Laws in Sri Lanka to prevent Cyber-Terrorism and analyse whether these laws are sufficient to prevent a Cyber-Warfare in the future

“Iran’s Military Response May Be Concluded, But Cyber Warfare Threat Grows” (Kanno-Youngs & Nicole Perlroth, Jan. 8, 2020) , “Threat of Cyberattack by Iran still critical, Experts say” (The Wall Street Journal , Jan. 9, 2020), these latest news headlines may conclude the major threat that 21^st century modern countries have to faced. “Cyber Security is the newest and most unique national security issue of the 21st century” (Malawer, November 18, 2010).  Debate over Cyber Warfare is now affected to all over countries. As a developing nation, Sri Lanka is also vulnerable to this rising technological war to some extent.

In this article, I addressed the existing Sri Lankan laws (Intellectual Property Act (No.36 of 2003), Electronic Transaction Act (No.19 of 2006), Computer Crime Act (No.24 of 2007), Cyber Security Bill) regarding Cyber Warfare and analyzed the loop holes and vulnerabilities of current security strategies.  I concluded the article by proposing relevant methods to safeguard the nation from a future “Cyber Warfare”.

1.0 Introduction

1.1 Introduction to the Issue

With the major development of the technology, mankind has simultaneously created a lager trend in the use of same technology as weapons of modern war. Over the last decades high profile cyber-attacks are extremely increased among governments such as United States, China, Russia and North Korea. In the wake of these threats, numbergof researchers have focused about discussion of deterrence strategy to modern cold war which is called as cyber warfare. Nowadays almost Sri Lankan infrastructure such like Banks, Airports, Hospitals, Power Grids, Military and many other systems and every aspect of human lives are depending on the internet and computer systems. This means that every Sri Lankan person are all vulnerable to this cold war to some extent, let alone entire Sri Lanka. This may could lead to a cyber warfare in near future. “Colombo city is blacked out since two days”, “Airplanes cannot land to the katunayake airport due to a system error”, “People’s bank has been hacked” these are the possible disasters may present in near future, if Sri Lanka wouldn’t protect against cyber warfare. Not only Sri Lanka, any country would be collapsed into chaos under such kind of conditions. For that, are the Sri Lankan laws sufficient to prevent a cyber warfare?

1.2 History and Background

The history of cyber warfare is possible to date back to the evolution of the internet simultaneously. In the last few years we have seen a number of examples of the cyber-attacks and the computer crime incidents around all over the world.  “Iran Banks Burned, The Customer Accounts Were Exposed” (Bergman, 2019), “Signs that Russia, China and Iran might be preparing for a cyber war” (Lindsey, 2019). These two incidents are the part of larger trend in the use of technology as weapons of modern cold war.  Not only the high profile countries, within the Sri Lankan frame Sri Lanka CERTCC (Sri Lanka Computer Emergency Readiness Team, coordination Centre) informed 3907 cyber security regarded incidents in 2017 and that was a prominent acceleration from 2010.

1.3 Aim and Objectives

The main objective of this research is to analyses the loop holes and vulnerabilities of Sri Lankan laws whether these laws are sufficient to prevent a cyber warfare in the future. Secondary objective is to identifying the rules, regulations regarding cyber security and proactive, reactive measures that can be taken against cyber warfare.

2.0 Literature Review

2.1 Cyber-Warfare (cyb-war)

            Michael N. Schmitt’s article examines about how existing laws of Cyber Warfare may evolve in response to growing world-wide threat of cyber warfare incidents in modern world. He mentioned that, “NATO Cooperative Cyber Defense Centre of Excellence launched a major research project in late 2009 to examine the public international law governing cyber warfare” (Schmitt, September 4, 2013).  He continues his article on explaining on extant law as set forth in the Tallinn manual on International law of cyber warfare. Moreover, this article mainly states about the reaction of states to cyber operations and how to prevent cyber warfare as state wisely. He emphasized that “If the right of self-defense was to remain meaningful, it had to adapt to the changed security environment” (Schmitt, September 4, 2013).

            Stuart Malawer said that, “The most critical aspect of this issue is the notion of cyberwarfare, which is the use of computer technologies as both defensive and offensive weapons in international relations” (Malawer, November 18, 2010). In this journal article he addressed the concepts cyber warfare and cyber terrorism in the context of domestic and international connections form both legal and political perspective. He examined recent private sector and government sector reports on cyber warfare. And also in his article he emphasized the major issues that confronts the countries as they struggle to prevent the term “Cyber Warfare”. He concluded the facts by proposing procedures and methods to structuring comprehensive cyber security strategy for all countries which are struggle from Cyber warfare.

