Photo by Photo by Rene Sandajan

Cybercrime and Cybersecurity – The Legal and Regulatory Environment

What will we learn?

In this article we will look at the environment in which eForensics exists; the legal and regulatory regimes in which systems and cyber criminals operate. We perform forensic analysis on systems to investigate a crime and hopefully prosecute a criminal; but to do that we need to understand which laws and regulations have been broken. There are pitfalls in working out what laws and regulations are in operation for a particular context; as what is illegal in one regime may not be in another, and is it the law in the location of the system or the criminal that applies? The information here forms the underlying legal knowledge in the CISSP certification and underpins the International Information Systems Security Certification Consortium (ISC)2 body of knowledge.

Introduction

eForensic analysis becomes essential and necessary in a society where the Internet assumes the biggest and on-going change in our lifetime. It will take place as a result of a crime or investigation. However, what is relevant and worth searching for, or even what can be legally analyzed, depends on the legal systems and regulations, the criminal and, maybe, even customers or users affected

The laws broken may be existing laws pertaining to theft or threats of violence where the computer systems are central, or the computer system may be on the periphery of the crime, or it may be specific information systems or computer privacy laws and regulations that are relevant; possibly even a combination of all of them. These laws and regulations may conflict, and what is illegal in one country or region may not be illegal in another.

As a cyber security expert we need to understand what we are aiming to prove and what data we can legally investigate before we begin our work.

In addition to existing laws within the legal systems at work, specific cyber laws were created to protect individuals, companies and governments against cyber crime; which can be divided in three categories:

• Computer-assisted crime is where a computer is used as a tool to assist on committing a crime,

---

• Computer-targeted crime happens when a computer was the main target and victim of an attack,

---

• The last category includes situations where the computer happens to be involved in a crime; but is not the attacker or attackee; and is peripheral to the crime itself.

---

These categories were created to facilitate the law enforcement of cyber crimes. Laws can be general and include numerous scenarios, instead of the need to create specific laws for each individual case.

The idea is to use the existing laws for any crime where possible, allowing an easier understanding of the basis for prosecution for all people involved, including the judge and jury, who can then provide the verdict and sentence based on existing guidelines and standards.

The downside of introducing specific cyber laws is that, for example, when companies are attacked they just want to ensure that the vulnerability exposed is fixed and avoid any embarrassment that would adversely affect the company reputation. Even when information as to an attack leaks out companies do not seem interested on spending time and money in courts; preferring to minimize the time of embarrassment. This is the main reason as of why cyber criminals are unpunished and easily get away with such illegal actions. Not many companies wish to be known as victim of a cyber attack since that can adversely influence customer confidence and scare away investors

Legal Systems

There are essentially four different models of legal systems; civil law, common law, religious law, and customary law.

Civil law

In civil law, employed by most countries, a legislative branch of the government develops and documents statutes and laws, and then a judiciary has some latitude for interpreting them. The legislation is prescriptive so legal precedence, whilst existing, has little force. In some such systems, such as that derived from Roman law or the later ‘Napoleonic code’, the judge assesses the proof as a measure of guilt of the criminal.

Common law

This system, used in the UK, US, Canada, Australia and other former British colonies amongst others, is often derived from the English legal system. A legislative branch of government still produces statues and laws, but great emphasis is placed on judicial interpretation, precedent and existing case law; which can even override and supersede the legislation and statute if a conflict is found to occur. Thus, time is important in this system as judicial interpretation may develop and traditional interpretation of custom and “natural” law acts as a basis for the system. The judiciary and its interpretation of the legislation and precedent in existing case law has a greater role in this system than in the civil law system. In the English legal system and its derivatives the role of the jury to interpret the evidence in assessing the burden of proof is common.

Religious law

In religious law, such as Sharia Law adopted by several Islamic countries and groups, religious texts and doctrine provide the basis for the legal system, rather than separate statute and legislation. Here the given target religion is accepted by the majority of the people or their rulers; such that they essentially become laws to which the people abide. The laws enforced may be interpreted from the appropriate religious texts by religious leaders; such as imams or ayatollahs.

