Tightened – key terms defined, semantics clarified e.g. what is the substantive difference between “the misuse of computer systems or data” and “the abuse of electronic means of completing transactions”Technically, “the misuse of computer systems or data” encompasses “the abuse of electronic means of completing”
Separation of Duty: A person with multiple functional roles has the opportunity to abuse those powers. Example: The person who requisitions the purchase of goods or services should not be the person who approves the purchase. The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports“entitlements” is where loopholes can be created. Entitlement versus Visbility
Currently “unauthorised” defined as 1) when a person who is not entitled to access (etc), 2) does not consent to access (etc) or 3) is not acting under the Cybercrime Act or the Interception of Communication Acts
Example, Online Banking. Bank rolls out update that inadvertently exposes customer data, What recourse for customer?
??? – or has he? Another point, whose authorization would the network engineer need to see traffic? Everyone on the network at the time? The CEO?Call bank: All calls recorded.
How much information does each of services have on each computer? Why is this not limited, if it is vast?
Eavesdropping In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.Using a sniffer, an attacker can do any of the following:Analyze your network and gain information to eventually cause your network to crash or to become corrupted.Data ModificationAfter an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified. Identity Spoofing (IP Address Spoofing)Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed— identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.Authentication/Authorization System AttacksA common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password. Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user. When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.After gaining access to your network with a valid account, an attacker can do any of the following:Obtain lists of valid user and computer names and network information. Modify server and network configurations, including access controls and routing tables.Modify, reroute, or delete your data. Denial-of-Service AttackUnlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.After gaining access to your network, the attacker can do any of the following:Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.Block traffic, which results in a loss of access to network resources by authorized users.Man-in-the-Middle AttackAs the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data. Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack, described later in this section.Security system AttackA key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.Application-Layer Attack & Operation System exploitsAn application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:Read, add, delete, or modify your data or operating system.Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.Introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or to corrupt your systems and network.Abnormally terminate your data applications or operating systems.Disable other security controls to enable future attacks.
Disclosure Example: Digicel online customer care – is a third party you are disclosing your credit card info toNow that Credit Reporting is online in Jamaica, this not being in place is a disaster waiting to happen.Define ProtectionLegal Recourse for cybercrime victims.
Under section 402.2 of the Criminal Code of Canada,“ Everyone commits an offence who knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence. is guilty of an indictable offence and liable to imprisonment for a term of not more than five years; or is guilty of an offence punishable on summary conviction.” Under section 403 of the Criminal Code of Canada,“ (1) Everyone commits an offence who fraudulently personates another person, living or dead, (a) with intent to gain advantage for themselves or another person; (b) with intent to obtain any property or an interest in any property; (c) with intent to cause disadvantage to the person being personated or another person; or (d) with intent to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice. is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years; or guilty of an offence punishable on summary convictionsection 4 (b)(3) of the Cybercrime Prevention Act of 2010.(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right: Provided, That if no damage has yet been caused, the penalty imposable shall be one (1) degree lower.Interesting note on Philippines - known as the 10th heavy users of Facebook and other social networking sites such as Twitter, Multiply and Tumblr has been known as source to various identity theft problems. Identity of those people who carelessly put personal information on their profiles can easily be stolen just by simple browsing.
The General Data Protection Regulation Proposal introduces a broad breach notification requirement for any personal data breach similar to that set out in the amended ePrivacy Directive: Trigger and Timing. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal datatransmitted, stored or otherwise processed must be notified to the local data protection authority without undue delay and no later than 24 hours after the controller becomes aware of the breach. A delay in notification is possible, butthe controller must make a reasoned justification for taking longer than 24 hours to notify. Individuals must be notified without undue delay after the controller has notified the authorities, where the breach is likely to adversely affect the protection of an individual’s personal data or privacy. Importantly, the Regulation explicitly mandates processors to notify controllers immediately about a breach on their side. Content.Notification must include the nature of the breach including the types of data and individuals concerned, possible consequences, contact details, measures taken to mitigate potential adverse effects and measures taken by the organisation. Exemptions. Notification to individuals is not required where the organisation can demonstrate that it applied appropriate protection measures to protect the data. As a result, an exemption from notification to individuals seems to be available where encryption technology is applied.Sanctions.Failure to report a breach is sanctioned by administrative penalties of up to 2% of an organisation’s annual global turnover. For a first and unintentional breach (non-compliance with the Regulation), no sanction is imposed, only a written warning issued, where, for example, a company with fewer than 250 employees is processing data only as an activity ancillary to its main activities
Left out :- Cyber Vandalism/Defacement - Hacktivism - Cybersex
Data use is purpose-driven, where purpose-driven refers to the fact that data should only be used for the intended purpose it was created/supplied/generated for, the purpose should be communicated to the data owner, their consent received for using their data for that purpose, and once it has fulfilled the purpose the data must be destroyed.
