Cyber-Terrorism: Legal and Policy Options for Coordinated National Preparedness (II) – Femi Daniel

Femi Daniel

MANIFESTATIONS OF CYBER-TERRORISM

  1. Illegal Access to a Computer System or Network

Section 8 of the Cybercrimes Act 2015 provides-

Any person who without lawful authority, intentionally or for fraudulent purposes does an act which causes directly or indirectly the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or any other form of interference with the computer system, which prevents the computer system or any part thereof, from functioning in accordance with its intended purpose, commits an offence and shall be liable on conviction to imprisonment for a term of not more than 2 years or to a fine of not more than N5,000,000.00 or to both fine and imprisonment.

The technical name for this offence is hacking. Hacking is simply an act of securing unauthorised access to a computer or computer network. Sections 385-389 of the Criminal Law of Lagos State 2011 are analogous to this section. The main tool of cyber-terrorists is obtaining unauthorised access to the computer system of another.

Hackers are divided into white-hat hackers and black-hat hackers. The first category are authorised to perform security functions, while black-hat hackers are unauthorised. Reference to ‘hackers’ hereinafter means black-hat hackers. Hackers terrorise individuals, organisations and governments in various ways. They include-

  1. Code Hackers – They can succeed in making the computer do nearly anything they want. They can get access into the computer and therefore use it for any sinister motive. Code hackers can cause substantial damage to reputation, among other economic havocs.
  2. Crackers – This group is very similar to code hackers. Their pleasure is to ‘disgrace’ so-called secured systems.
  3. Cyberpunks – They have mastered the art of cryptography. They can decode digital signatures and other security devices mounted on a system. This gives them unhindered access to such sites to steal, destroy or modify programmes to further their sinister motive.
  4. Phreakers – They use the internet to wreak havoc on telecommunication systems like telephone, GSM, Digital TV etc. [26].

It must be stated that not all illegal access to a computer system amounts to cyber-terrorism. The cyber-terrorist is an ideologue who is out on a higher purpose than mere immediate pecuniary gain. Hackers, except for some who are out on a revenge mission, are usually criminals-for-hire. They can be employed or converted by terrorists to help implement a cyber-terrorism master-plan.

  2. Virus Attack

A computer virus, much like a flu virus, is designed to spread from host to host and has the ability to replicate itself. Similarly, in the same way that viruses cannot reproduce without a host cell, computer viruses cannot reproduce and spread without programming such as a file or document [27]. Section 16 of the Cyber Crime Act makes unauthorized modification of computer data a crime. The section is rendered as follows-

(1) Any person who with intent and without lawful authority directly or indirectly modifies or causes modification of any data held in any computer system or network, commits an offence and shall be liable on conviction to imprisonment for a term of not more than 3 years or to a fine of not more than N7,000,000.00 or to both such fine and imprisonment.

(2) For the purpose of this section, a modification of any data held in any computer system or network includes modifications that take place whereby the operation of any function of the computer system or network concerned, or any-

(a) program or data held in it is altered or erased;

 (b) program or data are added to or removed from any program or data held in it;

(c) program or data are suppressed to prevent or terminate the availability of the data or function to its authorized users; or

(d) act occurs which impairs the normal operation of any computer, computer system or network concerned.

Virus attack combines with hacking to constitute the most lethal weapon of the cyber-terrorist. If a virus is designed to avoid detection by the anti-virus system in the target computer, the program or data can be easily altered, erased, suppressed or impaired. The implication of virus attack on critical information infrastructure is huge. Monies and efforts spent on election information management, cloud-based data, national biometric database, e-governance infrastructure, control centres of major national assets could easily go down the drain with a single virus attack.


Other means of cyber-terrorist attacks in this class include Trojan Horses [28], Logic Bombs [29], Denial of Service Attack (DoS) [30], Worms [31].

  3. Invasion of Privacy

Another tool of cyber-terrorism is the illegal use of private information to hold people to ransom. The question any inquirer may ask is what has privacy got to do with terrorism? The Snowden case caused massive international relations disruption. Snowden as a former contractor to the CIA divulged highly sensitive information on how the US was invading the privacy of other countries contrary to international norms and decorum. This is a template for emerging cyber-terrorist manipulation.

By engaging many more ‘Snowdens’, terrorists can create enough distrust among international allies to weaken their resolve or break up their cooperation. This gives room to terrorists to hold the ace and take heinous initiatives without restraint.

Section 37 of the 1999 constitution of Nigeria guarantees and protects the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications. Privacy in the information age has been described as the rightful claim of the individual to determine the extent to which he wishes to share of himself with others. It means the individual’s right to control dissemination of information about himself [32].

A cyber-terrorist need not hack into the computer system or use any form of virus attack to hurt a nation or key national or organisational stakeholders; all he needs to do is to ‘harvest’ publicly and remotely held information to achieve his devious purpose. Here is a scenario of how this could be done: Gen. AB of DPP party is a retired army general who is running his campaign on the promise to secure Nigeria against terrorists, reflate the economy and improve infrastructure.

Terrorists having studied the backgrounds of the other candidates, realise electoral victory by Gen. AB would lead to their decimation. They therefore, decide to run social media campaigns projecting the general’s confidential health information about his impotence, claiming that the children who bear his name were actually adopted. This information was gotten from the Army Health Service which recently digitised the health information of past and present officers to modernise its medical records. A terrorist who works at the medical records office got the information and passed it to his organisation. This information was primed till it became a national scandal forcing the General to withdraw from the race. This no doubt is a veiled terrorist hatchet job that could be easily perfected and acted upon by many people.

