AUSTRALIAN LAW JOURNAL

NEW BOOKS

E-SECURITY

Authors: Leif Gamertsfelder, Rob McMillan, Andrew Handelsmann and Phillip Hourigan

Publisher: Law Book Co, 2002

ISBN: 0 455 21851 X, 91 pp, Index

Price: Softcover $AUD85.00 including GST. There is also an online version for the same price by subscription.

The news in February 2002 that a minor employee of the Allied Irish Bank, John Rusnak, had apparently siphoned off a huge amount of the bank's money, leaving it with a $1.47 billion deficit, focuses attention once again on the security of electronic systems, especially those of financial enterprises.

For as long as people have had control over valuable information, other people have been attempting to secure, use and alter such information to their own advantage. In earlier times, when information was invariably in a physical form, access to the object and manipulation of its contents was a challenge to those having the requisite interest. Sir Francis Walsingham, the head of security for Queen Elizabeth I, eventually snared Mary Queen of Scots, discovering her hidden notes and unravelling their codes to convince the reluctant Elizabeth that Mary had to be executed to put an end to her plots.

The biggest advance in security systems came in the 20th century with the development in the 1930s of the primitive machines that eventually grew into the electronic computers of today. Hitler's High Command prided itself on the Enigma typewriter that would automatically encrypt military and naval signals. It was a great fortune for the Allied cause in the War that this particular security system was broken at Bletchley Park in England. In particular, the naval codes were unravelled by a team initially led by the brilliant mathematician, Alan Turing. His achievements saved many an Atlantic convoy, although they were ill-rewarded after the War, when Turing was prosecuted for a homosexual offence and forced into hormone therapy to escape imprisonment. Soon afterwards he committed suicide: see Andrew Hodges, Alan Turing, The Enigma (Walker & Co, NY, 2000).

Cracking the Enigma code demonstrates that even the most advanced security system can usually be overcome. Turing used his early prototype computer to help crack Enigma. Yet, to the very end, the German authorities rejected the possibility that their unique technological system had been breached. Nowadays, it is accepted that any security system can eventually be overcome by determined and resourceful invaders. Rarely do the crackers and hackers have the noble objectives of Turing and his team. Yet that team was the progenitor of a vast modern problem now the subject of this highly practical book.

The book is written by three solicitors of the firm Deacons in Sydney, together with Mr Rob McMillan, an expert in security of electronic systems for the Commonwealth Bank of Australia. The book records that in September 2001 the Australian National Audit Office reported on the security systems in place in ten federal agencies. It found that some were very good. But others left much to be desired.

In the same month, the attacks on the World Trade Center in New York and on the Pentagon near Washington revealed the high vulnerability of societies dependent upon modern technology and reliant upon human security checks. One of the most vivid images of the events of 11 September is that of the wife of the Solicitor-General of the United States, on the Washington plane, telephoning her husband on her mobile phone to ask what she should do in her predicament. This is the basic question that the authors have posed for themselves in this book. What can be done? They have provided answers by reference to relevant Australian legislation, current case law and the principles of the common law and of administrative law.

Amongst the cases that have already arisen, which are described in this book, are some that have caused world-wide damage to users of modern information technology. Perhaps the largest of these was the so-called Love Bug virus. Let loose, it caused damage to an estimated 45 million computers world-wide. According to the authors, the estimated losses and costs incurred as a result of this virus were $US10 billion. The authors describe the consequences of other manipulations of systems that have resulted in denial of services to subscribers. Such acts have led to the shutting down of world-wide networks, including even cnn.com. The interruption in such services is described as occasioning damage running into billions of dollars in value.

As against these forms of invasion of information systems, others of more moderate intensity are instanced. They include the efforts of one Vladimir Levin who was accused of stealing $US10 million from Citibank Inc in the United States by computer hacking. Yet for every Levin, there are many small fry intruders, some of them out for personal gain, others (usually young computer experimenters) simply hoping to test their skills against the walls of security put in place by system owners and operators.

Australia has not been immune from breaches of information security. This book describes the activities of an overseas student at a university in Western Australia who created a "spoof email", apparently from another staff member, to secure secret information on the contents of a forthcoming examination question which the student wished to have. In another case, a computer network engineer, employed by an online grocery service to implement security systems, had access to all passwords and codes used to secure the company's systems. After leaving the employ of the company, the employee set up a remote electronic link from his home. He then proceeded to erase vital files and to disable the company's Internet link with its customers. The result was considerable loss to the company. The employee was charged and convicted under the now repealed provisions of s 310 of the Crimes Act 1900 (NSW) prohibiting damage to data in a computer.

