CHICAGO -- Using the law as a sword to improve information security within the enterprise is a double-edged practice....
On one side, regulations and lawsuits can target the attackers who hurt companies. But those same companies may find themselves cut by the laws they turned to for redress.
For example, a class-action lawsuit has been filed in California seeking damages from Microsoft for its reliance on patches for fixing security holes in its Windows operating system. The lawsuit, filed in Los Angeles District court, says Microsoft's failure to keep Windows secure puts users' personal data at risk.
This approach may make some sense to people, especially those who have been hit by Blaster and other network worms because they can't keep up with all the patches Microsoft releases. Yet such a lawsuit, if successful, could set a precedent for holding the makers of applications liable for security holes.
"What happens when [homegrown] applications you create contain vulnerabilities?" said Michael Rasmussen, research director with Forrester Research on Wednesday, the opening day of Information Security magazine's Security Decisions conference.
Lawsuits are one way to influence business behavior. Regulations are another. So far, there hasn't been an all-encompassing federal law in the United States targeting cybersecurity. The White House's only attempt to influence cybersecurity, the National Strategy to Secure Cyberspace released earlier this year, relies on market forces to improve security.
Congress has been more forthcoming about addressing information security matters, at least as part of more general regulations. Its approach has been to take a market-specific strategy with such laws as the Health Insurance Portability and Accessibility Act (health care) and the Gramm-Leach-Bliley Act (financial services). Some have suggested more laws are needed that specifically target security issues. Yet others think security is less a matter for government and more one for business pressures and user education.
Chul Choi, a consultant with IBM in Canada, said that improving information security requires a cultural shift. People, for example, learn that driving fast is illegal during drivers' education class. Students taking computer classes don't learn about the legal ramifications of what they are doing. "Sometimes people don't realize what they are doing is illegal," he said.
Regulations that were intended to stop criminals can also snag enterprises unintentionally. For example, the Electronic Communications Privacy Act covers the interception of communications, so companies can seek criminal and civil penalties for people who sniff a company's network to gain sensitive information. On the other hand, companies and their employees may find themselves inadvertently violating the law.
Honeypots, for example, may cross legal lines. A company using honeypots could violate the rights of the attackers because they intercept their data. "That's like someone breaks into your house and you push them out and then you are guilty of assault," said Curtis Karnow, an attorney with law firm Sonnenschein, Nath & Rosenthal.
Choi sees plenty of room within existing laws to cover information security matters. For example, laws covering property protection and negligence can be expanded to include cyber-matters. "We just need to make them more specific to cybercrime," he said. "Vandalism can be expanded to include spam, for example."
Echoing those sentiments, Karnow said there are laws that have been around for 500 years, such as those designed to stop trespassing and negligence, which can be effective when used to address cybersecurity matters. "Legislators want to make their mark on this area," he said. "But a lot of times, they passed laws without a good grasp of the technology."