2.2 Cyber Crime (cyb-crime)

            Cyber-attacks are something that have become a social phenomenon in the present society. Thomas Rid and Ben Buchanan performed a research (Thomas Rid and Ben Buchanan, 2014) and attempt to move the debate on attributing cyber-attacks. “Human Lives and the security of the state may depend on ascribing agency to an agent” (Thomas Rid and Ben Buchanan, 2014). They said that, Cyber-crime’s damage can be physical, financial or reputational. In that journal article emphasized, most industrial and technical or interconnected countries are the most vulnerable and threated countries and less technical and less interconnected countries have some aspect of advantage, but not least. Another staple by this analysis is that, they mentioned some sensitive information about how US government acting with Cyber related incidents. By referencing this journal article, a researcher can get major key points about current situation of cyber-attacks in real world.

            Brian Cashell, William D. Jackson, Mark Jickling and Baird Webel said “Information Security-the safe guarding of computer systems and the integrity, confidentiality, and availability of the data they contain – has long been recognized as a critical national policy issue” (Brian Cashell, William D. Jackson, Mark Jickling, & Baird Webel , April 1, 2004). In this journal article states about Studies of the Effect of Cyber-Attacks on Stock Prices and economy related incidents on cyber space. They emphasized the question that, do both private and public sectors invest enough resources on cyber security and information security? And also this report summarized the facts that, theoretical works and surveys about limited empirical data on attack costs on reliable and comprehensive statistics. 

2.3 Cyber Terrorism (cyb-terrorism)

            Aparrajitha Ariyadasa’s journal article mainly states about how social media platforms are used to terrorist propagandizing and recruiting. Aparrajitha Ariyadasa said that, “social media have proved particularly well-suited for terrorist propagandizing and recruiting for several reasons”  (Ariyadasa, 23 May 2019) in her journal article. And also this article emphasized about past terrorist incidents which were used cyber space to communicate and propagate. And also this article mentioned about Sri Lankan laws to curb Cyber Terrorism.

            “Cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents” (SURABHI). This is how term “Cyber Terrorism” defined in Medha Surabhi’s journal article. Moreover, it states that, the similarities and differences on Cyber Terrorism and Cyber Warfare in real world. In this article described about ways of occurring Cyber Terrorism and victims and examples of Cyber terrorism. Also She continues on that, how to prevent from Cyber Terrorism.

2.4 IP Privacy (IP)

            According to Andreas Fasbender, Dogan Kesdogan and Olaf Kubitz, “One of the key technologies with the most tremendous growth over the past decade is summarized in the buzzword, MOBILE COMPUTING” (Andreas Fasbender, Dogan Kesdogan, & Olaf Kubitz , 1996). In this research article they gave an overview of mobile IP and terms of security issues regarding on IP Privacy. They emphasized the problem, if attacker analysis someone’s traffic with the help of address headers of packets, he can access to the location and also who has communicated with whom and for how long. Also this article states about what are the possible extensions of security regarding IP privacy.

            Every computer or device which wants to connect to internet receives a unique IP address that facilitates communication with other computers or devices. In his journal article, Joshua J. Mcintyre said that, “Today’s online world lulls its inhabitants into a false sense of anonymity while secretly recording their every move for future discovery” (McIntyre). Moreover, as they explained, within the data exchange on internet, these address are recorded and keep trails of user’s online privacy. They fingered to Internet Service Provider (ISP) as middle man of this process. This means “ISPs have the power to obliterate privacy online.  Everything we say, hear, read, or do on the Internet first passes through ISP computers” (McIntyre).  Also this journal article had given the more relevant suggestions about how to protect our IP privacy within Cyber space. 

3.0 Methodology

Priority is given to the Sri Lankan laws (Acts and Bills) and this research was based on theoretical basis. Moreover, this is a quantitative analysis with the aim of examining whether the Sri Lankan laws are sufficient to prevent a cyber warfare.  Internet, Blogs, Websites, Journal Articles and other online sources are the primary sources which are used as a way of gathering information. Analyzing Sri Lankan law acts, referencing law articles, books are the secondary sources. Different part of Sri Lankan cyber-crime act was compared whether it is safeguard the nation from a cyber-attack.        

4.0 Quantitative Analysis and Discussion of Facts

4.1 What is Cyber-Warfare?

Before the 21^st century, the word “WAR” means two or more countries fighting each other using weapons with the purpose of sizing lands and to prove superiority of each other. However, in 21^st century has arisen a new kind of warfare that nations do battles without guns or bombs. These days the biggest threat countries have to face is may be a rouge actor with a computer or a rouge nation who is armed with a cyber army. Cyber-Warfare implies using cyber-attacks by one country/state to destroy or damage the vital information system of another country/state or even cause death. This could be DDOS attacks, defacing essential websites, shut down essential data servers or gathering classified data. Difference between conventional military attack and cyber-attack is, a cyber-attack can be leave no trace, carried out from a distance and also extremely hard to capture the perpetrator. Cyber-Warfare is probably the greatest challenge that all countries have to face against nations national security as concerns. Day by day more devices are connected to the internet and going to be connected, more information is stored on those devices and systems. This is precisely what make more attack surface is continues to grow.  However, cyber warfare is a relatively new concept to the world. But they do exist and real world examples indicates such attacks are happening among high profile countries. As international warfare and competition continue to move into a digital era and all countries need to develop new paradigms to respond to these new disasters.

