Amare doc

Individual assignment Legal framework on information security Page 1
ASSOSA UNIVERSITY
COLLEGE OF COMPUTING AND INFORMATICS
EPARTMENT OF INFORMATION TECHNOLOGY
COURSE TITLE: SOCIAL ETHICS IN IT
INDIVIDUAL ASSIGNMENT
PREPARED BY:
NAME IDNO
AMARE SIMACHEW…………………… ETR/0027/08 E.C
Submitted To Instructor: TESFAYE T
Submission Date: 01/06/2011 E.C
ASSOSA,ETHIOPIA

Individual assignment Legal framework on information security Page i
Table of Contents
1. Question...................................................................................................................................... 1
2. Answer........................................................................................................................................ 1
Cybercrime law in South Africa explained in detailed................................................................... 1
1. South Africa................................................................................................................................ 1
1.1 Hacking (unauthorized access) ................................................................................................. 1
1.2 Denial of service attacks ........................................................................................................... 1
1.3 Phishing..................................................................................................................................... 2
1.4 Infection of IT systems with malware (including ransom ware, spyware, Trojan and virus) .. 3
1,5 Identity theft or identity fraud (e.g. in connection with access device).................................... 4
1.6 Electronic theft (e.g. breach of confidence by a current or former employee or criminal copy
right infringement).......................................................................................................................... 4
1.7Any other activity that adversely affect or threatens ................................................................. 4
1.8 Identity theft or identity fraud (example in connection with access device) ............................ 5
2. Kenya.......................................................................................................................................... 6
2.1 Offences .................................................................................................................................... 6
2.2 A person who knowingly and without authority discloses any password ................................ 8
2.3 A person who intentionally publishes false, misleading data................................................... 9
2.4 A person who intentionally inputs, alters, deletes, or suppresses computer data ..................... 9
2.5A person who, with fraudulent or dishonest intent.................................................................... 9
3. Nigeria....................................................................................................................................... 11
3.1Offences against critical national information infrastructure .................................................. 11
3.2 Unlawful access to a computer ............................................................................................... 12
3.3 Unauthorized modification of computer data ......................................................................... 12
3.3.1 System interference.......................................................................................................... 13

Individual assignment Legal framework on information security Page ii
3.4 Misuse of devices.................................................................................................................... 13
3.5 Computer related forgery........................................................................................................ 14
3.6 Computer related fraud ........................................................................................................... 14
3.7 Identity theft and impersonation ............................................................................................. 15
4.A proclamation to provide for the computer crime in Ethiopia................................................. 15
4.1 Section One Crimes against Computer System And Computer Data..................................... 16
4.1.1. Illegal Access .................................................................................................................. 16
4.1.2 Illegal Interception ........................................................................................................... 17
4.1.3 Interference with Computer System................................................................................. 17
4,.1.4 Causing Damage to Computer Data................................................................................ 17
4.1.5 Criminal Acts Related to Usage of Computer Devices and Data .................................... 18
4.1.5 Aggravated Cases............................................................................................................. 18
4.1.6 Computer Related Forgery............................................................................................... 18
4.1.7 Electronic Identity Theft .................................................................................................. 19
4.1.8 Criminal Liability of Service Providers ........................................................................... 19
5 .Strength of Ethiopian legal framework..................................................................................... 19
5.1Weakness of Ethiopian legal framework ................................................................................. 20
5.2 Conclusion .............................................................................................................................. 21
5.3 recommendation...................................................................................................................... 21
References..................................................................................................................................... 24

1. Question
1. Write the current legal framework of South Africa, Nigeria and Kenya and compare with
Ethiopian legal framework related to information security and computer crime.
2. Write the strength and weakness of Ethiopia legal framework related to these three
countries.
3. Put your own recommendation for Ethiopia legal framework (constitution) related to
information security and computer crime.
2. Answer
Cybercrime law in South Africa explained in detailed
1. South Africa
1.1 Hacking (unauthorized access)
hacking is recognized as an offence under section 86(1) of the ECT act, which states that it is an
offence to intentionally access or intercept data without the appropriate authority of permission
to do so. This also applies to unauthorized interface with data as contained in section 86(2) of the
ECT act. Under the ECT act, the maximum penalty is affine (unspecified) or imprisonment for a
period not exceeding 12 months.
Under the cyber crime bill the offence of hacking is more broadly defined as it encompasses the
unlawful and intentional access to data, a computer program, a computer data storage medium,
or a computer system (section 2(1)). Under the cyber crimes bill, the maximum penalty is a fine
(unspecified) or imprisonment for a period not exceeding five years (or both).
1.2 Denial of service attacks
Section 86(5) of the ECT act states that any person who commit any of the acts described in
section 86(1)-86(4) with the intent to interfere with access to an information system so as to
constitute a denial, including a partial denial of service to legitimate users is guilty of an
offence.

