Lecture 9 Legal Issues (uploaded to Scribd by Mohan chalaune, 28 pages)

CET324 - Advanced Cybersecurity

Legal and Ethical Aspects

Objectives

• Cybercrime and international convention
• Copyright, patent and intellectual property
• Privacy and data protection issues in cybersecurity
• Ethical issues and professional code of conduct

Computer crime
Computer crime, or cybercrime, is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity.

Types of Computer Crime
Computer crime can be classified by the role that the computer plays in the criminal activity:

• Computers as targets: an attack on data integrity, system integrity, data confidentiality, privacy, or availability.
• Computers as storage devices: using the computer to store stolen password lists, credit card numbers, proprietary corporate information, or pirated commercial software.
• Computers as communications tools: crimes that are committed online, such as fraud, child pornography, and the illegal sale of prescription drugs, controlled substances, alcohol, or guns.

International convention on cybercrime
The Council of Europe Convention on Cybercrime (the Budapest Convention, ETS No. 185) is the first international treaty on crimes committed via the internet and other computer networks. It was opened for signature in Budapest in November 2001.

Details: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185

Motivation for the convention: https://www.youtube.com/watch?v=QORdKwxeR04

Law Enforcement Challenges
• Law enforcement agency difficulties:
  • Lack of investigators knowledgeable and experienced in dealing with this kind of crime
  • Required technology may be beyond their budget
  • The global nature of cybercrime
  • Lack of collaboration and cooperation with remote law enforcement agencies
• The Convention on Cybercrime introduces a common terminology for crimes and a framework for harmonizing laws globally.
• The deterrent effect of law enforcement on computer and network attacks correlates with the success rate of criminal arrest and prosecution.

Cybercrime Victims
• Are influenced by the success of cybercriminals and the lack of success of law enforcement
• Many of these organizations have not invested sufficiently in technical, physical, and human-factor resources to prevent attacks
• Reporting rates tend to be low because of a lack of confidence in law enforcement, concern about corporate reputation, and a concern about civil liability

Intellectual Property Infringement
• Copyrights: unauthorized use
• Trademarks: unauthorized use or colorable imitation
• Patents: unauthorized making, using or selling

Copyright
• Activity: if you have an idea to sort trillions of electronic records in nanoseconds, does copyright law cover your idea?
• Copyright protects the tangible or fixed expression of an idea, but not the idea itself (so the sorting idea above is not covered; only a concrete expression of it, such as the source code of a program that implements it, would be)
• A creator can claim and file copyright at a national government copyright office if:
  • The proposed work is original
  • The creator has put the original idea in concrete form

Copyright Rights
• Copyright law protects the tangible or fixed expression of an idea, not the idea itself.
• The copyright owner has these exclusive rights, protected against infringement:
  • Reproduction right
  • Modification right
  • Distribution right
  • Public-performance right
  • Public-display right
• Examples of protected works include:
  • Literary works
  • Musical works
  • Dramatic works
  • Pantomimes and choreographic works
  • Pictorial, graphic, and sculptural works
  • Motion pictures and other audiovisual works
  • Sound recordings
  • Architectural works
  • Software-related works

Patent
• Grants a property right to the inventor
• "The right to exclude others from making, using, offering for sale, or selling" the invention in the country or "importing" the invention into the country
• Types:
  • Utility: any new and useful process, machine, article of manufacture, or composition of matter
  • Design: a new, original, and ornamental design for an article of manufacture
  • Plant: granted to someone who discovers and asexually reproduces any distinct and new variety of plant

Trademark
• A word, name, symbol, or device
• Used in trade with goods; indicates the source of the goods
• Distinguishes them from the goods of others
• Trademark rights may be used to:
  • Prevent others from using a confusingly similar mark
  • But not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark

What is a servicemark?
A servicemark is the same as a trademark except that it identifies and distinguishes the source of a service rather than a product.

