Laws in Sri Lanka to prevent Cyber-Terrorism and analyse whether these laws are sufficient to prevent a Cyber-Warfare in the future
“Iran’s Military Response May
Be Concluded, But Cyber Warfare Threat Grows” (Kanno-Youngs & Nicole
Perlroth, Jan. 8, 2020) , “Threat of Cyberattack by Iran still
critical, Experts say” (The Wall Street Journal ,
Jan. 9, 2020) ,
these latest news headlines may conclude the major threat that 21st
century modern countries have to faced. “Cyber Security is the newest
and most unique national security issue of the 21st century” (Malawer, November 18, 2010) . Debate over Cyber Warfare is now affected to
all over countries. As a developing nation, Sri Lanka is also vulnerable to
this rising technological war to some extent.
In
this article, I addressed the existing Sri Lankan laws (Intellectual
Property Act (No.36 of 2003), Electronic Transaction Act (No.19 of 2006),
Computer Crime Act (No.24 of 2007), Cyber Security Bill) regarding Cyber Warfare and analyzed the loop holes and
vulnerabilities of current security strategies.
I concluded the article by proposing relevant methods to safeguard the
nation from a future “Cyber Warfare”.
1.0 Introduction
1.1 Introduction to the Issue
With the major development
of the technology, mankind has simultaneously created a lager trend in the use
of same technology as weapons of modern war. Over the last decades high profile
cyber-attacks are extremely increased among governments such as United States,
China, Russia and North Korea. In the wake of these threats, numbergof researchers have
focused about discussion of deterrence strategy to modern cold war which is
called as cyber warfare. Nowadays almost Sri Lankan infrastructure such like
Banks, Airports, Hospitals, Power Grids, Military and many other systems and
every aspect of human lives are depending on the internet and computer systems.
This means that every Sri Lankan person are all vulnerable to this cold war to
some extent, let alone entire Sri Lanka. This may could lead to a cyber warfare
in near future. “Colombo city is blacked out since two days”, “Airplanes cannot
land to the katunayake airport due to a system error”, “People’s bank has been
hacked” these are the possible disasters may present in near future, if Sri
Lanka wouldn’t protect against cyber warfare. Not only Sri Lanka, any country
would be collapsed into chaos under such kind of conditions. For that, are the
Sri Lankan laws sufficient to prevent a cyber warfare?
1.2 History and Background
The history of
cyber warfare is possible to date back to the evolution of the internet
simultaneously. In the last few years we have seen a number of examples of the
cyber-attacks and the computer crime incidents around all over the world. “Iran Banks Burned, The Customer Accounts
Were Exposed” (Bergman, 2019) , “Signs that Russia,
China and Iran might be preparing for a cyber war” (Lindsey, 2019) . These two incidents are the part of
larger trend in the use of technology as weapons of modern cold war. Not only the high profile countries, within
the Sri Lankan frame Sri Lanka CERTCC (Sri Lanka Computer Emergency Readiness
Team, coordination Centre) informed 3907 cyber security regarded incidents in
2017 and that was a prominent acceleration from 2010.
1.3 Aim and Objectives
The main objective
of this research is to analyses the loop holes and vulnerabilities of Sri
Lankan laws whether these laws are sufficient to prevent a cyber warfare in the
future. Secondary objective is to identifying the rules, regulations regarding
cyber security and proactive, reactive measures that can be taken against cyber
warfare.
2.0 Literature Review
2.1 Cyber-Warfare (cyb-war)
Michael N.
Schmitt’s article examines about how existing laws of Cyber Warfare may evolve
in response to growing world-wide threat of cyber warfare incidents in modern
world. He mentioned that, “NATO Cooperative Cyber Defense Centre of Excellence
launched a major research project in late 2009 to examine the public
international law governing cyber warfare” (Schmitt, September 4, 2013) . He continues his article on explaining on
extant law as set forth in the Tallinn manual on International law of cyber
warfare. Moreover, this
article mainly states about the reaction of states to cyber operations and how
to prevent cyber warfare as state wisely. He emphasized that “If the right of
self-defense was to remain meaningful, it had to adapt to the changed security
environment” (Schmitt, September 4, 2013) .
