Registered Students login to NYLS Portal for updated Course Information and Reading Assignments.
UNIT 07:
Infrastructure and Information Security; Risk Management
PONDERABLES:
Who is responsible for security if 90% of the infrastructure is in the private sector? Who pays? The economics of security. Understand the concept of lowest cost avoider.
REQUIRED READING:
CASEBOOK: David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109):
Chapter 10, Employees, Policies, and Risk Management, pp. 345-370 (social engineering; risk management),
Chapter 11, Infrastructure Security, pp. 371-400 (Presidential Decision Directive PDD 63), and
Chapter 12, Technical Means of Protecting Information, pp. 401-448 (AZ v. Moran; NIST; Ziff Davis; cryptography; biometrics).
Curtis E.A. Karnow, "Counterstrike," 135-150 in Cybercrime, (Jack Balkin, et al. eds., NYU Press 2007).
Thomas J. Smedinghoff, "Symposium: E-Commerce: Challenges To Privacy, Integrity, And Security In A Borderless World: It's All About Trust: The Expanding Scope Of Security Obligations In Global Privacy And E-Transactions Law," 16 Mich. St. J. Int'l L. 1 (2007).
STATUTES:
Federal Information Security Management Act of 2002 ("FISMA").
Digigtal Millenium Copyright Act ("DMCA") (anti-circumvention provisions)
17 U.S.C. § 1201. Circumvention of copyright protection systems.
Gramm-Leach-Bliley Act (the "GLB Act"), 15 U.S.C. § 6801 ("Protection of nonpublic personal [financial] information").
Health Insurance Portability and Accountability Act (HIPAA) Pub. L. 104-191, 110 Stat. 1936 (1996) (health information) ("The HIPAA Security Rule: Health Insurance Reform: Security Standards, February 20, 2003, 68 FR 8334").
- HHS Standards for Privacy of Individually Identifiable Health Information; Final Rule: 45 CFR Parts 160 and 164
- HHS Security Standards; Final Rule: 45 CFR Parts 160, 162, and 164
DIRECTIVES:
National Security Presidential Directive 54 (NSPD 54)/Homeland Security Presidential Directive 23 (HSPD 23) ("Comprehensive National Cybersecurity Initiative") (Jan. 8, 2008). See DHS Fact Sheet: Protecting Our Federal Networks Against Cyber Attacks (Apr. 8, 2008)
Presidential Decision Directive (PDD 63) Critical Infrastructure Protection (May 1998).
Executive Order 13231 Critical Infrastructure Protection in the Information Age (Oct. 16, 2001).
GOVERNMENT REPORTS:
Government Accounting Office (GAO-07-39) CRITICAL INFRASTRUCTURE PROTECTION Progress Coordinating Government and Private Sector Efforts Varies by Sectors’ Characteristics (October 2006) (plans for protecting the nation’s critical information technology networks and systems are focused on developing resiliency and quick recovery rather than on safeguarding against every type of threat).
Government Accounting Office (GAO-05-434) CRITICAL INFRASTRUCTURE PROTECTION Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities (May 2005).
Government Accounting Office (GAO-04-354) CRITICAL INFRASTRUCTURE PROTECTION Challenges and Efforts to Secure Control Systems (Mar. 2004).
Congressional Reporting Service (CRS RL32114) Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress (Oct. 17, 2003).
REPORTS of the Commission on Cybersecurity for the 44th Presidency:
"Securing Cyberspace for the 44th Presidency," A Report of the CSIS Commission on Cybersecurity for the 44th Presidency (Dec. 2008).
"Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance," Commission on Cybersecurity for the 44th Presidency (Draft Feb. 23, 2009).
SECURITY STANDARDS:
DAN CATERINICCHIA, "New Cyber-Security Rules for Power Cos." Washington Post (Jan. 18, 2008) ("Federal regulators on Thursday approved the first cyber-security standards for the nation's electric industry, following growing concerns about the power grid's vulnerabilities. ... The power grid, generating plants and refineries face are increasingly threatened from hackers who could cause major disruptions and economic chaos in the U.S., the Government Accountability Office said in October.").
TORT LIABILITY FOR DATA BREACHES (Case Study):
Query: should there be a presumption of negligence for unencrypted data?
Guin v. Brazos Higher Ed. Service Corp., Civ. No. 05-668 (RHK/JSM) (Minn. 2006) (2006 U.S. Dist. LEXIS 4846) (no duty to use encryption under Gramm-Leach-Bliley).
Mark Rash, "Strict liability for data breaches?" Security Focus (Feb. 20, 2006) ("A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new night on what "reasonable" protections a company must make to secure its customer data - and what customers need to prove in order to sue for damages.")
Eric Sinrod, "A Federal Court Rules That A Financial Institution Has No Duty To Encrypt A Customer Database," FindLaw (Feb. 20, 2006) ("In a legal decision that could have broad implications for financial institutions, a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands.")
