End of Module Essay Legal Aspects of Information Security

  • 8/8/2019 End of Module Essay Legal Aspects of Information Security

    1/22

    To what extent are the current provisions of criminal law adequate as a

    response to the apparent proliferation of computer viruses? Should greater

    obligations be placed upon software developers and computer users to

    develop and maintain adequate security against the risk of such

    infections?

    TABLE OF CONTENTS

    Introduction

    What is a Computer Virus?

    The Criminal Law relating to Computer Viruses

    The Computer Misuse Act 1990

    The Malaysian Computer Crimes Act 1997

    The Cyber Crime Convention 2001

    Conclusions

    Introduction

    The Utopian ideal that cyberspace is the realm of perfect freedom, anarchy without

    chaos, where government and the law need not intrude, is no longer sustainable

    because the digital era has brought with it a new generation of criminals; young and

    intelligent technological experts, whose knowledge of computer code and technology is

    great; in many cases exceeding the knowledge of law enforcement agencies that bear

    the task of entrapping them.

    Criminalising unauthorised access to computers and computer held information has

    been in the realm of social and legal consciousness since the late 1980's, though the

    increasing degree of interest and disquiet relating to the implications of the misuse of

    computerisation, which plays an ever budding role in public, commercial and private life,

    has become most apparent in recent years, as information infrastructure has

    progressively come under attack by cyber criminals and the number, cost and

    sophistication of attacks have continued to increase at alarming rates, threatening the

    substantial and growing reliance of businesses, governments, and the community on

    computer technology.

    In light of the vast and growing costs of computer virus related crime, which sprawls

    upward as more businesses link to the internet, thus accelerating the rate at which the

    contagion can spread, law makers have begun to tackle the challenge by adopting laws

    that make dodgy cyber activities criminal, demonstrating that a determined response to

    the proliferation of computer viruses is not a matter of choice but a question of survival.

    Given the advantages of digital crime over its analog counterparts and the growing

    number of computer literate thieves, it is indubitably in the interests of law makers to do

    as much as possible to establish and strengthen legislation to combat computer virus

    related crime while there still remains an opportunity of catching up with these criminals.

    This paper will examine criminal law relating to computer viruses in the United Kingdom

    at length and both Malaysia and the European Union in brief, showing how legislatures

    have responded to the threat of computer virus related crime by either enacting specific

    legislation or amending existing criminal legislation. In so doing, this paper shall

    determine whether the existing criminal legislation is adequate in response to the

    apparent proliferation of computer viruses, and whether the obligation should be placed

    upon software developers and computer users to develop and maintain adequate

    security against the risks of computer viruses.

    What is a Computer Virus?

    The term computer virus was defined by computer expert Dr. Fred Cohen in 1987 as: -

    "A program that can infect other programs by modifying them to include a

    possibly evolved copy of itself. The key property of a virus is its ability to infect

    other programs. Every program that gets infected may also act as a virus and

    thus, infection grows. With the infection property, a virus can spread throughout

    a computer system or network."1

    From Dr. Cohen's definition, it is apparent that computer viruses are some form of

    malicious computer instructions that when inserted into a computer program or a

    computer's operating system, replicate many times during the program execution,

    infecting every program on a computer disk, and when the infected programmes are run,

    the viral code is executed and the virus spreads further. 2 Its ability to create a copy of

    itself and attach the copy to other programs or system files in the computer bears a

    likeness to the behaviour of a biological virus. Therefore, legislators must bear in mind

    the fact that like biological viruses, computer viruses are hard to preclude and even more

    exigent to cure.