Customary law

In this existing regional customs accepted by the majority of the people over a period of time provide the basis for the legal system to the extent that they essentially become laws to which the people abide. These customs may later be codified to some extent. This model is seen in the other legal models in “duty of care” and “best practice” interpretation as what would be expected of a “reasonable man” as a measure; such as in the tort law of the civil law branch of common law.

Types of Laws

Within common law itself, civil law plays a part, alongside criminal law, tort law and administrative law. As groups of countries collaborate, such as in the European Union (EU), the combinations become more complex, but the types of law are common at the core due to the prevalence of the English legal system and its derivatives in the UK, US, Australia, etc.

Criminal law

In criminal law the aim is law and order of the common citizen and deterrence of criminals when punishing offenders; so the victim of the crime is considered society itself from the view of prosecution, even though the actual victim may be a person or persons. Hence, the existence of the Crown Prosecution Service (CPS) in the UK for pursuing the criminal through the courts under criminal law with an aim to remove the offender from affecting society. The criminal is incarcerated or even deprived of his or her life under some circumstances so there is an emphasis on burden of proof being “beyond reasonable doubt”.

Civil law

Here the individual has been wronged and seeks legal recourse in terms of damages from a civil defendant, rather than loss of liberty, with the evidence essentially reduced from “beyond all reasonable doubt” to a likelihood known as a “preponderance”, i.e. more likely than not.  The damages for the wrongdoing may be statutory as prescribed by law, compensatory to attempt to balance loss or injury, or punitive to discourage and deter from future legal violation.

Tort law

This is a branch of civil law related to wrongdoing against an individual measured against “best practice” or “duty of care”, where the action taken or negligence of responsibility of an individual or organization is considered to be outside the bounds expected of behavior of a “reasonable, right thinking, or prudent man”; and in this relates back to custom, and often may change over time. Here again, the burden of proof is on preponderance of the evidence weighing against the defendant. This is the largest source of lawsuits and damages under major legal systems.

This is particularly important in the realms of cyber security laws. In protecting customer data the “Prudent Man Rule” is applied to set the bar for duty of care in what processes, infrastructure and practices a right thinking person would consider necessary as a minimum. If a business is seen to be below that bar of expectation then the organization and business stakeholders are considered negligent in providing the necessary due care to protect its customers, assets and business stakeholders.

A company has to exercise due diligence continuously in reviewing its own and third party partners and processes to ensure that the necessary standard of due care is being met. As the technologies and threats in the industries adapt all of the time, due diligence ensures the minimum bar changes accordingly. Whenever a new third party is brought into a company processes the necessary due diligence in assessing that party for past criminal history, threats and their own due care protection standards and due diligence processes must be performed.

Contract Law

Agreements between companies and individuals can be broken, whether verbal or documented in writing, and damages for wrongdoing can occur. This is again a type of civil law.

Administrative and Regulatory law

This covers governance, compliance and regulatory laws relating to government and government agencies. Governments enact these laws with less influence from the judiciary. Compliance laws, such as Sarbannes-Oxley, come under this branch of the legal system.

Intellectual Property Laws

One of the targets in many cyber crimes is stealing intellectual property, so companies go to great technical lengths and legal lengths to protect it. Whilst intellectual property isn’t physical in nature, companies require creativity and then investment to capitalize on it. It takes a number of forms from trademark, copyright, licenses, patents and even simple trade secrets that a company entrusts to its staff.

A trademark is a name, image or logo for a brand that is used in marketing and is associated with a brand by its customers and competitors; and it may be formally registered or unregistered. Whilst stealing the logo itself is not usually a major criminal target, in phishing attacks a log may be used to misrepresent the cyber criminals web site as that of the company owning the brand.