Stuart Malawer said that, “The most critical aspect of this issue is the notion
of cyberwarfare, which is the use of computer technologies as both defensive
and offensive weapons in international relations” (Malawer, November 18, 2010) . In this journal
article he addressed the concepts cyber warfare and cyber terrorism in the
context of domestic and international connections form both legal and political
perspective. He examined recent private sector and government sector reports on
cyber warfare. And also in his article he emphasized the major issues that
confronts the countries as they struggle to prevent the term “Cyber Warfare”.
He concluded the facts by proposing procedures and methods to structuring
comprehensive cyber security strategy for all countries which are struggle from
Cyber warfare.
2.2 Cyber Crime (cyb-crime)
Cyber-attacks are
something that have become a social phenomenon in the present society. Thomas
Rid and Ben Buchanan performed a research (Thomas Rid and Ben Buchanan, 2014) and attempt to move
the debate on attributing cyber-attacks. “Human Lives and the security of the
state may depend on ascribing agency to an agent” (Thomas Rid and Ben Buchanan, 2014) . They said that,
Cyber-crime’s damage can be physical, financial or reputational. In that
journal article emphasized, most industrial and technical or interconnected
countries are the most vulnerable and threated countries and less technical and
less interconnected countries have some aspect of advantage, but not least.
Another staple by this analysis is that, they mentioned some sensitive
information about how US government acting with Cyber related incidents. By
referencing this journal article, a researcher can get major key points about
current situation of cyber-attacks in real world.
Brian Cashell, William D. Jackson, Mark
Jickling and Baird Webel said “Information Security-the safe guarding of
computer systems and the integrity, confidentiality, and availability of the
data they contain – has long been recognized as a critical national policy
issue” (Brian Cashell, William D. Jackson, Mark Jickling, & Baird Webel ,
April 1, 2004) .
In this journal article states about Studies of the Effect of Cyber-Attacks on
Stock Prices and economy related incidents on cyber space. They emphasized the
question that, do both private and public sectors invest enough resources on
cyber security and information security? And also this report summarized the
facts that, theoretical works and surveys about limited empirical data on
attack costs on reliable and comprehensive statistics.
2.3 Cyber Terrorism (cyb-terrorism)
Aparrajitha
Ariyadasa’s journal article mainly states about how social media platforms are
used to terrorist propagandizing and recruiting. Aparrajitha Ariyadasa said that,
“social media have proved
particularly well-suited for terrorist propagandizing and recruiting for
several reasons” (Ariyadasa, 23 May 2019) in her journal
article. And also this article emphasized about past terrorist incidents which
were used cyber space to communicate and propagate. And also this article
mentioned about Sri Lankan laws to curb Cyber Terrorism.
“Cyber terrorism is the
premeditated, politically motivated attack against information, computer
systems, computer programs, and data which result in violence against
noncombatant targets by sub national groups or clandestine agents” (SURABHI) . This is how term “Cyber
Terrorism” defined in Medha Surabhi’s journal article. Moreover, it states
that, the similarities and differences on Cyber Terrorism and Cyber Warfare in
real world. In this article described about ways of occurring Cyber Terrorism
and victims and examples of Cyber terrorism. Also She continues on that, how to
prevent from Cyber Terrorism.
2.4 IP Privacy (IP)
According to Andreas
Fasbender, Dogan Kesdogan and Olaf Kubitz, “One of the key technologies with
the most tremendous growth over the past decade is summarized in the buzzword,
MOBILE COMPUTING” (Andreas Fasbender, Dogan Kesdogan, & Olaf Kubitz , 1996) . In this research
article they gave an overview of mobile IP and terms of security issues
regarding on IP Privacy. They emphasized the problem, if attacker analysis someone’s
traffic with the help of address headers of packets, he can access to the location
and also who has communicated with whom and for how long. Also this article
states about what are the possible extensions of security regarding IP privacy.
