hash functions, as part of digital signatures, and different forms of public key encryption can help here. Other techniques include digital watermarking and different types of copy protection.
Thirdly, there is the issue of confidentiality, which to date has traditionally been dealt with by increasingly complex levels of cryptography. This issue is made more complicated in a networked environment. That environment can be open to intrusion by malicious software such as viruses, worms and Trojan horses that can appropriate secret information such as passwords and credit card details and redirect it to unauthorised third parties. Various forms of anti-virus software on the market wage an ongoing war against emergent strains.
Fourthly, there is the threat of attacks on networks and systems resulting in damage, loss of availability, or redirection of business traffic by different forms of spoofing technology. There are also the ubiquitous denial of service attacks that have plagued well known on-line service providers such as Amazon. In these cases the basic line of defence is a good firewall system, with the use of demilitarised zones for the web-enabled parts of the network. This technology can be supported by the use of intrusion detection systems and vulnerability scanners.
Despite all this, technology cannot and will not ever provide all of the answers for information security, especially if the products themselves are deployed without regard to the particular risks to which your organisation is exposed. As Schneier says, computer insecurity is a fact of life and must be accepted as such. The focus should be not only on the technology products available but also on the underlying security policies which an organisation adopts to identify the threats, assess the risks, determine the response, and initiate appropriate counter measures. Part of this process is to understand the legal risks if a security breach should occur and the measures you should be taking to limit the losses. You also need to understand the legal tools that are available to help you formulate a set of counter measures to respond aggressively to attacks on your system.
A company may be liable to a broad range of people in the event of a major breach of security or a resulting system shutdown. You may be exposed not only to the claims of those with whom you have contracts but also to others to whom you owe duties of care under statute or under the general law. You may also be exposed to claims from your shareholders.
For example, suppose you act as an application service provider and general outsourcer of the technology infrastructure that supports an e-procurement service run by an industry association for its members. If you have failed to take reasonable steps to secure and maintain the firewall, by, for example, forgetting to apply security patches whose availability has been well publicised, then you could be sued by the association members for negligence. The fact that you have no contract with those association members does not stop them from suing you.
You might also be liable to consumers for breaches of privacy laws if you have not taken reasonable steps to secure the personal information held about them. Under the Privacy Act, you are required to ensure that personal information is protected from loss, access or misuse by the adoption of such security safeguards as are reasonable to take in the circumstances. In this context it is worth noting the existence of information security standards developed by Standards New Zealand. These standards include recommended practices for information security management (AS/NZS 17799) and best practice processes for securing computer operations (NZS6656).
A significant and well publicised security breach could also result in legal proceedings being taken against you under the Fair Trading Act if you have made claims about the security of your systems on your web site that turn out to have been misleading or deceptive.
If you are a director of a publicly listed company whose share price heads south as a result of a series of hacking incidents, shareholders may start asking questions about the steps you have taken to ensure a reasonable level of security for your company's information systems. A director cannot be held personally liable for every security breach of a company's IT infrastructure. However, he or she is responsible for ensuring that systems are in place for the implementation and maintenance of security policies that accord with industry standards and the courts' notion of what constitutes a reasonable standard of care.
The key thing here is to ensure that you have a well thought out set of security policies, following a thorough audit of your system and the conduct of a structured risk assessment programme.
Audits allow you to identify critical vulnerabilities and the business operations that are at risk. They should also allow you to determine what is reasonably required to minimise legal risk. Audits will help to refine your security policies and to plan for anticipated incident responses.
The other half of the equation is monitoring for compliance. Your systems are constantly changing, so your security policies can become outdated quickly. It is also important to foster a culture of security consciousness amongst the people in your organisation to deal with the very real risks that arise where people and computers interact. Ongoing education courses should be undertaken to maintain internal staff security compliance.
The point here is that the risk management process you should be using to identify threats, to assess risks and to determine responses is the same process you should be using to better manage your legal risk. The only trick is to ensure that the scope of your e-security risk assessment is widened to include the legal consequences, as well as the immediate business and security consequences, of potential security breaches.
So far I have talked about the management of security risks and the management of the legal risks associated with IT security breaches. The focus has been on the existing legal landscape.
There are very few specific statutes on our books that deal explicitly or directly with issues concerning the protection of electronic information and the maintenance of information technology security. There are, however, some new developments in the pipeline.
The purpose of this Bill is to facilitate the use of electronic technology by removing legal impediments to the conduct of business electronically.
Today I want to touch on only one aspect of the Bill, namely electronic signatures. This is directly relevant to the issues of identity, authentication, integrity and non-repudiation that I talked about earlier.
Under the Bill the general rule is that a legal requirement for a signature will be met by means of an electronic signature if:
the electronic signature adequately indicates the signatory's approval of the information to which the signature relates; and
it is as reliable as is appropriate, given the purposes for which, and the circumstances in which, the signature is required.
There is also a requirement for consent from the person receiving the electronic signature.
What then is a "reliable" electronic signature? The Bill provides a set of criteria.
An electronic signature will be presumed to be reliable if:
the means of creating the electronic signature is linked to the signatory and to no other person (the identity and authorisation issue);
the means of creating the electronic signature was under the control of the signatory and of no other person (the non-repudiation issue);
any alteration to the electronic signature made after the time of signing is detectable (the integrity issue); and
any alteration to the information to which the signature relates is detectable (the integrity issue).
Although all of this is expressed in "technology neutral" language, it is tolerably clear that the Bill gives a strong endorsement to digital signatures and public key encryption as the legally favoured method of electronic signature in e-commerce.
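As an added illustration of how a public key digital signature meets the Bill's reliability criteria (this is example code written for this page, not part of the talk or of any legislation): the private key stays with the signatory alone, a signature made under another person's key does not verify, and any alteration to either the signed information or the signature itself is detected. It uses Go's standard library Ed25519 implementation; the purchase order text is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds a key pair. Only the holder of priv can create signatures
// that verify under pub, which is what ties the signature to the signatory
// (criteria 1 and 2 of the presumption of reliability).
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign produces a signature over the information being approved.
func (s *Signer) Sign(info []byte) []byte { return ed25519.Sign(s.priv, info) }

// Verify checks a signature against a claimed signatory's public key.
func Verify(pub ed25519.PublicKey, info, sig []byte) bool {
	return ed25519.Verify(pub, info, sig)
}

// CheckReliability exercises the criteria and returns, in order:
// genuine signature verifies; signature by a different key verifies;
// altered information verifies; altered signature verifies.
// For a reliable signature the expected results are true, false, false, false.
func CheckReliability(s, other *Signer, info []byte) (bool, bool, bool, bool) {
	sig := s.Sign(info)
	genuine := Verify(s.Pub, info, sig)
	wrongSigner := Verify(s.Pub, info, other.Sign(info)) // criterion 1

	alteredInfo := append([]byte{}, info...)
	alteredInfo[0] ^= 0x01 // flip a single bit of the signed text
	infoTampered := Verify(s.Pub, alteredInfo, sig) // criterion 4

	alteredSig := append([]byte{}, sig...)
	alteredSig[0] ^= 0x01 // flip a single bit of the signature
	sigTampered := Verify(s.Pub, info, alteredSig) // criterion 3

	return genuine, wrongSigner, infoTampered, sigTampered
}

func main() {
	s, _ := NewSigner()
	other, _ := NewSigner()
	info := []byte("Purchase order 42: 100 units at $12.00 (constructed sample)")
	fmt.Println(CheckReliability(s, other, info)) // true false false false
}
```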
However, in attempting to make the legislation "future proof" by using technology neutral language, the proposed law falls short of the degree of precision required to avoid the introduction of:
expert evidence on the reliability of the particular encryption algorithm; and
evidence of the way in which the private key was created and used.
In other jurisdictions similar provisions are supported by the existence of regulations which describe in detail what will be sufficient to satisfy the presumption of reliability.
The new law will, therefore, only go some way towards reducing compliance and transaction costs for business. Further legislative reform is likely to be called for.
I spoke at this conference last year when the Crimes Amendment Bill was in the queue for legislative enactment.
The Bill is still in the queue and the date of its passage is still not clear.
It is an important Bill because it introduces laws that will better facilitate the prosecution of people who engage in electronic commerce fraud, computer trespass and theft, or who write the tools that facilitate these crimes.
As Schneier says:
"We need to ensure that people put themselves at risk when committing crimes in cyberspace".
Under the Bill, the risks to which people may be exposed if they engage in illicit behaviour are significant, at least by reference to the possible sentences that can be handed out.
You face seven years imprisonment for accessing a computer dishonestly and either causing loss or obtaining any property, service or other valuable benefit.
Ten years is the maximum sentence for damaging or altering any computer system where the attacker knows or ought to know that the damage will endanger life.
If you mean to interfere with any data or software in any computer system without authority, or otherwise do something that you know will cause a computer system to fail or to deny service to authorised users, you can be put away for seven years.
There is also a potential two year prison sentence for anyone who:
distributes or has available for distribution, software that is held out as being useful for the commission of a crime, where that software can be used to access a computer system without authorisation;
possesses hacking related software with an intent to use it to commit a crime;
simply accesses a computer system to look around, knowing that he or she is unauthorised to do so, but intending to access the system all the same.
In addition to these new proposed crimes, existing crimes against personal privacy are to be updated and expanded to cover not only unauthorised interception of private telephone communications, but also unauthorised interception of other kinds of private communications such as those conducted by pagers, fax or email. The prison sentence here can be anything up to two years.
The Bill - once it eventually passes - is to be welcomed. However, in some respects, commentators have questioned whether parts of the cure provided by the new legislation are worse than the disease.
For example, it has been suggested that the Bill could operate to criminalise the use of "cookies". Under the Bill it will be an offence to add, or cause to be added, data to any computer system without authority. It is unclear whether consent to the placing of a cookie on a user's hard drive will be appropriately informed, even when the user has configured his or her browser to accept or reject cookies.
It has also been suggested that the new offence of distributing hacking software may result in the prosecution of those who merely point out, or warn against, the hacking potential of a product in its promotional literature. Some argue this amounts to an unacceptable form of censorship because it prevents a factual description of a product. There is a world of difference between telling the public that a product can be used for an illegal purpose and encouraging or inciting its use for an illegal purpose.
The Ministry of Justice has promised that this "glitch" in the Bill will be fixed. The whole process does not, however, engender great confidence, especially given early problems such as the omission of any sanction against denial of service attacks, which was only remedied once the Bill had passed through the select committee stage.
It would be expected that any tightening up of the law on computer crimes and interference with personal privacy would be accompanied by a beefing up of the "eavesdropping powers" of various agencies to maintain law and order and national security.
There has been much talk in the press about the scope of the exceptions available under the Crimes Amendment Bill to agencies such as the SIS and GCSB to monitor or hack into computer systems for national security purposes.
This raises a number of issues relating to civil rights and policy making that I will leave for discussion on another day.
Instead I will touch briefly upon a new piece of legislation that the government plans to introduce into Parliament when it reconvenes in the next couple of weeks.
The new Bill, called the Telecommunications (Interception Capability) Bill, is intended to place a legal obligation on network operators and ISPs to intercept or retrieve communications and to make that information available to the authorities under an interception warrant issued by the High Court.
Telecommunications operators are already under a duty to intercept call data for voice communications under a call data warrant. The new law will take this process further by extending the requirement to intercept other types of communication made through the internet, by email or by mobile voice.
The government is to make a provision in its budget to pay for the provision of interception capability for existing fixed and mobile voice networks. Cabinet papers indicate that the cost will be in the region of $12 million but it is not clear whether the industry considers that amount to be sufficient.
Currently, the costs of existing call data interceptions for voice communications are recovered from the authorities on a cost recovery basis. However, the Law Commission recommends that recompense can only be allowed under order from the District Court, and then only if the court decides that the cost of compliance would impose extraordinary financial hardship on the network operator or the ISP concerned.
The Law Commission also recommends that third parties be obliged to hand over encryption keys and/or assist the authorities to decrypt the communications that are the subject of the warrant. This rule will not apply to people being investigated by the Police.
This raises questions about the security of encryption keys once they are in the hands of the authorities. It could result in a loss of trust in the security of the processes currently used by businesses to secure their electronic communications.
My talk has only covered domestic laws. The internet is, of course, an international network and many of the issues I have touched on can only be properly managed by international co-operation and alignment of laws between the different nation states. Jim O'Neill takes up the story here by looking at developments that are occurring on the international scene.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.