Tero John Kenneth Tero

Chapter 2: The Legal Environment and Its Impact on Information Technology

Homeland Security Act of 2002


With the event of September 11, 2001, fresh in our minds and the Department of Homeland Security
releasing its National Strategy for Securing Cyberspace in 2002.

19 militants associated with the Islamic extremist group Al-Qaeda hijacked four airliners and carried out
suicide attacks against targets in the United States. Two of the planes were flown into the towers of the World
Trade Center in New York City, a third plane hit the Pentagon just outside Washington, D.C., and the fourth plane
crashed in a field in Pennsylvania.

Often referred to as 9/11, the attacks resulted in extensive death and destruction, triggering major U.S.
initiatives to combat terrorism.

The passage of the Homeland Security Act of 2002 and the inclusion of the Cyber Security
Enhancement Act within that act make the need to be aware of and practice cyber security or information
assurance everyone's business (private and public).

The Cyber Security Enhancement Act (H.R. 3482) was incorporated into the Homeland Security
Act of 2002. The act demands life sentences for those hackers who recklessly endanger lives. Also, the act
included provisions that seek to allow Net surveillance to gather telephone numbers, Internet Protocol (IP)
addresses, and universal resource locators (URLs) or e-mail information without recourse to a court where
an immediate threat to a national security interest is suspected. Finally, Internet Service Providers (ISPs)
are required to hand over users' records to law enforcement authorities, overturning current legislation that
outlaws such behavior.

The Homeland Security Act added additional phrasing that seeks to outlaw the publication
anywhere of details of tools such as Pretty Good Privacy (PGP), which encode e-mails so that they cannot
be read by snoops. This provision allows police to conduct Internet or telephone eavesdropping randomly
with no requirement to ask a court's permission first. As mentioned earlier, this law has a provision that
calls for punishment of up to life in prison for electronic hackers who are found guilty of causing death to
others through their actions. Any hacker convicted of causing injuries to others could face prison terms up
to 20 years under cyber-crime provisions, which are in Section 225 of the Cyber Security Enhancement Act
provision of the Homeland Security Act.

The Homeland Security Act of 2002 was created to prevent terrorist attacks within the United States
and reduce the vulnerability of the United States to terrorism. It plays a major role in the security of
cyberspace because it enforces many limitations and restrictions to users of the Internet. For example, one
goal of the act is to establish an Internet-based system that will only allow authorized persons the access
to certain information or services. Owing to this restriction, the chances for vulnerability and attacks may
decrease. The impact of this act will contribute to the security of cyberspace because its primary function
is to protect the people of the United States from any form of attack, including Internet attacks.

Section 214 of the Homeland Security Act is titled "Protection of Voluntarily Shared Critical
Infrastructure Information." This section states that the act [Protects] critical infrastructure information
accompanied by an express statement protecting its disclosure. [It] protects systems, which include
physical systems, computer-based virtual systems, and information that affect national security. This
section is like The National Strategy for Securing Cyberspace, which is discussed later; both promote
security of the nation's infrastructures. Overall, with the implementation of these strategies, it is hoped that
the United States will gradually reduce its vulnerability and, most importantly, be protected from threats and
attacks. In the future, the Internet will become one of the most important assets to many companies. It is
very important that strong security is established today so that tomorrow's security will be indomitable.

Privacy on the Information Superhighway


As we all know, there is a tremendous amount of information that companies and agencies can retrieve on
any individual. People, corporations, and government are active in trading personal information for their
own gain.

Online identity theft is a major concern regarding E-commerce security. Striking millions of people
every year, identity theft is carried out when someone uses another's name or personal information (such
as a credit number) in a fraudulent manner and without the other's consent. Such action can be carried out
in purchasing products, taking out loans, accessing bank accounts, and much more. The most common
way personal information is stolen is through stealing business records, but other ways such as dumpster
diving or stealing information found in the trash, stealing mail, and simply snatching someone's wallet or
purse have been found as tools to gain private information. Other tools include IP spoofing and spoofing or
spam e-mail soliciting donations, funds, and deals.

This type of crime is a big threat and a growing concern for Internet users. According to the FTC's
Identity Theft Survey Report, approximately 10 million individuals were victims of identity theft. Credit card
information theft accounts for the major portion (over 50 percent) of identity theft with an estimated annual
cost of $53 billion. Identity theft is the fastest growing crime in the United States. Many of the reported
vulnerabilities were due to people errors, credit card skimming, and laptop theft. Coupled with the increased
number of hacker attacks, the need for increased security has never been higher.