Every computer or device which wants
to connect to internet receives a unique IP address that facilitates
communication with other computers or devices. In his journal article, Joshua
J. Mcintyre said that, “Today’s online world lulls its inhabitants into a false
sense of anonymity while secretly recording their every move for future
discovery” (McIntyre) . Moreover, as they
explained, within the data exchange on internet, these address are recorded and
keep trails of user’s online privacy. They fingered to Internet Service
Provider (ISP) as middle man of this process. This means “ISPs have the power
to obliterate privacy online. Everything
we say, hear, read, or do on the Internet first passes through ISP computers” (McIntyre) . Also this journal article had given the more
relevant suggestions about how to protect our IP privacy within Cyber
space.
3.0 Methodology
Priority is given
to the Sri Lankan laws (Acts and Bills) and this research was based on
theoretical basis. Moreover, this is a quantitative analysis with the aim of
examining whether the Sri Lankan laws are sufficient to prevent a cyber
warfare. Internet, Blogs, Websites,
Journal Articles and other online sources are the primary sources which are
used as a way of gathering information. Analyzing Sri Lankan law acts,
referencing law articles, books are the secondary sources. Different part of
Sri Lankan cyber-crime act was compared whether it is safeguard the nation from
a cyber-attack.
4.0 Quantitative Analysis and
Discussion of Facts
4.1 What is Cyber-Warfare?
Before the 21st
century, the word “WAR” means two or more countries fighting each other using
weapons with the purpose of sizing lands and to prove superiority of each
other. However, in 21st century has arisen a new kind of warfare
that nations do battles without guns or bombs. These days the biggest threat
countries have to face is may be a rouge actor with a computer or a rouge
nation who is armed with a cyber army. Cyber-Warfare implies using
cyber-attacks by one country/state to destroy or damage the vital information
system of another country/state or even cause death. This could be DDOS
attacks, defacing essential websites, shut down essential data servers or
gathering classified data. Difference between conventional military attack and
cyber-attack is, a cyber-attack can be leave no trace, carried out from a
distance and also extremely hard to capture the perpetrator. Cyber-Warfare is
probably the greatest challenge that all countries have to face against nations
national security as concerns. Day by day more devices are connected to the
internet and going to be connected, more information is stored on those devices
and systems. This is precisely what make more attack surface is continues to
grow. However, cyber warfare is a relatively
new concept to the world. But they do exist and real world examples indicates
such attacks are happening among high profile countries. As international
warfare and competition continue to move into a digital era and all countries
need to develop new paradigms to respond to these new disasters.
4.2 Analyze of Sri Lankan Laws Regarding Cyber-Warfare
The laws regarding
within the Sri Lankan frame, there are several main acts are handling for the
Cyber warfare prevention.
i.
Intellectual
Property Act (No.36 of 2003)
ii.
Electronic
Transaction Act (No.19 of 2006)
iii.
Computer
Crime Act (No.24 of 2007)
iv.
Cyber
Security Bill
4.2.1 Intellectual Property Act (No.36 of 2003)
This act mainly focuses
regarding the copy rights. These rights take two forms, economic right and
moral right. Copyright protects the creators for their literary and artistic
works. (Act, No.19 of 2003) . When it’s causing for cyber-warfare it
deals with any matter related computers such like software modification and
misuse.
4.2.2 Electronic Transaction Act (No.19 of 2006)
This act mainly
focuses regarding the exchange and the creation of data, messages, e-transfer,
e-documents and other electronic form in Sri Lanka. When it comes for the cyber
warfare, it deals with the offences of hacking those protected electronic form.
(Electronic Transation Act, No.19 of 2006)
4.2.3 Computer Crime Act (No.24 of 2007)
This act mainly
addresses computer related crimes in Sri Lanka such like Hacking, Pornography,
Cyber Bullying, sexting etc. 38 chapters are included to Computer crime act
with consist of three main components, that are
i.