Review of the Jamaican Cybercrime Act of 2010
Jamaican Cybercrime Act of 2010 Review Comments by Dr. Tyrone W A Grandison (CEO, Proficiency Labs) Presentation toThe Joint Select Committee of the Jamaican Parliament on the Cybercrimes Act On March 7th, 2013
Introduction: Proficiency Labs Small startup founded in 2012 based in Ashland, Oregon. Specializes in building, evaluating and repairing privacy and security solutions for cyber systems. Services offered: IT Consulting, Systems Development, Data Extraction & Expert Witness Services for Legal Cases, Legislative Compliance Education & Outreach. 2
Introduction - Tyrone• Born & Bred in Kingston, Jamaica. • Recognition:• Over 20 years experience in the • Distinguished Engineer of the Association of Computing Machinery Computer Science field. (ACM),• The last decade has been spent • Senior Member of the Institute of reading & evaluating law; then Electrical and Electronics Engineers implementing solutions (IEEE), (administrative, physical & technical) • IEEE Technical Achievement Award in that ensure compliance. 2010 for ‖Pioneering contributions to Secure and Private Data Management‖,• Over 90 academic peer-reviewed • IBM Master Inventor, papers in the spaces of computer and • Fellow of the British Computer Society data security and privacy. (BCS),• Over 30 patents in the computer • Pioneer of the Year (2009), National science. Society of Black Engineers. 3
Flow of the Talk State my Motivation / Agenda Provide Summary Page by Page Analysis of the current Act Immediate Improvements Next Steps Guidance– Process-Wise Suggestions on Missing Elements Suggestion on Legislative Principles Close 4
Motivation The Jamaican Public The Caribbean Academic Community Personal Gratitude 5
Review Summary The Act needs to be tightened. Currently, it onlyfocuses on unauthorized access. In its current form, the Act has limits in its scope & coverage and it is far too general in many other parts; with potentially devastating implications to the local Computer Science community (Research and Development). 6
―obtains access‖ Definition stated on Page 3 – 2.(2) It seems the intent of this definition is to define deviant and undesired behavior. Is this assumption correct? The reality is that every single user of a computer system falls under the purview of this definition. For example: Simple: Minister Robinson uses MS Powerpoint to open a ministerial presentation, edit it and store it on my machine. Under all the conditions cited in the Act, (a) through (e), Minister Robinson ―obtains access‖. Is this the intent? Is everyone using a computer or computing device (which includes mobile phones) supposed to be in this group of people who ―obtain access‖ under the Cybercrime Act? I can also see scenarios where less than scrupulous elements could use this definition to unfairly persecute others. Recommendation: This definition needs to be sharpened to align with its true intent. 7
―entitled‖ Mentioned on Page 3 – 2.(4)(a) ―entitled‖ and ―entitlement‖ should be defined. Technically, a person may not be entitled to data (depending on definition), but it may be a function of their job. Example: Is a CFO entitled to see client data, even though he is several levels above the actual person who has data access rights? When you have separation of duties scenarios, how does that interact with "entitlement"? Recommendation: 2.4.(a) should be removed, rephrased or a section on "entitlement" included. 8
―consent‖ Mentioned on Page 3 – 2.(4)(b) ―consent‖ should be defined. ―consent‖ should be documented and retained in order to prove compliance. What are acceptable forms of documenting ―consent‖? Recommendation: 2.4.(b) should be removed, rephrased or a section on ‖consent" included. 9
―unauthorised‖ Defined by Page 3 – 2.(4) Current definition is limited. Hypothetical Legal Scenario: Someone who accidentally gains access rights to valuable data through software malfunction. Could soundly argue that access is authorised under the Cybercrime Act because the software is a proxy for him and the software is entitled. Thus, his activity is not covered under the Act. Recommendation: Use established definition of Unauthorized Access - when a person who does not have permission to connect to or use a system or data gains entry in a manner 10 unintended by the system owner.
