• CYBER-CRIME LAWS AND THEIR INEVITABLE WEAK BITES

    A comprehensive article that touches on cyber-crime laws, the limits to overcoming cyber-crime and the opportunity in the collective security of the human race.

    With the advent of the computer age, legislatures have been struggling to redefine the law to fit crimes perpetuated by computer criminals. This crime is amongst the newest and most constantly evolving areas of the law in many jurisdictions. The rise of technology and online communication has not only produced a dramatic increase in the incidence of criminal activity, it has also resulted in the emergence of what appears to be some new varieties of criminal activity. Both the increase in the incidence of criminal activity and the possible emergence of new varieties of criminal activity pose challenges for legal systems, as well as for law enforcement.

    The news said that another person had their identity stolen. It happened again. You might even know of someone that had it happen to them. We often hear of percentages - and they are surprisingly high. Enforcement is taking place, but we have to wonder if computer crime laws are really having any effect against cyber crime.


    Defining Cyber Crime

    Computer crime refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Net-crime refers to criminal exploitation of the Internet. Cyber-crimes are defined as: "Offenses that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)"

    Hacking has a rather simple definition to it. Basically it is defined as the unauthorized use of a computer - especially when it involves attempting to circumvent the security measures of that computer, or of a network.

    Beyond this, there are two basic types of hacking. Some only hack because they want to see if they can do it - it is a challenge to them. For others, however, it becomes an attack, and they use their unauthorized access for destructive purposes. Hacking occurs at all levels and at all times - by someone, for some reason. It may be a teen doing it to gain peer recognition, or, a thief, a corporate spy, or one nation against another.


    Effectiveness of Computer Hacking Laws

    Like any other law, the effectiveness must be determined by its deterrence. While there will always be those that want to see if they can do it, and get away with it (any crime), there are always the many more who may not do something if they are aware of its unlawfulness - and possible imprisonment.

    In the early 1990's, when hacker efforts stopped AT&T communications altogether, the U.S. Government launched its program to go after the hackers. This was further stepped up when government reports (by the GAO) indicate that there have been more than 250,000 attempts to hack into the Defense Department computers. First there were the laws - now came the bite behind it. One of the effects of computer hacking brought about focused efforts to catch them and punish them by law.

    Then, more recently, the U.S. Justice Department reveals that the National Infrastructure Protection Center has been created in order to protect our major communications, transportation and technology from the attack of hackers. Controlling teens and hackers has become the focus of many governmental groups to stop this maliciousness against individuals, organizations, and nations.


    One of the most famous for his computer crimes hacking was Kevin Mitnick, who was tracked by computer, and caught in 1995. He served a prison sentence of about five years. Others have likewise been caught. Another case is that of Vasily Gorshkov from Russia, who was 26 years old when convicted in 2001. He was found guilty of conspiracy and computer crime.

    Other individuals have also been found guilty and sentenced -and many others remain on trial. If you are one who pays much attention to the news, then you know that every now and then, you will hear of another hacker that has been caught, or a group of hackers that have been arrested because of their criminal activities. The interesting thing is that it is often others who had learned hacking techniques, and are now using them to catch other criminal hackers.

    Another criminal hacker, who called himself Tasmania, made big news when he fled Spain on various charges of stealing into bank accounts online, and banks, and went to Argentina. There he went into operation again. He was quickly tracked to Argentina, and the governments of Spain and Argentina went after him with surveillance, first. Before long, he was arrested, along with 15 other men, and was then extradited back to Spain (in 2006) where he could face up to 40 years in prison.

    The simple truth is, these criminal hackers/cyber attackers get smarter everyday and they do everything possible to cover their tracks, making it difficult to find or locate them. We can’t help but wonder if this computer crime laws have any impact on the rate of computer crimes being committed day after day. We wonder if the existing laws in place are adequate to combat cyber crime and consequently if amendments need to be put in place.

    Today, criminal organizations are very active in the development and diffusion of malware that can be used to execute complex fraud with minimal risks to the perpetrators. Criminal gangs, traditionally active in areas such as human or drug trafficking, have discovered that cyber-crime is a lucrative business with much lower risks of being legally pursued or put in prison. Unethical programmers are profitably servicing that growing market. Because today’s ICT ecosystem was not built for security, it is easy for attackers to take over third party computers, and extremely difficult to track attacks back to their source. Attacks can be mounted from any country and hop through an arbitrary number of compromised computers in different countries before the attack reaches its target a few milliseconds later. This complicates attribution and international prosecution.