Intellectual Property Relevant to Network and Computer Security
• A number of forms of intellectual property are relevant in the context of network and computer security. Examples of some of the most prominent:
  • Software: programs produced by vendors of commercial software; shareware; proprietary software created by an organization for internal use; software produced by individuals
  • Databases: data that is collected and organized in such a fashion that it has potential commercial value
  • Digital content: includes audio and video files, multimedia courseware, Web site content, and any other original digital work
  • Algorithms: an example of a patentable algorithm is the RSA public-key cryptosystem (the US patent on RSA expired in 2000, so the algorithm itself is now freely usable)

Privacy
• Overlaps with computer security
• Dramatic increase in scale of information collected and
stored
• Motivated by law enforcement, national security,
economic incentives
• Individuals have become increasingly aware of access and
use of personal information and private details about their
lives
• Concerns about extent of privacy compromise have led to a
variety of legal and technical approaches to reinforcing privacy
rights

European Union (EU) Directive on Data Protection
• Directive 95/46/EC, adopted in 1995 and in force in member states from 1998, to:
  • Ensure member states protect fundamental privacy rights when processing personal information
  • Prevent member states from restricting the free flow of personal information within the EU
• Organized around the principles of:
  • Notice
  • Consent
  • Consistency
  • Access
  • Security
  • Onward transfer
  • Enforcement

The Directive has since been replaced by the GDPR (Regulation (EU) 2016/679, applying from 25 May 2018), which sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data.

GDPR
• Sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data.
• The regulation addresses several fundamental issues.
• Data subject's rights (the data subject is the individual whose personal data is being processed):
  • clear consent to the processing of personal data
  • easier access to his or her personal data
  • the rights to rectification, to erasure and 'to be forgotten'
  • the right to object, including to the use of personal data for the purposes of 'profiling'
  • the right to data portability from one service provider to another
• Compliance:
  • obligation to implement appropriate security measures
  • notification of personal data breaches

GDPR (continued)
• Monitoring and compensation
  • member states must establish an independent supervisory authority at national level
  • mechanisms are established to create consistency in the application of data protection law across the EU
  • one-stop shop: a company with subsidiaries in several member states will only have to deal with the data protection authority in the member state of its main establishment
• Transfers to a third country
  • Covers transfer of personal data to third countries and international organisations
  • The Commission is in charge of assessing the level of protection given by a territory or processing sector in a third country
• Overview: https://www.digitaltrends.com/computing/what-is-the-gdpr/

Data Privacy
• Guidelines are needed for policy to manage the use and reuse of big data:
  • Consent: ensuring participants can make informed decisions about their participation in the research
  • Privacy and confidentiality: privacy is the control that individuals have over who can access their personal information; confidentiality is the principle that only authorized persons should have access to information
  • Ownership and authorship: addresses who has responsibility for the data, and at what point an individual gives up their right to control their personal data
  • Data sharing (assessing the social benefits of research): the social benefits that result from data matching and reuse of data from one source or research project in another
  • Governance and custodianship: oversight and implementation of the management, organization, access, and preservation of digital data

Ethical Issues
Ethics: a system of moral principles that relates to the benefits and harms of particular actions, and to the rightness and wrongness of motives and ends of those actions.

• Basic ethical principles developed by civilizations apply
• Unique considerations surrounding computers and information systems:
  • Scale of activities not possible before
  • Creation of new types of entities for which no agreed ethical rules have previously been formed

Professional/Ethical Responsibilities
• Concern with balancing professional responsibilities with ethical or moral responsibilities
• Types of ethical areas a computing or IT professional may face:
  • Ethical duty as a professional may come into conflict with loyalty to employer
    • "Blowing the whistle": exposing a situation that can harm the public or a company's customers
  • Potential conflict of interest
• Organizations have a duty to provide alternative, less extreme opportunities for the employee
  • In-house ombudsperson coupled with a commitment not to penalize employees for exposing problems
• Professional societies should provide a mechanism whereby society members can get advice on how to proceed

