Computer Security And The Law :: essays research papers

I. Introduction You are a computer administrator for a large manufacturing company. In the middle of a production run, all the mainframes on a crucial network grind to a halt. Production is delayed costing your company millions of dollars. Upon investigating, you find that a virus was released into the network through a specific account. When you confront the owner of the account, he claims he neither wrote nor released the virus, but he admits that he has distributed his password to "friends" who need ready access to his data files. Is he liable for the loss suffered by your company? In whole or in part? And if in part, for how much? These and related questions are the subject of computer law. The answers may very depending in which state the crime was committed and the judge who presides at the trial. Computer security law is new field, and the legal establishment has yet to reach broad agreement on may key issues. Advances in computer security law have been impeded by the reluctance on the part of lawyers and judges to grapple with the technical side of computer security issues[1]. This problem could be mitigated by involving technical computer security professional in the development of computer security law and public policy. This paper is meant to help bridge to gap between technical and legal computer security communities. II. THE TECHNOLOGICAL PERSPECTIVE A. The Objectives of Computer Security The principal objective of computer security is to protect and assure the confidentiality, integrity, and availability of automated information systems and the data they contain. Each of these terms has a precise meaning which is grounded in basic technical ideas about the flow of information in automated information systems. B. Basic Concepts There is a broad, top-level consensus regarding the meaning of most technical computer security concepts. This is partly because of government involvement in proposing, coordinating, and publishing the definitions of basic terms[2]. The meanings of the terms used in government directives and regulations are generally made to be consistent with past usage. This is not to say that there is no disagreement over the definitions in the technical community. Rather, the range of such disagreement is much narrower than in the legal community. For example there is presently no legal consensus on exactly what constitutes a computer[3]. The term used to establish the scope of computer security is "automated information system," often abbreviated "AIS." An Ais is an assembly of electronic equipment, hardware, software, and firmware configured to collect, create, communicate, disseminate, process, store and control data or information. This includes numerous items beyond the central processing unit and associated