Cyber Security - the Laws that Govern Incident Response

Joel Michael Schwarz
Department of Justice
Computer Crime and Intellectual Property Section
Criminal Division
(202) 353-4253 / [email protected]
http://www.cybercrime.gov

Indiana University of Pennsylvania
April 7, 2006


Page 1: title slide (as above)

Page 2

Today’s goals:

1. An introduction to DOJ’s Computer Crime & Intellectual Property Section

2. Incident Response – Monitoring Communications and Traffic Data During an Incident

3. Disclosing Stored Communications and Documents (“ECPA”)

4. Interesting New Legal Developments – Using Programs or Commands to Cause Injury or Death

Page 3

1. U.S. Department of Justice’s Computer Crime & Intellectual Property Section (“CCIPS”)

CCIPS attorneys:

approximately 40 attorneys

many have received degrees in computer science, engineering, or other technical fields (many are former prosecutors)

advise federal prosecutors and law enforcement agents

investigate and litigate cases

primary prosecutors in cyber-crime cases (ex. hacking)

assist AUSAs in real-world crime investigations (ex. securing content of E-mail account to trace a kidnapper)

offer comments/advice on legislation & policy pertaining to technical/legal issues, computer crime and CIP

train law enforcement on cyber-investigation and other technical issues

Page 4

Today’s goals (agenda slide repeated as a section divider; see Page 2)

Page 5

2. Incident Response – Monitoring Communications During an Incident

Which statute applies depends on two things: whether the information sought is content or non-content (headers, logs, other information), and whether it is collected in real time or retrieved from storage.

| Type of information               | Real-time interception                     | Access to stored communications |
| Contents of communications        | Wiretap Act (18 USC §§ 2510-22)            | ECPA (18 USC §§ 2701-12)        |
| Headers, logs, and other information | Pen Register Statute (18 USC §§ 3121-27) | ECPA                            |

Page 6

2a. Monitoring During an Incident; Law Enforcement’s Role

• Procedural laws in the U.S. are designed to assist law enforcement in conducting investigations, securing evidence and tracking criminals

• These laws are set up using a type of hierarchy

• requiring different types of approvals depending upon the intrusiveness of the information being sought

• for example reading the content of someone’s E-mail is more invasive than merely looking at the path the E-mail took to be delivered to that person

• therefore securing the right to read E-mail content requires greater legal process, and a higher burden of proof on the part of a prosecutor, than securing the right to read the path that an E-mail took

Page 7

2b. Monitoring Communications During an Incident; The Tools

Part I. Obtaining Content of Communications - Wiretap

• Involves reading the content of communications in real-time

• Phone – install a device to listen in on the line
  • Ex. listen in on a phone conversation planning a bank job

• Computer – install a sniffer
  • Ex. read E-mail and IM of a kidnapper to learn where he is at the moment and what his plans are

• If law enforcement wishes to do this
  • Must secure a court order – this is a choice of last resort
  • high burden of proof

Page 8

2c. Monitoring Communications During an Incident; Generally

Without a court order - cannot intercept contents unless an exception applies; it’s a wiretap.

Three key exceptions (no REP, i.e. no reasonable expectation of privacy):

• Provider Exception, 18 U.S.C. § 2511(2)(a)(i)
  To protect the rights and property of the system under attack

• Consent, 18 U.S.C. § 2511(2)(c)
  Consent from one of the parties to the communication

• Computer Trespasser Exception, 18 U.S.C. § 2511(2)(i)
  Trespasser – accesses computer w/o authorization
  Can intercept information “transmitted to, through or from the protected computer”

Page 9

2d. Monitoring Communications During an Incident; Provider Exception

Allows system administrator to conduct reasonable monitoring:

• To protect provider’s “rights or property”; must be “substantial nexus” between the monitoring and the threat – cannot indiscriminately monitor (w/o consent)

• When done in normal course of employment, while engaged in any activity which is a “necessary incident to the rendition of . . . service” by provider

Is a limited exception. Not a criminal investigator’s privilege (cannot delegate to LE).

Provider may monitor the network to protect rights, and then disclose to law enforcement

Page 10

2e. Monitoring Communications During an Incident; Consent Exception

Banner the network:

  You have no reasonable expectation of privacy on this network. Your activities are monitored; results of monitoring may be disclosed to law enforcement; and your continued use of the network consents to such monitoring and disclosure.

