-
Introduction
As mentioned in the previous chapter, a penetration tester must understand the legal implications of hacking a network, even in an ethical manner. The laws applicable to hacking are mainly defined in the Computer Misuse Act 1990 and the Police and Justice Act 2006, which includes anti-hacking legislation. Other laws, such as the Data Protection Act, are also extremely relevant.
-
Cybercrime
Before explaining the UK laws, it is important to define and explain the concept of cybercrime, which according to the statistics given by the UK Government in 2015 [1] is increasing steadily.
Cybercrime is any criminal activity completed using computers and the Internet. This includes anything from downloading illegal music files to stealing money from bank accounts. Cybercrime also includes non-monetary offences, such as creating and distributing viruses on other computers or posting confidential business information on the Internet. In general terms, as explained in [2], cybercrime can be separated into two main categories:
- Crimes facilitated by use of a computer: A computer, mobile phone or any other digital device is used to store, manipulate, and distribute data related to a criminal activity.
- Crimes where the computer is the target: Attacks against computer systems from criminals.
Generally, crimes related to the first category are traditional crimes such as fraud, theft, etc. Many of these are now perpetrated within cyberspace and as such they are referred to as cybercrime or computer crimes.
On the other hand, crimes in the second category are committed using computer systems against other computer systems. Think of Denial of Service (DoS) attacks, stealing data stored on a remote computer (i.e. hacking), etc.
Perhaps one of the most prominent forms of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. Two of the most common ways this is done are phishing and pharming. Both of these methods lure users to fake websites (that appear to be legitimate), where they are asked to enter personal information. This includes login information, such as usernames and passwords, phone numbers, addresses, credit card numbers, bank account numbers, and other information criminals can use to "steal" another person's identity. For this reason, it is important to always check the URL or Web address of a site to make sure it is legitimate before entering your personal information.
-
Laws and ethics
There are two main approaches to human controls which define correct social behaviour. These are also applicable in Digital Security and they are:
- Legal System - has adapted quite well to information and communication technology by reusing some old forms of legal protection (copyrights, patents, ...) and by creating laws where no adequate ones existed (malicious access, ...)
- Ethics - can be applied without changes, since ethics is more situational and personal than the law.
-
Legal System - Relevant Laws
Laws regarding technology and computer hacking continue to change rapidly. Laws are specific to a particular country and change from place to place (e.g. Scotland's legal system is different from that in England). A penetration tester should know the penalties for unauthorised hacking in the country in which he/she is practising. It is their responsibility to be aware of and understand what is legal and what is not allowed. Penetration testers need to be judicious with their hacking skills and recognise the consequences of misusing those skills. Governments are very serious about punishment for cybercrimes.
Computer Misuse Act
In the UK, one of the most relevant laws which applies to cybercrime is the Computer Misuse Act 1990 [9]. This specifies three main sections:
1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
Two additional sections were later added to the Act. The latest, in 2015, was added by the Serious Crime Act. This is defined as 3ZA (Unauthorised acts causing, or creating risk of, serious damage).
Earlier, in 2006, Section 37 of the Police & Justice Act inserted a new section (3A) into the Computer Misuse Act 1990. This specifies that it is illegal to make, supply or obtain articles for use in an offence under section 1, 3 or 3ZA.
Notice that these sections offer little practical distinction between a hacking tool and one used by system administrators and digital investigators!
Data Protection Laws
Another piece of legislation that you, as a cyber security professional, should be aware of is the Data Protection Act 1998. As this is quite complex legislation, we only introduce the main principles. The law was designed to protect personal data stored by a third party and defines the concept of Personal Data (i.e. data from which a living individual can be identified). For instance, take a person's name, address and date of birth. Only together can they be used to identify you, and only together do they constitute personal data. Each piece of data on its own is not enough to identify someone and as a consequence should not be considered personal data.
The Act also specifies the concept of Sensitive Personal Data. This is personal data consisting of information as to racial or ethnic origin, political opinions, religion, health, sex life or criminal activity. As a consequence, it needs to be treated with greater care than other personal data. This is because information about these matters could be used in a discriminatory way, and is likely to be of a private nature.
What activities are regulated by the DPA? The Act regulates the “processing” of personal data and it is the Information Commissioner (and his/her office) who has power to enforce the Act.
The Data Protection Act contains Eight Key Principles. The principles state that personal information must:
1. be processed fairly and lawfully
2. be processed for specified lawful purposes
3. be adequate, relevant and not excessive
4. be accurate and up to date
5. not be kept for any longer than is necessary
6. be processed in accordance with the rights of individuals
7. be kept secure
8. not be transferred outside the European Economic Area without adequate protection
Earlier this year, specifically in May of 2018, the DPA 1998 was superseded by the DPA 2018, based on the General Data Protection Regulation or GDPR. The GDPR expands the number of data protection obligations required of companies and strengthens rights, many of which already existed under the Data Protection Directive.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches, considering that the data-driven world we live in is very different from when the previous legislation was established in 1995. The key principles of data privacy are still the same. However, many changes have been implemented. These are summarised below. Their explanation is taken from the EUGDPR Information Portal [8]. For further information, check the reference section.
Increased Territorial Scope
Probably the biggest change to the Data Protection regulation is the extended jurisdiction that exists with the GDPR. This applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location.
Penalties
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Consent
The request for consent must be given in a clear and easily accessible form, with the purpose for data processing explained. Consent must also be as easy to withdraw as it is to give.
Breach Notification
Notification of a breach has become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.
