Information protection in automated systems

Information and communication technologies are the most important factor shaping the society of the 21st century. Their revolutionary influence extends to the way of life, education and work. Information technologies have become a vital stimulus for the development of the world economy. They make it possible to solve economic and social problems more efficiently and inventively. Humanity has entered a new age, the age of the information society. It is estimated that doubling the production of goods requires a fourfold increase in the volume of information. As recently as two decades ago, the volume of scientific information necessary for solving technological and social problems doubled every seven years. Since 1995 it has been doubling annually or every two years.

Under such conditions, information that supports crucial and historic directions of human activity becomes a valuable product and the main commodity. Its cost gradually approaches the cost of material values. Under the influence of the latest scientific and technological knowledge, the production of goods is radically changing its technological basis. IT penetrates ever more deeply into the mechanisms of mass social communication: education, upbringing and training. IT influences the formation of personality, the way of living, the system of legal relationships, etc.

The relevance of this article is determined by the active introduction of electronic payment and plastic card systems that use the Internet in the Ukrainian banking sector. In addition, the number of threats is increasing, and the means of illegal interference with and access to such information are being improved. Thus it is necessary to continue research in this field and to improve the legal and technical protection of information from unauthorized access.

Information is today a strategic national resource, the main property of a state, and it plays an increasing role in the system of government [1]. Information systems and information-analytic centers are functioning and being developed in state authorities and administrations, ministries and departments, and regional and local authorities of the USA, European countries and Russia. Information-inquiry and analytical systems positively affect the sphere of state government and create new opportunities for its improvement.

Admittedly, information technologies are not yet widely used in all countries and remain unaffordable for many people, and millions do not even know about satellites, PCs and the Internet. Humanity has entered a new millennium with a fundamentally new instrument, simultaneously creative and destructive, and therefore demanding very delicate treatment.

The global information civilization has made information its main parameter. Publishing, the press, radio, television, computers and other means of telecommunication have become key factors of the economy, manufacturing, science, education, policy and other spheres of social activity. It follows that various information systems and networks are reinforcing factors of society and the state. The information society not only changes the status of information as a catalyst of positive shifts in social life (bulletin, knowledge, data), but also extends the opportunities for criminals to apply information for antisocial purposes [2].

The goal of this article is to research theoretical legal questions of information protection in automated systems, to examine the main directions of state policy in this sphere and to determine, on this basis, measures of state policy.

The threatening gap between the level of introduction of information technologies and the level of their legal, organizational and technical protection causes considerable anxiety among experts. According to UN estimates, losses from computer crimes all over the world have exceeded 1 trillion USD.

If we compare traditional and computer crimes, the latter are distinguished, first of all, by the distribution in time and space of the subject of infringement. In other words, there is no need to break into a bank depository, cross borders or overcome security systems and alarms in order to steal money. It is enough to have a computer, initial data on access to and protection of bank information systems, a set of hacker programs and hacker experience.

Another important aspect of computer crimes lies in the phenomenon of information facelessness. Such traditional signs of criminalistic examination as handwriting, fingerprints and others are not used in the case of computer crimes.

One more specific feature of computer crimes is the phenomenon of software tools for computer infringements. Unlike traditional means of crime such as weapons, the tools of computer crime are various software means of computer intrusion.

One of the methods of committing computer crime is the technical-technological method. Its main point lies in disrupting the operation of information systems by influencing their vulnerable components. And though this kind of crime markedly differs from traditional terrorist crimes, its consequences may be similar to great man-made disasters.

There are a great number of known definitions of information security threats that agree in their main point in spite of differences in details: a threat is a danger (real or potential) of some action (activity or inactivity) being committed that is directed at infringing the main properties of information: confidentiality, integrity, accessibility.

Almost all researchers, when considering the types of possible infringements of the main properties of information, give one and the same list: theft (copying) and leakage of information; threats to accessibility (information blocking); integrity threats (alteration or deterioration of information, denial of authentication or obtrusion of wrong information).

The tradition of emphasizing these three types of threats probably comes from “Department of Defense Computer Security Evaluation Center; Trusted Computer System Evaluation Criteria (Orange Book); (1983, 1985)”. This approach was upheld in the international standard ISO/IEC 15408-99 (historically named “Common Criteria”). These normative documents are dedicated to computer systems for information processing.

Civil, administrative or criminal proceedings may be instituted against those guilty of illegal actions. The degree of penalty depends on criminal sanctions where violations of the law are criminalized as offences according to their social amount, mass character, typical nature and firmness of display.

