Sri Lankan perspective in meeting the Cyber crime challenge
by
Lal Dias
Chief Operating Officer,
Sri Lanka CERT
Role of Cyber systems in Sri Lanka
e-Sri Lanka Development Initiative
Multi-faceted program
Objectives:
• Bridge digital divide
• Improve delivery of public services
• Increase competitiveness of private sector
• Accelerate social development
• Poverty reduction
e-Sri Lanka Development Initiative
Major Programs of e-Sri Lanka
• ICT Policy, Leadership & Institutional Development
• Information Infrastructure
• Re-engineering government
• ICT Human Resources Capacity Building
• ICT Investment & Private sector Development
• E-Society
ICT Agency of Sri Lanka established to spearhead the e-Sri Lanka Development Initiative
e-Sri Lanka Development Initiative
ICT Policy, Leadership & Institutional Development Program
Information Infrastructure
e-Laws Project
Electronic Transactions Act No. 19
Sri Lanka Computer Crimes Act No. 24
e-Leadership Development Project
Sri Lanka CERT Project
e-Sri Lanka Projects
e-Laws Project
Electronic Transactions Act No. 19
Law to enable validation of e-Commerce, e-Signature and e-Contracting
Sri Lanka Computer Crimes Act No. 24
Identification, Investigation and Enforcement of computer crimes
e-Sri Lanka Projects
e-Leadership Development Project
Develop a pool of champions to enforce security policies, monitor fraudulent activities and promote best practices
Sri Lanka CERT Project
National CERT mandated to protect Sri Lanka’s ICT infrastructure from attacks, be the single, trusted source for information on cyber crime techniques and coordinate efforts to handle Cyber crime incidents
Conflict of Systems
e-Sri Lanka introduces new challenges in fighting cyber crime:
Traditional
• Police Investigation Team-CID-NIB
• Existing Penal Code
• Traditional Reporting mechanisms
New (due to e-Sri Lanka)
• SLCERT Forensics Team
• SLCERT Incident Handling
• Computer Crimes Act
• E-Transactions Act
• New reporting mechanisms
Cyber crime in Sri Lanka: 2007
[Pie chart. Categories: Hacking; Publishing Information without consent (Sexual Harassment); Impersonation; Hacking Addresses & Attempted cheats; Pornography; Violation of Intellectual Property Act; Cheating. Percentages shown: 12%, 41%, 23%, 12%, 0%, 0%, 12%.]
Cyber crime in Sri Lanka
Prosecution of Cyber crime cases
[Bar chart. Years: 2005, 2006, 2007. Outcomes: Successful, Dismissed, Pending, Uninvestigated. Labels: Total Cases: 9; Total Cases: 4; Total Cases: 17.]
Computer Crimes Act Timeline
1995: Work started by CINTEC Law Committee
1997: Working paper on Computer crime Act submitted
Decision to be made: Develop provisions for prosecution of cyber crimes under existing penal code OR develop a Subject specific law?
2000: Decision to develop Subject specific legislation
2005: Bill finalized and presented in Parliament
2006: Further review by Parliamentary committee
2007: Passing of bill in parliament
Computer Crime Act currently not enforced fully
Computer Crimes Act Features
Provides clear structure for conducting of investigations and jurisdictions
Provides distinct cyber crime categories and the corresponding parameters under which a case may be prosecuted, including maximum or minimum applicable penalties
Use of Generic terms, so that even if technology changes, the nature of the crime will remain the same (example: phishing, vishing & phaxing)
Provision of Cross Extradition arrangement with Council of Europe signatories. Increased ability to prosecute cases beyond Sri Lanka’s borders
Clear statement of Resources that would be brought to bear on the case, including, among others, “experts”.
