To catch a cybercriminal
Date: October 15, 2003Source: Computer Crime Research Center
By:
WHAT is cybercrime? The Oxford Reference Online defines cybercrime as crime committed over the Internet (www.oxfordreference.com/views/ENTRY.html?ssid=175131518&entry=t49.000925&srn=1&cate gory= - FIRSTHIT). Some people call cybercrime “computer crime.” The Encyclopaedia Britannica defines computer crime as any crime that is committed by means of special knowledge or expert use of computer technology.
Computer crime could reasonably include a wide variety of criminal offences, activities, or issues. The scope of the definition becomes even larger with the frequent companion or substitute term “computer-related crime.” Some writers are also of the opinion that “computer crime” refers to computer-related activities which are either criminal in the legal sense of the word or just antisocial behaviour where there is no breach of the law (Lee, M.K.O. (1995) Legal control of computer crime in Hong Kong, Information Management &Computer Security 3(2) 13-19 – http://mustafa.emeraldlibrary.com/vl=4775179/cl=50/nw=1/rpsv/~1177/v3n2/s3/p13).
The word “hacker” should also be defined here, as it will be used extensively in this article – hackers are basically people who break into and tamper with computer information systems. The word “cracker” carries a similar meaning, and “cracking” means to decipher a code, password or encrypted message.
What is concerning is that organised crime is escalating on the Internet, according to a 2002 statement by the head of Britain's National High-tech Crime Unit, Lee Hynds (www.ananova.com/news/story/sm_724492.html?menu). According to him the Internet provides organised crime groups with “a relatively low risk theatre of operations.”
As the topic of cybercrime is so wide, what I would like to do is focus on Malaysia’s Computer Crimes Act 1997, local law enforcement and practical tips on how to prevent cybercrime.
Computer crime laws in other countries, the enforcement and multilateral efforts to harmonise laws against cybercrime will be discussed in next month’s column.
Are there laws in Malaysia to prosecute cybercriminals? What are the penalties for cybercriminals in Malaysia?
The need for laws against cybercriminals is obvious. A school dropout from the Philippines who wrote the ILOVEYOU virus was not prosecuted by the Philippine Government because at that time, the country did not have laws relating to virus creators. Ironically, the then President Estrada stated that perhaps the Philippines should leverage on the fact that they have such good virus writers to attract global technology companies to base themselves in the Philippines, considering the capable talent available in the country.
Viruses and worms are getting more insidious nowadays – take for instance, the Swen worm, which cleverly disguises itself as an e-mail message from Microsoft with a patch attached.
Besides hacking and cracking, technology and the Internet can be used for a myriad of other illegal purposes: drug dealers use encrypted fax machines to send orders for narcotics to their suppliers in a neighbouring country.
Gangsters can use computers for extortion. Prostitution rings maintain their customer payments and client lists through computer software applications. Burglary rings track break-ins and then inventory their winnings from each job. Gangsters who want to murder a person in hospital can crack the hospital’s computers to alter the dosage of medication (www.scmagazine.com/scmagazine/2000_04/cover/cover.html).
Cybercriminals can range from teenagers who vandalise websites to terrorists who target a nation. However, we will leave the discussion on cyberterrorism to another installation of this column.
Laws specifically catered for criminal activity through, over and using the Internet is essential for a nation state to have, especially in this globalised, Internet age. Take the example of the ILOVEYOU virus again, which spread to at least 45 million computers worldwide causing billions of dollars in damage (www.ananova.com/news/story/sm_51942.html).
The Computer Crimes Act 1997 provides for offences against cybercrime. Now, it is not the case that the other Acts of Parliament do not provide for criminal offences (like the Communications and Multimedia Act 1998, the Digital Signature Act 1997 and the Optical Discs Act 2000), it is just that in terms of cybercrime itself, the Act of Parliament which is the most relevant is the Computer Crimes Act. This Act is divided into three parts, that is the “Preliminary,” “Offences” and “Ancillary And General Provisions” parts and is 12 sections long. It came into force on June 1, 2000.
Section 3 provides for the offence of unauthorised access to computer material. A person shall be guilty of an offence if three elements exist, that is:
- He causes a computer to perform any function with intent to secure access to any program or data held in any computer;
- The access he intends to secure is unauthorised; and
- He knows at the time that he accesses the computer without authorisation.
The section then states that the intent a person has to have to commit the offence need not be directed at any particular program or data, a program or data of any particular kind or a program or data held in any particular computer. One meaning of this part may be that it does not matter whether or not a hacker knows what the consequences of his act will be, which program or data he or she will access or even which computer he or she will access, just as long as he knows that his access is unauthorised. The penalty for this offence is a maximum fine of RM50,000, a maximum prison sentence of five years or both the fine and imprisonment.
Section 4 provides for the offence of unauthorised access with intent to commit or facilitate the commission of a further offence. A person shall be guilty of an offence under this section if two elements exist, that is:
- He or she accesses unauthorised computer material without access; and
- He or she accesses this computer material with the intent of: committing an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code; or facilitating the commission of such an offence whether by himself or by any other person.
A person guilty of an offence under this section shall on conviction be liable to a maximum fine of RM150,000 or a maximum prison term of 10 years or both the fine and imprisonment. As you can see, the legislature has provided for a higher fine and a higher prison term for this offence, as the crime here is more serious than in Section 3, as the commission of a further offence of fraud, dishonesty or injury is envisaged.
Section 5 provides for the offence of unauthorised modification of the contents of any computer. A person shall be guilty of the offence if he does any act which he knows will cause unauthorised modification of the contents of any computer. Section 5 also states that it is immaterial that the act in question is not directed at any particular program or data a program or data of any kind or a program or data held in any particular computer.
This most probably means that it does not matter whether or not the hacker knows which program or data, or even which computer will be affected by his actions, just as long as he knows his actions will cause unauthorised modifications. For the purposes of Section 5, it is immaterial whether an unauthorised modification is, or is intended to be, permanent or merely temporary. The penalty is a maximum fine of RM100,000 or a maximum prison sentence of seven years or both the fine and prison sentence. However, if the modification was done to cause injury, then the maximum fine is RM150,000 and the maximum prison term is 10 years.
Section 6 is the offence of wrongful communication. A person shall be guilty of an offence if he communicates directly or indirectly a number, code, password or other means of access to a computer to any person other than a person to whom he is duly authorised to communicate it to. The penalty for the offence is a maximum fine of RM25,000 or a maximum prison sentence of three years or both.
Section 7 provides for a criminal offence if a person assists in the commissioning of any of the offences above, attempts to commit any of the offences above or was preparing to commit any of the offences above.
Section 11 provides for the criminal offence if:
- A person assaults, obstructs, hinders or delays a police officer when the latter is attempting to enter any premises for the purposes searching, seizing or arresting as provided for under the Act; or
- A person fails to comply with any lawful demands of a police officer acting in the execution of his duty under the Act.
A person found guilty under Section 11 faces a maximum fine of RM25,000 or a maximum prison term of three years or to both the fine and prison term.
Section 9 of the Computer Crimes Act states that the provisions of the Act shall have effect outside as well as within Malaysia and where the commission of the offence was performed outside Malaysia, he may be dealt with in respect of such offence as if...
Next
Add comment
Email to a Friend