For the sake of completeness:
 Section 86(1) –see discussion above in relation to hacking;
 Section 86(2) – criminalizes the unlawful intentional interference with data in a way
which cause such data to be modified, destroyed or otherwise rendered ineffective;
 Section 86(3) – makes it an offence to unlawful produce, sell, offer to sell, procure for
use ,design, adapt for use, distribute or posses any device including a computer program
or a component, which is designed primarily to overcome security measure for the
protection of data, or performs any of those acts with regard to a password, access code
or any other similar kind of data with the intent to unlawful utilize such item to
contravene this section; and
 Section 86(4) - makes it an offence to utilize any device or computer program mentioned
in section 86(3) in order to unlawful overcome security measures designed to protect
such data from access thereto.
Under the ECT act, the maximum penalty for contravening section 86(5) is a fine
(unspecified) or imprisonment for a period not exceeding five years.
1.3 Phishing
Phishing is recognized as an offence under section 87(2) of the ECT act which provides that a
person who commits any of the acts described in section 86(1)-86(5) for the purpose of obtaining
an unlawful advantage by causing fake data to be produced with an intent that it would be
considered or acted upon as if it were authentic is guilty of offence. The maximum penalty under
the ECT act is a fine (unspecified) or imprisonment for a period not exceeding five years.
Phishing can also be prosecuted under the common law offence of theft and fraud. The
maximum penalty imposed would depend on which court hears the cause (which would depend
on a variety of factors, the quantum of the claim being one). If the case is prosecuted in the
magistrate’s court, the court can impose a fine or imprisonment for a maximum period of 15
years in terms of its penal jurisdiction. If the case is heard in the high court of south Africa, the
court has wider discretion and may impose any fine or term of imprisonment which they deem
appropriate in the circumstance.

Under cybercrime bill, there are separate offences for cyber fraud, cyber forgery and uttering and
cyber extortion (section 8,9 and 10) which all attempt to deal with forms of phishing. A court
which convicts a person of such an offence (where a penalty is not prescribed by any other law)
can impose a sentence which the court deems appropriate and which is within that court’s penal
jurisdiction.
1.4 Infection of IT systems with malware (including ransom ware,
spyware, Trojan and virus)
Yes, see the discussion above in respect to denial of service attack. Section 87(1) related to
computer –related extortion, fraud and forgery of the ECT act is also relevant as it states that it is
an offence to perform or threaten to perform any of the acts to described in section 86, for the
purpose of obtaining any unlawful property advantage by undertaking to cease or desist from
such action, or undertaking to restore any damage cased as the result of those actions.
Under the ECT Act, the maximum penalty imposed for contravention of section 86(4) is a fine
(unspecified) or imprisonment for period not exceeding five years.
Under the cyber crimes Bill, there are separate offences for unlawful acts (in respect of software
tools), as well as unlawful interference with data, computer program, computer data storage
medium or a computer program or system(which is construed broadly enough to specifically
include malware).
Under the Cybercrimes Bill, the maximum penalty for contravention of theses sections is a fine
(unspecified) or imprisonment for a period not exceeding 10 years (or both).
Yes, see the discussion above in respect to denial- of- service attacks. Section86 (3) of the ECT
Act is relevant and the maximum penalty which can be imposed for contravention of section86
(3) is a fine or imprisonment for a period not exceeding 12months.
Under the Cyber Crimes Bill, it is an offence under section4 (1) to unlawfully and intentionally
posses, manufacturer, assemble, obtain, sell, purchase, make available or advertise any software
or hardware tool for purpose of contravening certain other section of the Cybercrimes Bill. The
maximum penalty for contravention of this section is a fine (unspecified) or imprisonment for a
period not exceeding 10 years (or both).

1,5 Identity theft or identity fraud (e.g. in connection with access device)
Yes, Section 87 of the ECT Act (which deals with computer-related extortion, fraud and forgery)
is relevant and criminalizes the action of the person who performs or threatens to perform any of
the acts in section 86 for the purpose of obtaining any unlawful property advantage by causing
fake data to be produced with the intent that it be considered or acted upon as if it were authentic.
If the offender uses an access device to breach certain security measure and then uses data
unlawfully, then the offender will have contravened section 87 and of the ECT Act. As stated
above, the maximum penalty imposed for contravention of section 87 if a fine (unspecified) or
imprisonment for a period not exceeding five years. Identify theft or fraud can also be prosecuted
under the common law offence of “theft “or “fraud’ .The sentence jurisdiction would operate the
same as discussed above in relation to “phishing”. Depending on the nature of offence it may
also be possible to prosecute identity theft or fraud as an infringement of copy right under the
copy right laws. Under the Cybercrimes Bill there are separate offences for cyber fraud, ciber
forgery and uttering and cyber extortion (sections 8,9 and 10) which are broad enough to cover
identity theft or fraud. A court which convicts a person of such an offence (where a penalty is not
prescribed by any other law) can impose a sentence which court deems appropriate and which is
within that courts penal jurisdiction.
1.6 Electronic theft (e.g. breach of confidence by a current or former
employee or criminal copy right infringement).
Yes, electronic theft may constitute an offence under section 86(1) of the ECT Act related to
unlawful access to data (see the discussion above relation to hacking).it can also be prosecuted
and which is within that courts penal jurisdiction.
With regards to criminal copy right infringement, the copy right Act 98 of 1987 makes provision
for criminal penalties, including the fine(maximum of R5,000 per infringement) and /or
imprisonment of up to three years for first conviction. The maximum fine and/or imprisonment
penalty for a second conviction is R10, 000 and or 5 years.
1.7Any other activity that adversely affect or threatens
The security, confidentiality or availability of any IT system structure, communications
network, device or data.

