Sri Lankan perspective in meeting the Cyber crime challenge
Download
Report
Transcript Sri Lankan perspective in meeting the Cyber crime challenge
Sri Lankan perspective
in meeting the
Cyber crime challenge
by
Lal Dias
Chief Operating Officer,
Sri Lanka CERT
Role of Cyber systems in Sri Lanka
e-Sri Lanka Development Initiative
Multi-faceted program
Objectives
Bridge digital divide
Improve delivery of public services
Increase competitiveness of private sector
Accelerate social development
Poverty reduction
e-Sri Lanka Development Initiative
Major Programs of e-Sri Lanka
ICT Policy, Leadership & Institutional Development
Information Infrastructure
Re-engineering government
ICT Human Resources Capacity Building
ICT Investment & Private sector Development
E-Society
ICT Agency of Sri Lanka established to
spearhead the e-Sri Lanka Development
Initiative
e-Sri Lanka Development Initiative
ICT Policy, Leadership & Institutional Development Program
e-Laws Project
Electronic Transactions Act No. 19
Sri Lanka Computer Crimes Act No. 24
e-Leadership Development Project
Information Infrastructure
Sri Lanka CERT Project
e-Sri Lanka Projects
e-Laws Project
Electronic Transactions Act No. 19
Law to enable validation of e-Commerce, eSignature and e-Contracting
Sri Lanka Computer Crimes Act No. 24
Identification, Investigation and Enforcement of
computer crimes
e-Sri Lanka Projects
e-Leadership Development Project
Develop a pool of champions to enforce security
policies, monitor fraudulent activities and promote
best practices
Sri Lanka CERT Project
National CERT mandated to protect Sri Lanka’s ICT
infrastructure from attacks, be the single, trusted
source for information on cyber crime techniques
and coordinate efforts to handle Cyber crime
incidents
Conflict of Systems
e-Sri Lanka introduces new challenges in
fighting cyber crime:
New (due to e-Sri Lanka)
Traditional
• SLCERT Forensics Team
• SLCERT Incident Handling
• Police Investigation Team
• Computer Crimes Act
• E-Transactions Act
• Existing Penal Code
• New reporting mechanisms
•Traditional Reporting
-CID
-NIB
mechanisms
Cyber crime in Sri Lanka: 2007
12%
12%
0%
12%
41%
23%
Hacking
Publishing Information without consent (Sexual Harrassment)
Impersonation
Hacking Addresses & Attempted cheats
Pornography
Violation of Intellectual Property Act
Cheating
Cyber crime in Sri Lanka
Prosecution of Cyber crime cases
Total Cases: 17
76
24
0
2007
Total Cases: 9
0
78
22
2006
Total Cases: 4
20
40
Successful
60
Dismissed
0
0
75
25
2005
80
Pending
Uninvestigated
100
120
Computer Crimes Act
Timeline
1995: Work started by CINTEC Law Committee
1997: Working paper on Computer crime Act submitted
Decision to be made: Develop provisions for prosecution
of cyber crimes under existing penal code OR develop a
Subject specific law?
2000: decision to develop Subject specific legislation
2005: Bill finalized and presented in Parliament
2006: Further review by Parliamentary committee
2007: Passing of bill in parliament
Computer Crime Act currently not enforced fully
Computer Crimes Act
Features
Provides clear structure for conducting of investigations and
jurisdictions
Provides distinct cyber crime categories and the corresponding
parameters under which a case may be prosecuted, including
maximum or minimum applicable penalties
Use of Generic terms, so that even if technology changes, the
nature of the crime will remain the same (example: phishing,
vishing & phaxing)
Provision of Cross Extradition arrangement with Council of
Europe signatories. Increased ability to prosecute cases beyond
Sri Lanka’s borders
Clear statement of Resources that would be brought to bear on
the case, including, among others, “experts”.