     SO, WHAT LAWS DO WE HAVE IN PLACE TO COMBAT CYBER CRIMES?








    1.  THE COMPUTER MISUSE ACT OF 1990: A law in the UK that makes illegal certain activities, such as hacking into other people’s systems, misusing software, or helping a person to gain access to protected files of someone else's computer.

    Sections 1-3 of the Act introduced three criminal offences:

    a) Unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);

    b) unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;

    c) unauthorised modification of computer material, subject to the same sentences as section 2 offences.


    2. COMPUTER FRAUD AND ABUSE ACT: A law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses. The Act (codified as 18 U.S.C. § 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce.
    It was amended in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the Act punishes anyone who not only commits or attempts to commit an offense under the Act, but also those who conspire to do so.


    3. ELECTRONIC COMMUNICATIONS PRIVACY ACT: Passed in 1986, Electronic Communications Privacy Act (ECPA) was an amendment to the federal wiretap law, the Act made it illegal to intercept stored or transmitted electronic communication without authorization.11 ECPA set out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. Which is defined as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce." The Act prohibits illegal access and certain disclosures of communication contents. In addition, ECPA prevents government entities from requiring disclosure of electronic communications by a provider such as an ISP without first going through a proper legal procedure.


    4. CYBER SECURITY ENHANCEMENT ACT: Cyber Security Enhancement Act (CSEA) was passed together with the Homeland Security Act in 2002, it granted sweeping powers to the law enforcement organizations and increased penalties that were set out in the Computer Fraud and Abuse Act.

    The Act also authorizes harsher sentences for individuals who knowingly or recklessly commit a computer crime that results in death or serious bodily injury.
    The sentences can range from 20 years to life. In addition CSEA increases penalties for first time interceptors of cellular phone traffic, thus removing a safety measure enjoyed by radio enthusiasts.


    5.    Other Laws Used to Prosecute Computer Crimes

    In addition to laws specifically tailored to deal with computer crimes, traditional laws can also be used to prosecute crimes involving computers. For example, the Economic Espionage Act (EEA) was passed in 1996 and was created in order to put a stop to trade secret misappropriation. 15 EEA makes it a crime to knowingly commit an offense that benefits a foreign government or a foreign agent. The Act also contains provisions that make it a crime to knowingly steal trade secrets or attempt to do so with the intent of benefiting someone other than the owner of the trade secrets. EEA defines stealing of trade secrets as copying, duplicating, sketching, drawing, photographing, downloading, uploading, altering, destroying, photocopying, replicating, transmitting, delivering, sending, mailing, communicating, or conveying trade secrets without authorization. The Act, while not specifically.

    While we can’t measure all the computer crime laws here, different countries have different laws laid down to fight cybercrime and to prosecute the guilty ones.


    BUT EVEN WITH THE PRESENCE OF THESE LAWS:

    We’ve discovered that internationally, both Governmental and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Activity crossing international borders and involving the interests of at least one nation-state is sometimes referred to as cyber warfare. The international legal system is attempting to hold actors accountable for their actions through the International Criminal Court.


    And this leads us to discussing invasive monitoring by governments. Wikileaks claims that mass interception of entire populations is not only a reality; it is a secret new industry spanning 25 countries. Wikileaks has published 287 files that describe commercial malware products from 160 companies (http://wikileaks.org/the-spyfiles.html). These files include confidential brochures and slide presentations these companies use to market intrusive surveillance tools to governments and law enforcement agencies. This industry is, in practice, unregulated. Intelligence agencies, military forces and police authorities are able to silently, and en masse, secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers. Users’ physical location can be tracked if they are carrying a mobile phone, even if it is only on standby (think RFID).

    To get a glimpse of the potential market size, the U.S government is required by law to reveal the total amount of money spent spying on other nations, terrorists and other groups. In 2010, the United States spent $80 billion on spying activities. According to the Office of the Director of National Intelligence, $53.1 billion of that was spent on non-military intelligence programmes. Approximately 100,000 people work on national intelligence. These figures do not include DARPA’s “Plan X” which seeks to identify and track the vulnerabilities in tens of billions of computers connected to the Internet, so they can be exploited.

    It is increasingly common for governments to use monitoring tools, viruses and Trojans to infect computers and attack civilians, dissidents, opponents and political oppositions. The purpose is to track the victim’s operation on the web, gather information about their activities and the identity of collaborators. In some cases, this can lead to those targeted being neutralized and even ruthlessly suppressed.

