Cyber Crime And Cyber Security Laws


We live in an era where data protection and privacy are a necessity. The world is turning into a digital space, with most companies, if not all, moving into cloud-based services offering IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service), SaaS (Software-as-a-Service) or Storage, Database, Information, Process, Application, Integration, Security, Management, or Testing-as-a-Service. This document will show, on one hand, how cyber laws are forcing these companies to protect consumers’ private information and, on the other hand, the legal actions taken against those who access and/or use consumers’ private information without authorization.

Introduction

The world has always been evolving. From technology to climate, to education, to health or eating habits, there is hardly anything in life that does not continually change. As human beings, we sometimes welcome change with open arms and sometimes fear makes us avoid it. One of the greatest evolutions today is technology. During the 1990s, when the internet first started being used in households and businesses, it was probably hard to believe that it would become something that we would not be able to function without.


To make a profit, today’s businesses can hardly remain relevant in a fast-paced, ever-changing, and competitive industry without innovating and using cutting-edge technologies. We can say almost the same for consumers, for whom it has become practically impossible to do daily activities such as paying bills, shopping, buying groceries, communicating with loved ones (near or far), or watching the news without using technology. Technology and the development of cyberspace have defied boundaries and made geography irrelevant, and have therefore taken the world to the next level of evolution.

While this may be true, the evolution of technology didn’t come without consequences. Criminals are now relying on advanced technologies to promote their criminal activities. Drug dealers, sex traffickers, identity and intellectual property thieves, bank fraudsters, or cyber stalkers and bullies, just to name a few, are all taking advantage of the internet to make their crimes more profitable, which makes it easier to hurt people on a bigger scale. Their methods evolve and become more and more sophisticated over time.

In this paper, we will dive deeper to explain and understand what a cybercrime is, present the perpetrators of those crimes, and describe the impact they have on the economy. We will also talk about who is vulnerable to these criminals and how organizations around the world, particularly in the United States, put in place rules and regulations governing cyberspace, known as Cyber Law, as well as the security measures they implement to mitigate the risks, prevent these threats, and protect us as much as possible.

1. Cybercrime

Before jumping into information security and cyber law, we need to know the reason why we need them. In this section, we will dig deeper to understand what a cybercrime is.

1.1 Definition and History

Crimes have existed for as long as we can remember, well before technology. According to Christian beliefs, the very first crime was reported in the Bible, when Cain, son of Adam and Eve (the very first human beings created), killed his brother Abel.

The first documented cyber security incident was in the 1970s. Attackers known as “phreakers” were the first hackers. They found a way to steal long-distance phone time by discovering the correct codes and tones that would result in free long-distance service. In 1986, Clifford Stoll (systems administrator at the Lawrence Berkeley National Laboratory) invented the first digital forensic techniques and determined that a user had unauthorized access to his network after noticing irregularities in the accounting data. Stoll then used the honey pot tactic to collect enough data to track the intrusion to its source. His investigation led to the arrest of Markus Hess and co-conspirators, who were stealing and selling military information, passwords and other data to the KGB. After this intrusion, the Morris worm virus (created by Robert Morris, a Cornell University student) was found. More than 6,000 computers were damaged by that virus, resulting in a financial impact of $98 million [5].

In 1990, the FBI (Federal Bureau of Investigation) confiscated 42 computers and over 20,000 floppy disks that were involved in illegal credit card use and telephone services. In 1992, the first polymorphic virus was released. In 2001, Microsoft’s DNS servers were attacked, corrupting Microsoft’s websites. In 2007, the eBay website was attacked, blocking the users and closing the sales. In 2008, the Canadian porn site “SlickCash” was fined $500,000, to be paid to Facebook, after being caught trying to gain unauthorized access to Facebook’s friendfinder functionality. [4]

Criminals in the twenty-first century have evolved their practices and become more sophisticated. They are motivated by several reasons such as self-interest, politics, financial gain, fame, or damage and disturbance, and rely on technology to further their criminal operations. The FBI (Federal Bureau of Investigation) now considers cybercrimes to be the most significant crimes confronting the United States [2].

