Why do we need Ethics and Policies?

Imagine if there were no air traffic controllers and airplanes flew freely.

• Trying to take off and land would be extremely dangerous.
• Many more accidents would have happend.
  • Such a situation would wreak havoc.

Would E & P be enough in CS?

• Cyberspace has no authorities that function like air traffic controllers.
• Human behavior online often is less mature than in normal social settings.
• Cyberspace has become the new playground for today’s bad guys.

This is why the demand for systems security professionals is growing so rapidly.

Definations

Cyberspace cannot continue to flourish without some assurances of user security.

Hierarchical IT Security Policy Framework

• Policies: Apply to the entire organisation.

• Standards: Specific to a given policy.

• Procedures & Guidelines: Define usage and implementation.

• This will help define the roles, responsibilities, and accountability throughout.

Foundational IT Security Policies

Note: The goal of the IT security policy framework is to minimise exposure to risks, threats, and vulnerabilities.

• Policies should:
  • Relate to practical design requirements.
  • Apply the best security controls and countermeasures.
  • Set limits and reference standards, procedures, and guidelines.
  • Ensure that laws and regulations are applied.

Foundational IT Security Policies: Examples

Data Classification Standards

Provide consistent definitions for handling and securing different types of data.

• Security controls protect various data types within the seven IT infrastructure domains (user,ws,lan, wan, remote & sys. etc.).

  Major Categories	Description
  Private Data	Must be kept private; proper security controls are required for compliance.
  Confidential	Owned by the organisation, including intellectual property, customer lists, and patents.
  Internal Use Only	Shared internally; not intended for external communication.
  Public Domain Data	Shared with the public, such as website content and white papers.

Procedures and guidelines ensure proper data handling to maintain security.

Example: U.S. Federal Government Data Classification Standard

Example: UK Government Data Classification Standard

Note: Organisations should begin defining their IT security policy framework by establishing an asset classification policy.

Cybersecurity Laws and Regulations in the UK

• ISSUE: There is no overarching, primary national cybersecurity law.

• But, there are sevral critical legislation schemes that govern cybersecurity, data privacy, and data protection in the UK:

  1. CMA: Computer Misuse Act 1990
  2. DPA: Data Protection Act 2018
  3. UK-GDPR: UK General Data Protection Regulation
  4. NIS Regulations: Network and Information Security Regulations 2018:
  5. PSTI: Product Security and Telecommunications Infrastructure Act 2022.

1. CMA: Computer Misuse Act 1990

• It addresses various offenses related to unauthorised access and use of computer system

• It is the main act that regulates the UK’s digital relationship between individuals and malicious parties.

  • Prosecutes criminals for unauthorised access to computers for the purpose of modifying, removing, or tampering with data, as well as malicious cybercrime and cyber attacks like ransomware and DDoS attacks.

• ISSUE: Ethical hacking is illegal as it defines all non-consensual system access as a crime hence we need to adpate others.

Task: Is Compliance With the CMA Mandatory?

If so, what are the Non-Compliance Penalties for Computer Misuse Act 1990?

CMA Penalty

UK Gov Review

• Empowering law enforcement to seize criminal domain names and IP addresses.
• Introducing penalties for the possession of illegally obtained data.
• Considering cross-border cybercrime jurisdiction updates.
  • Facilitate better cooperation between countries

2. DPA: Data Protection Act 2018: Post-Brexit

• Provides guidance and best practice for data handling.

• It incorporates most of the EU General Data Protection Regulation (GDPR).

• The EU GDPR provided a general outline the UK adapted for their specific needs.

• DPA 2018 fulfills three primary purposes for the UK:

  • Allows the UK to adopt the EU GDPR into their national legislating process formally
  • It gives the UK authority to amend and exempt parts of the EU GDPR that may or may not apply to the UK
  • Extends UK data protection regulation to new areas not initially included in the EU GDPR.

Is Compliance With the DPA 2018 Mandatory?

What Are the Penalties for DPA 2018 Non-Compliance?