See also the discussion above in relation to hacking with regards to the Cybercrime Bill and
electronic theft.
Any other activity that adversely affects or threatens the security, confidentiality, integrating or
availability of any IT system, infrastructure, communication s network, devices and data.
The ECT Act also criminalize attempting to commit any of the offences in the ECT Act or aiding
and abetting those offences (section 88) the same penalties will apply as if the offence was
successfully perpetrated. Under the cybercrime Bill there are numerous new offences relating to
“malicious communications.” For example, it will be an offence to disseminate a data message
which advocates, promotes or insights hate discrimination or violence against a person or group
of persons “Revenge porn” will also constitute an offence under the cyber crime Bill (where a
naked image of the a person is shared electronically without their consent).
1.8 Identity theft or identity fraud (example in connection with access
device)
Section 87 of the ECT act (which deals with computer related extortion, fraud and forgery) is
relevant and criminalist the action of a person who performs or threaten to perform any of the
acts in section 86 for the purpose of obtain any unlawful proprietary advantage or obtain any
unlawful advantage by causing fake data to be produced with the intent that it be considered or
acted upon as if it were authentic. If the offender uses an access device to breach certain security
measure and then uses the data unlawfully. Then the offender will contravene section 87 and 86
of the ECT Act. As stated above the maximum penalty imposed for contravention of section 87
is fine (unspecified) or imprisonment for a period not exceeding five years.
Identity theft or fraud can also be prosecuted under the common law offence of “theft “or “fraud
“The sentencing jurisdiction would operate the same as discuss above in relation to “phishing”.
Depending on the nature of the offence, it may also be possible to prosecute identity theft or
fraud as an infringement of copyright under copy right laws.
Under the cyber crimes bill, there are separate offences for cyber fraud, cyber forgery and
uttering and cyber extortion which are broad enough to cover identity theft or fraud. a court
which convicts a person of such an offence(where a penalty is not prescribed by any other
law)can impose sentence which the court deems appropriate and which is within the courts penal
jurisdiction

2. Kenya
The National Computer And
Cybercrimes Co-Ordination Committee
2.1 Offences
(1) A person who causes, whether temporarily or permanently, a computer system to perform a
function, by infringing security measures, with intent to gain access, and knowing such access is
unauthorized, commits an offence and is liable on conviction, to a fine not exceeding five
Million shillings or to imprisonment for a term not exceeding three years, or to both.
(2) Access by a person to a computer system is unauthorized if
(a) That person is not entitled to control access of the kind in question to the program or data; or
(b) that person does not have consent from any person who is entitled to access the computer
system through any function to the program or data.
(3) For the purposes of this section, it is immaterial that the unauthorized access is not directed at
(a) Any particular program or data;
(b) A program or data of any kind; or
(c) A program or data held in any particular computer system.
(1) A person who commits an offence under Section 14 with intent to commit a further offence
under any law, or to facilitate the commission of a further offence by that person or any other
person, commits an offence and is liable, on conviction, to a fine not exceeding ten million
shillings or to imprisonment for a term not exceeding ten years, or to both.
(1) A person who intentionally and without authorization does any act which causes an
unauthorized interference, to a computer system, program or data, Commits an offence and is
liable on conviction, to a fine not Exceeding ten million shillings or to imprisonment for a term
not exceeding five years, or to both.
(2) For the purposes of this section, interference is unauthorized, if the person whose act causes
the interference
(a) Is not entitled to cause that interference;
(b) Does not have consent to interfere from a person who is so entitled.
(3) A person who commits an offence under subsection (1) which,
(a) Results in a significant financial loss to any person;

