Would you like to share an article on cybercrime? Please contribute!

These articles do not necessarily reflect official positions of the Council of Europe

المدوّنات المدوّنات

Information security: the protected legal value in the Budapest Convention

The information is one of the most valuable assets for any country, as well as any person or social organization. Precisely for this reason, I think is particularly important to make a brief reflection on the importance of this situation in the modern social context, especially for the way modern technologies impact on the people.

The State is the entity that possesses the largest amount of data and information of its citizens, more than any other social organization. Given this delicate situation, one of the main conditions that a modern State must comply is to ensure the security of the information obtained from its inhabitants. This is a way to achieve trust from the people while they make use of automated services and data that the State puts at their disposal, all as part of the relationship between public entities and citizens. Logically, within public institutions there is a lot of personal data, confidential or not, about the inhabitants of the country. This is the basis to consider the information as a public heritage of particularly significant and intangible type because of the importance it has for the functioning of the State system.

When I talk about "security", I mean in fact referring to policies on information security. In this case, is an issue which is of much importance since the information is an asset of great value, when not the greatest. So within this comment I have tried to make a special emphasis in a scenario that includes not only a brief analysis of what should be understood as computer security, but also references to their different perspectives in terms of physical and logical security as well as the mode the security is protected within the Convention of Budapest. With these concepts in mind, may be possible to achieve one higher degree of trust in activities which a nation develops to carry out a comprehensive project of information security.

Concept of information security.

I define information security as an institutional and comprehensive policy for the protection of the physical and logical components of a computer system that seeks to safeguard the integrity of the hardware, software, data and information produced or obtained from people, private companies or public institutions, as well as its confidentiality, but allowing access or availability for their legitimate stakeholders and without deny or restrict the provision of services that the State, entity or company provides.

This concept of information security (or cyber-security) is intended to be wide-ranging on the main elements that cover computer system security: they are integrity, confidentiality and availability. Even though nowadays refers more to safety of the information, in any case, security should consist always in practices, processes and application of computer systems, programs and equipment to achieve, all together, the maximum security of the main resources of the organization.

The goal of security must be protecting valuable information of any type from threats to ensure the continuity of the service provided by a public or private institution, to minimize any damage to its continuity and to maximize the users’ trust in the content of the information.

I believe that information security should be first and foremost an institutional policy applicable to any public or private entity that has automated its information systems in operation. This is not a static state, but a dynamic and proactive policy, because it must always be in constant review, change and improvement. For this reason, my definition makes mention to both system components, referring to the physical part (computer equipment and all of its components) and the logical part (programs and magnetic or optical records storage in any container). In this case, I try to include the necessary conditions of integrity of the collected information; the confidentiality of such information (not only in terms of access, but also their protection) and the availability that should have on it at any time.

Physical security and logical security.-

As I have exposed in my concept of security, and in accordance with the consensual approach between experts, computer security represents first and foremost a comprehensive protection policy to institutional information, and manifests itself through a set of good practices that has three pillars, which are integrity, confidentiality and availability of information. Precisely, the previous ISO 17799 standard, in all its versions, as well as the ISO 27000 standard has been reserved specifically for information security issues, and has replaced the old 17799 technical norms. It is called precisely Information Security Management System and emphasis on these three factors and assurance of information as a resource or strategic asset for the entity. These concepts are regarded as “characteristics” of the information security. Really, they are different aspects that complement each other within the same process.

In this regard, there are two types of security: physical security and logical security, concepts that are widely known and often invoked by users or by entities that protect information, especially after a serious mishap against their computer assets.

In order to implement both forms of protection within each one of the principles I have mentioned (integrity, confidentiality and availability of information), I prefer to define the logical security as a policy and implementation of practical tasks of effective protection on computer programs, installed systems, data, processes and in general the content of valuable and relevant information which an entity may has in its power, especially if is taken as a vital resource within the organization.

On the other hand, the physical security has a similar nature, because it seeks to establish an internal policy inside the organization for each kind of users, as a manner to regulate the possibility of access to computer equipment, physical spaces, implementation of periodic information backups and other practices that apply in a discriminatory manner to the different types of people according with the nature of their functions, the bonding with the entity and the availability to them of protected and safeguarded information.