Cyber criminal offenses covered by the DPA 2018 include:

• Destruction, falsifying, unlawful use, or unlawful obtainment of personal data, as well as altering information to prevent disclosure to the data subject [1]

3. UK-GDPR (UK General Data Protection Regulation)

• The UK-GDPR is the United Kingdom’s data security regulation that’s tailored by and complements the DPA 2018.
• Also modeled after the EU-GDPR, it governs and regulates how UK organisations and businesses collect, store, use, and process personal data.
• UK-DGPR protects the rights of data subjects (people whose data is held, according to the DPA2018) to control how their data is handled, and has 7 principles :

How the DPA Act Works With the UK-GDPR?

Both the UK-GDPR and the DPA 2018 work together in conjunction to regulate data protection and data privacy in the UK.

• The DPA 2018 applies to UK organisations that decide how personal data is used (controllers).
• The UK-GDPR applies to those that process personal data on behalf of controllers (processors).

A UK retailer decides what customer data to collect and how it will be used → this makes the retailer the controller under the DPA 2018.
The retailer hires a cloud company to store and manage that data → the cloud company is the processor under the UK-GDPR.

what are the Key Differences betweeen UK-GDPR and DPA-18?

Is Compliance With the UK-GDPR Mandatory?

All UK organisations and businesses that are involved in the collection, handling, storage, or processing of personal/private data of all entities in the United Kingdom must comply with the UK-GDPR.

steps in achieving UK-GDPR compliance, as well as DPA compliance, is to:

• Adhere to the 7 principles of data processing
• Create an IT Security Policy to meet the GDPR's security requirements
• Implement strong data protection concepts
• Maintain a clear, comprehensive, and suitable privacy policy

Task: Scenario: Social Media App Development

A tech startup in the UK is developing a new social media app for sharing photos and videos with special filters and effects.

• Under UK-GDPR: What needs to be considered?

Scenario: Social Media App Development

A tech startup in the UK is developing a new social media app for sharing photos and videos with special filters and effects.

• Under UK-GDPR: What needs to be considered?

  • User Consent: Obtain explicit consent from users to process personal data.
  • Transparency: Provide a clear privacy policy explaining data use, storage, and sharing.
  • Data Minimisation: Collect only necessary data for the app's functionality.
  • User Rights: Users can access, correct, or delete their data.

Task Scenario: Social Media App Development

A tech startup in the UK is developing a new social media app for sharing photos and videos with special filters and effects.

• Under DPA 2018: What needs to be considered?

Scenario: Social Media App Development

A tech startup in the UK is developing a new social media app for sharing photos and videos with special filters and effects.

• Under DPA 2018: What needs to be considered?

  • Children's Data: Comply with additional protections if the app targets children (e.g., Age-Appropriate Design Code).
  • Special Categories of Data: Implement extra safeguards for sensitive information.
  • Criminal Offenses: Misuse of personal data by employees could result in criminal charges.

4. NIS Regulations: (Network and Information Security Regulations 2018)

• Transposed from the EU Cybersecurity Directive prior to Brexit.

• Mandate "detect and manage the threats to the security of network and information systems in an acceptable and proportional manner".

• Impose cybersecurity obligations:

  • Relevant digital service providers (RDSPs — cloud computing service providers and online marketplace providers)
  • Operators of essential services (OES — healthcare, energy, transport and infrastructure, and other public services)

Is Compliance With the NIS Regulations Mandatory?

Yes. All UK OES and RDSPs must maintain compliance with the NIS Regulations.

• Fine could be up to £17.5 million
• To comply with the NIS regulations, all UK OES and DSPs are required to implement adequate cybersecurity measures and cyber resilience programs that include:

What Is the Difference Between the NIS Regulations and GDPR?

5. (NEW) PSTI: Product Security and Telecommunications Infrastructure-2022

• Enacted to enhance the security of consumer connectable products and streamline the deployment of telecommunications infrastructure in the UK
• Key obligations:
  • Unique Passwords: avoid easily guessable credentials.
  • Security Reporting: provide clear information on how to report security issues and the expected timelines for response and resolution.
  • Security Updates: Information on the minimum period for security updates must be made available to consumers, ensuring ongoing protection against vulnerabilities.
• OPSS: Office for Product Safety & Standards is responsible for enforcing the PSTI Act.

