Gary S. Morris
GSM Associates
Suite 202
7338 Lee Highway
Falls Church, Virginia 22046
(703) 685-3021

Computer Security and the Law

I. Introduction

You are a computer administrator for a large manufacturing company. In the middle of a production run, all of the mainframes on a crucial network grind to a halt. Production is delayed, costing your company hundreds of thousands of dollars. Upon investigating, you find that a virus was released into the network through a specific account. When you confront the owner of the account, he claims he neither wrote nor released the virus, but admits that he has distributed his password to "friends" who need ready access to his data files. Is he liable for the loss suffered by your company? In whole, or in part? And if in part, for how much?

These and related questions are the subject of computer security law. The answers may vary depending on the state in which the crime was committed and the judge who presides at the trial. Computer security law is a new field, and the legal establishment has yet to reach broad agreement on many key issues. Even the meaning of such basic terms as "data" can be the subject of contention.

Advances in computer security law have been impeded by the reluctance on the part of lawyers and judges to grapple with the technical side of computer security issues [1]. This problem could be mitigated by involving technical computer security professionals in the development of computer security law and public policy. This article is meant to help bridge the gap between the technical and legal computer security communities by explaining key technical ideas behind computer security for lawyers and presenting some basic legal background for technical professionals.

II. The Technological Perspective

A. The Objectives of Computer Security

The principal objective of computer security is to protect and assure the confidentiality, integrity, and availability of automated information systems and the data they contain. Each of these terms has a precise meaning which is grounded in basic technical ideas about the flow of information in automated information systems.

B. Basic Concepts