See also: "Citibank admits: we've lost the backup tape," The Registar (Jun. 7, 2005); "Missing data is latest in rash of breaches," Baltimore sun (Jun. 8, 2005).
ADDITIONAL READING:
National Strategy to Secure Cyberspace (Feb. 2003).
National Infrastructure Advisory Council (DHS) Website.
Bruce Schneier, "Quickest Patch Ever," WIRED (Sept. 7, 2006) ("If you really want to see Microsoft scramble to patch a hole in its software, don't look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond's DRM.")
Mary Mosquera, "Commerce uses encryption to help steel notebooks," Federal Computer Week (Jan. 22, 2007) ("With thefts of notebook PCs a leading cause of data breaches, the Commerce Department is encrypting its mobile hard drives to lock up files and data."
Brad Stone, "A Lively Market, Legal and Not, for Software Bugs," NY Times (Jan. 30, 2007) ("software vulnerabilities — as with stolen credit-card numbers and spammable e-mail addresses — carry real financial value. They are commonly bought, sold and traded online, both by legitimate security companies, which say they are providing a service, and by nefarious hackers and thieves.")
Ellen Messmer, "U.S. cyber counterattack: Bomb 'em one way or the other," NetworkWorld (Feb. 2, 2007) ("If the United States found itself under a major cyberattack aimed at undermining the nation’s critical information infrastructure, the Department of Defense is prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source.")
Anne Broache, "Data breach bills resurface in Congress,' CNET News (Feb. 6, 2007) ("Concealing security breaches in which personal consumer information may have been swiped could carry prison time under a pair of sweeping proposals that resurfaced Tuesday in Congress.")
Ellen Nakashima, "Bush Order Expands Network Monitoring: Intelligence Agencies to Track Intrusions," Washington Post (Jan. 26, 2008) ("President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems. The [classified] directive ... authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies. ... The NSA has particular expertise in monitoring ... communications systems -- traditionally overseas. The prospect of aiming that power at domestic networks is raising concerns, just as the NSA's role in the government's warrantless domestic-surveillance program has been controversial.")
Jill R. Aitoro, "Industry experts question $6 billion Bush cybersecurity plan," GovExec.com (Jan. 29, 2008) ("... the administration plans to reduce access points from the Internet to government networks and better monitor intrusion attempts through the use of network sensors that detect suspicious patterns. Once implemented in government, the program would be adapted to private networks. ... Some argue that a focus on intrusion detection alone is not enough. ... Intrusion protection and detection machines are only one piece of the puzzle ... the source of data -- the operating systems and applications themselves -- [are] equally if not more vulnerable.")
Jason Miller, "OMB does not support bill to update FISMA," FCW.com (Feb. 14, 2008) ("The ... administration doesn't support legislation introduced late last year that would modify the Federal Information Security Management Act").
Jason Miller, "Experts find fault with cyberdirective: Intelligence monitoring authorization reverses 20 years of policy and laws, critics contend," FCW.com (Feb. 18, 2008) ("When President Bush issued a classified cybersecurity directive early last month, he reversed 21 years of policy that had prevented the Defense Department and the National Security Agency from having oversight of civilian agency networks. ... [Critics contend that the directive] violates the Computer Security Act of 1987, the Federal Information Security Management Act of 2002 and the Privacy Act of 1974.")
Brian Robinson, "Unlocking the national cybersecurity initiative," Federal Computer Week Sep 17, 2008. ("In April, DHS published a fact sheet about the Comprehensive National Cybersecurity Initiative (CNCI) that listed various measures that were being taken to prevent future attacks on U.S. computer systems, including the expansion of several existing programs and the creation of a National Cybersecurity Center (NCSC), which will serve as the focus for improving federal government network defenses. ")
SIOBHAN GORMAN, "Hathaway to Head Cybersecurity Post," Wall St. J. (Feb 8, 2009).
Jill R. Aitoro, "Group unveils security controls to thwart cyberattacks," NextGov.com )Feb. 23, 2009) ("A consortium of federal agencies and private organizations released a set of guidelines on Monday aimed at protecting data and information systems from cyberattacks. The list of security controls eventually will be compared to global audit guidelines to determine whether they should be incorporated into assessments of information security.")
Jill R. Aitoro, "Obama proposes big increase in cybersecurity spending at DHS," NextGov.com (Feb. 26, 2009) ("President Obama proposed a 21 percent increase in the Homeland Security Department's fiscal 2010 cybersecurity budget, but how the funds would be distributed remains unclear ...")
OPTIONAL READING ON DETERRENCE:
K. A. Taipale, Cyber-Deterrence in Law, Policy and Technology: Cyberterorrism, Information Warfare, Digital and Internet Immobilization (IGI Global 2010).
