An InformationWeek article cites and discusses recent research done by BIOS maker Phoenix Technologies saying that 8 out of every 10 computer attacks against businesses could be stopped if enterprises checked the identity of not only the user but also the machine logging onto their network. The study, conducted for Phoenix by a California research firm, looked at data from cases prosecuted by federal authorities between 1999 and 2006 to reach its conclusion that attacks based on logging in with stolen or hijacked credentials cost businesses far more, on average, than the typical worm or virus assault. According to the research, when a privileged account is penetrated by an unauthorized user, the average damage is $1.5 million, while the average damage from a single virus attack is under $2,400.
The study and the conclusion are valuable in what they show - that enterprises should take extra measures not only to secure their infrastructure, but also to educate their users to protect their credentials better. But the research methods are inherently flawed.
First, the research was based on data obtained from prosecuted federal cases. Usually such cases are brought under the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030), which criminalizes unauthorized access to a protected computer (quite broadly defined) and conduct ranging from hacking to employees copying data before leaving the company. The problem with relying on such data is that the government, with its limited resources, can criminally prosecute only the cases with the highest damages or with the biggest public outrage (which is ultimately related to damages). Also, unauthorized access cases often involve misappropriation of secret information, whose value is usually very high. Relying on such cases to show high damages is circular.
Second, federal prosecutors very rarely prosecute authors of worms or viruses. Usually the authors cannot be caught, are in a foreign jurisdiction, or are otherwise able to avoid criminal prosecution under section 1030. Also, over the past six or seven years (the date range used in the study) worm and virus attacks have had a relatively minor damage factor: disabling computers, displaying foul messages, or formatting hard drives. For many enterprises, the damage is usually limited to the cost of lost productivity and restoring the computer (usually from a ghosted hard drive image).
The research, although based on a flawed method and data, nonetheless confirms an important aspect of enterprise information security - people are usually the weakest link. Regardless of how good your firewall and network settings are, one employee’s weak or stolen password can provide an open highway to an attacker. To solve this, businesses should have strong password policies and, most importantly, educate their employees on how to safeguard their (and their employer’s) online identity.
The National Institute of Standards and Technology (NIST) has issued a draft publication to provide guidance to home users, including federal workers engaged in telework, on improving the security of home computers that run on the Windows XP Home Edition operating system.
Although in draft, this is still an extremely useful guide to home users on how to secure their machines.
Draft Special Publication 800-69, "Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist."
David Lennon, a U.K. teenager, has been sentenced by a Magistrate Judge in Wimbledon Magistrates Court to a two-month curfew for sending 5 million e-mails to Domestic & General Group, which crashed its servers. The conviction came under the Computer Misuse Act, which explicitly outlaws the "unauthorized access" and "unauthorized modification" of computer material.
Lennon’s case was reviewed earlier by another judge, who held that massive amounts of e-mail did not violate the Computer Misuse Act because e-mail servers were set up to receive e-mail and therefore each individual e-mail constituted an "authorized modification" to the server under the Act. The previous ruling was challenged by the prosecution and the case was sent back to the Magistrate Court.
The Magistrate Judge, recognizing that some damage had been done, said,
Even given his age at the time, this was a grave offense and caused serious damage, so I need to impose something to make him think again.
It is interesting to note how the U.K. courts have struggled with applying the Computer Misuse Act in computer contexts such as this one. Arguably, as the initial court held, sending e-mail messages to a server is "authorized" and should not be criminal even if done on a large scale (5 million messages). In reality, some damage was done to the servers because they crashed under the heavy load, and the Magistrate Judge seemed to realize this, but still seemed uncomfortable. In the United States, early e-mail spam cases were brought under the Computer Fraud and Abuse Act (or state equivalents) with mixed success. Although it is not exactly clear whether the CAN-SPAM Act has had any significant impact on the amount of spam, it has provided an easy-to-use and clear tool to fight spam in the United States.