Obtain the written consent of authorized users, through a click-through terms and conditions agreement or some type of written agreement (consult legal counsel).

Page 11

2f. Monitoring Communications During an Incident; Trespasser Exception

Allows law enforcement to intercept communications to or from “computer trespassers” 18 U.S.C. 2510(21)

Pre-PATRIOT Act, system owners could monitor systems to “protect property,”
  • was unclear whether they could use/disclose information to LE
  • would be as counterintuitive as requiring a warrant to assist a burglary victim

PATRIOT Act created the trespasser exception
  • Even if trespasser is using system as a pass-through to other down-stream victims

A “computer trespasser”
  • Is a person who accesses network “without authorization” and “thus has no reasonable expectation of privacy…”
  • Excludes a person known by the provider to have an existing contractual relationship with the provider for use of the system (even if contract is to access a different part of the system)

Page 12

2g. Tracing Traffic Data During an Incident; The Tools

Part II. Tracing Source/Destination of Communications – Pen/Trap

• The Pen Register, Trap and Trace Statute governs real-time monitoring of traffic data (e.g. most e-mail header information, source and destination IP address and port)
  • Pen Register: outgoing connection data
  • Trap and Trace: incoming connection data
  • Does not include content of communications (e.g. e-mail subject line or content of a downloaded file).

• If law enforcement wishes to get a court order – the burden of proof is lower than for reading content

Page 13

2h. Tracing Traffic Data During an Incident; Header Information (2)

Akin to the Wiretap Act, Pen/Trap also grants providers exceptions to the general restrictions on intercepting header info.

Exceptions:

• Provider exception is broad: can intercept if “relating to the operation, maintenance, and testing” of the service, or to protect the rights or property of the provider, or to protect users of that service from abuse of service or unlawful use of service

• Consent of user: to record the fact that a wire or electronic communication was initiated or completed

Page 14

Today’s goals (agenda slide repeated as a section divider; see Page 2)

Page 15

3a. Disclosing Stored Communications and Documents

Part III. Access To/Disclosure of Stored Communications

• ECPA (18 U.S.C 2701-11) governs access to and disclosure of stored files.
  • Provider/Customer/Government roles

• Cannot necessarily share stored files with others, including government

• Three main categories are covered
  • Communications/content (e.g., e-mail, voicemail, other files)
  • Transactional Data (e.g., logs reflecting with whom users communicated)
  • Subscriber/Session Information

Page 16

3b. Disclosing Stored Communications and Documents

What stored communications records can network operators voluntarily disclose?

First ask whether provider offers communications services to the public generally, or if it is a private provider:

• public provider - if services may be accessed by any user who complies with required procedure and pays any fees

• If not a public provider – ECPA doesn’t preclude from voluntarily disclosing to law enforcement or others

Examples:
• AOL is a public provider
• A company that provides e-mail and voice mail services to employees is a private provider

Page 17

3c. Disclosing Stored Communications and Documents

When providing E-mail services, or other stored communication services (such as letting a student store files, web pages, etc.), what records can network operators voluntarily disclose?

If you are a private provider (i.e. non-public), you may voluntarily disclose all without violating ECPA:

• Content (e.g., the stored e-mail or voice mail)
• Transactional data
• User information

Private providers may voluntarily disclose to government and non-government alike

Page 18

3d. Disclosing Stored Communications and Documents

Distinguish between “public” and “private” providers in the University/Educational Institution Context:

• Universities that provide services to only students, faculty and alumni are probably not considered “public” providers

• Universities that make their services available to others, such as selling E-mail services or accounts to others (other than students, faculty and alumni), may begin to cross the line into the realm of being considered “public” for ECPA purposes

Page 19

3e. Disclosing Stored Communications and Documents

Educational Institutions – Special Considerations:

Keep in mind:

• although voluntary disclosure of this information (i.e. subscriber, transactional and content records) by private providers is not prohibited by ECPA

• this information may be covered under other laws that pertain to educational institutions

• for example - laws pertaining to student records under the Family Educational Rights and Privacy Act (“FERPA”) may apply

Page 20

3f. Disclosing Stored Communications and Documents

A public provider must look to statutory exceptions before disclosing a user’s content or non-content to government

Public provider may voluntarily disclose the content of communications when:

• Consent to do so exists (e.g., via banner or TOS)

• Necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service

• Contents inadvertently obtained & pertain to commission of a crime (to law enforcement)

• Provider has “good faith” belief that an emergency involving immediate danger of death or serious physical injury requires disclosure (to governmental entity)

Page 21

3g. Disclosing Stored Communications and Documents

Public provider may voluntarily disclose non-content records concerning a customer or subscriber (i.e. transactional or subscriber information):

• When consent to do so exists (e.g., via banner or TOS)

• To protect provider’s rights and property

• To the government if provider reasonably believes an emergency involving immediate danger of death or serious physical injury requires disclosure

• To any person other than a governmental entity

Page 22

3h. Overview: What stored communications records can non-public providers be compelled to disclose to the government (and how can this be compelled)?

| Record type                                  | Simplest process that satisfies ECPA     |
| Content – Unread E-mail (<= 180 days)        | Search Warrant                           |
| Content – Unread E-mail (>180 days)          | Subpoena (with notice to the subscriber) |
| Stored Content/Files and Read E-mail         | Subpoena (ECPA doesn’t apply)            |
| Transactional Records (sites visited, etc.)  | Court Order (potentially, with notice)   |
| Subscriber Information                       | Subpoena                                 |

NOTE: The process indicated in each of the above cases is the simplest form of process that may be used (ex. where a subpoena is required, a court order, a process with more procedural protections, will also satisfy ECPA)

Page 23

3i. Notice to Subscriber

When “notice” to subscriber is required, may delay notice 90 days to avoid:

• flight from prosecution
• destruction of or tampering with evidence
• intimidation of potential witnesses
• seriously jeopardizing an investigation

May extend delay an additional 90 days (if court order, notice may be delayed until judge/court orders otherwise)

Page 24

3j. Compelling Production – Basic Subscriber Information

Can be obtained through subpoena (18 U.S.C. § 2703(c)(2))

Gives you:

Name & address

Local and LD telephone toll billing records

Telephone number or other account identifier (such as username or “screen name”)

Length & type of service provided

Session times and duration

Temporarily assigned network address

Means and source of payment

Page 25

3k. Provider Preservation of Data

• 2703(f) Request requires provider to preserve records for 90 days while you seek appropriate paper

• Duty extends only to records in provider’s possession at time of request, not future information

• Can extend

• No duty of confidentiality

• Be aware of limitations of provider in preserving (i.e. system requirements may cause a change to an account and alert the subscriber – ask the provider about any limitations)

Page 26

3l. Disclosing Stored Communications and Documents

A provider’s good faith on legal process and statutory authorization in preserving and/or disclosing information confers complete immunity to any civil or criminal action against the provider.

Page 27

Today’s goals (agenda slide repeated as a section divider; see Page 2)

Page 28

4a. Punishment Issues

Some countries have increased penalties when harm leads to serious injury or death

United States

• causing or attempting to cause serious bodily injury by the transmission of a “program, information, code, or command,” raises the potential penalty up to 20 years

• causing or attempting to cause death by the transmission of a “program, information, code, or command,” raises the potential penalty up to life in prison

Page 29

4b. Punishment Issues

How can someone cause serious injury or death with a computer code or command?

• SoBig virus/worm shut down train signaling systems throughout the East of the US, covering 23 states (transportation CIP)

• Slammer worm disabled a safety monitoring system in a nuclear power plant in Ohio for nearly 5 hours, which, luckily, posed no safety hazard since the plant had been offline since an earlier date (energy CIP)

• LovSan/Blaster worm knocked out a dispatching system used by state police troopers in Illinois – even though the system was not connected to the ‘Net (emergency services CIP)

Page 30

4c. Punishment Issues

A quote from an MSNBC news article on a Romanian hacker case handled by an FBI Special Agent:

“It was nearly 70 degrees below zero outside, but the e-mail on a computer at the South Pole Research Center sent a different kind of chill through the scientists inside. `I’ve hacked into the server. Pay me off or I’ll sell the station’s data to another country and tell the world how vulnerable you are,’ the message warned. Proving it was no hoax, the message included scientific data showing the extortionist had roamed freely around the server, which controlled the 50 researchers’ life-support systems”

Page 31

Joel Michael Schwarz - Computer Crime Section: (202) 353-4253

E-Mail: [email protected]
Web site: www.cybercrime.gov

THE END