Chapter 1
Introduction to Cybersecurity Law
A sense of excitement and anxiety rush over you simultaneously upon receiving an invitation to present your cybersecurity program to senior executives of your company. At last, you have achieved recognition for creating a cybersecurity program that meticulously follows industry standards! Your proposal has passed several independent assessments and even garnered approving nods from internal audit. Filled with confidence and thinking your life as a leader and manager in cybersecurity couldn't be better, you embark enthusiastically on your carefully prepared presentation. Then, shortly after your opening remarks, your organization's chief legal counsel chimes in, "Have you ensured our cybersecurity program complies with and supports all the legal statutes we must adhere to?" Your answer to this question will get the immediate attention of the senior leadership of your company, and will imprint the question of your subject-matter competency on their minds. As the champion of your organization's cybersecurity program, your challenge is to answer this question skillfully in order to earn the confidence and respect of those with the authority to support and fund your cybersecurity initiatives.
This chapter will help you to:
• Communicate effectively with your company's legal counsel by having a working knowledge of how the US legal system applies to cybersecurity.
• Seek out and implement ways to improve your company's cybersecurity program to avoid post-cyberattack lawsuits.
• Upgrade your cybersecurity policies to comply with state, federal, and regulatory statutes.
1.1 Infamous Cybercrimes
You may have seen many headlines, articles, or lists showcasing computer hacking and other cybercrime events; however, few focus on the cybercriminals who have been charged, prosecuted, and convicted for their cyber offenses. Before we begin our cybersecurity law journey, I think it only appropriate to offer some examples of what happened when the crime was over and the offenders were punished.
Significant cybercrime court cases of the past five years include:
• October 18, 2012 — Top executives of Kolon Industries were indicted for stealing DuPont's Kevlar trade secrets, using computers to copy the intellectual property and then to destroy the data. Kolon pleaded guilty and paid $360 million in restitution, and several executives were sentenced to prison terms (E.I. DuPont de Nemours, 2011).
• July 26, 2013 — Five Russian and Ukrainian hackers were charged in a $300 million crime arising from the theft and use of 160 million credit card numbers from Carrefour SA, JCPenney, JetBlue Airways, Visa, and others (Williams, 2015).
• August 27, 2014 — The former acting director of cybersecurity at the US Department of Health and Human Services (HHS) was convicted on child pornography charges. He was ultimately sentenced to 25 years (Robinson, 2014).
• December 17, 2015 — Six defendants from China, Germany, Singapore, and the US pleaded guilty to a $100 million software piracy scheme. Over a period of six years, 170,000 stolen Microsoft and Adobe activation keys were sold illegally (US Department of Justice, 2015).
• September 1, 2016 — A Romanian hacker known as "Guccifer" received a 52-month prison sentence for 100 counts of unauthorized access to a protected computer and aggravated identity theft (US Department of Justice, 2016).
TIP: Compare the examples above with the security technologies and practices you currently have in place, and ask yourself whether your methods would have detected trade secret theft, hacker intrusions, a senior executive violating a security policy, use of pirated software, or employee identity theft.
1.2 Civil vs. Criminal Cybersecurity Offenses
As the manager of cybersecurity, you may need to deal with both civil and criminal cases.
• Criminal cases will result from either an insider committing a cyber offense or an external party hacking into your computer systems.
• Civil cases will arise from your organization suing a company, or from a company suing you, for some harm caused by a cyberattack.
Your cybersecurity program will need to address both scenarios. You must also be ready to be either the plaintiff or the defendant.
• In a civil case, as the plaintiff, you would be claiming that some entity has failed to fulfill a legal duty. For example, you would be the plaintiff if your company is bringing suit against a cloud service provider that exposed your customers' data due to an incorrectly configured firewall.
• As a defendant, an entity would be accusing your organization of the same. In criminal cases, the government or a private entity will bring the case against you (the defendant), and your role will be to gather evidence to disprove the alleged offense. For example, you will be the defendant if a class action lawsuit is brought against your company following a hacking incident in which customer data was stolen.
By now, you should be contemplating how to ensure your cybersecurity program supports these legal scenarios. The determination of whether it is a civil or criminal matter begins with the establishment of the crime.
1.2.1 Clarifying the Definition of Cybercrime
No universal definition of cybercrime exists; however, a general consensus exists that cybercrime falls into two categories. The first category is current crimes that are now committed using computers and networks. The second includes crimes that have specifically evolved in the computer age and use sophisticated methods to commit crime. Definitions of cybercrime have fundamental similarities in a broad sense; however, a diverse array of opinions nonetheless exists.
• Not surprisingly, many courts also have varying interpretations of cybercrime, including how to spell the term, which is variously rendered as cyber crime, cyber-crime, or cybercrime.
