Introduction to Legal Issues in Cybersecurity


Just as it is important to know security definitions before getting technical, it is arguably even more important to understand the law surrounding it. Learn about all that here!


Before starting, I am personally from the UK so I will mostly be covering UK law here. However, some of what I will talk about applies to almost any country with maybe some slight changes depending on the country.

It is ALWAYS recommended to go and research your own country’s laws regarding cyber security and hacking before getting started in this field. It might be boring now, but it could save you from spending time in a dark prison cell!

Legal Issues

A penetration tester (or ethical hacker) must understand the legal implications of hacking a network, even when it is done in an ethical manner.

The laws applicable to hacking are mainly defined in the Computer Misuse Act 1990 and the Police and Justice Act 2006, which includes anti-hacking legislation.

It's important to define and explain the concept of cybercrime. Cybercrime is ANY criminal activity completed using computers and the Internet. This includes anything from downloading illegal music files to stealing money from bank accounts.

Cybercrime also includes non-monetary offences such as creating and distributing viruses to other computers or posting confidential business information on the Internet.

In general, cybercrime can be split into two main categories:

  • Crimes facilitated by a computer - a computer, mobile phone or other device is used to store, manipulate, and distribute data related to criminal activity.

  • Crimes where the computer is the target - attacks by criminals against computer systems

Generally, crimes in the first category are traditional crimes (fraud, theft, etc.). Many are now perpetrated within cyberspace and, as such, are referred to as cybercrime or computer crimes.

On the other hand, crimes in the second category are committed exclusively by computer systems against other computer systems (DoS attacks, stealing data, hacking).

One of the most prominent forms of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done are phishing and pharming.

Both of these methods lure users to fake websites, where they are asked to enter personal information (login details, usernames, passwords, phone numbers, addresses, credit card numbers, etc.) which is then used to steal their identity.

For this reason, it is always smart to check the URL or address of a site to make sure it is legitimate before entering personal information.


Laws and Ethics

There are two main forms of human control which define correct social behaviour. Both also apply in digital security:

  • Legal System - adapted quite well to information and communication technology by reusing some old forms of legal prosecution (copyrights, patents) and by creating laws where no adequate ones existed (malicious access)

  • Ethics - can be applied without changes, since ethics is more situational and personal

Legal System - Relevant Laws (UK)

In the UK, one of the most relevant laws which applies to cybercrime is the Computer Misuse Act of 1990.

The CMA specifies three main sections:

  • Unauthorized access to computer material

  • Unauthorized access with intent to commit or facilitate commission of further offences

  • Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

Two additional sections were added. The latest (2015) was added by the Serious Crime Act. This is defined as 3ZA:

Unauthorized acts causing, or creating risk, of serious damage

Earlier, in 2006, Section 37 of the Police & Justice Act inserted a new section (3A) into the CMA which makes it illegal to make, supply or obtain articles for use in an offence under section 1, 3 or 3ZA.

Additionally, section 38 makes transitional and saving arrangements for the 1990 Act so as to provide that the amendments do not apply in relation to offences committed before the coming into force of the amendments or acts done before that time.


Data Protection Laws

Another relevant piece of legislation is the Data Protection Act 1998. It was designed to protect personal data stored by a third party and defines the concept of Personal Data (data from which a living individual can be identified).

For instance, take a name, an address and a date of birth. Only together can they be used to identify you, and only together can they be defined as personal data. Each piece on its own is not enough to identify someone and, as a consequence, should NOT be considered personal data.

The Act also specifies the concepts of Sensitive Personal Data. This is personal data consisting of information as to:

  • racial or ethnic origin

  • political opinions

  • religion

  • health

  • sex life

  • criminal activity

It needs to be treated with greater care. Information about these matters could be used in a discriminatory way and is likely to be of a private nature.

The Act regulates the "processing" of personal data and it is the Information Commissioner who has power to enforce the Act.

The Data Protection Act contains 8 key principles. Personal data must:

  1. be processed fairly and lawfully

  2. be processed for specific lawful purposes

  3. be adequate, relevant and not excessive

  4. be accurate and up to date

  5. not be kept for any longer than is necessary

  6. be processed in accordance with the rights of individuals

  7. be kept secure

  8. not be transferred outside the European Economic Area without adequate protection

In May 2018, the DPA 1998 was superseded by the DPA 2018, which is based on the General Data Protection Regulation (GDPR). This expands the number of data protection obligations placed on companies and strengthens the rights of individuals.

The aim of GDPR is to protect all EU citizens from privacy and data breaches. The key principles of data privacy are still the same. However, many changes have been implemented. Some include:

  • Increase Territorial Scope

  • Penalties

  • Consent

  • Breach Notification

  • Right to Access

  • Right to Be Forgotten

  • Data Portability

  • Privacy by Design

  • Data Protection Officers

Increase Territorial Scope

The biggest change is the extended jurisdiction that exists under the GDPR. It applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company's location.

