In the mid-1980s, as computer crime started to become more prevalent, jurisdictions began crafting laws to address ever-increasing instances of cybercrime. In the United States, for example, federal criminal law has specific statutes that deal directly with criminal activity when utilizing a computer, as follows:
- 18 USC § 1029—Fraud and related activity in connection with access devices: This statute addresses the use of a computer to commit fraud. This is most often utilized by prosecutors in connection with cases where cybercriminals use a computer, or computers, to commit identity theft or other fraud-related activities.
- 18 USC § 1030—Computer Fraud and Abuse Act (CFAA): Among the number of provisions within this law, the one most commonly associated with incident response is that of unauthorized access to a computer system. This law also addresses the illegality of denial-of-service (DoS) attacks.
- Electronic Communications Privacy Act (ECPA): This amendment to the Federal Wiretap Statute was enacted in 1986. It makes illegal the unauthorized interception of communications through electronic means, such as telecommunications and the internet. The ECPA was further amended by the Communications Assistance for Law Enforcement Act (CALEA). CALEA imposed the requirement on ISPs to ensure that their networks could be made available to law enforcement agencies, in order to conduct lawfully authorized surveillance.
Being familiar with the ECPA is critical for those organizations that have a presence in the United States. Provisions of the law make it a crime for an organization to conduct surveillance and capture traffic on networks, even those under their control, if the users have a reasonable expectation of privacy. This can lead to an organization being held liable for sniffing traffic on its own network if, in fact, its users have a reasonable expectation of privacy. For CSIRT members, this creates potential legal problems if they access network resources or other systems. This can be easily remedied, by having all system users acknowledge that they understand their communications can be monitored by the organization and that they have no reasonable expectation of privacy in their communications when using computer and network resources provided by the organization.
- Economic Espionage Act of 1996 (EEA): This law contains several provisions found in 18 USC § 1831-1839, and makes economic espionage and the theft of trade secrets a crime. This Act goes further than previous espionage legislation, as it deals directly with commercial enterprises and not just national security or government information.