PSTI: More

Imagine you are a retailer based in China and importing smart devices into the UK market:

Duties of Relevant Persons:

The Act defines the roles and responsibilities of different stakeholders: Manufacturers, Importers and Distributor.

What smart products are affected by the new law?

• The law applies to any consumer smart device that connects either to the internet, or to a home network. IoT, Smart home things, TVs, etc.

NCSC has produced a ‘point of sale’ (POS)

• Leaflet for retailers to distribute in-store to their customers.
• How to choose products that protect against the most common cyber attacks.

More

RIPA: Regulation of Investigatory Powers Act 2000

1. Regulates Surveillance: RIPA governs how public authorities, such as law enforcement, can conduct surveillance, intercept communications, and access data.

2. Network Traffic Interception: Allows lawful interception of communications (emails, phone calls, internet activity) for national security and crime prevention purposes.

3. Impact on ISPs: Internet Service Providers (ISPs) may be required to assist authorities by providing user data or enabling the interception of network traffic.

4. Ensures Accountability: The act requires proper authorisation for surveillance and interception to prevent misuse and ensure lawful actions.

Ethical Principles in Cybersecurity

• Confidentiality

• Integrity

• Availability

• NEW: Accountability : Holding individuals responsible for their actions related to data security.

Key Ethical Issues

• Data Breaches: Unauthorised access to sensitive data.
  • Example: Unauthorised access leading to the exposure of personal information.
• Surveillance: Monitoring individuals' activities and communications.
  • Example: Ethical dilemmas in using surveillance for security versus privacy intrusion.
• Hacking: Unauthorised access to systems and data.
  • Example: Ethical hackers (white-hat) versus malicious hackers (black-hat).
• Cybercrime: Engaging in illegal activities through digital means.
  • Example: Phishing attacks to steal sensitive information.

Privacy Concerns in Cybersecurity (Some)

• Personal Data Protection: Safeguarding personal information from unauthorised access.

  • Importance: Protecting individual privacy rights.

• Data Collection and Usage: Ensuring data is collected and used ethically.

  • Example: Only collecting necessary data and being transparent about its use.
  • Always ask YOURSELF AS COLLECTOR: DO I NEED THIS INFO

• Consent: Obtaining permission from individuals before collecting or using their data.

  • Right to be Forgotten: Allowing individuals to request the deletion of their data.
  • Application: Implementing processes to respect this right.

Best Practices for Ethical Cybersecurity

• Transparency: Being open about data collection and usage practices.
  • Example: Clear privacy policies and notices.
• Minimisation: Collecting only the necessary amount of data.
  • Principle: Reducing risk by limiting data exposure.
• Security Measures: Implementing strong security controls to protect data.
  • Practices: Encryption, access controls, and regular security audits.
• Regular Audits: Conducting frequent audits to ensure compliance with ethical standards.
  • Benefit: Identifying and addressing potential vulnerabilities.

Case Study-1: Data Breach at Marriott International (2018)

• Incident: Unauthorised access to the Starwood guest reservation database.
• Ethical Implications:
  • Negligence: Failure to detect and prevent the breach from 2014 to 2018.
  • Impact: Exposed personal information of approximately 500 million guests.
  • Response: Implemented enhanced security measures and notified affected customers.

Case Study-2: Ethical Dilemma in Surveillance - Clearview AI (2020)

• Unlawfully storing facial images.
• Ethical Implications:
  • Privacy Violation: Unauthorised scraping of personal images.
  • Impact: Legal actions and public criticism over privacy concerns.
  • Response: Company faced restrictions and regulatory scrutiny in several countries.

Lab

• The lab covers different aspects of legal and ethical considerations. It consists of several scenarios that cover various pieces of legislation. It can be found here

Note: that you you can use the time that allocated for you independent learning to do more of the provided labs and research.