    In the present day, viruses are intentionally released into systems and then transmitted

    within and between systems by various means, and while once seen as pranks or the

    products of misdirected creativity, now comprise business pathogens with destructive

    powers; like letter bombs of the computer ages.3

    For example, in a widely reported incident, Simon Vallor, a computer hacker based in

    Wales, admitted to releasing a virus which spread to forty two (42) countries and

    1 Cohen "Computer Viruses: Theory and Experiments" Computers & Security, February 1987 at pp 23-23

    2 Eugene H. Spafford "Computer Viruses as Artificial Life", Journal of Artificial Life, MIT Press, 1994

    3 "Letter Bomb of the Computer Age" New York Times, 5 November 1988, p.16

    affected an estimated two thousand seven hundred (27000) terminals, causing millions

    of dollars of damage to numerous businesses. It is reported that he claimed his

    motivation was to see whether he could do it and if the virus would eventually spread

    back to him,4 which at first glance seems like a rather naive objective, however, when

    one takes the amount of damage caused by Vallor's virus into account, the harsh reality

    of the act can be seen as deserving of punishment, not only to deter other like-minded

    individuals from doing the same, but to teach the perpetrators of such crimes that the

    law will not sit by and watch as the benefits of the computer age are overshadowed by

    criminal elements.

    The Criminal Law relating to Computer Viruses

    When it comes to crime, existing laws are often inadequate for dealing with new

    economy threats such as virus spreading. Our criminal laws are designed to punish bank

    robbers and murderers, not those who deface web sites or bring down a company's

    internal e-mail system. But these high tech crimes, while not necessarily deadly, are

    surely deserving of punishment in much the same way as good old-fashioned crime.5

    It is vital that numerous aspects of the entire criminal process in relation to computer

    related crime are looked at in this paper, in order to enable me to determine the adequacy

    of the existing criminal laws. For example: -

    Concealment and manipulation of computer held information

    The criminal process in regard to computer held information is complex and

    investigating computer held information is difficult, because computer held

    information is intangible and therefore prone to easy manipulation and corruption.

    This is coupled with the fact that information can be stored in computer systems

    spread over many locations, both national and foreign. The information may not

    be easily accessible to law enforcement agencies, who may enter upon premises

    and obtain evidence from a computer therein, but fail to link or trace the evidence

    to any other related material concealed in other computers, but related to the

    4 The Job, volume 35 Issue 895 January 10 2003, posted at www.met.police.uk

    5 Doug Isenberg "The Case for Criminal Hacking and Antivirus Laws" posted at www.gigalaw.com

    same crime. Therefore, law enforcement agencies must be equipped through

    criminal legislation, with the mandate to access computers spread in different

    locations, intercept and/or monitor data during transmission and obtain the

    co-operation of all suspects and/or third parties linked to the case being

    investigated. And the investigation of computer viruses needs to be a regulated

    activity with failure to apply for regulation being a criminal offence.

    Difficulty in identifying and tracing the perpetrator of the crime

    Another intricate area for the criminal law to deal with is finding the perpetrator of

    the crime (i.e.) the person who created the virus. You'll always have a criminal

    case if you can find the person who created the virus, because creating a virus is

    a malicious act, however, it is often very difficult to identify the origin of a virus as

    it may be transmitted to a number of hosts simultaneously, therefore making it

    even harder to trace the virus writer.6

    Following on from above, if the criminal legislation embodied in this paper fails to provide

    legal provisions encompassing the above named obstacles and complexities, then this

    would seem to suggest that the criminal law is not adequate enough to deal with the

    proliferation of computer viruses.

    Another lingering task for criminal legislation to deal with is the question "is creating a

    virus a crime even if you don't intend to spread it?"7 I believe that virus writing is an evil

    that cannot be justified in any circumstances. For that reason, prosecution of virus

    writers is something which should be legally provided for and accepted as appropriate

    action. Virus writing needs to be recognised as a criminal act. And like murderers and

    terrorists, virus writers should not be allowed to get away with it.8

    6 Natasha Jarvie "Control of Cyber crime - Is an end to Our Privacy on the Internet a Price worth Paying? Part 1" COMPTLR 2003, 9(3), 76-81

    7 Doug Isenberg "The Case for Criminal Hacking and Antivirus Laws" posted at www.gigalaw.com.

    8 Kelman A (1997) "The Regulation of Virus Research and the prosecution for unlawful research?" Commentary, 1997 (3) the Journal of Information, Law and Technology (JILT), http://elj.Warwick.ac.uk/jilt/compcrim/97-3elm

    Computer Viruses and what constitutes the crime

    According to Mathias Klang,9 the elements of the crime relating to the creation and

    dissemination of computer viruses include the following: -

    The writing of the code which he equates to the preparation to commit a

    crime;

    The unauthorised access which occurs when the virus enters into a new

    computer without the authority of the legitimate user;

    The unauthorised modification which could be the infection of a file, boot

    sector, or part;

    The loss of data, the effects of the virus that the data is no longer usable by

    the legitimate user;

    The endangerment of public safety due to the failure or reduction of efficiency

    of the computers;

    The making of the virus code available to others which can be seen as

    incitement, this includes making available viruses, virus code, information on

    virus creation and virus engines and

    Denial of service which may be the effects of the virus.

