1030(e)(6) Exceeding Auth Access
• (6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter
• Idea: an insider (someone with authorized access) is liable only for intentional damage, while an outsider (access without authorization) can be liable for intentional, reckless, or negligent damage (compare § 1030(a)(5)(A) with (a)(5)(B) and (C))
The Computer Fraud and Abuse Act (CFAA) draws a significant distinction between insiders and outsiders, delineating between individuals who have legitimate access to a computer system, such as employees, and those who do not. This differentiation is reflected in the statute's language regarding authorization and exceeding authorization, with certain provisions applying exclusively to outsiders while others encompass both insiders and outsiders.
For instance, Section 1030(a)(3) of the CFAA, which pertains to trespass into a government computer, is intended to target outsiders, specifically non-government employees who unlawfully access government systems. This limitation acknowledges Congress's reluctance to criminalize the actions of ordinary government employees who may inadvertently access restricted systems in the course of their duties.
The rationale behind this distinction stems from concerns about both external hackers and the threat posed by insiders. The Morris worm case is the standard example: Robert Tappan Morris held legitimate user accounts on several of the affected university networks, yet the court still found his access "without authorization" because he used system services in ways they were never intended to support. Holding an account does not immunize harmful activity.
The statutory definition of exceeding authorized access covers someone who accesses a computer with legitimate authorization, such as an employee within an organization, and uses that access to obtain or alter information they are not entitled to obtain or alter. For organizations, implementing access controls is crucial to restrict employees' access to specific systems based on their roles and responsibilities. For example, employees in the marketing department may have access to systems related to advertising and consumer modeling but should be excluded from payroll systems.
By maintaining robust access barriers, organizations can mitigate the risk of insider threats and unauthorized access to sensitive information. This approach allows organizations to effectively manage access privileges and prevent insiders from using their legitimate access in one domain to gain unauthorized access to other sensitive systems.
In summary, the distinction between insiders and outsiders under the CFAA underscores the importance of implementing effective access controls and security measures to safeguard against both external and internal threats to computer systems. By delineating between authorized and unauthorized access, organizations can mitigate the risk of insider misuse and protect sensitive information from unauthorized access and alteration.
What do these cases tell us?
• Watch out employees (and employers!)
• People do bad things with data. But the CFAA is about access to computers, not the use of data
• Have a protocol for revoking authorization, particularly for "key person" technical staff
These cases highlight several important lessons for both employees and employers. Firstly, employees should be aware that employers may resort to the Computer Fraud and Abuse Act (CFAA) to penalize individuals who leave employment under unfavorable circumstances. Conversely, employers should recognize the CFAA as a tool to address legitimate concerns regarding insiders who misuse data.
Over the course of one's career, encountering a "bad leaver" scenario, where a key technical insider must be terminated, is almost inevitable. In such situations, access to systems should be cut off before the employee learns of the termination. The firing scene in the movie "Jerry Maguire" is the illustration used in class: revoke access to all systems and recover work equipment promptly, because a technically sophisticated insider who still has credentials may attempt to sabotage systems.
Lessons from these cases underscore the necessity of revoking passwords and usernames, explicitly informing the employee of their loss of authorization, and physically escorting them out of the workplace to clearly establish their status as an outsider. Failure to take these measures can result in situations akin to Brekka, where employees transfer sensitive information to personal devices, leaving employers with limited recourse.
Thus, it is crucial for both employees and employers to anticipate potential conflicts and adopt proactive measures to safeguard against unauthorized access and mitigate associated risks effectively.
One line of cases holds that authorization can be defined by contract: an employment agreement or end user license agreement (EULA) sets the terms of access, and violating those terms renders the individual unauthorized and in violation of the CFAA. This approach was followed in the First and Seventh Circuits. Employees in those regions should pay close attention to employment agreements and EULAs, as they can define authorization terms.
Government employee cases, such as Czubinski and Rodriguez, demonstrate that accessing files outside of one's assigned responsibilities could be treated as exceeding authorized access under the CFAA. Even actions like making false threats over police radios, as seen in McFadden, have been treated as unauthorized use because they violated usage rules. Note that the Supreme Court substantially narrowed this purpose-based reading in Van Buren v. United States (2021): an employee who is permitted to access a file does not exceed authorized access merely by accessing it for an improper purpose, so controls that actually close the "gate" matter more than policy language.
The Olson case highlights the importance of having policies and procedures in place to prevent employees from browsing files they are not supposed to access. There, the court ruled that Olson's access was authorized because the employer had not implemented measures restricting such browsing.
The Shurgard Storage case introduces the concept of agency law, where employees may lose their authorization if they act in ways adverse to their employer's interests. This can create legal complexities, especially for employees transitioning to new companies.
The case of Lori Drew on Myspace illustrates the limitations of using EULAs to justify CFAA prosecutions. A jury convicted Drew of misdemeanor CFAA violations for breaching Myspace's terms of service, but the trial judge set the verdict aside, holding that treating terms-of-service violations as crimes would criminalize common online behavior and leave the statute unconstitutionally vague.
Some courts, particularly in the Seventh Circuit, subscribe to an agency theory that states employees owe a duty to their employers. If an employee acts against the interests of their employer or engages in transgressive behavior, they may sever the agency relationship, rendering their authorization invalid. While this view is not widely accepted, it's essential to be aware of it as it can impact employees and employers.
In cases involving government employees, courts have shown a greater willingness to use the Computer Fraud and Abuse Act (CFAA) to prosecute individuals who misuse computer systems or access unauthorized information.
On the other hand, consumer-focused End User License Agreements (EULAs) typically do not clearly define authorization. This ambiguity can be advantageous, as it prevents one-sided agreements from determining whether individuals are considered computer criminals.
Overall, these cases emphasize the importance of understanding the legal implications of contractual agreements and the potential consequences of unauthorized access under the CFAA.
An example is the Morris case, where a graduate student released a worm that disrupted the early internet. Although Morris had legitimate accounts on the networks involved, the court held that using sendmail and finger as propagation vectors was unauthorized, because that was not the intended function of those services.
Another case, United States v. John (Fifth Circuit), involved a bank employee who used access to customer account data to support identity fraud. Brekka had held that an employee who merely misuses data obtained through authorized access does not violate the CFAA; the John court distinguished that reasoning, finding that using customer accounts to run a fraud scheme fell outside any normative understanding of what a bank employee is authorized to do, and upheld the CFAA conviction.
The scheme involved recruiting others, including family members, to make fraudulent purchases using the stolen card and account information, including at Home Depot. Although the intrusion and theft were substantial, the conspiracy produced only about $80,000 in losses. John nevertheless received a nine-year prison sentence.
To control authorization within your institution and shape how the Computer Fraud and Abuse Act (CFAA) applies to you and your employees, consider the following strategies:
Implement Access Controls: Tailor access controls based on employees' roles to limit access to specific systems and data. Avoid having a single administrative login for all employees, as it poses security risks.
Use Banners: Display banners on computer systems reminding employees of acceptable use policies, including prohibition of unlawful activities and unauthorized data transfer.
Revoke Credentials Quickly: Disable access credentials promptly when separating from employees, especially those with technical expertise who may find ways to access systems even after termination.
Employee Manuals and Training: Develop employee manuals outlining acceptable computer use policies and provide training to ensure employees understand and adhere to these policies.
Enforce Policies: Regularly monitor and enforce policies to ensure compliance. Actively police violations to maintain a secure computing environment.
Take the Drew case: if Myspace had operated systems to detect fake profiles and remove the users who created them, as well as users who contacted children, the outcome might have differed. Myspace could then have argued that what Lori Drew did was not only wrong but contrary to policies that were actively enforced. Facebook, by comparison, has numerous policies and procedures in place and actively monitors and intervenes when older users interact with underage ones to determine whether the contact is appropriate. Enforcement of that kind gives the policy real weight in a CFAA analysis.
Indicate Important Terms: Clearly identify and emphasize critical terms in contracts and use policies to ensure employees understand which rules are essential and subject to disciplinary action.
Require Justification for Sensitive Data Access: Implement mechanisms requiring employees to justify their need for accessing sensitive data, promoting accountability and discouraging unauthorized use.
By implementing these measures, you can better control authorization within your institution and mitigate potential CFAA violations by employees.
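The access-control, justification and credential-revocation items above are easiest to see as one enforcement mechanism, so here is a deny-by-default role-based check with an audit trail. This is an added example written for these notes, not code from the original page or from any vendor; the users (alice, bob), roles (marketing, payroll), resources and the ticket reference are assumed for illustration.

```python
"""Deny-by-default role-based access check with justification and revocation.

Added example; the users, roles and resources below are assumed for
illustration and are not from the original notes or any particular product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Role -> set of (resource, action) grants.  Anything not listed is denied,
# so a marketing user cannot reach payroll however the request is phrased.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "marketing": {("ad-campaigns", "read"), ("ad-campaigns", "write"),
                  ("consumer-model", "read")},
    "payroll": {("payroll", "read"), ("payroll", "write")},
}

# Resources for which every access must carry a recorded justification.
SENSITIVE_RESOURCES: Set[str] = {"payroll"}


@dataclass
class User:
    name: str
    roles: Set[str]
    active: bool = True  # flipped to False at separation


@dataclass
class AuditEvent:
    when: str
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str
    justification: Optional[str]


class AccessControl:
    def __init__(self, users: Dict[str, User]) -> None:
        self.users = users
        self.audit: List[AuditEvent] = []

    def revoke(self, username: str) -> None:
        """Disable a principal; every later check for it fails closed."""
        self.users[username].active = False

    def check(self, username: str, resource: str, action: str,
              justification: Optional[str] = None) -> bool:
        """Return True only if the user is active, some role grants
        (resource, action), and sensitive resources carry a justification."""
        user = self.users.get(username)
        if user is None:
            return self._log(username, resource, action, False,
                             "unknown principal", justification)
        if not user.active:
            return self._log(username, resource, action, False,
                             "credentials revoked", justification)
        granted = any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                      for r in user.roles)
        if not granted:
            return self._log(username, resource, action, False,
                             "no role grants this access", justification)
        if resource in SENSITIVE_RESOURCES and not justification:
            return self._log(username, resource, action, False,
                             "justification required", justification)
        return self._log(username, resource, action, True, "granted",
                         justification)

    def _log(self, username: str, resource: str, action: str, allowed: bool,
             reason: str, justification: Optional[str]) -> bool:
        # Every decision, allowed or denied, is recorded with its reason.
        self.audit.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=username, resource=resource, action=action,
            allowed=allowed, reason=reason, justification=justification))
        return allowed


def build_demo() -> AccessControl:
    """Constructed sample directory: one marketing user, one payroll user."""
    return AccessControl({
        "alice": User("alice", {"marketing"}),
        "bob": User("bob", {"payroll"}),
    })


if __name__ == "__main__":
    ac = build_demo()
    ac.check("alice", "ad-campaigns", "write")
    ac.check("alice", "payroll", "read", justification="curious")
    ac.check("bob", "payroll", "read")
    ac.check("bob", "payroll", "read", justification="ticket HR-1042")
    ac.revoke("bob")  # separation: the gate goes down before anything else
    ac.check("bob", "payroll", "read", justification="ticket HR-1042")
    for e in ac.audit:
        print(f"{e.user:6} {e.action:5} {e.resource:13} "
              f"{'ALLOW' if e.allowed else 'DENY':5} {e.reason}")
```

The point of the structure is that denial is the default and revocation is a state change the check consults on every request, not a memo to the employee. The audit record is what lets an employer later show that a particular access was outside what the system permitted, which is the kind of evidence the cases above turn on.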
• The DMCA gives protection to both access controls and copy controls
- Prohibits the circumvention of technological protection measures (e.g., DRM)
- Prohibits the manufacture and distribution of tools that aid in such circumvention
- Circumvention means to avoid, bypass, or disable
• DMCA 17 USC § 1201
- No person shall circumvent a technological measure that effectively controls access to a work protected under this title
The Digital Millennium Copyright Act (DMCA), enacted in 1998, aims to protect digital media from unauthorized access and copying. It addresses issues arising from digital media distribution and the ease of making perfect digital copies, which threatened the creative industry's revenue.
The DMCA prohibits the circumvention of technical protection measures (TPMs) that control access to copyrighted works. It also prohibits the creation and distribution of tools primarily designed for circumventing access or copy controls. However, the law's application to cybersecurity activities is unclear and poses challenges.
Some activities in cybersecurity, such as reverse-engineering software for testing or research purposes, may inadvertently violate the DMCA. Companies have used the DMCA to threaten researchers and cybersecurity professionals engaging in such activities.
For example, ElcomSoft, a Russian company that developed software to strip the protection from Adobe eBooks, was criminally prosecuted under the DMCA's anti-trafficking provision after its programmer Dmitry Sklyarov was arrested in the United States. A jury acquitted the company, but the prosecution highlights the legal uncertainty surrounding the DMCA's application to security tooling.
Additionally, product manufacturers have attempted to use the DMCA to shield their products from aftermarket competition. Chamberlain (garage door openers) and Lexmark (printer toner cartridges) each argued that the authentication code embedded in their products was a technological protection measure under the DMCA, so that compatible third-party products circumvented it. Both arguments failed, but only after litigation.
Furthermore, software makers have argued that decompiling code, a common practice in cybersecurity for analyzing software behavior, violates the DMCA's provisions.
Given these challenges, cybersecurity professionals must be cautious when engaging in activities that may involve circumventing access or copy controls. It's essential to understand the legal implications and adopt strategies to mitigate risks, such as marketing tools as neutral or emphasizing consent for testing activities.
Overall, the DMCA's impact on cybersecurity remains a gray area, and further legal clarity is needed to navigate these complexities effectively.
Historical Perspective:
Traditionally, future wars could be predicted based on advancements in weaponry.
Examples from ancient Greece and Rome illustrate this concept.
Cyber Conflict:
Unlike traditional warfare, cyberwar presents unprecedented challenges.
Comparable to the pre-atomic era, where the destructive power of bombs altered warfare.
Difficult to imagine the full extent and consequences of cyber conflicts.
Insights from Eligible Receiver:
The 1997 Eligible Receiver exercise, in which an NSA red team attacked U.S. military networks, provides a glimpse into potential cyber conflicts.
Revealed vulnerabilities in critical systems, including Department of Defense and 911 networks.
Characteristics of Cyber Conflict:
Many cyber attacks are non-kinetic but serve political objectives.
Targets extend beyond traditional battlefield to media and information environments.
Focuses on espionage rather than direct sabotage or warfare.
Unique Aspects of Cyber Conflict:
Geographic scope is limitless, occurring rapidly and simultaneously across multiple locations.
Requires meticulous planning and coordination with intelligence.
Bound by physical realities, such as the vulnerability of underground internet cables.
Challenges in Attribution and Response:
Difficulty in determining the intent of cyber actors.
Intrusions can be used for various purposes, including crime, espionage, or preparing for conflict.
Attribution of cyber attacks often delayed, leading to uncertainty in response.
Classifying Cyber Conflict:
Can be viewed through different lenses: crime?, espionage?, sabotage?, defensive action?, or war?
Each classification offers distinct advantages and drawbacks in strategic analysis.
Conclusion:
The future of warfare is increasingly defined by cyber conflicts, presenting unique challenges and uncertainties. Understanding the nature and implications of cyber warfare requires careful analysis and classification within various strategic frameworks.
LOAC
The Law of Armed Conflict (LOAC) plays a crucial role in setting norms for engagement and conflict, including cyber conflict. LOAC aims to mitigate the devastating effects of total war by establishing boundaries for legitimate aggression and outlining principles such as distinction, proportionality, and precaution.
The principle of distinction underscores the importance of identifying combatants from non-combatants, a challenge exacerbated in cyber conflict where the designation of combatants is less clear-cut. The concept of proportionality emphasizes minimizing civilian casualties and damage to civilian property, both in offensive and defensive actions, raising questions about the justifiability and necessity of cyber self-defense.
Furthermore, the principle of precaution dictates that attacks should avoid civilian populations, posing challenges in cyber conflict where civilian infrastructure often serves as conduits for cyber attacks. The use of civilian networks for military purposes blurs the lines between civilian and military targets, potentially violating LOAC principles and raising concerns about the resurgence of total war tactics that target civilian populations directly.
Armed Conflict: Four High-Level Legal Issues
1. General ban on threats or uses of force in international relations
2. When is cyber an "armed attack" that triggers LOAC conduct requirements?
3. Some aggression is considered an "armed attack" and can justify actions in self defense
4. UN Security Council powers: what threats to peace and aggression could authorize a response from the UN?
Office of Foreign Assets Control (OFAC) list, also known as the SDN (Specially Designated Nationals and Blocked Persons) list