(b) Threatens national security;
(c) Causes physical injury or death to any person; or
(d) Threatens public health or public safety, is liable, on conviction, to a fine not exceeding
twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
(1) A person who intentionally and without authorization does any act which intercepts or causes
to be intercepted, directly or indirectly and causes the transmission of data to or from a computer
system over a telecommunication system commits an offence and is liable, on conviction, to a
fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years,
or to both.
(2) A person who commits an offence under subsection (1) which
(a) Results in a significant financial loss;
(b) Threatens national security;
(c) Causes physical or psychological injury or death to any person; or
(d) Threatens public health or public safety, is liable, on conviction to a fine not exceeding
twenty million shillings or to imprisonment for a term not exceeding ten years, or to both.
(3) For the purposes of this section, it is immaterial that the unauthorized interception is not
directed at
(a) A telecommunication system;
(b) Any particular computer system data;
(c) A program or data of any kind; or
d) A program or data held in any particular computer system.
(1) A person who knowingly manufactures, adapts, sells, procures for use, imports, offers to
supply, distributes or otherwise makes available a device, program, computer password, access
code or similar data designed or adapted primarily for the purpose of committing any offence
under this Part, commits an offence and is liable, on conviction, to a fine not exceeding twenty
million shillings or to imprisonment for a term not exceeding ten years, or to both.
(2) A person who knowingly receives, or is in possession of, a program or a computer password,
device, access code, or similar data from any action specified under subsection (1) and intends
that it be used to commit or assist in commission of an offence under this Part commits an
offence and is liable on conviction, to a fine not exceeding ten million shillings or to
imprisonment for a term not exceeding five years, or to both.

2.2 A person who knowingly and without authority discloses any
password
(1) A person who knowingly and without authority discloses any password, access code or other
means of gaining access to any program or data held in any computer system commits an offence
and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment
For a term not exceeding three years, or to both.
(2) A person who commits the offence under
Subsection (1)
(a) For any wrongful gain;
(b) For any unlawful purpose; or
(c) To occasion any loss, is liable, on conviction, to a fine not exceeding ten million shillings or
to imprisonment for a term not exceeding five years, or to both.
(1) A person who unlawfully and intentionally performs or authorizes or allows another person
to perform a prohibited act envisaged in this Act, in order to
(a) Gain access, as provided under section 14, to critical data, a critical database or a national
critical information infrastructure; or
(b) Intercept data, as provided under section 17, to, from or within a critical database or a
national critical information infrastructure, with the intention to directly or indirectly benefit a
foreign state against the Republic of Kenya, commits an offence and is liable, on conviction, to
imprisonment for a period not exceeding twenty years or to a fine not exceeding ten million
shillings, or to both.
(2) A person who commits an offence under subsection (1) which causes physical injury to any
person is liable, on conviction, to imprisonment for a term not exceeding twenty years.
(3) A person who commits an offence under subsection (1) which causes the death of a person is
liable, on conviction, to imprisonment for life.
(4) A person who unlawfully and intentionally possesses, communicates, delivers or makes
available or receives, data, to, from or within a critical database or a national critical information
infrastructure, with the intention to directly or indirectly benefit a foreign state against the
Republic of Kenya, commits an offence and is liable on conviction to imprisonment for a period
exceeding twenty years or to a fine not exceeding ten million shillings, or to both.

(5) A person who unlawfully and intentionally performs or authorizes, or allows another person
to perform a prohibited act as envisaged under this Act in order to gain access, as provided under
section 14 ,to or intercept data ,as provided under section 17, which is in possession of the
State and which is exempt information in accordance with the law relating to access to
information, with the intention to directly or indirectly benefit a foreign state against the
Republic of Kenya, commits an offence and is liable, on conviction, to a fine not exceeding five
million shillings or to imprisonment for a period not exceeding ten years, or to both.
2.3 A person who intentionally publishes false, misleading data
(1) A person who intentionally publishes false, misleading or fictitious data or misinforms with
intent that the data shall be considered or acted upon as authentic, with or without any financial
gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million
shillings or to imprisonment for a term not exceeding two years, or to both.
2.4 A person who intentionally inputs, alters, deletes, or suppresses
computer data
(1) A person who intentionally inputs, alters, deletes, or suppresses computer data, resulting in
inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were
authentic, regardless of whether or not the data is directly readable and intelligible commits an
offence and is liable, on conviction, to fine not exceeding ten million shillings or to
imprisonment for a term not exceeding five years, or to both.
(2) A person who commits an offence under subsection (1), dishonestly or with similar intent —
(a) For wrongful gain;
(b) For wrongful loss to another person; or
(c) For any economic benefit for oneself or for another person, is liable, on conviction, to a fine
not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or
to both.
2.5A person who, with fraudulent or dishonest intent
(1) A person who, with fraudulent or dishonest intent

(a) Unlawfully gains;
(b) Occasions unlawful loss to another person; or
(C) Obtains an economic benefit for oneself or for another person, through any of the means
Described in subsection (2), commits an offence and is liable, on conviction, to a fine not
exceeding twenty million shillings or 2018 Computer Misuse and Cybercrimes imprisonment
term for a term not exceeding ten years, or to both.
(2) For purposes of subsection (1) the word “means" refers to
(a) An unauthorized access to a computer system, program or data;
(b) Any input, alteration, modification, deletion, suppression or generation of any program or
data;
(c) Any interference, hindrance, impairment or obstruction with the functioning of a computer
system;
(d) copying, transferring or moving any data or program to any computer system, data or
computer data storage medium other than that in which it is held or to a different location in any
other computer system, program, data or computer data storage medium in which it is held; or
(e) Uses any data or program, or has any data or program output from the computer system in
which it is held, by having it displayed in any Manner.

