cyber security laws

Upload: nasirbhutta

Post on 14-Jul-2015


Dr. M Nasir Mumtaz Bhutta

Institute of Computing

Bahauddin Zakariya University

Multan, Punjab, 60,000

Pakistan

Email: [email protected]

www.bzu.edu.pk

Course: Information Security and Assurance

Cyber Security Laws

18 March 2015

Dr. M N M Bhutta www.bzu.edu.pk

Lecture Overview

• Why is it important to understand/define Cyber Security Laws?

• Cyber Crimes.

• Well-known US Cyber Security Laws.

• Pakistan’s Cyber Security Laws:

– Electronic Transaction Ordinance 2002.

– Electronic/Cyber Crime Bill 2007.

• Recent Developments in Pakistan’s Cyber Law.

Importance of Understanding Cyber Security Laws

• Cyber Security Laws are introduced:

– In response to cyber crimes.

– To improve organizational security.

– To protect people and their assets.

• Every country has its own set of laws.

• Organizations should determine which laws apply to them, depending on where they (and their systems and data) are located.

• Organizations should incorporate cyber laws into their security policy and include lawyers in their security decisions.

• Governments have laid down security compliance requirements to protect people and their assets.

Cyber Crimes

• Some Latest Cybercrime Statistics


Cyber Crime vs Conventional Crime

• Conventional crime is:

– A social and economic phenomenon as old as society.

– A legal wrong which can be followed by criminal proceedings and can result in punishment.

• Cyber crime is:

– Crime in which a computer is the subject or the object of the offence.

– An unlawful act in which a computer is a tool, a target, or both.

Complexity of Cyber Disputes

• Cyber crime takes place across geographic boundaries, worldwide.

• Which court has jurisdiction over the crime?

• Different countries have different legal systems, and pursuing a case can be extremely expensive depending on the location.

• The efficacy of court decisions at the global level is doubtful, and the enforceability of sanctions is questionable.

Types of Cyber Crimes


Targets of Cyber Crime

• Some important industries which are targets of cyber crime were shown on the slide (figure not reproduced in the transcript).

Cyber Security Technologies to Fight Crime and Improve Organizational Security

Penetration Testing/Ethical Hacking (Web and Infrastructure Hacking)

• Penetration testing is the legal, authorized exploitation of computer systems in order to make them more secure. The authorization (scope, targets, time window) is what separates it from the offences discussed later in this lecture, so obtain it in writing before starting.

• Penetration testing is performed in the following phases:

– Reconnaissance: collecting detailed information about the target (e.g. the IP addresses of all machines).

– Scanning: 1. Port scanning (finding open ports on systems and the services running on them). 2. Vulnerability scanning (finding known vulnerabilities in the services running on the system).

– Exploitation: attacking the system through the vulnerabilities found.

– Maintaining Access: after exploitation, installing a backdoor for easy access to the system later on. In an authorized test this is done only within the agreed scope and is removed before the engagement closes.

– Reporting: details of the issues found, the procedures followed, and proposed solutions to mitigate the security issues.
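The scanning phase of the procedure above, as an added example that is not part of the original lecture: a TCP connect port scan with banner grabbing, followed by a lookup of each banner in a small known-issue table. The "target" is a listener the script starts itself on 127.0.0.1, and the product name ExampleFTP and the KNOWN_ISSUES entries are constructed placeholders, so nothing real is scanned and nothing leaves the machine. Pointing scan_ports at a host you do not own or have written authorization to test is exactly the unauthorized access the laws later in this lecture penalize.

```python
import re
import socket
import threading

# Constructed "known issue" table for the vulnerability-scanning step. The
# product name and note are placeholders, not real advisories.
KNOWN_ISSUES = {
    r"^ExampleFTP 1\.0\b": "placeholder: version listed as affected in the engagement inventory",
}


def start_target_service(banner: bytes):
    """Stand-in for an in-scope host: a throwaway TCP listener on 127.0.0.1
    that greets each client with `banner` and hangs up. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port() -> int:
    """Pick a port that is currently closed, to show what a scan of one looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]        # released again when the with-block exits


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """Port scanning: TCP connect to each port; for each one that accepts,
    grab the service banner. Returns {open_port: banner}."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:              # refused or timed out: closed/filtered
                continue
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except OSError:
                banner = ""
            found[port] = banner
    return found


def vulnerability_scan(services: dict) -> dict:
    """Vulnerability scanning: match each banner against the known-issue table.
    Returns {port: note} for the services that match."""
    hits = {}
    for port, banner in services.items():
        for pattern, note in KNOWN_ISSUES.items():
            if re.search(pattern, banner):
                hits[port] = note
    return hits


def run_demo():
    """Reconnaissance is trivial here (the target is our own loopback address);
    run the scanning phase against one open and one closed port."""
    srv, open_port = start_target_service(b"ExampleFTP 1.0 ready\r\n")
    closed_port = free_port()
    try:
        services = scan_ports("127.0.0.1", [open_port, closed_port])
        findings = vulnerability_scan(services)
    finally:
        srv.close()
    return open_port, closed_port, services, findings


if __name__ == "__main__":
    open_port, closed_port, services, findings = run_demo()
    print("open services:", services)
    print("findings:", findings)
```

Real scanners (nmap, OpenVAS and the like) do the same two steps at scale, with timing control and a far larger signature database; the structure is the same: enumerate listeners, identify versions, match against known issues, and only then move to exploitation.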

Malware Analysis/Reverse Engineering

• The art of dissecting malware:

– To provide information about an intrusion or attack (what exactly happened).

– The goal is to find out exactly what a suspect binary can do, how to detect it, and how to measure and contain the damage.

• Host-based signatures (e.g. file hashes, files and registry keys the malware creates) and network-based signatures (e.g. the domains and IP addresses it contacts) are used to detect malware on computers and networks.

• Most often malware analysis is performed on executable files using the following techniques:

– Basic and Advanced Static Analysis

– Basic and Advanced Dynamic Analysis

Malware Analysis/Reverse Engineering – II

• Basic Static Analysis

– Performed on the executable file without running it and without examining its instructions (e.g. hashing, extracting strings, inspecting headers and imports).

– It helps answer whether the file is malicious, gives information about its functionality, and sometimes yields network signatures for detecting the malware.

• Advanced Static Analysis

– Performed by loading the malware executable into a disassembler and reading its instructions to find out what the malware does.

• Basic Dynamic Analysis

– Involves running the malware and observing its behaviour on the system in order to produce effective signatures and to know which files to remove. Run it only in an isolated, disposable environment (a virtual machine with no route to production networks).

• Advanced Dynamic Analysis

– Involves running the malicious executable under a debugger to examine its internal state.
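Basic static analysis as described above, as an added example (not code from the lecture): a PE header check, hashing, string extraction and indicator extraction on a constructed byte string that stands in for a suspect executable. SAMPLE, SUSPICIOUS_APIS and the domain and IP:port embedded in the sample are made up for this example; the report it produces is where the host-based signature (file hash) and the network-based signature (domain, IP:port) come from.

```python
import hashlib
import re

# Constructed stand-in for a suspect Windows executable: a minimal DOS header
# whose e_lfanew field (offset 0x3C) points at the "PE\0\0" signature, followed
# by the kind of strings a triage pass looks for. It is not a real sample.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little")   # 64-byte DOS header
    + b"PE\x00\x00" + b"\x00" * 40
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://updates.example-c2.test/gate.php\x00"
    + b"10.0.0.12:4444\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Win32 API names that often appear in injection/downloader code. Seeing one
# is a lead for advanced analysis, not proof of malice on its own.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "URLDownloadToFileA", "SetWindowsHookExA", "WinExec",
}


def is_pe(data: bytes) -> bool:
    """Check the MZ stub and follow e_lfanew to the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_hashes(data: bytes) -> dict:
    """Host-based signature: the hashes an AV engine or IR team would search for."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """The `strings` step: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_indicators(strings: list) -> dict:
    """Pull URLs, IP:port pairs, suspicious API names and autorun registry
    keys out of the string list."""
    ind = {"urls": [], "ip_ports": [], "apis": [], "registry": []}
    for s in strings:
        ind["urls"] += re.findall(r"https?://[^\s'\"]+", s)
        ind["ip_ports"] += re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b", s)
        if s in SUSPICIOUS_APIS:
            ind["apis"].append(s)
        if s.startswith(("Software\\", "SOFTWARE\\")):
            ind["registry"].append(s)
    return ind


def triage(data: bytes) -> dict:
    """Basic static analysis report: file type, hashes, indicators, and the
    host/network signatures derived from them."""
    strings = printable_strings(data)
    ind = extract_indicators(strings)
    domains = [re.match(r"https?://([^/:]+)", u).group(1) for u in ind["urls"]]
    hashes = file_hashes(data)
    return {
        "is_pe": is_pe(data),
        "hashes": hashes,
        "indicators": ind,
        "host_signature": {"sha256": hashes["sha256"]},
        "network_signature": {"domains": domains, "ip_ports": ind["ip_ports"]},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On a real file the same pass is done with `strings`, a hash utility and a PE parser that also lists the import table; the point of doing it before any dynamic analysis is that it costs nothing, risks nothing, and already yields a hash to block and a domain to watch for.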

Digital Forensics (Computer & Network Forensics)

• Forensics is the application of science to law.

• Digital forensics is the collection, examination and analysis of data while preserving the integrity of the data and the chain of custody.

• The process usually consists of the following phases:

– Collection: identifying, collecting, labelling and storing data.

– Examination: assessing the collected data and extracting the items of particular interest.

– Analysis: analysing the data using legally justifiable techniques.

– Reporting: reporting the results of the analysis (actions to be taken to secure against vulnerabilities, information about the crime/attack, etc.).
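Preserving integrity and chain of custody across the phases above, as an added example that is not part of the lecture: evidence is hashed at collection, every hand-over re-hashes it and appends an entry to a custody log (refusing the hand-over if the hash no longer matches), and examination is done on a working copy so the original is never modified. The evidence bytes, examiner names and timestamps are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone


class CustodyError(Exception):
    """Raised when evidence fails its integrity check during a custody event."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One item of digital evidence: its acquisition hash and a chain-of-custody
    log. Every custody event re-hashes the item so that any change is caught at
    the hand-over, not months later in court."""

    def __init__(self, label: str, data: bytes, collected_by: str, when: datetime):
        self.label = label
        self.sha256 = sha256(data)          # taken at collection, never updated
        self.custody = []
        self._log("collected", collected_by, when, data)

    def _log(self, action: str, who: str, when: datetime, data: bytes):
        observed = sha256(data)
        entry = {"action": action, "by": who, "at": when.isoformat(),
                 "sha256": observed, "intact": observed == self.sha256}
        self.custody.append(entry)          # the failed check is itself recorded
        if not entry["intact"]:
            raise CustodyError(f"{self.label}: hash mismatch at '{action}' by {who}")

    def transfer(self, to: str, when: datetime, data: bytes):
        """Hand-over to the next custodian: verify, then log."""
        self._log(f"transferred to {to}", to, when, data)

    def verify(self, data: bytes) -> bool:
        return sha256(data) == self.sha256


def working_copy(data: bytes) -> bytearray:
    """Examination and analysis happen on a copy; the original is only read."""
    return bytearray(data)


def run_demo():
    # Constructed evidence: a few bytes standing in for an acquired disk image.
    original = b"FAKE-IMAGE\x00user=alice\x00last_login=2015-03-18\x00" + b"\x00" * 32
    t0 = datetime(2015, 3, 18, 9, 0, tzinfo=timezone.utc)
    item = EvidenceItem("laptop-disk-image", original, "examiner A", t0)
    item.transfer("lab storage", t0.replace(hour=11), original)

    # Examination phase: the analyst redacts a field in the working copy only.
    copy = working_copy(original)
    start = copy.find(b"alice")
    copy[start:start + 5] = b"XXXXX"
    original_ok = item.verify(original)     # True: the original is untouched
    copy_ok = item.verify(bytes(copy))      # False: the copy is not the evidence

    # A hand-over of altered bytes is refused and the failure is logged.
    tampered = original.replace(b"alice", b"mallory")
    try:
        item.transfer("court", t0.replace(hour=15), tampered)
        tamper_detected = False
    except CustodyError:
        tamper_detected = True
    return item, original_ok, copy_ok, tamper_detected


if __name__ == "__main__":
    item, original_ok, copy_ok, tamper_detected = run_demo()
    for entry in item.custody:
        print(entry)
    print("original intact:", original_ok, "| copy is evidence:", copy_ok,
          "| tampering caught:", tamper_detected)
```

In practice the acquisition hash is written on the evidence form together with the write-blocker used and the examiner's signature; the code above is the same discipline applied programmatically, which is what makes the later analysis "legally justifiable".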

CYBER LAWS


USA’s Cyber Security Laws - I

• Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030): “Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer… shall be punished as provided in subsection (c) of this section.”

• Electronic Protected Health Information (e-PHI) and the Health Insurance Portability and Accountability Act (HIPAA):

– Protect individually identifiable health information.

– Protect that information both when stored and when being transferred over a network.

Recent Developments in USA’s Cyber Security Laws

• Cybersecurity Enhancement Act of 2014

– Public-Private Collaboration on Cybersecurity

– Cybersecurity Research and Development

– Education and Workforce Development

– Cybersecurity Awareness and Preparedness

– Advancement of Cybersecurity Technical Standards

• National Cybersecurity Protection Act of 2014

• Cybersecurity Workforce Assessment Act of 2014

Pakistan’s Cyber Security Laws

Cyber Laws in Pakistan

• Several laws have been promulgated in Pakistan.

• They deal not only with crime on the Internet but with all dimensions of computers and networks.

• Two of them are the best known:

– Electronic Transaction Ordinance 2002

– Electronic / Cyber Crime Bill 2007

Electronic Transaction Ordinance 2002

• Overview

– The Electronic Transactions Ordinance (ETO), 2002, was the first IT-relevant legislation created by national lawmakers.

– A first step and a solid foundation for legal sanctity and protection of Pakistani e-commerce, locally and globally.

– Laid the foundation for a comprehensive legal infrastructure.

– It draws heavily on foreign law relating to electronic transactions and cyber crime.

Pre-ETO 2002

• No recognition of electronic documentation

• No recognition of electronic records

• No recognition of the evidential basis of electronic documents/records

• No way to authenticate or identify digital or electronic signatures or other forms of authentication

• No online transaction could be legally binding

• Electronic data and forensic evidence not covered; no rules

ETO 2002

• Sections

– There are 43 sections in this ordinance.

– It deals with the following 8 main areas relating to e-commerce:

• Recognition of Electronic Documents

• Electronic Communications

• Digital Signature regime and its evidential consequences

• Web Site & Digital Signature Certification Providers

• Stamp Duty

• Attestation, notarization, certified copies

• Jurisdiction

• Offences

ETO 2002

• Important sections are:

– 36. Violation of privacy of information

• Whoever gains or attempts to gain access to any information system, with or without intent to acquire the information contained in it, without authorization.

• Imprisonment up to 7 years, a fine up to Rs. 1 million, or both.

– 37. Damage to information system, etc.

• Whoever alters, modifies, deletes, removes, generates, transmits or stores information so as to impair the operation of, or prevent or hinder access to, an information system, knowingly and without authorization.

• Imprisonment up to 7 years, a fine up to Rs. 1 million, or both.

– 38. Offences to be non-bailable, compoundable and cognizable

• All offences under this Ordinance shall be non-bailable, compoundable and cognizable.

– 39. Prosecution and trial of offences

• No court inferior to the Court of Sessions shall try any offence under this Ordinance.

Note that section 36 covers attempted as well as successful unauthorized access, which is why a penetration test needs written authorization from the system owner before any scanning or exploitation begins.

Post-ETO 2002

• Electronic documentation and records recognized.

• Electronic and digital forms of authentication and identification given legal sanctity.

• Messages through email, fax, mobile phones, plastic cards and online channels recognized.

Electronic/Cyber Crime Bill 2007


Overview

• The “Prevention of Electronic Crimes Ordinance, 2007” was promulgated by the President of Pakistan on 31 December 2007. As a presidential ordinance it lapsed in 2009 without being enacted by Parliament, and at the time of this lecture a replacement bill was still pending.

• The ordinance dealt with electronic crimes including:

– Cyber terrorism

– Data damage

– Electronic fraud

– Electronic forgery

– Unauthorized access to code

– Cyber stalking

– Cyber spamming/spoofing

Electronic/Cyber Crime Bill 2007

• It provides penalties ranging from six months’ imprisonment to capital punishment for 17 types of cyber crime.

• It applies to every person who commits an offence, irrespective of nationality or citizenship.

• It gives exclusive powers to the Federal Investigation Agency (FIA) to investigate and prosecute such crimes.

Punishments

• The law defines a punishment for each offence.

• Every offence under this law has its own punishment, which can be imprisonment or a fine (1 Lac = Rs. 100,000). The maximum penalties are:

Offence                        Imprisonment (years)             Fine (Rs.)
Criminal Access                3                                3 Lac
Criminal Data Access           3                                3 Lac
Data Damage                    3                                3 Lac
System Damage                  3                                3 Lac
Electronic Fraud               7                                7 Lac
Electronic Forgery             7                                7 Lac
Misuse of Device               3                                3 Lac
Unauthorized access to code    3                                3 Lac
Malicious code                 5                                5 Lac
Defamation                     5                                5 Lac
Cyber stalking                 3                                3 Lac
Cyber Spamming                 6 months                         50,000
Spoofing                       3                                3 Lac
Pornography                    10                               -----
Cyber terrorism                Life (death if death results)    10 Million

Sections

• Data Damage:

– Whoever, with intent to illegal gain or to cause harm to the public or any person, damages any data, commits the offence of data damage.

• Punishment:

– 3 years

– 3 Lac

Electronic/Cyber Crime Bill 2007

• Electronic fraud:

– Whoever, for illegal gain, interferes with or uses any data, electronic system or device, or does so with intent to deceive any person, where the act or omission is likely to cause damage or harm, commits the offence of electronic fraud.

• Punishment:

– 7 years

– 7 Lac

Electronic/Cyber Crime Bill 2007

• Electronic Forgery:

– Whoever, for unlawful gain, interferes with data or an electronic system or device, with intent to cause harm or to commit fraud by any input, alteration or suppression of data, resulting in unauthentic data that is intended to be considered or acted upon for legal purposes as if it were authentic, regardless of whether the data is directly readable and intelligible, commits the offence of electronic forgery.

• Punishment:

– 7 years

– 7 Lac

Electronic/Cyber Crime Bill 2007

• Malicious code:

– Whoever wilfully writes, offers, makes available, distributes or transmits malicious code through an electronic system or device, with intent to cause harm to any electronic system or resulting in the theft or loss of data, commits the offence of malicious code.

• Punishment:

– 5 years

– 5 Lac

Electronic/Cyber Crime Bill 2007

• Cyber stalking:

– Whoever, with intent to harass any person, uses a computer, computer network, the Internet or any other similar means of communication to:

– communicate obscene, vulgar, profane, lewd, lascivious or indecent language, pictures or images;

– make any suggestion or proposal of an obscene nature;

– threaten any illegal or immoral act;

– take or distribute pictures or photographs of any person without his consent or knowledge;

– commits the offence of cyber stalking.

• Punishment:

– 3 years

– 3 Lac

Electronic/Cyber Crime Bill 2007

• Spamming:

– Whoever transmits harmful, fraudulent, misleading, illegal or unsolicited electronic messages in bulk to any person without the express permission of the recipient, or engages in falsified online user account registration or falsified domain name registration for commercial purposes, commits the offence of spamming.

• Punishment:

– 6 months

– 50,000

Electronic/Cyber Crime Bill 2007

• Spoofing:

– Whoever establishes a website, or sends an electronic message, with a counterfeit source intended to be believed by the recipient or visitor (or its electronic system) to be an authentic source, with intent to gain unauthorized access or to obtain valuable information which can later be used for any unlawful purpose, commits the offence of spoofing.

• Punishment:

– 3 years

– 3 Lac

Electronic/Cyber Crime Bill 2007

• Cyber terrorism:

– Any person, group or organization who, with terroristic intent, utilizes, accesses or causes to be accessed a computer, computer network, electronic system or device, or any other available means, and knowingly engages in or attempts to engage in a terroristic act, commits the offence of cyber terrorism.

• Punishment:

– Whoever commits the offence of cyber terrorism and causes the death of any person shall be punished with death or imprisonment for life, and with a fine.

– Otherwise the offender shall be punishable with imprisonment of up to ten years or a fine of up to ten million rupees.

Recent Developments for Cyber Laws in Pakistan

• In 2013 it became known that the USA, through the National Security Agency (NSA), had been spying on Pakistan by intercepting 13.5 billion pieces of email, phone and fax communication.

• The Senate Committee on Defence and Defence Production organized a seminar, which concluded with the following important points:

– To protect and promote Pakistan’s cyber security, the relevant legislation should be enacted.

– Cyber security threats should be accepted as a new, emerging national security threat.

– A National Computer Emergency Response Team (PakCERT) should be established.

– A Cyber Security Task Force consisting of relevant security professionals should be established to combat this threat.

– An Inter-Services Cyber Command should be established to coordinate cyber security and defence for the Pakistan Armed Forces.

– Pakistan should take the initiative to talk to the 8 SAARC members.

Pakistan Cyber Security Task Force

• The Federal Investigation Agency (FIA) has established a Cyber Security Task Force to combat the cyber security threat to Pakistan.

• The Pakistan Computer Emergency Response Team (PakCERT) has been established to protect IT assets and professionals from cyber crimes such as hacking (www.pakcert.org).

Why We Must Know Cyber Laws

• Under which jurisdictions does the organization operate, and which specific laws apply to it?

• By law, which information assets need to be protected?

• How can the laws be incorporated into the organizational security policy?

• When conducting vulnerability assessments and penetration tests for organizations: without authorization from the system owner, the same activities are offences under the laws discussed above (e.g. ETO 2002 section 36, the CFAA), so scope and written permission must be agreed before testing starts.

References:

• To prepare this lecture, the following sources were consulted:

– Cybersecurity Enhancement Act of 2014, S. 1353, 113th Congress: https://www.congress.gov/bill/113th-congress/senate-bill/1353/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d

– National Cybersecurity Protection Act of 2014, S. 2519, 113th Congress: https://www.congress.gov/bill/113th-congress/senate-bill/2519/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d

– Cybersecurity Workforce Assessment Act, H.R. 2952, 113th Congress: https://www.congress.gov/bill/113th-congress/house-bill/2952/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d

– http://www.go-gulf.com/blog/cyber-crime/

– Zibber Mohiuddin, “Cyber Laws in Pakistan: A Situational Analysis and Way Forward”, June 2006.

– ISACA’s Cyber Security Student Handbook.

– http://www.dawn.com/news/1023706

– Justice Khalil ur Rehman, “Cyber Laws in Pakistan”.

– Tariq Bilal, “Modern Cyber Laws in Pakistan”.

– Taha Mehmood, “Cyber Laws in Pakistan”, PowerPoint presentation.

– Sehrish Mushtaq, “Cyber Laws in Pakistan”, PowerPoint presentation.

Thanks for listening!

Questions?