CTO-CybersecurityForum-2010-Jayantha Fernando
    Presentation Transcript

        • Sri Lankan Cyber Crime Legislation
        • A developing country perspective
      Jayantha Fernando, Director / Legal Advisor, ICT Agency of Sri Lanka – [email_address] or [email_address]
    • Outline / Agenda
      • Country Statistics
      • Glimpse of Sri Lanka’s Policy Reform Stack
        • Cyber Law Stack
      • Sri Lankan Cyber Crime Framework
        • Computer Crimes Act No. 24 of 2007
      • Unique Enforcement Procedures
      • Addressing Challenges & Institutional Arrangements
      • Conclusions
    • Sri Lanka – Country Facts
      • Land Area: 65,610 Sq. Km
      • Population: 21,130,000
      • GDP: US$ 27 Billion
      • GDP/cap: US$ 1600
      • Currency: Sri Lankan Rupee
      • Time Zone: GMT +5:30
      • Capital: Colombo (Commercial), Sri Jayawardenepura (Administrative)
      • Languages: Sinhala, Tamil, English
      • Exports: Garments, Tea, Gems, Rubber, Tourism, IT/BPO
      • Administration: 9 Provinces, 25 Districts, 325 Divisional Secretariats
    • Sri Lankan ICT-BPO Sector
      • ICT Sector – 5th Largest Revenue Earner for Sri Lanka
      • First in South Asia to liberalise the Telecom Sector – 70% mobile penetration (5 mobile operators, large number of ISPs, 5 gateways)
      • A large pool of educated workers – 50,000 new accountants per annum, 30% per annum growth in IT workforce
      • Colombo Stock Exchange – Fastest Growing in Asia
        • Colombo Stock Exchange software replicated in Croatia, Mauritius etc. (LSE bought MIT)
      • Sri Lanka is ranked 16th in the “Top 50 Global Outsourcing Destinations” (A.T. Kearney Global Services Location Index 2009) and amongst the Top 20 emerging cities.
    • ICT Development Strategy in Sri Lanka – towards a knowledge economy
      • The e-Sri Lanka Development Project – USD 83 Million
        • Prepared from 2002–2005 & started in 2005
      • “Taking dividends of ICT to every village, every citizen, every business and transform the way the Government thinks and works” (www.icta.lk)
      • Implemented by ICT Agency of Sri Lanka (ICTA)
      • Information & Communication Technology Act No. 27 of 2003 (amended by Act 33 of 2008)
      • Two main functions of ICTA
        • Catalyst for ICT development – implements the ICT Development Strategy
        • Directs ICT Legal & Policy Reform
    • Companies Off-Shoring in Sri Lanka
    • Network Readiness Index (NRI) – SAARC Region (rank out of countries covered; “-” = not ranked, blank = not reported)

      Year                       2002/03  2003/04  2004/05  2005/06  2006/07  2007/08  2008/09
      Countries                       82      102      104      115      122      127      134
      India                                   45       39       40       44       50       54
      Sri Lanka                       54       66       71       83       86       79       72
      Nepal                                    -        -        -      108      119      127
      Bangladesh                              93      100      110      118      124      130
      Bhutan                                   -        -        -        -        -        -
      Maldives                                 -        -        -        -        -        -
      Pakistan                                76       63       67       86       84       98
      Afghanistan                              -        -        -        -        -        -
      SL – Percentile Ranking        66%      65%      68%      72%      70%      62%      54%
    • Policy Reforms Agenda – E-Laws Program
      • Intellectual Property Act No. 36 of 2003 (based on TRIPS)
        • Copyright Protection for IT Products & Services & Protection of Integrated Chips
      • Electronic Transactions Act No. 19 of 2006 (based on UNCITRAL Model Law on e-Commerce 1996 and UNCITRAL Model Law on e-Signatures 2001) – Ensures Technology Neutrality
        • Includes features of the “UN Convention on the Use of Electronic Communications in International Contracts” (UN e-Contracting Convention of 2005)
        • Sri Lanka – one of the first 3 countries in Asia to sign the convention (on 6th July 2006) along with China & Singapore
        • Sector-specific Certificate Authorities established (for Banking + Govt Network)
      • Payment and Settlement Systems Act of 2005
      • Monetary Law (Amendment) Act 2002 and Treasury Bills (Amendment) Act 2004
        • Establishes Sri Lanka as a destination for Electronic-based Financial Transactions
    • Cyber Crime Framework
      • Primarily Embodied in 3 Statutes
      • Computer Crimes Act No. 24 of 2007
        • (Provides for the identification as well as Investigation and prevention of Computer Crime)
      • Payment Devices Frauds Act No. 30 of 2006
        • (Protects persons lawfully using payment devices; Criminalises & Prevents the possession and use of unauthorised or counterfeit payment devices and provides for investigation of offences)
      • Penal Code (Amendment) Act No. 16 of 2006
        • (Prevents Computer based services being used for Child exploitation)
      • Other Relevant Statutes
      • Prevention of Money Laundering Act No. 5 of 2006
      • Financial Transactions Reporting Act No. 6 of 2006
      • Obscene Publications (Amendment) Bill 2010 – (Prevent Child Image Abuse)