    It is important to remember that all criminal offences require the establishment of a guilty

    act (actus reus) and the requisite intent (mens rea) before guilt can be proved. In order

    to comprehend the sufficiency of contemporary criminal laws relating to viruses, I believe

    it is vital to look at criminal legislation in the United Kingdom, Malaysia and the European

    Union in light of the above named offences.

    The Computer Misuse Act of 1990

    The Computer Misuse Act of 1990 was enacted after numerous cases such as Cox v.

    Riley10 and R v. Gold11 proved that computer crime offences could not be prosecuted

    straightforwardly under the Criminal Damage Act of 1971 or the Forgery and

    9 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2

    10 (1986) Crim.L.R. 460

    11 (1988) 2 All E.R. 186, HL

    Counterfeiting Act. Therefore the new Act sought to address the legal lacunae relating to

    computer crime.

    Section 1 of the Computer Misuse Act creates a summary offence12 and covers

    unauthorised access to computer systems, including hacking. It therefore embodies the

    second element of the offence described by Mathias Klang as "unauthorised access

    which occurs when the virus enters into a new computer without the authority of the

    legitimate user".13

    Section 1 states as follows: -

    "A person is guilty of an offence if he causes any computer to perform any

    function with intent to secure access to any program or data held in any

    computer, if the access he intends to secure is unauthorised and he knows at the

    time when he causes the computer to perform the function that that is the case"

    Under Section 1, access is unauthorised where the suspect is not entitled to access of

    the kind in question, to the program or data and/or does not have consent (from any

    person who is so entitled), to access the kind of program and/or data. The offence is

    applicable whether one or more than one computer is used, with intent to gain access to

    another computer.14

    The intent in Section 1 does not have to be aimed at a particular program or particular

    data, as long as the suspect "causes a computer to perform a function". This excludes

    physical contact with a computer and the examination of data without any interaction

    with a computer,15 and ensures that the suspect does not have to be successful in

    achieving access to commit the offence. Section 1 therefore serves to bar access to a

    suspect even where the suspect has no evil intent or is merely snooping around, thus

    deterring those who contemplate releasing viruses into computer systems or committing

    other offences that could cost the owner of the system broken into, a considerable

    amount of money and/or time to repair.

    12 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk

    13 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2

    14 Attorney General's reference (No.1 of 1991) (1992) 3 W.L.R 432

    15 ibid

    The actus reus in Section 1 is the act of causing the computer to perform any function,

    while the mens rea would be the knowledge of the suspect that at the time of securing

    access he/she knew that the access secured or intended was unauthorised.

    By using the word "any" in Section 1(1)(a) the legislature has ensured that the

    unauthorised access does not need to relate to the computer that the suspect is

    breaking into at the time of accessing, and also ensures that the offence is not limited to

    inside hackers but also encompasses outsiders as well, making both the physical

    unauthorised access as well as the remote unauthorised access into any computer a

    crime.

    An offence committed under Section 1 carries a fine of two thousand (2000) pounds

    and/or up to six (6) months in jail and is triable by the Magistrates' Court.

    The Computer Misuse Act of 1990 does not define the words "computer", "program" or

    "data", which means that it is not restricted to our comprehension of these concepts

    today and will therefore have the advantage of the ability to govern computer misuse

    with the several changes in computer technology over the years.

