Web security is also known as “Cybersecurity”. It means protecting a website or web application by detecting, preventing, and responding to cyber threats.[1] The need for an effective international guideline on cybersecurity has often been discussed in theory on various platforms, but its practical application remains a long way off.
Understanding the importance of web security
Web security is crucial because the challenges it faces keep growing. “Along with email, the web is one of the top vectors for cyberattacks. They are prone to all kinds of malware attacks, with the proven fact that email and the web together are a key part of 99% of successful breaches. IT security departments face serious challenges when trying to secure the web, from thwarting attacks to dealing with limits in skills and resources. In the past, security teams have deployed a collection of on-premises solutions to manage email and web security. But increasingly, organizations are turning to comprehensive email and web security solutions – via integrated, cloud-based technologies that simplify the task and reduce the cost of reducing risk. And because attackers or hackers are often leveraging email and web channels together, a seamless and scalable strategy for protecting both is essential.”[2]
This article is divided into two main discussions: 1) understanding web security, and 2) the challenges faced in the arena of web security in the light of international law. The article’s main focus is to understand the future of international law on web security and the laws to be complied with in that respect.
International laws & Cyber-crimes
“The 2011 US International Strategy for Cyberspace states that the US reserves ‘the right to use all necessary means – diplomatic, informational, military, and economic – as appropriate and consistent with international law’ to respond to concerns of all types in cyberspace. The government’s major challenge is to ensure that people are primarily protected from crime and espionage on the internet. The vast majority of cyber-attacks are not carried out by government-sponsored hackers but by criminals intending to steal business secrets and financial information.”[3]
“The Budapest Cybercrime Convention (under the auspices of the Council of Europe), in which about 40 (mostly western) state parties participated, obligated state parties to enact laws so as to be able to prosecute cybercrime internally. Further calls for mutual assistance in investigating and prosecuting, containing exceptions for protecting state interests, were also put forth.”[4]
International law may be of limited effectiveness in some spheres, but it remains a powerful tool. Many of the challenges are not as novel as they are often described, and states are accordingly trying to reconcile them with their interests. “International law is supposed to apply in conflicts involving cyber-crimes, but which international law? Several states have questioned the applicability of a prominent subdomain of international law. Perhaps more importantly, is that how international law is supposed to be applied? It is one thing to know that the online realm is not a lawless world, but quite another to understand how its rules precisely apply to cyber phenomena.”[5]
Would any of the following activities constitute a cyber-crime?[6]
- Hacking (Unauthorized access),
- Phishing,
- Denial of service attacks,
- Infection of IT systems with different malware,
- Identity theft,
- Electronic theft and many more.
Yes. The federal Computer Fraud and Abuse Act (CFAA) is the primary statutory mechanism for prosecuting cyber-crimes and provides for both civil and criminal actions. Other relevant laws include the Electronic Communications Privacy Act (ECPA), which protects communications in storage and in transit. In addition, numerous states have passed statutes prohibiting hacking and other computer crimes. For example, New York prohibits the knowing use of a computer with the intention of gaining access to computer material under the NY Penal Law. Which statute applies depends on several factors. Whether these activities constitute a crime would mainly depend on whether the actor intended them to be used for illegal purposes. If the evidence shows criminal intent, a person may be liable for aiding and abetting, or even for the distribution of unauthorized hardware, in violation of the CFAA and other related computer-crime laws.
Other laws include:
- “The Federal Trade Commission (FTC) applies its authority over unfair and deceptive practices as a means to require companies to implement security measures.
- The Cybersecurity Information Sharing Act (CISA). The CISA allows companies to monitor network traffic, including taking defensive measures on their own systems. It also encourages sharing of cyber-threat information between companies and with the government.
- Among the sector-specific Acts, there is the Gramm-Leach-Bliley Act (GLBA), which requires implementing written policies and procedures designed to ensure the security and confidentiality of records and protection against anticipated threats and unauthorized access and use. Then there is the Health Insurance Portability and Accountability Act (HIPAA), which includes cybersecurity requirements applicable to protected health information in the possession of certain “covered entities” and their “business associates.”
- New York recently passed the SHIELD Act, which requires reasonable security for personal information and specifies measures that may satisfy that standard.
- The California Consumer Privacy Act (CCPA) creates a data breach right of action for Californian residents, with penalties of $100 – $750 per consumer and per incident if plaintiffs prove that the impacted business failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information.
- The Cybersecurity and Infrastructure Security Agency Act created CISA, a component of the Department of Homeland Security and the federal agency responsible for protecting critical infrastructure in the United States.”[7]
Van Buren v. United States (2021)[8] was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of “exceeds authorized access” as applied to someone who intentionally accesses a computer system they are authorized to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one “exceeds authorized access” by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA’s language had long created a circuit split in case law, and the Court’s decision narrowed the applicability of the CFAA in prosecuting cybersecurity and computer-crime cases.
In another case, “hiQ Labs, Inc. v. LinkedIn Corp, 938 F.3d 985 (9th Cir. 2019), was a United States Ninth Circuit case about web scraping. The 9th Circuit affirmed the district court’s preliminary injunction, preventing LinkedIn from denying the plaintiff, hiQ Labs, access to LinkedIn’s publicly available member profiles. hiQ is a small data analytics company that used automated bots to scrape information from public LinkedIn profiles. The court ruled for hiQ and the right to do web scraping. However, the Supreme Court, based on its Van Buren v. United States decision, vacated the decision and remanded the case for further review in June 2021.”[9]
In the case of United States v. Rodriguez,[10] the court held that a sentence “for violating the Computer Fraud and Abuse Act was not unreasonable where the district court varied upward to reflect the seriousness of the offence, to promote respect for the law, and to protect the public from future criminal conduct, and imposed a 12-month statutory maximum sentence where the guideline range was 0 to 6 years.”[11]
Web security is vital because attacks in this arena are persistent and, in many cases, leave no trace behind. They can cause major economic, social, and political damage to the victims of cyber-crimes. The laws and the penalties they impose help to make progress in reducing such crimes. Further, they help to ensure universally that every internationally wrongful act attracts legal consequences.
[1] https://www.goodfirms.co/glossary/web-security/
[2] https://www.mimecast.com/content/web-security/
[3] Microsoft Word - 290512summary (chathamhouse.org): International Law Meeting Summary, “Cyber Security and International Law”, by Mary Ellen O’Connell, Louise Arimatsu and Elizabeth Wilmshurst, Chatham House.
[4] PowerPoint Presentation (hoover.org)
[5] CyCon_2016_book_sisu.indd (ccdcoe.org)
[6] Cybersecurity 2021 | Laws and Regulations | USA | ICLG
[7] See [6].
[8] https://en.wikipedia.org/wiki/Van_Buren_v._United_States
[9] https://en.wikipedia.org/wiki/HiQ_Labs_v._LinkedIn
[10] https://casetext.com/case/us-v-rodriguez-241/case-summaries?PHONE_NUMBER_GROUP=P&__cf_chl_jschl_tk__=pmd_c93874b0434ca7c727998f6aa3d74a227be88612-1628331734-0-gqNtZGzNAmKjcnBszQr6
[11] https://casetext.com/case/united-states-v-jones-1203