Copyright is the right of an owner of a musical, artistic or literary work to own, duplicate, distribute and amend that work themselves. Often cyber criminals will duplicate a copyrighted work and sell it or provide it for download as their own property.

A patent is a legal agreement protecting the use of an idea or invention such that the patent holder has exclusive rights on the use and licensing of that idea for a period of time covered by the patent. Some rogue nations and cyber criminals will ignore the patent and use the invention or idea as their own, and legal recourse is then required by the patent holder to obtain compensation.

A license is a contract between a vendor and consumer or business to use software within the bounds of an “end user license agreement”, and not duplicate, modify, redistribute or sell on that software.

A trade secret is proprietary information belonging to a business in a competitive market that its staff and third parties should not divulge, and is often subject to a non-disclosure agreement (NDA) that is a contract between the business and a third party or employee to not divulge that secret. The business must exercise due care to protect that trade secret.

Data Privacy Laws

With the rise in cyber crime and stealing of customer data being a regular objective of the cyber criminal, most countries and states introduced their own data protection laws. These cover the processes and expected standard behavior for protecting data, but often also include clauses as to where that data can be located and what countries and under what circumstances it can be shared.

In the US the Privacy Act of 1974 protects the data held by the US government on its citizens, and how it is collected, transferred between departments, and used; with individuals having legal recourse on being able to request access to the data held about them, with national security providing the main limitation to that access. Similarly, in the European Union the EU Data Protection Directive sets the boundaries on the collection and flow of personal data between member nations; with a fine line between the needs of commerce between different member nations and the privacy of the individual. The EU principles are considered more stringent than those of the US, so the EU-US Safe Harbor legal framework allows that EU data to be shared with US organizations if they adhere to the more stringent EU Data Protection Directive principles.

The EU Data Protection Directive principles are:

• Individuals must be notified how their personal data is collected and used

---

• Individuals must be able to opt out of sharing their data with third parties

---

• Individual must opt in to shared sensitive personal data

---

• Reasonable protections must be in place to protect the personal data

---

This latter rule brings in the duty of care legal measure.

The United States Code Section 1030 Title 18, usually known as the Computer Fraud and Abuse Act defines the environment in which systems are considered to have been attacked in government and commercial organizations and the recourse against the criminal. This was amended by the Patriot Act 2001 as a response to the September 11th attacks to allow easier implementation of wiretaps by law enforcement agencies and easier sharing of data between those agencies, along with more stringent punishment for damaging a protected system from the original act or dealing with individuals on the sanctions list. The Identity Theft Act further amends the original act to provide additional protection for the individual.

Standards

International bodies, industries, and some groups of companies may produce their own standards to which individuals and companies may comply, and claiming such compliance is a requirement for taking part in that industry from a financial or regulatory perspective, or may be required as part of a contract. So, companies supporting the payments with debit and credit cards usually have to adhere to the PCI-DSS standards mandated by the card industry vendors, or health service vendors in the US must deliver to HIPAA data security standards for patient data as mandated by US administrative law.

In the early days of networked IT (1995) the British Standards Institute started to develop BS7799 that outlines how an information security management system should be designed, built and maintained; with guidelines on what is necessary in the forms of policies and processes; along with the technologies necessary to holistically protect sensitive information from the physical, to the network, to the electronic. From this the ISO/IEC 27000 standards were developed; using an iterative process where objectives and plans are formed (Plan), then implemented (Do), the results measured to see if the objectives were met (Check), and then amendments made as necessary (Act) – the whole iterative process is known as the PDCA cycle.