    According to F-Secure “News from the Lab” blog, during the Syrian repression the government discovered that dissidents were using programmes like SkypeTM to communicate. After the arrest of a few dissidents, the government used their Skype accounts to spread a malware programme called “Xtreme RAT” hidden in a file called “MACAddressChanger.exe” to others activists who downloaded and executed the malware. The dissidents trusted the MACAddressChanger programme because other files with that name had been successfully used in the past to elude the monitoring system of the government. The Xtreme Rat malware falls into the “Remote Access Tool” category. The full version can easily be bought online for €100. The IP address of the command and control server used in those attacks belonged to the Syrian Arab Republic — STE (Syrian Telecommunications Establishment).

    In the Trend Micro “Malware Blog”, experts at Trend Micro found that the Syrian government was also using the DarkComet malware to infect computers of the opposition movement. The malware steals documents from victims. It seems that it was also spread through Skype chat. Once executed, the malware tries to contact the command and control (C&C) server to transfer the stolen information and receive further instructions. It has been observed, in this example that the C&C server is located in Syria and the range of IP addresses are under the control of the Government of Syria.

    What the above partially illustrates is the very real conflict of interest in organizations and governments responsible for securing our digital world.

    African countries have been criticized for dealing inadequately with cybercrime as their law enforcement agencies are inadequately equipped in terms of personnel, intelligence and infrastructure, and the private sector is also lagging behind in curbing cybercrime. African countries are pre-occupied with attending to pressing issues such as poverty, the AIDS crisis, the fuel crisis, political instability, ethnic instability and traditional crimes such as murder, rape and theft, with the result that the fight against cybercrime is lagging behind. It is submitted that international mutual legal and technical assistance should be rendered to African countries by corporate and individual entities to effectively combat cybercrime in Africa.


    CONCLUSION: 

    While there is no silver bullet for dealing with cyber crime, it doesn’t mean that we are completely helpless against it. The legal system is becoming more tech savvy and many law enforcement departments now have cyber crime units created specifically to deal with computer related crimes, and of course we now have laws that are specifically designed for computer related crime. While the existing laws are not perfect, and no law is, they are nonetheless a step in the right direction toward making the Internet a safer place for business, research and just casual use. As our reliance on computers and the Internet continues to grow, the importance of the laws that protect us from the cyber-criminals will continue to grow as well.

    Efforts at combating cyber-crimes will all continue to produce futile results as long as governments and the OPS (organized public sector) are insincere in their drive towards protecting the sanity of the internet.
    Whatever efforts we make, we shouldn't ignore the fact that an enlightened citizenry is the key to safety of the internet but then, the battle of sovereign supremacy will continue to undermine our collective safety online.
    It behooves every one of us on the globe to look inward and think ahead that our collective safety is greater than the greed and ferocity of hegemonist both in the private sector and supremacist in government.






    References:

    “2003 CSI/FBI Computer Crime and Security Survey”.
    http://www.usdoj.gov/criminal/cybercrime/CSI_FBI.htm

    http://www.hackingalert.com/hacking-articles/computer-hacking-laws.php

    http://securityaffairs.co/wordpress/7619/malware/malware-its-all-about-you.html

    http://www.sans.org/reading_room/whitepapers/legal/federal-computer-crime-laws_1446

    http://en.wikipedia.org/wiki/Computer_crime

    http://nials-nigeria.org/pub/lauraani.pdf

    CYBER CRIME AND NATIONAL SECURITY: THE ROLE OF THE PENAL AND PROCEDURAL LAW
    http://nials-nigeria.org/pub/lauraani.pdf

    Computer Misuse Act
    http://www.lawteacher.net/criminal-law/essays/computer-misuse-act.php

    5 comments → CYBER-CRIME LAWS AND THEIR INEVITABLE WEAK BITES

    1. Without regulating the internet, fighting cyber crimes would be inevitable. All ordinance against it would taken into no effect.

    2. Regulating the internet is a very difficult task, and involves numerous policies.

      Maybe in the future, we could get to see that happening

    3. Internet have many advantage as well as have many disadvantage. Its great description about cyber crime laws. This type of crime is effect on our society.

    4. Preventing hacker activity has thus become one of most important activities for businesses and computer experts and ends up utilizing huge amounts of money which can be in billions. And even with such investments in IT security and the prevention of hacking activity, it is still impossible task to curb all hacker activity or still to stay ahead of the hackers. Laws need consistently and relentless application.

    5. We are responsible in assuring our safety against cyber criminals.