(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. Mike Chapple



      Computer Crime

      The U.S. laws discussed in this chapter are federal laws. But keep in mind that almost every state in the union has also enacted some form of legislation regarding computer security issues. Because of the global reach of the internet, most computer crimes cross state lines and, therefore, fall under federal jurisdiction and are prosecuted in the federal court system. However, in some circumstances, state laws can be more restrictive than federal laws and impose harsher penalties.

      Computer Fraud and Abuse Act

      The Computer Fraud and Abuse Act (CFAA) was the first major piece of cybercrime-specific legislation in the United States. Congress had earlier enacted computer crime law as part of the Comprehensive Crime Control Act (CCCA) of 1984, but the CFAA was carefully written to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states' rights and treading on thin constitutional ice. The major provisions of the original CCCA made it a crime to perform the following:

       Access classified information or financial information in a federal system without authorization or in excess of authorized privileges

       Access a computer used exclusively by the federal government without authorization

       Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)

       Cause malicious damage to a federal computer system in excess of $1,000

       Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual

       Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system

      When Congress passed the CFAA, it raised the threshold of damage from $1,000 to $5,000 but also dramatically altered the scope of the regulation. Instead of merely covering federal computers that processed sensitive information, the act was changed to cover all “federal interest” computers. This widened the coverage of the act to include the following:

       Any computer used exclusively by the U.S. government

       Any computer used exclusively by a financial institution

       Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system

       Any combination of computers used to commit an offense when they are not all located in the same state

      CFAA Amendments

      In 1994, Congress recognized that the face of computer security had drastically changed since the CFAA was last amended in 1986 and made a number of sweeping changes to the act. Collectively, these changes are referred to as the Computer Abuse Amendments Act of 1994 and included the following provisions:

       Outlawed the creation of any type of malicious code that might cause damage to a computer system

       Modified the CFAA to cover any computer used in interstate commerce rather than just “federal interest” computer systems

       Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage

       Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages

      Since the initial CFAA amendments in 1994, Congress passed additional amendments in 1996, 2001, 2002, and 2008 as part of other cybercrime legislation. We'll discuss those as they come up in this chapter.

      Although the CFAA may be used to prosecute a variety of computer crimes, it is also criticized by many in the security and privacy community as an overbroad law. Under some interpretations, the CFAA criminalizes the violation of a website's terms of service. This law was used to prosecute Aaron Swartz for downloading a large number of academic research papers from a database accessible on the MIT network. Swartz committed suicide in 2013 and inspired the drafting of a CFAA amendment that would have excluded the violation of website terms of service from the CFAA. That bill, dubbed Aaron's Law, never reached a vote on the floor of Congress.

      Ongoing legislative and judicial actions may affect the broad interpretations of the CFAA in the United States. For example, in the 2020 case Sandvig v. Barr, a federal court ruled that the CFAA did not apply to the violations of the terms of use of a website because that would effectively allow website operators to define the boundaries of criminal activity. As this book went to press, the U.S. Supreme Court was considering a similar case, Van Buren v. United States, with the possibility of creating a definitive precedent in this area.

      National Information Infrastructure Protection Act of 1996

      In 1996, the U.S. Congress passed yet another set of amendments to the Computer Fraud and Abuse Act designed to further extend the protection it provides. The National Information Infrastructure Protection Act included the following main new areas of coverage:

       Broadens the CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce

       Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits

       Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony

      Federal Sentencing Guidelines

      The Federal Sentencing Guidelines released in 1991 provided punishment guidelines to help federal judges interpret computer crime laws. Three major provisions of these guidelines have had a lasting impact on the information security community:

       The guidelines formalized the prudent person rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.

       The guidelines allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their