Sri Lankan Perspective in Meeting the Cyber Crime Challenge

8/2/2019 Sri Lankan Perspective in Meeting the Cyber Crime Challenge

1/24

Sri Lankan perspectivein meeting the

Cyber crime challengeby

Lal DiasChief Operating Officer,

Sri Lanka CERT


2/24

Role of Cyber systems in Sri Lanka

e-Sri Lanka Development Initiative

Multi-faceted program

Objectives Bridge digital divide

Improve delivery of public services Increase competitiveness of private sector

Accelerate social development

Poverty reduction


3/24


Major Programs of e-Sri Lanka ICT Policy, Leadership & Institutional Development

Information Infrastructure

Re-engineering government ICT Human Resources Capacity Building

ICT Investment & Private sector Development

E-Society

ICT Agency of Sri Lanka established tospearhead the e-Sri Lanka DevelopmentInitiative


4/24


ICT Policy, Leadership & Institutional Development Program

Information Infrastructure

e-Laws Project

Electronic Transactions Act No. 19

Sri Lanka Computer Crimes Act No. 24

e-Leadership Development Project

Sri Lanka CERT Project


5/24

e-Sri Lanka Projects

e-Laws Project

Electronic Transactions Act No. 19

Law to enable validation of e-Commerce, e-Signature and e-Contracting

Sri Lanka Computer Crimes Act No. 24 Identification, Investigation and Enforcement of

computer crimes


6/24

e-Sri Lanka Projects

e-Leadership Development Project Develop a pool of champions to enforce security

policies, monitor fraudulent activities and promote

best practices

Sri Lanka CERT Project National CERT mandated to protect Sri Lankas ICT

infrastructure from attacks, be the single, trustedsource for information on cyber crime techniquesand coordinate efforts to handle Cyber crimeincidents


7/24

Conflict of Systems

e-Sri Lanka introduces new challenges infighting cyber crime:

TraditionalNew (due to e-Sri Lanka)

Police Investigation Team-CID-NIB

Existing Penal Code

Traditional Reportingmechanisms

SLCERT Forensics Team SLCERT Incident Handling

Computer Crimes Act E-Transactions Act

New reporting mechanisms


8/24

12%

41%

23%

12%

0%0%

12%

Hacking

Publishing Information without consent (Sexual Harrassment)

Impersonation

Hacking Addresses & Attempted cheats

Pornography

Violation of Intellectual Property ActCheating

Cyber crime in Sri Lanka: 2007


9/24

Cyber crime in Sri Lanka

Prosecution of Cyber crime cases

25

22

0

75

78

0

0

0

24

0

0

76

0 20 40 60 80 100 120

2005

2006

2007

Successful Dismissed Pending Uninves tigated

Total Cases: 9

Total Cases: 4

Total Cases: 17


10/24

Computer Crimes Act

Timeline

1995: Work started by CINTEC Law Committee

1997: Working paper on Computer crime Act submitted Decision to be made: Develop provisions for prosecution

of cyber crimes under existing penal code OR develop aSubject specific law?

2000: decision to develop Subject specific legislation

2005: Bill finalized and presented in Parliament

2006: Further review by Parliamentary committee

2007: Passing of bill in parliament

Computer Crime Act currently not enforced fully


11/24

Computer Crimes Act

Features

Provides clear structure for conducting of investigations andjurisdictions

Provides distinct cyber crime categories and the correspondingparameters under which a case may be prosecuted, includingmaximum or minimum applicable penalties

Use of Generic terms, so that even if technology changes, thenature of the crime will remain the same (example: phishing,vishing & phaxing)

Provision of Cross Extradition arrangement with Council ofEurope signatories. Increased ability to prosecute cases beyondSri Lankas borders

Clear statement of Resources that would be brought to bear onthe case, including, among others, experts.