    Section 2 deals with unauthorised access with intent to commit or facilitate the

    commission of a serious offence and therefore provides for the second and third elements

    of the crime according to Mathias Klang (i.e.) "unauthorised access which occurs when

    the virus enters into a new computer without the authority of the legitimate user"16 and

    "unauthorised modification."17

    Section 2 states as follows: -

    "A person is guilty of an offence under this section if he commits an offence

    under Section 1 with intent: -

    16 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2

    17 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2

    (a) to commit an offence to which this section applies; or

    (b) to facilitate the commission of such an offence (whether by himself or another

    person);

    and the offence he intends to commit or facilitate is referred to below in this

    section as the further offence"

    An offence committed under Section 2 of the Computer Misuse Act carries a maximum

    penalty of five (5) years imprisonment, and/or an unlimited fine and is triable by the

    Crown Court.

    Section 2 focuses on unauthorised access gained, with intent to commit a further

    offence. This indicates that, even where the perpetrator of the crime does not commit a

    further offence, he will be prosecuted for carrying out the activity with the intent to

    commit the further offence. The further offence must be one fixed by law or one for

    which the maximum sentence is not less than five (5) years.

    This offence applies to arrestable offences generally, these being offences punishable

    on first conviction, on indictment18. For an offence to be proved under this section, an

    offence under Section 1 must be committed. If the access is not unauthorised then the

    Section 2 offence cannot be committed. It is immaterial whether the further offence is to

    be committed at the time of the unauthorised access or on some future occasion. This

    allows for action to be taken against the suspect who sends a virus that will complete an

    offence some months beyond the initial unauthorised accessing of a computer.19

    However, it does not seem to envisage a situation where the suspect has authorised

    access to a computer and uses that authorised access to cause mayhem or release a

    virus into the system and/or network causing damage to other computers linked to the

    same network.

    Section 3 of the Computer Misuse Act provides for unauthorised modification and

    therefore embodies the third and fourth elements of the crime according to Mathias

    18 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk

    19 ibid

    Klang which are "unauthorised modification which could be the infection of a file, boot

    sector, or part"20 and "loss of data, the effects of the virus that the data is no longer

    usable by the legitimate user".21

    Section 3 of the Act states: -

    "A person is guilty of an offence if: -

    (a) he does any act which causes an unauthorised modification of the contents of

    any computer; and

    (b) at the time when he does the act he has the requisite intent and the requisite

    knowledge"

    For the purposes of this section the modification of the contents of a computer

    would: -

    (a) impair the operation of any computer;

    (b) prevent or hinder access to any program or data;

    (c) impair the operation of any program or the reliability of any such data.

    The requisite knowledge is knowledge that any modification intended is unauthorised,

    therefore the suspect has to have an intention to cause unauthorised modification which

    would mean that mere recklessness is not sufficient to justify a charge and/or conviction.

    The Section 3 offence will apply where any act is done which causes an unauthorised

    modification of the contents of a computer intending to impair the reliability of the data

    held in the computer. The concept of modification will encompass the addition of data, its

    alteration or deletion. Prosecution of Section 3 offences would therefore apply to

    20 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2

    21 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2

    persons releasing viruses onto a computer system. However, the effect of the

    modification must be to impair the operation of any computer; to prevent or hinder

    access to the program or data held in the computer; or to impair the operation of any

    such program or the reliability of any such data.

    It is possible that even where the virus causes only inconvenience, that amounts to

    impairment in operation in terms of Section 3 (a), or alternatively, that it hinders access

    to the program or data in terms of Section 3 (b). But the offence will only be supported

    where a person released a virus on to a system, which resulted in one or all of the

    consequences specified. Therefore where the releasing of the virus does not result in

    the consequences specified, the law needs to provide an open ended provision that

    allows for the punishment of not only the act of creating the virus but releasing it onto the

    system regardless of the damage caused or consequences of such.

    Section 3(3) makes it immaterial whether the intent is directed at a particular computer,

    program or data, or is of a particular kind or of any particular modification.

    An offence committed under Section 3 carries a maximum penalty of five (5) years

    imprisonment and/or an unlimited fine and is triable by the Crown Court.