3. Nigeria
Approach To Cyber Security Issues In Nigeria: Challenges And Solution
Protection of Critical National Information Infrastructure
Designation of certain computer systems or networks as critical national information
infrastructure.
(1) The President may on the recommendation of the National Security Adviser, by Order
published in the Federal Gazette, designate certain computer systems, networks and information
infrastructure vital to the national security of Nigeria or the economic and social well being of its
citizens, as constituting Critical National Information Infrastructure.
(2) The Presidential Order made under subsection (1) of this section may prescribe minimum
standards, guidelines, rules or procedure in respect of –
(a) The protection or preservation of critical information infrastructure;
(b) The general management of critical information infrastructure;
(c) Access to, transfer and control of data in any critical information infrastructure;
(d) infrastructural or procedural rules and requirements for securing the integrity and
authenticity of data or information contained in any critical national information infrastructure;
(e) the storage or archiving of data or information regarded critical national information
infrastructure;
(f) recovery plans in the event of disaster or loss of the critical national information infrastructure
or any part of it; and (g) any other matter required for the adequate protection, management and
control of data and other resources in any critical national information infrastructure
4. Audit and Inspection of critical national information infrastructure 4 The Presidential Order
made under section 3 of this Act may require the audit and inspection of any Critical National
Information Infrastructure, from time to time, to evaluate compliance with the provisions of this
Act.
3.1Offences against critical national information infrastructure
(1) Any person who commits any offence punishable under this Act against any critical national
information infrastructure, designated pursuant to section 3 of this Act, is liable on conviction to
imprisonment for a term of not less than fifteen years without an option of fine.

(2) Where the offence committed under subsection (1) of this section results in grievous bodily
injury, the offender shall be liable on conviction to imprisonment for a minimum term of 15
years without option of fine.
(3) Where the offence committed under subsection (1) of this section results in death, the
offender shall be liable on conviction to death sentence without out option of fine.
3.2 Unlawful access to a computer
(1) Any person, who without authorization or in excess of authorization, intentionally accesses
in whole or in part, a computer system or network, commits an offence and liable on conviction
to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000 or
to both fine and imprisonment.
(2) Where the offence provided in subsection (1) of this section is committed with the intent of
obtaining computer data, securing access to any program, commercial or industrial secrets or
confidential information, the punishment shall be imprisonment for a term of not less than three
years or a fine of not less than N7, 000,000.00 or to both fine and imprisonment.
(3) Any person who, with the intent to commit an offence under this section, uses any device to
avoid detection or otherwise prevent identification with the act or omission, commits an offence
and liable on conviction to imprisonment for a term of not less than three years or to a fine of not
less than N7, 000,000.00 or to both fine and imprisonment.
3.3 Unauthorized modification of computer data
(1) Any person who directly or indirectly does an act without authority and with intent to cause
an unauthorized modification of any data held in any computer system or network, commits an
offence and liable on conviction to imprisonment for a term of not less than 3 years or to a fine
of not less than N7, 000,000.00 or to both fine and imprisonment. (2) Any person who engages
in damaging, deletion, deteriorating, alteration, restriction or suppression of data within
computer systems or networks, including data transfer from a computer system by any person
without authority or in excess of authority, commits an offence and liable on conviction to
imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00
or to both fine and imprisonment.

(3) For the purpose of this section, a modification of any data held in any computer system or
network takes place where, by the operation of any function of the computer, computer system or
network concerned any- (i) program or data held in it is altered or erased; (ii) program or data is
added to or removed from any program or data held in it; or (iii) act occurs which impairs the
normal operation of any computer, computer system or network concerned.
3.3.1 System interference
Any person who without authority or in excess of authority, intentionally does an act which
causes directly or indirectly the serious hindering of the functioning of a computer system by
inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data
or any other form of interference in the computer system, which prevents the computer system or
any part thereof, from functioning in accordance with its intended purpose, commits an offence
and liable on conviction to imprisonment for a term of not less than two years or to a fine of not
less than N5,000,000.00 or to both fine and imprisonment.
3.4 Misuse of devices
(1) Any person who unlawfully produces, supplies, adapts, manipulates or procures for use,
imports, exports, distributes, offers for sale or otherwise makes available- (a) any devices,
including a computer program or a component designed or adapted for the purpose of
committing an offence under this Act; (b) a computer password, access code or similar data by
which the whole or any part of a computer, computer system or network is capable of being
accessed for the purpose of committing an offence under this Act, or (c) any device designed
primarily to overcome security measures in any computer, computer system or network with the
intent that the devices be utilized for the purpose of violating any provision of this Act, commits
an offence and is liable on conviction to imprisonment for a term of not less than three years or a
fine of not less than N7,000,000.00 or to both imprisonment and fine.
(2) Any person who with intent to commit an offence under this Act, has in his possession any
devise or program referred to in subsection (1) of this section, commits an offence and shall be
liable on conviction to imprisonment for a term of not less than two years or to a fine of not less
than N5, 000,000.00 or to both fine and imprisonment.