Today Ukrainian law providing for criminal responsibility is becoming better adapted to the tasks of a developing information society. The adoption of the new Criminal Code fundamentally changed the approach to information as a subject of a crime. Having recognized information as a subject of theft, appropriation, blackmail and other illegal acts, criminal law affirmed the status of information as a subject of property right, which is consistent with the main regulations of Ukrainian information law. Until recently, criminal legal doctrine excluded information from the list of possible subjects of theft and other offences against property.

The new Criminal Code of Ukraine contains Section 16 “Crimes in sphere of computers, computer systems and networks operation”. It includes three Articles: Article 361 “Illegal interference with operation of computers, systems and networks”, that is, illegal interference with the operation of automated computers, systems or networks resulting in distortion or erasing of computer information or destruction of its carriers, and also the spreading of computer viruses by using software and hardware designed for illegal penetration into these machines, systems or networks and capable of distorting or erasing computer information or destroying its carriers; Article 362 “Theft, misappropriation, extortion of computer information or its capture by swindling or abusing official position”; Article 363 “Violation of automated electronic computer operating rules”, that is, violation of the operating rules of automated computers, systems or networks on the part of a person responsible for their operation, if it entailed theft, distortion or erasing of computer information or security means, or illegal copying of computer information, or essential infringement of the operation of such facilities, systems or networks.

Undoubtedly, in view of the numerous threats in the information field, the high latency of such crimes and the difficulty of collecting evidence even on established facts, this kind of normative legal regulation in current law is not enough.

We may list some negative phenomena that accompany information processes and cause difficulties of legal qualification: illegal sale of databases of mobile communications subscribers, SMS archives, access to official information on subscribers' location, hardware and software means with undeclared features; distribution of abusive or obscene materials on the Internet; copyright violations. This list may be continued. The unsuccessful dispositions of Articles 361 and 362, where illegal acts are tied to computers, were criticized during discussions of the draft Criminal Code.

According to Information Week, the development of a new high-speed computer system project will be finished soon. Its principle is based on a new quantum computer that will be much more powerful.

An ordinary computer thinks by means of numerous operations. Using these small operations and bits of information, the processor can remember figures and perform all kinds of sorting of mathematical data in order to execute computing commands. A quantum computer will be much more advanced than present models. It will use intra-atomic particles, namely electrons. As these particles may exist in different states simultaneously, they become polybit, i.e. may hold several bits of information simultaneously. Thus one electron can carry several times more information than a usual mechanical system.

In this connection we may imagine the problems of qualifying computer crimes and, moreover, of criminal prosecution of the guilty, when cyber criminals are using quantum computers.

It is obvious that the present qualification of information security threats demands further development and specification. It is no accident that the objective side of offences is elaborated in greater detail in the Cyber Criminality European Convention. The Convention distinguishes illegal access (article 2) and illegal data interception (article 3), interference with data (article 4) and interference with system (article 5), misuse of devices (article 6), computer related counterfeit (article 8), child pornography related to computers (article 9), and copyright and adjacent rights violations (article 10) [3].

Information protection is a set of methods that maintain the integrity, confidentiality, authenticity, reliability and accessibility of information under the influence of threats of natural and artificial character. Humanity, at different stages of its development, has solved this problem in a manner peculiar to each stage. The invention of the computer and the subsequent rapid development of information technologies in the second half of the 20th century made the problem of information protection as topical, urgent and critical as informatization is for the whole of society.

Computerization gave birth to a new kind of crime. The total number of misuses in the sphere of computer technologies and the extent of damage are increasing steadily. This can be explained by several facts:

  • a high level of development and mass introduction of information technologies and processes based on computer use in many fields of human activity;
  • a great number of experts in the field of computer technologies and the rising level of their skills;
  • imperfection of the law in the field of information relationships and information security;
  • imperfection or absence of technical means of information security in specific technologies;
  • a low level of detection of computer crimes.

This, in turn, made it necessary to reconsider computer criminality as a social phenomenon and to elaborate corresponding techniques for fighting it, including detecting and investigating crimes committed with the use of computer technologies.

Efforts to create a system for fighting computer crimes are focused on several directions:

  • legal provision for fighting computer crimes;
  • development of secured information technologies;
  • development of security means for the purpose of updating existing information technologies.