ISO27000

The ISO (International Organization for Standardization) and International Electrotechnical Commission (IEC) standards bodies jointly issue the ISO27000 Information Technology – Security Techniques family of standards for information security management best practice for risks and controls; which was, as mentioned, derived from the earlier BS7799 British Standard and the later ISO/IEC 17799 standard. These bodies have a committee called Joint Technical Committee 1 (JTC 1) Subcommittee 27 SC27 that meets twice a year to consider and ratify the standards and amendments to provide the “information security management system” (ISMS), with the 27000 base standard providing an overview of the complete family of policy-oriented standards and the vocabulary used throughout. The individual standards are as follows:

These aren’t laws, but many contracts will insist that participants adhere to the complete body of the standard, or its individual components. Adherence to the standard or its components can also be used as a quality measure, and can act as a selling point; and in negotiations this can be important. Therefore, this standard can appear in the enacting of contract law.

The individual components cover investigation and forensic analysis, as well as relationships with third parties. However, one of the key areas where the standard impacts the legal environment for cyber security is in the influence it has had on other standards and regulations that can be enforced as the cost of doing business in some industries, e.g. PCI-DSS in companies involved in credit card sales.  When evaluating compliance or where criminal responsibility is being assessed ISO/IEC27000 provides a basis by which what is expected of the “reasonable man” can be measured from a legal perspective.

Information Technology Infrastructure Library (ITIL)

ITIL, like the foundations of ISO/IEC27000 was developed by the UK government, with an aim of standardizing and documenting service management and aligning IT with the business with a common language. IT should provide good customer service to the business it serves. Whilst not providing a security framework it does cover support, change and maintenance processes and all of the foundations for business continuity and disaster recovery management with great strength in incident management.

It covers supplier management, service level management, service catalog management, availability management, incident management, event management, problem management, change management, knowledge management, release and deployment management, service testing and validation, and the requirements of a configuration management system.  It has processes for service design, service operation and service transition. Across all of this is continual process improvement as a result of service reporting and service measurement. At the core of ITIL is the concept of IT as a service.

Again, ITIL is referenced in contracts and often used as a selling point, but in the legal world outside of contracts is more useful as a measure of the expectations for the “reasonable man”.

Control Objectives for Information and Related Technologies (COBIT)

This was produced by the Information Systems Audit and Control Association in 1996 as a general framework of processes, policies, and governance for the management of IT as a whole, not just security; and the current version aligns with ITIL and ISO27000 standards to provide a full framework and model for IT as the basis of a capability maturity model.

It splits IT into domains; Plan and Organize, Acquire and Implement; Deliver and Support; and Monitor and Evaluate; and across these includes a framework, process descriptions, control objectives, management guidelines, and maturity models.

Whilst ISO27000 provides high level guidelines and processes, the COBIT model contains specific details, such as for user access management and compliance, and how to work with third parties; with a lot of helpful security details particularly in the Plan and Organize, and Acquire and Implement domains; with the processes heavily emphasized in the other two domains.

Again, as in ISO/IEC27000, COBIT is often referenced as a selling point or in contracts, but also provides specific processes that tie up with the “reasonable man” assessment from a legal perspective.

Payment Card Industry Data Security Standard (PCI-DSS)

The major card companies (e.g. Visa, MasterCard, American Express, JCB, etc) got together in 2006 to come up with a set of standards for data security that could be measured and enforced for companies wishing to participate in payment card processing. Annually a Qualified Security Assessor (QSA) creates a report on compliance to the standards that are split into 12 requirements in 6 groups.

The aim of the PCI-DSS standards is to ensure consistency across the card payments industry in the way that customer details and the necessary card data useful for making payments is protected and handled. It covers requirements for technology, processes and the relationships with the business and the staff involved. From a customer perspective this acts to protect customers in that companies adhering to the PCI standards can be trusted to look after the data and later fraud would be unexpected. Reviews of continued compliance is required by any company adopting PCI; with the QSA making an assessment and recommendations for any areas of improvement required.