(3) Any person who, knowingly and without authority, discloses any password, access code or
any other means of gaining access to any program or data held in any computer or network for
any unlawful purpose or gain, commits an offence and shall be liable on conviction to
imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000.00 or
(4) Where the offence under subsection (1) of this section results in substantial loss or damage,
the offender shall be liable to imprisonment for a term of not less than five years or to a fine of
not less than N10,000,000.00 or to both fine and imprisonment.
(5) Any person who with intent to commit any offence under this Act uses any automated means
or device or any computer program or software to retrieve, collect and store password, access
code or any means of gaining access to any program, data or database held in any computer,
commits an offence and shall be liable on conviction to imprisonment for a term of not less than
five years or to a fine of not less than N10, 000,000.00 or to both fine and imprisonment.
3.5 Computer related forgery
Any person who knowingly accesses any computer or network and inputs, alters, deletes or
suppresses any data resulting in inauthentic data with the intention that such inauthentic data will
be considered or acted upon as if it were authentic or genuine, regardless of whether or not such
data is directly readable or intelligible, commits an offence and is liable on conviction to
imprisonment for a term of not less than three years or to a fine of not less than N7,000,000.00 or
3.6 Computer related fraud
(1) Any person who knowingly and without authority or in excess of authority causes any
loss of property to another by altering, erasing, inputting or suppressing any data held in
any computer, whether or not for the purpose of conferring any economic benefits for
himself or another person, commits an offence and is liable on conviction to
imprisonment for a term of not less than three years or to a fine of not less than N7,
000,000.00 or to both fine and imprisonment. (2) Any person who with intent to defraud
sends electronic message to a recipient, where such electronic message materially

misrepresents any fact or set of facts upon which reliance the recipient or another person
is caused to suffer any damage or loss, commits an offence and shall be liable on
conviction to imprisonment for a term of not less than five years or to a fine of not less
than N10, 000,000.00 or to both fine and imprisonment.
3.7 Identity theft and impersonation
Any person who in the course of using a computer, computer system or network
(a) Knowingly obtains or possesses another person’s or entity’s identity information with
the intent to deceive or defraud, or
(b) Fraudulently impersonates another entity or person, living or dead, with intent to
(i) gain advantage for himself or another person;
(ii) Obtain any property or an interest in any property;
(iii) Cause disadvantage to the entity or person being impersonated or another person; or
(iv) avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice,
commits an offence and liable on conviction to imprisonment for a term of not less than
three years or a fine of not less than N7,000,000.00 or to both fine and imprisonment.
4.A proclamation to provide for the computer crime in Ethiopia
Ethiopia has one of the lowest percentages of internet penetration in the world and in Africa. Still
the number of internet users and the percentage of penetration in the country are rising by the
day. At the beginning of the twenty first century, the number of internet users in the country was
around 10,000 people, but as of June 2017, this number has raised to 16,037,811 with an internet
penetration rate of 15.4% and an overall growth of 160,278 from the year 2000.
 From various study conducted in Ethiopia regarding cybercrimes, seven forms of
cybercrimes are experienced;
1. Computer virus, worm, malware or other malicious attack (57.1 %,)
2. Website defacement (40%), illegal access (17.1%), and spam (14.7%) are the
leading cybercrimes frequently perpetuated against the institutions.
3. Causing damage to computer data (62.9%)
4. Denial of service (DOS) (45.7%)

5. System interference (45.7%)
4.1 Section One Crimes against Computer System And Computer Data
 Now, therefore, in accordance with Article 55(1) of the Constitution of the Federal
Democratic Republic of Ethiopia, it is hereby proclaimed as follows.
4.1.1. Illegal Access
1/ whosoever, without authorization or in excess of authorization, intentionally secures access to
The whole or any part of computer system, computer data or network shall be punishable with
Simple imprisonment not exceeding three years or fine from Birr 30,000 to 50, 000 or both.
2/ where the crime stipulated under sub article (1) of this Article is committed against:
a) a computer system, computer data or network that is exclusively destined for the use of a legal
Person, the punishment shall be rigorous imprisonment from three to five years and fine from
Birr 30,000 to 50,000;
b) A critical infrastructure, the punishment shall be rigorous imprisonment from five to 10 years
And fine from Birr 50,000 to 100,000.
“Computer Crime Proclamation No.958/2016”
1. Whoever, without authorization or in excess of authorization, intentionally secures access
to the whole or any part of computer system, computer data or network shall be
punishable with simple imprisonment not more than three years or fine from Birr 30,000
to 50, 000 or both.
2. The crime specified under sub-article (1) of this Article is committed against:
A. A computer system, computer data or network that is exclusively destined for the
use of a legal person, the punishment shall be demanding from three years to five
years and fine from Birr 30,000 to 50,000.
B. A critical infrastructure, the punishment shall be rigorous imprisonment from five
years to ten years and fine from Birr 50,000 to 100,000.

