Politics and Laws

George W. Bush appointed a cybersecurity czar for the first time in 2001. This sent a strong message that the U.S. government recognizes the importance of security in both the government and private sectors. Governments all over the world have started to take computing, and the security issues that surround it, more seriously over the last few years. There is continual dialogue about transborder issues pertaining to cryptography: what can be encrypted, at what strength, and by whom. Broader issues arise when an attack originates in a country that does not regulate such activity or does not consider it illegal. Different countries’ legal systems are meeting many unprecedented challenges with regard to computer security.

As the Internet brings the world closer together, governments are beginning to reach agreements upon matters pertaining to computers, security, boundaries, and acceptable behavior. One sign of countries attempting to get in step with each other is the acceptance of the Common Criteria (which is discussed at length in Chapter 5). Until the acceptance of the Common Criteria, most countries had their own way of evaluating and testing the security and assurance of a system or device. For instance, the United States has used the Trusted Computer System Evaluation Criteria (TCSEC), which is referred to as the Orange Book. The Canadians have the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), the Europeans have the Information Technology Security Evaluation Criteria (ITSEC), and other countries have developed their own criteria on how to determine the level of trust to place in the security of particular products and systems. The Common Criteria is an attempt to take the best of all of these methods and provide the world with one way of determining a product’s security and protection level. In other words, it is an attempt to harmonize and standardize using one common tool to measure trust in products and systems.

Beyond the fact that countries view computer security differently, another barrier to proper security is how investigators and courts deal with computer crimes. The courts have been running a continual game of catch-up. The legal system cannot keep ahead of (or even in step with) technology, which it must do if it is going to regulate it effectively and determine who is guilty or innocent. It is hard for a judge or jury to decide guilt or innocence in a computer crime because they are not educated on these types of crimes. Investigators have a hard time collecting usable evidence to present in court, and defense lawyers have few cases to cite as precedent where similar acts took place because not many cases exist yet. Still, more convictions are taking place every year.

These difficulties start with law enforcement, which lacks personnel skilled in computer technology and computer forensics. If a person is accused of a cybercrime, law officers must search for evidence. But what do they search for? Law enforcement personnel do not necessarily know how to dump data from memory into a file or recover remnants of data after the criminal has formatted the drive, nor do they necessarily understand how computer crimes take place so they can look for the right clues. Law enforcement must know how to extract evidence from computer systems and drives in a way that does not alter the data and that preserves its integrity so it is admissible in court. They must gain much more computer knowledge and skill to be able to deal with computer crimes.

Note

Law enforcement has greatly increased their skills in identifying and fighting computer crime, but such tech knowledge is not yet pervasive in all departments. For the latest information on these developments, visit www.hightechcrimecops.org.


Computers are used in many types of crimes and raise many types of barriers that law enforcement and the courts are not used to dealing with. Data and communications may be encrypted, and there are jurisdiction issues if a crime took place in Europe but originated in North America. Also, much of the communication is spoofed, so law enforcement must know how to track down criminals by examining raw binary and hexadecimal data and packet headers.

These barriers and issues help criminals who are computer savvy. If they do get caught, many are not prosecuted to the extent they would be if they had committed a crime that the courts were used to dealing with.

Even though law enforcement has been lagging behind with the problem of cybercrime, initiatives exist at many levels to try and deal with the problem. Many international organizations, such as the G8, the United Nations, and the European Union, are trying to promote cooperation and harmonization in dealing with global computer crime.

The Organization for Economic Co-operation and Development (OECD) is an international group made up of 30 member countries that is actively involved with 70 other countries. It is made up of, and serves, developed countries that accept the principles of a free market and representative democracy. Its purpose is to promote trade and economic growth for member and nonmember nations, to provide a forum for intergovernmental discussion of sundry economic and social issues, to collect and publish information, and to provide short-term economic forecasts.

The group covers a wide range of topics (education, trade, science and innovation, and so on) that would be more successful if all the countries followed the same standards and marched to the same drumbeat. It is not a governing body that cranks out standards that must be followed, but it does provide guidelines, documentation, advice, and statistics to help the different countries work together so they can all be more successful and fruitful. Many governments use this information to shape their laws and regulations so their nations can prosper nationally and internationally.

While the OECD deals with many different issues, the OECD Principles themselves address financial stability through proper corporate governance. Unfortunately, there is not much meat to them, given that they are guidelines rather than laws or regulations. The themes of the Principles are proper corporate governance, transparency, adequate accounting, external independent audits, internal company controls, the eradication of conflicts of interest, and so on.

The OECD defines the purpose of these principles in the following manner:

The OECD Principles of Corporate Governance were endorsed by OECD Ministers in 1999 and have since become an international benchmark for policy makers, investors, corporations and other stakeholders worldwide. They have advanced the corporate governance agenda and provided specific guidance for legislative and regulatory initiatives in both OECD and non-OECD countries. The Financial Stability Forum has designated the Principles as one of the 12 key standards for sound financial systems. The Principles also provide the basis for an extensive programme of cooperation between OECD and non-OECD countries and underpin the corporate governance component of World Bank/IMF Reports on the Observance of Standards and Codes (ROSC).

Thus, think of the OECD Principles as the granddaddy of all corporate governance rules for the world. Different governments have built upon these principles to devise laws and regulations that made sense to their environments, including the U.S., which used them to develop SOX.

Note

The Sarbanes-Oxley Act of 2002 (SOX) is legislation enacted in response to the high-profile Enron, WorldCom, and other financial scandals to protect shareholders and the general public from accounting misdeeds and fraudulent practices in publicly owned companies.


Although SOX deals specifically with financial reporting, the OECD Principles have a broader reach, because proper corporate governance provides more than just correct financial books. Corporate governance affects the volatility of retirement savings, access to capital, public savings, investment, market confidence, and so on. SOX focuses on truthful financial statements, whereas the OECD Principles focus on the processes of corporate governance itself. The central goal of the Principles is to help encourage economic stability and growth.

Caution

You are expected to know about the OECD Principles for the CISSP exam. We will cover them in a later chapter also, but this information is not just “interesting,” it is a “need-to-know.”


Tough issues face local police forces, Interpol, international judicial systems, the FBI, the CIA, and other organizations. However, with change comes growth. Governments are developing laws and procedures to effectively deal with computer crimes. Crime-fighting agencies are increasing personnel to include people with technology skills and are requiring computer security in many parts of these organizations.