    Jurisdiction

    In respect of the three offences envisaged above, under the Computer Misuse Act,

    courts in the United Kingdom have jurisdiction whether the computer misuse originates

    in the home country or is directed against a computer located within it. 22 For these

    purposes, Northern Ireland and Scotland are treated as separate home countries from

    England and Wales, so that these broader rules will apply to a hacker in England who

    gained unauthorised access to a computer in Scotland. Basically, the Act applies to the

    whole of the United Kingdom. Therefore a prosecution can be undertaken if the offence

    is committed in the United Kingdom, if either the victim or the suspect is in the United

    Kingdom or a significant link with the United Kingdom exists.

    22 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk

    Jurisdiction in computer misuse cases is however made subject to the principle of

    double criminality.23 Where the hacker is operating in England but the further offence

    envisaged by him on a charge under Section 2 of the Act takes place abroad, the

    English courts will only have jurisdiction where the contemplated conduct is a criminal

    offence in that country as well as in England.

    Extradition

    Offences under the Computer Misuse Act 1990 are extraditable, within the scope of the

    Extradition Act of 1989,24 which was passed prior to any computer misuse legislation

    being enforced in the United Kingdom. This is an important aspect of the enforcement of

    criminal law in response to the proliferation of computer viruses considering that the

    dissemination of computer viruses can be committed over the internet and considering

    that virus perpetrators have no respect for national borders. Consequently a crime can

    transcend national borders and is therefore not necessarily contained within the borders

    of a particular country.

    Investigation

    Any restrictions on the procedure of search and seizure and/or investigation of computer

    evidence envisaged by criminal legislation in the United Kingdom will definitely hinder

    the investigation process of computer virus related crime since data and programs can

    be easily removed and destroyed without leaving traces and the law enforcement

    agencies and/or police might not be able to access certain relevant material. Therefore a

    brief look at these provisions is vital in my attempt to determine the adequacy of the

    criminal law in response to the proliferation of computer viruses.

    Section 14 of the Computer Misuse Act confers powers on the circuit judge to issue a

    search warrant where there are reasonable grounds for believing that a basic hacking

    offence has been or is about to be committed on the premises in question.

    23 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk

    24 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk

    Investigative powers for Sections 2 and 3 of the Act which are punishable on indictment,

    come under the Police and Criminal Evidence Act of 198425 which provides for the

    issuance of a search warrant by a justice of the peace, who is satisfied that an arrestable

    offence has been committed and relevant evidence shall be found on the premises in

    question. All relevant evidence found can be seized in accordance with Section 19 to

    prevent concealment or alteration at a later date.

    Evidence

    Computer generated evidence is accepted by the courts in the United Kingdom under

    Section 69 of the Police and Criminal Evidence Act 1984. However, in cases involving

    computer viruses, evidence is usually hard to procure, yet in order to secure a

    conviction, the prosecution must ensure that its case is water tight by equipping itself

    with enough evidence to support its case. This won't be possible where for example the

    defence insists on proof that the computer was working properly as seen in the case of

    Shepard,26 which might be difficult to prove in cases where the hackers have damaged

    the hard disks by deleting files or introducing viruses with such effect that even getting a

    print out is impossible.27 Evidential difficulties are compounded by the fact that in most

    cases the viruses destroy themselves as well as damaging the computer, leaving little or

    no evidence behind.

    Case Law

    The first case in which a computer virus writer was prosecuted in England was the

    Pile case in 1995.28 Pile created two vicious viruses named Pathogen and

    Queeg. Prominent British companies were affected by the virus though the total damage

    caused was unquantifiable (e.g.) Microprose estimated its losses to be up to 500,000

    (Five hundred thousand) pounds and used more than four hundred and eighty (480) staff

    hours checking more than a million files. Pile spread his viruses all around the world

    through computer bulletin boards and in most cases hid them in computer games.

    Christopher Pile was sentenced to eighteen (18) months under Section 3 of the

    25Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk

    261993 Crim LR 295

    27Turner, M (1994) "R v Vastal Patel - The Computer Misuse Act 1990 s.3(1)" , 57 Journal of Computers & Law 4

    28Uhlig R (1995) "Black Baron, computer virus writer jailed for 18 months" The Electronic Telegraph 16 November,

    available at http://www.telegraph.co.uk

    14

  • 8/8/2019 End of Module Essay Legal Aspects of Information Security

    15/22

    To what extent are the current provisions of criminal law adequate as a response to the apparent proliferation ofcomputer viruses? Should greater obligations be placed upon software developers and computer users todevelop and maintain adequate security against the risk of such infections?

