Net savvy breeds cybercrime vulnerability

Almost daily, we are assaulted on TV by experts with dire predictions about the dangers of the Internet.

Most IT professionals understand the reality - that the threat is remote. However, images of paedophiles hacking into your PC and taking over the PC cam to ogle your precious children in your home make sensational press.

Understanding that this type of journalism will happen does not prevent us feeling annoyed that the sensationalism is getting in the way of the real issues. Identifying those is the purpose of this article.

Why we should be concerned about the potential for cybercrime lies in New Zealand's vulnerability to it. The vulnerability exists at a time when we have a weak economy and the potential for harm is greater here than in wealthy nations such as the US and the UK.

As a nation we have been quick to adopt Internet technology and consistently rank in the top 10 countries in the world for Internet uptake and use. Our claim of being the home of rugby is less certain than our claim to being the top Oceania geeks.

Along with our Oceanic geekdom, our police are noticing significant growth in computer-related crime.

It is no surprise that the police attribute the growth in computer crime to the massive growth in Internet access. It is, after all, the primary driver of our upskilling to use PCs.

Criticism of sensational media coverage is not to say that our government is not getting on with providing us with some cybercrime legislation.

In due course the Crimes Amendment (No 6) Bill, which is before Parliament, will introduce four new crimes in the new Sections 305ZE and 305ZF:

In Section 305ZE (1) - accessing a computer system without authority and obtaining (effectively) anything from that system or causing loss.

In Section 305ZE (2) - accessing a computer system without authority with the intent of obtaining (effectively) anything from that system or causing loss. The difference between this subsection and subsection (1) is that the criminal does not get anything or cause damage. But the addition of the requirement of the element of intent to take or cause harm rules out straight vanity hacks. This omission is of concern as we explain below.

In Section 305ZF (1) - without authority, interfering with data or software stored in a computer system with the intent to cause serious damage.

In Section 305ZF (2) - recklessly, without authority and knowing that serious damage is likely to result, interfering with data or software stored in a computer system, causing damage.

The Ministry of Justice has adopted an extended definition of "computer system" that includes parts of networks.

The Crimes Amendment (No 6) Bill was expected back from the Law and Order Select Committee at the end of August but it has been delayed until September 30.

The four cybercrimes in Section 305 do not, however, address many other destructive activities such as unauthorised entry (hacking) without intent to cause damage, mail bombing, identity theft or assumption, denial of service attacks (DOS), cyber home invasion and criminal defamation on the Web.

Other countries have recognised this and have in many cases long had coverage of many other forms of cybercrime (see Cybercrimes Comparison page 17).

Cybercrime need

Turning destructive activity into activity that is criminally sanctioned is not done lightly. There has to be more than negligent damage, as occurs with car accidents on public streets. There has to be either a wrong that threatens our society or harm to individuals that society cannot tolerate.

The interconnected world promises our society much. E-shopping, e-business, e-everything - there are many examples of activities which have had their economic impact either accelerated or made possible by the Web.

The physical capability of the Internet is an essential and critical element in this system. However, at stake is not just Internet infrastructure but, and just as important, the confidence and trust of users.

The Internet poses a new problem for the law. Traditionally, crime has been built primarily on regulating people at a physical level within state borders.

Often crimes have been treated within the borders of states in very different ways. In particular the burden or elements to be proved and the punishments vary widely. This difference between countries has largely not mattered. Killing is killing. Stealing is stealing.

The message we learn is that wherever we go in the world there are activities that each state regards as crimes. People understand that you need, when travelling, to be very careful not to end up being thrown in jail.

So it is with travelling on the Internet. However, the New Zealander sitting in Wanganui and committing a crime in Boston may not have any understanding that travelling in cyberspace may expose you to committing crimes in other countries just as if you physically travelled to that country.

The reverse will also apply. Cyber criminals will realise we have no or few cybercrime laws and use New Zealand computers to launch and hide their crimes.

This is the point. Cybercrime knows no borders and cannot be contained within borders. Maintaining confidence in the integrity of the Internet is, however, the real challenge to all governments.

Our Ministry of Justice recognised that to an extent by the definition, in Section 305, of computer system that includes networks. Targeting unauthorised access and damage was a start but it does not address this real problem of the interconnected world.