Looking at this history of cybercrimes, we can see that the difference between a cybercrime and a real-world crime is the use of a digital device. Definitions of cybercrime vary, as there is no single agreed-upon one. As an example, Techopedia defines cybercrime or computer crime as “a crime in which a computer is the object of the crime or is used as a tool to commit an offense.” [1], whereas Symantec Corporation defines it as “any crime that is committed using a computer or network, or hardware device.” [2]. Although there is no single definition, there is one common denominator: technology.

1.2 Types of cybercrimes

There are various types of cybercrimes, such as:

  • Hacking: The attacker gets unauthorized access to an individual’s or organization’s computer(s) or server(s) from a remote location.
  • Phishing: The attacker tricks users by sending malicious email attachments in order to gain access to their computer, their accounts’ passwords, or confidential information like PII (personal identifiable information).
  • Identity theft: The attacker steals personal identifiable information (PII) from an individual in order to steal funds, participate in a tax fraud or even commit crimes in the victim’s name.
  • Intellectual property theft: The attacker violates copyrights or steals confidential information from an individual or an organization.
  • Cyber stalking/bullying: The attacker harasses the victim through online messages and emails.
  • Denial of service (DoS): The attacker takes a service down by overwhelming the system with traffic in order to make the resources unavailable to the victim.
  • Botnet: Network of compromised computers controlled remotely by the attacker.
  • Distributed Denial of service (DDoS): The attacker uses a botnet to render an online service unavailable and take the network down by overwhelming the site with traffic. Once the network is down, the attacker hacks into the system.
  • Social engineering: The attacker tricks the user into giving confidential information such as an account’s password or PII (personal identifiable information) by phone or email. The attacker will usually pose as a trusted source.
  • Virus dissemination: The attacker hides malware in software or web page links, luring the victim into infecting his computer.
  • Prohibited/Illegal Content: The attacker will share and distribute inappropriate content considered as highly distressing and offensive. This can include contents such as sexual content, child pornography or terrorism related activities.
  • Online scams: The attacker sends ads or spam emails promising an unrealistic amount of money, either to install malware on the victim’s computer and compromise it or to lure the victim into sending the attacker money.
  • Exploit kits: The attacker takes advantage of a vulnerability existing on the victim’s computer in order to gain access.

1.3 Actors of cyber crimes

  • Script kiddies: Generally lack the technical expertise to write their own scripts or code but use existing ones to hack into computers. They have no intention of developing their skills.
  • Scammers: Use emails with fake ads or fake awards in order to access the victim’s system remotely.
  • Phishers: Impersonate a trusted source (email or website) to get the victim’s confidential information.
  • Political/religious/commercial groups: Develop malware to gain access to confidential information of the victim/target for political reasons.
  • Insiders: Reside within the organization and can do serious damage with or without knowledge. They are considered to be the biggest threat an organization can face because they are already inside. The ones with knowledge of the security infrastructure pose an even bigger threat.
  • Advanced persistent threat (APT) agents: Try to gain and maintain ongoing access to the victim’s network. They typically target organizations in areas such as national defense, manufacturing or the financial industry in order to steal high-value information (intellectual property or military plans) over a long period of time rather than to cause damage to the organization.
  • White hat hackers: Break into the victim’s systems or networks to identify the security vulnerabilities and notify the owner of them. They are generally hired by the owners for that purpose, so they can improve their security.
  • Black hat hackers: Break into the victim’s systems or networks for personal financial gain or other malicious reasons.
  • Gray hat hackers: Break into the victim’s systems or network without malicious intent. They generally do that to spread public awareness of the existence of the vulnerability in the system.
  • Green hat hackers: Newbies working to improve their skills.