    Computer Misuse Act 1990 for gaining unauthorised access to computers, making

    unauthorised modification and inciting others to spread the viruses he had written. This

    clearly shows that the Computer Misuse Act has gone some way in providing protection

    to the victims of computer virus related crime.

    Adequacy of the Law

    The Computer Misuse Act 1990 goes a substantial way towards providing a valuable answer to some incidents of computer virus related crime, but only in cases where the viruses are detected and if those responsible can be identified and prosecuted under the jurisdiction of the law, which is restricted to the United Kingdom.

    It addresses the major loopholes in previous laws, under which the act of obtaining unauthorised access to data in the absence of further aggravating conduct did not constitute a criminal offence. By creating new offences, i.e. the unauthorised access offence[29] and the ulterior intent offence,[30] it has enabled the prosecution of a proliferation of new criminality, and so has taken a step towards the protection of victims.

    Despite the above, the Computer Misuse Act has been criticised on the following grounds:

    - It is an insufficient deterrent, with few successful prosecutions and lenient sentencing,[31] due mainly to the difficulties of meeting the requirement to prove intent on the offender's part and the inability of the police force to understand and deal with cyber crime.[32]

    - The Act is based on the concept of unauthorised access, which is increasingly hard to prove in a networked world, and does not cover new forms of computer crime such as denial of service attacks.[33]

    - It lacks the framework for international co-operation in investigating and prosecuting e-crime, and there may be jurisdictional problems with pursuing a cyber criminal who hacks into systems from another country, as is often the case.[34]

    [29] Computer Misuse Act, s.1

    [30] Computer Misuse Act, s.2

    [31] Figures from the Home Office show only thirty-three prosecutions for offences under the Computer Misuse Act in 1999 and 2000, the latest years for which figures are available. And although Section 1 does not require intent, the penalties for the commission of the offence under Section 1 are insufficient.

    [32] EURIM briefing No.34, April 2002

    [33] Claire Coleman "Cyberspace security; Securing Cyberspace - new laws and developing strategies" Information Security Technical Report, Vol. 5, Issue 2, 1 June 2000, Pgs 51 - 59

    In addition, it is evident from my discussion of the Computer Misuse Act above that it does not provide for the punishment of the virus writer, or for the fifth element of the crime as described by Mathias Klang, i.e. "endangerment of public safety due to the failure or reduction of efficiency of the computers." It can therefore be argued that the Computer Misuse Act may act as a deterrent tool but is not fully adequate in response to the proliferation of computer viruses.

    The Malaysian Computer Crimes Act 1997

    Like the Computer Misuse Act 1990 of the United Kingdom, the Computer Crimes Act 1997 creates categories of offences relating to computer crime. It creates two categories of offences relating to unauthorised access to computer material,[35] which includes access in excess of authority, and the unauthorised modification of the contents of any computer.[36] It criminalises behaviour performed on a computer which is not criminal if performed in the absence of a computer, by making all forms of unauthorised access an offence without exception. It therefore goes further than the United Kingdom Act in guarding against the proliferation of computer viruses.

    [34] ibid

    [35] Section 3 (1) A person shall be guilty of an offence if: -
        (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
        (b) the access he intends to secure is unauthorised; and
        (c) he knows at the time when he causes the computer to perform the function that that is the case.
    (2) The intent a person has to have to commit an offence under this section need not be directed at: -
        (a) any particular program or data;
        (b) a program or data of any particular kind; or
        (c) a program or data held in any particular computer.

    [36] Section 5 (1) A person shall be guilty of an offence if he does any act which he knows will cause unauthorised modification of the contents of any computer.
    (2) For the purposes of this section, it is immaterial that the act in question is not directed at: -
        (a) any particular program or data;
        (b) a program or data of any particular kind; or
        (c) a program or data held in any particular computer.
    (3) For the purposes of this section, it is immaterial whether the unauthorised modification is, or is intended to be, permanent or merely temporary.


