Introduction to Legal Issues in Cybersecurity
Just as it is important to know security definitions before getting technical, it is arguably even more important to understand the law surrounding it. Learn about all that here!
Before starting, I am personally from the UK so I will mostly be covering UK law here. However, some of what I will talk about applies to almost any country with maybe some slight changes depending on the country.
It is ALWAYS recommended to go and research your own country’s laws regarding cyber security and hacking before getting started in this field. It might be boring now, but it could save you from spending time in a dark prison cell!
Legal Issues
A Penetration Tester (or Ethical Hacker) must understand the legal implications of hacking a network, even in an ethical manner.
The laws that apply to hacking are mainly defined in the Computer Misuse Act 1990 and the Police and Justice Act 2006, which includes anti-hacking legislation.
It's important to define and explain the concept of cybercrime. Cybercrime is ANY criminal activity completed using computers and the Internet. This includes anything from downloading illegal music files to stealing money from bank accounts.
Cybercrime also includes non-monetary offenses like creating and distribution of viruses on other computers or posting confidential business information on the Internet.
In general, cybercrime can be split into two main categories:
Crimes facilitated by a computer - a computer, mobile phone or other device is used to store, manipulate, and distribute data related to criminal activity.
Crimes where the computer is the target - attacks against computer systems from criminals
Generally, crimes related to the first are traditional crimes (fraud, theft, etc.). Many are now perpetrated within cyberspace and as such, they are referred to as cybercrime or computer crimes.
On the other hand, crimes in the second category are committed using computer systems against other computer systems (DoS attacks, stealing data, hacking).
One of the most prominent forms of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done are phishing and pharming.
Both of these methods lure users to fake websites, where they are asked to enter personal information - login information, usernames, passwords, phone numbers, addresses, credit cards, etc. - which is then used to steal their identity.
For this reason, it is always smart to check the URL or address of a site to make sure it is legitimate before entering personal information.
Laws and Ethics
There are two main approaches for human controls which define correct social behaviour. These are also applicable in Digital Security and they are:
Legal System - adapted quite well to information and communication technology by reusing some old forms of legal prosecution (copyrights, patents) and by creating laws where no adequate ones existed (malicious access)
Ethics - can be applied without changes, since ethics is more situational and personal
Legal System - Relevant Laws (UK)
In the UK, one of the most relevant laws which applies to cybercrime is the Computer Misuse Act of 1990.
The CMA specifies three main sections:
Unauthorized access to computer material
Unauthorized access with intent to commit or facilitate commission of further offences
Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
Two additional sections were added. The latest (2015) was added by the Serious Crime Act. This is defined as 3ZA:
Unauthorized acts causing, or creating risk, of serious damage
Earlier, in 2006, Section 37 of the Police & Justice Act inserted a new section (3A) into the CMA which makes it illegal to make, supply or obtain articles for use in an offence under section 1, 3 or 3ZA.
Additionally, section 38 makes transitional and saving arrangements for the 1990 Act so as to provide that the amendments do not apply in relation to offences committed before the coming into force of the amendments or acts done before that time.
Data Protection Laws
Another piece of legislation is the Data Protection Act 1998. It was designed to protect personal data stored by a third party and defines the concept of Personal Data (data from which a living individual can be identified).
For instance, take a name, address and date of birth. Only together can they be used to identify you, and only together can they be defined as personal data. Each piece on its own is not enough to identify someone and as a consequence should NOT be considered personal data.
The Act also specifies the concepts of Sensitive Personal Data. This is personal data consisting of information as to:
racial or ethnic origin
political opinions
religion
health
sex life
criminal activity
It needs to be treated with greater care. Information about these matters could be used in a discriminatory way and is likely to be of a private nature.
The Act regulates the "processing" of personal data and it is the Information Commissioner who has power to enforce the Act.
The Data Protection Act contains 8 key principles. Personal data must:
be processed fairly and lawfully
be processed for specific lawful purposes
be adequate, relevant and not excessive
be accurate and up to date
not be kept for any longer than is necessary
be processed in accordance with the rights of individuals
be kept secure
not be transferred outside the European Economic Area without adequate protection
In May 2018, the DPA 1998 was superseded by the DPA 2018, based on the General Data Protection Regulation (GDPR). This expands the data protection obligations placed on companies and strengthens the rights of individuals.
The aim of GDPR is to protect all EU citizens from privacy and data breaches. The key principles of data privacy are still the same. However, many changes have been implemented. Some include:
Increased Territorial Scope
Penalties
Consent
Breach Notification
Right to Access
Right to Be Forgotten
Data Portability
Privacy by Design
Data Protection Officers
Increased Territorial Scope
The biggest change is the extended jurisdiction that exists under the GDPR. It applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company's location.