    • Policy & Regulatory – NRI Rankings

      Year                                                     2003   2004   2005   2006   2007   2008
      Countries                                                 102    104    115    122    127    134
      Policy and Regulatory Environment for ICT Development      62     67     72     58     72     71
      Laws relating to ICT                                       69     78     87     71     64     59
      Percentile Ranking – Laws to ICT                         3.18   3.13   2.99   3.31   3.80   3.94
      Percentile Ranking – Policy & Regulatory                 3.79   2.98   2.95   3.95   3.80   4.00
    • Computer Crimes Act No. 24 of 2007 Historical Evolution
      • 1995 - Process commenced (CINTEC Law Committee)
      • 1997 – Working paper on Computer Crimes (Public Consultation)
      • Law Commission & Justice Ministry Review (2000 – 2003)
      • Bill Presented to Parliament – 23rd Aug 2005
      • Parliamentary Committee Review (2005–07)
      • Legislation Enacted on 8th May 2007
      • Date of Operation – 15th July 2008 (Gazette Extraordinary No. 1559/41 of 25th July 2008)
    • Computer Crimes Act No. 24 of 2007 Key Features
      • Applicability (Section 2)
      • A person commits an offence under the Act while being present in Sri Lanka or outside Sri Lanka
      • The Computer, computer system or information affected, by the act which constitutes an offence under this Act, was at the material time in Sri Lanka or outside Sri Lanka
      • The facility or service, including computer storage or information processing service, used in the commission of an offence under this Act, was situated in Sri Lanka
      • The loss or damage is caused within or outside Sri Lanka by the commission of an offence under the Act, to the state or to a person resident in Sri Lanka or outside Sri Lanka.
    • Sri Lankan Law - Key Provisions
      • Section 3 - Criminalises the securing of unauthorised access to a computer, or any information held in any computer, with knowledge that the offender had no lawful authority to secure such access.
      • Section 4 is an enhanced version of Section 3 and criminalises unauthorised access with the intention of committing another offence under the Computer Crimes Act or any other law.
      • Section 5 criminalises activities which result in unauthorised modification of, or damage to, a computer, computer system or computer program.
      • What constitutes “modification or damage” is clarified:
        • impairing the operation of any computer, or the reliability of any data or information held therein
        • destroying, deleting or corrupting or adding, moving or altering any information held in any computer
        • unauthorized use of Computer services etc
        • Introduction of a program resulting in malfunction (Viruses, worms etc)
    • Sri Lankan Law - Key Provisions
      • Causing a computer to perform a function which will result in harm to National Economy, National Security or Public Order is an offence (Section 6)
      • Obtaining information from a computer or a storage medium without authority (Section 7)
        • Includes buying, selling, uploading or downloading copies, or acquiring the substance or meaning of such information
      • Illegal interception of Data (Section 8)
      • Use of Illegal devices (Section 9)
      • Unauthorised disclosure of Information (Section 10)
    • Enforcement
      • Ensuring an appropriate balance and creating a conducive environment for enforcement
      • Criminal investigations interfere with “rights of subjects”
      • In a democratic society any such interference must be justifiable and “proportionate” to the needs of the society sought to be protected
      • Growth of cyber crime creates challenges in respect of how best an appropriate balance can be reached between the needs of investigators and the rights of data users
      • Interests of ISPs / intermediaries likely to be affected
    • Investigation & Enforcement Procedure (Unique Features)
      • Provision to designate “experts” to assist Investigators with defined powers (Sections 17 – 22)
      • Experts – “Public Officers” qualified in Electronic engineering or Information Technology – Sec 17 (1)
      • Broad powers for Experts – Section 17(4)
      • Powers of search and seizure with warrant – Section 18
        • Obtain information including subscriber information and traffic data
        • Interception of Communication at any stage of communication
      • Expert or Police Officer can issue a notice for preservation of information for 7 days; extension of time requires a Magistrate’s warrant (Sec 19)
      • Normal use Computers not to be hampered (Sec 20)
      • Competency of Police Officers to be certified by IGP (Sec 21)
      • Ensure Strict confidentiality by Police & Experts in connection with all information collected during an investigation (Sec 24)
    • Enforcement Challenges
      • Problems of identification
        • Lack of understanding by “victims” what constitutes cyber crime
        • Lack of understanding by enforcement as to what is cyber crime – investigation and prosecution under wrong provisions
        • Lack of understanding by the legal community – inability to map offences to the Computer Crimes Act (e.g. phishing, DNS fast fluxing etc.)