Computer Crimes Act: Cyber crime Categories
Computer-related offenses: Computers used as tools for criminal activity (Theft, fraud)
Hacking: Activities which affect CIA of computer system or network (includes viruses and other malware)
Content related offenses: Computers with Internet access used to distribute illegal data (copyright infringement, pornography)
Computer Crimes Act: Parameters
• Unauthorized Access
• Unauthorized Access in order to commit an offence
• Causing a computer to perform functions without lawful authority
• Offenses committed against national security
• Dealing with unlawfully obtained data
• Illegal interception of data
• Use of an illegal device
• Unauthorized disclosure of information
Computer Crimes Act: Penalties
Parameter | Jail Term (Years) | Fine (Rupees) | Or Both?
Unauthorized Access | ≤5 | ≤100K |
Unauthorized Access to commit offense | ≤5 | ≤200K |
Function without Lawful authority | ≤5 | ≤300K |
Offenses Against National Security | ≤5 | - | ×
Unlawfully obtained data | 0.5 to 3 | 100K to 300K |
Illegal interception | 0.5 to 3 | 100K to 300K |
Use of illegal devices | 0.5 to 3 | 100K to 300K |
Unauthorized disclosure | 0.5 to 3 | 100K to 300K |
CHALLENGES
Identification of Cyber Crimes
• Limited reporting of crime
  • Lack of trust in reporting methods
  • No guarantee of confidentiality
• Verifying reports/Authenticity of Reports
  • Genuine report or prank?
• Due diligence
  • Reporting of crimes found at workplace.
  • Professional obligation vs. Personal inconvenience
CHALLENGES
Investigation of Cyber Crimes
• Gathering of evidence
  • Maintaining admissibility of evidence
  • Lack of proper structure for cooperation between investigating organizations
  • Poor system for maintenance of chain of custody
• Weight of Digital evidence in court
  • Lack of understanding of importance of digital evidence
  • Lack of Legal professionals conversant with CCA
• Jurisdiction
  • NIB, CID, other organizations (SLCERT, TechCERT, etc)
CHALLENGES
Enforcement of Cyber Laws
• Tendency to prosecute under existing penal code; more lenient penalties (Case studies)
• Lack of IT Savvy lawyers
• Lack of ICT Knowledge of judges, making obtaining warrants more time consuming
• Lack of provisions for prosecuting Cross border crime, such as cross-extradition arrangements, cooperative investigation of cases, etc
Case study 1:
A Foreign National published false information regarding the sale of DVD players online
Online payments credited to Standard Chartered Bank Account
Funds withdrawn by offender who left country
DVD Players not delivered
Suspect arrested upon return to Sri Lanka, fined and deported
Problem: Waiting for suspect to return to Sri Lanka. Lack of extradition arrangements.
Case study 2:
Superimposing nude images on a picture of a Buddha Statue (causing offense)
Investigated by CID Cyber Crimes Unit
NGO employee arrested
Convicted and sentenced to 3 Years imprisonment, suspended for 3 years
Problem: Leniency in sentence and enforcement of sentence. Much stronger penalties allowed for under CCA
Future plans for cyber crime fighting
Build a defined structure and working relationship between organizations concerned with cyber crime
AG’s Department
Police Force
NIB
CID
Cyber crime Reporting Centres
Sri Lanka CERT
International CERT Community
International Police Community
International Judicial Community
Inter-Governmental Relationships
Future Plans: Identification
Building and maintenance of Cyber Crime Reporting Centres
Additional “secured” reporting channels (E-mail, Web)
Protection of Confidentiality through Information Security Measures
Raises trust
Expected Outcome: Reporting of more cases
Future Plans: Investigation
Develop a Digital Forensics Lab, Larger Forensics team to handle increase in cases
Develop clear Chain of Custody procedures
Build contacts with Foreign Police forces to increase skills available in investigating complex, cross-border cases and forensics knowledge
Expected Outcome: Increased number of successfully prosecuted cases
Future Plans: Prosecution
Run Awareness Programs for the local judiciary to raise awareness of Computer crimes (attack techniques, potential damage, etc) and the provisions of the Computer Crimes Act (CCA)
Build a pool of IT Savvy Legal professionals able to prosecute cases under the CCA
Increase number of countries with which Sri Lanka has Extradition Treaties through Government intervention
Expected Outcome: Increased number of successfully prosecuted cases