4.2 Analyze of Sri Lankan Laws Regarding Cyber-Warfare

The laws regarding within the Sri Lankan frame, there are several main acts are handling for the Cyber warfare prevention.

                 i.          Intellectual Property Act (No.36 of 2003)

               ii.          Electronic Transaction Act (No.19 of 2006)

             iii.          Computer Crime Act (No.24 of 2007)

             iv.          Cyber Security Bill

4.2.1 Intellectual Property Act (No.36 of 2003)

This act mainly focuses regarding the copy rights. These rights take two forms, economic right and moral right. Copyright protects the creators for their literary and artistic works. (Act, No.19 of 2003). When it’s causing for cyber-warfare it deals with any matter related computers such like software modification and misuse.

4.2.2 Electronic Transaction Act (No.19 of 2006)

This act mainly focuses regarding the exchange and the creation of data, messages, e-transfer, e-documents and other electronic form in Sri Lanka. When it comes for the cyber warfare, it deals with the offences of hacking those protected electronic form. (Electronic Transation Act, No.19 of 2006)

4.2.3 Computer Crime Act (No.24 of 2007)

This act mainly addresses computer related crimes in Sri Lanka such like Hacking, Pornography, Cyber Bullying, sexting etc. 38 chapters are included to Computer crime act with consist of three main components, that are

                           i.          Computer Crime – Computer related crimes such like data theft, criminal activities

                         ii.          Offences related for Hacking activities – Creation of virus, worm / Exploitation of computer system or network

                       iii.          Content related crime or violation – Group of computers/networks get together and distribute illegal stuffs (porn, torrents)

Section 03 and section 04 respectively state that, unauthorized access to a computer or computer system or any other information system can be offence under the computer crime act of Sri Lanka. IT professionals are protected under Section 05, section 07 and 08 from unlawful uploading, buying, modification any data. Section 09 and section 10 state that, Without the knowledge or authorization of true programmer or owner, distribution of codes, programs, passwords are offence under Computer crime act of Sri Lanka. Section 15 and section 16 of the act state regarding the investigation of such offences. Further section 18 describes about powers which are given to the police officers within the act. Section 19 and 21 also describes about arrest & search procedures. The investigations are done in accordance with the provisions of the “code of criminal procedure Act, no 15 of 1979” under section is of computer crime act. (Computer Crime Act (No.24 of 2007)). In section 15 to section 24, there are many laws in order to protect cyber-crime victims. Section 23, section 24, section 28 and 29 states that duties and responsibilities of the investigator. Behalf of the cyber warfare, there is section related to it, and it is section 33. This section explains about, when an another government made a request to Sri Lankan government for extradition of the person who accused on an offence under this act, the minister of Sri Lanka shall immediately notify the requesting government about the procedures which Sri Lankan government has taken on that person or extradite that respective person. Under section 34 of act illustrates about rights of non-Sri Lankan person arresting procedures.

4.2.3 Cyber Security Bill

Sri Lanka government has drafted a new cyber security bill and now it’s currently in queue on the way to the parliament approval. (Mudalige, 2019) The goals of this bill is to protect sensitive information and digital services from future cyber-attack, implement an effective National Cyber Security Strategy in Sri Lanka, prevent cyber-attacks and cyber space related incidents, establish a new “Cyber Security Agency” and protect Critical Information Infrastructure within the country (CII).  Critical Information Infrastructure includes all computers and information system that are necessary for the continues delivery of essential services of the country. (Medianama, 2019) The proposed cyber security agency will be identifying and designate all matters related to cyber security incidents and threats in Sri Lanka.  Also it will be responsible for the Sri Lanka’s national cyber security strategy such like preparation and execution of policies, strategies, projects and programs. This agency will be the focal point of contact for all government departments and institutions for relevant cyber security. According to the new bill, an “Information Security Officer” (ISO) will be appointment to each department and institution. He will be responsible for compliance and security of the department or institution with the prescribed standards. The bill states that the Owner of the CII will be responsible for taking all the necessary steps to protect the CII. Moreover, the new bill describes about offences, penalties and the powers of the minister.