OPTIONAL READING ON RISK:
Cass R. Sunstein, Terrorism and Probability Neglect, 26 JOURNAL OF RISK AND UNCERTAINTY 121 (2003), reprinted in THE RISKS OF TERRORISM (W. Kip Viscusi ed. 2003) .
Cass R. Sunstein, Probability Neglect: Emotions, Worst Cases, and Law, U. Chicago L. & Econ., Olin Working Paper No. 138. (November 2001) available at http://ssrn.com/abstract=292149.
Cass R. Sunstein, RISK AND REASON (Cambridge 2002) (ISBN:0521016258).
Much of Sunstein’s work in this area builds on that of Amos Tversky and Daniel Kahneman. See generally Amos Tversky & Daniel Kahneman, Judgment under Uncertainty: Heuristics and Biases, 185 SCIENCE 1124 (1974); JUDGMENT UNDER UNCERTAINTY: HEURISTICS AND BIASES, (Daniel Kahneman, Paul Slovac & Amos Tversky, eds., 1982).
K. A. Taipale, Technology, Security and Privacy: The Fear of Frankenstein, the Mythology of Privacy, and the Lessons of King Ludd, 7 Yale J. L. & Tech. 123, 133-136; 9 Intl. J. Comm. L. & Pol'y 8 (Dec. 2004) (excerpt pp. 133-136).
OPTIONAL READING ON SECURITY:
NIST Information Security Handbook: A Guide for Managers, Nov. 7, 2006. (Download PDF) ("NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers. The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations.").
Dan Geer, "The Shrinking Perimeter of Defense: Making the Case for Data-Level Risk Management" (2004).
Dan Geer, "Securing the Point of Use: The New Foundation for Data Security" (2005).
Dan Geer, et al., "Cyber Insecurity: The Cost of Monopoly" (2005).
Dan Geer, schmoocon presentation 13i06 (2006) [slides] [text].
Bruce Schneier, Crypto-Gram, http://www.schneier.com/crypto-gram.html.
Bruce Schneier, BEYOND FEAR (2004) (ISBN:0387026207).
Bruse Schneier, SECRETS & LIES: DIGITAL SECURITY IN A NETWORKED WORLD (2000) (ISBN:0471453803).
Anthony H. Cordesman, CYBER-THREATS, INFORMATION WARFARE, AND CRITICAL INFRASTRUCTURE PROTECTION: DEFENDING THE US HOMELAND (2002) (ISBN:0275974235).
Hal Varian, "Managing Online Security Risks," N.Y. Times (Jun. 1, 2000).
Ross Anderson, "Economics and Security Resources Page," Univ. of Cambridge (see, in particular, "Why Information Security is Hard - An Economic Perspective").
Bruce Schneier, "Information Security and Externalities," Schneier on Security Weblog (Jan. 18, 2007) ("Information security is not a technological problem. It is an economics problem. And the way to improve information security is to fix the economics problem.").
OPTIONAL READING ON BIOMETRICS:
National Research Council of the National Academies, Summary of a Workshop on the Technology, Policy, and Cultural Dimensions of Biometric Systems (2006) (Whither Biometrics?)
K. A. Taipale, Presentation: Technology, Policy, and Cultural Dimensions of Biometric Systems: Information Sharing, Biometric Systems: Workshop, National Academy of Sciences (2005). [slides]
Registered Students login to NYLS Portal for updated Reading Assignments.
Course Outline/Class Units
Registererd NYLS students login to my.nyls.edu for updated outline and assignments.
- Overview, What is Cybercrime?
- Computer Intrusions and Attacks (Unauthorized Access)
- Computer Viruses, Time Bombs, Trojans, Malicious Code (Malware)
- Online Fraud and Identity Theft; Intellectual Property Theft; Virtual Crime
- Online Vice: Gambling; Pornography; Child Exploitation
- International Aspects and Jurisdiction
- Infrastructure and Information Security; Risk Management
- Investigating Cybercrime: Digital Evidence and Computer Forensics
- Interception, Search and Seizure, and Surveillance
- Information Warfare, Cyberterrorism, and Hacktivism
- Terrorism, Radicalization, and The War of Ideas
- Trade Secret Theft and Economic Espionage
- National Security
- Case Study: CALEA, VoIP
Course Information
- PAPER RESEARCH
- USEFUL LINKS FOR DEFINING TECHNICAL TERMS
- COURSE SUBTEXT AND OPTIONAL BACKGROUND MATERIAL
Registered Students login to NYLS Portal for updated Reading Assignments.
All original material on this or any linked page is copyright the Center for Advanced Studies in Science and Technology Policy © 2003-2009. Permission is granted to reproduce this material in whole or in part for non-commercial purposes, provided it is with proper citation and attribution.
|
