Thursday, January 21, 2010

sir's ppt from net


08 Cybercrime and Security Policy Issues



Cyber-crime and Security Policy Issues
Rodolfo Noel S. Quimbo, Resource Person
Information, Communication and Space Technology Division, UNESCAP


Two Part Presentation
Part I: Cyber-crime
- Internet and Security Concepts
- Incidents/Attacks
- Improving Security
Part II: Cyberlaw
- Statutes, Laws, and Policies; Challenges to Enforcers
- Substantive and Procedural Law
- Efforts to Combat Cybercrime


Part I - Cybercrime


Internet and Security Concepts: The Internet and Its Vulnerabilities
- When it started as a project of the Advanced Research Project of the US Defense Department in 1969, the system was designed for openness and flexibility, not security.
- The first publicized international security incident was identified in 1986: an attempt was made to use the network to access computers in the US and copy information from them.
- In 1988, the network had its first automated network security incident, courtesy of a worm program.


Internet and Security Concepts: The Internet and Its Vulnerabilities (cont'd.)
- As a response to the worm threat, a computer emergency response team was created (now the CERT Coordination Center).
- In 1989, the ARPANET project officially became the Internet. However, it has for the most part retained its inherent openness.
- Because the Internet is inherently open and extremely dynamic, attacks are in general quick, easy, inexpensive and often difficult to detect or trace.


Important Security Concepts
- Confidentiality of Information: confidentiality is lost when someone without authority is able to read or copy information.
- Integrity of Information: modifying information in unexpected ways makes it lose its integrity.
- Availability of Information: the erasure of information makes it unavailable when needed. Often this is the most important attribute in service-oriented businesses.


Elements of a Secured Network Environment
- Authentication: "I am who I say I am"
- Authorization: "I am allowed to read the file, but only he can copy it"
- Non-repudiation: "Yes, I sent the e-mail"


Attack Trends vis-à-vis Internet Growth
Trend 1 – Automation; speed of attack tools
- Scanning for potential victims
- Compromising vulnerable systems
- Propagating the attack
- Coordinated management of attack tools


Attack Trends (cont'd.)
Trend 2 – Increasing sophistication of attack tools
- Anti-forensics
- Dynamic behavior
- Modularity of attack tools




Attack Trends (cont'd.)
Trend 3 – Faster discovery of vulnerabilities
- Total vulnerabilities reported (1995 to Q2 2006): 26,713


Attack Trends (cont'd.)
Trend 4 – Increasing permeability of firewalls
Trend 5 – Increasing asymmetric threat


Attack Trends (cont'd.)
Trend 6 – Increasing threat from infrastructure attacks
- Attack 1 – Distributed denial of service
- Attack 2 – Worms


Attack Trends (cont'd.)
Trend 6 – Increasing threat from infrastructure attacks
- Attack 3 – Attacks on the Internet Domain Name System (DNS): cache poisoning, compromised data, denial of service, domain hijacking


Attack Trends (cont'd.)
Trend 6 – Increasing threat from infrastructure attacks
- Attack 4 – Attacks against or using routers: routers as attack platforms, denial of service, exploitation of trust relationships between routers


Sources of Incidents/Threats


Kinds of Incidents
- Probe: attempts to gain access into a system
- Scan: a large number of probes
- Account Compromise: unauthorized use of an account by someone other than the owner
- Root Compromise: an account compromise where the account has special privileges on the system


Kinds of Incidents (cont'd.)
- Packet Sniffer: a program that captures data as packets travel through the network
- Denial of Service: preventing authorized users from using the system
- Exploitation of Trust: forging of identity in order to gain unauthorized access


Kinds of Incidents (cont'd.)
- Malicious Code: programs that, when executed, cause undesired results such as loss of data, downtime, or denial of service
- Internet Infrastructure Attacks: rare but serious attacks on key components of the Internet structure such as network name servers and large archive sites
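The deck defines a probe as an attempt to gain access and a scan as a large number of probes. The following is an added example, not part of the presentation, that applies those two definitions as detection logic over constructed firewall-style deny lines; the log format, the addresses and the scan threshold are assumptions chosen for illustration.

```python
"""Classify denied connection attempts into 'probe' or 'scan' per source.

Added example, not from the original slides. Log format, addresses and the
threshold are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in an assumed "<timestamp> DENY <src> <dst>:<port>" format.
SAMPLE_LOG = """\
2010-01-21T08:00:01 DENY 203.0.113.7 192.0.2.10:22
2010-01-21T08:00:02 DENY 203.0.113.7 192.0.2.10:23
2010-01-21T08:00:02 DENY 203.0.113.7 192.0.2.10:25
2010-01-21T08:00:03 DENY 203.0.113.7 192.0.2.10:80
2010-01-21T08:00:03 DENY 203.0.113.7 192.0.2.10:110
2010-01-21T08:00:04 DENY 203.0.113.7 192.0.2.10:443
2010-01-21T08:00:05 DENY 203.0.113.7 192.0.2.10:3389
2010-01-21T08:05:00 DENY 198.51.100.3 192.0.2.10:22
2010-01-21T08:09:00 DENY 198.51.100.9 192.0.2.11:22
2010-01-21T08:09:00 DENY 198.51.100.9 192.0.2.12:22
2010-01-21T08:09:01 DENY 198.51.100.9 192.0.2.13:22
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)

SCAN_THRESHOLD = 3  # assumed: this many distinct ports or hosts from one source is a scan


def parse_log(text):
    """Yield (src, dst, port) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"])


def classify_sources(text, threshold=SCAN_THRESHOLD):
    """Map each source address to 'probe', 'scan (vertical)' or 'scan (horizontal)'.

    A single attempt is a probe. Many ports on one host (vertical) or one port
    across many hosts (horizontal) are both "a large number of probes", i.e. a scan.
    """
    targets = defaultdict(set)
    for src, dst, port in parse_log(text):
        targets[src].add((dst, port))
    result = {}
    for src, seen in targets.items():
        hosts = {dst for dst, _ in seen}
        ports = {port for _, port in seen}
        if len(ports) >= threshold:
            result[src] = "scan (vertical)"
        elif len(hosts) >= threshold:
            result[src] = "scan (horizontal)"
        else:
            result[src] = "probe"
    return result


if __name__ == "__main__":
    for src, kind in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {kind}")
```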


Improving Security
Recommended security practices that can minimize network intrusions:
- Ensure all accounts have passwords that are difficult to guess. One-time passwords are preferred.
- Use cryptography
- Use secure programming techniques when writing software
- Regularly check for updates, fixes and patches
- Regularly check for security alerts


Improving Security
Available technologies:
- One-time passwords
- Firewalls
- Monitoring tools
- Security analysis tools
- Cryptography
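Both Improving Security slides list one-time passwords as the preferred alternative to guessable static passwords. As an added example (not code from the presentation), here is an HMAC-based one-time password generator and verifier following RFC 4226, showing the property that motivates the recommendation: a captured code cannot be replayed, because the server consumes each counter value once and only moves forward. The account secret, the look-ahead window and the walkthrough are assumptions; the secret is the RFC 4226 test-vector key.

```python
"""HOTP (RFC 4226) generator and replay-resistant verifier.

Added example, not from the original slides. Secret and window are assumptions.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, then reduction modulo 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one account: the shared secret and the next
    counter value that has not yet been consumed."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.next_counter = 0   # first counter value still accepted
        self.window = window    # look-ahead tolerated for tokens the user skipped

    def verify(self, candidate: str) -> bool:
        """Accept only a code for a counter in [next_counter, next_counter + window).
        On success the counter advances past the match, so the same code can
        never be accepted again (no replay) and older codes become stale."""
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.next_counter = c + 1
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); constructed use.
RFC_SECRET = b"12345678901234567890"


def demo_replay() -> dict:
    """Walk through a login, a replay, a skipped token and stale/out-of-window codes."""
    server = HotpVerifier(RFC_SECRET)
    first = hotp(RFC_SECRET, 0)
    return {
        "first_login": server.verify(first),                  # fresh code: accepted
        "replay": server.verify(first),                       # same code again: rejected
        "skip_one": server.verify(hotp(RFC_SECRET, 2)),       # token 1 lost; 2 is inside window
        "stale": server.verify(hotp(RFC_SECRET, 1)),          # behind the counter: rejected
        "out_of_window": server.verify(hotp(RFC_SECRET, 9)),  # too far ahead: rejected
    }


if __name__ == "__main__":
    for step, outcome in demo_replay().items():
        print(f"{step:14} {'accepted' if outcome else 'rejected'}")
```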


PART II: Cyberlaw


Countries with Cybercrime Statutes




Challenges to Cyberlaw Enforcers
- Technological challenges: technology allows for near-absolute anonymity of culprits
- Legal challenges: laws lag behind the changes in technology
- Resource challenges: lack of sufficient experts/budget


Substantive Aspects of the Proposed Cybercrime Prevention Act
Drafting Comprehensive Laws to Combat Cybercrime


"Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.

We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.

Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.

Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose."

John Perry Barlow, Declaration of Independence of Cyberspace


Outline
- Current Legal Set-Up
- Why a New Cybercrime Bill?
- Status
- Salient Substantive Features of the Cybercrime Bill: Punishable Acts; Liabilities and Penalties


The Current Legal Set-Up: E-Commerce Act (Republic Act No. 8792)
- Signed into law on 14 June 2000
- Aims to supplement the applicability of existing laws to electronic transactions and documents by extending legal validity and recognition to them
- Non-discrimination principle
- Functional equivalence rule


The Current Legal Set-Up: The E-Commerce Act (R.A. 8792)
- Has placed RP on the map of e-ready countries
- §33 of the ECA is the most comprehensive definition of cybercrime (McConnell International survey report, December 2000)
Punishable acts under §33 of the ECA:
1. Hacking/cracking
   a. Unauthorized access into a computer system
   b. Interference in a computer system/server or information/communication system


The Current Legal Set-Up (cont'd.)
   c. Authorized access, but with intent to corrupt, alter, or destroy, without the owner's knowledge and consent
   d. Introduction of viruses, resulting in destruction or loss of electronic data/messages
2. Piracy of protected works through the use of telecommunication networks such as the Internet in a manner that infringes intellectual property rights
3. Violations of the Consumer Act and other relevant laws through transactions covered by or using electronic data/messages


The Current Legal Set-Up: Rules on Electronic Evidence
- Effective 01 August 2001
- Makes electronic documents admissible in evidence pursuant to the non-discrimination and functional equivalence principles of the ECA
- Applicable in criminal cases


Why a New Cybercrime Legislation?
- ECA is seen as a mere "reactionary" law: a reaction to the "I Love You" virus incident
- Does not cover all aspects
- Lack of "teeth" (need for a framework for enforcement)
  - "It's one thing to have a 'complete' definition; implementation and enforcement is another matter."
  - Need to institutionalize a continuing training program for law enforcers


Why a New Cybercrime Legislation? (cont'd.)
- New ways of committing cybercrimes crop up every moment
- Need to factor in international efforts to combat cybercrimes
- ECA lacks a framework that takes into account the "international facet" of cybercrimes


The Proposed Cybercrime Prevention Act
- Full title: "An Act Preventing and Penalizing Computer-Related Crimes, Further Amending for the Purpose Certain Provisions of Act No. 3815, as Amended, Otherwise Known as the Revised Penal Code"
- Aims at harmonizing existing penal laws/measures and pending cybercrime bills with the current cybercrime measures in the U.S. and the European Union
- Models:
  1. Budapest Convention on Cybercrime
  2. US Computer Fraud & Abuse Act of 1986
  3. Philippine E-Commerce Act
  4. Pending cybercrime bills


What is Cybercrime?
Criminal Justice Cybercrime Categories (Professor David L. Carter, 1979):
- Computer as the Target: computer intrusion, data theft, techno-vandalism/trespass
- Computer as the Instrumentality of the Crime: credit card fraud, telecommunications fraud, theft
- Computer as Incidental to Other Crimes: drug trafficking, money laundering, child pornography
- Crimes Associated with the Prevalence of Computers: copyright violation, software piracy, component theft


The Computer as Target: Illegal access (§4.1, proposed bill)
- Punishable act: unauthorized access to a computer system/network for the purpose of obtaining or using computer data or a program, or in pursuit of a dishonest intent
- Example: hacking/cracking, computer trespass
- Source: Art. 2, Budapest Convention


The Computer as Target: Illegal interception (§4.2, proposed bill)
- Punishable act: unauthorized interception through technical means of any non-public transmission of computer data to, from, or within a computer system or network
- Exception: interception deemed necessary for the maintenance/protection of facilities of service providers (i.e., service observing or random monitoring for mechanical or service control quality checks)
- Example: using electronic eavesdropping devices to obtain data
- Source: Art. 3, Budapest Convention


The Computer as Target: System interference (§4.4, proposed bill)
- Punishable acts: intentional and unlawful hindering of the proper functioning of a computer system or network by using or influencing computer data/programs, electronic documents or data messages, including the introduction or transmission of viruses; also known as computer sabotage
- Example: virus dissemination, denial-of-service attacks
- Source: Art. 5, Budapest Convention


The Computer as Target: Data interference (§4.3, proposed bill)
- Punishable acts: intentional and unauthorized damaging, deletion, deterioration, alteration or suppression of computer data, electronic documents, or electronic data messages, including the introduction or transmission of viruses
- Example: inputting malicious code, such as viruses, resulting in modification of data
- Source: Art. 4, Budapest Convention


The Computer as Instrumentality of the Crime: Misuse of devices (§4.5, proposed bill)
Punishable acts: use, production, sale, procurement, importation, distribution, or making available, without right, or possession of any of the following:
1. A device designed or adapted primarily for committing the crimes of (a) illegal access; (b) illegal interception; (c) data interference; and (d) system interference, as defined under the Act
2. A computer password, access code, or similar data by which the whole or part of a computer system or network is capable of being accessed


The Computer as Instrumentality of the Crime (cont'd.)
- Possession of any of the foregoing items with intent to use them for the purpose of committing the crimes of (a) illegal access; (b) illegal interception; (c) data interference; and (d) system interference, as defined under the Act


The Computer as Instrumentality of the Crime (cont'd.)
Exceptions:
1. The device is used for authorized testing of a computer system, program, or network
2. Production/creation of any of the devices is for purely academic purposes
Note: in both instances, prior consent is obtained from the owner of the computer system or network on which the device is to be used.
Source: Art. 6, Budapest Convention


The Computer as Instrumentality of the Crime: Computer forgery (§4.6, proposed bill)
Punishable acts:
1. Input, alteration, suppression, erasure or suppression of computer data/programs or electronic documents in a manner that would constitute the offense of forgery under the Revised Penal Code
2. Knowingly using a computer or electronic data which are products of computer forgery for the purpose of perpetuating a fraudulent design
Source: Art. 7, Budapest Convention


The Computer as Instrumentality of the Crime: Computer fraud (§4.7, proposed bill)
Punishable acts:
1. Intentional/unauthorized input, alteration, suppression, etc. of computer data/programs or electronic documents or data messages, or
2. Interference in the functioning of a computer system or network
Elements:
1. One of the punishable acts is committed;
2. The act is committed with intent of procuring economic benefit for oneself or for another, or for the perpetuation of a fraudulent activity;
3. Damage is caused thereby


The Computer as Instrumentality of the Crime: Computer fraud (cont'd.)
- Examples: credit card fraud, identity theft/fraud
- Source: Art. 8, Budapest Convention


The Computer as Instrumentality of the Crime: Offenses related to child pornography (§5, proposed bill)
- Child pornography: materials which visually depict a minor engaged in sexually explicit conduct, or a person appearing to be a minor engaged in sexually explicit conduct
Punishable acts (all through the medium of a computer system or network):
- Producing child pornography for distribution
- Offering/making available child pornography
- Distributing/transmitting child pornography


The Computer as Instrumentality of the Crime: Offenses related to child pornography (cont'd.)
- Criminal liability is without prejudice to prosecution under RA 9208 (Anti-Trafficking in Persons Act of 2003) and RA 7610 (Special Protection of Children Against Child Abuse, Exploitation and Discrimination Act)
- Source: Art. 9, Budapest Convention


The Computer as an Incident to the Commission of the Crime: Violations of the Revised Penal Code and other existing penal laws (§7, proposed bill)
- Should an act punishable under the Revised Penal Code, the Consumer Act, or other existing penal laws be committed "through the use of, aided by, or involving computer systems or networks or through transactions covered by or using electronic documents or electronic data messages", said act shall be punishable and prosecuted under those laws.
- Purpose: fill in the gaps in existing penal laws and eradicate preconceived notions that our existing laws only punish crimes committed in the real world.
- Source: §33(c), Philippine E-Commerce Act


Crimes Associated with the Prevalence of Computers: Infringement of Intellectual Property Rights (§6, proposed bill)
- Punishable acts: intentional copying, reproduction, dissemination, distribution, or making available online by means of a computer system or network of protected works (e.g., computer programs, systems and designs), without the knowledge and consent of the owners thereof, for his or another person's benefit
- Liability is without prejudice to prosecution under RA 8293 (IP Code)
- Exception: fair use, as defined in RA 8293 (IP Code)
- Source: Art. 10, Budapest Convention


Crimes Associated with the Prevalence of Computers: Unsolicited commercial communications (§4.8, proposed bill)
- Punishable acts: unconsented transmission of voice or data messages which seek to advertise, sell, or offer for sale products and services
- Example: spam e-mail


Liabilities and Penalties
Prosecution under the proposed bill does not bar prosecution under:
- Revised Penal Code
- Consumer Act
- Other relevant laws


Liabilities and Penalties: Who are liable
- Persons who directly committed any of the punishable acts (§8, proposed bill)
- Co-conspirator(s) in the commission of any of the punishable acts (§10, proposed bill)
- Persons who aid/abet in the commission of any of the punishable acts (§11, proposed bill)


Liabilities and Penalties: Who are liable, in the case of juridical entities (§9, proposed bill)
a. Officers, board members, and employee(s) who directly participated in or knowingly authorized the commission of the unlawful act on behalf of and for the benefit of the juridical entity
b. Officers and board members, if the commission of the offense was due to lack of supervision or control, either willfully or through gross negligence


Liabilities and Penalties: Imposable penalties (§8, proposed bill)
- Prision correccional (6 months and 1 day to 6 years) or fine (PhP100,000.00 to PhP600,000.00), or both fine and imprisonment
- Offenses related to child pornography: prision mayor (6 years and 1 day to 12 years) or fine (PhP200,000.00 to PhP800,000.00), or both fine and imprisonment
- Subsidiary penalty of imprisonment in case the offender does not have enough property to satisfy the fine
- Civil liabilities for loss or damage


Procedural Aspects of the Proposed Cybercrime Prevention Act
Drafting Comprehensive Laws to Combat Cybercrime


Outline
- Jurisdiction
- Joint Cybercrime Investigation Unit: Functions; Composition; Powers
- Enforcement and Implementation: Collection of Computer Data; Search and Seizure of Computer Data
- International Cooperation
- Remedies
- Some Issues


Extra-Territorial Application of the Proposed Cybercrime Prevention Act: Jurisdiction
- Sec. 21, proposed bill: "The Regional Trial Court shall have jurisdiction over any violation of the provisions of this Act committed within the territory of the Philippines. In case any of the offenses herein defined is committed outside the territorial limits of the Philippines, and by such commission any damage is caused to a computer system or network situated in the Philippines, or to a natural or juridical person who, at the time the offense was committed, is in the Philippines, the proper Regional Trial Court in the Philippines shall have jurisdiction."


Extra-Territorial Application of the Proposed Cybercrime Prevention Act: Jurisdiction (cont'd.)
- Two approaches in establishing jurisdiction:
  1. Where the crime is committed
  2. Where the effects of the crime are felt
- If the answer to either of the foregoing is the Philippines, then the proper RTC may take cognizance of the cybercrime case.


Extra-Territorial Application of the Proposed Cybercrime Prevention Act: Jurisdiction (cont'd.)
- This is without prejudice to the filing of appropriate actions in courts/tribunals of other countries which, under their respective laws, may properly acquire jurisdiction.


Joint Cybercrime Investigation Unit ("JCIU"): Main functions (§13, proposed bill)
1. To combat cybercrimes and computer-related offenses
2. To investigate, prosecute, and coordinate efforts of all law enforcement agencies in combating cybercrimes and computer-related offenses


Joint Cybercrime Investigation Unit ("JCIU"): Composition (§14, proposed bill)
1. National Bureau of Investigation – Anti-Fraud and Computer Crimes Division
2. Philippine Center for Transnational Crime
3. Philippine National Police – Crimes Investigation and Detection Group
Headed by an Executive Director to be appointed by the respective member organizations.


Joint Cybercrime Investigation Unit ("JCIU"): Powers
§15, proposed bill:
- Prepare/implement measures to suppress cybercrimes
- Investigate and conduct information-gathering activities to identify and prosecute cyber-offenders
- Effect searches/seizures
- Refer cases to the proper government agency for prosecution
- Formulate programs for international cooperation
- Solicit/coordinate private sector participation
- Recommend enactment of appropriate laws and measures
§29, proposed bill:
- Formulate/implement a special and continuing training course for law enforcers


Enforcement and Implementation: Role of service providers (§17 and 19, proposed bill)
1. Preserve computer data and traffic records for up to a maximum period of 6 months from the date of the transaction
   - The 6-month period is extendible upon the JCIU's order (reasonable belief that the computer data may have been used in committing a cybercrime)
2. Cooperate in the disclosure of computer data and traffic records covered by a lawful court order/writ, and keep confidential information regarding the execution by the JCIU of such court order/writ


Enforcement and Implementation: Search, Seizure, and Collection of Computer Data (§16, 18, and 19, proposed bill)
- Can only be done by virtue of a court order/writ, upon a finding of probable cause
- The JCIU, by virtue of a court order/writ, can require a person/service provider to submit specified computer data and subscriber information, and to collect and record traffic data associated with specified communications


Enforcement and Implementation: Search, Seizure, and Collection of Computer Data (§16, 18, and 19, proposed bill) (cont'd.)
- The JCIU can perform/require the following by virtue of a warrant:
  - Conduct surveillance operations
  - Secure a computer system/network or portions thereof
  - Make/retain a copy of the computer data secured
  - Maintain the integrity of the relevant stored computer data
  - Remove/render inaccessible those computer data in the accessed computer system/network


International Cooperation (§22 to 26, proposed bill)
- Treaty/international agreement: the Philippine government undertakes to cooperate with other nations in the detection, investigation, and prosecution of cyber-offenses and also in the collection of evidence relating thereto
  - Condition: a formal request for cooperation or assistance, made by a duly authorized representative of the foreign government pursuant to a treaty/agreement
- Reciprocity: in the absence of a treaty/agreement, mutual assistance or cooperation shall be based on the principle of reciprocity


International Cooperation (§22 to 26, proposed bill): Grounds for refusal to cooperate
1. The offense is punishable under RP laws and RP courts have acquired jurisdiction over the person of the accused
2. The information requested is privileged/protected under RP laws, or affects national security
3. Production of the requested information is unreasonable
4. The requesting government previously refused a similar request by RP without justifiable reason
5. Prior breach by the requesting government


Efforts to Combat Cybercrimes


Innovative Practices to Combat Cybercrimes
- Antiphishing Japan
- OnGuard Online in the US
- Video campaigns to educate consumers


International Cooperation
The Council of Europe Convention on Cybercrime criminalizes:
- Offenses against the confidentiality, integrity and availability of computer data
- Computer-related offenses, such as computer-related forgery
- Content-related offenses, such as child pornography; and
- Copyright-related offenses


International Cooperation
The Asia Pacific Economic Cooperation endorses the following action items to combat cybercrime:
- Immediate enactment of substantive, procedural and mutual assistance laws;
- Making cybercrime laws as comprehensive as those proposed in the Council of Europe;
- Assistance between and among economies;
- Security and technical guidelines that can be used by governments and corporations against cybercrime;
- Outreach programs to economies and consumers regarding cybersecurity and cyber ethics


International Cooperation
- ASEAN Network Security Coordination Center
- Early warning systems against viruses and illegal network intrusions
- Asia Pacific Computer Emergency Response Team


Thank You