Penalties

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or £20 million (whichever is greater).

Consent

The request for consent must be given in a clear and easily accessible form, with the purpose for data processing explained. Consent must also be easy to withdraw.

Breach Notification

Notification of a breach has become mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". This must be done within 72 hours of first becoming aware of the breach.

Right to Access

Data subjects have the right to obtain confirmation from the data controller that their personal data is being processed, and to learn where and for what purpose.

Additionally, the controller must provide, upon request, a copy of the personal data, free of charge, in an electronic format.

Right to be Forgotten

The right to be forgotten enables data subjects to have their personal data erased, cease further distribution of their data and have third parties stop processing of the data.

Data Portability

This is the right of a data subject to receive the personal data concerning them, and to transmit that data to another controller.

Privacy by Design

At its core, privacy by design calls for data protection to be included from the outset when designing systems, rather than as a later addition.

Data Protection Officers

A Data Protection Officer (DPO) must be appointed by those controllers and processors whose main activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or which involve special categories of data or data relating to criminal convictions and offences.


International Laws

Where the Internet is concerned, legislation is often the weakest form of protection. Since international boundaries are relatively meaningless, there are difficulties in defining the jurisdiction of courts.

The UK has signed a number of international treaties, including membership of the United Nations, the International Court of Justice, the International Criminal Court, and the Commission for International Trade Law.

Additionally, the UK is a signatory to the Cybercrime Treaty signed in Budapest in 2001.

There are also many bilateral agreements, i.e. treaties with just one other signatory. For example, the basis upon which law enforcement agencies co-operate relies on extradition and mutual legal assistance treaties.

The CMA 1990 is unusual in that it extends the court's jurisdiction to events occurring outside the UK; the test is that there MUST be a significant link. However, there is no obligation to prosecute just because a link exists.


Ethical Issues

It is impossible to develop laws that describe and enforce every form of behaviour acceptable to society. Instead, a society relies on ethics and moral principles to prescribe generally accepted standards of proper behaviour.

Ethics is concerned with standards of behaviour and considerations of what is "right" and what is "wrong". It is difficult to state hard ethical rules because definitions of ethical behaviour are a function of an individual's experience, background, nationality, beliefs, culture, values, etc.

Ethical computing should incorporate ethical norms. Furthermore, if an individual is a certified professional in ethical computing, that individual is required to adhere to higher ethical and legal standards.

For instance, if you are a member of the British Computer Society, you are obliged to adhere to their ethical code.

A good table to define the difference between Laws and Ethics is as follows:


Cybercriminals

The types of cybercriminals vary. Nowadays there is a tendency for criminals to focus much of their effort on online activity, as it is easier to conduct and harder to get caught. Some categories of cybercriminals are:

  • Organized Crime

  • Professional Hackers

  • Military or Nation States

  • Terrorists

  • Activists or Hacktivists

ORGANIZED CRIME

There is no doubt that criminal organizations are getting more and more involved in crime within cyberspace. It is apparently more profitable than drug dealing and certainly less risky.

Organized crime uses teams of programmers and hackers. They specialize in developing malware primarily for stealing money, whether through fraud, blackmail or extortion.

The degree of sophistication of organized crime is at the level of production facilities with "departments" working together to generate the final product - right down to Quality Assurance.

PROFESSIONAL HACKERS

These are the professional assassins available for hire to do dirty work. Working underground, they can be hired via the Dark Web to perform attacks against a chosen target, such as hacking, malware attacks, etc.

MILITARY OR NATION STATES

Often operating on behalf of governments, militaries regard the use of cyber tools in warfare as the fifth dimension of warfare. Many countries, including the UK, have developed cyber-battalions specialized in cyber warfare.

TERRORISTS

Terrorist groups use cyber attacks against institutions or governments. At times, they employ these methods to gain funds or information for use in traditional attacks.

Nowadays, their ultimate aim seems to be to obtain or create military-grade software that could launch a cyber attack on infrastructure.

A current example is the Islamic State Hacking Division, which recently claimed responsibility for several cyber attacks, including the ones against France and the US.

ACTIVISTS OR HACKTIVISTS

Hacktivism has become a popular way for large numbers of people to express their views on governments and/or other organizations. This type of hacking is often referred to as hacking with a cause, and it generally has a social and political agenda behind it.

An example of this is the collective which calls itself Anonymous, made infamous by several cyber attacks executed against high profile targets such as Sony in 2011, or HBGary Federal in 2011.


Conclusion

Not the most exciting article, but this is INCREDIBLY IMPORTANT. If you want to get into cyber security, you need to know at the least the very basics of the laws that govern your potential future job.

I hope this taught you something if you’re in the UK and if not, I hope it has helped you understand the legal side a little more and I would encourage you to research your own country’s laws - I am by no means a legal expert on every country!

Thank you for reading and have a good day/night wherever you are in the world.
