Introduction to legal principles
From an early age, we learn that the law forbids doing certain things. Later, we learn that the law can also require certain actions. You can find the corresponding areas “DO NOT” and “DO” in the concept map below, which structures regulation related to information. This module also presents many other perspectives, and the summary will ultimately remind you what else—besides regulations themselves (laws, decrees, etc.)—needs to be understood. The sections introducing criminal law and data protection law relate primarily to Finnish legislation. They are also more concrete than the other sections, which present a condensed version of the CyBOK content. It should be noted that some parts of CyBOK Chapter 3 have been omitted here entirely. These include punishments and their enforcement, as well as most aspects related to intelligence.
The nature of law and legal practice
Although studying law requires logic, it is a different discipline from physics or mathematics. Law does not represent immutable principles of the world; rather, it is grounded in social and political values, as well as human aspirations and weaknesses.
Society influences the development and interpretation of law, just as law influences the behaviour of members of society. Societies evolve and values change, typically leading to changes in laws and their methods of interpretation. It is a challenge for legal scholarship that its subject is constantly changing. The situation is similar to research in cyber security. In both fields, however, there is an aspiration to achieve predictability comparable to that found in the natural sciences. In law, prediction concerns the outcomes of disputes presented before a competent court. In advanced legal systems, it is possible to achieve a degree of predictability sufficient to maintain trust in the system as a whole.
Legal research often begins with a review of the processes by which law is enacted, how it is interpreted, and how it is enforced. There are already differences between states in these respects. One of the most important distinctions is between common law and civil law systems. In a civil law system, all judgments are based on written legislation. In common law, judgments are also based on precedents established through practice and unwritten law.
If you need to study legal matters in more depth than in this course, it may be necessary to understand the relationships between regulations at different levels. At the foundation is often the constitution, above which sit primary legislation, secondary legislation (regulations, including those of the EU), EU directives, judicial decisions (precedents), codes (collections of statutes), international treaties, and scholarly works on law. In addition, a cyber security practitioner must naturally consider influences at different levels within their own field: standards, information security policies, best practices, recommendations—and perhaps even ethical guidelines as a foundation.
Applying law in cyber security
The emergence of cyberspace raised significant concern about how laws and other regulations could be applied to this new domain. Two schools of thought emerged. According to the first, cyberspace is so radically different from anything previously experienced that existing laws are not applicable, and legislators and judges should reconsider everything, particularly abandoning collections of precedents. In its most radical form, this view suggests that states should be deprived of their authority to enforce laws and regulations in relation to Internet activities.
The second view treats the Internet as simply a tool for human activity, like other tools developed throughout history. Laws should continue to be applied to individuals operating in cyberspace in most respects just as they were before its existence. One should avoid the “cyberspace fallacy”—the belief that cyberspace is somehow separate from the real world and constitutes a different legal domain.
So far, the latter view has prevailed. Consequently, the cyber security field must operate in a reality where legislators, judges, and law enforcement apply existing laws to cyberspace, regardless of whether those laws explicitly address it. Even so, real-world situations and cyber operations do not always fit neatly into legal categories. For example, a data processing activity that violates neither copyright nor defamation law may still violate data protection law. The legal risks of any action must therefore be assessed broadly against multiple regulations. Cross-border activity introduces further challenges (discussed later).
One important emerging legal issue related to cyber security is the treatment of artificial intelligence. Laws have generally been developed in relation to human behaviour and property. Artificial intelligence is not interpreted as a legal person and cannot be held criminally liable, enter into contracts, own property, or be liable for damages. If an entity controlled by AI causes harm, existing laws are applied to the individuals who created or used the AI.
Evidence
In legal proceedings, evidence refers to the use of accepted material—proof—to demonstrate the validity of disputed claims with sufficient certainty. Evidence can take many forms, such as direct witness statements, business documents, correspondence, surveillance recordings, recordings of intercepted phone conversations, server logs, and so on. Not all forms are accepted everywhere; for example, intercepted phone conversations are not admissible as evidence in Britain. The admissibility of digital evidence depends on its quality, which in turn is strongly affected by its handling history (chain of custody); see the module on forensics.
The person initiating a legal case—the claimant—is said to bear the burden of proof regarding the facts that establish their right to bring the claim. The other party—the defendant—must also prove the facts they present in their defence to reduce or eliminate their liability.