So, adherence to PCI is usually contractual, which is how it relates to the law; yet again anyone dealing with payment card data would be expected to follow the recommendations within the standard and, thus, fits with the “reasonable man” assessment within legal frameworks. Whilst US federal law doesn’t mandate companies adhere to PCI-DSS if dealing with card data, the laws in some states within the US and elsewhere do refer to it so it is likely to become the law in the future. MasterCard and Visa require service providers and merchants to be validated for PCI-DSS compliance, and banks must be audited, whereas validation isn’t mandatory for all entities.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA act is a US federal law that covers many areas, but part of it also includes standards for data privacy that overlap with the data privacy laws in some countries and also tie back to the “reasonable man” rule in the gray area between law and standard. Therefore, many information security certifications (CISSP), and standards reference the act and its standards worldwide.

The objective of the HIPAA regulatory framework was to provide a secure way for the health insurance of US citizens to be shared between providers when changing or losing jobs, ensuring the citizens not only had any confidential personal information or medical condition information protected physically, but also that the policies were in place to ensure their health insurance benefit position was maintained.

The act is in two parts. The first part (Health Care Access, Portability, and Renewability) covers the policies for which US citizens maintain their health insurance across providers, what their entitlement is when switching providers; and as such isn’t applicable to the information security realm at the detail level. The second part (Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform) and its details on data privacy is more relevant to information security professionals, and it is here than granular standards exist and there is an overlap with data privacy laws elsewhere. The Privacy Rule and Security Rule subsections are key here, and the latter includes the standards. The Security Rule is split into Administrative Safeguards, Physical Safeguards and Technical Safeguards and includes standards for encryption, checksums, etc as well as risk management and risk assessment processes. In interpretation of adherence to these process standards the “reasonable man” rule is again brought into use from a legal perspective as the prescriptiveness of the standards is open to interpretation and applicability at many levels.

National Institute of Standards and Technology (NIST)

This is not like the other paragraphs here in that it refers to a standards issuing body as a whole, like the ISO/IEC or BSI bodies referenced earlier; but is mentioned due to its issuing of very detailed build, hardening, and usage standards for IT and security that are often referenced by other standards (e.g. it is often used as best practice build and configuration standards for PCI-DSS compliance) and again act as a yardstick for the “reasonable man” rule in assessing whether a reasonable attempt was made to secure data.

The NIST maintains an Information Technology Portal with a standard Cybersecurity Framework, Computer Security Resource Centre, and other documentation and groups:

http://www.nist.gov/

The US government maintains a standard configuration document for Windows 7 and Red Hat Enterprise Linux 5 on this site that shows how builds should be done. Of more interest beyond the “reasonable man” debate are the standards and guidelines for eForensic analysis.

The Part of the Computer System

The computer may be a key part of the criminal or civil act, as in the breaking of cyber laws; or may be a peripheral part of the crime itself, as in electronic fraud; or may just be a part of the evidence gathering to build a picture of the crime or criminal. The legal systems and industry standards have specific definitions for the role of the computer system in these contexts.

Where the computer plays a role as a tool of the criminal, but the crime is general even though the computer is central to the commission of the crime, this is known as a “computer as tool” scenario. Stealing credit card information to commit fraud or penetrating a system to steal company intellectual property secrets would be examples of this scenario.

Where the crime has the computer as the primary target or “victim” of the crime, particularly where information or cyber security laws are broken, are “computer system as target” scenarios. Hacking to install malware, deployment of computer viruses, and distributed denial of service attacks would fall into examples of this scenario.

Types of Cyber Crime

A crime being forensically investigated may be an existing law resulting from theft or a violent act, so fraud using a computer is still fraud and a threat of violence online is still a threat of violence, and a computer could be used in hacking to bring about violence or death.

It may also be investigation is required for a specific cyber crime that has been broken pertaining only to the use of a computer, such as hacking or denial of service for “fun” or political motivation.

Finally regulations may be broken using a computer that can be considered legal and contractual; so a system built to Payment Card Industry-Data Security Standards compliance may be a key term in a contract so non-compliance to the regulations leads to a contractual violation.

How do we apply this knowledge?