Net-dependent

Trillions of investment capital is being invested worldwide in the new economy on the basis that the Web will be the backbone.

Bloomberg has recently been hit with extortion attempts by cyber terrorists based in Kazakhstan. Those criminals could just as easily have launched their attack from New Zealand.

Virus attacks have put lives at stake. At a May Ministry of Justice workshop, "Options for Combating Computer and High Technology Crime", a case study on the consequences of a virus attack illustrated how this can so easily happen. What happened endangered the lives of many in the US Eastern seaboard airspace. In the US private planes often land at night at unattended airports. Air traffic control remotely switches on the lights on the runway to enable such landings by transmitting a signal across the Internet. When the Melissa virus struck, the system engineers cut the circuits to the Internet. This disabled the switching on of landing lights. Light planes, some with pilots not trained at landing at major airports, had to be routed to those airports. The fact there was no disaster was described as a miracle.

That the opportunity exists for cyber criminals to inflict massive harm to the world financial markets, to essential infrastructure such as transport, power or hospital systems, is not really a surprise. What is, is that we are prepared to see this treated in sensational ways by the press and yet there is little political will to make sure that travellers know that New Zealand is a zero tolerance cybercrime society.

The difficulty with computer-based crime is that crime detection and crime prevention inevitably involve thorny questions of potential invasion of people's privacy and civil rights. In the UK, MI5 has proposed taking a copy of all emails so it can keep an eye on the boardrooms and living rooms of the nation. This proposal has naturally created a storm of protest.

However, the Internet must have order. While the Internet was created as a defence mechanism in the event of nuclear attack, its vulnerabilities are part of its design. Cybercriminals understand that.

Leave liberty

Rather than focusing on proposals to interfere with our liberty on a gross scale, Parliament needs to focus on:

• determining what conduct is criminal in nature and deserving of sanction;

• establishing those crimes with effective sanctions;

• educating us on those crimes and policing those crimes.

The new Section 305 crimes are required. However those crimes do not cover the most frequently used methods of causing harm to networks through the Internet. Those methods include:

• virus attacks;

• DDOS attacks;

• mail bombing;

• reputational attacks generating hate against individuals and groups within society;

• cyber invasion (through "passive" hacks) - why should someone be able to use a program such as Back Orifice to take over your PC cam and peek into your living (or worse, kid's) room? Isn't this an absolutely clear case of electronic trespass that is totally repugnant to every decent citizen?;

• identity theft and assumption;

• trojan horse attacks;

• immune system attacks (getting a computer, router, firewall etc to react to repel an attack like an immune system would, ultimately causing failure in operation of that piece of equipment).

In each case the intent of the criminal is to cause loss of capacity, reputation or trust that affects either the individual or the network. Rather than proving intent, which we suggest will be impossible in many cases, we need to take a strict liability approach.

This approach at law is used in many areas such as traffic and drug offences. The law says if you have done the act then you are guilty. The laws could be moderated by providing statutory defences. For example, if you use someone else's identity you could be excused of the crime if you can establish that you had permission.

With viruses you could be excused if you can prove that you were creating the virus for research purposes and that you took adequate care to ensure that the virus was not released.

These network-related (not network-based) crimes should be in a separate statute so as to make it clear that this is a new and separate development in our law.

The statute should have extraterritorial effect. The statute should also enable judges to sentence in the absence of the defendant with a range of more appropriate sentences. Criminals from overseas could be sentenced, in absentia, to a lifetime ban from New Zealand and a lifetime attachment order on any property that is in New Zealand or comes into New Zealand. Criminals within New Zealand could, as happened in the famous Mitnick case in the US, be banned from using computers.

As the citizens of New York found, if you let the streets become a lawless place, it takes severe measures to restore lawful behaviour. Zero tolerance to cybercrime from the outset will, in Techlaw's view, pay handsome dividends.

Craig Horrocks is the managing partner and David Compton is a solicitor in Clendon Feeney's technology law team. This article, together with further background comments and links to other Web sites, can be downloaded from www.clendons.co.nz. Send email to craigeh@clendons.co.nz.