―commits an offence‖ Mentioned on Page 5 - Part II. 3 (1) Covers only unauthorised access of software or data. Deloitte & Touche’s ―Cyber Security Watch‖ survey (2011) Forty-six (46) percent of respondents said insider attacks were more costly to their organization than external attacks. Thus, insider attack (i.e. attack from people within the company who are probably authorised) should be included. Recommendation: Address the case where the person has authorized access and chooses to pass on (confidential or private) information to another person/entity/computer for monetary or other gain/purpose, via electronic or other means (e.g. showing someone onscreen, taking a screenshot and sharing it, printing material and passing it on) 11
―offence‖ Mentioned in Page 6 - 4 (1) through 4 (4) The definition of offence is too narrow. Recommendation: The definition needs to be broadened. Statistically, the bigger security risk/threat has been proven to be ―the insider threat‖, i.e. existing employees, disgruntled soon-to-be ex-employees, i.e. most likely people who are authorized. 12
―unauthorised modification‖ Mentioned in Page 7 - 5 (1) through 5 (3) Limited Applicability: In-house IT departments are normally authorized to modify their parent company’s system and data. Any crime committed by someone in these departments may argue that they are not covered under this Act. Realistically, this clause will likely only apply to computer hobbyists, professional hackers and security academics who are outside a corporate entity (with no consent.) Recommendation: Rephrase to include modification with authorization but not for the intended purpose. 13
―intercepts‖ Mentioned on Page 8 – 6 (1) (b) Define ―intercepts‖. The current wording is awkward. Currently, the effect of this is: Anyone who happens to listen in network traffic is committing an offence. Example: The network goes down and the traffic on the network is dumped into a file that a network engineer must view to troubleshoot the problem. From the current definition, it can be interpreted as: They have committed an offence by indirectly intercepting. ??? Also, what about network protocol/security students writing assignment code that requires interception? It would also encapsulate a number of other valid scenarios where interception is necessary and or a business function, e.g. deep packet inspection. With the current wording, one eliminates the possibility of legitimate interception happening in industry or academia. Recommendation: Determine function of clause and rewrite. 14
―lawful justification or excuse‖ Mentioned on Page 9 - (7) (1) Define ―lawful justification or excuse.‖ Under the current phrasing, the following are prosecutable: Intentional software updates/upgrades, i.e. if the updates cause a memory leak, system failure etc. Beginning computer students who write horrible code with unintended consequences to the computer or network. (Computer) Security professional and students in the course of their duties. What authorisation is acceptable here? Would the acceptance of a software update, the permission of a lecturer/teacher, etc. constitute authorization and thus exempt these scenarios from prosecution? Recommendation: Rephrase to meet intent. 15
8 (1) In (8) (1) (a) either: 1) redefine computer to be broader or 2) replace it with ―code, program, software, computer or equivalent electronic (and non-electronic) artifact.‖ In (8) (1) (b) the phrase ―any access code or password‖ is contemporary and too specific. I suggest using ―any authentication or authorization token, such as access codes & password, biometric identifiers, gesture passwords‖ in order to predict for future technology and to capture more current mechanisms. 16
―protected computer‖ Mentioned on Page 11 – 9 (1) and 9 (2) ―the offender knows, or ought reasonably to know‖ puts the burden/responsibility on the offender and offers a potential loophole. It is possible for an offender to skirt this Law by suggesting that they did not know and that it could not be reasonably determined that a computer was protected. I suggest that an additional policy step be taken to avoid this scenario: All protected computers be clearly and visibly tagged/labeled as such. The inclusion of 9 (2)(c) through 9 (2) (e) makes this very broad and potentially detrimental, e.g. loss of laptops by emergency service. The scenarios are endless. Either remove them, clarify the offences or ensure ALL equipment is labeled ―Protected Computer‖. 17
―incites‖ Mentioned on Page 12. 10 (a) and 10 (b) Define ―incites‖ Creative Scenario: A ―very smart‖ disgruntled ex-employee who commits an unauthorized access may request that his boss or whoever incited him to action be charged as well. Recommendation: I suggest removing ―incites, attempts‖ from 10 18
―suffered loss‖ Page 13 – 12 (1) Defined ―suffered loss‖ ―suffered loss‖ should be tied to something tangible and or capped. In order to dissuade people from making frivolous claims. 19
14 & 15 14 (1) (a) Define the grounds upon which ―reasonably required‖ is based. 14 (1) (b) Define the evidence upon which ―reasonable grounds‖ is based. 14 (1) What happens when an offender has automated tamper-resistant or tamper-proof software on their system? (15) (1) Define ―reasonable grounds‖. 20
17 & 18 The term ―key‖ is being used without definition in 17 (3) (b) and 18 (9) (a) Define ―key‖ such that it includes current cryptographic mechanisms and so that there is room for future technologies. Define ―intelligible‖ A smart lawyer could argue that hashed data is intelligible to someone with the hash algorithm. 21