To perform forensic analysis we obviously first have to protect the evidence, but what evidence we are allowed to access and what is useful requires first understanding which laws are believed to have been broken, the role of the computer, and what laws are in place for the analyst doing the work. It isn’t necessarily legal to perform forensic analysis and access personal data for a potential criminal without breaking a privacy law.

The most difficult tasks are when the criminal is in one country or state, the target system is in another, the victim in yet another, and multiple countries have been traversed. Even within a single country like Australia or the United States different laws can apply state to state. The complexity is why so many computer related crimes remain unprosecuted, along with the shame for a company in having been breached. The key to applying the legal knowledge before doing what is needed to achieve a prosecution is identifying what is common between the states and countries involved, and new international frameworks of cooperation are being drawn up to assist in this.

International Legal Cooperation in Cyber Security

The increase in cyber crime and the need for coordinated anti-terrorist cooperation across state and international boundaries has led to frameworks being drawn up, such as the Safe Harbor cooperation between the EU and US. More international work between governments is currently underway to make this easier, not initially due to basic cybercrime, but the need to combat terrorism and terrorist funding. The trick is to identify a common subset on protection against fraud and personal data and work out from that to identify the maximum commonality between all legal state or national entities, and then aim to prosecute in the area where the criminal is most likely to be sentenced; remembering that avoiding breaking the law during the analysis in any of the state or nations during the forensic investigation is a necessity.

Post-graduate degrees specifically covering international cyber crime and security are beginning to spring up; such as that being studied by the authors. Personal experience has shown that the specific state knowledge of experienced lawyers can come to nothing in this internationally complex area, so specializations in this niche area are likely to grow in importance.

The International, Federal and State Interpretation – Which Laws Apply?

In determining which laws apply to a particular scenario there are four separate considerations that may include different states, countries, and even international groups, such as the EU. When a possible crime occurs involving a computer and data in the modern world, to work out which laws apply, we must consider the location of the cyber criminal, the location of the system being attacked, the location of any victims, and the locations over which the data forming the “attack” occurs.

Crime Applicability and Investigation – An Example

Consider a mobile phone payments application for purchasing foreign currency for international travellers. The user is from the UK, lands in Singapore, but uses a cellphone tower in Malaysia to enact transactions hosted on a system in Australia. Which laws apply? In this example, certain compliance restrictions on checking transactions in Malaysia and Singapore may mean that the application should use geolocation and cell tower identification to shut down to avoid an impossible legal situation. In forensic analysis after the fact where access to personal data might be restricted where the analysis is performed, this gets even more complex.

So, if a crime has been deemed to have occurred consider the issue of identifying which country the crime has been committed in. Then assess which Police or agencies will prosecute. However, taking the example of the different privacy acts enforced under the EU, US, Australian, New Zealand, laws etc, and even sharing the evidence with the Police forces can be an issue, because that the personal data of the individual can only be seen by authorised agents of their own country. Often its best to segregate the data and even store it in location in the given country (such as required for many China financial systems) to avoid the complexities and gives the best chance for prosecution of the criminal.

What have we learned?

We have looked at the basic types of legal system and how they differ in different countries, and the different types of laws and regulations that can be broken with different results for the defendant or perpetrator. We have then applied this to examples using computers to see how complex the environment is under which cyber security experts must operate to investigate a crime and see what laws and regulations apply.

About the Author

Colin Renouf is a long standing IT worker, inventor, and author; currently an Enterprise Solution Architect in the finance industry, but having worked in multiple roles and industries over the period of decades. An eternal student, Colin has studied varied subjects in addition to IT. Having written and contributed to several books and articles on subjects ranging from IT architecture, Java, dyslexia, cancer, and security; he is even referenced on one of the most fundamental patents in technology and has been involved in the search for the missing MH370 aircraft. Colin has two incredibly smart and intelligent children; Michael and Olivia; who he loves very much. He would like to thank his co-author and best friend Iana; her lovely sister Taina, brother Tiago, mother Marciaa, and father Jose. What more is there to say, but thank you Red Bull!