Legal vs. Ethical Aspects of Information Assurance and Security
Title 18 of the United States Code (USC), section 1030, outlines a variety of fraud and related activities deemed illegal under federal law, each of which undermines the basic goals of information assurance and security. More specifically, each sub-paragraph of the law refines the range of prohibited activities. Examples include the use of any computer system to commit espionage or to engage in unauthorized access (trespassing, a.k.a. hacking) in order to obtain certain types of government-related data or credit, financial, or commercial information. Additionally, anyone who attempts to access a federal information system without permission and/or authorization, who commits fraud by that means, or who illegally obtains passwords or other credentials in order to gain access to or threaten a federal information system is in violation of this law regardless of actual intent.
Real-life Cases with Legal Ramifications
A couple of real-life examples come to mind as they relate to this and other US laws with similar verbiage and legal ramifications. Of particular interest is the WikiLeaks case involving Julian Assange and the former Military Intelligence soldier Bradley Manning. The indictment of Assange in May 2019 paints a clear picture of the alleged (yet obvious) violation of multiple sub-sections of section 1030, under which Assange has been charged with conspiracy to commit computer intrusion as well as multiple other cybercrimes. The question is whether cybercrimes such as this, which involve the disclosure of US government data and assets classified as a potential risk to national security, actually coincide with the data's classification level. Did the information leaked by Assange actually harm the national security of the United States?
What about the former intelligence analyst for the NSA, Russell D. Tice, who claimed that the NSA and the DIA were wiretapping American citizens unlawfully and unconstitutionally? He also acknowledged being one of the sources for the wiretapping activities reported by the New York Times in 2005. Compare Tice's actions to those of Eric Ciaramella, a former CIA analyst and National Security Council staffer, who is believed to be the whistleblower on alleged illegal activities that transpired at the White House during a phone call between the President and a Ukrainian official. Although the specific types of data leaked differ in each example, the same question applies to both: legal, ethical, or neither? The difference between these examples is that Ciaramella and Tice currently face no legal ramifications under whistleblower protection laws, while Assange has already been sentenced.
Maintaining information security and assurance while distinguishing between the varying degrees of potentially sensitive information transmitted and stored on government information systems can be challenging, especially as it pertains to current laws. Some say much of the data processed by the government has been over-classified for unknown reasons. A number of legal experts have agreed that the current federal laws outlining what can and cannot be done with an information system were written in a very different time and with a different intent than how such systems are used today. In order to prosecute offenders in keeping with the original purpose of these laws, it may be necessary to incorporate modern-day technology and terminology to clarify not only the types of data covered under the law but also how digital data is classified and declassified for public release.
Information Assurance and Security in today’s world
Information assurance and security are an absolute necessity in today's world of technology. It is, however, equally important to keep in mind that what may be ethical in one person's view may not always match what the current law deems acceptable. Organizations benefit from this process by using information risk management services. If you are unsure whether to opt for information assurance, ask yourself a few questions:
- Are you looking for effective decision-making?
- Is it important for your organization to have well-defined SLAs and contractual terms?
- Do you want proper risk profiling for implementing risk mitigation?
Depending on your answers, contact us at EC-Council Global Services to learn about our Vendor Risk Management services. They not only empower you with the above capabilities but also ensure your organization's adherence to audit and compliance requirements. Build an information-assured environment for your organization today!
Engage with EGS!
Gain greater confidence in your cybersecurity decisions by working with EC-Council Global Services’ thought leaders to apply our solutions to your specific business and technology initiatives.
Posture Assessment Survey
An independent expert assessment of the current state of your information security environment, conducted against global standards and leading industry practices, measures the overall cybersecurity maturity of your organization.
Connect with us to take a FREE 15-Minute Survey. This will be followed by a remediation plan of the identified gaps and the development of a roadmap for transformation.
FREE Phishing Simulation
To assess your organization's human-error vulnerabilities, take OhPhish's FREE subscription to run simulated phishing attacks and get a detailed, actionable report.
OhPhish is the fastest growing integrated platform for security awareness training. You can train your users, phish them, review results, and repeat to ensure your company is on top of this game.
Vulnerability Assessment & Penetration Testing (VAPT)
EGS offers a broad range of network infrastructure, web application, and mobile application security assessment services designed to detect and gauge security vulnerabilities. Take the FREE VAPT for up to 10 external IPs, worth USD 5000, and get a customized report!