Chapter 4. Government Cyber-security Policies

Increasingly, governments are recognizing that they need to adopt policies that specifically address the issue of computer security in the private sector. This may include the adoption of legislation imposing certain duties on private sector corporations. Experience has shown that tailoring the level of regulatory intervention to the particular facts and circumstances at hand is a key ingredient to successful regulation.155 With this caution in mind, governments are beginning to impose duties on the private sector, without mandating particular technologies or standards. In Europe, responsibility for computer security is imposed across all sectors by the Data Protection Directive.156 In Singapore, the government has made computer security a component of the regulatory requirements for the financial sector, broadly defined. In the United States, in recent years, federal legislation has been adopted imposing explicit computer security responsibilities on the banking industry and the health care industry.157 We discuss these more fully below, but first we emphasize some of the important roles the government can play vis-à-vis the private sector without regulation.

Non-regulatory Roles of Government

There are a number of ways in which government can directly influence the security of privately owned and operated computer systems. Not all of these policy options are regulatory; many of the most effective options may be non-regulatory in nature.

Research: An important role for the government is in conducting and funding research on computer security. The U.S. National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department. NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

NIST's Computer Security Division works to improve information systems security by:

• Raising awareness of IT risks, vulnerabilities, and protection requirements;

• Researching, studying, and advising agencies about IT vulnerabilities;

• Devising techniques for the cost-effective security of sensitive Federal systems;

• Developing standards, metrics, tests, and validation programs to promote, measure, and validate security in systems and services;

• Establishing minimum security requirements for Federal systems; and

• Developing guidance to increase secure IT planning, implementation, management and operation.158

In sharing research publicly, government agencies may need to overcome a tradition of secrecy. The normally super-secret National Security Agency in the United States has posted on its public web site its Security Recommendation guides.159

Standards: The government is also an important participant in private sector standards setting processes. Standards processes are non-regulatory, voluntary, and consensus-based, but government experts may make important contributions, especially if the government supports its own computer security research.

Awareness, Education, and Capacity-Building: Another major non-regulatory role of the government is to educate the public and work with the private sector to promote awareness of vulnerabilities and responses.160 Special studies and reports of the kind described above are one means of accomplishing this goal. The European Commission has called on Member States to launch public education and awareness campaigns, including mass media and efforts targeted at all stakeholders. Convening of expert bodies and issuance of reports and strategy documents help raise awareness. Education also includes scholarship and human resources development programs. The European Commission has recommended that education systems of Member States should give more emphasis to courses focused on computer security.

155 See, Smedinghoff, supra note ___(39).

156 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281/31, Nov. 23, 1995,

http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett.

157 Health Insurance Portability and Accountability Act of 1996, Pub. Law 104-191, http://aspe.hhs.gov/admnsimp/pl104191.htm; Financial Services Modernization Act of 1999, Pub. Law 106-102, Nov. 12, 1999, 15 U.S.C. Section 6801 et seq., http://www4.law.cornell.edu/uscode/15/6801.html; http://www.ftc.gov/privacy/glbact/.

158 NIST’s Computer Security Resource Center (CSRC) publishes information on a broad range of security topics, including cryptographic standards and applications, security testing, security research, system certification and accreditation guidelines, return on security investments, small business computer security, and federal agency security practices. http://csrc.nist.gov/. NIST publications are available at http://csrc.nist.gov/publications/index.html.

159 National Security Agency, Security Recommendation Guides, http://nsa1.www.conxion.com/.

Information Sharing: Another important government role is to promote information sharing about computer security vulnerabilities, warnings of new viruses and attacks, and recommendations on solutions, patches, and best practices.161 The government may fund such information sharing centers, such as the CERT (Computer Emergency Response Team) coordination centers that are being established around the globe. For example, the U.S. CERT at Carnegie Mellon University is a federally funded research and development center that provides assistance in handling computer security incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing security information and training materials.162 Other countries that have established or are establishing CERT centers include Malaysia, Japan, Australia, and Korea. Mcert is a CERT for small and medium sized enterprises in Germany, created as a public-private partnership by Germany's ICT Association BITKOM, seven industry sponsors and the German Government. Multinational structures are being created to promote information sharing regionally and internationally. In June 2001, the European Commission issued a Communication calling for a strengthening of the CERT system in Europe and better coordination among the CERTs operating in Member States.163 In February 2003, the Commission took a further step, announcing its intent to establish a Network and Information Security Agency to build on national efforts regarding cybersecurity and to serve as a coordinating and advisory entity.164 APEC has launched an initiative for a regional CERT aimed at providing in-country training to enhance CERT capabilities in developing countries in the region and to develop CERT guidelines.165 The G8 has created a network of “24x7 contacts” – round-the-clock duty offices at law enforcement agencies to facilitate information sharing and cooperation in criminal investigations of cybercrimes. Non-G8 nations may participate.166

Alternatively, the government may promote the creation of privately funded, voluntary information sharing systems, such as the Information Sharing and Analysis Centers (ISACs) that are operating in various forms around the globe. For instance, the United States has established industry ISACs for certain sectors (such as the financial services sector, the telecommunications sector, and the electrical power industry), and other countries, such as Canada, Germany, Japan, and the Netherlands, have ISACs as well. The UK is pursuing the WARP Concept (Warning, Advice & Reporting Point), an initiative to establish a ‘network’ across the UK to provide better and more timely advice and warnings relating to electronic attack, and for receiving incident reports.

160 Awareness is the first principle in the OECD’s computer security guidelines. Organization for Economic Cooperation and Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, July 25, 2002, http://www.oecd.org/pdf/M00034000/M00034292.pdf. The G8 has recommended that countries should raise awareness to facilitate stakeholders’ understanding of the nature and extent of their critical information infrastructure, and the role each must play in protecting them. In addition, the G8 has recommended that countries conduct training to enhance their response capabilities. Presidents’ Summary: Meeting of G8 Ministers of Justice and Home Affairs, Paris, May 5, 2003, http://www.g8.utoronto.ca/justice/justice030505.htm.

161 Information sharing has been a major theme of most international initiatives, including those of the G8, OAS and APEC.

162 National Security Agency, Security Recommendation Guides, http://nsa1.www.conxion.com/.

163 European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM(2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm.

164 European Commission, Proposal for a Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency, Feb. 11, 2003, COM(2003) 63 final, 2003/0032 (COD),

http://europa.eu.int/information_society/eeurope/action_plan/safe/documents/nisa_en.pdf.

165 “Protecting Developing Economies from Cyber Attack – Assistance to Build Regional Cyber-security Preparedness,” APEC Media Release, Mar. 18, 2003, http://www.apecsec.org.sg/whatsnew/press/PressRel_ProtectgFromCyberAttack_180303.html.

166 G8, Meeting of Justice and Interior Ministers - Action Plan, Dec. 10, 1997, http://birmingham.g8summit.gov.uk/prebham/washington.1297.shtml.

The government may also form public-private committees or fora for exchange of security-related information. An example is the U.S. National Security Telecommunications Advisory Committee (NSTAC), which is composed of 30 chief executives representing major communications and network service providers and information technology companies and government officials responsible for national security and emergency communications systems.167 NSTAC provides industry-based advice to the President on issues and problems related to implementing national security and emergency preparedness communications policy.

Criminal Law

Another way in which the government protects private systems is through the criminal law. International and regional institutions have recommended that every nation, as part of the legal framework promoting trust and confidence in cyberspace, should adopt basic criminal laws against activities that attack the confidentiality, integrity, or availability of computer data and computer systems.168 The framework of applicable criminal law comprises both substantive as well as procedural law, implicating search and seizure as well as privacy concepts that may have unique application in the cyber context.

The UN was perhaps the first international body to recognize the importance of addressing cybercrime.169

In December 2000 and January 2002, the UN General Assembly adopted Resolutions 55/63 and 56/121 on Combating the Criminal Misuse of Information Technologies.170 Resolution 55/63 declares that states should review their laws to eliminate “safe havens” for those who carry out cybercrime. Resolution 55/63 recommends, inter alia, that states take appropriate measures to prevent the criminal misuse of information technologies, international cooperation in investigation and enforcement efforts, and the preservation and timely sharing of electronic data and evidence. Resolution 55/63 also recommends educating law enforcement authorities and the general public on cybercrime issues.

Substantive Criminal Law Offenses

There are various ways to conceptualize cybercrimes, and various names exist for specific offenses, but in general, laws addressing cybercrime issues have crystallized around four kinds of activity:

• Data interception: intentional interception, without right, of non-public transmissions of computer data. This covers interception of email of another person, for example, and is aimed at protecting the confidentiality of communications. Some legal frameworks already make it a crime to intercept telephone conversations without legal authorization, for example. This well-known concept in the telecom world could have analogous application in the cyber context.

• Data interference: intentional damage to, deletion, degradation, alteration, or suppression of data in someone else's computer without right. This covers, for example, intentionally sending viruses that delete files, or hacking a computer and changing or deleting data, or hacking a web site and changing its appearance. The element of intent is important to distinguish criminal activity from mere production of defective software or unintentionally forwarding viruses.

• System interference: intentionally causing serious hindrance, without right, to the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data. This covers things like denial of service attacks or introducing viruses into a system in ways that interfere with its normal usage. “Serious harm” is an element of this offense that distinguishes criminal activity from other, ordinary online behavior, such as sending one or just a few unsolicited emails.

167 See http://www.ncs.gov/NSTAC/attf.html

168 International bodies recommending adoption of cybercrime laws include the UN, EU, COE, G8, APEC, and OAS. For an extended discussion of the activities and recommendations of these and other international bodies regarding cybercrime, see, Westby Guide, supra note ___.

169 In 1995, the UN issued under its International Review of Criminal Policy the United Nations Manual on the Prevention and Control of Computer-Related Crime (1995) http://www.uncjin.org/Documents/EighthCongress.html.

170 UN General Assembly, Resolution 55/63, Combating the criminal misuse of information technologies, Dec. 4, 2000,

http://www.unodc.org/pdf/crime/a_res_55/res5563e.pdf ; UN General Assembly, Resolution 56/121, Combating the criminal misuse of information technologies, Jan. 23, 2002, http://www.unodc.org/pdf/crime/a_res_56/121e.pdf . See also UN Resolution 57/239 (2002).

• Illegal access: intentionally accessing, without right, the computer system of another. It can be thought of as the cyberspace equivalent of trespass. (Looked at another way, illegal access is an offense against the confidentiality of stored data and therefore is analogous to illegal interception, which is an offense against the confidentiality of data in transit.) In some legal systems, the definition of the crime of illegal access is limited to situations in which confidential information (medical or financial information) is taken, copied or viewed or where there is an intent to obtain confidential information or where access is obtained only by defeating security measures.

The Council of Europe has adopted a Convention that addresses these points.171

Articles 2-5 of the Council of Europe Convention on Cybercrime address these four basic cybercrimes. However, in the Convention itself these provisions are drafted in broad terms that could cover a wide range of common behavior. The Convention also has an Explanatory Report that aids in interpreting the Convention. Article 2 of the Convention calls upon states to establish as a criminal offense “when committed intentionally, the access to the whole or any part of a computer system without right” (emphasis added). On its face, this provision could arguably make it a crime to send an unsolicited email, since the sender of an unsolicited email “accesses” the recipient’s computer (or the mail server of the recipient’s ISP) without right. Therefore it is key in interpreting the Council of Europe Convention on Cybercrime to clarify whether “without right” is meant to include common activities inherent in the Internet. The Explanatory Report states, “legitimate and common activities inherent in the design of networks, or legitimate and common operating or commercial practices should not be criminalized.” (Para. 38.)

These would include, for example, sending electronic mail without it having been first solicited by the recipient; accessing a web page, directly or through hypertext links; or using “cookies” or “bots” to collect information. (Para. 46, 48.)172

Computer-facilitated Crime

Discussions of computer crime often extend into activities that are not crimes against computers, but are crimes facilitated by the use of computers. For example, theft and fraud are crimes in virtually every legal system whose laws were crafted in the “offline” world. But theft and fraud can equally take place in the “on-line” world. Similarly, crimes such as infringement of intellectual property rights or dissemination of child pornography are not limited to computer crimes – but they are crimes that may be facilitated by use of a computer. In many cases, existing criminal sanctions apply to offenses committed online. A critical analysis of many factors is needed to assess not only whether existing criminal laws apply both online and offline, but also whether special, separate offenses for computer-related crime or crime facilitated by a computer would be necessary.

Articles 7-10 of the Council of Europe Convention on Cybercrime depart from this principle, and reach more broadly, covering crimes involving the use of a computer to engage in conduct that is normally already a crime offline (i.e., forgery, fraud, and the distribution, production or possession of child pornography, and copyright infringement to name a few). Adopting special provisions for computer-facilitated offenses may be unnecessary in some legal systems and might improperly suggest that a crime committed online is worse than the same crime committed offline.173

171 The treaty, ETS no. 185, is online at http://conventions.coe.int/treaty/EN/cadreprincipal.htm along with an extensive Explanatory Report. It is very important that nations looking to the convention as a model also carefully consider the Explanatory Report, which has extensive explanations of the meaning of the treaty’s sometimes cryptic provisions. The convention, which has not taken effect as of August 2003, has some positive and some negative elements. The convention is very broad, reaching far beyond computer crime as such. And while it requires signatories to adopt laws giving the government access to computer data (for all crimes) and while it states that such powers must be subject to procedural safeguards protecting privacy, the treaty fails to specify such procedural safeguards. Accordingly, developing countries should be cautious in approaching the Council of Europe convention as a model. A major section of the treaty aims to require governments to cooperate with other countries seeking to search and seize computers, compel disclosure of data stored in computers, and carry out real-time interceptions – in all kinds of criminal cases – in other countries. It also covers extradition for computer crimes as defined under the treaty.

172 Further point of caution: the Explanatory Report also states that the phrase “without right” may refer to conduct undertaken without contractual authority. This interpretation seems unwise, for it could make violations of a service provider’s terms of service into a criminal offense.

173 That said, child pornography, which is internationally condemned, is easily facilitated by computers and governments should be sure that their laws adequately prohibit the production and dissemination of such material, lest they become havens for its production or online hosting. Likewise, protection of intellectual property is one of the important building blocks of cyberlaw.

Application of basic criminal law concepts

Nations may also want to consider how common concepts of the criminal law such as “aiding and abetting” or “attempt” apply to cybercrime. Thus, if a law has the concept of an attempted offense, then that concept might apply to cybercrime. For example, launching a virus with intent to disrupt service might be a crime under the concept of intent even if the virus didn’t work as intended. Similarly, if a nation’s law has the concept of aiding and abetting, that might be applied to cyber-crime, such that one who intentionally produces a virus and provides it to another knowing or intending that it will be used to destroy data or interfere with a system may be guilty of data or network interference caused by the virus even if the virus was introduced into a network by someone else.

Privacy Protections

Consideration of cybercrime often leads to questions about the standards under which the government is authorized to obtain access to the electronic communications and computer data that may constitute evidence of cybercrime and other types of crime. Many countries have procedural laws granting the government investigative powers to access information stored in computers. These include judicial orders for the disclosure of stored data and warrants for the immediate search and seizure of computers and computerized data. Many countries also allow real-time interception of communications and the traffic data or transactional data that shows the origin and destination of communications. A major part of the Council of Europe Convention on Cybercrime requires governments to adopt laws on search and seizure of computer evidence, disclosure to governments of computerized records of any kind, and electronic interception of communications – for all kinds of crimes.

Government seizures or compelled disclosures of data stored in computers and government interceptions of communications and traffic data constitute an intrusion on personal privacy and therefore need to be subject to procedural safeguards.174 As the OECD states in its Guidelines for the Security of Information Systems and Networks, “Security should be implemented in a manner consistent with the values recognized by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.”175 The European Commission has stated, “Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on human rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications and personal data.”176 Especially in developing and transitional societies, unregulated government surveillance can seriously undermine trust in the Internet.

UN Resolution 55/63 (December 2000) provides that states, as they adopt laws regarding investigative access to communications and computer data, should protect individual freedoms and privacy. In 1990, the Eighth UN Congress on the Prevention of Crime and the Treatment of Offenders issued a series of recommendations concerning the adoption of investigative procedures, evidentiary rules, forfeiture, and international cooperation in cybercrime investigations.177 In 1995, the UN published its Manual on the Prevention and Control of Computer-Related Crime.178 This extensive document examines a wide range of issues related to crime and technology, including procedural law, substantive criminal law, international cooperation, data protection, security, and privacy.

174 The right to privacy is recognized as a fundamental human right under the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention on Human Rights, and the American Convention on Human Rights.

175 http://www.oecd.org/document/42/0,2340,en_2649_201185_15582250_1_1_1_1,00.html

176 European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM (2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm.

177 Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Aug. 27-Sept. 7, 1990, report prepared by the Secretariat, UN publication, Sales No. E.91.IV.2, chap I. For the text of these recommendations, see United Nations Commission on Crime Prevention and Criminal Justice, Report on the Eighth Session, Apr. 27-May 6, 1999, E/CN.15/1999/12, http://www.un.org/documents/ecosoc/docs/1999/e1999-30.htm.

178 UN, International Review of Criminal Policy - United Nations Manual on the Prevention and Control of Computer-Related Crime,

http://www.uncjin.org/Documents/EighthCongress.html.

179 Another valuable resource is a report of the UN Economic and Social Council’s Commission on Crime Prevention and Criminal Justice, which effectively summarizes UN and other international work in the cybercrime and cyber-security area. Effective measures to prevent and control computer-related crime, E/CN.15/2002/8, Report of the Secretary-General, United Nations, Economic and Social Council, Commission on Crime Prevention and Criminal Justice, Eleventh Session, Vienna, Apr. 16-25, 2002, http://www.unodc.org/pdf/crime/commissions/11comm/8e.pdf.

Likewise, the Council of Europe Convention on Cybercrime explicitly requires that interceptions of communications and searches and seizures for stored data be conducted pursuant to the privacy principles set forth in the European Convention on Human Rights. Article 15 of the Cybercrime Convention provides:

1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms…and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

2. Such conditions and safeguards shall, as appropriate in view of the nature of the power or procedure concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation on the scope and the duration of such power or procedure.

Surveillance Standards

The Council of Europe Convention on Cybercrime itself does not spell out specific surveillance procedures that would comply with the European Convention of Human Rights. Those are found instead in the decisions of the European Court of Human Rights (summarized below), as well as in the surveillance laws of countries like Canada and the United States that have strong traditions of an independent judiciary and protection of privacy. Especially in developing and transitional societies, which may not have a fully defined set of rules for searches and seizure and surveillance in the offline world, it is important to give close attention to the development of strong standards for government surveillance in the digital context.

Under most advanced legal systems, interception of electronic communications is permissible, but only in accordance with clear standards in the law, requiring justification and prior independent approval, which in many legal systems means approval by a judge. Governments addressing interception and data access issues must be sure to address the procedural standards for government access to communications and computer data. An emerging body of international experience provides useful guidance. Based upon developing national and international standards,180 it is possible to identify the following procedural safeguards regulating the interception of communications:

• The standards for interception are transparent, fully and clearly spelled out in legislation available to the public, with sufficient precision to protect against arbitrary application and so that citizens are aware of the circumstances and conditions under which public authorities are empowered to carry out such surveillance.

• Approval is obtained from an independent official (preferably a judge),181 based on a written application giving reasons and setting forth facts justifying the intrusion, and the approval should be manifested in written order.

• Surveillance is limited only to the investigation of specified serious offenses.

• Approval is granted only upon a strong factual showing of reason to believe that the target of the search is engaged in criminal conduct.

• Approval is granted only when it is shown that other less intrusive techniques will not suffice.

• Each surveillance order should cover only specifically designated persons or accounts – generalized monitoring is not permitted.

• The rules are technology neutral – all one-to-one communications are treated the same, whether they involve voice, fax, images or data, wire line or wireless, digital or analog.

• The scope and length of time of the interception are limited, and in no event is the surveillance extended longer than is necessary to obtain the needed evidence.

• The surveillance is conducted in such a way as to reduce the intrusion on privacy to an unavoidable minimum necessary to obtain the needed evidence.

• The enabling legislation describes the use to which seized or intercepted material could be put; information obtained for criminal investigative purposes may not be used for other ends.

• The law specifies procedures for drawing up summary reports for a judge's review and precautions to be taken in order to permit inspection of the recordings by the judge and by the defense.

• In criminal investigations, all those who have been the subject of interception should be notified after the investigation concludes, whether or not charges result.

• Personal redress is provided for violations of the privacy standards.

Many of the same provisions are also applicable to search and seizure orders for computer data.

180 Perhaps the most developed body of international law on communications interception can be found in Europe, where the basic privacy principle in Article 8 of the European Convention of Human Rights has been given greater definition by the European Court of Human Rights (ECHR). The principles outlined here are drawn from the case law of the ECHR. Kopp v. Switzerland, Mar. 25, 1998, 27 EHRR 91; Klass v. Germany, 6 September 1978, 2 EHRR 214; Khan v. U.K., May 12, 2000, Reports of Judgments and Decisions, ECtHR, 2000-V; Halford v. U.K., June 25, 1997, Reports of Judgments and Decisions, ECtHR 1997-III; Huvig v. France, Apr. 24, 1990, 12 EHRR 528; Kruslin v. France, Apr. 24, 1990, 12 EHRR 547.

181 Klass v. Germany, 6 September 1978, 2 EHRR 214 (“The Court considers that, in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.”).

Data Retention and Other Government Design Mandates

A number of developed countries (including the United States) have imposed design mandates on telephone common carriers (and, in some countries, ISPs), requiring that communications networks be designed to support government surveillance. In addition, some countries have adopted, or are debating the adoption of, laws requiring service providers to retain traffic data on all communications for a specified period of time (a mandate referred to as “data retention”). These mandates have been very controversial and have been criticized for threatening the privacy of citizens and the security of networks and for imposing considerable costs on service providers. A fuller consideration of design mandates for surveillance is beyond the scope of this report. However, it should be noted that the Council of Europe Convention on Cybercrime does not impose design mandates, technical standards, or data retention requirements on service providers. The treaty only establishes procedures for preserving, seizing, or accessing whatever data is otherwise available for business purposes, using whatever current technical capabilities companies may have. It does not require changes in technology or business practices.182 The European Union in 2002 adopted a directive on privacy in the communications sphere that permits but does not require member countries to adopt data retention requirements.183

Anonymity

The Council of Europe Convention on Cybercrime also recognizes another important privacy right: the legitimacy of anonymous communications. The Explanatory Report makes it clear that the Convention does not impose on service providers any obligation to keep records of their subscribers. Thus, under the Convention, a service provider would not be required to register identity information of users of prepaid cards for telephone service, nor is it obliged to verify the identity of subscribers or to resist the use of pseudonyms by users of its services.184 In 2003, the Council of Europe issued a Declaration on Freedom of Communication on the Internet in which it expressly stated, “In order to…enhance the free expression of information and ideas, member states should respect the will of users not to disclose their identity.”185 Likewise, the European Commission, in its 2001 Communication on Creating a Safer Information Society, recognized the value of anonymity, stating, “An increasing variety of authentication mechanisms is required to meet our different needs in the environments in which we interact. In some environments, we may need or wish to remain anonymous.”186 Also, in its 2001 Communication on Network and Information Security, the Commission stated, “authentication must also include the possibility for anonymity, as many services do not need to identify the user…”187

182 Articles 20 and 21 of the Council of Europe convention specifically state that the real-time interception laws required under the convention shall empower competent authorities to “compel a service provider, within its existing technical capability,” to collect or record, or to co-operate and assist the competent authorities in the collection or recording of, traffic data and communications content. The Explanatory Report states: “The article does not obligate service providers to ensure that they have the technical capability to undertake collections, recordings, co-operation or assistance. It does not require them to acquire or develop new equipment, hire expert support or engage in costly re-configuration of their systems.” Para. 221.

183 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Article 4(1), Official Journal L 201/37, July 31, 2002, at 37-47 (replacing EU Directive 97/66/EC),

http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32002L0058&model=guichett. Also available at http://europa.eu.int/comm/internal_market/privacy/law_en.htm.

184 Convention, Para. 181.

185 Declaration on freedom of communication on the Internet (Strasbourg, 28.05.2003) (Adopted by the Committee of Ministers at the 840th meeting of the Ministers' Deputies)

http://www.coe.int/T/E/Communication_and_Research/Press/News/2003/20030528_declaration.asp

Encryption

Strong encryption is an important tool used in securing the Internet. As the European Commission noted in 2001, “The use of encryption technologies…[is] becoming indispensable, particularly with the growth in wireless access.”188 Recognizing this, the general trend in national policies regarding cryptography has been to reduce or eliminate rules limiting the import, export, and use of encryption. In recent years, most developed countries that previously sought to control encryption have concluded that, on balance, the general availability of encryption will improve security, not interfere with it. The 1997 OECD Guidelines on Cryptography Policy and a 1998 European Commission report expressed strong support for the unrestricted availability of encryption products and services.

Based on these statements, in the late 1990s Canada, Germany, Ireland, and Finland announced national cryptography policies based on the OECD Guidelines, favoring the free use of encryption. France, which had long restricted encryption, reversed that policy in January 1999 and announced that encryption could be used in France without restrictions. In December 1997, Belgium amended its 1994 law to eliminate the provision restricting cryptography. The United States, which had sought to limit use of encryption by limiting trade in cryptographic products and services, lifted almost all restrictions on the export of encryption in 2000.189

Regulation and Legislation

In a growing number of countries, policymakers are concluding that market forces alone are not sufficient to ensure adequate mitigation of cyber-security risks. As the European Commission has noted, action by governments is required because the market offers imperfect incentives for security: market prices do not always accurately reflect the costs and benefits of investment in security; often neither providers nor users bear all the consequences of inaction; control over the Internet is dispersed and given the complexity of networks, it may be difficult for users to assess potential dangers. Many of the critical infrastructures heavily dependent on computer systems have a long history of regulation in the public interest – regulation of safety, competition, and environmental impact, among other issues. Increasingly, regulators are adding cyber-security to the list of concerns meriting government attention.

Regulation, however, carries risks. In some respects, the Internet has flourished as a relatively unregulated communications medium. The global trend over the past two decades has been towards deregulation of communications networks generally. Competition and innovation support the development of new services and technologies, drive down prices, and expand access to communications technology. When technology is rapidly changing, government regulation may hinder the adoption of innovative security solutions.

So a key question is: what are the best means to achieve the desired results of improved computer security? By and large, as a fundamental principle, government should not impose technology mandates on private sector operators of critical infrastructures. There is widespread recognition that technology mandates are likely to be ineffective and even counterproductive.

186 European Commission, Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions - Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, Jan. 26, 2001, COM(2000) 890 final: http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html.

187 European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic And Social Committee and the Committee of the Regions - Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM (2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm.

188 European Commission, Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions - Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, Jan. 26, 2001, COM(2000) 890 final, http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html.

189 See “Cryptography and Liberty 2000: An International Survey of Encryption Policy,” Electronic Privacy Information Center,

http://www2.epic.org/reports/crypto2000; see also “Commercial Encryption Export Controls,” Bureau of Industry and Security, U. S. Dep’t of Commerce, http://www.bxa.doc.gov/Encryption/Default.htm.

Instead, one approach is to impose a general requirement to protect security. This approach was taken in Europe, growing out of the concept of privacy protection, where a general duty to protect security is imposed on all entities that collect or process personally identifiable data. Another approach is to focus only on certain economic sectors. The United States, for example, in imposing privacy obligations on the financial services and health care industries, also imposed a requirement for companies in those sectors to protect the security of personal data. Singapore has also focused on the financial services sector, but not in the context of privacy protection – Singapore’s e-security guidelines for financial services firms grow directly out of security concerns, not privacy concerns. There are also different approaches to translating a general security requirement into specific security steps. One approach for government cyber-security regulation is to address processes, not technologies. Another approach is to develop guidelines. These approaches can be complementary.

Europe has started by imposing security obligations on all entities that collect and process personal information. Article 17 of the EU Data Protection Directive requires that controllers of personal information take “appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”190 The Directive further states “such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be processed.” Canada takes a similar approach, requiring in general terms under its Personal Information Protection and Electronic Documents Act that private sector companies take security measures to protect personal information they hold.

The European Union has issued a somewhat more detailed directive specifically addressing security obligations in the electronic communications industry.191 Article 4(1) requires a provider of a publicly available electronic communications service to take appropriate technical and organisational measures to safeguard the security of its services (the services themselves, not only the personal data they carry), “if necessary in conjunction with the provider of the public communications network with respect to network security.” Article 4(2) adds that, where there is a particular risk of a breach of the security of the network, the provider must inform subscribers of that risk and, “where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.”192

How should these general requirements be translated into practice? Singapore offers one model, where the Monetary Authority of Singapore (MAS) has spelled out a comprehensive set of cyber-security recommendations in its Technology Risk Management Guidelines for Financial Institutions.193 The guidelines are aimed at promoting sound processes in managing technology risks and the implementation of security practices, but they are not mandatory. Instead, as the guidelines state, “MAS intends to incorporate these guidelines into supervisory expectations for the purpose of assessing the adequacy of technology risk controls and security measures adopted by financial institutions. Each institution can expect that MAS will take a keen interest as to how and to what extent it has achieved compliance with these guidelines…Financial institutions are encouraged to use their best endeavors to ensure compliance with these guidelines.”194 The guidelines are careful to state that they do not affect and should not be regarded as a statement of the standard of care that institutions owe to their customers.195 An appendix lists security practices for financial institutions, stating that financial institutions “should” adopt the practices.

190 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281/31, Nov. 23, 1995,

http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett.

191 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, Article 4(1), Official Journal L 201/37, July 31, 2002, at 37-47,

http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32002L0058&model=guichett. Also available at http://europa.eu.int/comm/internal_market/privacy/law_en.htm.

192 Id. at Article 4(2).

193 Technology Risk Management Guidelines for Financial Institutions, Monetary Authority of Singapore, Draft Nov. 11, 2002, http://www.mas.gov.sg/display.cfm?id=94D063CD-5EB6-4636-82B5A725F9F6E9F5

194 Id., para. 7.0.1, p. 11.

195 Id. at p. 25.

The practices include the following guidelines:

• Systems software and firewalls should be configured to the highest security settings consistent with the level of protection required, keeping abreast of enhancements, updates and patches recommended by system vendors;

• All default passwords for new systems should be changed immediately upon installation as they are mostly known by intruders at large;

• Firewalls should be installed between internal and external networks as well as between geographically separate sites; and

• Anti-virus software should be implemented.196
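The four practices above are concrete enough to be checked mechanically against an asset inventory. The following is an added example (Python), not code from the World Bank report or from the MAS guidelines: it audits a constructed inventory for factory-default passwords (by re-hashing a list of known defaults against each account's stored salted hash, so no plaintext is needed), patch levels below a vendor baseline, missing anti-virus, and missing firewalls between the zone pairs the guideline names. The inventory, the default-credential list, the patch baseline and the zone names are all constructed for illustration.

```python
"""Audit a host inventory against the four MAS practices listed above.

Added example, not code from the World Bank report or the MAS guidelines.
The inventory, default-credential list, patch baseline and zone pairs are
constructed; a real audit would take them from a configuration database,
a vendor default-password list and the vendors' patch advisories.
"""
import hashlib
import hmac

# Constructed: a few widely published factory credentials (illustrative only;
# a real list is long and vendor-specific).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("cisco", "cisco"),
}

# Constructed: latest vendor-recommended patch level for each package.
PATCH_BASELINE = {"fw-os": 7, "db-server": 12, "web-server": 3}

# Zone pairs the guideline says must be separated by a firewall:
# internal/external, and geographically separate sites.
REQUIRED_FIREWALL_PAIRS = [("internal", "external"), ("site-a", "site-b")]


def password_hash(username, password, salt):
    """Salted PBKDF2 hash as stored in the (constructed) inventory."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt + username.encode(), 10_000
    ).hex()


def uses_default_credential(account):
    """True if the stored hash matches a published default for that username."""
    for user, pwd in DEFAULT_CREDENTIALS:
        if user != account["username"]:
            continue
        candidate = password_hash(user, pwd, account["salt"])
        # Constant-time comparison, so the audit itself leaks nothing.
        if hmac.compare_digest(candidate, account["hash"]):
            return True
    return False


def audit_host(host):
    """Findings for one host; an empty list means the host passes."""
    findings = []
    for account in host["accounts"]:
        if uses_default_credential(account):
            findings.append(
                f"{host['name']}: account '{account['username']}' "
                "still uses a factory default password"
            )
    for package, level in host["patch_levels"].items():
        required = PATCH_BASELINE.get(package)
        if required is not None and level < required:
            findings.append(
                f"{host['name']}: {package} at patch level {level}, "
                f"vendor recommends {required}"
            )
    if not host["antivirus"]:
        findings.append(f"{host['name']}: no anti-virus software installed")
    return findings


def audit_network(hosts, firewalls):
    """Audit every host, then check firewall placement between zones."""
    findings = []
    for host in hosts:
        findings.extend(audit_host(host))
    # A firewall between zones A and B covers the pair in either order.
    protected = {frozenset(pair) for pair in firewalls}
    for zone_a, zone_b in REQUIRED_FIREWALL_PAIRS:
        if frozenset((zone_a, zone_b)) not in protected:
            findings.append(f"network: no firewall between {zone_a} and {zone_b}")
    return findings


# Constructed inventory: an appliance left on its factory login, a database
# server behind on patches and without anti-virus, no firewall on the
# inter-site link.
SALT = b"constructed-salt"
INVENTORY = [
    {
        "name": "edge-fw-1",
        "accounts": [{"username": "admin", "salt": SALT,
                      "hash": password_hash("admin", "admin", SALT)}],
        "patch_levels": {"fw-os": 7},
        "antivirus": True,
    },
    {
        "name": "db-1",
        "accounts": [{"username": "root", "salt": SALT,
                      "hash": password_hash("root", "Tq7#vL!2pRw9", SALT)}],
        "patch_levels": {"db-server": 11},
        "antivirus": False,
    },
]
FIREWALLS = [("external", "internal")]

if __name__ == "__main__":
    for finding in audit_network(INVENTORY, FIREWALLS):
        print(finding)
```

Run as a script it reports four findings for the constructed inventory: the firewall's unchanged admin password, the database server's lagging patch level and missing anti-virus, and the unprotected site-a/site-b link. Because the check works from stored hashes rather than plaintext, it can be run by an auditor who never sees the passwords themselves.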

The United States has taken a different approach, focusing on processes rather than technological practices. The Financial Services Modernization Act of 1999 (known popularly, after its lead sponsors in Congress, as the Gramm-Leach-Bliley Act) recognized that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.”197 Under the Act, regulators of financial institutions were required to issue regulations establishing administrative, technical, and physical safeguards for information security.198 The crucial point is this: the regulations that were issued do not say what the technical components of a safeguards program must be. Instead, they leave it to each business to decide which specific security measures are best for it.

Under the Act, the rules issued by the regulatory agencies for the financial services industry require banks to adopt security plans. The rules do not state what technical measures those plans must contain. The security program must:

• Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;

• Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and

• Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risk.199

Information security programs must be designed to control risks, commensurate with the sensitivity of the information and the complexity and scope of activities. The regulations require that certain fairly broad categories of security measures must be considered and, if appropriate, adopted:

• access controls on customer information systems (authentication and authorization);

• access restrictions at physical locations;

• encryption of electronic customer information;

• change management procedures;

• dual control procedures (segregation of duties and background checks) for employees with access to customer information;

• intrusion monitoring systems;

• intrusion response programs; and

• measures to protect against destruction, loss, or damage of customer information.

Additionally, under the regulations, staff must be trained in the implementation of the security program. Regular testing of the key controls, systems, and procedures must take place, with appropriate adjustments made to account for relevant changes in technology, the sensitivity of customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, and outsourcing arrangements.200 The rules also require the Boards of Directors of financial institutions to approve their institutions’ written security programs and to oversee the development, implementation, and maintenance of the program, including assigning specific responsibility for implementation and reviewing reports from management.

196 Id., Appendix C, p. 21. For further information on financial security, see Thomas Glaessner, Tom Kellermann, and Valerie McNevin, Electronic Security: Risk Mitigation in Financial Transactions—Public Policy Issues, The World Bank, June 2002, http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/(attachmentweb)/E-security-RiskMitigationversion3/$FILE/E-security-Risk+Mitigation+version+3.pdf; Thomas Glaessner, Tom Kellermann, and Valerie McNevin, Electronic Security: Risk Mitigation in Financial Transactions—Summary of Recent Research and Global Dialogues, The World Bank, May 2003, http://www.worldbank.org/wbi/B-SPAN/sub_e-security.htm

197 Gramm-Leach-Bliley Act, Title 15, United States Code, section 6801.

198 Gramm-Leach-Bliley Act, Title 15, United States Code, section 6805.

199 “Appendix B to Part 570—Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” Part III, http://www.occ.treas.gov/fr/fedregister/66fr8616.htm.

200 Id.

Similar rules issued by the Federal Trade Commission require that financial institutions under its purview develop a plan in which the institution must:

(1) designate one or more employees to coordinate the safeguards;

(2) identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;

(3) design and implement a safeguards program, and regularly monitor and test it;

(4) select appropriate service providers and contract with them to implement safeguards; and

(5) evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.201

A similar approach can be seen in the United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires healthcare institutions to institute security measures to ensure that patient information stored electronically remains confidential and free from unauthorized access. The security rule adopted under the Act202 requires the maintenance of reasonable and appropriate administrative, physical, and technical safeguards to protect the integrity and confidentiality of personal medical information and to protect against reasonably anticipated threats or hazards to the security or integrity of medical data or its unauthorized use or disclosure.203 The rule applies to data both in storage and in transit. It has 28 “standards” and 41 “implementation specifications.”204 It states that security practices should take into account the technical capabilities of record systems, the costs of security measures, the need for personnel training, and the value of audit trails in computerized record systems. The security rule identifies safeguards that are “required” and those that are “addressable.”

The core principles of the Security Rule require covered entities to:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.

• Ensure compliance with the Security Rule by its workforce.205

The Rule, however, allows flexibility:

• Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications.

• In deciding which security measures to use, a covered entity must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity.

(ii) The covered entity’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.206

Another approach is to require companies to disclose vulnerabilities and breaches publicly, both to inform the public and to prompt system operators to improve security. EU law obliges providers of publicly available electronic communications services to inform their subscribers of particular risks of a breach of network security and of any possible remedies, including the costs involved. In the United States, a California law that took effect on July 1, 2003 requires any company that owns, licenses, or maintains personal information of California residents to notify those residents if a security breach enables an unauthorized person to gain access to that information.207

201 See “Financial Institutions and Customer Data: Complying with the Safeguards Rule,” http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm; see also Standards for Safeguarding Customer Information, 67 Fed. Reg. 36484-94, May 23, 2002 (codified at 16 Code of Federal Regulations Part 314), http://www.ftc.gov/os/2002/05/67fr36585.pdf.

202 45 Code of Federal Regulations sections 160, 162, 164; http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp

203 See HIPAA, Title 42, United States Code section 1320d-2(d)(2).

204 Linda A. Malek and Brian R. Krex, “HIPAA’s security rule becomes effective 2005,” The National Law Journal, Mar. 31, 2003 at B14.

205 45 Code of Federal Regulations Section 164.306(a).

206 45 Code of Federal Regulations Section 164.306(b).

207 Security Breach Information Act (SB 1386), added to the California Civil Code as Section 1798.29; Thomas J. Smedinghoff, “Cybersecurity Disclosure Requirements: A New Trend?” Baker & McKenzie, Chicago (October 3, 2003), http://www.bmck.com/ecommerce/cybersecurity-disclosure-requirements.pdf.

Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
