X. Legal

Rugged is knowing the limits of the law on the cyber frontier, understanding the standards for self-protection, and knowing whom to turn to if you are a victim.

As on the western frontier 150 years ago, there are few laws that protect us on the cyber frontier.  It takes time and outrage to spur politicians to enact safeguards, and for the most part laws regulating the Internet or setting standards for consumer protection are not yet mature.  To protect themselves, organizations and businesses must maintain sufficient basic processes over time so that they cannot be found negligent.

This section is divided into several pages about cyber law for specific groups:

  1. Individual home user
  2. Small business/non-profit
  3. Public business
  4. Federal government
  5. State or Local government

Areas each group needs to examine for itself are:

  1. What data must I safeguard from computer compromise?
  2. What laws/regulations exist that I must not break?
  3. What is due diligence for me?
  4. When do I need outside help?

Metrics for Management Decisions

FISMA (the Federal Information Security Management Act of 2002) updated older computer-security law and set standards for how the US government protects its digital assets.  The intent was sound, but it soon became clear that an agency could satisfy the letter of the law and be compliant on paper without improving actual system security; the 2006 breach at the Department of Veterans Affairs, which exposed records on some 26 million veterans, was the clearest example.

In the last couple of years SANS has reorganized many of the controls in NIST SP 800-53 into a prioritized list, the SANS Consensus Audit Guidelines (CAG).  The Office of Management and Budget (OMB) has adapted the CAG as the foundation of its FISMA reporting requirements for 2011, which ask agencies to account for the quantity, distribution and use of hardware, platforms, software, vulnerabilities, patches, connections and more across civilian computer systems.  That information is being loaded, so far sporadically, into a large database called Cyberscope; reporting through Cyberscope will become mandatory as more agencies acquire the tools to upload their data.

Cyberscope also requires agencies to identify the security products in use across government, with the aim of pushing vendors toward products whose data can be exchanged with one another.  That is the purpose of the Security Content Automation Protocol (SCAP), an open-standards effort led by NIST.  SCAP is what its name implies: security content from different programs is expressed in a common language and structure (the protocol) so that data can be exchanged between programs automatically.  One Cyberscope criterion is therefore a list of the SCAP compliant products each agency and its bureaus have.  A summary of SCAP (as described in NIST SP 800-126) is available from the X. Legal – SCAP drop-down menu above.
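To make "a common language and structure" concrete, here is an added example (not code from the original page, and not a NIST or vendor tool) that reads one SCAP component, an XCCDF 1.2 TestResult document of the kind a SCAP-validated scanner writes after checking a host against a benchmark, and summarizes it.  The element names and the namespace follow the XCCDF 1.2 specification; the host name, rule identifiers, timestamps and score in the embedded sample are constructed for illustration and do not come from any real benchmark.

```python
# Added example: summarize an XCCDF 1.2 (SCAP) TestResult document.
# The sample XML below is CONSTRUCTED: host, rule ids, times and score are
# made up. Only the element names and namespace follow the XCCDF 1.2 schema.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# XCCDF result values that mean the rule was evaluated and the host did not
# satisfy it. "notchecked", "notapplicable" etc. are reported but not failures.
FAILING = {"fail", "error"}

# Constructed sample result: two hypothetical rules pass, one fails, and one
# could not be checked by the scanner.
SAMPLE_RESULT = f"""
<xccdf:TestResult xmlns:xccdf="{XCCDF_NS}"
    id="xccdf_example.org_testresult_sample"
    start-time="2011-06-01T10:00:00" end-time="2011-06-01T10:05:00">
  <xccdf:benchmark href="example-benchmark.xml"/>
  <xccdf:target>host01.example.org</xccdf:target>
  <xccdf:rule-result idref="xccdf_example.org_rule_password_min_length"
      time="2011-06-01T10:01:00">
    <xccdf:result>pass</xccdf:result>
  </xccdf:rule-result>
  <xccdf:rule-result idref="xccdf_example.org_rule_screen_lock_timeout"
      time="2011-06-01T10:02:00">
    <xccdf:result>pass</xccdf:result>
  </xccdf:rule-result>
  <xccdf:rule-result idref="xccdf_example.org_rule_remote_root_login"
      time="2011-06-01T10:03:00">
    <xccdf:result>fail</xccdf:result>
  </xccdf:rule-result>
  <xccdf:rule-result idref="xccdf_example.org_rule_audit_log_retention"
      time="2011-06-01T10:04:00">
    <xccdf:result>notchecked</xccdf:result>
  </xccdf:rule-result>
  <xccdf:score system="urn:xccdf:scoring:default" maximum="100">75.0</xccdf:score>
</xccdf:TestResult>
"""


def parse_test_result(xml_text):
    """Parse an XCCDF 1.2 TestResult and return a plain-dict summary.

    Because every SCAP-validated scanner emits the same element names in
    the same namespace, this one parser works on output from any of them.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}TestResult":
        raise ValueError(f"not an XCCDF 1.2 TestResult element: {root.tag}")

    rules = {}
    for rr in root.findall("xccdf:rule-result", NS):
        idref = rr.get("idref")
        res = rr.find("xccdf:result", NS)
        # A rule-result with no <result> child is treated as "unknown",
        # which is itself a legal XCCDF result value.
        rules[idref] = res.text.strip() if res is not None and res.text else "unknown"

    score_el = root.find("xccdf:score", NS)
    target_el = root.find("xccdf:target", NS)
    bench_el = root.find("xccdf:benchmark", NS)
    return {
        "id": root.get("id"),
        "target": target_el.text if target_el is not None else None,
        "benchmark": bench_el.get("href") if bench_el is not None else None,
        "rules": rules,
        "counts": Counter(rules.values()),
        "score": float(score_el.text) if score_el is not None else None,
    }


def failing_rules(summary):
    """Rule ids that actually failed (fail/error), sorted for stable output."""
    return sorted(r for r, res in summary["rules"].items() if res in FAILING)


def report(summary):
    """Render the summary as the kind of text a manager would read."""
    lines = [f"target={summary['target']} benchmark={summary['benchmark']} "
             f"score={summary['score']}"]
    for outcome, n in sorted(summary["counts"].items()):
        lines.append(f"  {outcome}: {n}")
    for rule in failing_rules(summary):
        lines.append(f"  FAIL {rule}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_test_result(SAMPLE_RESULT)))
```

Point it at a real scanner's results file instead of `SAMPLE_RESULT` and the same code produces the same summary, which is exactly what "SCAP compliant" buys an agency that has to feed many tools into one report.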

Cloud Computing

Because of Google's lawsuit against the Department of the Interior, there has been a lot of press about cloud services (Google's and Microsoft's) being "FISMA certified".  FISMA does not specify any required certification.  Other regulations require that government computer systems be "Certified and Accredited", meaning that a set of standards published by NIST was used in the setup and maintenance of the system.  Certification and Accreditation of a government system was worth 2 points out of 100 on the "FISMA scorecard".  Federal guidelines on cloud computing are specified in FedRAMP (the Federal Risk and Authorization Management Program), but FedRAMP is very general.  NIST has also released draft Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) and a draft NIST Definition of Cloud Computing (SP 800-145).

Negligence and Due Diligence — Much of IT security comes down to maintaining "due diligence".  Businesses want enough precautions in place that they cannot be accused of negligence in protecting the PII they store, as well as their other data and information.  Unfortunately, IT security is not a "set it and forget it" job: good security requires processes and procedures that are repeated routinely on a daily, weekly and monthly basis, and it takes good management to sustain that level of diligence over time while keeping the focus on protecting data.

Victims — Whom to report what to, and where to get help

  • US Secret Service: report identity crimes, credit card crimes and electronic crimes.
  • US Federal Trade Commission (FTC): the FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and provides information to help consumers spot, stop and avoid them.  Report consumer fraud, online shopping fraud, violations of children's privacy and deceptive commercial email (forward it to spam@uce.gov), including cases where "remove me" or "unsubscribe" requests don't work.
  • Your Internet provider: report spam to its abuse mailbox (usually abuse@ followed by the provider's domain name).
  • Internet Crime Complaint Center (IC3): a partnership among the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA).  Its mission is to receive, develop and refer criminal complaints, and it gives victims of cyber crime an easy-to-use reporting mechanism.  When complaints reach a critical mass, the FBI will launch an investigation.
  • Internal Revenue Service (IRS): check with the IRS to verify whether a charitable organization is legitimate.  Report identity theft to the IRS.
  • Add suspected phishing sites to http://phishtank.com (free registration required)


25 Responses to X. Legal

  1. LVW says:

    It is imperative that you do not write down your passwords on a notepad or index cards for anyone to come along and find.

    • 12345 says:

      Never use a notepad to write down anything of importance. Writing on the top sheet will leave an impression on the next several layers underneath, which are easily recovered with a pencil rubbing, something any second grader can do.
      Remove the top sheet and place on a hard surface before writing.

  2. W says:

    Quite a few regions have Ironkey USB devices that can be assigned to individuals, these have USB storage, a secure Firefox browser, and Identity Manager for keeping passwords and some other options. This is a great resource to use to protect your passwords and get secure storage for files you have to take with you for work, check with your IT folks and see if they are available where you work.

    • Ein2card says:

      The IronKey USB device is an awesome device... a bit pricey up front, but a great way to securely transport sensitive data. For anyone looking to transport data, take a look at this device at http://www.ironkey.com

  3. GTM says:

    Lots of laws on the books… but little real help if you’re a victim of identity theft…..

  4. colston says:

    Standards are always a good idea, implementing them after the fact can be an arduous task.

  5. Gouger says:

    And now for the top 10…
    7-10: TBD
    6. Don’t get me started on insurance companies…
    5. I’m just going to unplug my computer and go live in a cave.
    4. The cave better have WiFi.
    3. Skynet will always win.
    2. SkyNet already has.
    1. I cannot hear video due to my being deaf!

  6. S71276D says:

    The lack of a governing body to regulate fair usage of the Internet worldwide is hurting many nations across the world that spend considerable resources to protect networks (household or organizational). Often the regulations of one country to protect against cyber attacks are not recognized in third-world countries. Recent attacks on Sony, Citibank, Bank of America, US Government websites, etc. have reignited the debate for a governing body (like the UN) to regulate the Internet worldwide. On the other hand, technology firms like Facebook, Google, etc. have shown resistance due to the compromise on innovative solutions and the cumbersome approval process. It's a delicate topic to address, but the biggest threat that current technology adopters will be facing for the foreseeable future.

    • TM says:

      I agree with S71276D – the worldwide web should be governed worldwide, with the same regs for everyone. It is crazy that I call about my accounts here in the United States and for some reason I always seem to speak with someone from another country in a different time zone. Amazing, but a thinking moment.

  7. 71070 says:

    I agree that there should be some form of worldwide standardization of the usage regulations. The additional question then becomes how to implement and enforce them. Much easier said than done.

  8. protectmydata says:

    To quote the Chief Information System Officer (CISO) of the US Navy... more time needs to be devoted to the actual real data.

    It seems we strive to protect our data, at home and at work, but we spend too much energy on peripheral issues for less result. The videos were interesting.

  9. K says:

    Funny… The Secret Service investigates identity theft, but has few offices compared to FBI

  10. Pam Perret says:

    Everyone should take steps to know the law and protect their identity.

  11. Longshot9 says:

    I like the list of reporting agencies by type of problem.

  12. Cautious but hopeful says:

    Knowing laws is good but not enough, you also need to be rich to hire lawyers so just use common sense, follow the guidance provided, purchase a good name branded antivirus, spyware software and hope for the best.

  13. concerned says:

    An up and coming field “Computer Law” . All bright young minds should consider it

  14. upr says:

    "Report Identity theft to IRS" or Secret Service? It is mentioned in both places.

  15. AID says:

    Interesting information about Cyberscope, SCAP compliant, Negligence and Due Diligence and Victims.

  16. Guest says:

    This was very interesting training, took me longer than 2 hours because I went to many of the other sites/links.

  17. RD says:

    This training was very interesting and I did learn more than one thing on every page.

  18. Corbyn says:

    The ramifications for stealing someone’s identity should be greater than what the current law allows for. It seems as if the criminal receives the lighter sentence compared to the victim. Something is wrong here.

  19. ber says:

    I wasn't aware of the Internet Crime Complaint Center. I will use it for sure.

  20. tlk says:

    If there was a law that prevented an item from being put on a person’s credit report or holding that person liable without unequivocal, legal proof that that specific person was responsible for the transaction, identity theft would become futile.

  21. MT@BOEMRE says:

    Excellent information. I will read all of it again, there is a lot I do not know!