The large number of users on the Internet has resulted in the availability of an enormous amount
of private information on the network. This information unfortunately seems to be available for the taking by
anyone who might be interested. A person's bank balance, Social Security number, political leanings,
an individual's medical record, and much more are there for anyone who may want them. These are some
examples:

• Cellular telephones. Your calls can be intercepted and your access number cribbed by eavesdroppers with police scanners.
• Registering to vote. In most states, voter-registration records are public and online. They typically list your birth date, phone number, and address.
• Supermarket scanners. Many grocery stores let you register for discount coupons that are used to track what you purchase.
• Browsing on the Web. Many sites mark visitors with "magic cookies" that record what you have been looking for and when you do it.

Are they entitled to your information? What is the government's policy regarding privacy of an
individual and keeping strong security policy? Ideally, we would like to limit the amount of monitoring that
the government can do on us, but is the government able to monitor our communications on the information
superhighway? How will this affect our right to privacy as guaranteed by the U.S. Constitution? The focus
of the following section will then be to address these issues paying especially close attention to the security-
based measures that have affected the ideal of individual right to privacy.

The National Strategy for Securing Cyberspace


Over the years, the government has drastically changed its operations, and businesses have not been able to
function the way they used to. These activities now rely on IT infrastructures called cyberspace. Over the
years, cyberspace threats have increased dramatically. However, securing cyberspace is not a simple task.
It involves a coordinated effort by the government, businesses, and individual users. Exhibit 2.1 represents
some of the roles and responsibilities in securing cyberspace.

As technology continues to emerge, new vulnerabilities emerge as well. The number of
vulnerabilities and incidents has continued to increase exponentially. The number of vulnerabilities reported
increased from 171 in 1995 to over 8000 in 2006 (Computer Emergency Response Team [CERT], Carnegie
Mellon University). The strategy to eliminate all threats and vulnerabilities is almost impossible these days.
Although it is difficult to eliminate these occurrences, another strategy would be to reduce them. The United
States plans to:

• Reduce threats and deter malicious hackers through effective programs to identify and punish them
• Identify and remediate those existing vulnerabilities that could create the most damage to critical systems if exploited
• Develop new systems with less vulnerability and assess emerging technologies for vulnerabilities

Exhibit 2.1 Roles and Responsibilities in Securing Cyberspace

Priority 1: National Cyberspace Security Response System
Priority 2: National Cyberspace Security Threat and Vulnerability Reduction System
Priority 3: National Cyberspace Security Awareness and Training Program
Priority 4: Securing Governments' Cyberspace
Priority 5: National Security and International Cyberspace Security Corporation

Home user/small business: x x
Large enterprises: x x x x x
Critical sectors/infrastructures: x x x x x
National issues and vulnerabilities: x x x x
Global: x

Source: From U.S. government, Author unknown, Cyberspace Threats and Vulnerabilities, http://www.whitehouse.gov/pcipb/case_for_action.pdf.

Methods That Provide for Protection of Information


Multiple pieces of legislation have been passed that allow for the protection of information. Through
amendments to the original legislation, intellectual property rights and computer-related issues have been
addressed. The acts that are currently included in law fall into two applications: commercial and
government. Some of the acts provide criminal penalties but are only applicable if the criminal accessed a
federal computer or entered a federal system. These acts tend to have stiffer penalties, as all the information
in a federal computer is deemed sensitive.

The Trade Secrecy and Protection Act establishes security for sensitive information in federal government
computer systems. This act only covers information on federal computers but is viewed as a precursor to
the same type of law for a commercial setting. The Computer Security Act of 1987 and the Computer
Security Enhancement Act of 1997 enhance the Trade Secrecy and Protection Act by establishing minimum
security standards for guarding federal systems. Few of the acts applicable to commercial purposes allow
criminal penalties. Generally, civil prosecution is the only remedy allowed. The Identity Theft and
Assumption Deterrence Act of 1998 criminalizes the unauthorized use or transfer of identification and
extends the definition of victims to include individuals whose identity was compromised. The Identity Theft
Penalty Enhancement Act (HR 1731) established penalties for aggravated identity theft and increased
penalties for employees who gain access to information at work used in identity theft crimes.