    Investigation

    Part III of the Act gives a Magistrate who thinks (upon reasonable grounds) that an offence is being or has been committed under the Act the mandate to empower a police officer of the rank of Inspector or more senior to have access to the premises where it is believed to be occurring, to have the said premises searched,[37] to access programs and data on a computer, and to inspect the operation of a computer or associated apparatus suspected to have been used in connection with the commission of the offence.[38] On carrying out the search, the said Inspector has the mandate to seize and detain any evidence found at the premises that could help build a case against the suspect.

    The above named provisions go a long way in aiding the criminal law to procure substantial evidence against the perpetrators of computer virus related crimes. They also appear to give law enforcement agencies extensive powers which could encompass access to information that may be unconnected with the case in question, i.e. belonging to or rather operated by third parties, thus enabling law enforcers to obtain a warrant for the search of one computer and use it to search other computer networks.

    The Act allows a police officer, without a warrant, to enter, search, seize and require the co-operation of the suspect as if a warrant had been issued, in cases where the time lost in obtaining a warrant is likely to hinder the investigative process.[39] It is therefore evident that the Malaysian Act goes a step further than the Computer Misuse Act of the United Kingdom to ensure that its law enforcement agencies are well equipped with the arm and backing of the law, so as not to hinder the vital process of search, investigation and seizure in computer virus related cases.

    By virtue of Section 10 (1) (b), any suspect and/or person in charge of or concerned with the operation of the computer in question is required to co-operate with the police officer. Failure to comply, or obstruction, may cause the suspect or person to be prosecuted under Section 11, leading to a fine of not more than 25000 ringgit and/or a maximum of three (3) years imprisonment.

    [37] S. 10 (1) Malaysian Computer Crimes Act 1997

    [38] S. 10 (1) (a) Malaysian Computer Crimes Act 1997

    [39] S. 10 (2) Malaysian Computer Crimes Act 1997


    The Cyber Crime Convention of 2001

    In view of the fact that cyber crimes have an international element, and that national measures need to be supplemented with international co-operation based on global measures, co-ordinated international work and binding minimum standards, I shall take a brief look at the Convention on Cyber Crime of the Council of Europe, which came into play to harmonise computer crime provisions, catalyse investigations and ensure effective international co-operation among authorities of the European Union.

    The Convention on Cyber Crime was the product of four (4) years of work by Council of Europe experts, with the aid of the United States, Canada, Japan and South Africa. As the first international treaty to address criminal law and crimes committed via the Internet and other computer networks, it is appropriate to the proliferation of computer viruses, because it deals with aspects of infringement of computer-related fraud and violations of network security, and provides a legal backbone for the extradition of computer hackers from and to countries that have no formal extradition treaties between them.

    Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cyber crime, especially by adopting appropriate legislation and fostering international co-operation, to harmonise legislation, facilitate investigations and allow efficient levels of co-operation between the authorities of different member states and other third party states.

    The Convention attempts to address the problem of criminal law concerning computer viruses by creating offences relating to:

    - intentional illegal access to computer systems,[40]

    - intentional interference with computer data including deletion or alteration,[41]

    - intentional interference with computer systems,[42]

    - misuse of certain devices designed or adapted primarily for the purpose of committing any of the offences established under Articles 2 to 5,[43] and

    - the possession of such devices with an intent to commit the above named offences.[44]

    [40] Article 2, Cyber Crime Convention

    [41] Article 4, Cyber Crime Convention

    [42] Article 5, Cyber Crime Convention

    Since cyber crime is not constrained within national boundaries, it can only be properly and efficiently addressed by having some international understanding as to what it is and how it should be fought. However, achieving global consensus is difficult because of differences in cultural and national security issues, which make the attempt to establish common standards a daunting task.

    The Cyber Crime Convention made an attempt to lead the members of the European Union towards better legislation to fight computer virus related crime by providing a framework for the implementation of various legislation in the respective member countries. However, it has not been ratified by many countries, including the United Kingdom, and therefore was fruitless.

    Conclusion

    Computers have ushered in a new age filled with the potential for good. Unfortunately, the computer age has also ushered in new types of crime for the police to address. Law enforcement must therefore seek ways to keep the drawbacks from overshadowing the great promise of the computer age.