Because of cases such as this one, the U.K. Computer Misuse Act has been considered insufficient to stop crimes such as large-scale spam or denial-of-service attacks, and amendments have been proposed which would increase penalties and would criminalize behavior such as "maliciously impairing the operation of a computer or preventing access to programs or data." [Will Sturgeon, U.K. cybercriminals threatened with 10-year term, CNET, Jan. 26, 2006]
A recent (Aug. 1) holding from the U.S. District Court for the Middle District of Florida says that an employee who copies computer files prior to departing for a rival firm has not "exceed[ed] authorized access" as that key phrase is defined under the Computer Fraud and Abuse Act (CFAA). The court granted the defendant Speed’s motion to dismiss the complaint, but gave Lockheed leave to amend. Lockheed Martin Corp. v. Speed, M.D. Fla., Case No. 6:05-cv-1580, 8/1/06. Opinion here.
"Exceed Authorization" Background
Under the CFAA, a party’s accessing a computer (as it is broadly defined) without "authorization" gives rise to criminal and civil liability. Section 1030(a)(4) makes it a violation to knowingly, and with intent to defraud, access a protected computer "without authorization" or to "exceed authorized access" in order to commit fraud and obtain something of value.
Many civil cases have been filed under CFAA, generally in the employment or trade secret misappropriation contexts, where an employee has copied valuable company information before joining a new employer, usually a competitor. Judge Richard Posner of the Seventh Circuit in International Airport Centers LLC v. Citrin, 440 F.3d 420 (7th Cir. 2006), held that CFAA imposed liability on the premise that the employee’s authorization vanished once he breached a duty of loyalty to the employer. Presumably, this may be long before the employee is terminated, so the employee "exceeds authorization" whenever he or she takes substantial steps towards breaching the duty of loyalty to the original employer - e.g. contracting a competitor, etc.
Generally, "exceed authorization" under CFAA has been construed somewhat broadly (as Judge Posner’s case suggests) to cover access to information even when the employee, in computer security terms, has authorization to access the information.
Facts of the Case
Departing employees, before their employer learned of their imminent departure, used their access privileges to burn a stack of CDs with valuable company files for use in their new jobs. The employer, Lockheed Martin, alleged that the employees’ file-copying activities violated multiple subsections of the CFAA. Lockheed invoked the civil remedies provision of the CFAA.
Sea Change?
The August 1st Speed case may suggest a sea change, or at least a circuit split. The court held that because the access occurred while the employee still enjoyed access privileges to the company’s computer system, it cannot be said that the access "exceeded" the employee’s authority. This holding is in direct contradiction to Judge Posner’s Citrin holding. Judge Presnell said that he "respectfully disagrees" with the Seventh Circuit because its decision "effectively turns the plain reading of the statutory definition of ‘exceeds authorized access’ on its head." He suggested that Judge Posner had "stretch[ed]" the meaning of "without authorization" to cover those who have access but act badly. "Congress did not so stipulate," Presnell wrote.
In addition, the court was worried that adopting Citrin could result in far-reaching CFAA liability for employees. For example, the Citrin theory may permit an employer to pursue a CFAA claim against employees who check personal e-mail accounts on company time, too minor an offense to justify invoking a criminal statute, or to use such a claim as a bargaining chip in a complex employment dispute.
An interesting article on CNET describes U.K. police’s attempts to seize encryption keys used by suspects to encrypt data that may help the police solve crimes. According to a "senior police officer,"
Because British law enforcement officers don’t have the authority to seize encryption keys, an increasing number of criminals are able to evade justice.
There are more than 200 PCs sitting in property cupboards which contain encrypted data, for which we have considerable evidence that they contain data that relates to a serious crime. Not one of those suspects has claimed that the files are business-related, and in many cases, the names of the files indicate that they are important to our investigations.
A controversy was stirred earlier this summer when the British government announced that it planned to activate Part 3 of the Regulation of Investigatory Powers (RIP) Act, which allows the police, in some circumstances, to demand an encryption key from a suspect. Under Part 3 of the RIP Act, if the police suspected someone had encrypted incriminating data, officers could issue an order under Section 49 of the Act ordering the suspect to hand over the key. Failure to do so could lead to a prosecution under Section 53 of the Act.
Critics of the Act point out that the law is dangerous, is badly written, and cannot be properly implemented. For example, under the Act, defendants could be prosecuted for simply losing an encryption key. Furthermore, critics point out that the code of practice lacks clear safeguards against use of the RIP Act to obtain private data. Without clear procedures, businesses may take their encryption keys out of U.K. jurisdiction so that their secret business information is not in jeopardy of being revealed by an overzealous prosecutor or one with an improper agenda.