12/24

Computer Crimes Act

Cyber crime Categories

Computer-related offenses

Computers used as tools for criminal activity

(Theft, fraud)

Hacking

Activities which affect CIA of computer system or network(includes viruses and other malware)

Content related offenses

Computers with Internet access used to distribute illegal data

(copyright infringement, pornography)


13/24

Computer Crimes Act

Parameters

Unauthorized Access

Unauthorized Access in order to commit an offence Causing a computer to perform functions without

lawful authority

Offenses committed against national security

Dealing with unlawfully obtained data Illegal interception of data

Use of an illegal device

Unauthorized disclosure of information


14/24

Computer Crimes Act: Penalties

ParameterJail Term

(Years)

Fine

(Rupees)Or Both?

Unauthorized Access 5 100K Unauthorized Access tocommit offense

5 200K Function without Lawfulauthority

5 300K Offenses Against National

Security

5 -

Unlawfully obtained data 0.5 3 100K 300K Illegal interception 0.5 3 100K 300K Use of illegal devices 0.5 3 100K 300K Unauthorized disclosure 0.5 3 100K 300K


15/24

Identificationof Cyber Crimes

Limited reporting of crime Lack of trust in reporting methods

No guarantee of confidentiality

Verifying reports/Authenticity of Reports Genuine report or prank?

Due diligence Reporting of crimes found at workplace. Professional

obligation vs. Personal inconvenience

CHALLENGES


16/24

Investigation of Cyber Crimes

Gathering of evidence Maintaining admissibility of evidence

Lack of proper structure for cooperation betweeninvestigating organizations

Poor system for maintenance of chain of custody

Weight of Digital evidence in court Lack of understanding of importance of digital evidence

Lack of Legal professionals conversant with CCA

Jurisdiction NIB, CID, other organizations (SLCERT, TechCERT, etc)

CHALLENGES


17/24


18/24

Case study 1:

A Foreign National publishedfalse information regarding thesale of DVD players online

Online payments credited to Standard Chartered Bank

Account

Funds withdrawn by offender who left country

DVD Players not delivered

Suspect arrested upon return to Sri Lanka, fined anddeported

Problem:Waiting for suspect to return to Sri Lanka. Lack of

extradition arrangements.


19/24

Case study 2:

Superimposing nude images on a picture of a BuddhaStatue (causing offense)

Investigated by CID Cyber Crimes Unit

NGO employee arrested

Convicted and sentenced to 3 Years imprisonment,suspended for 3 years

Problem:Leniency in sentence and enforcement of sentence.Much stronger penalties allowed for under CCA


20/24

Future plans for cyber crime fighting

Build a defined structure and working relationshipbetween organizations concerned with cybercrime

AGs Department

Police Force

NIB

CID

Cyber crimeReporting Centres

Sri Lanka CERT International CERT Community

International Police Community

International Judicial CommunityInter-Governmental Relationships


21/24

Future Plans

Identification

Building and maintenance of Cyber Crime Reporting

Centres

Additional secured reporting channels (E-mail, Web)

Protection of Confidentiality through Information

Security Measures

Raises trust

Expected Outcome: Reporting of more cases


22/24

Future Plans

Investigation

Develop a Digital Forensics Lab, Larger Forensics team to

handle increase in cases

Develop clear Chain of Custody procedures

Build contacts with Foreign Police forces to increase skills

available in investigating complex, cross-border cases andforensics knowledge

Expected Outcome: Increased number of successfullyprosecuted cases


23/24

Future Plans

Prosecution

Run Awareness Programs for the local judiciary to raiseawareness of Computer crimes (attack techniques,

potential damage, etc) and the provisions of the ComputerCrimes Act (CCA)

Build a pool of IT Savvy Legal professionals able toprosecute cases under the CCA

Increase number of countries with which Sri Lanka hasExtradition Treaties through Government intervention

Expected Outcome: Increased number of successfully prosecuted

cases


24/24

THANK YOU

Documents

Sri Lankan Perspective in Meeting the Cyber Crime Challenge