
The Law of Information Assurance

Douglas J. Sylvester
ASU College of Law
Faculty Fellow, Center for the Study of Law, Science, and Technology


Definitions

• Cybersecurity Law (often termed "Information Assurance" or "Information Security") is concerned with the legal and extra-legal issues surrounding the security and integrity of digital information and systems.
• Pre-9/11, Cybersecurity Law was generally concerned with the ability of IT companies and government to prevent economically motivated malicious acts (hacking, spam, DoS attacks, etc.).
• Post-9/11, Cybersecurity Law is increasingly concerned with the prevention of criminal acts, both domestic and international, that affect "critical infrastructures": cyberterrorism.
• Not just "information assurance":
  – Privacy, Anti-terrorism, Corporate Accountability, Government Restrictions, Anti-Surveillance, Property Protections


Government Records and Security

• Numerous laws pertain to government (mainly federal) policies for record retention and data security:
  – Electronic Records Management and Federal Records Act
    » Expanding scope of "records" to include electronic media
  – Federal Managers Financial Integrity Act of 1982
    » Develop security policies and consistent accounting
  – Federal Property and Administration Service Act
  – National Archives and Records Act
  – Freedom of Information Act and Electronic Freedom of Information Act
  – E-Government Act of 2002
• Privacy Provisions: CIPSEA
  – Requires federal agencies to protect the confidentiality of all data "gathered under a pledge of confidentiality"
  – Data may only be used for "statistical purposes"
• Security Provisions: Title III, Federal Information Security Management Act (FISMA)
  – Accreditation and compliance through NIST processes
    » Requires non-"security"-related systems to be secure; promulgation of agency security policies
    » OMB governance
    » 4 steps: initiation, certification, accreditation, continuous monitoring


Information Access

• Numerous federal laws require that information be made available to the public
  – FOIA; E-FOIA (1996)
  – APA
• Other laws require that information be kept secure
  – HIPAA
  – GLB
• Security and Information Assurance?
  – Most laws do not have individual requirements
    » HIPAA; GLB
• Federal "system" must be secured
  – Integrated networks
    » Dangers of hacks and vulnerabilities?


Freedom of Information Act

• Requires disclosure of any available data unless
  – Relevant to national security
  – Personal privacy
• Original intent: to disclose to individuals the information the government has collected on them
  – More corporations request than individuals
• 1996: passage of E-FOIA
  – All government agencies must make "reading room" documents electronically available
• Tracking + Integrity
  – Assessments


Secure Government Computer Use

• National Communications System (NCS)
  – Established in 1963 after the Cuban Missile Crisis
    » Links together and evolves the communication facilities of federal agencies
    » Updated by executive orders over time
  – Tasked with developing a national telecommunications infrastructure responsive to national security and emergency needs
• Committee of Principals: agencies that own or lease telecommunication assets that are part of the NCS
  – Secretary of DHS is in charge


Securing Computers for National Security

• National Security Directive 42 (NSD-42), 1990
  – Securing computers used for national security
  – Created the Committee on National Security Systems (CNSS), an inter-agency group
    » Creates security course requirements, among many other things
  – Secretary of Defense in charge of strategy, vision, etc.
  – NSA Director to take care of the technical details
• Clinger-Cohen Act (1996), or Information Technology Management Reform Act (ITMRA)
  – Government must shop and compare when buying technology
• Many of these functions are now under DHS


Cryptography

• Pre-1996 view
  – Encryption technology = munitions
    » Dual-use standards
    » Bureau of Industry and Security (BIS)
  – Export Administration Regulations
    » Forbade export of encryption technologies (export = transmission)
    » In some cases criminalized creation
    » "Prior restraint" cases
• In 1996 the US government offered to reduce export restrictions for escrow encryption
  – Licenses granted upon review (30-day for <64 bit)
• 2002-04
  – New regulations governing encryption technologies
  – BIS review of >64 bit encryption (cursory)
• Relatively "free" export today
  – BUT: Department of Homeland Security
    » Guidelines on "dual use" materials


FISMA

• Following 9/11: federal government gets "serious" about information security
  – Passage of E-Government Act of 2002
    » Federal Information Security Management Act (FISMA)
  – Numerous National Security Directives
• Explicitly adopts:
  – "Risk-based policy for cost-effective security"
• Requires all federal agencies to:
  – Develop a plan for security
  – Ensure that appropriate officials are assigned security responsibility
  – Periodically review the security controls in their information systems; and
  – Authorize system processing prior to operations and, periodically, thereafter
• E-FOIA Act of 1996
  – Requires tracking and integrity of data


FISMA: Implementation

• National Institute of Standards and Technology
  – Computer Security Division
    » Non-legal institution that provides guidance
  – Standards
    » Impacts
    » Minimum security
    » Assessments
    » Effectiveness
    » Certifying and accrediting: guidance for certifying and accrediting information systems
  – Cost-effective systems
    » Due diligence for all federal contracts
• Does NIST have legal authority?
  – Does it matter?