1.4 Impact of cybercrimes

Impact on the Economy:

A recent research study, Economic Impact of Cybercrime – No Slowing Down (2018), presented by the Center for Strategic and International Studies (CSIS), assessed that the cost of cybercrime is now up to 0.8% of global gross domestic product (GDP), or $600bn a year, compared to 0.7% of GDP in 2014. This represents steady and significant growth: a 34% increase from $445bn, which is an average rise of 11.3% a year for the three years to June 2017. Raj Samani, chief scientist and fellow at McAfee, said that 95% of security incidents are not reported, so these figures are based only on the reported incidents available. He continued by saying that “The cost of doing business in the digital age is to protect your IT systems and investments, and the economic impact of cybercrime should be one of the most important things businesses are focusing on because failure to protect their intellectual property, financial information and IT networks does have an economic impact.” A cost of $6 trillion has been predicted for cybercrime globally, and Robert Herjavec, founder and CEO at Herjavec Group, a Managed Security Services Provider, confirmed that we are progressively getting close to that prediction. Cybercrime has an immediate impact on the economy and, according to Raj Samani, “a cyber risk is a business risk”.

Impact on Society:

Consumers increasingly allow technology into their personal lives, which means that their personal information, such as account information, conversations on social media, personal identifiable information (PII), website passwords, or geolocations, just to name a few, is stored on different systems. Thieves in the cyber world will steal people’s money and even their identity, with which they can take out loans, get credit cards, accumulate debt, and then disappear. Money comes and goes, but it can take years for someone to rehabilitate his identity. On the other hand, someone’s files can be destroyed by a virus, or a lost database can result in unwanted calls. The Norton Cyber Security Insights report found that forty percent of Millennials experienced cybercrime in 2016, 3/10 people cannot detect a phishing attack, 13% have to guess between a real message and a phishing email, and 86% of people said they may have experienced a phishing incident. 7/10 consumers wish they could make their home Wi-Fi network more secure, and only 27% believe it is likely their home Wi-Fi network could be compromised. Nobody is safe from cybercrimes. The only way to be totally safe would be to get completely off the grid, which is impossible considering that information is recorded when a baby is born or even for a procedure as basic as getting a driver’s license. Therefore, everyone should take the necessary precautions to mitigate the risks of being a victim.

National security

The terrorist threat posed to nations now expands to the digital world. Theresa Payton, a former White House chief information officer, at the Edge2016 Security Conference, referred to cybercrime as the ‘greatest threat to our national security, over terrorism.’ She also mentioned that terrorists are able to fund their activities through cybercrime. [10]

2. Cyber security Law

Now that we have a better understanding of cybercrimes, we can study the laws organizations put in place to prosecute those who participate in cybercriminal activities when they are caught. We will also discuss how these organizations put policies in place to force companies to protect the consumer’s privacy.

2.1 Definition

In 1986, Congress passed its first hacking-related legislation, the Federal Computer Fraud and Abuse Act, after multiple incidents followed the Morris worm virus incident, which damaged more than 6,000 computers and resulted in estimated damages of $98 million. Computer tampering was then a felony crime punishable by significant jail time and monetary fines. [5] IT security incidents have increased tremendously with time due to the growth in internet users, pushing governments to introduce federal laws to fight IT crimes.

Cyberlaw, according to Techopedia, is “the area of law that deals with the Internet’s relationship to technological and electronic elements, including computers, software, hardware and information system”.

2.2 Challenges and opportunities

The rise of cybercrime has made law enforcement’s job more difficult. Although cyber law allows the perpetrator to be brought to justice, it is still hard to identify who it is and where he is located. With security incidents becoming more and more sophisticated, law enforcement agencies were forced to adapt and improve their responses to cybercrime. It is no longer unusual to see police forces from different countries working together to bring the criminal to justice. Interpol and Europol are international law enforcement organizations that play a big role in international incidents. The goal of law enforcement is not only to arrest the criminals but also to seize all servers and domains involved in the crime.

