Wireless Operational Security

C.2 Security Risks and Legal Protections Recap

Federal statutes address crimes against federal institutions, interstate crimes, and acts against the security of the country, such as terrorism. Because of the nature of computer networks, interstate commerce and federal telecommunications laws are often used to prosecute hackers. Early on, laws written for telephone fraud were applied to computer crime; more recently, computer-specific crime laws, as well as new sentencing guidelines for computer criminals, have been enacted. Practitioners should be familiar with the laws of whatever state or country in which their organizations operate . They should also know exactly what evidence and documentation will be required to make a case against an alleged intruder. From a compliance and enforcement standpoint, at a minimum, a practitioner in the United States should be aware of the following regulatory requirements as wireless networks are designed and managed:

• Computer Fraud and Abuse Act of 1996. [1] This act was enacted to clarify the definitions of criminal fraud and abuse for federal computer crimes. This Act also removed the obstacles that had been in the way to prosecute violators of these crimes, and further defined the legal aspects of computer crime to eliminate any misunderstandings. It makes it a crime to knowingly access a federal-interest computer without authorization to obtain certain defense, foreign relations, financial information, or atomic secrets. It is also a criminal offense to use a computer to commit fraud, to "trespass" on a computer, and to traffic in unauthorized passwords. Section 1030 of the Act was amended on October 26, 2001, by Section 202 of the USA Patriot Act antiterrorism legislation to expand the ability of service providers to get government help with hacking, denial-of-service attacks, and related Computer Fraud and Abuse Act violations.

• Economic Espionage Act of 1996. [2] This law extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.

• Health Insurance Portability and Accountability Act of 1996 . [3] HIPAA requires that all health care organizations that transfer medical records and information electronically follow certain standards for ensuring that the records remain secure and confidential.

• The Gramm-Leach-Bliley Act of 1999. [4] This law limits the instances when a financial institution may disclose nonpublic personal information of a consumer to nonaffiliated third parties. It requires a financial institution to disclose its privacy polices and practices with respect to information shared with affiliates and nonaffiliated third parties.

• Identity Theft and Assumption Deterrence Act of 1998. 5 This Act was created to address the problem of identity theft in several concrete ways. It directed the Federal Trade Commission (FTC) to establish the federal government's central repository for identity theft complaints and to provide victim assistance and consumer education. This Act makes it a federal crime to "knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable State or local law."

• National Information Infrastructure Protection Act of 1996 . [6] This law amends the Computer Fraud and Abuse Act to provide more protection to computerized information and systems by defining new computer crimes and by extending protection to computer systems used in foreign or interstate commerce or communications.

• President's Executive Order on Critical Infrastructure Protection. [7] Supports the President's Infrastructure Protection and Continuity Board by modeling, simulating, and analyzing cyber infrastructure, and telecommunications and physical infrastructure to mitigate systems threats. It also facilitates the security of the critical infrastructure of the United States and encourages secure disclosure and protected exchange of critical infrastructure information to enhance recovery from infrastructure attacks.

• The Homeland Security Act of 2002. [8] This Act provides for over-sight authority on issues involving the "protection of government and private networks and computer systems from domestic and foreign attack (and) prevention of injury to civilian populations and physical infrastructure caused by cyberattack."

• Sarbanes-Oxley Act of 2002 .[9] This act affects corporate governance, privacy of personal information, and financial disclosure, and requires encryption and protection of data that are stored on and passed from personal digital assistants (PDAs) and wireless devices. A brief summary of SEC Actions and SEC Related Provisions pursuant to the Sarbanes-Oxley Act of 2002 is provided:

  • Restoring Confidence in the Accounting Profession: The Act established the Public Company Accounting Oversight Board.

    • Section 108(b): On April 25, 2003, the SEC recognized the Financial Accounting Standards Board as the accounting standard setter.

    • Section 108(d): On July 25, 2003, the SEC issued a study on principles-based accounting.

    • Section 109: The Act established an independent funding source for the FASB.

  • Title II: On January 22, 2003, the SEC adopted rules improving the independence of outside auditors .

    • Section 303: On April 24, 2003, the SEC adopted rules for-bidding the improper influence on outside auditors.

    • Section 802: On January 22, 2003, the SEC adopted rules governing the retention of audit records by outside auditors

  • Improving the "Tone at the Top"

    • Section 302: On August 27, 2002, the SEC adopted rules requiring CEOs and CFOs to certify financial and other information in their companies' quarterly and annual reports .

    • Section 304: This section requires management to return bonuses or profits from stock sales received within 12 months of a restatement resulting from material noncompliance with financial reporting requirements as a result of misconduct .

    • Section 306: On January 15, 2003, the SEC adopted rules prohibiting company officers from trading during pension fund blackout periods.

    • Section 402: This section prohibits companies from making loans to insiders.

    • Section 403: On August 27, 2002, the SEC adopted rules that accelerated deadlines and mandated electronic filing of disclosures of insider transactions in company stock.

