1,334 research outputs found

    The Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.

    Despite the recent push towards security by design, most software and hardware on the market still contains numerous vulnerabilities, i.e. flaws or weaknesses whose discovery and exploitation by criminal hackers compromise the security of networked and information systems and affect millions of users, as the UK Government acknowledged in its 2016 Cybersecurity Strategy. Conversely, when security researchers find vulnerabilities and promptly disclose them to the vendors who supply the IT products, or who provide a service dependent on those products, they increase the vendors' opportunities to remove the vulnerabilities and close the security gap. They thus contribute significantly to the fight against cybercrime and, more widely, to the management of digital security risk. However, in 2015 the European Network and Information Security Agency concluded that the threat of prosecution under EU and US computer misuse legislation ‘can have a chilling effect’, with security researchers ‘discentivise[d]’ from finding vulnerabilities. Taking stock of the significant, but substantially understudied, criminal law challenges that security researchers face in the UK when working independently, without the vendors' prior authorisation, this paper proposes a new defence to the offences under the Computer Misuse Act: an innovative solution to be built in light of both the scientific literature on vulnerability research and the exemption proposals envisaged prior to the Computer Misuse Act 1990. This paper argues that such a defence would allow security researchers, if prosecuted, to demonstrate that, unlike criminal hackers, they acted in the public interest and proportionately.

    ACUTA Journal of Telecommunications in Higher Education

    In This Issue: Disasters, Emergencies, and Residence Hall Communications; GWU's Safety Systems Built Around Telecommunications; In the Face of Disaster; Advertorial: Contact 101: Strategies for Emergency Notification; University Approaches to Emergencies and Emergency Communication; A Reasoned Response to Crisis; Digital Forensics: What Is It and Why Should I Care?; Exploits, Guidelines, and Vulnerabilities: Protecting Digital Resources; Classifying Events, Incidents and Disasters; President's Message; From the Executive Director; Here's My Advic

    Determining Training Needs for Cloud Infrastructure Investigations using I-STRIDE

    As more businesses and users adopt cloud computing services, security vulnerabilities will be increasingly found and exploited. There are many technological and political challenges where the investigation of potentially criminal incidents in the cloud is concerned. Security experts, however, must still be able to acquire and analyze data in a methodical, rigorous and forensically sound manner. This work applies the STRIDE asset-based risk assessment method to cloud computing infrastructure for the purpose of identifying and assessing an organization's ability to respond to and investigate breaches in cloud computing environments. An extension to the STRIDE risk assessment model is proposed to help organizations respond quickly to incidents while ensuring the acquisition and integrity of the largest possible amount of digital evidence. Further, the proposed model allows organizations to assess the needs and capacity of their incident responders before an incident occurs.
    Published in the 5th International Conference on Digital Forensics and Cyber Crime (Digital Forensics and Cyber Crime, pp. 223-236, 201

    Best Practices and Recommendations for Cybersecurity Service Providers

    This chapter outlines some concrete best practices and recommendations for cybersecurity service providers, with a focus on data sharing, data protection and penetration testing. Starting from a brief outline of the dilemmas that cybersecurity service providers may experience in their daily operations, it discusses the data handling policies and practices of cybersecurity vendors under five topics: customer data handling; information about breaches; threat intelligence; vulnerability-related information; and data involved when collaborating with peers, CERTs, cybersecurity research groups, etc. It then discusses specific issues of penetration testing, such as customer recruitment and execution, as well as the supervision and governance of penetration testing. The chapter closes with some general recommendations for improving the ethical decision-making procedures of private cybersecurity service providers.

    Electronic security - risk mitigation in financial transactions : public policy issues

    This paper builds on a previous series of papers (see Claessens, Glaessner, and Klingebiel, 2001, 2002) that identified electronic security as a key component of delivering the benefits of electronic finance. This paper and its technical annexes (available separately at http://www1.worldbank.org/finance/) identify and discuss seven key pillars necessary for fostering a secure electronic environment. It is intended for those formulating broad policies in the area of electronic security and those working with financial services providers (for example, executives and management). The detailed annexes are especially relevant for chief information and security officers responsible for establishing layered security. First, the paper defines electronic finance and electronic security and explains why these issues deserve attention. Next, it presents a picture of the burgeoning global electronic security industry. It then develops a risk-management framework for understanding the risks and tradeoffs inherent in the electronic security infrastructure, and gives examples of tradeoffs that may arise between technological innovation, privacy, quality of service, and security when designing an electronic security policy framework. Finally, it outlines issues in seven interrelated areas that often need attention in building an adequate electronic security infrastructure: 1) the legal framework and enforcement; 2) electronic security of payment systems; 3) supervision and prevention challenges; 4) the role of private insurance as an essential monitoring mechanism; 5) certification, standards, and the role of the public and private sectors; 6) improving the accuracy of information on electronic security incidents and creating better arrangements for sharing this information; and 7) improving overall education on these issues as a key to enhancing prevention.