NIST

• Minimum standards
  – Periodic assessments of risk, focused on "harms"
  – Cost-effectively reduce information security risks to an acceptable level
  – Plans for networks, facilities, information systems, or groups of information systems, as appropriate
  – Security awareness training
  – Periodic testing and evaluation
  – Procedures for detecting, reporting, and responding to security incidents; and
  – Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization


From Government to the Public

• These same standards will become (or are) public standards
  – Statutory minimum standards
    » Health information and financial information
  – Common law
    » More important
  – "Industry standards" + reasonableness


HIPAA

• Health Insurance Portability and Accountability Act
  – Included in the massive act and its accompanying explanatory regulations (2002) are numerous privacy provisions
  – Imposes liability on covered entities for failing to protect the privacy of patient and insured records
  – Sets forth minimum standards for securing:
    » Authentication standards
    » Disclosure
    » Training
    » Access
    » Review
  – Does not provide specific technical standards
    » Legislates security through liability


GRAMM-LEACH-BLILEY

• Gramm-Leach-Bliley Act
  – Covers "financial institutions", broadly construed
  – Imposes privacy obligations
  – Does not set forth minimum standards for security
    » Many point to HIPAA's regulations and requirements as fostering "best practices" that can be borrowed in GLB analysis


Cyberterrorism And Compliance


National Strategy to Secure Cyberspace

• Final version released Feb. 18, 2003
  – Sets forth federal gov't plans
    » Creates no new regulations
    » Sets forth no rigid guidelines
    » Phrased merely in "suggestive" terms
  – So why worry about it?
    » Creation of "best practices"
    » Common-law civil liability
    » Increased government involvement (increased prosecution?)


"Suggested" Duties

• Provides support for the view that companies have a responsibility to third parties to ensure appropriate security
• "Each …organization has a responsibility to secure its own portion of cyberspace…each sector must be aware of its roles and responsibilities…"
• Organizations have internal responsibility and accountability for information security: BOD and CEO responsibility
• Recommends that boards form IT-security committees
  – CIO
• Mirrors GLB requirements, suggesting broader application
  – Following Sarbanes-Oxley, corporate accountability will only increase


Securing Cyberspace Cont.

• "Suggested" minimum best practices
  – Security as a continuous process
    » Unacceptable for companies to "wait and see"
    » Various consent decrees have made clear the FTC's and other agencies' view that companies must be PRO-ACTIVE: CISS-approved security audits and follow-ups
  – Monitoring, review and disclosure
    » Recommends that CEOs be responsible for their companies' continued monitoring and auditing of security practices
    » Suggests that companies disclose the names of security auditors and internal security governance
  – Education
    » Imposes on industry the responsibility to ensure that employees are trained in cybersecurity issues


Homeland Security

• Enacted (and funded!) in Nov. 2002
• Various provisions affect cybersecurity issues
  – Undersecretary for Information Analysis and Infrastructure Protection
    » Responsible for implementing the Securing Cyberspace initiatives (teeth may be coming after all)
  – Continued emphasis on cooperation of the IT industry with government in surveillance
    » Potential civil and criminal liability for failing to cooperate
  – Amendment of federal privacy regulations forbidding the linking of government information with private information
    » May require increasingly burdensome information disclosures to government databases


Areas of Potential Liability

• Failure to report & cooperate
  – California "Hacker Disclosure Law" (2003)
    » Anyone suffering "attacks" must disclose
    » Anyone suffering "hacks" must notify
    » Whispers of possible enforcement
• Failure to ensure security
  – Creation of "best practices" and civil liability
    » HIPAA
    » Securing Cyberspace
• Privacy guidelines
  – Reconciling with the other requirements!


Examples of a Failure of Due Care

• Failure to Implement Known Software Patches

• Failure to Install Latest Updates

• Failure to Close Known Backdoors

• Failure to Detect the Dry Run

• Failure to Control Active Content

• Failure to Employ Good Anti-Human-Engineering (Anti-Social-Engineering) Techniques

• Failing to Disclose Information Sharing Practices


Current Grace Period

• Few if any lawsuits
  – Many filed, not much recovery
• Little court- or government-mandated compliance
  – Consent decrees have no teeth
• An opportunity to get ahead
  – Lower risk profile
  – Develop favored status
• Don't get complacent!
  – Things are changing
  – Attacks are on the rise
  – Government is watching
  – Media is watching


Reading Material

• Congressional Research Service Reports on Secrecy and Information Policy
  – http://www.fas.org/sgp/crs/secrecy/index.html
• Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives
  – http://www.fas.org/irp/crs/RL32357.pdf
• The Internet and the USA Patriot Act: Potential Implications for Electronic Privacy, Security, Commerce, and Government
  – http://www.epic.org/privacy/terrorism/usapatriot/RL31289.pdf
• Secrets of Computer Espionage: Tactics and Countermeasures, Joel McNamara, Chapter 2.
• Security in Computing, Charles Pfleeger and Shari Lawrence Pfleeger, Chapter 9.
• Homepage: National Institute of Standards and Technology, Computer Security Division: http://csrc.nist.gov/index.html
