- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
The long view of security strategies for your network.
The first article in Volume 3, Part 3: "Cybercrime and the U.S. Criminal Justice System," is by Professor Susan W. Brenner, JD NCR Distinguished Professor of Law and Technology at the University of Dayton School of Law; topics include
• Differences from civil justice system
• Basic institutional structure
• Relationship between state and federal criminal justice systems
• Criminal justice system and cybercrime
• Extensive references and suggested readings.
Some of the key concepts discussed by Professor Brenner are:
• Under the Computer Fraud and Abuse Act (18 USC §1030), prosecution at the federal level requires a demonstration of interference with interstate or foreign commerce.
• Violations of copyright, but not of trademarks, are brought only by federal prosecutors.
• Fifth Amendment prohibition of double jeopardy does not preclude re-prosecution at the same level if a mistrial is declared; furthermore, a different level of government (for example a state) can prosecute the defendant for the same actions if they are violations of its laws.
One of the most interesting sections in the chapter concerns striking back at hackers – sometimes called hack back. In her sections on affirmative defenses and on hack back, Professor Brenner points out that under current U.S. law, there is no provision for allowing victims of computer trespass to use unauthorized access to the computers and networks of those they believe to be their attackers. As she writes, "… The law does absolve citizens who take the law into their own hands under very limited situations; this is very different from a blanket authorization for online retaliatory behavior. Aside from anything else, such behavior is objectionable because of the [risk] that innocent parties will be targeted for retaliation; the consequences of this risk are particularly intolerable in cyberspace, where it can be impossible to know precisely from which system an attack was launched…."
I must add that even if we do know which system is used to launch an attack, we still don't know whether the system is the property of the attacker or merely the property of an innocent victim subverted by the attacker.
Other interesting discussions in the chapter touch on defenses proffered by some people accused of crimes such as launching denial-of-service (DoS) attacks or involved in child pornography: if not the devil, at least a Trojan horse made my computer do it. Lay juries have actually acquitted at least one accused who claimed that malware whose presence was never detected on his computer was responsible for the DoS attack with which he was charged. Legal scholars, writes Professor Brenner, have argued that such a defense should be dismissed if there is no evidence of malware on the computer involved or if there is no demonstrable proof that malware found on the system is capable of the particular legal trespass involved in the case.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.