    • Section 406: On January 15, 2003, the SEC adopted rules requiring companies to disclose whether they have a code of ethics for their CEO, CFO, and senior accounting personnel.

  • Improving Disclosure and Financial Reporting

    • Section 401(a): On January 22, 2003, the SEC adopted rules requiring disclosure of all material off-balance sheet transactions.

    • Section 401(b): On January 15, 2003, the SEC adopted Regulation G, governing the use of non-GAAP financial measures, including disclosure and reconciliation requirements.

    • Section 404: On May 27, 2003, the SEC adopted rules requiring an annual management report on and auditor attestation of a company's internal controls over financial reporting.

    • Section 408: This section requires that the Commission review the Exchange Act reports of each company no less frequently than once every three years .

  • Improving the Performance of "Gatekeepers"

    • Section 301: On April 1, 2003, the SEC adopted rules directing the SROs to adopt listing standards for audit committees .

    • Section 407: On January 15, 2003, the SEC adopted rules requiring the disclosure about financial experts on audit committees.

    • Section 307: On January 23, 2003, the SEC adopted rules governing standards of conduct for attorneys appearing and practicing before the Commission.

    • Section 501: On July 29, 2003, the SEC approved new SRO rules governing research analyst conflicts of interest.

  • Enhancing Enforcement Tools

    • Section 106: This section addresses SEC access to foreign audit workpapers.

    • Section 305: This section sets standards for imposing officer and director bars and penalties.

    • Section 308: This section establishes FAIR Funds for Investors and requires a study of the same, which the SEC issued on January 24, 2003.

    • Section 602: This section addresses the SEC's authority over professionals who appear and practice before the Commission.

    • Section 603: This section grants federal courts the ability to impose penny stock bars.

    • Section 703: On January 24, 2003, the SEC issued a study on aiding and abetting liability under the federal securities laws.

    • Section 704: On January 24, 2003, the SEC issued a study of enforcement actions involving violations of reporting requirements and restatements.

    • Section 803: This section provides that debts are not dischargeable in bankruptcy if they were incurred as a result of securities fraud.

    • Section 1103: This section allows the SEC to temporarily freeze certain extraordinary payments made to securities law violators.

    • Section 1105: This section gives the SEC the authority in administrative proceedings to prohibit persons from serving as officers or directors.

• Electronic Communications Privacy Act of 1986 .[10] This legislation updated the Federal Wiretap Act to apply to the illegal interception of electronic (i.e., computer) communications, or to the intentional, unauthorized access of electronically stored data. Generally prohibits actual or attempted interception, disclosure, or use of an electronic communication by "any person," including an "electronic communication service," unless the act falls within several exceptions. The ECPA sets out the provisions for access, use, disclosure, interception, and privacy protections of electronic communications. The law covers various forms of wire and electronic communications. According to the U.S. Code, electronic communications means "any transfer of signs, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic, or photo optical system that affects interstate or foreign commerce." The ECPA prohibits unlawful access and certain disclosures of communication contents. Additionally, the law prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure.

• U.S. Communications Assistance for Law Enforcement Act of 1994. [11] This law amended the Electronic Communications Privacy Act and requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

• USA Patriot Act of 2002. [12] This law broadens governmental access to electronic communication, particularly if there exists a reasonable belief of immediate danger of death or serious physical injury. The focus of this Act is to protect "government-interest" computers such as those used by government agencies and their affiliates. If compromised, these computers pose great risk to national security and the viability of government function itself. This law was enacted because no clear law existed to to prohibit unauthorized access to government computers.

• State Laws. State laws differ greatly in their statutes on network penetration and intrusion ( see Appendix B). They also vary widely in their definitions of what constitutes a computer break-in, as well as the fines and punishment meted out for such violations. Each state has different laws and procedures that pertain to the investigation and prosecution of computer crimes. By the mid-1990s, nearly every state had enacted a computer crime statute . Some of these laws are very narrowly drafted, whereas others are quite broad. The language of the law is often open to interpretation. It is difficult to adequately define the scope of the law so that it covers the behavior it intends to control, but is not so broadly defined as to be applied to unrelated activities. Even more troubling, lawmakers are not computer experts, yet they are tasked with creating laws that address technologies they do not fully understand and that require the use of a technical language that is not understood . Many states claim jurisdiction on any electronic transaction that crosses their borders. Contact your local law enforcement department or district attorney's office for guidance.

As an example of the variances that exist, let's look at the Texas Computer Crimes Act, which is not substantially different from that of any other state. Therein, it states that "a person commits an offense if the person knowingly accesses a computer system without the effective consent of the owner." The offense is a felony if the person's intent is to obtain a benefit from the action. A computer system is defined by this statute as a "data processing device that functions by the manipulation of electronic or magnetic impulses" and access is defined as a person "making use of" data or information obtained from such access. A strict interpretation of this definition would mean that simply looking at someone's digital watch without permission could be a felonious act.