In this lesson, I'm going to talk about computer crime, the legal issues surrounding proactive security, and getting your legal teams involved. Specifically, I want to talk about computer crime and why it's important to get authorization before you start doing proactive security.

A disclaimer: I am not an attorney, and I don't pretend to be one. Consult with your attorneys for any of the content related to computer crime, or anywhere there might be a legal issue. I turn to our legal team any time there is a legal issue, for two reasons. Number one, if you are a public organization or a government organization and you talk to your attorneys, the conversation is usually covered by attorney-client privilege, so most of those records are protected. If you're just talking internally with other team members and don't consult your attorneys, that may not be privileged information. Now, again, I'm not an attorney and I don't pretend to be one; I'm just telling you what I've done in previous years of doing this.

I get our attorneys involved anywhere there might be a legal issue for the other person. Phone recording, for example: my teams manage the telecom department, so any time anybody wants to record phone calls, I get our legal team involved and ask, do you authorize this? While the state of Colorado does not have a notification law requiring you to notify somebody that they're being recorded over the phone, other states do. So if we're talking to a resident of another state, we have to tell them over the phone that they're being recorded. We have to make sure that the other party, the other departments on campus that want this technology, understand the legal issues surrounding what they are about to do. The same thing applies to proactive security.
Make sure your attorneys are involved in anything from testing your own systems to vulnerability scanning to collecting logs. Make sure they are involved in the entire process.

So let's talk about computer crime for a minute. To help you understand computer crime and what it means, let's go back to the Convention on Cybercrime, which was ratified in 2001. I'm going to read just a little bit of this, directly off of the Convention's website: The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception. Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against computer crime, especially by adopting appropriate legislation and fostering international cooperation.

Now, what does that mean? It means that the countries of the world realized that computer crime was going to be a huge thing. It was back in 2001, and it's even worse now. What this convention did was say: here is the common framework, here are the common things we're concerned about, and here is how we work together to make sure we're prosecuting, searching, and preventing computer crime.

The convention has articles that define what computer crime is; nine of them deal with the offenses themselves. The first article is actually definitions, so the offenses start with the second. Article 2 is illegal access. Article 3 is illegal interception: obtaining data where you shouldn't have data. Article 4 is data interference, for example denial of service attacks.
Article 5 is system interference, which could be, for example, directly interfering with devices. Article 6 is the misuse of devices, which could be the Internet of Things and using Internet of Things devices to create. Article 7 is computer-related forgery, and Article 8 is computer-related fraud. Article 9 is offenses related to child pornography. Article 10 is infringements of copyright and related rights. This one doesn't really get prosecuted that much, and we don't really go after it, but if it's large enough, nations will go after it. And then Article 11 is attempt and aiding or abetting.

The United States has a law that was passed in 1986 designed to address computer security and define what crimes on computers are. This 1986 US Code is called the Computer Fraud and Abuse Act. It is the blanket law that organizations, attorneys, and US attorneys prosecute under if there are any hacking incidents or incidents that cause damage. I'm going to briefly read some of its provisions; they more or less mimic the Convention on Cybercrime. The first is computer espionage. The second is computer trespassing and taking government or financial commerce information. The third is computer trespassing in a government computer. The fourth is committing fraud with a computer. The fifth is damaging a protected computer, including with worms and viruses. The sixth is trafficking in passwords of a government or commerce computer. The seventh is threatening to damage a protected computer, and that goes into conspiracy to violate the act and the penalties surrounding those as well. A lot of these are prosecuted, and criminals are sent to jail because of them. The first conviction actually happened in 1991, in United States v. Morris. Morris created the Morris worm.
His argument was (he was at MIT at the time) that he didn't mean for this virus that he created to cause damage, but it turned out that it really did. He was not authorized to produce this worm, and it started infecting all kinds of different systems across the United States. So it was the first major worm that we've seen, and the first conviction under the Computer Fraud and Abuse Act.

Many of the United States have a computer crime act, and the states will sometimes prosecute a little bit more than the federal government. In Colorado, we have 18-5.5-102, which details what computer crime is. The first provision is that a person commits a computer crime if the person knowingly, (a), accesses a computer, computer network, or computer system, or any part thereof, without authorization or in excess of authorized access. The key phrase there is "without authorization" or "exceeds authorized access." This is important to understand, because when we're doing penetration testing, when we're looking at proactive security, do you have authorization? The second, or (b) in the code, is accessing any computer, computer network, or computer system, or any part thereof, for the purpose of devising a scheme to defraud. The third is accessing to retrieve any passwords or private information. You can't do that. The fourth is accessing a computer, computer network, or computer system in order to commit theft or cause damage. This is the big one, in my opinion: you're not authorized, and you're actually causing damage, because what you're doing is taking down systems. There's a dollar amount with each one of these, and whether it's a misdemeanor or a felony depends on how many dollars that is. But I'm not a lawyer or an attorney; I don't exactly know where the cutoff is. That's something for law enforcement to decide, and you need to consult your attorneys if you're concerned about it. And the last one is causing the transmission of a computer program to cause damage.
So, let's say that you're testing out some new software, for example, doing blanket testing, and it brings down the network, or a computer system, or government facilities. This is what you will be prosecuted under. So again, be careful what you're using these tools for.

Privacy acts. Privacy acts are serious business; privacy is serious business. Many states and governments have laws governing privacy. On most organizations' websites, or for the organization as a whole, you will see a privacy policy. It outlines what rights and responsibilities you have and what the organization does to protect your information. So you need to think about your customers and your constituents: how are you protecting their information? Upcoming, and a huge one for the entire world, is the General Data Protection Regulation, GDPR. It goes into effect in April of 2018. This outlines how you need to protect information for European customers, the EU essentially. Also, other states like California have different laws regarding privacy. So if you only do business in one state, great, you can follow that state's laws, but generally that's not the case. If you're doing international business or business across states, interstate commerce, you need to be aware of the privacy laws of the other states. Privacy policies go a long way in ensuring data remains private.