1998 - "AN EFFECTIVE LEGAL STANDARD FOR COMPUTER SECURITY IN ELECTRONIC COMMERCE SYSTEMS"


International Bar Association, Vancouver Conference

Section on Business Law

Thursday, September 17, 1998

By Christine Axsmith

1. INTRODUCTION

Security is essential to electronic commerce growth. A security standard for the computer systems that record the electronic transactions will limit risk to those engaged in electronic commerce.

Widespread global transactions must be facilitated by legal standards for the preservation and availability of information. Electronic commerce will be stunted until the risk of litigation is reduced. Facilitating electronic commerce means including computer security in its legal framework; otherwise the risk of litigation is too great for electronic commerce to grow. Electronic commerce can only be incorporated into the global economic mainstream by establishing a security standard for electronic commerce transactions. Failing to include a practical definition of a trustworthy computer system risks massive litigation, the mere specter of which will prevent complete economic integration of electronic commerce into the world economy.

The question is how that security standard develops. What should be its elements? In this paper, I will examine several other approaches that have been proposed for a computer security standard from the Organisation for Economic Cooperation and Development, the European Parliament, the American Bar Association, the United Nations, and the "commercially reasonable" standard proposed in the United States. Another goal of this paper is to provide an educational overview of computer security policy and differing approaches to it. These suggested standards for the computer security of electronic commerce systems do not provide a practical, workable standard. This paper proposes a legal standard for security in electronic commerce in an international context using a more practical standard, anchoring the vague, undefined legal concepts to technology and computer system practices.

The elements of this paper's proposed standard are:

  • Confidentiality
  • Integrity
  • Awareness
  • Assurance against denial of service
  • Continuity of information availability
  • Protection against unauthorized interception of communications

2. RISKS

What are the computer security risks of electronic commerce? What kinds of fraud does electronic commerce fall prey to?

Examples of risks:

  • Stealing credit card numbers from the computer system
  • Using fake credit card numbers to order goods online
  • Booking false reservations for means of transportation
  • "Spoofing," which means that a competitor routes people trying to reach your Web page to their Web page
  • Breaking into a computer system to steal sensitive client information for competitive advantage
  • A disagreement arises over the key terms of the contract after the electronic information is maliciously altered while it is in transit
  • A dishonest businessman breaks into a computer system and changes the terms of a contract he or she electronically signed, and then insists on performance
  • Contracts signed online by customers are re-routed to a competitor.
  • Sensitive information about customers is intercepted and sold, resulting in harm to the customer.

Should any of these events happen, a lawsuit could result against the company without adequate computer security, whose lack of computer security resulted in financial damage to a party to the transaction or to a third party. The questions become: what is the standard of care for the security of computers engaged in electronic commerce? How much protection needs to be in place to avoid a lawsuit resulting from a breach of security? That topic is explored in this paper from the perspectives of several organizations interested in electronic commerce.

3. PROPOSED STANDARDS

More detail is provided on the OECD Guidelines due to their thorough and educational nature.

The Organization for Economic Cooperation and Development

The Organization for Economic Cooperation and Development (OECD) established "The Guidelines for the Security of Information Systems" (Guidelines) in an attempt to set a common international framework for computer security. The goal of these Guidelines is to establish a common set of principles from which many nations can begin their computer security awareness and practices to foster the proliferation of international trade. The OECD decided that computer security needed to be approached in a manner which started from the same basic building blocks, and the Guidelines resulted.

Information turns the wheel of international commerce. Security of information ensures that the international markets and computerized transactions will retain the confidence and integrity required for their maximum utility. The end result, if executed properly, will be the proliferation of international trade by confident and quick usage of information systems.

Transborder data flows are increasingly important to the economies of all countries. As the flow of information across borders becomes a cornerstone of economic survival, protection of the information being transferred becomes paramount to effective operations.

Overview of the Guidelines

The Recommendation of the Council Concerning Guidelines for the Security of Information Systems describes the aims of the document. They are intended to be general and to promote a general framework from which member nations can develop standards. More specifically, the Guidelines are intended to raise awareness of risks and appropriate safeguards in information security, to create a general framework from which to develop information security measures, to foster confidence in information systems and facilitate their development, and to promote international cooperation in achieving security of information systems. Part of information security is the availability of means by which computer criminals can be extradited and prosecuted. Another part is the confidence placed in information systems by their users. The level of confidence must be high enough to allow for the integration of sophisticated systems into the international marketplace on an even greater level, which in the end would foster economic development globally.

Technologies of the future require security to utilize their full potential. A goal of the Guidelines is establishing a structure that will outlive existing technologies. The aims of these Guidelines reflect that forward vision. The methods for implementing these aims within the charter of the OECD are the exchange of information between member states, consultation, studies, joint projects, close cooperation and coordinated action. Guidelines as set forth by the OECD are primarily statements of goals.

Part one of the Guidelines discusses its aims: to foster a common framework with which countries can communicate their computer security structures to one another, to promote co-operation between the public and private sectors, to foster confidence in information systems, and to promote international co-operation in achieving security of information systems. Part of that process lies in the implementation of these Guidelines.

Part two of the Guidelines describes very briefly the scope of their application, which broadly encompasses the public and private sectors and all information systems they contain. They do not supersede existing OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The development of separate information security systems for national security and other information systems is discouraged. These Guidelines are not intended to be inflexible. It was recognized that deviation might be required in the areas of national security and maintenance of the public order. Exceptions should be in the area of implementation, rather than deviation from the principles discussed later, and the Guidelines call for public disclosure of any exceptions.

Part three provides definitions for: data, information, information systems, availability, confidentiality, and integrity.

In part four, certain principles are proposed to begin discussion of information security issues. The underlying objective is explained as the protection of the interests of those relying on information systems from harm resulting from failures of availability, confidentiality, and integrity.

Part five states the underlying principles in connection with the security of information systems:

  • Accountability Principle - the responsibilities and accountability of parties using information systems should be explicit.
  • Awareness Principle - users and owners of information systems should be made aware of basic information security practices.
  • Ethics Principle - "The rights and legitimate expectations of others should be respected."
  • Multidisciplinary Principle - emphasizes that information security development should consider the perspective of all interested parties.
  • Proportionality Principle - information security should reflect reliance on the systems and the potential harm resulting from compromise of that information.
  • Integration Principle - differing aspects of information security should be integrated.
  • Timeliness Principle - parties adopting these Guidelines should establish mechanisms for quick response to challenges to the security of information systems.
  • Reassessment Principle - information security should be reevaluated periodically.
  • Democracy Principle - the security of information systems should not impede the free flow of information in a democratic society.

Most of these principles are familiar to information security professionals. The concept behind these principles is to have member countries working from the same general computer security scheme. The object is to create a seamless web of security in which the transition from one system to another is transparent to the user, so that the same set of standards applies everywhere, eliminating loopholes between systems and countries.

Implementation of the Guidelines

Part six of the Guidelines discusses implementation in the areas of policy development, education and training, enforcement and redress, exchange of information, and cooperation on international and national levels.

The policy development portion of this section outlines issues that need to be addressed in national policies. "Worldwide harmonization" of technical security standards is one of these goals. In doing so, the Guidelines suggest that security solutions reflect the variety of information systems.

Promotion of expertise and "best practice" in the field of information security is another goal of the Guidelines implementation. Again, the specifics of each program would vary according to the needs of the organization and its users.

This is a thorough document that covers the many aspects of computer security. However, it tends toward the theoretical and lacks the specificity required to mitigate the litigation risks surrounding computer security and electronic commerce.

European Initiative in Electronic Commerce

In its May 1998 report from the Committee on Economic and Monetary Affairs and Industrial Policy, the Commission "recalls that building trust and confidence for the citizens is a key element for the promotion of electronic commerce." Further, the report "asks in the meantime the Commission to negotiate a Mutual Recognition Agreement with the United States on data protection, as a first step to solve the current difficulties in defining a current approach; asks also the Commission to ensure that certain principles concerning protective standards are included in this negotiation process." Security is recognized as key to forward movement of electronic commerce.

The document recognizes the role of security in fostering electronic commerce growth. Its most specific statement is: "the most effective known means of user defence against on-line crime are strong encryption technologies." Effective computer security and anti-crime measures involve more issues than encryption. Technology is a key component to preventing online crime, but it is not the only one. A more thorough standard is proposed at the end of this paper. Further, computer security affects more than merely "crime." It affects the availability of information in the event of a lawsuit. If a computer system engaged in electronic commerce loses vital contract information, available only through the computer system, and the existence of the contract is later challenged, "crime" is not the issue. Availability of the information is the issue. Further, it is an issue that encryption will not solve. A computer virus, a result of poor computer security standards and practices, can eliminate vital elements of an online system, and the online contracts with it.

The American Bar Association

The American Bar Association Information Security Committee, Science and Technology Section, has published its Digital Signature Guidelines. In the definitions section, under subsection 1.35, "trustworthy system" is defined:

1.35 Trustworthy System

Computer hardware, software, and procedures that:

  • (1) are reasonably secure from intrusion and misuse;
  • (2) provide a reasonably reliable level of availability, reliability, and correct operation;
  • (3) are reasonably suited to performing their intended functions; and
  • (4) adhere to generally accepted security principles.

The comments following this standard include definitions of important information systems concepts:

  • Confidentiality: Ensuring that information is not disclosed or revealed to unauthorized persons.
  • Integrity: Ensuring consistency of data; in particular, preventing unauthorized creation, alteration, or destruction of data.
  • Availability: Ensuring that legitimate users are not unduly denied access to information and resources.
  • Legitimate use: Ensuring that resources are used only by authorized persons in authorized ways.

The ABA standard for a trustworthy system is solid, if a little lacking in detail. The chief concern is the liberal use of the term "reasonably" in every aspect of the definition. Legal discussions of computer security in the United States often include the term. Certainly, an unreasonable standard would not be anyone's goal. The question is: what is reasonable? The comments to this "trustworthy system" definition help elucidate the question but do not reduce the considerable litigation risks inherent in every "reasonable" in that definition. Reasonable is in the eye of the beholder, and if the parties to a transaction have not compared their computer security views, there is a greatly increased risk of litigation. Decreased litigation is the goal. Achieving it will foster electronic commerce growth.

United Nations

The United Nations Commission on International Trade Law, in its Report of the Working Group on Electronic Commerce, states:

  • "It was widely felt that the aim of uniform rules on electronic signatures should be to provide guidance to legislators as to how wide variety of authentication-related functions could be performed in an electronic environment. Such functions ranged along what was referred to as a 'sliding scale' from providing the highest degree of security (along the lines of 'notarized' and other certified signatures in a paper-based environment) to the low level of security offered by handwritten marks or signature stamps. However, one of the difficulties of undertaking work in the area of electronic signatures stemmed from the fact that, if the uniform rules to be prepared were to provide the level of guidance that might be required to implement the principles embodied in article 7 of the Model Law, they might have to deviate from a purely functional approach, and to address in some detail the manner in which specific techniques could perform the above-mentioned functions."

The Working Group avoided discussion of "cryptography for security purposes," and decided the "focus of its work would be placed initially on issues of digital signatures." The report mentions that "it might be appropriate to consider … whether different standards are needed for consumer transactions." That proposal is a very practical solution for electronic commerce security issues because the type, quantity, and cost of transactions vary a great deal in electronic transactions between those two groups. The report observes problems inherent in differentiating between consumer and commercial transactions in an online environment, which is true from a technical viewpoint. The type of transaction can be defined by the volume of purchase or the total amount in the transaction, or other aspects of the transaction.

Authentication is an essential part of effective computer security for electronic commerce computers, but the digital signatures relied upon are not enough to establish a standard for computer security in a realistic manner because the nature of the risk is severalfold. Referring to the security principles in the OECD document, there is the remaining issue of the integration principle. Physical security (i.e. guards, guns, gates) plays a crucial role in preventing the unauthorized use of a system and must be integrated into the overall security structure of a computer system. Another security issue to be integrated into the overall securing of electronic information is awareness of computer security information by the users of the computer system. Much media attention is given to outside threats to a computer system by young computer users frequently referred to as "hackers." The primary threat to any computer system comes from inside the organization, through lack of information about protecting electronic assets and through malice. Malicious inside users are curtailed by informed and aware co-workers. Computer security awareness and training is one of the strongest computer security tools available to any organization fearing the hacker threat.

In terms of the 'trustworthiness' of a system from article 7 of the Model Law, the report states:

  • "From the parties' perspective, the essential consideration was whether they were said to make up for the trustworthiness of the hardware, software and procedures used by the parties (e.g., whether they were reasonably secure from intrusion and misuse; whether they provided a reasonable level of availability, reliability and correct operation; whether they were reasonable suited to performing their intended function; and whether they were operated in conformity with generally accepted security principles.)"

Similar to the ABA standard of computer security, it provides a good overview of what a computer security standard should accomplish. The concern in terms of limiting litigation risk is the vagueness of "generally accepted security principles" and the recurring term "reasonable." This paper calls for more clarity in an effort to reduce potential lawsuits. It is the "potential" of the lawsuit that will discourage true integration of electronic commerce into the global marketplace. This paper seeks to augment that standard with a practical application to technology and information management practices.

Commercially Reasonable

In the United States, part of the private sector has advocated for the entire computer security standard to be captured in the two words "commercially reasonable." "Commercially reasonable" is not a valid standard for computer security. Adoption of such a vague standard will inhibit electronic commerce development severely.

The Problem

There is a world of difference in what could be "commercially reasonable" in the United States alone. Would you be doing millions of dollars of business with someone not willing to commit to making a safe copy of their systems in the event of natural disaster? But this very obvious element in system availability may not be considered reasonable in a commercial sense to some.

Leaving security undefined will jeopardize the entire movement towards electronic commerce. The lack of clarity will lead to fundamental misunderstandings between contracting parties that will only be resolved in a court of law after a major problem has occurred. The more cautious business sectors will hesitate or cease to engage in electronic commerce, fearful that these inevitable lawsuits will arise.

  • Example: A computer systems manager in Company A fails to make a copy of the system as a backup for a few months. During that time the system crashes and the contract is lost six days after it was digitally signed. The contracting parties disagree on the key terms of the contract (quantity) which was signed online with a digital signature. Outside events have affected the market value of the goods in question. A lawsuit results. Company A will insist that making a copy of the system for safety measures more than once a month is not "commercially reasonable" whether or not it had that impression initially.

A duplicate of a computer system stored for safekeeping is referred to as a "backup." The essential problem of failing to make a proper backup of the system on a regular basis, as with other lapses of security, is common.

The natural question, then, is: if computer security is such a problem, how is it that computers are used in business? Wouldn't these poor practices preclude profit for businesses using computers?

Prior to the advent of electronic commerce, the losses associated with poor computer security practices were intangible. Loss of computing time, use of phone lines after hours, and loss of records that had to be re-keyed are not direct losses of income and business. Some industries do have the issue of direct impact on profit, and have adapted their computer security accordingly.

Too much vagueness means too much litigation for electronic commerce to succeed. The issue of what constitutes a "commercially reasonable" standard for security needs to be brought to the table and discussed between the parties so that an understanding common to all the parties is reached. A similar suggestion can be found in the United Nations standard for computer security in electronic commerce systems discussed earlier in this paper. Too many differences exist between industries for one "commercially reasonable" standard to cover all transactions. Basic computer security principles can be provided as the default, and can be negotiated between the parties if they choose, but at least the concept of what is basic computer security will be established. Much litigation will be prevented if both parties are forced to confront what security level they deem acceptable.

International Ramifications

In an international environment, cultural differences in the meaning of "security" preclude the open-endedness of the "commercially reasonable" standard.?What one nation accepts as the elements of computer security from its security agencies may not be in accord with other nations' computing definitions.

4. A PROPOSED SOLUTION

Certain concrete factors need to be put forward as a default standard for security for electronic commerce information systems. The following attempts to provide a computer security standard that is concrete enough to reduce future litigation to the maximum extent possible, and yet flexible enough for a changing technical landscape. The parties can negotiate a different standard in their contracts. The organizational attempts to meet these criteria need to be recorded in writing and stored in a secure location to ensure future availability.

These factors are:

Confidentiality - that a method be in place to control access to the computer system, such as user IDs and passwords (commonly referred to as identification and authentication), token technology, or smart card technology. The goal is to verify that the user is authorized to have access to this computer system, and is permitted to perform the tasks attempted.

Integrity - that the information system has been tested for known basic security vulnerabilities and vulnerabilities unique to that computer environment.

Awareness - that all users of computer systems engaged in electronic commerce are trained once a year on their computer security responsibilities. Threats to the continuity of operations and recent information on arising security threats are communicated to users, as are the organization's means of addressing those issues.

Assurance against denial of service - that the system has a means of stopping malicious or negligent actions which make the computer system unavailable to authorized users. An example would be the prevention of a series of attempts to access the computer system which will ensure the system is not accessible by any user, valid or otherwise. One frequent method of accomplishing this goal is to set the computer system to lock out a person who has tried to log on to the system and failed more than three times. When someone is trying to log on and failing so many times in a row, often they are trying a series of password combinations until they successfully break into the computer system to perform unauthorized tasks.
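The lockout rule described above, as an added illustration that is not part of the paper: a small login guard that counts recent failed attempts per account and, after more than three failures, refuses further attempts (even with the correct password) for a fixed period. The thresholds, the lock duration, the class and function names, and the replayed sample events are all constructed for this example. The lock is deliberately time-limited and the failure count is windowed, so that a stream of bad passwords aimed at a valid user cannot shut that user out permanently, which would itself be the denial of service the standard is meant to prevent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy values (assumptions, not from the paper):
MAX_FAILURES = 3        # "failed more than three times" -> the 4th failure locks
LOCKOUT_SECONDS = 900   # how long the lock lasts (15 minutes)
FAILURE_WINDOW = 900    # failures older than this no longer count


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None                 # None when not locked


class LoginGuard:
    """Tracks failed logons per account and enforces a temporary lockout."""

    def __init__(self, max_failures: int = MAX_FAILURES,
                 lockout_seconds: float = LOCKOUT_SECONDS,
                 window: float = FAILURE_WINDOW) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window = window
        self._accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self._accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt and return 'ok', 'denied' or 'locked'.

        The caller has already checked the password; this guard decides
        whether the account may proceed. While locked, a correct password is
        still refused, so repeated guessing gains nothing from the lock.
        """
        st = self._accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"
        if st.locked_until is not None and now >= st.locked_until:
            # The lock has expired: start the account fresh.
            st.failures.clear()
            st.locked_until = None
        if password_ok:
            st.failures.clear()  # a good logon resets the failure count
            return "ok"
        # Drop failures outside the window, then count this one.
        st.failures = [t for t in st.failures if now - t < self.window]
        st.failures.append(now)
        if len(st.failures) > self.max_failures:
            st.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


def replay(events: List[tuple]) -> List[str]:
    """Feed (timestamp, user, password_ok) events through one guard; return the outcomes."""
    guard = LoginGuard()
    return [guard.attempt(user, ok, ts) for ts, user, ok in events]


if __name__ == "__main__":
    # Constructed sample: four bad guesses against "alice", a correct password
    # during the lock, then a correct password after the lock has expired.
    sample = [
        (0.0, "alice", False),
        (10.0, "alice", False),
        (20.0, "alice", False),
        (30.0, "alice", False),   # 4th failure -> locked
        (40.0, "alice", True),    # correct, but still locked
        (940.0, "alice", True),   # lock expired -> ok
    ]
    for ev, outcome in zip(sample, replay(sample)):
        print(f"t={ev[0]:>6.0f}  user={ev[1]}  password_ok={ev[2]!s:5}  -> {outcome}")
```

The guard keeps no passwords and makes no decision about whether the password was right; it only gates how many chances an account gets inside the window, which is the part of the control a logon service or an audit log review needs to see.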

Continuity of information availability - that electronic records of prior transactions are available independent of personnel turnover, and that records are still retrievable in the event of natural disaster or calamitous event.

Protection against unauthorized interception of communications - that electronic information transmitted across uncontrolled wires be in some way encrypted. This element does not require that any government hold the key, and does not require a minimum key length. The capability for this kind of computer misuse exists at the amateur level, and the risks associated with it will only increase dramatically with time. Just employing encryption as a practice would put any commercial organization ahead of most in terms of securing electronic information. Sensitive issues regarding key length and key escrow are unresolved at this time. While these are important obstacles to address, the basic legal standard proposed for computer security in this paper seeks only to make room for the encryption question, however it is resolved. Ignoring encryption while determining computer security standards is self-defeating.

Encryption is frequently an obstacle in effective discussions of a computer security standard, as witnessed by the handling of that issue in the United Nations discussion of electronic commerce issues highlighted earlier. Encryption and computer security are often considered synonymous. Encryption, which makes computer communications unreadable to electronic eavesdroppers, is a key aspect of electronic commerce security. But the strongest encryption in the world will not in itself guarantee the security of computerized information. The encryption protects information in transit. The information needs to be available and protected while stored on the computer as well.

The amount and the degree of the commitment (or non-commitment) to security needs to be part of the contract negotiation process. Much is taken for granted in the very word itself: security. This is all true within the United States, without including international cross-cultural definitions of "security" and "reasonable."

CONCLUSION

The proposed computer security standard for electronic commerce computers in this paper does not include all of the elements that could be part of a computer security definition. The goal is to provide a workable basic guideline for those wishing to adopt a standard that is concrete enough to avoid the maximum number of lawsuits and flexible enough not to be outdated in the near future.
