[ISN] Security Managers Could Face Court Penalties

From: InfoSec News (isn@private)
Date: Sun Jun 20 2004 - 23:18:31 PDT


    By Mitch Wagner
    June 18, 2004

    San Francisco - Routine efforts to improve network security could be
    used against IT managers in court, warned cybercrime attorney Mark
    Rasch.

    Security managers who fail to secure their company's information could
    be making it harder to prosecute computer crime, said Rasch, who
    delivered a keynote at the NetSec 2004 conference here this week.

    "For trade secrets to be entitled to legal protection, the person
    holding the trade secret has to demonstrate that they used reasonable
    efforts to ensure its secrecy," Rasch said.

    And sometimes a security manager's efforts to secure information can
    be used against him by a plaintiff's attorney. For example, imagine
    that a security manager writes a memo listing 10 measures that must be
    taken to secure corporate information, and the company only implements
    two of them. "That memo is a plaintiff's lawyer's dream," Rasch said.

    Likewise, security managers are routinely cautious in deploying
    patches to Microsoft software and other products. The patches are
    tested, and rolled out over a period of time. That caution can be used
    by a plaintiff's lawyer to prove negligence. "They'd ask how much it
    would cost to install the patch. They'd say it doesn't cost much.
    You'd say it isn't just one patch, there are thousands of patches. But
    the jury just hears about the one patch," Rasch said.

    Likewise, companies that generate security logs but don't look at them
    are letting themselves in for legal trouble, Rasch said. The
    corporation is presumed to be aware of the information contained in
    those logs.

    Rasch is senior vice president and chief security counsel for
    Solutionary, a managed security service provider. He is former head of
    the U.S. Justice Department's computer crime unit, and prosecuted
    Robert Tappan Morris, who released one of the first Internet worms in
    1988. Rasch also prosecuted the Hanover hackers, as described in "The
    Cuckoo's Egg," by Clifford Stoll.

    Another problem with computer law is that laws are written so broadly
    that they criminalize normal activities, Rasch said.

    "We define computer law so broadly that it covers things we never
    meant, and then we tell people, don't worry, you would never be
    prosecuted," Rasch said. There is no way to make the law so precisely
    worded that we prosecute only what we want to prosecute; we rely on
    prosecutorial discretion to stop unreasonable prosecutions. Computer
    crime is defined as unauthorized access to a computer, he said. By
    that standard, any time an employee violates a company policy barring
    personal use of the Internet, that employee is committing a felony -
    even if the policy is routinely violated and never enforced, Rasch
    said.

    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Mon Jun 21 2004 - 01:37:17 PDT