Penalties
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or £20 million (whichever is greater)
Consent
The request for consent must be given in a clear and easily accessible form, with the purpose for data processing explained. Consent must also be easy to withdraw.
Breach Notification
Notification of a breach has become mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". This must be done within 72 hours of first becoming aware of the breach.
Right to Access
Data subjects have the right to obtain confirmation that their personal data is being processed from the data controller, where and for what purpose.
Additionally, the controller must provide, upon request, a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten
The right to be forgotten enables data subjects to have their personal data erased, cease further distribution of their data and have third parties stop processing of the data.
Data Portability
This is the right of a data subject to receive the personal data concerning them, and to transmit that data to another controller.
Privacy by Design
At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.
Data Protection Officers
A Data Protection Officer or DPO must be appointed for those controllers and processors whose main activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
International Laws
Where the Internet is concerned, legislation is often the weakest form of protection. Since international boundaries are relatively meaningless, there are difficulties in defining the jurisdiction of courts.
The UK has signed a number of international treaties, including membership of the United Nations, the International Court of Justice, the International Criminal Court, and the Commission on International Trade Law.
Additionally, the UK is a signatory to the Cybercrime Treaty of 2001 in Budapest.
There are also many bilateral agreements (treaties with just one other signatory). For example, the basis upon which law enforcement agencies co-operate relies on extradition and mutual legal assistance treaties.
The CMA 1990 is unusual in that it extends the court's jurisdiction to events occurring outside the UK; the test is that there MUST be a significant link. However, there is no obligation to prosecute just because a link exists.
Ethical Issues
It is impossible to develop laws to describe and enforce all forms of behaviour acceptable to society. Instead, a society relies on ethics and moral principles to prescribe generally accepted standards of proper behaviour.
Ethics is concerned with standards of behaviour and considerations of what is "right" and what is "wrong". It is difficult to state hard ethical rules because definitions of ethical behaviour are a function of an individual's experience, background, nationality, belief, culture, values, etc..
Ethical computing should incorporate ethical norms. Furthermore, if an individual is a certified professional in ethical computing, that individual is required to adhere to higher ethical and legal standards.
For instance, if you are a member of the British Computer Society (BCS), you are obliged to adhere to their code of conduct.
A good table to define the difference between Laws and Ethics is as follows:
Cybercriminals
The types of cybercriminals vary. There is a tendency nowadays for criminals to focus much of their effort on online activity, as it is easier to conduct and they are more difficult to catch. Some categories of cybercriminals are:
Organized Crime
Professional Hackers
Military or Nation States
Terrorists
Activists or Hacktivists
ORGANIZED CRIME
There is no doubt that criminal organizations are getting more and more involved in crime within cyberspace. It is apparently more profitable than drug dealing and certainly less risky.
Organized crime uses teams of programmers and hackers. They are specialized in developing malware primarily for stealing money, either through fraud, blackmail or extortion.
The degree of sophistication of organized crime is at the level of production facilities with "departments" working together to generate the final product - right down to Quality Assurance.
PROFESSIONAL HACKERS
These are the professional assassins available for hire to do dirty work. Working in the underground, they can be hired via the Dark Web to perform attacks against a chosen target, such as hacking, malware attacks, etc.
MILITARY OR NATION STATES
Often operating on behalf of governments, militaries identify the use of cyber tools as the fifth dimension of warfare. Many countries, including the UK, have developed cyber-battalions specialized in cyber warfare.
TERRORISTS
Terrorist groups use cyber attacks against institutions or governments. At times, they employ these methods to gain funds or information for use in traditional attacks.
Nowadays, their ultimate aim seems to be to obtain or create military-grade software that could launch a cyber attack on infrastructure.
A current example is the Islamic State Hacking Division, which recently claimed responsibility for several cyber attacks, including the ones against France and the US.
ACTIVISTS OR HACKTIVISTS
Hacktivism has become a popular way for large numbers to express their view on governments and/or other organizations. This type of hacking is often referred to as hacking with a cause, and it generally has a social and political agenda behind it.
An example of this is the collective which calls itself Anonymous, made infamous by several cyber attacks executed against high profile targets such as Sony in 2011, or HBGary Federal in 2011.
Conclusion
Not the most exciting article, but this is INCREDIBLY IMPORTANT. If you want to get into cyber security, you need to know at the least the very basics of the laws that govern your potential future job.
I hope this taught you something if you’re in the UK and if not, I hope it has helped you understand the legal side a little more and I would encourage you to research your own country’s laws - I am by no means a legal expert on every country!
Thank you for reading and have a good day/night wherever you are in the world.