    More than ever the need is apparent for a law enforcement regime which can deal effectively with crimes committed in networked environment boundaries. However, it is also clear that improvement in cyber crime laws and enforcement alone will not be enough - organisations need to identify system vulnerabilities and implement protective measures.

    Lack of security in computer systems is a real problem. Some training must be given to the public regarding security, because securing the computer system is very important: the breaking of passwords, for example, is the first door to illegal entry on a computer system. Security is of course the first defence against computer crime, because the inadequacy of the victim's security system facilitates the commission of the crime.

    [43] Article 6, Cyber Crime Convention

    [44] Article 6 (1) (b), Cyber Crime Convention

    Although the numerous pieces of legislation worldwide are valuable legal weapons against computer crime, it remains imperative that practical computer security is taken very seriously by the business community. Both software developers and computer users therefore need to be sensitised to the importance of strengthening their security systems on all networks. However, the obligation must remain with law enforcers and legislators to ensure that the law is adequate to deter and punish all perpetrators of computer virus related crime.

    In the final analysis, therefore, it is right to assert that the criminal law is not adequate in relation to the proliferation of computer viruses, and that the obligation should not be placed on software developers and computer users to develop and maintain adequate security against such infections.


    References

    Law

    Police and Criminal Evidence Act 1984 (1984 c.60)

    Forgery and Counterfeiting Act 1981 (1981 c.45)

    The Computer Misuse Act 1990 (1990 c.18)

    Malaysian Computer Crimes Act 1997

    Cyber Crime Convention, 23 November 2001, Budapest, Council of Europe

    Blackstone's Criminal Practice 2004, Part B Offences, available at http://greeville.butterworths.co.uk

    Attorney General's Reference (No.1 of 1991) (1993) 3 W.L.R. 432

    Papers and Articles

    Carter & Katz "Computer Crime: An Emerging Challenge for Law Enforcement" FBI Law Enforcement Bulletin, December 1996

    Claire Coleman "Cyberspace security; Securing cyberspace - new laws and developing strategies" Computer Law & Security Report 19 (2) at pp 131-136

    Cohen "Computer Viruses: Theory and Experiments" Computers & Security, February 1987 at pp 23

    Doug Isenberg "The Case of Criminal Hacking and Antivirus Laws" available at www.gigalaw.com

    Eugene H. Spafford "Computer Viruses as Artificial Life" Journal of Artificial Life, MIT Press, 1994

    Joan L. Aaron, Michael O'Leary, Ronald A. Gove, Shiva Azadegan and M. Christina Schneider "The Benefits of a Notification Process in Addressing the Worsening Computer Virus Problem: Results of a Survey and a Simulation Model", Computer & Security, Vol.21, No.2, 2002 at pp 142 - 163.

    Jones, SC (1996) "Computer terrorist or mad boffin?" New Law Journal 46

    Kelman A (1997) "Regulation of Virus Research and the prosecution of unlawful research" Commentary, 1997 (3), the Journal of Information, Law and Technology (JILT), available at http:///elj.warwick.ac.uk/jilt/compcrim/97-3elm

    Kit Burden & Creole Palmer "Internet crime; Cyber Crime - A new breed of criminal?" Computer Law & Security Report Vol. 19, Issue 3, May 2003, Pgs 222-227

    Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2

    Nagavalli Annamalai "Cyber Laws of Malaysia - The Multimedia Super Corridor" Journal of International Banking Law 1997, 12(12), 473-481

    Natasha Jarvie "Control of Cyber crime - Is an end to our privacy on the Internet a Price worth paying?" Part 1 COMPTLR 2003, 9(3), 76-81

    Turner M (1994) "R v Vatsal Patel - The Computer Misuse Act 1990 s.3 (1)", 57 Journal of Computer & Law 4

    Newspaper Articles

    "Letter bomb of the Computer Age" New York Times, 5 November 1988, p.16

    Uhlig R (1995) "Black Baron, computer virus writer jailed for 18 months" The Electronic Telegraph 16 November 1995, available at http://www.telegraph.co.uk

    The Job, Volume 35 Issue 895, January 10, 2003 available at www.met.police.uk