4.1.2 Illegal Interception
 Whoever, without authorization or in excess of authorization, intentionally intercepts
non-public computer data or data processing service shall be punishable with rigorous
imprisonment not exceeding five years and fine from Birr 10,000 to 50,000.
 Where the crime stipulated under sub-article (1) of this Article is committed against:
A. A computer data or data processing service that is exclusively destined for the use
of a legal person, the punishment shall be rigorous imprisonment from five years
to ten years and fine from Birr 50,000 to 100,000.
B. A critical infrastructure, the punishment shall be rigorous imprisonment from ten
years to fifteen years and fine from Birr 100,000 to 200,000
4.1.3 Interference with Computer System
Whoever, without authorization or in excess of authorization, intentionally hinders,
impairs (damages), interrupts or disrupts the proper functioning of the whole or any part
of computer system by inputting, transmitting, deleting or altering computer data shall be
punishable with rigorous imprisonment from three years to five years and fine not
exceeding Birr 50,000.
1. Where the crime stipulated under sub-article (1) of this Article is committed against:
A. A computer system that is exclusively destined for the use of a legal person, the
punishment shall be rigorous imprisonment from five years to ten years and fine
from Birr 50,000 to 100,000.
B. A critical infrastructure, the punishment shall be rigorous imprisonment from ten
years to fifteen years and fine from Birr 100,000 to 200,000 or, in serious case,
rigorous imprisonment from fifteen years to twenty years and fine from Birr
200,000 to 500,000
4,.1.4 Causing Damage to Computer Data
1 Whosoever, without authorization or in excess of authorization, intentionally alters,
deletes, suppresses a computer data, renders it meaningless, useless or inaccessible to
authorized users shall be punishable with rigorous imprisonment not exceeding three
years and fine not exceeding
Birr 30,000.

2/ where the crime stipulated under sub article (1) of this Article is committed against:
a) a computer data that is exclusively destined for the use of a legal person, the punishment
shall be rigorous imprisonment from three years to five years and fine from Birr 30,000 to
50,000;
b) a critical infrastructure, the punishment shall be rigorous imprisonment from five to
10years and fine from Birr 50,000 to 100,000.
4.1.5 Criminal Acts Related to Usage of Computer Devices and Data
1. Whoever, knowing that it can cause damage to computer system, computer data or
network, intentionally transmits any computer program exclusively designed or adapted
for this purpose shall be punishable with simple imprisonment not exceeding five years
or fine not exceeding Birr 30,000.
2. Whoever, knowing that it is to be used for the commission of unlawful act specified
under Articles 3 to 6 of this Proclamation, intentionally imports, produces, offers for sale,
distributes or makes available any computer device or computer program designed or
adapted exclusively for the purpose of committing such crimes shall be punishable with
rigorous imprisonment not exceeding five years and fine from Birr 10,000 to 50,000.
4.1.5 Aggravated Cases
 Where the crime stipulated under Article 3 to 6 of this Proclamation is committed:
A. against a computer data or a computer system or network which is designated as top
secrete by the concerned body for military interest or international relation, or while the
country is at a state of emergency or threat, the punishment shall be rigorous
imprisonment from fifteen years to twenty five years
4.1.6 Computer Related Forgery
 Whoever falsifies a computer data, makes false computer data or makes use of such data
to injure the rights or interests of another or to procure for himself or for another person
any undue right or advantage shall be punishable with simple imprisonment not
exceeding three years and fine not exceeding Birr 30,000 or in a serious cases with
rigorous imprisonment not exceeding ten years and fine from Birr 10,000 to 100,000.
 Computer Related Fraud

1. Whoever fraudulently causes a person to act in a manner prejudicial to his rights or those
of third person by distributing misleading computer data, misrepresenting his status,
concealing facts which he had a duty to reveal or taking advantage of the person’s
erroneous beliefs, shall be punishable with rigorous imprisonment not exceeding five
years and fine not exceeding Birr 50,000.
4.1.7 Electronic Identity Theft
Whoever, with intent to commit criminal act specified under Article 10 of
Proclamation or for any other purpose produces, obtains, sales, possesses or
transfers any data identifying electronic identity of another person without
authorization of that person shall be punishable with simple imprisonment not
exceeding five years or fine not exceeding Birr 50,000.
4.1.8 Criminal Liability of Service Providers
 A service provider shall be criminally legally responsible in accordance with Articles 12
to 14, of this Proclamation for any illegal computer content data disseminated through its
computer systems by third parties, if it has:
1. Directly involved in the dissemination or edition of the content data;
2. Upon obtaining actual knowledge that the content data is illegal, failed to take any
measure to remove or to disable access to the content data; or
3. Failed to take appropriate measure to remove or to disable access to the content data upon
obtaining notice from competent administrative authorities.
5 .Strength of Ethiopian legal framework
The efforts and initiatives being made by the government in fighting cybercrime from three
cyberspace governance perspectives namely cyber security-related policies and strategies,
legislative frameworks, and institutional arrangements. I will also provide some
recommendations on what the government should do so that appropriate plans and measures
can be implemented to a safer and secure Ethiopia.

