Civil law might beat criminal law at protecting IT

Criminal prosecution of computer crime has expanded over the past two decades, but civil law holds more promise, some experts said at a recent Federal Information Assurance Conference at the University of Maryland.

'This is the golden age of hacking,' said John Sleggs, director of defense and intelligence programs at Netsec Inc. of Herndon, Va.

'There hasn't been enough of an effort to secure our systems' by top management, he said. 'This adds up to negligence.'

Sleggs predicted legislation would hold corporate directors and CIOs liable for inadequately safeguarding systems.

Criminal law covering cybercrime dates back to the Computer Fraud and Abuse Act of 1984, but for more than a decade it focused only on federal computers, said Patric Reynolds, the National Security Agency's associate general counsel for information assurance. He called 1996 amendments to the act 'a watershed' in extending coverage to computers involved in interstate commerce and communication.

The USA Patriot Act referred to some computer crimes as terrorism, and it broadened the definition of financial loss to include business opportunities lost to hacking.

Liability concerns

Reynolds said the growing reach of criminal statutes could result in liability laws that prod software vendors to improve.

Joshua R. Icore, senior business development director for homeland security initiatives and intelligence at Soza & Co. Ltd. of Fairfax, Va., said the wireless security dilemma 'will not get better because any vendor wants it to get better.'

Customers will have to demand it, he said, through enforceable service-level agreements that put the financial onus on product and service providers.

Criminal prosecution is complicated by jurisdictional problems, said Craig Phillippe, supervisory special agent of a new FBI computer intrusion unit.

'At the end of the day, you're going to find either a juvenile or somebody sitting behind a computer in Russia,' he said.

Richard W. Aldrich, a cyberlaw specialist at the Defense Information Systems Agency's Information Assurance Technology Analysis Center, said prospects are improving for international cooperation. Thirty-four countries have signed the Council of Europe's Convention on Cybercrime, he said.

Only one country has ratified the convention, however. It must be ratified by four more countries, at least three of them in the European Union, to take effect.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