Computer
Crime – Computer related crimes such like data theft, criminal activities
ii.
Offences
related for Hacking activities – Creation of virus, worm / Exploitation of
computer system or network
iii.
Content
related crime or violation – Group of computers/networks get together and
distribute illegal stuffs (porn, torrents)
Section 03 and
section 04 respectively state that, unauthorized access to a computer or
computer system or any other information system can be offence under the
computer crime act of Sri Lanka. IT professionals are protected under Section
05, section 07 and 08 from unlawful uploading, buying, modification any data.
Section 09 and section 10 state that, Without the knowledge or authorization of
true programmer or owner, distribution of codes, programs, passwords are
offence under Computer crime act of Sri Lanka. Section 15 and section 16 of the
act state regarding the investigation of such offences. Further section 18
describes about powers which are given to the police officers within the act. Section
19 and 21 also describes about arrest & search procedures. The
investigations are done in accordance with the provisions of the “code of
criminal procedure Act, no 15 of 1979” under section is of computer crime act. (Computer Crime Act (No.24 of 2007)) . In section 15 to
section 24, there are many laws in order to protect cyber-crime victims. Section
23, section 24, section 28 and 29 states that duties and responsibilities of
the investigator. Behalf of the cyber warfare, there is section related to it,
and it is section 33. This section explains about, when an another government
made a request to Sri Lankan government for extradition of the person who
accused on an offence under this act, the minister of Sri Lanka shall
immediately notify the requesting government about the procedures which Sri
Lankan government has taken on that person or extradite that respective person.
Under section 34 of act illustrates about rights of non-Sri Lankan person
arresting procedures.
4.2.3 Cyber Security Bill
Sri Lanka
government has drafted a new cyber security bill and now it’s currently in
queue on the way to the parliament approval. (Mudalige, 2019) The goals of this bill is to protect
sensitive information and digital services from future cyber-attack, implement
an effective National Cyber Security Strategy in Sri Lanka, prevent
cyber-attacks and cyber space related incidents, establish a new “Cyber
Security Agency” and protect Critical Information Infrastructure within the
country (CII). Critical Information
Infrastructure includes all computers and information system that are necessary
for the continues delivery of essential services of the country. (Medianama, 2019) The proposed cyber
security agency will be identifying and designate all matters related to cyber
security incidents and threats in Sri Lanka.
Also it will be responsible for the Sri Lanka’s national cyber security
strategy such like preparation and execution of policies, strategies, projects
and programs. This agency will be the focal point of contact for all government
departments and institutions for relevant cyber security. According to the new
bill, an “Information Security Officer” (ISO) will be appointment to each
department and institution. He will be responsible for compliance and security
of the department or institution with the prescribed standards. The bill states
that the Owner of the CII will be responsible for taking all the necessary
steps to protect the CII. Moreover, the new bill describes about offences,
penalties and the powers of the minister.
5.0 Suggestions and Opinions (S & O)
When considering
the above facts with comparison of Sri Lankan Laws related to cyber security,
according to my point of view, Sri Lankan Cyber protection should be made an
effective. The reason is, Sri Lanka is still in few steps back than the other
countries because of Sri Lankan acts are not comprehensive regarding the
protection of National Cyber Space. To prevent these circumstance, the
government should make sure that national wide public awareness of IT related
education on individual security in order to make the user secure in cyber
space. Sri Lanka’s majority of users does not use legal software as they are
expensive. Cause of that reason, they have been move for use the pirated copies
of software. Use of pirated copies of software creates vulnerabilities in the
network which attacker can easily turn computers in to zombies and can lead to
a national wide cyber-attack. For avoid that, government should encourage the
public in use of open source software and government should working in hand
with IT companies should take an initiation to produce low cost editions of
that software. Specially, government sector employees should cover the area of
cyber security as the expansion of the government networks. Any employee’s
careless incident would eventually make the network vulnerable and prone to
attack.