Right to Access
Data subjects have the right to obtain confirmation that their personal data is being processed from the data controller, where and for what purpose. Additionally, the controller must provide, upon request, a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten
The right to be forgotten enables data subjects to have their personal data erased, cease further distribution of their data and have third parties stop processing of the data.
Data Portability
This is the right for a data subject to receive the personal data concerning them and have the right to transmit that data to another controller.
Privacy by Design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.
Data Protection Officers
A Data Protection Officer or DPO must be appointed for those controllers and processors whose main activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
-
International Laws
Where the Internet is concerned, legislation is often the weakest form of protection. Since international boundaries are relatively meaningless, there are difficulties in defining the jurisdiction of courts.
The UK has also signed a number of international treaties, including membership of the United Nations, the International Court of Justice, the International Criminal Court, and the Commission for International Trade Law. Additionally, the UK is a signatory to the Cybercrime Treaty of 2001 in Budapest [4].
There are also many bilateral agreements, i.e. treaties with just one other signatory. For example, the basis upon which law enforcement agencies co-operate relies on extradition and mutual legal assistance treaties.
The Computer Misuse Act 1990 is unusual in that it extends the court's jurisdiction to events occurring outside the UK: the test is that there must be a significant link (sections 4 & 5). However, there is no obligation to prosecute just because such a link exists.
-
Ethical Issues
It is impossible to develop laws to describe and enforce all forms of behaviour acceptable to society. Instead, a society relies on ethics and moral principles to prescribe generally accepted standards of proper behaviour.
Ethics is concerned with standards of behaviour and considerations of what is "right" and what is "wrong." It is difficult to state hard ethical rules because definitions of ethical behaviour are a function of an individual's experience, background, nationality, belief, culture, values, etc. Ethics is not universal.
Ethical computing should incorporate ethical norms. Furthermore, if an individual is a certified professional in ethical computing or information systems security, that individual is required to adhere to higher ethical and legal standards than non-certified personnel. For instance, if you are a member of the British Computer Society you are obliged to adhere to their ethical code.
-
Laws & Ethics
Law                                                 | Ethics
Described by formal written documents               | Generally described by unwritten principles
Interpreted by courts                               | Interpreted by each individual
Established by legislature representing all people  | Presented by philosophies, religions, professional groups
Applicable to everyone                              | Personal choice
Courts are final arbiter of "right"                 | No external arbiter
Enforcement by police and courts                    | Limited enforcement
-
Conclusion
Overall, the main point that you need to remember is to recognise the importance of a basic knowledge of the laws under which an IT security professional operates. In the UK (and the EU) you need to be aware, particularly, of the laws related to hacking and data protection. The new GDPR legislation is considered the strongest in the world at this point, and data protection is something every IT security professional needs to have a good working knowledge of.
Additionally, you need to keep in mind that prosecutors will use other existing laws to address the majority of cybercrimes. In most cases, cybercrimes are just age-old crimes committed using a new technology. For instance, an online fraud is likely to be prosecuted under the Fraud Act 2006. Check the reference section if you want to investigate this area further.
-
References and further readings
[1] UK Government, Department for Business, Innovation & Skills. Information security breaches survey 2015. 4 June 2015. Available at: https://www.gov.uk/government/publications/information-security-breaches-survey-2015
[2] Author Unknown, Network Defense, Security Policy and Threats, EC-Council Press, 2011.
[3] Definitions of all UK cyber laws can be viewed on the legislation.gov.uk web site. Available at: http://www.legislation.gov.uk/
[4] Council of Europe, Convention on Cybercrime, Budapest, 2001. Available at: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf
[5] Wikipedia, Convention on Cybercrime. Available at: https://en.wikipedia.org/wiki/Convention_on_Cybercrime
[6] The National Archives, Data Protection Act 2018. Available at: http://www.legislation.gov.uk/ukpga/2018/12/contents
[7] Information Commissioner's Office (ICO), Guide to the General Data Protection Regulation (GDPR), 2018. Available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
[8] EUGDPR Information Portal, GDPR Key Changes. Available at: https://www.eugdpr.org/key-changes.html
[9] The National Archives, Computer Misuse Act 1990. Available at: http://www.legislation.gov.uk/ukpga/1990/18/contents
-
Quiz
1. Define the five offences stated by the Computer Misuse Act 1990, as updated by the Police and Justice Act 2006 and by Serious Crime Act 2015 related to unauthorised access to computer systems. Provide brief examples of activities that would violate the four main sections of the Act.
- Answer:
- Section 1: Unauthorised Access to Computer Material - violated by deliberately accessing a system using a username and password that you know you should not use.
- Section 2: Unauthorised access with intent to commit or facilitate commission of further offences - violated by accessing a system while intending to do some other deed beyond just navigating the contents.
- Section 3: Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc. - violated by acts such as denial of service attacks and other forms of computer bombardment.
- Section 3A: Making, supplying or obtaining articles for use in offence under section 1 or 3 - violated by the creation, distribution and application of hacking tools.
- Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage. This is aimed at attacks against critical national infrastructure.
2. In the context of Data Protection, explain the concept of Personal Data.
3. Provide a simple definition of Sensitive Personal Data.
Answer:
Sensitive personal data is personal data consisting of information as to racial or ethnic origin, political opinions, religion, health, sex life or criminal activity.
4. What is the role of ethics in the context of penetration testing?
Answer:
Ethics is concerned with standards of behaviour and considerations of what is “right” and what is “wrong”. It is difficult to state hard ethical rules because definitions of ethical behaviour are a function of an individual’s experience, background, nationality, beliefs, culture, values, etc. In penetration testing when in a situation where legality is unclear, ethical judgement should be used.