Dr. M Nasir Mumtaz Bhutta
Institute of Computing
Bahauddin Zakariya University
Multan, Punjab, 60,000
Pakistan
Email: bhutta.nasir@gmail.com
www.bzu.edu.pk
Course: Information Security and Assurance
Cyber Security Laws
18 March 2015
Dr. M N M Bhutta www.bzu.edu.pk
Lecture Overview
• Why is it important to understand/define
Cyber Security Laws?
• Cyber Crimes.
• Well Known USA’s Cyber Security Laws.
• Pakistan’s Cyber Security Laws:
– Electronic Transaction Ordinance 2002.
– Electronic Cyber Crime bill/Act 2007.
• Recent Developments in Pakistan’s Cyber
Law.
Importance to Understand
Cyber Security Laws
• Cyber Security Laws are introduced:
– In response to cyber crimes.
– To improve organizational security.
– To protect people and their assets.
• Every country has its own set of laws.
• Organizations should determine which laws apply to them, depending upon their location.
• Organizations should incorporate cyber laws as part of
their security policy and include lawyers in their security
decisions.
• Governments have laid down security compliance requirements to protect people and their assets.
Cyber Crimes
• Some Latest Cybercrime Statistics
Cyber Crime Vs Conventional Crime
• Conventional Crime is:
– A social and economic phenomenon, as old as society.
– Legal wrong which can be followed by criminal
proceedings and can result in punishment.
• Cyber Crime is:
– Where a computer is the subject or object of the crime.
– Unlawful act where computer is a tool or target or
both.
Complexity of Cyber Disputes
• Cyber crime takes place across geographic boundaries worldwide.
• Which court will have exclusive jurisdiction over the crime?
• Different countries have different legal systems, and proceedings can be extremely expensive depending upon location.
• The efficacy of decisions given by courts at the global level is doubtful, and sanctions are questionable.
Types of Cyber Crimes
Targets of Cyber Crime
• Some important industries which are
targets of cyber crime are given below:
Cyber Security Technologies To
Fight Against Crimes & To
Improve Organizational Security
Penetration Testing/Ethical Hacking
(Web and Infrastructure Hacking)
• Penetration testing is the legal and authorized exploitation of computer systems to make them more secure.
• Penetration testing is performed in the following phases:
– Reconnaissance: collecting detailed information about the system (e.g. the IP addresses of all machines).
– Scanning: 1. Port scanning (finding open ports on systems and the services being run). 2. Vulnerability scanning (finding known vulnerabilities in the services running on the system).
– Exploitation: attacking the system through the vulnerabilities found.
– Maintaining Access: after exploitation, creating a permanent backdoor for easy access to the system later on.
– Reporting: details of the issues found, the detailed procedures, and solutions to mitigate the security issues found.
Malware Analysis/Reverse Engineering
• The art of dissecting malware:
– To provide information about an intrusion/attack (what exactly happened).
– The goal is to find out exactly what a suspect binary program can do, how to detect it, and how to measure and contain its damage.
• Host-based signatures and network-based signatures are used to detect malware on computers and networks.
• Most often, malware analysis is performed on executable files using the following techniques:
– Basic and Advanced Static Analysis
– Basic and Advanced Dynamic Analysis
Malware Analysis/Reverse
Engineering – II
• Basic Static Analysis
– It is performed on the executable file without actually running it and without viewing its instructions.
– It answers whether the file is malicious, provides information about its functionality, and can sometimes produce network signatures to detect the malware.
• Advanced Static Analysis
– It is performed by loading the malware executable into a disassembler and looking at its instructions to find out what the malware does.
• Basic Dynamic Analysis
– It involves running the malware and observing its behaviour on the system in order to remove the files and produce effective signatures.
• Advanced Dynamic Analysis
– It involves debugging the internal state of the malicious executable.
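Basic static analysis as described above, shown as an added example that is not part of the original lecture: it hashes a file's bytes, extracts printable strings without executing or disassembling anything, and sorts them into candidate network-based and host-based indicators. The sample bytes, the domain update.example.test and the address 192.0.2.45 are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a suspect executable: an "MZ" header followed by
# embedded strings. Every value here is invented for illustration.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n\x00\x01\x02"
    + b"kernel32.dll\x00WriteFile\x00\xff\xfe"
    + b"http://update.example.test/gate.php\x00\x07"
    + b"192.0.2.45\x00ab\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REGKEY_RE = re.compile(r"(?i)\b(?:HKLM|HKCU|SOFTWARE)\\[\w\\ ]+")


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII at least min_len long, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def _valid_ipv4(text: str) -> bool:
    # Reject dotted quads such as 999.1.1.1 that the regex alone would accept.
    return all(int(part) <= 255 for part in text.split("."))


def _unique(items: list) -> list:
    # De-duplicate while keeping the order of first appearance.
    return list(dict.fromkeys(items))


def triage(data: bytes) -> dict:
    """Hash the file and split its strings into candidate indicators."""
    strings = printable_strings(data)
    urls, ips, regkeys = [], [], []
    for s in strings:
        urls += URL_RE.findall(s)
        ips += [ip for ip in IPV4_RE.findall(s) if _valid_ipv4(ip)]
        regkeys += REGKEY_RE.findall(s)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # file identity for lookups
        "strings": strings,
        "network_indicators": _unique(urls + ips),   # network-based signatures
        "host_indicators": _unique(regkeys),         # host-based signatures
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["sha256"])
    for key in ("network_indicators", "host_indicators"):
        print(key + ":")
        for value in report[key]:
            print("  ", value)
```

Strings such as imported function names still need an analyst's judgement; the extracted indicators are candidates for signatures, not a verdict on the file.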
Digital Forensics (Computer & Network
Forensics)
• It is defined as the application of science to law.
• It is the collection, examination and analysis of data while preserving the integrity of the data and the chain of custody.
• The process usually consists of the following phases:
– Collection: identifying, collecting, labelling and storing data.
– Examination: assessing and extracting the data of particular interest.
– Analysis: analysing the data using legally justifiable techniques.
– Reporting: reporting the results of the analysis (actions to be taken to secure against vulnerabilities, information about the crime/attack, etc.).
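One way to make the integrity and chain-of-custody requirement above checkable across the collection, examination and analysis phases, as an added example that is not part of the original lecture: each custody record stores the SHA-256 of the evidence and the hash of the previous record. The hash-chained log format, field names, actors and timestamps are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first custody record

# Constructed stand-in for an acquired disk image.
IMAGE = b"constructed disk image bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


def record(log: list, phase: str, actor: str, evidence: bytes,
           timestamp: str, note: str = "") -> dict:
    """Append a custody record that commits to the evidence and to history."""
    body = {
        "phase": phase,
        "actor": actor,
        "timestamp": timestamp,
        "note": note,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    log.append(entry)
    return entry


def verify(log: list) -> list:
    """Return a list of problems; an empty list means the log is consistent."""
    problems = []
    prev = GENESIS
    baseline = log[0]["evidence_sha256"] if log else None
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if _entry_hash(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if entry["evidence_sha256"] != baseline:
            problems.append(f"entry {i}: evidence differs from collected image")
        prev = entry["entry_hash"]
    return problems


def build_sample_log() -> list:
    # Constructed actors and timestamps, one record per phase.
    log = []
    record(log, "Collection", "officer-a", IMAGE, "2015-03-18T09:00:00Z",
           "imaged seized laptop, original sealed")
    record(log, "Examination", "examiner-b", IMAGE, "2015-03-19T10:30:00Z",
           "extracted browser history from working copy")
    record(log, "Analysis", "analyst-c", IMAGE, "2015-03-20T14:00:00Z",
           "timeline built from extracted artefacts")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("clean log problems:", verify(log))
    log[1]["note"] = "edited later"
    print("after editing entry 1:", verify(log))
```

A chain like this only exposes tampering if the latest entry hash is also kept somewhere the log's custodian cannot rewrite, such as a signed report or a separate system.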
CYBER LAWS
USA’s Cyber Security Laws - I
• Computer Fraud and Abuse Act (CFAA):
“Whoever … intentionally accesses a computer without authorization or exceeds authorized access,
and thereby obtains … information from any protected computer… shall be punished as provided in
subsection (c) of this section.”
• Electronic Protected Health Information (e-PHI) and Health Insurance Portability and Accountability Act (HIPAA):
– Protects individuals' identifiable health records.
– Protects information that is stored and information on the network while it is being transferred.
Recent Developments In USA’s
Cyber Security Laws
• Cybersecurity Enhancement Act 2014
– Public-Private Collaboration on Cybersecurity
– Cybersecurity Research and Development
– Education and Workforce Development
– Cybersecurity Awareness and Preparedness
– Advancement of Cybersecurity Technical Standards
• National Cybersecurity Protection Act 2014
• Cybersecurity Workforce Assessment Act 2014
Pakistan’s Cyber Security Laws
Details About:
Cyber Laws in Pakistan
• Different laws have been promulgated in Pakistan.
• These laws do not deal only with Internet crime.
• They deal with all dimensions related to computers & networks.
• Two of them are the best known.
• They are:
– Electronic Transaction Ordinance 2002
– Electronic / Cyber Crime Bill 2007
Electronic Transaction Ordinance
2002
• Overview
– The Electronic Transactions Ordinance (ETO), 2002, was
the first IT-relevant legislation created by national
lawmakers.
– A first step and a solid foundation for legal sanctity and
protection for Pakistani e-Commerce locally and globally.
– Laid the foundation for comprehensive Legal
Infrastructure.
– It draws heavily on foreign law related to cyber crime.
Pre-ETO 2002
• No recognition of electronic documentation
• No recognition of electronic records
• No recognition of evidential basis of
documents/records
• Failure to authenticate or identify digital or electronic
signatures or forms of authentication
• No online transaction could be legally binding
• Electronic Data & Forensic Evidence not covered.
No Rules
ETO 2002
• Sections
– There are 43 sections in this ordinance
– It deals with the following 8 main areas relating to e-Commerce.
• Recognition of Electronic Documents
• Electronic Communications
• Digital Signature regime and its evidential consequences
• Web Site & Digital Signatures Certification Providers
• Stamp Duty
• Attestation, notarization, certified copies
• Jurisdiction
• Offences
ETO 2002
• Important Sections are:
– 36. Violation of privacy information
• gains or attempts to gain access
• to any information system with or without intent
• to acquire the information unauthorized
• Imprisonment 7 years
• Fine Rs. 1 million
ETO 2002
– 37. Damage to information system, etc.
• alter, modify, delete, remove, generate, transmit or
store information
• to impair the operation of,
• or prevent or hinder access to, information
• knowingly when not authorized to do so
• Imprisonment 7 years
• Fine Rs. 1 million
ETO 2002
– 38. Offences to be non-bailable,
compoundable and cognizable
• All offences under this Ordinance shall be non-bailable, compoundable and cognizable.
– 39. Prosecution and trial of offences.
• No Court inferior to the Court of Sessions shall try
any offence under this Ordinance.
Post ETO 2002
• Electronic Documentation & Records
recognized
• Electronic & Digital forms of authentication
& identification given legal sanctity
• Messages through email, fax, mobile
phones, Plastic Cards, Online recognized.
Electronic/Cyber Crime Bill 2007
Overview
• The “Prevention of Electronic Crimes Ordinance, 2007” is in force now.
• It was promulgated by the President of Pakistan on 31st December 2007.
• The bill deals with electronic crimes including:
– Cyber terrorism
– Data damage
– Electronic fraud
– Electronic forgery
– Unauthorized access to code
– Cyber stalking
– Cyber Spamming/spoofing
Electronic/Cyber Crime Bill 2007
• It offers penalties ranging from six months
imprisonment to capital punishment for 17
types of cyber crimes
• It will apply to every person who commits
an offence, irrespective of his nationality or
citizenship.
• It gives exclusive powers to the Federal
Investigation Agency (FIA) to investigate
and charge cases against such crimes.
Punishments
• This law defines a punishment for each offence.
• Each offence under this law has its own punishment, which can be imprisonment or a fine.
Offence                        Imprisonment (years)   Fine
Criminal Access                3                      3 Lac
Criminal Data Access           3                      3 Lac
Data Damage                    3                      3 Lac
System Damage                  3                      3 Lac
Electronic Fraud               7                      7 Lac
Electronic Forgery             7                      7 Lac
Misuse of Device               3                      3 Lac
Unauthorized access to code    3                      3 Lac
Malicious code                 5                      5 Lac
Defamation                     5                      5 Lac
Cyber stalking                 3                      3 Lac
Cyber Spamming                 6 months               50,000
Spoofing                       3                      3 Lac
Pornography                    10                     -----
Cyber terrorism                Life                   10 Million
Sections
• Data Damage:
– Whoever, with intent to make illegal gain or to cause harm to the public or any person, damages any data shall come under this section.
• Punishment:
– 3 years
– 3 Lac
Electronic/Cyber Crime Bill 2007
• Electronic fraud:
– Whoever, for illegal gain, interferes with or uses any data, electronic system or device, or acts with intent to deceive any person, where the act or omission is likely to cause damage or harm.
• Punishment:
– 7 years
– 7 Lac
Electronic/Cyber Crime Bill 2007
• Electronic Forgery:
– Whoever for unlawful gain interferes with data, electronic
system or device, with intent to cause harm or to commit
fraud by any input, alteration, or suppression of data,
resulting in unauthentic data that it be considered or acted
upon for legal purposes as if it were authentic, regardless
of the fact that the data is directly readable and intelligible
or not.
• Punishment:
– 7 years
– 7 Lac
Electronic/Cyber Crime Bill 2007
• Malicious code:
– Whoever willfully writes, offers, makes
available, distributes or transmits malicious
code through an electronic system or device,
with intent to cause harm to any electronic
system or resulting in the theft or loss of data
commits the offence of malicious code.
• Punishment:
– 5 years
– 5 Lac
Electronic/Cyber Crime Bill 2007
• Cyber stalking:
– Whoever with intent to harass any person uses computer,
computer network, internet, or any other similar means of
communication to communicate obscene, vulgar, profane,
lewd, lascivious, or indecent language, picture or image.
– Make any suggestion or proposal of an obscene nature
– Threaten any illegal or immoral act
– Take or distribute pictures or photographs of any person
without his consent or knowledge
– Commits the offence of cyber stalking.
• Punishment:
– 3 Years
– 3 Lac
Electronic/Cyber Crime Bill 2007
• Spamming:
– Whoever transmits harmful, fraudulent, misleading,
– illegal or unsolicited electronic messages in bulk to any
person
– without the express permission of the recipient,
– involves in falsified online user account registration or
falsified domain name registration for commercial purpose
commits the offence of spamming.
• Punishment:
– 6 months
– 50,000
Electronic/Cyber Crime Bill 2007
• Spoofing:
– Whoever establishes a website, or sends an
electronic message with a counterfeit source intended
to be believed by the recipient or visitor or its
electronic system to be an authentic source
– with intent to gain unauthorized access or obtain
valuable information
– Later, the information can be used for any lawful purposes
– Commits the offence of spoofing.
• Punishment:
– 3 Years
– 3 Lac
Electronic/Cyber Crime Bill 2007
• Cyber terrorism:
– Any person, group or organization who, with terroristic
intent utilizes,
– accesses or causes to be accessed a computer or
computer network or electronic system or device or by any
available means,
– knowingly engages in or attempts to engage in a terroristic
act commits the offence of cyber terrorism.
• Punishment
– Whoever commits the offence of cyber terrorism and
causes death of any person shall be punished with death
– Or imprisonment for life, and with fine
– Otherwise he shall be punishable with imprisonment of ten years or with a fine of ten million rupees
Recent Developments for Cyber
Laws in Pakistan
• In 2013, Pakistan came to know that the USA, through the National Security Agency (NSA), was spying on Pakistan by intercepting 13.5 billion pieces of email, phone and fax communication.
• The Senate Committee on Defence and Defence Production organized a seminar, which concluded with the following important points:
– To protect and promote Pakistan’s cyber security, relevant legislation should be enacted.
– The cyber security threat should be accepted as a new, emerging national security threat.
– Establishing a National Computer Emergency Response Team (PakCERT).
– Establishing a Cyber Security Task Force consisting of relevant security professionals to combat this threat.
– An Inter-Services Cyber Command should be established to coordinate cyber security and defence for the Pakistan Armed Forces.
– Pakistan should take the initiative to talk to the 8 SAARC members.
Pakistan Cyber Security Task
Force
• Federal Investigation Agency (FIA) has
established Cyber Security Task Force to
combat the cyber security threat for
Pakistan.
• Pakistan Computer Emergency Response
Team (PakCERT) is established to protect
IT assets and professionals from cyber
crimes like hacking etc.
(www.pakcert.org).
Why we must know Cyber Laws?
• Under which organizations does the organization operate, and which specific laws apply to the organization?
• By law, which information assets need to be protected?
• How can laws be incorporated into the organizational security policy?
• When conducting Vulnerability Assessments
and Penetration tests for organizations.
References:
• To prepare this lecture, the following sources were consulted:
– https://www.congress.gov/bill/113th-congress/senate-bill/1353/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d
– https://www.congress.gov/bill/113th-congress/senate-bill/2519/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d
– https://www.congress.gov/bill/113th-congress/house-bill/2952/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d
– http://www.go-gulf.com/blog/cyber-crime/
– Zibber Mohiuddin, “Cyber Laws in Pakistan: A Situational Analysis and Way Forward”, June 2006.
– ISACA’s Cyber Security Student Handbook.
– http://www.dawn.com/news/1023706
– Justice Khalil ur Rehman, “Cyber Laws in Pakistan”.
– Tariq Bilal, “Modern Cyber Laws in Pakistan”.
– Taha Mehmood, “Cyber Laws in Pakistan”, PowerPoint presentation.
– Sehrish Mushtaq, “Cyber Laws in Pakistan”, PowerPoint presentation.
Thanks for listening!
Questions?

More Related Content

PPTX
Ethical Hacking
Tharindu Kalubowila
 
PPTX
Cyber Crime
Avinash Rajput
 
PPTX
Introduction to Information Security
Shreedevi Tharanidharan
 
PPTX
Implementing cybersecurity best practices and new technology ppt (1).pptx
damilolasunmola
 
PPTX
Cybercrime and Security
Noushad Hasan
 
PPTX
Cyber security and cyber laws
Dr. Prashant Vats
 
Ethical Hacking
Tharindu Kalubowila
 
Cyber Crime
Avinash Rajput
 
Introduction to Information Security
Shreedevi Tharanidharan
 
Implementing cybersecurity best practices and new technology ppt (1).pptx
damilolasunmola
 
Cybercrime and Security
Noushad Hasan
 
Cyber security and cyber laws
Dr. Prashant Vats
 

What's hot (20)

PPSX
Cyber crime
Sanket Gogoi
 
PPTX
Cyber Terrorism
Shivam Lohiya
 
PPTX
Cyber crime
yazad dumasia
 
PPTX
Cyber Security Best Practices
Evolve IP
 
PPTX
National cyber security policy final
Indian Air Force
 
PPTX
Ethical Hacking
Nitheesh Adithyan
 
PPT
Introduction to Cyber Security
Stephen Lahanas
 
PPTX
cyber crime
Mosuud jilani lipon
 
PPTX
Cyber crime and security
Sharath Raj
 
PPTX
Cyber crime
Grant Thornton Bangladesh
 
PPTX
Cyber security
Pihu Goel
 
PPTX
cyber security
BasineniUdaykumar
 
PPT
Ethical Hacking Powerpoint
Ren Tuazon
 
ODP
Ethical hacking ppt
himanshujoshi238
 
PPTX
Cyber crime
Harendra Singh
 
PPTX
Cyber Security Presentation
HaniyaMaha
 
PPTX
Security threats and attacks in cyber security
Shri ramswaroop college of engineering and management
 
PPTX
Network security
quest university nawabshah
 
PPTX
Cyber Crime and Cyber Security
Sazed Salman
 
PPTX
Cybercrime & Security
Shreeraj Nair
 
Cyber crime
Sanket Gogoi
 
Cyber Terrorism
Shivam Lohiya
 
Cyber crime
yazad dumasia
 
Cyber Security Best Practices
Evolve IP
 
National cyber security policy final
Indian Air Force
 
Ethical Hacking
Nitheesh Adithyan
 
Introduction to Cyber Security
Stephen Lahanas
 
cyber crime
Mosuud jilani lipon
 
Cyber crime and security
Sharath Raj
 
Cyber security
Pihu Goel
 
cyber security
BasineniUdaykumar
 
Ethical Hacking Powerpoint
Ren Tuazon
 
Ethical hacking ppt
himanshujoshi238
 
Cyber crime
Harendra Singh
 
Cyber Security Presentation
HaniyaMaha
 
Security threats and attacks in cyber security
Shri ramswaroop college of engineering and management
 
Network security
quest university nawabshah
 
Cyber Crime and Cyber Security
Sazed Salman
 
Cybercrime & Security
Shreeraj Nair
 
Ad

Viewers also liked (13)

PPT
Cyber security standards
Vaughan Olufemi ACIB, AICEN, ANIM
 
PDF
Topics in network security
Nasir Bhutta
 
PPT
Security audit
Rosaria Dee
 
PPT
Securities Law And Regulation
guest37cbd035
 
PPT
Cyber Risks
RickWaldman
 
PPTX
Security Policies and Standards
primeteacher32
 
PPTX
Security Audit View
PLN9 Security Services Pvt. Ltd.
 
PPT
INDIAN CYBERLAW AND SECURITY
pattok
 
PDF
Cyber law-it-act-2000
Mayuresh Patil
 
PPTX
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
PPTX
Ipr trips&trims
Ruchir Shukla
 
PDF
Ccsit cyberlympics 2017 workshop 3 - presentation
Nasir Bhutta
 
PPTX
CYBER TERRORISM
Tejesh Dhaypule
 
Cyber security standards
Vaughan Olufemi ACIB, AICEN, ANIM
 
Topics in network security
Nasir Bhutta
 
Security audit
Rosaria Dee
 
Securities Law And Regulation
guest37cbd035
 
Cyber Risks
RickWaldman
 
Security Policies and Standards
primeteacher32
 
INDIAN CYBERLAW AND SECURITY
pattok
 
Cyber law-it-act-2000
Mayuresh Patil
 
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
Ipr trips&trims
Ruchir Shukla
 
Ccsit cyberlympics 2017 workshop 3 - presentation
Nasir Bhutta
 
CYBER TERRORISM
Tejesh Dhaypule
 
Ad

Similar to Cyber security laws (20)

PPTX
Cyber Crime
Mazhar Nazik
 
PPT
Cyber Governemace In Pakistan
Shakeel Ahmed
 
PPTX
Cyber crimes presentation
Digital Marketing Evangelist
 
PPTX
Cyber crime ppt
Gracy Joseph
 
PDF
Cyber Security Attacks - Critical Legal and Investigation Aspects
Benjamin Ang
 
PPTX
Cyber laws in pakistan
Sajeel Bhatti
 
PPTX
Cyber Laws in Pakistan
Ayesha Majid
 
PDF
Cyber Crime Laws in Pakistan regarding electronic and social media
akashsaqi444
 
PDF
Cyber Crime and Security ppt by Neeraj Ahirwar
Neeraj Ahirwar
 
PPTX
Module 2_ Cyber offenses & Cybercrimes(Updated).pptx
placementstwc
 
PPTX
Cyber forensic 1
anilinvns
 
PPTX
Cyber Crime
Muhammad Irfan
 
PPTX
Cyber crime.pptx
Dawood Faheem Abbasi
 
PPTX
Present Cyber Laws and Discovery of Digital Evidence
Shahid Jamal Tubrazy
 
PPTX
Cyber crime & law
AkshayKumar Kavar
 
PPTX
cyber security and its importance .pptx
bhaskarnayak18
 
PDF
CYBER SECURITY (R18A0521).pdf
JayaMalaR6
 
PDF
Cybersecurity attacks critical legal and investigation aspects you must know
Benjamin Ang
 
DOCX
BCC -401-aktu-Cyber-Security Unit-1.docx
pubgnewstate1620
 
PPSX
Cyber security & Data Protection
Dr. Hemant Kumar Singh
 
Cyber Crime
Mazhar Nazik
 
Cyber Governemace In Pakistan
Shakeel Ahmed
 
Cyber crimes presentation
Digital Marketing Evangelist
 
Cyber crime ppt
Gracy Joseph
 
Cyber Security Attacks - Critical Legal and Investigation Aspects
Benjamin Ang
 
Cyber laws in pakistan
Sajeel Bhatti
 
Cyber Laws in Pakistan
Ayesha Majid
 
Cyber Crime Laws in Pakistan regarding electronic and social media
akashsaqi444
 
Cyber Crime and Security ppt by Neeraj Ahirwar
Neeraj Ahirwar
 
Module 2_ Cyber offenses & Cybercrimes(Updated).pptx
placementstwc
 
Cyber forensic 1
anilinvns
 
Cyber Crime
Muhammad Irfan
 
Cyber crime.pptx
Dawood Faheem Abbasi
 
Present Cyber Laws and Discovery of Digital Evidence
Shahid Jamal Tubrazy
 
Cyber crime & law
AkshayKumar Kavar
 
cyber security and its importance .pptx
bhaskarnayak18
 
CYBER SECURITY (R18A0521).pdf
JayaMalaR6
 
Cybersecurity attacks critical legal and investigation aspects you must know
Benjamin Ang
 
BCC -401-aktu-Cyber-Security Unit-1.docx
pubgnewstate1620
 
Cyber security & Data Protection
Dr. Hemant Kumar Singh
 

More from Nasir Bhutta (11)

PDF
Blockchain for Interdisciplinary Research
Nasir Bhutta
 
PDF
Basics of Blockchain Technology
Nasir Bhutta
 
PPS
secure smart cities
Nasir Bhutta
 
PDF
Introduction to Ethical Hacking
Nasir Bhutta
 
PDF
Penetration Testing Execution Phases
Nasir Bhutta
 
PPT
Different types of networks
Nasir Bhutta
 
PDF
Introduction to Secure Delay/Disruption Tolerant Networks (DTN)
Nasir Bhutta
 
PPTX
Multilayer Security Architecture for Internet Protocols
Nasir Bhutta
 
PPTX
Cyber Security: Trends and Globar War
Nasir Bhutta
 
PPT
Introduction to Delay/Disruption Tolerant Networking and Applications
Nasir Bhutta
 
PPTX
Cloud computing overview & current research
Nasir Bhutta
 
Blockchain for Interdisciplinary Research
Nasir Bhutta
 
Basics of Blockchain Technology
Nasir Bhutta
 
secure smart cities
Nasir Bhutta
 
Introduction to Ethical Hacking
Nasir Bhutta
 
Penetration Testing Execution Phases
Nasir Bhutta
 
Different types of networks
Nasir Bhutta
 
Introduction to Secure Delay/Disruption Tolerant Networks (DTN)
Nasir Bhutta
 
Multilayer Security Architecture for Internet Protocols
Nasir Bhutta
 
Cyber Security: Trends and Globar War
Nasir Bhutta
 
Introduction to Delay/Disruption Tolerant Networking and Applications
Nasir Bhutta
 
Cloud computing overview & current research
Nasir Bhutta
 

Recently uploaded (20)

PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
Doc9.....................................
SofiaCollazos
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PDF
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
PDF
REPORT: Heating appliances market in Poland 2024
SPIUG
 
PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
How-Cloud-Computing-Impacts-Businesses-in-2025-and-Beyond.pdf
Artjoker Software Development Company
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PDF
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
Doc9.....................................
SofiaCollazos
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
REPORT: Heating appliances market in Poland 2024
SPIUG
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
How-Cloud-Computing-Impacts-Businesses-in-2025-and-Beyond.pdf
Artjoker Software Development Company
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
Cloud-Migration-Best-Practices-A-Practical-Guide-to-AWS-Azure-and-Google-Clou...
Artjoker Software Development Company
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
The Future of Artificial Intelligence (AI)
Mukul
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 

Cyber security laws

  • 1. Dr. M Nasir Mumtaz Bhutta Institute of Computing Bahauddin Zakariya University Multan, Punjab, 60,000 Pakistan Email: [email protected] www.bzu.edu.pk Course: Information Security and Assurance Cyber Security Laws 18 March 2015
  • 2. Dr. M N M Bhutta www.bzu.edu.pk Lecture Overview • Why is it important to understand/define Cyber Security Laws? • Cyber Crimes. • Well Known USA’s Cyber Security Laws. • Pakistan’s Cyber Security Laws: – Electronic Transaction Ordinance 2002. – Electronic Cyber Crime bill/Act 2007. • Recent Developments in Pakistan’s Cyber Law. 2
  • 3. Dr. M N M Bhutta www.bzu.edu.pk Importance to Understand Cyber Security Laws • Cyber Security Laws are introduced: – In response to cyber crimes. – To improve organizational security. – To protect people and their assets. • Every country has its own set of laws. • Organizations should ensure that which laws will be applicable to them depending upon their location. • Organizations should incorporate cyber laws as part of their security policy and include lawyers in their security decisions. • Govt have laid down security compliance requirements to protect people and their assets. 3
  • 4. Dr. M N M Bhutta www.bzu.edu.pk Cyber Crimes • Some Latest Cybercrime Statistics 4
  • 5. Dr. M N M Bhutta www.bzu.edu.pk Cyber Crime Vs Conventional Crime • Conventional Crime is: – social and economic phenomenon and as old as society. – Legal wrong which can be followed by criminal proceedings and can result in punishment. • Cyber Crime is: – Where computer is subject or object of crime. – Unlawful act where computer is a tool or target or both. 5
  • 6. Dr. M N M Bhutta www.bzu.edu.pk Complexity of Cyber Disputes • Cyber crime takes place across whole world geographic boundaries. • Which court will have exclusive jurisdiction to the crime? • Different countries have different legal systems and it can be extremely expensive depending upon location. • Doubts on efficacy of decisions given be courts on global level and sanctions are questionable. 6
  • 7. Dr. M N M Bhutta www.bzu.edu.pk Types of Cyber Crimes 7
  • 8. Dr. M N M Bhutta www.bzu.edu.pk Targets of Cyber Crime • Some important industries which are targets of cyber crime are given below: 8
  • 9. Dr. M N M Bhutta www.bzu.edu.pk Cyber Security Technologies To Fight Against Crimes & To Improve Organizational Security 9
  • 10. Dr. M N M Bhutta www.bzu.edu.pk Penetration Testing/Ethical Hacking (Web and Infrastructure Hacking) • Penetration testing is legal and authorized exploitation of computer systems to make them more secure. • Penetration testing is performed in following phases: – Reconnaissance: collecting detailed information about system (e.g. all machines IP addresses etc. ) – Scanning: 1. Port Scanning (finding open ports on systems and services being run). 2. Vulnerability Scanning (finding known vulnerabilities for services running on the system) – Exploitation: Attacking the system for the found vulnerabilities. – Maintaining Access: After exploitation, creating a permanent backdoor for easy access to the system later on. – Reporting: Details about the found issues, detailed procedures and presenting solutions to mitigate the security issues found. 10
  • 11. Dr. M N M Bhutta www.bzu.edu.pk Malware Analysis/Reverse Engineering • Art of dissection of malware: – To provide information about intrusion/attack (what exactly happened). – The goal is exactly to find out: what a suspect binary program can do, how to detect it, and how to measure and contain its damage. • Host based signatures and network based signatures are used to detect malwares on computers and networks. • Most often malware analysis is performed on executable files using following techniques: – Basic and Advanced Static Analysis – Basic and Advanced Dynamic Analysis 11
  • 12. Dr. M N M Bhutta www.bzu.edu.pk Malware Analysis/Reverse Engineering – II • Basic Static Analysis – It is performed on executable file without actually running it and without viewing the instructions code. – It answers whether file is malicious, provide information about its functionality and some times to produce network signatures to detect malwares. • Advanced Static Analysis – It is performed by dissecting the malware executable by loading it into disassembler and looking into its instructions to find out what malware do. • Basic dynamic Analysis – It involves running the malware and observing its behaviour on the system in order to remove the files, produce effective signatures. • Advanced Dynamic Analysis – It involves debugging the internal state of malicious executable. 12
  • 13. Digital Forensics (Computer & Network Forensics) • It is defined as the application of science to law. • It is the collection, examination and analysis of data while preserving the integrity of the data and the chain of custody. • The process usually consists of the following phases: – Collection: identifying, collecting, labelling and storing data. – Examination: assessing and extracting the data of particular interest. – Analysis: analysing the data using legally justifiable techniques. – Reporting: reporting the results of the analysis (actions to be taken to secure against vulnerabilities, information about the crime/attack, etc.)
  • 14. CYBER LAWS
  • 15. USA’s Cyber Security Laws - I • Computer Fraud and Abuse Act (CFAA): “Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer… shall be punished as provided in subsection (c) of this section.” • Electronic Protected Health Information (e-PHI) and Health Insurance Portability and Accountability Act (HIPAA): – Protects information about individuals’ identifiable health records. – Protects information stored and information available on the network while being transferred.
  • 16. Recent Developments In USA’s Cyber Security Laws • Cybersecurity Enhancement Act 2014 – Public-Private Collaboration on Cybersecurity – Cybersecurity Research and Development – Education and Workforce Development – Cybersecurity Awareness and Preparedness – Advancement of Cybersecurity Technical Standards • National Cybersecurity Protection Act 2014 • Cybersecurity Workforce Assessment Act 2014
  • 17. Pakistan’s Cyber Security Laws Details About:
  • 18. Cyber Laws in Pakistan • Different laws have been promulgated in Pakistan. • These laws do not deal only with Internet crime. • They deal with all dimensions related to computers and networks. • Two of them are the best known: – Electronic Transaction Ordinance 2002 – Electronic / Cyber Crime Bill 2007
  • 19. Electronic Transaction Ordinance 2002 • Overview – The Electronic Transactions Ordinance (ETO), 2002, was the first IT-relevant legislation created by national lawmakers. – A first step and a solid foundation for legal sanctity and protection for Pakistani e-Commerce locally and globally. – Laid the foundation for a comprehensive legal infrastructure. – It borrows heavily from foreign law related to cyber crime.
  • 20. Pre-ETO 2002 • No recognition of electronic documentation • No recognition of electronic records • No recognition of evidential basis of documents/records • Failure to authenticate or identify digital or electronic signatures or forms of authentication • No online transaction could be legally binding • Electronic Data & Forensic Evidence not covered. No Rules
  • 21. ETO 2002 • Sections – There are 43 sections in this ordinance. – It deals with the following 8 main areas relating to e-Commerce: • Recognition of Electronic Documents • Electronic Communications • Digital Signature regime and its evidential consequences • Web Site & Digital Signatures Certification Providers • Stamp Duty • Attestation, notarization, certified copies • Jurisdiction • Offences
  • 22. ETO 2002 • Important Sections are: – 36. Violation of privacy information • gains or attempts to gain access • to any information system with or without intent • to acquire the information without authorization • Imprisonment: 7 years • Fine: Rs. 1 million
  • 23. ETO 2002 – 37. Damage to information system, etc. • alter, modify, delete, remove, generate, transmit or store information • to impair the operation of, • or prevent or hinder access to, information • knowingly when not authorized to do so • Imprisonment: 7 years • Fine: Rs. 1 million
  • 24. ETO 2002 – 38. Offences to be non-bailable, compoundable and cognizable • All offences under this Ordinance shall be non-bailable, compoundable and cognizable. – 39. Prosecution and trial of offences. • No Court inferior to the Court of Sessions shall try any offence under this Ordinance.
  • 25. Post ETO 2002 • Electronic Documentation & Records recognized • Electronic & Digital forms of authentication & identification given legal sanctity • Messages through email, fax, mobile phones, Plastic Cards, Online recognized.
  • 26. Electronic/Cyber Crime Bill 2007
  • 27. Overview • The “Prevention of Electronic Crimes Ordinance, 2007” is in force now. • It was promulgated by the President of Pakistan on 31st December 2007. • The electronic crimes the bill deals with include: – Cyber terrorism – Data damage – Electronic fraud – Electronic forgery – Unauthorized access to code – Cyber stalking – Cyber Spamming/spoofing
  • 28. Electronic/Cyber Crime Bill 2007 • It offers penalties ranging from six months’ imprisonment to capital punishment for 17 types of cyber crimes. • It applies to every person who commits an offence, irrespective of nationality or citizenship. • It gives exclusive powers to the Federal Investigation Agency (FIA) to investigate and charge cases against such crimes.
  • 29. Punishments • This law defines punishments for the offences. • Each offence under this law has its own distinct punishment, which can be imprisonment or a fine.
  • 30.

    | Offence | Imprisonment (years) | Fine |
    | --- | --- | --- |
    | Criminal Access | 3 | 3 Lac |
    | Criminal Data Access | 3 | 3 Lac |
    | Data Damage | 3 | 3 Lac |
    | System Damage | 3 | 3 Lac |
    | Electronic Fraud | 7 | 7 Lac |
    | Electronic Forgery | 7 | 7 Lac |
    | Misuse of Device | 3 | 3 Lac |
    | Unauthorized access to code | 3 | 3 Lac |
    | Malicious code | 5 | 5 Lac |
    | Defamation | 5 | 5 Lac |
    | Cyber stalking | 3 | 3 Lac |
    | Cyber Spamming | 6 months | 50,000 |
    | Spoofing | 3 | 3 Lac |
    | Pornography | 10 | ----- |
    | Cyber terrorism | Life | 10 Million |
  • 31. Sections • Data Damage: – Whoever, with intent to gain illegally or cause harm to the public or any person, damages any data shall come under this section. • Punishment: – 3 years – 3 Lac
  • 32. Electronic/Cyber Crime Bill 2007 • Electronic fraud: – People who, for illegal gain, interfere with or use any data, electronic system or device, or who act with intent to deceive any person, where the act or omission is likely to cause damage or harm. • Punishment: – 7 years – 7 Lac
  • 33. Electronic/Cyber Crime Bill 2007 • Electronic Forgery: – Whoever for unlawful gain interferes with data, electronic system or device, with intent to cause harm or to commit fraud by any input, alteration, or suppression of data, resulting in unauthentic data, with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether the data is directly readable and intelligible or not. • Punishment: – 7 years – 7 Lac
  • 34. Electronic/Cyber Crime Bill 2007 • Malicious code: – Whoever willfully writes, offers, makes available, distributes or transmits malicious code through an electronic system or device, with intent to cause harm to any electronic system or resulting in the theft or loss of data commits the offence of malicious code. • Punishment: – 5 years – 5 Lac
  • 35. Electronic/Cyber Crime Bill 2007 • Cyber stalking: – Whoever, with intent to harass any person, uses a computer, computer network, internet, or any other similar means of communication to: – communicate obscene, vulgar, profane, lewd, lascivious, or indecent language, picture or image, – make any suggestion or proposal of an obscene nature, – threaten any illegal or immoral act, – take or distribute pictures or photographs of any person without his consent or knowledge, – commits the offence of cyber stalking. – 3 years – 3 Lac
  • 36. Electronic/Cyber Crime Bill 2007 • Spamming: – Whoever transmits harmful, fraudulent, misleading, illegal or unsolicited electronic messages in bulk to any person – without the express permission of the recipient, – or is involved in falsified online user account registration or falsified domain name registration for commercial purpose commits the offence of spamming. • Punishment: – 6 months – 50,000
  • 37. Electronic/Cyber Crime Bill 2007 • Spoofing: – Whoever establishes a website, or sends an electronic message with a counterfeit source intended to be believed by the recipient or visitor or its electronic system to be an authentic source, – with intent to gain unauthorized access or obtain valuable information – which can later be used for any lawful purposes, commits the offence of spoofing. – 3 years – 3 Lac
  • 38. Electronic/Cyber Crime Bill 2007 • Cyber terrorism: – Any person, group or organization who, with terroristic intent, utilizes, – accesses or causes to be accessed a computer or computer network or electronic system or device or by any available means, – knowingly engages in or attempts to engage in a terroristic act commits the offence of cyber terrorism. • Punishment – Whoever commits the offence of cyber terrorism and causes the death of any person shall be punished with death – or imprisonment for life, and with a fine. – Otherwise he shall be punishable with imprisonment of ten years or with a fine of ten million rupees.
  • 39. Recent Developments for Cyber Laws in Pakistan • In 2013, Pakistan came to know that the USA, through the National Security Agency (NSA), was spying on Pakistan by intercepting 13.5 billion pieces of email, phone and fax communication. • The Senate Committee on Defence and Defence Production organized a seminar, which concluded with the following important points: – Relevant legislation should be enacted to protect and promote Pakistan’s cyber security. – The cyber security threat should be accepted as a new emerging national security threat. – Establishing a National Computer Emergency Response Team (PakCERT). – Establishing a Cyber Security Task Force consisting of relevant security professionals to combat this threat. – An Inter-Services Cyber Command should be established to coordinate cyber security and defence for the Pakistan Armed Forces. – Pakistan should take the initiative to talk to the 8 SAARC Members.
  • 40. Pakistan Cyber Security Task Force • The Federal Investigation Agency (FIA) has established a Cyber Security Task Force to combat the cyber security threat to Pakistan. • The Pakistan Computer Emergency Response Team (PakCERT) is established to protect IT assets and professionals from cyber crimes like hacking etc. (www.pakcert.org).
  • 41. Why must we know Cyber Laws? • Under which organizations does the organization operate, and which specific laws apply to the organization? • By law, which information assets need to be protected? • How can laws be incorporated into the organizational security policy? • When conducting vulnerability assessments and penetration tests for organizations.
  • 42. References: • To prepare this lecture, the following sources were consulted: – https://www.congress.gov/bill/113th-congress/senate-bill/1353/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d – https://www.congress.gov/bill/113th-congress/senate-bill/2519/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d – https://www.congress.gov/bill/113th-congress/house-bill/2952/text?q=%7b%22search%22:%5b%22cybersecurity%22%5d%7d – http://www.go-gulf.com/blog/cyber-crime/ – Zibber Mohiuddin, “Cyber Laws in Pakistan: A Situational Analysis and Way Forward”, June 2006. – ISACA’s Cyber Security Student Handbook. – http://www.dawn.com/news/1023706 – Justice Khalil ur Rehman, “Cyber Laws in Pakistan”. – Tariq Bilal, “Modern Cyber Laws in Pakistan”. – Taha Mehmood, “Cyber Laws in Pakistan”, PowerPoint presentation. – Sehrish Mushtaq, “Cyber Laws in Pakistan”, PowerPoint presentation.
  • 43. Thanks for listening! Questions?