Law
Rules that mandate or prohibit certain behavior. They are enforced by the state (government) and carry penalties (fines, imprisonment). Laws represent the minimum standard of behavior.
Ethics
Rules that define socially acceptable behavior. They are based on cultural mores and professional standards. Breaking them results in social stigma, loss of job, or loss of professional certification.
Law vs. Ethics - The Distinction
The Conflict: Information Security often operates in the grey area where technology moves faster than the law.
Example: Is it legal to scan a network you don't own? (Usually No). Is it ethical if you are trying to warn them of a flaw? (Debatable).
Liability
The legal obligation of an entity; limits what an organization is responsible for (and what they can be sued for).
Due Care
Taking reasonable measures to protect an asset. "Doing what a reasonable person would do." (e.g., Installing antivirus).
Due Diligence
The verification that Due Care is happening. (e.g., Checking the logs to prove the antivirus is updating).
Business Impact
If a company is hacked, they can be sued for "Negligence" if they failed to exercise Due Care.
The Commandments of Computer Ethics
Created by the Computer Ethics Institute. Core principles include:
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people's computer work.
- Thou shalt not snoop around in other people's computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness (Fake News/Fraud).
Key Takeaway: Technology does not change right and wrong; it just amplifies the impact.
White Hat
Ethical Hackers. They have authorization (written permission) to test systems. They disclose vulnerabilities to the vendor/owner to fix them.
Black Hat
Malicious Hackers / Crackers. They violate security for personal gain, destruction, or fame. They sell exploits or data.
Grey Hat
The "Vigilantes." They hack without permission (Illegal) but usually without malicious intent (Ethical?). They might publicly release a vulnerability to force a company to fix it (Full Disclosure).
Grey Hat
Warning: ____ activities are illegal under Philippine and International law.
Other Threat Actors
- Script Kiddies
- Hacktivists
- State-Sponsored / APT (Advanced Persistent Threat)
Script Kiddies
Unskilled attackers who use tools/scripts written by others. They lack theoretical knowledge but cause mass damage due to their numbers.
Hacktivists
Hackers motivated by a political or social cause (e.g., Anonymous). They use DoS or defacement to promote a message.
State-Sponsored / APT (Advanced Persistent Threat)
Hackers employed by governments. Highly skilled, well-funded, and patient. Targets: National security, intellectual property, critical infrastructure.
Why study US Law?
Most major tech companies (Microsoft, Google, Cisco) are US-based, setting global standards.
U.S. / International Regulatory Acts
- CFAA (Computer Fraud and Abuse Act)
- DMCA (Digital Millennium Copyright Act)
- FOIA (Freedom of Information Act)
CFAA (Computer Fraud and Abuse Act)
The foundation of anti-hacking law. Defines "unauthorized access" to a "protected computer."
Unauthorized Access Defined by CFAA
Without Authorization
Accessing a system that you have no permission to access at all (e.g., hacking).
Unauthorized Access Defined by CFAA
Exceeding Authorized Access
Accessing permitted areas of a computer but then accessing files, data, or areas for which you are not authorized.
Unauthorized Access Defined by CFAA
Key Intent
The act must generally be intentional and, in many cases, accompanied by an intent to defraud, damage, or obtain something of value.
Protected Computer Defined by CFAA
The definition is broad, covering most computers connected to the internet. It includes:
- Computers used by or for a financial institution.
- Computers used by the U.S. government.
- Any computer used in interstate or foreign commerce or communication (e.g., any computer with internet access).
DMCA (Digital Millennium Copyright Act)
Criminalizes the production and dissemination of technology used to circumvent copyright protections (DRM).
FOIA (Freedom of Information Act)
Allows citizens to request data from the federal government.
FOIA (Freedom of Information Act)
Security implication: What data must remain secret for national security vs. what must be public?
Philippine Legal Framework - Data Privacy
- Republic Act 10173 (Data Privacy Act of 2012)
Republic Act 10173 (Data Privacy Act of 2012)
Protects the fundamental human right of privacy while ensuring free flow of information.
Republic Act 10173 (Data Privacy Act of 2012)
Scope: Applies to any processing of personal data in the Philippines.
Republic Act 10173 (Data Privacy Act of 2012)
Key Concept: "Data Subject" (the person) has rights (Right to be informed, right to access, right to erase).
Republic Act 10173 (Data Privacy Act of 2012)
Requirement: Organizations must appoint a DPO (Data Protection Officer).
Philippine Legal Framework - Cybercrime
Republic Act 10175 (Cybercrime Prevention Act of 2012)
Republic Act 10175 (Cybercrime Prevention Act of 2012)
Offenses against confidentiality, integrity, and availability: Illegal Access, Illegal Interception, Data Interference (Destruction), System Interference.
Republic Act 10175 (Cybercrime Prevention Act of 2012)
Computer-related offenses: Computer-related Forgery and Identity Theft.
Republic Act 10175 (Cybercrime Prevention Act of 2012)
Content-related offenses: Cybersex, Child Pornography, and Cyber-libel.
Republic Act 10175 (Cybercrime Prevention Act of 2012)
Impact: Hacking is now a criminal offense with specific jail time in the Philippines.
Professional Organizations
Why join? To network, learn, and establish credibility.
Professional Organizations
- ACM (Association for Computing Machinery)
- ISC² (Intl. Information System Security Certification Consortium)
- ISACA
ACM (Association for Computing Machinery)
Focuses on computing as a science and profession. Strong Code of Ethics regarding public safety.
ISC² (Intl. Information System Security Certification Consortium)
The gold standard for security certifications (CISSP).
ISACA
Focuses on IT Governance and Auditing (CISA, CISM).
The ISC² Code of Ethics
Security professionals must adhere to four canons:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Note: Protecting "Society" comes before protecting your "Employer."
Summary & Key Takeaways
- Ignorance of the law (RA 10173/10175) is no excuse for a security breach.
- Ethical behavior builds the trust required to be a security professional.