Sri Lankan perspective in meeting the Cyber crime challenge

by Lal Dias Chief Operating Officer, Sri Lanka CERT

Role of Cyber systems in Sri Lanka

e-Sri Lanka Development Initiative

Multi-faceted program Objectives

Bridge digital divide Improve delivery of public services Increase competitiveness of private sector Accelerate social development Poverty reduction

e-Sri Lanka Development Initiative

Major Programs of e-Sri Lanka

ICT Policy, Leadership & Institutional Development Information Infrastructure Re-engineering government ICT Human Resources Capacity Building ICT Investment & Private sector Development E-Society

ICT Agency of Sri Lanka established to spearhead the e-Sri Lanka Development Initiative

e-Sri Lanka Development Initiative

ICT Policy, Leadership & Institutional Development Program e-Laws Project Electronic Transactions Act No. 19 Sri Lanka Computer Crimes Act No. 24 e-Leadership Development Project

Information Infrastructure Sri Lanka CERT Project

e-Sri Lanka Projects

e-Laws Project Electronic Transactions Act No. 19

Law to enable validation of e-Commerce, eSignature and e-Contracting

Sri Lanka Computer Crimes Act No. 24

Identification, Investigation and Enforcement of computer crimes

e-Sri Lanka Projects

e-Leadership Development Project

Develop a pool of champions to enforce security policies, monitor fraudulent activities and promote best practices

Sri Lanka CERT Project

National CERT mandated to protect Sri Lankas ICT infrastructure from attacks, be the single, trusted source for information on cyber crime techniques and coordinate efforts to handle Cyber crime incidents

Conflict of Systems

e-Sri Lanka introduces new challenges in fighting cyber crime:

New (due to e-Sri Lanka) Traditional

SLCERT Forensics Team SLCERT Incident Handling

Computer Crimes Act E-Transactions Act New reporting mechanisms

Police Investigation Team

-CID -NIB

Existing Penal Code Traditional Reporting

mechanisms

Cyber crime in Sri Lanka: 2007

12% 0% 12% 12%

41% 23%

Hacking Publishing Information without consent (Sexual Harrassment) Impersonation Hacking Addresses & Attempted cheats Pornography Violation of Intellectual Property Act Cheating

Cyber crime in Sri Lanka

Prosecution of Cyber crime cases

Total Cases: 17
24 76
2007

0
0

Total Cases: 9
22 78
2006

0 0

Total Cases: 4
25 75
2005

0 0

20

40 Successful

60 Dismissed Pending

80 Uninvestigated

100

120

Computer Crimes Act

Timeline

1995: Work started by CINTEC Law Committee 1997: Working paper on Computer crime Act submitted Decision to be made: Develop provisions for prosecution of cyber crimes under existing penal code OR develop a Subject specific law? 2000: decision to develop Subject specific legislation 2005: Bill finalized and presented in Parliament 2006: Further review by Parliamentary committee 2007: Passing of bill in parliament

Computer Crime Act currently not enforced fully

Computer Crimes Act

Features

Provides clear structure for conducting of investigations and jurisdictions Provides distinct cyber crime categories and the corresponding parameters under which a case may be prosecuted, including maximum or minimum applicable penalties Use of Generic terms, so that even if technology changes, the nature of the crime will remain the same (example: phishing, vishing & phaxing) Provision of Cross Extradition arrangement with Council of Europe signatories. Increased ability to prosecute cases beyond Sri Lankas borders Clear statement of Resources that would be brought to bear on the case, including, among others, experts.

Computer Crimes Act

Cyber crime Categories

Computer-related offenses
Computers used as tools for criminal activity (Theft, fraud)

Hacking
Activities which affect CIA of computer system or network (includes viruses and other malware)

Content related offenses

Computers with Internet access used to distribute illegal data (copyright infringement, pornography)

Computer Crimes Act

Parameters

Unauthorized Access Unauthorized Access in order to commit an offence Causing a computer to perform functions without lawful authority Offenses committed against national security Dealing with unlawfully obtained data Illegal interception of data Use of an illegal device Unauthorized disclosure of information

Computer Crimes Act: Penalties

Parameter Unauthorized Access Unauthorized Access to commit offense Function without Lawful authority Offenses Against National Security Jail Term (Years) 5 5 5 5 0.5 3 100K Fine (Rupees) 100K 200K 300K 300K Or Both?

Unlawfully obtained data

Illegal interception Use of illegal devices Unauthorized disclosure

0.5 3
0.5 3 0.5 3

100K 300K
100K 100K 300K 300K

CHALLENGES Identification of Cyber Crimes

Limited reporting of crime

Lack of trust in reporting methods No guarantee of confidentiality

Verifying reports/Authenticity of Reports

Genuine report or prank?

Due diligence

Reporting of crimes found at workplace. Professional obligation vs. Personal inconvenience

CHALLENGES Investigation of Cyber Crimes

Gathering of evidence

Maintaining admissibility of evidence

Lack of proper structure for cooperation between investigating organizations Poor system for maintenance of chain of custody

Weight of Digital evidence in court

Lack of understanding of importance of digital evidence Lack of Legal professionals conversant with CCA

Jurisdiction

NIB, CID, other organizations (SLCERT, TechCERT, etc)

CHALLENGES Enforcement of Cyber Laws

Tendency to prosecute under existing penal code; more lenient penalties (Case studies)
Lack of IT Savvy lawyers

Lack of ICT Knowledge of judges, making obtaining warrants more time consuming
Lack of provisions for prosecuting Cross border crime, such as cross-extradition arrangements, cooperative investigation of cases, etc

Case study 1:

A Foreign National published false information regarding the sale of DVD players online
Online payments credited to Standard Chartered Bank Account Funds withdrawn by offender who left country DVD Players not delivered

Suspect arrested upon return to Sri Lanka, fined and deported

Problem: Waiting for suspect to return to Sri Lanka. Lack of extradition arrangements.

Case study 2:

Superimposing nude images on a picture of a Buddha Statue (causing offense)

Investigated by CID Cyber Crimes Unit NGO employee arrested Convicted and sentenced to 3 Years imprisonment, suspended for 3 years Problem: Leniency in sentence and enforcement of sentence. Much stronger penalties allowed for under CCA

Future plans for cyber crime fighting

Build a defined structure and working relationship between organizations concerned with cyber crime
AGs Department Police Force NIB CID Cyber crime Reporting Centres Sri Lanka CERT International Police Community International CERT Community International Judicial Community Inter-Governmental Relationships

Future Plans

Identification

Building and maintenance of Cyber Crime Reporting Centres

Additional secured reporting channels (E-mail, Web)

Protection of Confidentiality through Information Security Measures Raises trust Expected Outcome: Reporting of more cases

Future Plans

Investigation

Develop a Digital Forensics Lab, Larger Forensics team to handle increase in cases

Develop clear Chain of Custody procedures

Build contacts with Foreign Police forces to increase skills available in investigating complex, cross-border cases and forensics knowledge Expected Outcome: Increased number of successfully prosecuted cases

Future Plans

Prosecution

Run Awareness Programs for the local judiciary to raise awareness of Computer crimes (attack techniques, potential damage, etc) and the provisions of the Computer Crimes Act (CCA) Build a pool of IT Savvy Legal professionals able to prosecute cases under the CCA

Increase number of countries with which Sri Lanka has Extradition Treaties through Government intervention
Expected Outcome: Increased number of successfully prosecuted
cases

THANK YOU