The foundation of all security systems is
formed by the moral principles and practices of the people involved and the
standards of the profession. That is, while people are part of the solution,
they are also most of the problem. Security problems with which an organization
may have to deal include: responsible decision making, confidentiality,
privacy, piracy, fraud & misuse, liability, copyright, trade secrets, and
sabotage. It is easy to sensationalize these topics with real horror
stories; it is more difficult to deal with the underlying ethical issues
involved.
The student should be made aware of his
individual responsibility in making ethical decisions associated with
information security.
2. Confidentiality & Privacy
Computers can be used symbolically to
intimidate, deceive or defraud victims. Attorneys, government agencies and
businesses increasingly use mounds of computer-generated data, quite legally,
to confound their audiences. Criminals likewise find computer-generated phony
invoices, bills and checks useful. The computer lends an ideal cloak for
carrying out criminal acts by imparting a clean quality to the crime.
The computer has made the invasion of our
privacy a great deal easier and potentially more dangerous than it was before
the advent of the computer. A wide range of data about individuals are
collected and stored in computerized files. These files hold banking
information, credit information, organizational fund raising, opinion polls,
shop-at-home services, driver license data, arrest records and medical
records. The potential threats to privacy include the improper commercial use
of computerized data, breaches of confidentiality by releasing confidential
data to third parties, and the release of records to governmental agencies for
investigative purposes.
The basic law that protects our privacy is
the Fourth Amendment to the United States Constitution, which guarantees the
right of the people to be secure in their persons, houses, papers and effects
against unreasonable searches and seizures. In addition, many laws have been
enacted to protect the individual from having damaging information stored in
computerized databases.
3. Piracy
Microcomputer software presents a particular
problem since many individuals are involved in the use of this software.
Section 117 of the Copyright Act (Title 17 of the United States Code), as
amended in 1980, addresses the question of backup copies of software. It
provides that the owner of a copy of a program may make a copy for archival
purposes. That is, users may legally create a backup copy of software if it is
to be held in archive. Many software companies provide a free backup copy to
users, which removes any need for users to purchase software intended to
defeat copy protection systems in order to copy their software. If the
software purchased is actually leased, you may in fact not even be able to
make backup copies of the software. The distinction between leasing and
buying is stated in the software documentation, as is the copyright
statement. Under the copyright laws, the lessor of leased material may dictate
what the lessee can and cannot do with the software, so it is entirely up to
the owner of the software whether or not users may make backup copies. At a
time when federal laws relating to copyright protection are evolving, several
states are considering legislation that would bar unauthorized duplication
of software.
The software industry is prepared to do
battle against software piracy. The courts are dealing with an increasing
number of lawsuits concerning the protection of software. Large software
publishers have established the Software Protection Fund to raise between
$500,000 and $1 million to promote anti-piracy sentiment and to develop
additional protection devices.
4. Fraud & Misuse
The computer can create a unique environment
in which unauthorized activities can occur. Crimes in this category have
many traditional names including theft, fraud, embezzlement, extortion, etc.
Computer related fraud includes the introduction of fraudulent records into a
computer system, theft of money by electronic means, theft of financial
instruments, theft of services, and theft of valuable data.
5. Liability
Under the UCC, an express warranty is an
affirmation or promise of product quality to the buyer and becomes a part of
the basis of the bargain. Promises and affirmations made by the software
developer to the user about the nature and quality of the program can also be
classified as an express warranty. Programmers or retailers possess the right
to define express warranties. Thus, they have to be realistic when they state
any claims and predictions about the capabilities, quality and nature of their
software or hardware. They should consider the legal aspects of their
affirmative promises, their product demonstrations, and their product
description. Every word they say may be as legally effective as though stated
in writing. Thus, to protect against liability, all agreements should be in
writing. A disclaimer of express warranties can free a supplier from being
held responsible for any informal, hypothetical statements or predictions
made during the negotiation stages.
Implied warranties are also defined by the
UCC. These are warranties that are provided automatically in every sale. These
warranties need not be in writing, nor do they need to be verbally stated. They
ensure that good title will pass to the buyer, that the product is fit for the
particular purpose for which it was sold, and that it is fit for the ordinary
purposes for which similar goods are used (merchantability).
6. Patents and Copyright Law
A patent can protect the novel aspects of an
invention, but only in exchange for public disclosure. It is very difficult
to obtain a patent compared to a copyright (please see discussion below).
With computer software, complete disclosure is required; the patent holder
must disclose the details of a program completely enough to allow a skilled
programmer to build the program. Moreover, patents are territorial: a United
States software patent is not enforceable outside the United States, and
protection abroad requires separate filings in each country.
Copyright law provides a very significant
legal tool for use in protecting computer software, both before a security
breach and certainly after a security breach. Such a breach could involve the
misappropriation of data, computer programs, documentation, or similar
material. For this reason the information security specialist will want to be
familiar with the basic concepts of copyright law.
The United States, United Kingdom,
Australia, and many other countries have now amended or revised their
copyright legislation to provide explicit copyright protection for computer
programs. Copyright law in the United States is governed by the Copyright Act
of 1976, which preempted the field from the states. Formerly, the United States
had a dual state and Federal system. In other countries, such as Canada, the
courts have held that the un-revised Copyright Act is broad enough to protect
computer programs. In many of these countries the reform of copyright law is
actively underway.
7. Trade Secrets
A trade secret protects something of value
and usefulness. This law protects the unique and secret aspects of ideas,
known only to the discoverer or his confidants. Once disclosed, the trade
secret is lost as such and can then be protected only under patent or
copyright law, discussed above. The application of trade secret law is very
important in the computer field, where even a slight head start in the
development of software or hardware can provide a significant competitive
advantage.
8. Sabotage
The computer can be the object of attack in
computer crimes such as the unauthorized use of computer facilities,
alteration or destruction of information, data file sabotage and vandalism
against a computer system. Computers have been shot, stabbed, short-circuited
and bombed.
B. Laws and Legislation
The types and numbers of security laws and
legislation at all governmental levels are expanding rapidly. Often, we forget
that such legislation may affect each of us, as well as the organization. For
more information see module four: “Information Systems Security Laws and
Legislation”.
The following items should be discussed in terms
of both Ethics and Law. Where do Ethics and Law converge? Are they the same?
The foundations of all secure systems are the moral principles and practices
and the professional standards of all employees of the organization, i.e.,
while people are part of the solution, they are also most of the problem. The
issues treated above (confidentiality and privacy, piracy, fraud and misuse,
liability, patents and copyright, trade secrets, and sabotage) are examples of
security problems which an organization may have to deal with.
C. Professionalism
Students should be encouraged to become involved
professionally while they are in school and to continue their professional
involvement throughout their career. Several societies and professional
organizations are concerned with security, including:
- The Computer Security Institute
- Computer Professionals for Social Responsibility
- Data Processing Management Association
- Security Management Magazine
- Licensing and Certification
  a. Institute For Certification of Computer Professionals
  b. International Information Systems Security Certification Consortium, (ISC)^2
In addition, there are two government
agencies actively involved in promoting professionalism. The first is the
National Computer Security Center, which hosts the National Computer Security
Conference each year. The second is NIST, which has an outreach charter.
Discuss the costs and benefits of professional participation.