Sri Lankan perspective in meeting the Cyber crime challenge

by

Lal DiasChief Operating Officer,

Sri Lanka CERT

Role of Cyber systems in Sri Lanka e-Sri Lanka Development Initiative

Multi-faceted program

Objectives Bridge digital divide Improve delivery of public services Increase competitiveness of private sector Accelerate social development Poverty reduction

e-Sri Lanka Development Initiative Major Programs of e-Sri Lanka

ICT Policy, Leadership & Institutional Development

Information Infrastructure Re-engineering government ICT Human Resources Capacity Building ICT Investment & Private sector Development E-Society

ICT Agency of Sri Lanka established to spearhead the e-Sri Lanka Development Initiative

e-Sri Lanka Development Initiative

ICT Policy, Leadership & Institutional Development ProgramICT Policy, Leadership & Institutional Development Program

Information InfrastructureInformation Infrastructure

e-Laws Projecte-Laws Project

Electronic Transactions Act No. 19Electronic Transactions Act No. 19

Sri Lanka Computer Crimes Act No. 24Sri Lanka Computer Crimes Act No. 24

e-Leadership Development Project e-Leadership Development Project

Sri Lanka CERT ProjectSri Lanka CERT Project

e-Sri Lanka Projects e-Laws Project

Electronic Transactions Act No. 19 Law to enable validation of e-Commerce, e-

Signature and e-Contracting

Sri Lanka Computer Crimes Act No. 24

Identification, Investigation and Enforcement of computer crimes

e-Sri Lanka Projects e-Leadership Development Project

Develop a pool of champions to enforce security policies, monitor fraudulent activities and promote best practices

Sri Lanka CERT Project National CERT mandated to protect Sri Lanka’s

ICT infrastructure from attacks, be the single, trusted source for information on cyber crime techniques and coordinate efforts to handle Cyber crime incidents

Conflict of Systems e-Sri Lanka introduces new challenges

in fighting cyber crime: Traditional New (due to e-Sri Lanka)

• Police Investigation Team-CID-NIB

• Existing Penal Code

•Traditional Reporting mechanisms

• SLCERT Forensics Team• SLCERT Incident Handling

• Computer Crimes Act• E-Transactions Act

• New reporting mechanisms

12%

41%23%

12%

0%0%12%

Hacking

Publishing Information without consent (Sexual Harrassment)

Impersonation

Hacking Addresses & Attempted cheats

Pornography

Violation of Intellectual Property Act

Cheating

Cyber crime in Sri Lanka: 2007

Cyber crime in Sri Lanka Prosecution of Cyber crime cases

25

22

0

75

78

0

00

24

00

76

0 20 40 60 80 100 120

2005

2006

2007

Successful Dismissed Pending Uninvestigated

Total Cases: 9

Total Cases: 4

Total Cases: 17

Computer Crimes Act Timeline

1995: Work started by CINTEC Law Committee 1997: Working paper on Computer crime Act submitted Decision to be made: Develop provisions for

prosecution of cyber crimes under existing penal code OR develop a Subject specific law?

2000: decision to develop Subject specific legislation 2005: Bill finalized and presented in Parliament 2006: Further review by Parliamentary committee 2007: Passing of bill in parliament

Computer Crime Act currently not enforced fully

Computer Crimes Act Features

Provides clear structure for conducting of investigations and jurisdictions

Provides distinct cyber crime categories and the corresponding parameters under which a case may be prosecuted, including maximum or minimum applicable penalties

Use of Generic terms, so that even if technology changes, the nature of the crime will remain the same (example: phishing, vishing & phaxing)

Provision of Cross Extradition arrangement with Council of Europe signatories. Increased ability to prosecute cases beyond Sri Lanka’s borders

Clear statement of Resources that would be brought to bear on the case, including, among others, “experts”.