• Contributing to the disparity of definitions is the changing landscape of technology. Cloud computing, software-defined infrastructure, and outsourcing have all but obliterated many definitions of cybercrime. A clear and concise definition of cybercrime establishes the proper foundation for developing policies and practices to detect, prevent, and mitigate offenses. I will discuss more about policy creation in Chapter 6.
An understandable definition of cybercrime bridges the gap between the law and your cybersecurity program and brings clarity to the portions of your cybersecurity program that address criminal offenses.
1.2.2 Challenging Your Current Definition of Cybercrime
Is the current description of the crimes clear and concise enough to create actionable policies and practices? Many definitions just state that computer crime is the commission of a crime through the use of equipment and networks. I argued just such a point with a client once and even performed a breach of security simulation to prove the point. The exercise consisted of USB sticks strewn across their parking lot, with the hope that a few unsuspecting employees would pick them up and attempt to read the data. Approximately a dozen employees were detected by the client's endpoint security software plugging the USB sticks into their computers. The exercise showed that no crime had been committed according to their definition, as neither a computer nor a network was used to commit the offense. Their legal department agreed and subsequently made modifications to their definition of cybercrime. How do you feel your employees would do with a similar test?
1.2.3 Creating a Strong Cybercrime Definition
Depending on geographical location and jurisdiction, cybercrime definitions vary. You will want your cybercrime definition to hold true regardless of the rapidity of legislative and technological change, as well as to adhere to multiple legal jurisdictions. Consider peer-testing your cybercrime definition against one that I have developed over my career of working with numerous companies. This definition has evolved from dozens of legal department reviews:
Cybercrime is a criminal act in which computerized equipment, automated service, or communications mechanism is either the object or the means of perpetrating legal or regulatory restricted or prohibited offenses.
Such a definition has a number of advantages:
• Including the word offenses in the definition rather than citing specific examples such as theft or fraud makes the definition timeless.
• The use of the words equipment, service, and communications frees the definition from being dependent on specific technologies.
• You will not need to cite specific examples such as cybertheft or computer fraud in your definition, as those examples will always be a crime regardless of a cyber component.
To ensure that your cybersecurity program defines cybercrime adequately in an actionable sense, be sure to validate the definition with your company lawyers.
1.2.4 Cybercrime Categories in the Incident Response Plan
Once you have a vetted and approved cybercrime definition, don't forget to identify the likely types of cybercrimes to which your organization is exposed. Naming cybercrimes within the definition would burden the description unduly by limiting its applicability and usefulness, which is why it is important to identify them separately. The proper place to address the identified cybercrimes is in your company's incident response plan, a set of instructions or tasks specifying the actions necessary to respond to a specific security emergency. Emergencies could include virus outbreaks, loss or theft of an employee-assigned laptop containing sensitive information, or a ransomware attack. Using a risk assessment as your guide, focus on the cybercrimes with the highest likelihood of occurrence and a correspondingly high potential impact.
To aid in the identification of cybercrimes, you will find it helpful to examine the four primary categories:
1. Personal Cybercrimes. These types of crimes target people and consist of cyberbullying, cyberstalking, identity theft, identity impersonation, fraud scams, data theft, ransomware attacks, etc.
2. Institutional Cybercrimes. These types of crimes target companies or governments and consist of denial of service attacks, cybervigilantism, cyber terrorism, cyber-slander, hacktivism, website defacement, etc.
3. Property Cybercrimes. These types of crimes target digital property and consist of data theft, computer sabotage, data destruction, etc.
4. Inchoate Cybercrimes. Inchoate is a specific legal term used to describe crimes that have been started but not completed. An example of this type of crime would be where a hacker has completed the initial steps of an attack on a network or computer (target). These steps could include scanning a target for potential vulnerabilities, verifying that the vulnerabilities exist on the target, and installing malicious software to siphon away confidential data. In this example, all the hacker would need to do to complete the crime is activate the malicious software remotely. What would make this an inchoate crime is that the last step of activating the malicious software is never completed. Despite the fact that such crimes are incomplete and no harm has yet occurred, they were nonetheless attempted, demonstrating that a substantial criminal effort was under way. Inchoate crimes also include cyber conspiracy, cybersolicitation, cyberstalking, and other types of attempted crimes.
TIP: The tone and scope of a cybersecurity program start with a proper cybercrime definition. The definition will shape the construction of information and asset protection policies and practices. Address specific high-risk cybercrimes within your incident response plan.
1.3 Understanding the Four Basic Elements of Criminal Law
It would be nearly impossible to build connections to the law in your cybersecurity plan without at least knowing the fundamentals of criminal law. If you know how the legal system determines guilt or innocence, you ...