Sitting in her basement office at Stanford Law School, where she is executive director of the school's Center for Internet and Society, cyberlaw expert Jennifer Granick ponders various efforts to legislate computer security and privacy – and pronounces them failures.
"They've almost all been disasters," concludes the attorney, who has represented hackers and is frequently invited to speak at infosec conferences.
The Health Insurance Portability and Accountability Act (HIPAA) and the Gramm Leach Bliley Act (GLBA) have generated a ton of bureaucracy, for example, but not much privacy, believes Granick. Despite the Computer Fraud and Abuse Act, viruses and worms are rampant. "In the end," she says, "all we are protected against is shopping bots and auction comparison software."
She also dismisses the Electronic Communications Privacy Act (ECPA), which she describes as convoluted and does not prevent ISPs from reading users' email. She then goes on to write off anti-spam laws as ineffective against the growing tide of junk email.
Nonetheless, HIPAA, GLBA, and other newer laws such as Sarbanes-Oxley (SOX) – which have had a huge impact on infosec – have companies scrambling to comply. The effort is paying off in increased cybersecurity and privacy, some experts say.
According to a study by market research firm Meta Group, 64 percent of companies have dedicated budgets for regulatory compliance, with the average budget projected to be $7.2 million in 2005. More than half the companies in the study – about 270 firms from a range of sectors – have allocated resources for compliance with SOX and HIPAA. And more than a third budgeted for compliance with GLBA. Most of the money companies are allocating for auditing centres around compliance, explains Meta analyst Jon Van Decker.
Indeed, the government requirements have boosted infosec efforts at many companies by expanding IT security beyond the realm of firewalls and anti-virus into a broader business context, believes Michael Rasmussen, Forrester Research analyst.
"We're seeing a lot of organizations that are driving forward their security operations because of regulations," he says. While it will take time for HIPAA, GLBA and other laws to take full effect, he adds, "I've seen a tremendous amount of progress."
But Stephen Wu, CEO of InfoSec Law Group, a Silicon Valley-based law firm, says the results have been mixed so far. Large financial services firms are doing their best to have "world-class security," but some small and mid-size companies prefer to ignore the issue.
"They're saying, 'I've practiced [business] all these years and haven't had a problem. Just laws on the books aren't going to change the way I do business'."
Even among large organizations, there are gaps in compliance, notes Wu. "People are focused on survival. They're focused on selling products, on making it through to the next upturn in the economic cycle. If you had resources to throw into security, versus resources for engineers and marketing people to create and sell new products, there's a natural capitalistic tendency to focus on the latter."
Mark Rasch, senior vice-president and chief security counsel at managed security firm Solutionary, says that the regulations are improving security.
"What the regulations have done is skewed the marketplace slightly, so that although the IT security people are fighting for budget, they have a business justification," he says.
As for the older Computer Fraud and Abuse Act's effectiveness in fighting cybercrime, Rasch – a former Department of Justice attorney – says that like any other criminal law, it only catches a small percentage of the culprits.
"It defines what is acceptable and what is unacceptable, and always raises the specter that you might catch these people. But does it really deter this kind of conduct? I doubt any criminal law actually deters people who are bent on doing it," he declares.
Wu suggests that more resources might need to be allocated for enforcing the anti-hacking law. However, Granick believes it needs to be changed "so that it deals with the problem – which is attackers – as opposed to the way it's phrased now, which is any unauthorized or unwanted communications."
Before she joined Stanford in 2001, Granick became well-known for defending hackers against criminal charges of unauthorized computer access. Her clients included Max Butler, also known as Max Vision, who served time in prison for unleashing a worm that patched a hole in several government computers. She also represented, for a time, Jerome Heckenkamp, who was charged with breaking into computers owned by eBay and Qualcomm, among others. They had parted ways before he pleaded guilty earlier this year.
At the Center for Internet and Society, where Granick teaches the Cyberlaw clinic, students usually represent clients in cases involving technology and the public interest, such as anonymity on the internet and copyright laws.
However, the clinic did take on a cybercrime case last year, in which it appealed the conviction of a Los Angeles man for notifying the customers of his former employer that the company's web mail system was vulnerable to hackers. The Ninth Circuit Court of Appeals overturned the conviction.
Rather than simply hoping that the criminal law catches or deters intruders, suggests Granick, companies might be better off taking a public-health approach to cybersecurity by keeping their systems protected and patched.
"To some extent, we have to recognize that legal prohibitions alone are not the solution, that we need to spend time and resources on prevention as well as on punishment after the fact," declares Granick.
"The statutes need to do what we really want them to do, which is to protect privacy, stop spam, and prevent attackers from attacking computers. The problem is, we've written these statutes in such a way that they're often both too broad and under-inclusive."
Granick is not the only one to hold computer-related laws in such low esteem. For instance, Deirdre Mulligan, a professor at U.C. Berkeley's Boalt Hall School of Law, makes the point that as technology evolves, laws invariably need to be amended through litigation or the legislative process. She is especially critical of the ECPA which, when it was passed in 1986, assumed a difference between an email provider and the place where people stored messages, and placed protections based on whether messages were in transmission or stored. But now people use their email service providers as a place to store messages, she points out.
While ECPA was an extremely important piece of legislation and made email the critical form of communication it is today, GLBA was a step in the right direction, but "a far cry from what privacy and consumer advocates were looking for," says Mulligan.
"It relies a lot on providing people with notices and asking people to take action to limit the disclosure of their information. That's not the way one should go about constructing a bill to protect privacy," she continues.
Meanwhile, Granick suggests that other bodies, such as insurance firms, could have more influence than the law in shaping the future of cybersecurity, by encouraging the creation of better, more secure software.
"Computer security is still young," she concludes. "Better programming processes are being developed, and we're trying to get to where we know a lot more about certain kinds of vulnerabilities, so coders can do a better job of avoiding them."
