Laws and regulations

In the middle of the 1980s, as computer crime started to become more prevalent, jurisdictions began crafting laws to address the ever-increasing instances of cyber-crime. In the United States, for example, federal criminal law has specific statutes that deal directly with criminal activity utilizing a computer:

• 18 USC § 1029: Fraud and related activity in connection with access devices. This statute addresses the use of a computer to commit fraud. This is most often utilized by prosecutors in connection with cases where cyber criminals use a computer or computers to commit identify theft or other fraud-related activities.
• 18 USC § 1030 - Computer Fraud and Abuse Act: Among the number of provisions within this law, the one most commonly associated with incident response is the unauthorized access to a computer system. This law also addresses the illegality of denial of service attacks.
• Electronic Communications Privacy Act ( ECPA): This amendment to the federal wiretap statute was enacted in 1986. It makes illegal the unauthorized interception of communications through electronic means such as telecommunications and the internet. The ECPA was further amended by the Communications Assistance for Law Enforcement Act (CALEA). CALEA set the requirement on ISPs to ensure that their networks could be made available to law enforcement agencies to conduct lawfully authorized surveillance.
  Having knowledge of the ECPA is critical. Provisions of the law make it a crime for an organization to conduct surveillance and capture traffic on networks, even those under their control, if the users have a reasonable expectation of privacy. This can lead to an organization being held liable for sniffing traffic on its own network if in fact the users have a reasonable expectation of privacy. For the CSIRT, this creates potential legal problems if they have to access network resources or other systems. This can be easily remedied by having all system users acknowledge that they understand their communications can be monitored by the organization, and that they have no reasonable expectation of privacy in regards to their communications when using that particular network.
• Economic Espionage Act of 1996: This law contained several provisions found in 18 USC § 1831-1839 and made economic espionage and the theft of trade secrets a crime. This act went further than previous espionage legislation as it dealt directly with commercial enterprises and not just national security or government information.