6.0 Conclusion
As I mentioned
above, technology is getting vary in scale day by day. It’s getting developed
and so does the users of it. When a cyber space is not a tight without
limitation adequately, it’s users may use it for crime. As explained, cyber
warfare can from anytime, anywhere from the world. For that, we should
safeguard the nation before it is attacked. Not only Sri Lanka, Cyber warfare
is a complex disaster that is vital for IT specialist and national security
specialist in all countries. As you know, nowadays most of government and
private sector organizations, the process heavily relies on computer based
system. If those systems attacked, country will be in a chaos for several days
or may be months. At present in Sri Lanka, cyber-crime incidents show a major
increase due to loopholes in Sri Lankan laws. It shows that Sri Lankan law is
always few steps behind the technology. This laws regarding the cyber security
should be cover all aspects of cyber-crimes. In order to do that, IT experts
and law makers should working in hand with the government. New threats are
created every minute that laws can be unaware of. Sri Lankan laws and acts
should be updated regularly according to defend against that new threats. With
above mentioned evidences, it is perceivable that current Sri Lankan laws are
not sufficient to safeguard the nation from a future cyber warfare. Therefore,
as explained in suggestions, the required laws and strategies should be
enhanced within the Sri Lankan law along with the individual user in Sri Lankan
cyber space.
7.0 Bibliography
(n.d.). In Computer Crime Act (No.24 of 2007).
(n.d.). In Computer Crime Act (No.24 of 2007).
Act, I. P. (No.19 of 2003).
Andreas Fasbender, Dogan Kesdogan, & Olaf Kubitz .
(1996). Analysis of Security and Privacy in Mobile IP. 17.
Ariyadasa, A. (23 May 2019). CAN SRI LANKAN LAW COMBAT
TERROR IN INTERNET? . 5.
Bergman, F. F. (2019, December 10). Retrieved from The New
York Times:
https://www.nytimes.com/2019/12/10/world/middleeast/Iran-bank-hacking-protests.html
Brian Cashell, William D. Jackson, Mark Jickling, &
Baird Webel . (April 1, 2004). The Economic Impact of Cyber-Attacks. 45.
Kanno-Youngs, Z., & Nicole Perlroth. (Jan. 8, 2020). The
New York Times. Retrieved from
https://www.nytimes.com/2020/01/08/us/politics/iran-attack-cyber.html
Lindsey, N. (2019, August 5). Retrieved from CPO Magazine:
https://www.cpomagazine.com/cyber-security/the-rise-of-the-global-cyber-war-threat/
Malawer, S. (November 18, 2010). Cyberwarfare: Law &
Policy Proposals for U.S. & Global Governance. 5.
McIntyre, J. J. (n.d.). BALANCING EXPECTATIONS OF ONLINE
PRIVACY: WHY INTERNET PROTOCOL (IP) ADDRESSES SHOULD BE PROTECTED AS
PERSONALLY IDENTIFIABLE INFORMATION . 53.
Medianama.
(2019, June 03). Retrieved from
https://www.medianama.com/2019/06/223-sri-lankas-new-cyber-security-bill-is-ready-cyber-security-agency-designation-of-critical-information-infrastructure-and-more/
Mudalige, D. (2019, may 29). Daily News. Retrieved
from
http://www.dailynews.lk/2019/05/29/local/186891/new-cyber-security-draft-bill-ready
(No.19 of 2006). In Electronic Transation Act.
Schmitt, M. N. (September 4, 2013). THE LAW OF CYBER
WARFARE:. 32.
SURABHI, M. (n.d.). CYBER WARFARE AND CYBER TERRORISM . 15.
The Wall Street Journal . (Jan. 9, 2020). Retrieved from
https://www.wsj.com/articles/threat-of-cyberattack-by-iran-still-critical-experts-say-11578621927
Thomas Rid and Ben Buchanan. (2014). Attributing Cyber Attacks.
35.
Comments
Post a Comment