Despite the fact that Ethiopia is still lagging behind even compared to many developing
countries, ICT penetration and usage is steadily growing. As the potential for ICT to increase
economic growth and reduce poverty is an established fact, Ethiopia has to embrace ICT use
in its entire social, economic and political structures. That is why the Ethiopian Government
envisioned every aspect of Ethiopian life is ICT assisted and has made the development of
ICT one of its strategic plan priorities.
There is also a staggering increase in social networks users. The young generation of the
country is logging on every day to the online environment. Recent reports show that as of
2012, there were over 1 million Face book users, with 45 per cent are between the age of 18-
40. According to the recent research paper of Trend Micro Incorporated, Ethiopia is one of
the top 10 African countries with the biggest number of Face book users. The number of
broadband subscription has also increased from 27,043 in 2011 to 30,372 in 2012. According
to the Australia-based telecoms research company, BuddeCom, Ethiopia’s broadband market
is also set for a boom following massive improvements in international bandwidth, national
fiber backbone infrastructure and 3G mobile broadband services. There are also recent
reports that show Ethiopia’s International Internet bandwidth is better than many other
African countries as the country has been working towards improving its international
bandwidth through international fiber optic links via Djibouti, Kenya and Sudan.
5.1Weakness of Ethiopian legal framework
Despite the fact that Ethiopia cannot be immune from the threat of cybercrime, there is no
consolidated report that shows the exact prevalence and impact of cybercrime in the country and
to what extent the Ethiopian information society is vulnerable. This is because, among others,
companies and individual users do not report cybercrime incidents for several reasons, do not
keep organized record and some are not even know that they are targeted by cybercriminals.
Records in the intelligence agencies and the law enforcement are also either not properly
recorded or not accessible. Ethiopian-specific literatures on the extent of cyber-crime activities
are also nonexistent. This inadequacy of statistics could lead to over- or under estimating the
threat of cybercrime in the country.

In this work, I tried to extract the better picture of cybercrime in the country based on, among
others, two source of information. The first information was collected from a survey conducted
on some institutions in Addis Ababa. Some technical reports obtained from Information Network
Security Agency (INSA) are also used as source of information.
Accordingly, the questionnaires were categorized in to the following four perspectives which I
believe that they can give some picture of cyber security status at organizational level in
Ethiopia.
• Reality and prevalence of cybercrime,
• Preparation of organizations to deal with cybercrime incidents,
• Reporting of incidents and
• Perceptions on legislative, policy and law enforcement measures
5.2 Conclusion
Even though it has not been yet fully integrated in to everyday aspect of life, the use of ICT and
ICTs supported services are embraced by individuals, government and business in Ethiopia. The
government of Ethiopia is also working on the development ICT infrastructures and ICT based
services which will increase the level of reliance on these infrastructures and services. But it is
an established fact that with reliance on computer systems and other digital technologies comes
vulnerability to cybercrime and cyber-attack. Therefore, once Ethiopia is connected to a global
network, it becomes vulnerable to cybercriminals operating anywhere in cyberspace. And thus
Ethiopia is vulnerable to cybercriminals not in theory but in practical terms.
The government of Ethiopia is aware of the threats from cyberspace and is working towards
curtailing these threats in terms of policy, institution and legislation. But these efforts are at very
initial stage and are inadequate to deal with the ever changing cyber environment and growing
threat of cybercriminals.
5.3 recommendation
The current state of affairs of cyber security in Ethiopia should not be allowed to continue
because cybercrime is thriving. To change this status quo and strengthen cyber security

governance in Ethiopia, comprehensive works need to be done and I want to provide the
following recommendations.
• As cybercriminals take advantage of jurisdictions that lack comprehensive legal frameworks on
cyber security in general and cybercrime in particular, I recommend that Ethiopia has to speed up
its comprehensive proposed cybercrime law but also avoid the piecemeal and scattered
legislation approach for it is among the bottlenecks of enforcement and interpretation.

References
1. www.wikipediay .com/computer crime
2. https://www.abyssinialaw.com/.../1545-the-state-of-cybercrime-governance-in-ethiopi...
3. https://www.michalsons.com › Cyber Crime
4. G. O, Odulajaand F.Wada Assessing Cyber crime and its Impact on E-Banking In
Nigeria Using Social Theories (2012)
5. Criminal Code Act Chapter 77, Laws of the Federation of Nigeria. (1990)

Amare doc

Recommended

Recommended

More Related Content

Similar to Amare doc

Similar to Amare doc (20)

Recently uploaded

Recently uploaded (20)

Amare doc