On the other hand, the British Home Office has defended law enforcement’s position that the time is right to activate Part 3 of the Act because law enforcement is finding that an increasing number of its investigations are thwarted by encryption. It is easy for police officers to point to cases where child abuse victims remain unidentified because a suspect has encrypted information.
The Draft Code of Practice for the Investigation of Protected Electronic Information - Part III of the Regulation of Investigatory Powers Act 2000 is open to review and comment until August 31, 2006.
It is interesting to consider how a similar proposal would fare under U.S. law. The Fifth Amendment of the U.S. Constitution may in fact prevent seizing encryption keys if ‘actions which would render testimony against oneself’ are considered covered by the protections of the Fifth Amendment. It can be argued that there is no difference between demanding that someone surrender their encryption key and their ‘giving testimony or surrendering evidence against themselves.’ Many would point to the example of the safe combination and whether law enforcement can force someone to divulge the combination to a safe where incriminating evidence would be found. Although the Framers did not specifically envision complicated encryption keys being used to protect incriminating evidence, they certainly sought to protect one from having to serve up on a silver platter information to law enforcement that would then be used to obtain a conviction.
On August 3, the U.S. Senate ratified the Council of Europe Convention on Cybercrime, a treaty aimed at facilitating international cooperation in the prevention, investigation, and prosecution of crimes involving electronic evidence. The U.S. is the 16th country to ratify the convention, which has been in force since July 1, 2004, among the 15 nations that have ratified it so far (Albania, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Denmark, Estonia, France, Hungary, Lithuania, Macedonia, Norway, Romania, Slovenia and Ukraine).
International Sharing of Electronic Evidence
The treaty is not just about cybercrime - it provides for international sharing of electronic evidence of all crimes … whether they involve computers or not. Thus, the treaty may come into play in a robbery case as long as there is evidence stored in an electronic form in a country which is a signatory to the treaty. Essentially, the treaty provides a tool for foreign governments to request interception of electronic communications and the sharing of electronic data in the United States and allows the U.S. to request the same from other countries which are parties to the treaty.
According to Jeffrey Price, of counsel in the Washington, DC office of Steptoe & Johnson, who has worked on the treaty since its inception in 2001, the treaty will not require changes in U.S. law, but it may not permit changes in U.S. law either, because substantive provisions of the law of cybercrime will now be internationalized. Thus, the treaty becomes a major piece of legislation in the area of cybercrime and electronic evidence sharing between law enforcement agencies in different countries. One of the first things that U.S. ISPs and other network operators may anticipate is an increased volume of requests for intercepts and data from foreign law enforcement agencies, because the main sources of electronic information are in the U.S.
Dual Criminality Lacking?
Some critics claim that the treaty lacks a "dual criminality" requirement, so that Americans may be investigated in the United States for things that are not crimes in the U.S. Professor Orin Kerr, formerly with the Department of Justice’s Computer Crimes Division and now a prominent scholar on cybercrime, has suggested that "dual criminality" is a traditional requirement of extradition, but not of international evidence collection. He suggests that the U.S. approach has been "to help a foreign country investigate foreign offenses even if the same conduct is not a crime in the U.S. as long as cooperation does not raise any constitutional difficulties." According to Prof. Kerr, the cybercrime treaty maintains this traditional approach.
In late June, the Office of Management and Budget (OMB) issued a mandate to federal agencies to take certain measures to protect the privacy and security of personally identifiable information stored on removable devices. The deadline for implementing the OMB’s security mandate was Monday, August 7, 2006. The mandate guidelines were based on National Institute of Standards and Technology (NIST) requirements, and inspectors general at several agencies have already begun reviewing compliance with the OMB checklist mandate.
The 45-day deadline imposes requirements that cannot be carried out in such a short period of time. Brett Bobley, CIO of the National Endowment for the Humanities, says that he does not think any agency can say it meets every requirement in the OMB memo:
Within the [past] 45 days your goal is to show your IG that you have thoroughly looked through [the] guidelines and determined where you meet it and where you don’t. Once you know the areas where your policies and procedures fall short, you can start to take corrective action.
While Mr. Bobley is correct that full compliance is impossible, the OMB should be pleased if agencies at least take a serious, hard look at their information privacy and security policies and chart plans to improve how data is handled.