Viewing The Cybercrime Act (2015) From a Global Perspective Ayo Rotibi (Chief Consulting Officer) iSecure Consulting Ltd, UK, NG


INEC Website Hacked: 22/03/15

Stuxnet: The World’s First Digital Weapon

Story

Moral lesson

Those motivated to do harm seek vulnerabilities – and create malware to exploit them

Some researchers hunt for these vulnerabilities on behalf of governments, others on behalf of criminal syndicates, but many ‘white hat’ researchers constantly do the same job for little or no pay

DAILY CONVERGENCE DEPENDENCY

294 billion e-mails sent

Generated/consumed information fill 168M DVDs

864K hours of video uploaded to YouTube

22M hours of movies watched on Netflix alone

Social networks reach 20% of the world population

SMS traffic generates $812K every minute

Average Skype conversation lasts 27 minutes

15% of the global population use their mobile phones to shop online

There are more mobile phones on the planet than there are people

TODAY AND THE NEAR FUTURE

Estimated World Population – Today: 7 billion; 2030: ~8 billion people

Estimated Internet Population – Today: 2.5 billion people (35% of population is online); 2030: ~5 billion people (60% of population is online)

Total Number of Devices – Today: 12.5 billion internet connected physical objects and devices (~6 devices per person); 2030: 50 billion internet connected physical objects and devices (~10 devices per person)

ICT Contribution to the Economy – Today: ~4% of GDP on average; 2030: 10% of worldwide GDP

Source: Evans, The Internet of Things. How the Next Evolution of the Internet Is Changing Everything.

CYBERX DEFINITIONS: CYBERSPACE

More than the internet, including not only hardware, software and information systems, but also people and social interaction within these networks

‘...systems and services connected either directly to or indirectly to the internet, telecommunications and computer networks.’ The ITU

‘...the complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, which does not exist in any physical form.’ The ISO

CYBERX DEFINITIONS: CYBERSPACE

‘all forms of networked, digital activities; this includes the content of and actions conducted through digital networks.’ United Kingdom

‘...encompasses all forms of digital engagements, interactions, socializations and transactional activities; contents, contacts and resources deployed through interconnected networks.’ Nigeria

CYBERX DEFINITIONS: CYBERSECURITY

More than 50 nations have published some form of a cyber strategy defining what security means to their future national and economic security initiatives

https://ccdcoe.org/strategies-policies.html

Nigeria has not updated her Strategy Document here

[Figure: Relationship between Cyber Security and other Security Domains (Adopted from ISO/IEC 27032:2012, ‘Information technology – Security techniques – Guidelines for cybersecurity’). Domains shown: Critical Information Infrastructure Protection (CIIP); Network Security; Internet Security; ICT Security; CyberSecurity; Information Security; CyberCrime; CyberSafety]

Cybercrime: UNGA Resolutions 55/63 and 56/121

Resolution 56/123

“...invites Member States, when developing national law to combat the criminal misuse of information technologies, to take into account, the work and achievements of the Commission on Crime Prevention and Criminal Justice and of other international and regional organizations.”

Resolution 55/63

Eliminate safe havens for criminals

Train and equip LEA to address cybercrime issues

Protection of individual freedom and privacy

Create Public awareness

Cybercrime: ITU GCA

Calls for the elaboration of strategies for the development of cybercrime legislation that is globally applicable and interoperable with existing national and regional legislative measures

“Considering the Council of Europe’s Convention on Cybercrime as an example of legal measures realized as a regional initiative, countries should complete its ratification, or consider the possibility of acceding to the Convention of Cybercrime. Other countries should, or may want to, use the Convention as a guideline, or as a reference for developing their internal legislation, by implementing the standards and principles it contains, in accordance with their own legal system and practice.” WA1 Recommendation 1.3

Cybercrime: Budapest Convention 2001

Nations around the world have identified cyber crime (however it is defined) as a national priority. They also recognise that jurisdiction for prosecuting cybercrime stops at national borders, which underscores the need for cooperation and coordination through regional organisations.

“Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, by adopting appropriate legislation and fostering international co-operation” The Council of Europe Convention on Cybercrime

CyberSecurity Ecosystem

[Diagram: CyberSecurity Ecosystem. Elements shown: Regional and Global Partnership; Cyber Crime; Cyber Warfare; National Cyber Assets / and Critical Information Infrastructures; Telecoms; Encryption and Cryptography; Territorial Airspace; Academics; Policies; Presidential Directives; Judiciary; Regulatory & Enforcement Agencies; Tools; Safeguards; Concepts; Legislations; Risk Mgt; Cyber Terrorism]

Cybersecurity V Cybercrime

[Diagram: Cybersecurity V Cybercrime. Elements shown: Non-intentional ICT Security Incidents; Offences by means of ICT; Offences involving ICT; Intentional attack against ICT; Attack against Critical Infrastructures; Other attacks against CIA of ICT; Security/trust/resilience/reliability of ICT; Rule of law / Criminal Justice and Human Right; Cybersecurity Strategies; Cybercrime Strategies]

Cybercrime: Budapest Convention 2001

A comprehensive Cybercrime Strategy generally contains technical protection measures, as well as legal instruments.

“Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cybercrime, by adopting appropriate legislation and fostering international co-operation” The Council of Europe Convention on Cybercrime

Cybercrime: Computer Misuse Act 1990

This British Act is the foremost Cybercrime Legislation

Predates the Budapest Convention

Defines Computer misuse offences:

Unauthorised access to computer material.

Unauthorised access with intent to commit or facilitate commission of further offences.

Unauthorised modification of computer material.

Nigeria’s Perspective - Highlights

Based on criminalization (Cybercrime) of various cyber activities:

Critical national information structure offences

Cyber-terrorism

Child pornography

Racism or xenophobia

Other cyber-related crimes

Nigeria’s Cybercrime Act 2015

Broadly captured under the following:

Critical Information Infrastructure Protection (CIIP)

Unauthorised access to computer data

Unauthorised modification of computer data

Damaging or denying access to computer system & system interference

Unauthorised receiving or giving access to a computer program or data

Illegal devices or data

Related Offenses

Duties of Providers

Nigeria’s Cybercrime Act 2015: Objectives

Provide an effective and unified legal, regulatory and institutional framework for the Prohibition, Prevention, Detection, Prosecution and Punishment of cybercrimes in Nigeria;

Ensure the protection of critical national information infrastructure; and

Promote cybersecurity and the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and privacy rights

Cybercrime Act 2015 – Ecosystem

[Diagram: Cybercrime Act 2015 ecosystem. Elements shown: Regional and Global Partnership; Cyber Security; National Cyber Assets / and Critical Information Infrastructures; Telecoms; Digital Forensics; Policies; Presidential Directives; Concepts; Legislations; Cyber Terrorism; Regulatory & Enforcement Agencies; Judiciary]

Nigeria’s Cybercrime Act 2015: Part II

This is not captured under any of the International Instruments earlier mentioned

UNGA Resolution 57/239 captures the essence of protecting CNII

Other instruments include:

OECD Recommendation of the Council on the Protection of Critical Information Infrastructures

The Green Paper on a European Program for Critical Infrastructure Protection

Developments in the field of information and telecommunications in the context of international security

And many more…

Nigeria’s Cybercrime Act 2015: Part III

The Convention on Cybercrime distinguishes between four different types of offences:

Offences against the confidentiality, integrity and availability of computer data and systems;

Computer-related offences;

Content-related offences; and

Copyright-related offences

Part III of the Act is in line with Articles 2-12 of the Convention (even if there are over 50 computer-related offences)

The Act does not include Copyright-related offenses

Nigeria’s Cybercrime Act 2015: Part III

Article 13 – Sanctions and measures states:

Each Party shall adopt such legislative and other measures as may be necessary to ensure that the criminal offences established in accordance with Articles 2 through 11 are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty

Each Party shall ensure that legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions

Nigeria’s Cybercrime Act 2015: Part IV

Duties: 37.3 – Obligation of Financial institutions to customers

Duties: 38.3 & 38.5 – The provisions under this section need to be strengthened in line with the spirit of Article 15: Condition and Safeguards

Legal Interception: 39 – This aligns with Article 20: Real-time collection of traffic data. However, the provision is short on the responsibility of government to the Service Providers.

20.b states “compel a service provider, within its existing technical capability”

Nigeria’s Cybercrime Act 2015: Parts VII and VIII

Judiciary and International Co-operation:

This aligns with Articles 23 – 25

Miscellaneous (Use of Terms):

Definition and use of terms are similar in the Act and Convention

The Act has more terms and definitions listed than the Convention

National cybersecurity Document

https://ccdcoe.org/strategies-policies.html

Nigeria has nothing to share!

From the perspective of National Security, we can view cyber security in terms of four objectives and our ability to achieve them:

Deter: Create and implement policies that allow us to generate a feasible and believable deterrence

Detect: Create and implement policies that allow us to detect when, where and how an intrusion has taken place.

React: Create and implement procedures and policies that define how we react to an intrusion in order to ensure that the exploit does not happen again, and that the vulnerability used to gain access to the system is eliminated.

Recover: Recover all assets and resources from a breach in security.

Cyber Security Objectives: National Security Perspective

To date, there is not a universal understanding on basic cyber terms and definitions, so common solutions will remain scarce. However, the Budapest Convention offers a framework broad enough to accommodate most

The Cybercrime Act 2015 is aligned with the spirit of the Budapest Convention in many ways

Also aligns with the spirit of the Computer Misuse Act

Cybercrime is all about PEOPLE, PEOPLE (and less about technology)

Conclusion

NBA needs to play a more active role to midwife the future

Need to set up Specialized Cybercrime Unit

Nigeria will do well to join other nations such as South Africa, USA, Canada, Japan and UK in acceding to the Budapest Convention

Conclusion

Contact

Mobile: 08187704842

Skype: arotibi

Questions