[ISN] Security Managers Could Face Court Penalties

InfoSec News isn at c4i.org
Mon Jun 21 02:18:31 EDT 2004


http://nwc.securitypipeline.com/showArticle.jhtml?articleID=22100927

By Mitch Wagner  
June 18, 2004 

San Francisco - Routine efforts to improve network security could be
used against IT managers in court, warned cybercrime attorney Mark
Rasch.

Security managers who fail to secure their company's information could
be making it harder to prosecute computer crime, said Rasch, who
delivered a keynote at the NetSec 2004 conference here this week.

"For trade secrets to be entitled to legal protection, the person
holding the trade secret has to demonstrate that they used reasonable
efforts to ensure its secrecy," Rasch said.

And sometimes a security manager's efforts to secure information can
be used against him by a plaintiff's attorney. For example, imagine
that a security manager writes a memo listing 10 measures that must be
taken to secure corporate information, and the company only implements
two of them. "That memo is a plaintiff's lawyer's dream," Rasch said.

Likewise, security managers are routinely cautious in deploying
patches to Microsoft software and other products. The patches are
tested and rolled out over a period of time. That caution could be
used by a plaintiff's lawyer to prove negligence. "They'd ask how much
it would cost to install the patch? They'd say it doesn't cost much.
You'd say it isn't just one patch, there are thousands of patches. But
the jury just hears about the one patch," Rasch said.

Likewise, companies that generate security logs but don't look at them
are letting themselves in for legal trouble, Rasch said. The
corporation is presumed to be aware of the information contained in
those logs.

Rasch is senior vice president and chief security counsel for
Solutionary, a managed security service provider. He is former head of
the U.S. Justice Department's computer crime unit, and prosecuted
Robert Tappan Morris, who released one of the first Internet worms in
1988. Rasch also prosecuted the Hanover hackers, as described in "The
Cuckoo's Egg," by Clifford Stoll.

Another problem with computer law is that laws are written so broadly
that they criminalize normal activities, Rasch said.

"We define computer law so broadly that it covers things we never
meant, and then we tell people, don't worry, you would never be
prosecuted," Rasch said. There is no way to make the law so precisely
worded that we prosecute only what we want to prosecute; we rely on
prosecutorial discretion to stop unreasonable prosecutions. Computer
crime is defined as unauthorized access to a computer, he said. By
that standard, any time an employee violates a company policy barring
personal use of the Internet, that employee is committing a felony -
even if the policy is routinely violated and never enforced, Rasch
said.
