reports
Terrorism laws impact on network providers
By Chris Pounder
When President Bush signed the USA Patriot Act into law before Christmas, he was not acting alone. Most European countries, including the UK with its Anti-Terrorism, Crime and Security Act, and Canada have followed suit.
In terms of IT, most of the anti-terrorism legislation enacted shares the following characteristics:
• A legal separation between data that relates to the content of an electronic communication and the data which relates to the fact that an electronic communication event has occurred (e.g. telephone numbers connected, duration of connection). Additionally there is usually a requirement for telecommunications providers (e.g. Internet Service Providers and public telecommunications operators) to retain data about all communication events (e.g. all Internet access or all telephone contacts). In the UK this period is likely to be one year.
• A gateway which permits the authorities to access the content of a communication. This is usually subject to a warrant issuing procedure, which can be subjected to varying degrees of direct judicial oversight.
• A gateway which permits the authorities to access data about a communication event without recourse to direct judicial oversight. Indirect judicial oversight can occur on grounds such as whether access to the data is proportionate (e.g. in terms of human rights in Europe) or infringes constitutionally-protected rights (e.g. in the US).
• A gateway which allows many public authorities to exchange information in relation to any minor criminal acts. The argument is that minor crimes involving, for example, identity theft, mobile phone theft or credit card theft could all occur in connection with terrorism.
• A gateway which allows many public authorities to exchange information in relation to financial or personal affairs (e.g. taxation or education records held by the authorities). The argument is that an investigation, which initially concerns a small financial transaction, could widen to involve terrorism (e.g. the sums of money posted to the 11 September terrorists were a few thousand dollars).
• A gateway which allows many public authorities to pass over information in relation to their areas of responsibility (e.g. an investigation commenced by the police could discover financial irregularities which are then handed over to the tax authorities).
• A gateway which requires many private authorities to provide information to the authorities in relation to travel and financial affairs (e.g. most affected are the airline and banking sector).
• A gateway which permits the authorities in one country to cooperate and exchange information with the authorities in another country; the agreed Council of Europe Cybercrime Convention will be increasingly important in this regard.
• A very truncated debate by the legislature which, by and large, has had to trust the executive (in the UK, for example, the House of Commons scrutinized a 130 page act within one week of Parliamentary time).
Most legislation contains a sunset clause, which will negate the above requirements if the perceived threat which arises from terrorism (and the organized crime which can support such activities) diminishes. However, since most governments are talking of a ‘long-haul’ in the fight against terrorism, one suspects that this is one piece of legislation where the sun will never set.
Companies shoddy about cyber-attacks
By John Sterlicchi
As security concerns mount after the horrific 11 September attacks, a new report found US companies are not doing enough to protect their IT systems from the threat of cyber-attacks.
The report went a step further and said software and computer vendors should be held liable for system breaches if they do not drastically improve the security of their products. However, the report does not detail any specific sanctions for such offenses.
The Computer Science and Telecommunications Board (CSTB), a part of the National Academy of Sciences, said in its report, “Cyber-security Today and Tomorrow: Pay Now or Pay Later,” that many US companies do not implement the necessary level of security because that can be expensive.
Authors Herb Lin and Marjory Blumenthal wrote: “The unfortunate reality is that relative to the magnitude of the threat, our ability and willingness to deal with threats has, on balance, changed for the worse. From an operational standpoint, cyber-security today is far worse than what best practices can provide.”
The report urged lawmakers to take “steps that would increase the exposure of software and system vendors and system operators to liability for system breaches”.
The report also found that payback is uncertain “because serious cyber-attacks are rare”. But the CSTB warned short-changing security could be catastrophic for companies.
The CSTB recommended that companies should establish and provide adequate resources to an internal entity with responsibility for providing direct defensive operational support to system administrators.
It also recommended ensuring that adequate information security tools are available and that everyone is properly trained in their use.
“The degree to which a computer system and the information it holds can be protected and preserved is a broad concept,” the CSTB said. “Security can be compromised by bad system design, imperfect implementation, weak administration of procedures, or through accidents, which can facilitate attacks.”
The report also concluded that much of the blame for the state of security in corporate and government networks belongs to administrators and CIOs who fail to implement readily available technologies such as firewalls and intrusion-detection systems or follow industry best practices.
Many security problems exist not because a fix is unknown but because some responsible party has not implemented a known fix, the report said.
In addition, the authors recommended that vendors should develop better security interfaces for their products to simplify administration and conduct better testing of their products for security vulnerabilities.
The authors also said simple and clear blueprints for secure operation that users can follow should be put in place.
march.qxd 2/14/02 8:23 AM Page 7
OFTEL plans to require telcos to maintain secure networks
OFTEL has commenced a public consultation about guidelines which set out the measures that public telecommunications operators (PTO) should take in order to maintain network accessibility, integrity and security.
The objective is to specify the security standards which licensed telecommunications operators should attain; failure to attain them could then eventually result in enforcement action arising from an infringement of OFTEL’s licensing conditions.
The draft guidelines propose that PTOs, for example, should be under an obligation to meet “essential requirements for network security and integrity”. This obligation includes the requirement to take “all reasonable practicable steps to maintain network availability in the event of catastrophic network failure, fire, earthquake or flood” and to take all reasonably practical steps to maintain “network integrity against malfunctions caused by electrical conditions, signalling protocols or traffic loads”. PTOs should also install “appropriate fire warning systems and power back-up systems in their exchanges”.
OFTEL has indicated that the factors it will assess are whether a PTO:
• Has invested properly in technical and non-technical measures in order to maintain network security and integrity.
• Has undertaken an analysis of risk and consequent impact of any network failure.
• Has implemented, documented and managed complete contingency plans.
• Can demonstrate continual management commitment to all the policies and procedures that have been developed in the interests of network security and integrity.
In summary, the guidelines run to about 25 pages of single spaced text. General sections relate to physical security procedures, network security, management and operational procedures, network testing and integrity, abnormal electrical conditions, access network frequency plan, inappropriate use of signalling protocols, terminal equipment and excessive traffic loads. In addition, there are sections on specific problem areas where integrity and continuity are important, for example in relation to the networks which support the emergency 999 services and other bodies and individuals who might have special needs (e.g. AA roadside recovery, NHS Direct and those being remotely monitored in connection with specific medical conditions).
David Edmonds, Director General of Telecommunications, said “All public telecoms operators have a licence obligation to ensure that the security and integrity of their network is maintained at all times and that for the first time OFTEL has set out guidelines on the measures we expect operators to have in place to meet this obligation”. Edmonds added his own Nelsonian touch: “OFTEL expects operators to ensure they are prepared for an event such as a fire or power cut so that services to consumers can continue uninterrupted and any disruption is minimal.”