Immediate Improvements terms. Update with precise definitions of unclear Include ―authorised access‖ measures – to address insider threat. Modify language to ensure that domestic Computing professionals and academia are not suffocated by the Act. Bolster Act with policy actions that improve enforcement. Increase penalties to be true disincentives. 22
Stepping Back Determine the technical and business activities and threats that should be covered on this Act. There are several broad (technical) cyber threat categories: Eavesdropping or Sniffing Data Modification Identity Spoofing Authentication/Authorization System Attack Denial of Service Man-in-the-Middle Security system Attack Operating System exploits Application-Layer attacks Each of these categories have a complementary, well-defined, legitimate function. 23
Then Impact analysis Determine how the new provisions/clauses/rules will impact all the stakeholders. Collaborative rule-making Request stakeholder input. Weigh stakeholder input based on their established biases and business functions. Engage impartial entity (or entities) in collating new proposed rules with stakeholder input and public interest. Enable Enforcement 24
What is Missing? Personal Data Protection OECD Data Protection Directive can be used as a model. The seven principles governing the OECD’s recommendations for protection of personal data were: Notice—data subjects should be given notice when their data is being collected; Purpose—data should only be used for the purpose stated and not for any other purposes; Consent—data should not be disclosed without the data subject’s consent; Security—collected data should be kept secure from any potential abuses; Disclosure—data subjects should be informed as to who is collecting their data; Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; 25 Accountability—data subjects should have a method available to them to
What is Missing? Identity Theft (both online and traditional) ―The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right.‖ Multiple approaches across the world. Normally focused on traditional identity theft. Approaches: Canada : sections 402.2 and 403 of the Criminal Code of Canada US : Identity Theft and Assumption Deterrence Act of 1998 Philippines: section 4 (b)(3) of the Cybercrime Prevention Act of 2010. 26
What is Missing? Breach Notification ―When a cyber breach occurs, inform in a timely manner, in multiple media, and ensure compromised data owners are compensated and protected from ongoing malicious activity.‖ Organizations may also be fined for the breach. In US, Laws vary by state. See here. California was 1st. EU General Data Protection Regulation Proposal (July 1, 2013) introduces breach notification requirement. Useful Reference Material: ―Dealing with data breaches in Europe and beyond‖ by Ann Bevitt, Karin Retzer and Joanna Łopatowska (Morrison & Foerster LLC), 2013. California Database Breach Act (SB 1386) 27
What is Missing? Illegal Cyber Actions Unsolicited Commercial Communications — The transmission of commercial electronic communication with the use of computer system which seek to advertise, sell, or offer for sale products and services. Cyber-squatting – The acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same. Cyber Fraud – The deliberate deception for unfair or unlawful gain that occurs online. Cyber Extortion – The attack or threat of attack against an entity (person or company), coupled with a demand for money to avert or stop the attack. Cyber Spying or Espionage – The act or practice of obtaining secrets (personal, sensitive, classified or proprietary data) without the permission of the holder of the information. 28
Principles “Good Stewardship” - Companies that collect, collate or utilize data on individuals in any way are stewards of this data. It is expected that companies will be good ―data‖ stewards, which looks like: Asking for consent when using an individual’s data. Respect the individual’s wishes/preferences with regards to how they want their data to be used or not used. Compensating individual’s for any damage or harm done to the individual when the steward or its agents perform or enable some act that is detrimental to the individual. Offering compensation to the individual(s) when data is used in a manner that leads the company to gain revenue from data use or processing. Making all actions taking with regards to data, transparent and visible to the data owner(s). Data use is purpose-driven. 29
Principles “Data Ownership” - Data about or concerning a particular individual is owned by that individual. Thus, giving individuals ownership rights over their data and the actions performed on it. “Private and Secure by Default” - Data stewards should ensure that there are process, technology and social safeguards in place to ensure that the data owner’s privacy is protected. It should be assumed that data is secure and private by default. Data should remain in a privacy-preserving and secure state until it is no longer needed (i.e. used for its purpose) and it is securely destroyed. Legal recourse for victims of cybercrime. 30
Concluding Remarks There is a lot of work to be done to protect the Jamaican people, the Jamaican business community and the Jamaica academic community. The culture of paper in Jamaica is moving into the electronic age. You cannot pull skeptical people into the 21st century, without some kind of surety that you are protecting their interests. A corporation’s bottom line is only as good as the people who work for it and buys its goods & services. A protected citizen is a confident consumer. 31
Questions Dr. Tyrone W A Grandison @firstname.lastname@example.org 32