Post on 18-Jun-2020
Viewing The Cybercrime Act (2015) From a Global Perspective
Ayo Rotibi (Chief Consulting Officer)
iSecure Consulting Ltd, UK, NG
Stuxnet: The World’s First Digital Weapon
Story
Moral lesson
Those motivated to do harm seek vulnerabilities – and create malware to exploit them
Some researchers hunt for these vulnerabilities on behalf of governments, others on behalf of criminal syndicates, but many ‘white hat’ researchers constantly do the same job for little or no pay
DAILY CONVERGENCE DEPENDENCY
294 billion e-mails sent
Generated/consumed information fills 168M DVDs
864K hours of video uploaded to YouTube
22M hours of movies watched on Netflix alone
Social networks reach 20% of the world population
SMS traffic generates $812K every minute
Average Skype conversation lasts 27 minutes
15% of the global population use their mobile phones to shop online
There are more mobile phones on the planet than there are people
TODAY AND THE NEAR FUTURE
Estimated World Population
  Today: 7 billion
  2030: ~8 billion people
Estimated Internet Population
  Today: 2.5 billion people (35% of population is online)
  2030: ~5 billion people (60% of population is online)
Total Number of Devices
  Today: 12.5 billion internet connected physical objects and devices (~6 devices per person)
  2030: 50 billion internet connected physical objects and devices (~10 devices per person)
ICT Contribution to the Economy
  Today: ~4% of GDP on average
  2030: 10% of worldwide GDP
Source: Evans, The Internet of Things. How the Next Evolution of the Internet Is Changing Everything.
CYBERX DEFINITIONS: CYBERSPACE
More than the internet, including not only hardware, software and information systems, but also people and social interaction within these networks
‘...systems and services connected either directly to or indirectly to the internet, telecommunications and computer networks.’ The ITU
‘...the complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, which does not exist in any physical form.’ The ISO
CYBERX DEFINITIONS: CYBERSPACE
‘all forms of networked, digital activities; this includes the content of and actions conducted through digital networks.’ United Kingdom
‘...encompasses all forms of digital engagements, interactions, socializations and transactional activities; contents, contacts and resources deployed through interconnected networks.’ Nigeria
CYBERX DEFINITIONS: CYBERSECURITY
More than 50 nations have published some form of a cyber strategy defining what security means to their future national and economic security initiatives
https://ccdcoe.org/strategies-policies.html
Nigeria has not updated her Strategy Document here
[Figure: Relationship between Cyber Security and other Security Domains (Adopted from ISO/IEC 27032:2012, ‘Information technology – Security techniques – Guidelines for cybersecurity’). Labels: Critical Information Infrastructure Protection (CIIP), Network Security, Internet Security, ICT Security, CyberSecurity, Information Security, CyberCrime, CyberSafety]
Cybercrime: UNGA Resolutions 55/63 and 56/121
Resolution 56/123
“...invites Member States, when developing national law to combat the criminal misuse of information technologies, to take into account, the work and achievements of the Commission on Crime Prevention and Criminal Justice and of other international and regional organizations.”
Resolution 55/63
Eliminate safe havens for criminals
Train and equip LEA to address cybercrime issues
Protection of individual freedom and privacy
Create Public awareness
Cybercrime: ITU GCA
Calls for the elaboration of strategies for the development of cybercrime legislation that is globally applicable and interoperable with existing national and regional legislative measures
“Considering the Council of Europe’s Convention on Cybercrime as an example of legal measures realized as a regional initiative, countries should complete its ratification, or consider the possibility of acceding to the Convention of Cybercrime. Other countries should, or may want to, use the Convention as a guideline, or as a reference for developing their internal legislation, by implementing the standards and principles it contains, in accordance with their own legal system and practice.” WA1 Recommendation 1.3
Cybercrime: Budapest Convention 2001
Nations around the world have identified cyber crime (however it is defined) as a national priority. They also recognise that jurisdiction for prosecuting cybercrime stops at national borders, which underscores the need for cooperation and coordination through regional organisations.
“Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, by adopting appropriate legislation and fostering international co-operation” The Council of Europe Convention on Cybercrime
CyberSecurity Ecosystem
[Figure: CyberSecurity Ecosystem. Labels: Regional and Global Partnership; Cyber Crime; Cyber Warfare; National Cyber Assets / and Critical Information Infrastructures; Telecoms; Encryption and Cryptography; Territorial Airspace; Academics; Policies; Presidential Directives; Judiciary; Regulatory & Enforcement Agencies; Tools; Safeguards; Concepts; Legislations; Risk Mgt; Cyber Terrorism]
Cybersecurity V Cybercrime
[Figure: Cybersecurity V Cybercrime. Labels: Non-intentional ICT Security Incidents; Offences by means of ICT; Offences involving ICT; Intentional attack against ICT; Attack against Critical Infrastructures; Other attacks against CIA of ICT; Security/trust/resilience/reliability of ICT; Rule of law / Criminal Justice and Human Right; Cybersecurity Strategies; Cybercrime Strategies]
Cybercrime: Budapest Convention 2001
A comprehensive Cybercrime Strategy generally contains technical protection measures, as well as legal instruments.
“Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, by adopting appropriate legislation and fostering international co-operation” The Council of Europe Convention on Cybercrime
Cybercrime: Computer Misuse Act 1990
This British Act is the foremost Cybercrime Legislation
Predates the Budapest Convention
Defines Computer misuse offences:
Unauthorised access to computer material.
Unauthorised access with intent to commit or facilitate commission of further offences.
Unauthorised modification of computer material.
Nigeria’s Perspective - Highlights
Based on criminalization (Cybercrime) of various cyber activities:
Critical national information structure offences
Cyber-terrorism
Child pornography
Racism or xenophobia
Other cyber-related crimes
Nigeria’s Cybercrime Act 2015
Broadly captured under the following:
Critical Information Infrastructure Protection (CIIP)
Unauthorised access to computer data
Unauthorised modification of computer data
Damaging or denying access to computer system & system interference
Unauthorised receiving or giving access to a computer program or data
Illegal devices or data
Related Offenses
Duties of Providers
Nigeria’s Cybercrime Act 2015: Objectives
Provide an effective and unified legal, regulatory and institutional framework for the Prohibition, Prevention, Detection, Prosecution and Punishment of cybercrimes in Nigeria;
Ensure the protection of critical national information infrastructure; and
Promote cybersecurity and the protection of computer systems and networks, electronic communications; data and computer programs, intellectual property and privacy rights
Cybercrime Act 2015 – Ecosystem
[Figure: Cybercrime Act 2015 – Ecosystem. Labels: Regional and Global Partnership; Cyber Security; National Cyber Assets / and Critical Information Infrastructures; Telecoms; Digital Forensics; Policies; Presidential Directives; Concepts; Legislations; Cyber Terrorism; Regulatory & Enforcement Agencies; Judiciary]
Nigeria’s Cybercrime Act 2015: Part II
This is not captured under any of the International Instruments earlier mentioned
UNGA Resolution 57/239 captures the essence of protecting CNII
Other instruments include:
OECD Recommendation of the Council on the Protection of Critical Information Infrastructures
The Green Paper on a European Program for Critical Infrastructure Protection
Developments in the field of information and telecommunications in the context of international security
And many more…
Nigeria’s Cybercrime Act 2015: Part III
The Convention on Cybercrime distinguishes between four different types of offences:
Offences against the confidentiality, integrity and availability of computer data and systems;
Computer-related offences;
Content-related offences; and
Copyright-related offences
Part III of the Act is in line with Articles 2-12 of the Convention (even if there are over 50 computer-related offences)
The Act does not include Copyright-related offenses
Nigeria’s Cybercrime Act 2015: Part III
Article 13 – Sanctions and measures states:
Each Party shall adopt such legislative and other measures as may be necessary to ensure that the criminal offences established in accordance with Articles 2 through 11 are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty
Each Party shall ensure that legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions
Nigeria’s Cybercrime Act 2015: Part IV
Duties: 37.3 Obligation of Financial institutions to customers
Duties: 38.3 & 38.5 The provisions under this section need to be strengthened in line with the spirit of Article 15: Condition and Safeguards
Legal Interception: 39 This aligns with Article 20: Real-time collection of traffic data. However, the provision is short on the responsibility of government to the Service Providers.
20.b states “compel a service provider, within its existing technical capability”
Nigeria’s Cybercrime Act 2015: Parts VII and VIII
Judiciary and International Co-operation:
This aligns with Articles 23 – 25
Miscellaneous (Use of Terms):
Definition and use of terms are similar in the Act and Convention
The Act has more terms and definitions listed than the Convention
National cybersecurity Document
https://ccdcoe.org/strategies-policies.html
Nigeria has nothing to share!
Cyber Security Objectives: National Security Perspective
From the perspective of National Security, we can view cyber security in terms of four objectives and our ability to achieve them:
Deter: Create and implement policies that allow us to generate a feasible and believable deterrence
Detect: Create and implement policies that allow us to detect when, where and how an intrusion has taken place.
React: Create and implement procedures and policies that define how we react to an intrusion in order to ensure that the exploit does not happen again, and that the vulnerability used to gain access to the system is eliminated.
Recover: Recover all assets and resources from a breach in security.
Conclusion
To date, there is not a universal understanding on basic cyber terms and definitions, so common solutions will remain scarce. However, the Budapest Convention offers a framework broad enough to accommodate most
The Cybercrime Act 2015 is aligned with the spirit of the Budapest Convention in many ways
Also aligns with the spirit of the Computer Misuse Act
Cybercrime is all about PEOPLE, PEOPLE (and less about technology)
Conclusion
NBA needs to play a more active role to midwife the future
Need to set up a Specialized Cybercrime Unit
Nigeria will do well to join other nations such as South Africa, USA, Canada, Japan and UK in acceding to the Budapest Convention