Computer Crimes Act
Cyber crime Categories
Computer-related offenses
Computers used as tools for criminal activity
(Theft, fraud)
Hacking
Activities which affect CIA of computer system or network
(includes viruses and other malware)
Content related offenses
Computers with Internet access used to distribute illegal data
(copyright infringement, pornography)
Computer Crimes Act
Parameters
Unauthorized Access
Unauthorized Access in order to commit an offence
Causing a computer to perform functions without
lawful authority
Offenses committed against national security
Dealing with unlawfully obtained data
Illegal interception of data
Use of an illegal device
Unauthorized disclosure of information
Computer Crimes Act: Penalties
Jail Term
(Years)
Fine
(Rupees)
Or Both?
Unauthorized Access
≤5
≤100K
Unauthorized Access to
commit offense
≤5
≤200K
Function without Lawful
authority
≤5
≤300K
Offenses Against National
Security
≤5
-
×
Unlawfully obtained data
0.5≤ ≤3
100K≤
≤300K
Illegal interception
0.5≤ ≤3
100K≤
≤300K
Use of illegal devices
0.5≤ ≤3
100K≤
≤300K
Unauthorized disclosure
0.5≤ ≤3
100K≤
≤300K
Parameter
CHALLENGES
Identification of Cyber Crimes
Limited reporting of crime
Verifying reports/Authenticity of Reports
Lack of trust in reporting methods
No guarantee of confidentiality
Genuine report or prank?
Due diligence
Reporting of crimes found at workplace. Professional
obligation vs. Personal inconvenience
CHALLENGES
Investigation of Cyber Crimes
Gathering of evidence
Maintaining admissibility of evidence
Weight of Digital evidence in court
Lack of proper structure for cooperation between
investigating organizations
Poor system for maintenance of chain of custody
Lack of understanding of importance of digital evidence
Lack of Legal professionals conversant with CCA
Jurisdiction
NIB, CID, other organizations (SLCERT, TechCERT, etc)
CHALLENGES
Enforcement of Cyber Laws
Tendency to prosecute under existing penal code; more
lenient penalties (Case studies)
Lack of IT Savvy lawyers
Lack of ICT Knowledge of judges, making obtaining
warrants more time consuming
Lack of provisions for prosecuting Cross border crime,
such as cross-extradition arrangements, cooperative
investigation of cases, etc
Case study 1:
A Foreign National published false information regarding the
sale of DVD players online
Online payments credited to Standard Chartered Bank
Account
Funds withdrawn by offender who left country
DVD Players not delivered
Suspect arrested upon return to Sri Lanka, fined and
deported
Problem: Waiting for suspect to return to Sri Lanka. Lack of
extradition arrangements.
Case study 2:
Superimposing nude images on a picture of a Buddha
Statue (causing offense)
Investigated by CID Cyber Crimes Unit
NGO employee arrested
Convicted and sentenced to 3 Years imprisonment,
suspended for 3 years
Problem: Leniency in sentence and enforcement of sentence.
Much stronger penalties allowed for under CCA
Future plans for cyber crime fighting
Build a defined structure and working relationship
between organizations concerned with cyber
crime
International Judicial Community
AG’s Department
Inter-Governmental Relationships
Police Force
International Police Community
NIB
CID
Cyber crime
Reporting Centres
Sri Lanka CERT
International CERT Community
Future Plans
Identification
Building and maintenance of Cyber Crime Reporting
Centres
Additional “secured” reporting channels (E-mail, Web)
Protection of Confidentiality through Information
Security Measures
Raises trust
Expected Outcome: Reporting of more cases
Future Plans
Investigation
Develop a Digital Forensics Lab, Larger Forensics team to
handle increase in cases
Develop clear Chain of Custody procedures
Build contacts with Foreign Police forces to increase skills
available in investigating complex, cross-border cases and
forensics knowledge
Expected Outcome: Increased number of successfully
prosecuted cases
Future Plans
Prosecution
Run Awareness Programs for the local judiciary to raise
awareness of Computer crimes (attack techniques,
potential damage, etc) and the provisions of the Computer
Crimes Act (CCA)
Build a pool of IT Savvy Legal professionals able to
prosecute cases under the CCA
Increase number of countries with which Sri Lanka has
Extradition Treaties through Government intervention
Expected Outcome: Increased number of successfully prosecuted
cases
THANK YOU