Sri Lankan perspective in meeting the Cyber crime challenge by Lal Dias Chief Operating Officer, Sri Lanka CERT

Role of Cyber systems in Sri Lanka e-Sri Lanka Development Initiative Multi-faceted program Objectives Bridge digital divide Improve delivery of public services Increase competitiveness of private sector Accelerate social development Poverty reduction

e-Sri Lanka Development Initiative Major Programs of e-Sri Lanka ICT Policy, Leadership & Institutional Development Information Infrastructure Re-engineering government ICT Human Resources Capacity Building ICT Investment & Private sector Development E-Society ICT Agency of Sri Lanka established to spearhead the e-Sri Lanka Development Initiative

e-Sri Lanka Development Initiative ICT Policy, Leadership & Institutional Development Program e-Laws Project Electronic Transactions Act No. 19 Sri Lanka Computer Crimes Act No. 24 e-Leadership Development Project Information Infrastructure Sri Lanka CERT Project

e-Sri Lanka Projects e-Laws Project Electronic Transactions Act No. 19 Law to enable validation of e-Commerce, e-Signature and e-Contracting Sri Lanka Computer Crimes Act No. 24 Identification, Investigation and Enforcement of computer crimes

e-Sri Lanka Projects e-Leadership Development Project Develop a pool of champions to enforce security policies, monitor fraudulent activities and promote best practices Sri Lanka CERT Project National CERT mandated to protect Sri Lanka’s ICT infrastructure from attacks, be the single, trusted source for information on cyber crime techniques and coordinate efforts to handle Cyber crime incidents

Conflict of Systems e-Sri Lanka introduces new challenges in fighting cyber crime: New (due to e-Sri Lanka) Traditional SLCERT Forensics Team SLCERT Incident Handling Computer Crimes Act E-Transactions Act New reporting mechanisms Police Investigation Team CID NIB Existing Penal Code Traditional Reporting mechanisms

Cyber crime in Sri Lanka: 2007

Cyber crime in Sri Lanka Prosecution of Cyber crime cases Total Cases: 17 Total Cases: 9 Total Cases: 4

Computer Crimes Act Timeline 1995: Work started by CINTEC Law Committee 1997: Working paper on Computer crime Act submitted Decision to be made: Develop provisions for prosecution of cyber crimes under existing penal code OR develop a Subject specific law? 2000: decision to develop Subject specific legislation 2005: Bill finalized and presented in Parliament 2006: Further review by Parliamentary committee 2007: Passing of bill in parliament Computer Crime Act currently not enforced fully

Computer Crimes Act Features Provides clear structure for conducting of investigations and jurisdictions Provides distinct cyber crime categories and the corresponding parameters under which a case may be prosecuted, including maximum or minimum applicable penalties Use of Generic terms, so that even if technology changes, the nature of the crime will remain the same (example: phishing, vishing & phaxing) Provision of Cross Extradition arrangement with Council of Europe signatories. Increased ability to prosecute cases beyond Sri Lanka’s borders Clear statement of Resources that would be brought to bear on the case, including, among others, “experts”.

Computer Crimes Act Cyber crime Categories Computer-related offenses Computers used as tools for criminal activity (Theft, fraud) Hacking Activities which affect CIA of computer system or network (includes viruses and other malware) Content related offenses Computers with Internet access used to distribute illegal data (copyright infringement, pornography)

Computer Crimes Act Parameters Unauthorized Access Unauthorized Access in order to commit an offence Causing a computer to perform functions without lawful authority Offenses committed against national security Dealing with unlawfully obtained data Illegal interception of data Use of an illegal device Unauthorized disclosure of information

Computer Crimes Act: Penalties Parameter Jail Term (Years) Fine (Rupees) Or Both? Unauthorized Access ≤5 ≤100K  Unauthorized Access to commit offense ≤200K Function without Lawful authority ≤300K Offenses Against National Security - × Unlawfully obtained data 0.5≤ ≤3 100K≤ ≤300K Illegal interception Use of illegal devices Unauthorized disclosure

Identification of Cyber Crimes CHALLENGES Identification of Cyber Crimes Limited reporting of crime Lack of trust in reporting methods No guarantee of confidentiality Verifying reports/Authenticity of Reports Genuine report or prank? Due diligence Reporting of crimes found at workplace. Professional obligation vs. Personal inconvenience

Investigation of Cyber Crimes CHALLENGES Investigation of Cyber Crimes Gathering of evidence Maintaining admissibility of evidence Lack of proper structure for cooperation between investigating organizations Poor system for maintenance of chain of custody Weight of Digital evidence in court Lack of understanding of importance of digital evidence Lack of Legal professionals conversant with CCA Jurisdiction NIB, CID, other organizations (SLCERT, TechCERT, etc)

Enforcement of Cyber Laws CHALLENGES Enforcement of Cyber Laws Tendency to prosecute under existing penal code; more lenient penalties (Case studies) Lack of IT Savvy lawyers Lack of ICT Knowledge of judges, making obtaining warrants more time consuming Lack of provisions for prosecuting Cross border crime, such as cross-extradition arrangements, cooperative investigation of cases, etc

Case study 1: A Foreign National published false information regarding the sale of DVD players online Online payments credited to Standard Chartered Bank Account Funds withdrawn by offender who left country DVD Players not delivered Suspect arrested upon return to Sri Lanka, fined and deported Problem: Waiting for suspect to return to Sri Lanka. Lack of extradition arrangements.

Case study 2: Superimposing nude images on a picture of a Buddha Statue (causing offense) Investigated by CID Cyber Crimes Unit NGO employee arrested Convicted and sentenced to 3 Years imprisonment, suspended for 3 years Problem: Leniency in sentence and enforcement of sentence. Much stronger penalties allowed for under CCA

Future plans for cyber crime fighting Build a defined structure and working relationship between organizations concerned with cyber crime International Judicial Community AG’s Department Inter-Governmental Relationships Police Force NIB CID International Police Community Sri Lanka CERT International CERT Community Cyber crime Reporting Centres

Future Plans Identification Building and maintenance of Cyber Crime Reporting Centres Additional “secured” reporting channels (E-mail, Web) Protection of Confidentiality through Information Security Measures Raises trust Expected Outcome: Reporting of more cases

Future Plans Investigation Develop a Digital Forensics Lab, Larger Forensics team to handle increase in cases Develop clear Chain of Custody procedures Build contacts with Foreign Police forces to increase skills available in investigating complex, cross-border cases and forensics knowledge Expected Outcome: Increased number of successfully prosecuted cases

Future Plans Prosecution Run Awareness Programs for the local judiciary to raise awareness of Computer crimes (attack techniques, potential damage, etc) and the provisions of the Computer Crimes Act (CCA) Build a pool of IT Savvy Legal professionals able to prosecute cases under the CCA Increase number of countries with which Sri Lanka has Extradition Treaties through Government intervention Expected Outcome: Increased number of successfully prosecuted cases

THANK YOU