Cybersecurity Law Test 2
US v. Nosal
-David Nosal worked for Korn/Ferry (recruiting firm) -Left company and worked for them as a contractor with a noncompetition agreement -Nosal launched a competing business -Downloaded data from Korn/Ferry using his credentials -used former assistant's login info -charged with 1030, economic espionage -Narrow view
Civil Actions Under CFAA
-court case must be brought within 2 years of act -damage or loss must have occurred
US v. Roberto Rodriguez
-former Social security administration worker -used system to find women's personal information and stalk them -Broad view
US v. John
-former Citigroup employee -gave customer information to half-brother (got information from Citigroup system and her computer) -brother used information to commit fraud -broad -5th circuit
Criticisms of CFAA
-some say it does not prevent more harmful cybersecurity events -too big of a punishment for crimes that do little to no harm to people or property -stops researchers from being able to help cybersecurity issues -limits ability to engage in active defense of their computers and networks (hacking back)
DMCA The defendant either
1. designed or produced primarily for circumvention 2. made available despite only limited commercial significance other than circumvention 3. marketed for use in circumvention of the controlling technological measure
Things that do not apply to the trafficking provisions of Section 1-2
1. nonprofit libraries, archives, and educational institutions 2. law enforcement and intelligence activities 3. reverse engineering for interoperability 4. encryption research 5. preventing minors from accessing the Internet 6. protection of personally-identifying information 7. security testing
DMCA A plaintiff alleging a violation of a2 must prove
1. ownership of valid copyright on a work 2. effectively controlled by a technological measure which has been circumvented 3. that third parties can now access 4. third parties access without authorization 5. access without authorization in a manner that infringes or facilitates infringing a right protected by the copyright act
Knowing Violations of the Economic Espionage Act
1831-1832 apply to acts that are done knowingly: 1. awareness of the nature of one's conduct 2. an awareness of or a firm belief in or knowledge to a substantial certainty of the existence of a relevant circumstance such as whether the info has economic value
Sections 5a CFAA
5a-knowing transmission that intentionally damages a computer without authorization
Trademark
A brand that has exclusive legal protection for both its brand name and its design (10 years)
Protected Computer
A computer used exclusively by a financial institution or government entity or used in interstate or foreign commerce. (does not have to be in the US)
grey hat hackers
A cross between black and white—they will often illegally break into systems merely to flaunt their expertise to the administrator of the system they penetrated or to attempt to sell their services in repairing security breaches.
Patent
An exclusive right issued by the U.S. Patent Office that enables the recipient to manufacture, sell, or otherwise control an invention for a period of 20 years from the date of the grant.
What act spells out federal punishments related to hacking which includes imprisonment of up to 20 years?
Computer Fraud and Abuse Act
Injunctions
Court orders that prohibit a certain activity in order to prevent actual or threatened misappropriation
DMCA
Digital Millennium Copyright Act
New vs. Old hacker ethics
Hacker ethics have started to contradict new rules with hacking so a new type of ethics needed to be determined
First time violations of Sections 5a/5b CFAA
In order to convict someone for 5a/5b and the defendant has not been convicted under the CFAA before one of these must be shown: 1. financial loss during a single year (at least $5000) 2. modification or impairment or future modification/impairment of medical examination, diagnosis, treatment, or care 3. physical injury to someone 4. public health or safety threat 5. damage to a federal gov computer 6. damage of at least 10 protected computers during a year
CFAA Narrow view
Individuals are only liable for CFAA violations if their initial access to the system or data was not permitted. How the individual used the data is irrelevant
Budapest Convention
International convention that requires countries to adopt measures that address 1. illegal access 2. data interference 3. misuse of devices 4. computer related fraud 5. computer related forgery etc... also required to develop procedures to expedite the preservation of stored data, search and seizing data, empower authorities to collect data in real time etc...
Statute of Limitations
Plaintiffs must bring economic espionage act civil actions within 3 years of the date the misappropriation was discovered or should have been discovered through exercise of reasonable diligence
DMCA 1st Amendment
Some people think section 1201 goes against freedom of speech - code is speech, it makes research harder - case by case decision
Library of Congress
The librarian can grant exceptions to a1 temporarily for 3 years - things are used for something
Old hackers
Wikileaks
CFAA Broad View
authorized access may include- if someone is given access to a computer to do something lawful and they do something unlawful that is a crime
black hat hackers
break into other people's computer systems and may just look around or may steal and destroy information
Section 1201 Penalties
civil and criminal
DMCA Broad View
creates a new anti-circumvention right distinct from the traditional exclusive rights of a copyright owner
Purpose and intent required under 1832
defendant must have intended to commit crime
White hat hacker
ethical hackers, can sometimes be paid employees or contractors working for companies as security specialists, try to find security holes by hacking
Social engineering
hackers use their social skills to trick people into revealing access credentials or other valuable information
What is ethical hacking
hacking performed by a company or individual in an attempt to identify potential threats on a computer or network. Try to find security weak points before they are found by malicious hackers
First time violators of 5c CFAA
if someone has not been convicted of CFAA before the gov can only charge a misdemeanor by fine and a year in prison
Section 5c CFAA
intentional access without authorization that causes damages and loss
Section 5b of CFAA
intentionally access without authorization that recklessly causes damage
Limitation of Budapest Convention
nations that are common sources of hacks against US are not part of convention
Is not knowing the law an excuse for committing a crime?
no
CFAA
primary U.S. federal statute that prohibits and penalizes certain forms of computer hacking; imposes criminal and civil penalties for those who hack without authorization or exceed authorized access to the computer
Section 1831 Economic Espionage
prohibits economic espionage to benefit a foreign government or entity
DMCA a1
prohibits the act of circumventing technology that controls access to copyrighted material
Economic Espionage Act 1996
prohibits the theft of US companies' trade secrets either to benefit a foreign government or to economically benefit anyone other than the owner
Section 1832 Economic Espionage
prohibits theft of trade secrets to benefit one company at the expense of another company
DMCA a2
prohibits trafficking in technology that facilitates circumventing of access control measures
DMCA b1
prohibits trafficking in technology that facilitates circumvention of measures that protect against copyright infringement
Vulnerability Disclosure Program
provide guidelines and safe harbors for outside parties to report vulnerabilities - may receive limited authorization or compensation without getting in trouble
Civil Seizures are what?
remedies that the wronged can seek
Civil Seizures
seizure of property that is necessary in order to prevent spreading or use of trade secret that has been misappropriated
Pen testing
set of practices carried out usually by an outside company hired by a corporation to attempt to access their systems
Misappropriation
the act of taking what belongs to someone else and using it illegally for one's own gain
Copyright
the exclusive legal right, given to an originator or an assignee to print, publish, perform, film, or record literary, artistic, or musical material, and to authorize others to do the same. (life of author +70 years)
DMCA Narrow View
1. there must be a link between the access that is being circumvented and the infringement of copyrighted content 2. does not create a broad new property right, instead it protects circumvention that is reasonably related to a property right that is currently provided by the copyright act
Economic Espionage applies to what type of intellectual property
trade secrets
Pen testing requires
well-documented, written agreements, certification to be a pen tester (white hat hacker), without these it turns into grey hat or black hat hacking
Trade secrets
all forms of ideas/information that owner has kept a secret and the information has economic value or potential (lasts forever)
Defend Trade Secrets Act
allows companies to bring a civil suit if they have been victim to misappropriation
Damages- Defend Trade Secrets Act
allows plaintiffs to recover damages for actual loss caused by misappropriation as well as damages for unjust enrichment that are not included in the actual loss total