5.0 Suggestions and Opinions (S & O)

When considering the above facts with comparison of Sri Lankan Laws related to cyber security, according to my point of view, Sri Lankan Cyber protection should be made an effective. The reason is, Sri Lanka is still in few steps back than the other countries because of Sri Lankan acts are not comprehensive regarding the protection of National Cyber Space. To prevent these circumstance, the government should make sure that national wide public awareness of IT related education on individual security in order to make the user secure in cyber space. Sri Lanka’s majority of users does not use legal software as they are expensive. Cause of that reason, they have been move for use the pirated copies of software. Use of pirated copies of software creates vulnerabilities in the network which attacker can easily turn computers in to zombies and can lead to a national wide cyber-attack. For avoid that, government should encourage the public in use of open source software and government should working in hand with IT companies should take an initiation to produce low cost editions of that software. Specially, government sector employees should cover the area of cyber security as the expansion of the government networks. Any employee’s careless incident would eventually make the network vulnerable and prone to attack.

6.0 Conclusion

As I mentioned above, technology is getting vary in scale day by day. It’s getting developed and so does the users of it. When a cyber space is not a tight without limitation adequately, it’s users may use it for crime. As explained, cyber warfare can from anytime, anywhere from the world. For that, we should safeguard the nation before it is attacked. Not only Sri Lanka, Cyber warfare is a complex disaster that is vital for IT specialist and national security specialist in all countries. As you know, nowadays most of government and private sector organizations, the process heavily relies on computer based system. If those systems attacked, country will be in a chaos for several days or may be months. At present in Sri Lanka, cyber-crime incidents show a major increase due to loopholes in Sri Lankan laws. It shows that Sri Lankan law is always few steps behind the technology. This laws regarding the cyber security should be cover all aspects of cyber-crimes. In order to do that, IT experts and law makers should working in hand with the government. New threats are created every minute that laws can be unaware of. Sri Lankan laws and acts should be updated regularly according to defend against that new threats. With above mentioned evidences, it is perceivable that current Sri Lankan laws are not sufficient to safeguard the nation from a future cyber warfare. Therefore, as explained in suggestions, the required laws and strategies should be enhanced within the Sri Lankan law along with the individual user in Sri Lankan cyber space.

7.0 Bibliography

(n.d.). In Computer Crime Act (No.24 of 2007).

(n.d.). In Computer Crime Act (No.24 of 2007).

Act, I. P. (No.19 of 2003).

Andreas Fasbender, Dogan Kesdogan, & Olaf Kubitz . (1996). Analysis of Security and Privacy in Mobile IP. 17.

Ariyadasa, A. (23 May 2019). CAN SRI LANKAN LAW COMBAT TERROR IN INTERNET? . 5.

Bergman, F. F. (2019, December 10). Retrieved from The New York Times: https://www.nytimes.com/2019/12/10/world/middleeast/Iran-bank-hacking-protests.html

Brian Cashell, William D. Jackson, Mark Jickling, & Baird Webel . (April 1, 2004). The Economic Impact of Cyber-Attacks. 45.

Kanno-Youngs, Z., & Nicole Perlroth. (Jan. 8, 2020). The New York Times. Retrieved from https://www.nytimes.com/2020/01/08/us/politics/iran-attack-cyber.html

Lindsey, N. (2019, August 5). Retrieved from CPO Magazine: https://www.cpomagazine.com/cyber-security/the-rise-of-the-global-cyber-war-threat/

Malawer, S. (November 18, 2010). Cyberwarfare: Law & Policy Proposals for U.S. & Global Governance. 5.

McIntyre, J. J. (n.d.). BALANCING EXPECTATIONS OF ONLINE PRIVACY: WHY INTERNET PROTOCOL (IP) ADDRESSES SHOULD BE PROTECTED AS PERSONALLY IDENTIFIABLE INFORMATION . 53.

Medianama. (2019, June 03). Retrieved from https://www.medianama.com/2019/06/223-sri-lankas-new-cyber-security-bill-is-ready-cyber-security-agency-designation-of-critical-information-infrastructure-and-more/

Mudalige, D. (2019, may 29). Daily News. Retrieved from http://www.dailynews.lk/2019/05/29/local/186891/new-cyber-security-draft-bill-ready

(No.19 of 2006). In Electronic Transation Act.

Schmitt, M. N. (September 4, 2013). THE LAW OF CYBER WARFARE:. 32.

SURABHI, M. (n.d.). CYBER WARFARE AND CYBER TERRORISM . 15.

The Wall Street Journal . (Jan. 9, 2020). Retrieved from https://www.wsj.com/articles/threat-of-cyberattack-by-iran-still-critical-experts-say-11578621927

Thomas Rid and Ben Buchanan. (2014). Attributing Cyber Attacks. 35.