[ISN] On Trial - Prosecuting cybercrime puts your organization--and
your security--on the hot seat.
isn at c4i.org
Mon Oct 18 02:23:25 EDT 2004
By Carole Fennelly
Attorney: Is it fair to say that, prior to March 24, 2000, you were
not aware of [a] bug that allowed someone to enter the system?
Bloomberg: That's correct. It's not just someone. You would have to
work pretty hard to do it and have to be reasonably competent to do
Attorney: Would it be fair to say that that bug was a dangerous threat
to the security of your system?
-Testimony of Michael Bloomberg, U.S. v. Zezev
New York City Mayor Michael Bloomberg endured more than an hour of
cross-examination during the 2003 criminal trial of Oleg Zezev, a
Russian citizen later convicted of hacking Bloomberg LLP's network and
making extortion demands. Bloomberg didn't make excuses for weaknesses
in the company's digital infrastructure. He met the issue head-on.
Is your CEO prepared to do that?
Your company will undergo intense scrutiny if a case against a
cybercrime suspect goes to trial. Your employees, from the IT staff to
the corner office, will be cross-examined by defense attorneys, who
will attack their competence, challenge their statements and attempt
to discredit corporate policies and processes. Internal, often
sensitive, documents and information may become part of the public
record, and, if the case generates enough buzz, it's fair game for CNN
and The New York Times.
When your company takes the stand, you're asking for an open--and very
public--security audit. Although you can't control everything that
goes on in the courtroom, you can prepare your employees for the
concentrated defense questioning.
If your IT security policies are strong, and if you have solid
incident response plans, you'll be ready for the onslaught. If not,
your secrets and flaws may be exposed in the worst possible light.
Prosecutors rely on corporate cooperation to convict cybercriminals,
and most will try to limit the admissible evidence to avoid
unnecessarily embarrassing the company or revealing sensitive
information. Through the discovery process, the defense counsel has
access to all seized evidence and can subpoena anything that may show
negligence or weaken the case--possibly revealing holes in IT security
policies, processes and infrastructure. If your security is weak, it's
much more difficult to prove that a particular individual was
responsible for the crime.
Much of what happens in court is dependent on pretrial
maneuverings--when admissibility is argued and judges rule on motions
to suppress evidence. This is the stage at which you can try to avoid
exposing sensitive corporate security data.
"The company can communicate the big stuff that it doesn't want to
come out--company trade secrets, information about response policies
or vulnerabilities--to the [law enforcement] agent," says Richard
Salgado, former senior counsel with the Computer Crime and
Intellectual Property Section of the U.S. Department of Justice. "A
motion may be made to exclude that kind of questioning."