Opportunities:

  • Law enforcement agencies are able to protect consumers and other organizations against cybercrimes.
  • Law enforcement agencies have platforms available for consumers and other organizations to report cybercrimes.
  • Law enforcement agencies across the world are collaborating to fight against cybercrimes.
  • As cybercrimes become more sophisticated, so do the law enforcement agencies.
  • Law enforcement agencies have the authority to seize and shut down all servers and domains involved in a crime.

Challenges:

  • The rise of security incidents makes it difficult for law enforcement agencies to keep up.
  • The absence of physical evidence makes it harder to catch the criminal.
  • Geographical boundaries sometimes make it harder to catch a criminal.
  • Having qualified law enforcement agents is a challenge due to the lack of technical expertise to contribute to the theory aspect of the cyber criminology discipline.
  • Research in the cyber criminology discipline needs to be highly encouraged, as there is a dearth of researchers in that field.

2.3 Cyber security laws and regulations

Organizations must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards. At least 28 states in the United States have enacted many laws in the past two to three years to protect the data they hold, due to the advent of cybersecurity threats and attacks against government. Some of these laws require personal information to be destroyed or disposed of so that it is unreadable or indecipherable, or address the security of health care data, financial or credit information, social security numbers or other specific types of data.

  • Controlled Unclassified Information (CUI): federal non-classified information that requires safeguarding compliant with the security controls delineated in NIST SP 800-171r1 or NIST SP 800-53r4.
  • Digital Millennium Copyright Act (DMCA) and Higher Education Opportunity Act (HEOA): requires that U-M manage a digital copyright compliance program that consists.
  • Export Control (ITAR/EAR/OFAC): covers export-controlled research on which non-US citizens are not allowed to work and whose data cannot be stored on systems outside of the US.
  • Family Educational Rights and Privacy Act (FERPA): oversees the release of, and the access to student education records.
  • Federal Information Security Management Act (FISMA): applies to federal contracts and ensures the security of data in the federal government, keeping risks at or below specified acceptable levels in a cost-effective, timely and efficient manner.
  • General Data Protection Regulation (GDPR): affects organizations worldwide, including universities, and regulates how the personal data of people located in the European Union is protected.
  • Gramm-Leach-Bliley Act (GLBA): oversees how financial and higher education institutions protect their users’ personal financial information.
  • Health Insurance Portability and Accountability Act (HIPAA): operates in healthcare and includes privacy and security rules that govern how protected health information (PHI) is collected, disclosed, and secured, limiting access to authorized people only.
  • Payment Card Industry Data Security Standard (PCI DSS): provides guidelines for handling credit card information
  • Protection of Human Subjects (Common Rule): protection of an individual personal identifiable data obtained by an investigator when conducting research.
  • Red Flags Rule for Identity Theft Prevention: requires businesses involved in loans, credit report use or online payment to have methods to detect and prevent identity theft.
  • Social Security Number Privacy Act: protects social security numbers.
  • Cybersecurity Information Sharing Act (CISA): passed in the Senate October 27, 2015, this law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies.
  • Cybersecurity Enhancement Act of 2014: signed December 18, 2014, it provides an ongoing, voluntary public-private partnership to improve cybersecurity and strengthen cybersecurity research and development, workforce development and education and public awareness and preparedness.
  • Federal Exchange Data Breach Notification Act of 2015: requires a health insurance exchange to notify each individual whose personal information is known to have been acquired or accessed as a result of a breach of security of any system maintained by the exchange as soon as possible but not later than 60 days after discovery of the breach.
  • National Cybersecurity Protection Advancement Act of 2015: allows the Department of Homeland Security’s (DHS’s) national cyber security and communications integration center (NCCIC) to include tribal governments, information sharing, and analysis centers, and private entities among its non-federal representatives.