Both security types could be seen as faces of the same coin, so much that the execution of some of these protection practices may fall both within the physical security and logical security. For example, in the case of information backups or access to computer systems I think they could be considered as physical or logical protection actions as well, taking into account that they share many similarities and also keep similar objectives. These goals will always be consistent with the principles of integrity, confidentiality and availability. That is why I affirm that between both types of security exists interdependence and they are equally necessary and convergent. One is not conceived without the other, and would be senseless to apply only one in detriment of the other. Once again, the security must be always seen as an integral policy.

However, all this is mostly a theoretical exercise because at the end what matters is that information security actions can be carried out, regardless of its name or classification. This issue is particularly sensitive in modern organizations because, unfortunately, these physical and logical security policies do not always exist within them or are running in an inadequate form. One reason may be that the economic investment in technological equipment can be elevated, and the human resources department guidelines not always destine computing personnel exclusively to security work, but the functions of these professionals tends to be very diverse, from maintenance of equipment up to effective programming or computer support, according with the appropriate interests of the company or institution.

Nevertheless, the creation of an institutional policy on security should be a goal for any entity, and its implementation must be a constant, evolutionary and permanent process. Notwithstanding the foregoing, always must be taken into consideration that the implementation of a solid information security policy, including physical and logical aspects as we saw, doesn't have to be in collision with a plan for efficient service that the information system provides its users, nor sacrificing the continuation of the functional operation.

The protection of information in the Convention of Budapest.

In addition to the use of technical solutions that provide physical and logical security, especially which can be found in international technical standards well detailed as the ISO 27000, there is another effective way to protect the amount of information, whether individual or national, public or private. I am referring to the use of legal norms, especially the prevention provided by the criminal law as an alternative to dissuasion.

So it seems to have been understood in the Convention of Europe on Cybercrime, which introduces, within the substantive part of the Agreement, the protection of “computer data” (which is itself information). It is not a coincidence that, in almost all the articles that constitute the substantive criminal part, they reference to information and the need to protect it, understood as "any representation of facts, information or concepts in a form suitable for processing in a computer system" (article 1, subparagraph (b), it means, information created, modified, transmitted or received in digital form and by electronic means, and capable of being stored in magnetic or optical containers. In principle, such concept would exclude information stating in another type of format such as paper, film, magnetic tapes or other physical medium able to represent or show something. However, these formats are susceptible to be converted into electronic documents through a scanning or similar process. This means a conversion from physical format to digital structure, which would be equally protected as computer data.

Similarly, the article 2, paragraph second, foresees the illicit access as an aggravated form of felony where security measures have been broken or circumvented with the intention of obtaining computer data. Once again, it is not simply an unauthorized access to a computer system, but the intention to obtain information contained in that system, no matter if it is public or private. Logically, the computer data (information) are more important than the physical part of the equipment.

Perhaps the article that represents best this desire to protect information is the article 3 of the Budapest Convention, about illegal interception. In this case, the conduct consists in the intentional and unlawful interception of computer data communicated in non-public transmissions from a computer system to a computer system or inside the same system, including electromagnetic emissions from a computer system carrying such computer data.

In addition, as an essential complement, the article 4 of the European Convention foresees the data interference, which is an unauthorized and fraudulent conduct that damages, erases or alters computer data. It shows once more how important is the protection of the information contained in digital format inside computer systems.

In conclusion, the data and information, in their different perspectives, constitute the protected legal value in the substantive part of the Convention on Cybercrime, which is an approach that should be taken into account by the penal legislator when preparing the corresponding criminal types. It means not only punish unauthorized access or destruction of computer data, but to have in mind that, at the end, is the information the legal value that must be protected.

Does your country protect the information, public or private, through ISO standards or any other similar technical norm?

Does your country’s legal system guarantee enough protection to data and information as a form of personal and national heritage?

No comments yet. Please sign in to comment.
Tools on Cybercrime & Electronic Evidence Empowering You!
عرض محتوى الويب عرض محتوى الويب

This tool is co-funded  by the GLACY  and Cybercrime@Octopus projects