The funds necessary for solving these tasks are very significant, and more are needed every year. The production volume of physical control and computer security means in the USA alone was 1.8 billion USD in 1990 and about 5 billion in 2000. However, these expenses are much less than the possible losses.

Computer crimes have become widespread in countries with developed information and telecommunication infrastructure, and thus a number of special articles have been included in criminal laws.

The first law on information security was adopted in the USA in 1906. Today there are about 500 legal documents on information security, disclosure and computer crime in the US. Problems of information security are regarded by the American administration as one of the key elements of national defence. The national policy of the US in the field of information protection is formed by the National Security Agency (NSA). The most important strategic tasks that define national policy in this sphere are, as a rule, solved at the level of the National Security Council, and decisions are issued as directives of the President of the USA.

An adequate response to changes in social relationships is reflected in normative documents of the EU Council (there are more than 100 documents) and in resolutions, conventions, recommendations and directives of the Europarliament and the European Union. The processes of informatization are concretely reflected in the laws and the normative and ethical rules of the subjects of information relationships in all developed countries.

Analysis of the legal regulation of information relationships in Ukraine and of international experience allows us to determine a number of basic methodological, principal regulations of information law, which is the public legal basis of information right:

  • the main object of regulation: social information relationships;
  • the main subject of social relationships: information (bulletin, data, knowledge, secret etc.);
  • the method of legal regulation: systematic, complex application of constitutional, civil, administrative, labor and criminal law methods (which defines the inter-branch character of public legal regulation) and use of private legal regulation methods (at the level of agreements, customs, traditions, norms of social morals, professional and business ethics);
  • by legal origin, as an inter-branch complex concept of Ukrainian national law, it has a private legal and public legal nature;
  • information law is connected with other inter-branch institutes of law (copyright, property right, intellectual property law etc.) and together with them creates a complex, aggregated hyper system of law.

The national (state, public) law of Ukraine has a significant corpus of legal acts (laws and by-laws) that directly or indirectly regulate information relationships in society. The total of legal norms in the sphere of social information relationships defined in laws and by-laws has reached a critical amount. This trend makes it possible and necessary to single them out as a separate, autonomous and inter-branch institute of law, information law, with corresponding legal systematization at the level of scientific discipline and law [4].

The state of information and telecommunication systems and the level of their protection is one of the most important factors that influence the information security of a state. Economic losses from computer crimes are on the same level as the advantages obtained from introducing computers into practice, and the social and moral damage cannot be estimated at all.

The state policy of Ukraine in the sphere of information protection is determined by the priority of national interests, has the purpose of making information threats impossible, and is carried out by implementing the regulations specified in legislation and in the Technical Information Protection Convention, and also by developing programs on information protection and separate projects.

The measures for realizing state policy in the sphere of information protection include:

  • creating a legal basis for realizing state policy in the sphere of information protection, and the sequence and order of developing the corresponding normative legal acts;
  • definition of perspective directions for developing normative documents on questions of information protection on the basis of analysis of the corresponding home and foreign normative base, and development of the specified normative documents;
  • definition of domestically produced computers and basic software, office and telecommunication equipment designed for restricted information processing, and other protection means in state and local authorities, the National Academy of Sciences, the Armed Forces, other military departments and internal affairs authorities;
  • development of a certification system for domestically produced and foreign technical means of information protection;
  • definition of the real demand for experts in the system of technical protection of information, and development and improvement of the system of training, retraining and raising the level of skills of experts in technical protection of information.

The materials of this article may be used for improving information protection in automated systems. The theses and conclusions given may be used in two main directions: as a theoretical and methodical basis for improving information protection from unauthorized access, and for improving current law on information protection and criminal responsibility for offences committed with the help of computers.

[1] N. Nizhnik, G. Lepikov, Information technologies in state authorities, Information technologies and information protection, Collection of scientific works, Zaporizhzhya: 1998, p. 97.
[2] R. Kaluzhny, R. Kolpak, IT use of organized criminality for influencing society, Fighting organized criminality and corruption (theory and practice), Scientific practical magazine, #3, 2001, p. 160.
[3] V. Golubev, Computer Crime Investigation, Monograph, Zaporizhzhya: University of Humanities “ZIDMU”, 2003, p. 52.
[4] R. Kaluzhny, V. Gavlovski, V. Tsymbaluck, M. Gutsaluk, Problems of reforming information law of Ukraine, Legal, normative and methodological provision of information protection system in Ukraine, Kyiv: 2000, pp. 17-21.
