http://nwc.securitypipeline.com/showArticle.jhtml?articleID=22100927

By Mitch Wagner
June 18, 2004

San Francisco - Routine efforts to improve network security could be used against IT managers in court, warned cybercrime attorney Mark Rasch. Security managers who fail to secure their company's information could be making it harder to prosecute computer crime, said Rasch, who delivered a keynote at the NetSec 2004 conference here this week.

"For trade secrets to be entitled to legal protection, the person holding the trade secret has to demonstrate that they used reasonable efforts to ensure its secrecy," Rasch said.

And sometimes a security manager's efforts to secure information can be used against him by a plaintiff's attorney. For example, imagine that a security manager writes a memo listing 10 measures that must be taken to secure corporate information, and the company implements only two of them.

"That memo is a plaintiff's lawyer's dream," Rasch said.

Likewise, security managers are routinely cautious in deploying patches to Microsoft software and other products. The patches are tested and then rolled out over a period of time. That caution can be used by a plaintiff's lawyer to prove negligence.

"They'd ask how much it would cost to install the patch? They'd say it doesn't cost much. You'd say it isn't just one patch, there are thousands of patches. But the jury just hears about the one patch," Rasch said.

Likewise, companies that generate security logs but don't look at them are letting themselves in for legal trouble, Rasch said. The corporation is presumed to be aware of the information contained in those logs.

Rasch is senior vice president and chief security counsel for Solutionary, a managed security service provider. He is former head of the U.S. Justice Department's computer crime unit, and prosecuted Robert Tappan Morris, who released one of the first Internet worms in 1988.
Rasch also prosecuted the Hanover hackers, as described in "The Cuckoo's Egg," by Clifford Stoll.

Another problem with computer law is that laws are written so broadly that they criminalize normal activities, Rasch said.

"We define computer law so broadly that it covers things we never meant, and then we tell people, don't worry, you would never be prosecuted," Rasch said. There is no way to make the law so precisely worded that we prosecute only what we want to prosecute; we rely on prosecutorial discretion to stop unreasonable prosecutions.

Computer crime is defined as unauthorized access to a computer, he said. By that standard, any time an employee violates a company policy barring personal use of the Internet, that employee is committing a felony - even if the policy is routinely violated and never enforced, Rasch said.

_________________________________________
ISN mailing list
This archive was generated by hypermail 2b30 : Mon Jun 21 2004 - 01:37:17 PDT