The book also describes an invasion of security committed against the control system of a local government authority in Queensland. This resulted in the undesired release of sewage into local creeks and parks; but also in the conviction and sentence of the miscreant for an offence against the Queensland Criminal Code, s 408D.

The many instances given in the book demonstrate the vulnerability of government and corporate systems (as well as those of individuals) to security breaches and the special vulnerability of such systems to disgruntled individuals. If they can cover their tracks, they can do a great deal of harm and escape scot-free. It is obviously important to prevent this by adopting the kinds of security systems described in the book. It is also important to secure effective law reform to ensure specific remedies that can sanction the wide variety of abuse.

The book points to the limited capacity of the law to deal with all problems of information security on a national basis. Thus the Love Bug virus, which originated in the Philippines, was ultimately tracked down to its originators. But Philippines law was silent on the kind of offence that had occurred. There was neither effective civil redress nor even the satisfaction of bringing the perpetrators to answer in a criminal court for their grossly irresponsible and damaging conduct.

National laws, enacted by overseas jurisdictions, such as the Computer Fraud and Abuse Act 1986 (US) and the Computer Misuse Act 1990 (UK), are described. The latter in particular was influential in the design of the Australian federal legislation that now provides computer access criminal offences. This legislation is to be found in the Cybercrime Act 2001 (Cth) and the Crimes Amendment (Computer Offences) Act 2001 (NSW). Other Australian States and Territories have introduced, or are planning, legislation. The book mentions these.

It also records the civil remedies that the authors feel may be invoked where damage has been done by deliberate or negligent breaches of security. There is a good analysis of the relevant principles of the common law. A bold attempt is made to describe how a duty of care in Australia is ascertained, calling on Modbury Triangle Shopping Centre Pty Ltd v Anzil (2000) 75 ALJR 164. Reference is made to provisions of the new Privacy Amendment (Private Sector) Act 2000 (Cth). The introduction into the Australian private sector of federal privacy principles by the vehicle of the last-mentioned Act gives an obvious impetus to the establishment in Australia of information policy rules that will embrace the interconnected issues of data privacy and data security.

A special feature of the book is that it is written without a pre-supposed, detailed knowledge of information security systems or encryption techniques. In short, it is written for the ordinary lawyer and corporate official as a general backgrounder. It is long on practical illustrations of the extent of the problem and what can be done. It is short on detailed analysis and copious footnotes. It is no more than a general introduction. But that is exactly what it aspires to be.

The book sets out, as a lawyer advising clients would wish, the preventive measures and e-security strategies that can be put in place to address the problems portrayed in the early chapters. These include practical prevention initiatives; the introduction of risk management; the initiation of appropriate responses to security incidents; regular auditing of security systems; consideration of the insurance coverage apt to e-security breaches; advice on the gathering and preservation of evidence necessary to prove the causes of security breaches; and source materials on industry protocols that are relevant. A large section of the book examines the relevant law and its inadequacies. It emphasises the need to advise clients on practical measures that will hopefully restrain security breaches and, when they occur, provide means for them to be traced, proved and brought to legal responses.

The introduction of informatics, which builds on the technology of Alan Turing's idea of a machine that could execute a series of operations on sequences of binary digits (the Turing universal machine), has come a long way since it was conceived in 1936. Self-evidently, such developments now have enormous legal implications. One of the authors of this book, Leif Gamertsfelder, has pointed out that lawyers should not be surprised at these implications. Fifty years before the primitive computer, the invention of the motor car brought about a similar revolution in society and in civil and criminal law. Litigation in the courts of most modern societies was revolutionised in many ways. So it is with the contemporary progeny of the universal machine. As with the motor car, there are dangers and mishaps that can have serious personal and social consequences. The law must attend to these. In doing so, it will not take its eye off the great benefits of the technology. Indeed, we are only at the beginning of the phenomenon of cyberspace.

Alan Turing, although fifty years dead, now has his own electronic space (http://www.turing.org.uk/). The products of his inventive mind continue to live in cyberspace. For an introduction to some of the legal problems that arise in Australia, this little book is to be commended, as are its authors.