    Ethical and Unethical Hacking

    The goal of this chapter is to provide a conceptual analysis of ethical hacking, comprising its history, common usage and an attempt at a systematic classification that is both compatible with common usage and normatively adequate. The article then identifies a tension between common usage and a normatively adequate nomenclature. ‘Ethical hackers’ are often identified with hackers who abide by a code of ethics privileging business-friendly values. However, there is no guarantee that respecting such values is always compatible with the all-things-considered morally best act. It is recognised, however, that in terms of assessment it may be quite difficult to determine who is an ethical hacker in the ‘all things considered’ sense, while society may agree more easily on who is one in the limited ‘business-friendly’ sense. The article concludes by suggesting a pragmatic best-practice approach to characterising ethical hacking, one that reaches beyond business-friendly values and helps in taking decisions that respect hackers' individual ethics in morally debatable grey zones.

    Regulating secure software development : analysing the potential regulatory solutions for the lack of security in software

    The security of our informational infrastructure is still relatively poor. Huge investments have been made, and even regulators have taken information security seriously. The majority of current efforts, at both the operational and the regulatory level, however, address only symptoms of an underlying problem: the insecurity of software products, the salient components of most information and software systems. Secure software development has gained momentum over the past couple of years and improvements have been made. By analysing the incentives for secure software development, this study argues that without appropriate regulatory intervention the level of security will not improve enough to meet the needs of the network society as a whole. Besides information security in general, secure software development has to be raised as an important public policy issue if we wish to achieve a more secure network society and to maintain trust in information products and systems in commerce. Efficacious regulatory measures are desperately needed to change current practices. This study analyses two of the most attractive alternatives, software product liability and disclosure of vulnerability information, and makes suggestions for their improvement.

    The Ethics of Cybersecurity

    This open access book provides the first comprehensive collection of papers offering an integrative view on cybersecurity. It discusses theories, problems and solutions concerning the relevant ethical issues involved. This work is sorely needed in a world where cybersecurity has become indispensable for protecting trust and confidence in the digital infrastructure while respecting fundamental values like equality, fairness, freedom and privacy. The book has a strong practical focus, as it includes case studies outlining ethical issues in cybersecurity and presenting guidelines and other measures to tackle those issues. It is thus relevant not only for academics but also for practitioners in cybersecurity, such as providers of security software, governmental CERTs and Chief Security Officers in companies.

    Cyber Risks, Potential Liabilities and Insurance Responses in the Marine Sector

    The marine sector is vulnerable to cyber-attacks as it becomes more dependent on information and operational technology systems connected to the internet. While this allows for greater efficiency, the interconnected nature of such systems exposes the sector to new and evolving cyber risks. The research begins by briefly examining the nature of cyber risks, identifying likely threat actors and the motivations behind such attacks. Through the use of hypothetical scenarios, the researcher i) identified some of the cybersecurity vulnerabilities particular to the marine sector, ii) identified the potential losses and liabilities from a cyber-attack or incident, and iii) analysed how insurance may be used to mitigate the risks, focusing specifically on the adequacy of traditional marine policies as well as cyber insurance policies to cover such risks. Traditional marine policies were analysed to identify the gaps in cyber coverage, with the recognition that without a clearly written cyber exclusion clause, insurers will be exposed to risks and liabilities they did not intend to cover. As for assureds, while traditional hull and cargo insurance policies may cover some risk, they will not fully cover losses unique to cyber risks, such as network failure, data loss, business interruption, cyber espionage and reputational damage, so they too may lack adequate coverage against cyber-attacks. The main conclusion of the research is that the marine and cyber insurance policies currently available do not adequately protect against cyber-related losses and liabilities, particularly those unique to the marine sector. This is primarily due to the extensive list of exclusions found in cyber insurance policies and the cyber exclusion clauses commonly attached to traditional marine policies. The coverage limits are also inadequate to cover the potential losses to marine facilities and assets, which are usually connected to a complex supply chain.