Computer Crimes Act Cyber crime Categories

Computer-related offensesComputers used as tools for criminal activity(Theft, fraud)

HackingActivities which affect CIA of computer system or network (includes viruses and other malware)

Content related offensesComputers with Internet access used to distribute illegal data (copyright infringement, pornography)

Computer Crimes Act Parameters

Unauthorized Access Unauthorized Access in order to commit an

offence Causing a computer to perform functions

without lawful authority Offenses committed against national security Dealing with unlawfully obtained data Illegal interception of data Use of an illegal device Unauthorized disclosure of information

Computer Crimes Act: Penalties

ParameterJail Term (Years)

Fine (Rupees)

Or Both?

Unauthorized Access ≤5 ≤100K Unauthorized Access to commit offense

≤5 ≤200K

Function without Lawful authority

≤5 ≤300K

Offenses Against National Security

≤5 - ×

Unlawfully obtained data

0.5≤ ≤3 100K≤ ≤300K

Illegal interception0.5≤ ≤3

100K≤ ≤300K

Use of illegal devices0.5≤ ≤3

100K≤ ≤300K

Unauthorized disclosure

0.5≤ ≤3100K≤ ≤300K

Identification of Cyber Crimes Limited reporting of crime

Lack of trust in reporting methods No guarantee of confidentiality

Verifying reports/Authenticity of Reports Genuine report or prank?

Due diligence Reporting of crimes found at workplace.

Professional obligation vs. Personal inconvenience

CHALLENGESCHALLENGES

Investigation of Cyber Crimes Gathering of evidence

Maintaining admissibility of evidence Lack of proper structure for cooperation between

investigating organizations Poor system for maintenance of chain of custody

Weight of Digital evidence in court Lack of understanding of importance of digital

evidence Lack of Legal professionals conversant with CCA

Jurisdiction NIB, CID, other organizations (SLCERT, TechCERT, etc)

CHALLENGESCHALLENGES

Enforcement of Cyber Laws Tendency to prosecute under existing penal

code; more lenient penalties (Case studies)

Lack of IT Savvy lawyers

Lack of ICT Knowledge of judges, making obtaining warrants more time consuming

Lack of provisions for prosecuting Cross border crime, such as cross-extradition arrangements, cooperative investigation of cases, etc

CHALLENGESCHALLENGES

Case study 1: A Foreign National published false information

regarding the sale of DVD players online

Online payments credited to Standard Chartered Bank Account

Funds withdrawn by offender who left country

DVD Players not delivered

Suspect arrested upon return to Sri Lanka, fined and deported

Problem: Waiting for suspect to return to Sri Lanka. Lack of extradition arrangements.

Case study 2: Superimposing nude images on a picture of a

Buddha Statue (causing offense)

Investigated by CID Cyber Crimes Unit

NGO employee arrested

Convicted and sentenced to 3 Years imprisonment, suspended for 3 years

Problem: Leniency in sentence and enforcement of sentence. Much stronger penalties allowed for under CCA

Future plans for cyber crime fighting Build a defined structure and working

relationship between organizations concerned with cyber crime

AG’s Department

Police Force

NIB

CID

Cyber crime Reporting Centres

Sri Lanka CERT International CERT Community

International Police Community

International Judicial Community

Inter-Governmental Relationships

Future Plans Identification

Building and maintenance of Cyber Crime Reporting Centres

Additional “secured” reporting channels (E-mail, Web)

Protection of Confidentiality through Information Security Measures

Raises trust

Expected Outcome: Reporting of more cases

Future Plans Investigation

Develop a Digital Forensics Lab, Larger Forensics team to handle increase in cases

Develop clear Chain of Custody procedures

Build contacts with Foreign Police forces to increase skills available in investigating complex, cross-border cases and forensics knowledge

Expected Outcome: Increased number of successfully prosecuted cases

Future Plans Prosecution

Run Awareness Programs for the local judiciary to raise awareness of Computer crimes (attack techniques, potential damage, etc) and the provisions of the Computer Crimes Act (CCA)

Build a pool of IT Savvy Legal professionals able to prosecute cases under the CCA

Increase number of countries with which Sri Lanka has Extradition Treaties through Government intervention

Expected Outcome: Increased number of successfully prosecuted cases

THANK YOU