Codes of Conduct
• Ethics are not precise laws or sets of facts
• Many areas may present ethical ambiguity
• Many professional societies have adopted ethical codes of conduct which can:
  1. Be a positive stimulus and instill confidence
  2. Be educational
  3. Provide a measure of support
  4. Be a means of deterrence and discipline
  5. Enhance the profession's public image

Ethics and Codes of Conduct

• BCS code of ethics and professional conduct:
  • https://www.bcs.org/membership/become-a-member/bcs-code-of-conduct/
  • http://www.britsoccrim.org/docs/CodeofEthics.pdf (note: britsoccrim.org is the British Society of Criminology, not the British Computer Society; this is a separate code)

• ACM code of ethics and professional conduct:
  • https://ethics.acm.org/2018-code-draft-1/ (this link is to the 2018 draft; the adopted code is published at https://www.acm.org/code-of-ethics)

• IEEE code of ethics:
  • https://www.ieee.org/about/compliance.html

Comparison of Codes of Conduct
• All codes place their emphasis on the responsibility of professionals to other people
• They do not fully reflect the unique ethical problems related to the development and use of computer and IT technology
• Common themes:
  • Dignity and worth of other people
  • Personal integrity and honesty
  • Responsibility for work
  • Confidentiality of information
  • Public safety, health, and welfare
  • Participation in professional societies to improve standards of the profession
  • The notion that public knowledge and access to technology is equivalent to social power

The Rules
The rules below are the five rules from "Moral Responsibility for Computing Artifacts: The Rules", produced by the Ad Hoc Committee for Responsible Computing:

1. The people who design, develop, or deploy a computing artifact are morally responsible for that artifact, and for the foreseeable effects of that artifact. This responsibility is shared with other people who design, develop, deploy or knowingly use the artifact as part of a sociotechnical system.

2. The shared responsibility of computing artifacts is not a zero-sum game. The responsibility of an individual is not reduced simply because more people become involved in designing, developing, deploying, or using the artifact. Instead, a person's responsibility includes being answerable for the behaviors of the artifact and for the artifact's effects after deployment, to the degree to which these effects are reasonably foreseeable by that person.

3. People who knowingly use a particular computing artifact are morally responsible for that use.

4. People who knowingly design, develop, deploy, or use a computing artifact can do so responsibly only when they make a reasonable effort to take into account the sociotechnical systems in which the artifact is embedded.

5. People who design, develop, deploy, promote, or evaluate a computing artifact should not explicitly or implicitly deceive users about the artifact or its foreseeable effects, or about the sociotechnical systems in which the artifact is embedded.

Summary
• Cybercrime and computer crime
• Types of computer crime
• Law enforcement challenges
• Working with law enforcement
• Intellectual property
• Types of intellectual property
• Intellectual property relevant to network and computer security
• Privacy
• Privacy law and regulation
• Organizational response
• Computer usage privacy
• Ethical issues
• Ethics and the IT professions
• Ethical issues related to computers and information systems
• Codes of conduct
• The rules
Lab session: task
Assume you are a midlevel systems administrator for one section of a larger organization. You try to encourage your users to have good password policies and regularly run password-cracking tools to check that those in use are not guessable. You have become aware of a burst of hacker password-cracking activity recently. In a burst of enthusiasm, you transfer the password files from a number of other sections of the organization and attempt to crack them. To your horror, you find that in one section for which you used to work (but now have rather strained relationships with), something like 40% of the passwords are guessable (including that of the vice-president of the section, whose password is "president"!). You quietly sound out a few former colleagues and drop hints in the hope things might improve. A couple of weeks later you again transfer the password file over to analyse in the hope things have improved. They haven't. Unfortunately, this time one of your colleagues notices what you are doing. Being a rather "by the book" person, he notifies senior management, and that evening you find yourself being arrested on a charge of hacking and thrown out of a job.

• Did you do anything wrong?
• Briefly indicate what arguments you might use to defend your actions. Make reference to the Professional Codes of Conduct outlined by the ACM, IEEE or BCS.
• Share your work with your classmates via the designated discussion page.
• Read, like or reply to posts from your classmates.
