Cyber Crime Laws and Legal Framework DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc,

Presentation transcript:

Cyber Crime Laws and Legal Framework
DATALAWS Information Technology Law Consultants
Presented by F. F Akinsuyi (MSc, LLM) MBCS

Services
- Computer Crime
- Data Protection
- Electronic and Mobile Commerce Law
- Identity Theft
- Information Security Law and Compliance
- IT Contract Negotiations
- IT Governance incorporating SOX
- Risk Assessments
- Training and Awareness Programs
- Virtual In-House Technology Law Advisory Service

Track Presenter: F. Franklin Akinsuyi
- 2 Masters Degrees: IT and IT Law
- Over 15 Years Experience
- Internet Banking
- Data Protection
- IT Governance
- Information Security
- E-Government Risk Assessor
- Provided evidence to House of Lords Technical Committee

Presentation Outline
- Identify latest trends in computer related crime
- Highlight EU/US legislative reaction to computer crime
- Overview of these legislations
- Review African cyber law landscape
- Propose a cybercrime legislative framework

Traditional Computer Crime Activities
- Identity Theft: Fastest growing computer crime trend
- Hacking: Breaking into online and network environments
- Virus Attacks: Infecting computer systems so that they crash
- Phishing: Masquerading to gain passwords of internet banking
- Privacy Breach: Leaking and/or obtaining personal information
- Denial of Service Attacks: Making a system unavailable for use
- Unauthorised Database Access: Typically to gain access to personal information
- Key Stroke Logging: Attaching devices to computers to see what has been typed in, to capture passwords; prominently used in financial organisations

New Trend: Attacking Critical Infrastructure
- New attack strategies with specific intent to bring down critical systems
- Stuxnet discovered in June 2010
- This was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes
- It is also the first known worm to target critical industrial infrastructure
- According to news reports the infestation by this worm might have damaged Iran's nuclear facilities
- Critical infrastructure attacks can come from botnets, making it difficult to identify the true source
- In protecting critical infrastructure, we now need to condition our minds to attacks outside of traditional methods

US/EU Legislation Examples
- Computer Misuse Act UK 1990
- CALEA US 1994
- Data Protection Directive EU 1995
- Identity Theft Act US 1998
- Digital Millennium Copyright Act US 1998
- Security Breach Legislation US 2002 (California first)
- Federal Information Security Management Act US 2002
- Privacy of Electronic Communications Directive EU 2002
- Sarbanes-Oxley US 2004
- Personal Data and Security Act US 2005
- European Cybercrime Convention (Treaty)

Data Protection Directive
Personal data must be processed:
- Fairly and lawfully
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject's rights
- Securely
- Not transferred to countries without adequate protection.

Personal Data and Security Act US
Enacted after breaches at ChoicePoint and LexisNexis.
Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.
Increasing criminal penalties for identity theft involving electronic personal data by:
- Increasing penalties for computer fraud when such fraud involves personal data;
- Makes it a crime to intentionally or wilfully conceal a security breach involving personal data;
- Gives individuals access to, and the opportunity to correct, any personal information held by data brokers;

Computer Misuse Act
Three aspects to computer misuse:
- Unauthorised access
- Intent to commit a further offence
- Unauthorised modification

Information Security Laws
- Applicable to public, private and military sectors
- Information security must be mandatory and enforced
- Follow principles of IS
- Security breach notifications
- Appropriate sanctions
- Constantly reviewed
- SOX has shown the way

Federal Information Security Management Act of 2002
- Comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets;
- Provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;
- Provide for development and maintenance of minimum controls required to protect federal information and information systems;

Anti-Spam Laws
- Does not go as far as to ban all unsolicited junk mail.
- Demands that spammers use subject lines that identify what is inside their messages.
- Bans junk mailers from harvesting addresses from websites.
- Spam must include a mechanism that lets people tell the sender that they do not want to receive any more messages.
- Opt-out scheme that means businesses are free to send mail until people say they do not want it.

Data Retention Overview
Geared toward the telecommunications industry, the law requires phone companies and Internet service providers (ISPs) to store information about all customers' phone calls and electronic communications for up to two years.
- To ensure data is available for investigation, detection and prosecution of serious crime
- Applies to traffic and location data and related data necessary to identify the subscriber
- Does not apply to the content
- Recognised that it will generate significant costs for electronic communications providers

Digital Millennium Copyright Act 1998 Overview
- Makes it a crime to circumvent anti-piracy measures built into commercial software.
- Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
- Permits the cracking of copyright protection devices to conduct encryption research, assess product interoperability, and test computer security systems.
- Limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.

Computer Crime Convention
Sample provisions for computer related offences:
Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems
- Article 2 – Illegal access
- Article 3 – Illegal interception
- Article 4 – Data interference
- Article 5 – System interference
- Article 6 – Misuse of devices

Computer Crime Convention
Sample provisions for forensic investigations:
- Title 4 – Search and seizure of stored computer data
- Title 5 – Real-time collection of computer data
- Article 16 – Preservation of stored computer data
- Article 20 – Real-time collection of traffic data
- Article 21 – Interception of content data
- Articles Mutual Assistance

African Country Cyber Laws
- Ghana: Electronic Transactions and National Information Technology Agency Act; in the process of developing data protection laws
- Senegal: Legislation to govern the development of ICT covers cyber law, protection of data and electronic transactions
- South Africa: Electronic Transactions Act
- Tunisia: Electronic Exchanges and Electronic Commerce Act
- Nigeria is on the starting blocks; bills are in the house

Computer Crime Legislative Framework
Computer Crime Framework:
- Information Security Law
- Lawful Interception
- Computer Misuse
- Electronic Commerce
- Data Retention
- Data Protection

Benefits
- Imposes a positive image
- International acclaim for job well done
- Opens itself to possibility of offshore outsourcing
- Foreign investment
- Possibility of new types of business being established
- New job opportunities for graduates

Way Forward: Other Issues
- Inclusion of information technology law in legal curriculum
- Development of an advanced learning institution to develop and cross-train lawyers and law enforcement agencies on information technology and its use in combating crime
- Development of an information technology abuse response team liaising with global response and incident handling teams

Food for Thought?

Use!
- Communications device
- Business tool
- Musical instrument
- Gaming device
- Location device

Abuse!!
- Device to be hacked into
- Identity theft tool
- Terrorist equipment
- Network sabotage

Laws!!!
- Data Protection
- Privacy of Communications
- Data Retention
- Information Security

Contact Us
F. Franklin Akinsuyi
COPYRIGHT 2010

End Of Session