      • Lack of Reporting
        • Lack of safe and secure locations and systems to report cyber crime
        • Lack of infrastructure to safeguard confidentiality of the victim
        • Requirement to give oral evidence in Courts (reluctance of victims and “experts” to come forward)
      • Investigation and Co-ordination
        • Lack of proper Digital Forensic Lab for e-Forensics with controls
        • Challenges in training and retaining good enforcement officials
    • Addressing Challenges
      • Awareness, Infrastructure and Creating Institutions
        • Awareness and Skills Development
          • For Law enforcement, Stake holders (banking etc) and even public
        • Establishing “Digital Forensic Lab” for Computer Crimes Unit of Police (CID) – ICTA Leadership
        • Creating a hotline for reporting offences
        • Implementing IT Usage and Information Security Policies (both Govt and Pvt Sector)
          • E-Government Policy adopted by Cabinet of Ministers on 16th December 2009 – see www.icta.lk
        • Admissibility of Electronic Evidence enhanced by Evidence (Special Provisions) Act No. 14 of 1995 & Electronic Transactions Act 19 of 2006 (Dual Regime)
    • Addressing Challenges – Creating Institutional Arrangements (CERTs)
      • Governments cannot rely on traditional Govt expertise to combat cyber threats and address Cyber Forensic issues
      • ICTA Established Sri Lanka CERT as a subsidiary (Nov 2006)
      • See www.SLCERT.gov.lk
      • Private sector driven Company model with Government Stake holders (handles threats, forensics and develops IS policies)
      • Handled over 350 incidents since inception (Approx 10 incidents a month)
      • Reported Incidents of Cyber Crime increased from 48 (in 2008) to 69 in 2009
      • Creating sector-specific CSIRTs (Banking sector, ISPs etc.)
      • Admitted as full member of APCERT and FIRST
        • Centre of Excellence to deal with Cyber security issues
    • Addressing Challenges – International Cooperation
      • Cross-border nature of cyber crimes requires foreign bilateral co-operation between enforcement and judicial officials
      • Consider signing Council of Europe (CoE) Convention on Cyber Crime (Budapest Convention)
      • Review of Part V “Harare Scheme on Mutual Legal Assistance in Criminal Matters”- drawing on CoE
      • Advantages of Budapest Convention
        • Legal and Contractual basis for International cooperation in Cyber Crime enforcement (Ranging from Police to Judicial cooperation)
        • Facilitates the gathering of Electronic Evidence, investigation of cyber-laundering, Cyber- terrorism and other serious crimes
        • Provides for Cyber Crime legislation harmonisation and allows participation in Cybercrime Convention Committee (T-CY)
    • Conclusions
      • Sri Lankan Computer Crime Legislation – Substantially compliant with the Budapest Convention
      • Technology and cyber crime techniques are several steps ahead – laws are always behind technology
      • Cannot get the ideal framework to address all enforcement challenges (despite consistency in the procedures in the Computer Crimes Act & Payment Devices Frauds Act)
      • Need for Multiple stake-holders to cooperate in enforcement (Private Sector and Civil Society inputs) – SL CERT Model
        • Governments alone cannot enforce Cyber Crime
      • Draw on International Best Practices
      • Need for International Co-operation
        • Council of Europe Convention as a tool for global cooperation
        • International Dialogue – ICANN, CTO, IGF etc.
    • THANK YOU