Another variant of invasion of privacy is when mass e-mail and SMS messages are sent to people whose information had been garnered from telecommunications service providers or other mediums. Terrorists can use this medium to set off sectarian crises. For example, a phantom message reads:

BROTHERS AND SISTERS, THE CATHOLIC CHURCH IN SABON GORO OF KUCHIGORO LOCAL GOVERNMENT, ABUJA HAS JUST BEEN BURNT DOWN BY MUSLIM YOUTHS LED BY THE CHIEF IMAM OF KUCHIGORO. OVER 120 MEN, WOMEN AND CHILDREN HAVE BEEN KILLED. PLEASE RISE UP AND START SLAUGHTERING ANY NORTHERN MUSLIM AROUND YOU!

NB: YOU WILL NOT HEAR THIS FROM THE MAIN NEWS OR SOCIAL MEDIA AS THE GOVERNMENT HAS SUCCEEDED IN BUYING THEM ALL OVER.

This message is a trap which many gullible people can fall into to help terrorists fulfil their purpose. A dispassionate assessment of the information would reveal patent flaws, as there is no Kuchigoro Local Government in Abuja, neither is there any Catholic church burnt. The dimensions of destruction possible through cyber-terrorism are almost endless. This is a wake-up call to the nation to quickly prepare to prevent such possibilities.


STUXNET: A MODEL CYBER-TERRORIST ATTACK

The Stuxnet attack was a ground-breaking event in the field of cyber security. The incident transmuted an industrial-scale cyber-attack from a mere hypothetical scenario into reality. The attack further revealed the level of sophistication a cyber-attack must have to achieve its goal of terror, death and huge socio-economic dislocation. Stuxnet was discovered in June 2010, and it set the whole IT security sector in a frenzy, trying to understand the phenomenal malware. Prof. Thomas M. Chen summarised the technical details of the attack in his monograph Cyber-terrorism After Stuxnet [33]. It will suffice to state for our purpose in this paper that the malware was very large (about 500 kilobytes) and very complicated in configuration. The erudite Professor gave some relevant details, which are herein summarised.

The most probable means of infection is through a removable flash drive, because the target of the attack, as expected, was not internet connected. Stuxnet exploited vulnerabilities in Windows PCs and took advantage of the hard-coded default password in Siemens Simatic WinCC software (CVE-2010-2772), which allowed access to the back-end database. Once injected into the database, Stuxnet infects the PC running the WinCC database.

What made Stuxnet lethal was the fact that its writers had perfect knowledge of the target. Stuxnet is interested only in Siemens Simatic S7 PLCs (programmable logic controllers), which are programmed by Windows PCs running Simatic Step 7 software. After Stuxnet infects a PC running Simatic Step 7, it will then load its own malicious blocks into a connected Simatic S7 PLC.

The complexity of the malware and the elaborate nature of the operation suggest that the operators had the support of state actors to achieve the deployment of Stuxnet. The intent of the attackers was multi-layered: slow down the Iranian nuclear acquisition capability, completely destroy the programme and foreclose future interest in such a high-impact project. Another possible intent is to use this as a test case for the sale of cyber protective solutions to willing buyers.

DO YOU WANNACRY?

On Friday 12th May, 2017, over 100,000 organisations in about 150 countries [34] woke up to a nightmare: their valuable information could no longer be accessed; it had been held hostage! The message on their computer screens said, ‘Ooops, your files have been encrypted’ [35]. The page shows a chilling message to the victim, informing him/her of the encryption of messages in the computer, and a countdown timer shows when payment must be raised and when files will be lost. The Bitcoin wallet account of the Infonappers [36] with the ransom amount is placed conspicuously on the page. The ransomware is programmed to encrypt almost all types of files. Over 149 types of files have been listed including but not limited to .ppsx, .ppt, .pptm, .java, .jpeg, .jpg, .mp4, .mpeg etc. [37].

The question a lot of people have asked is how did we come about this ransomware? According to the Chief Legal Officer of Microsoft, Brad Smith-

This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem… And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action [38].

The National Security Agency (NSA) of the US had been stockpiling vulnerabilities in the Windows operating system for some time; these fell into the hands of the wrong people, thereby causing a cataclysmic impact on the world.

A look at the Cybercrimes Act 2015 shows that the Act envisages this type of criminal/terrorist activity. Section 8 of the Act provides for Systems Interference. It is rendered thus:

Any person who without lawful authority, intentionally or for fraudulent purposes does an act which causes directly or indirectly the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or any other form of interference with the computer system, which prevents the computer system or any part thereof, from functioning in accordance with its intended purpose, commits an offence and shall be liable on conviction to imprisonment for a term of not more than 2 years or to a fine of not more than N5,000,000.00 or to both fine and imprisonment.

The operative words in the ransomware context are damaging, deleting or suppressing computer data.

Section 16 of the Act further strengthens the argument by highlighting what modification entails:

(2) For the purpose of this section, a modification of any data held in any computer system or network includes modifications that take place whereby the operation of any function of the computer system or network concerned, or any-

(a) program or data held in it is altered or erased;

(b) program or data are added to or removed from any program or data held in it;

(c) program or data are suppressed to prevent or terminate the availability of the data or function to its authorized users; or

(d) act occurs which impairs the normal operation of any computer, computer system or network concerned.

Section 16(2)(c) hits the bull’s eye. The elements to be proved by the prosecutor would include: suppression of data; prevention from availability; termination of availability to authorised users.

Some legal and regulatory issues arise from this incident which need further exposition outside of this paper. NITDA, under its mandate in Section 6(f) of the NITDA Act, has a duty to provide up-to-date advice to all security and non-security agencies of the government, including private sector participants, on security architecture to be deployed in the protection of cyber assets.

Some issues to be looked at include encryption standards, PKI etc.

If a software provider makes an update on its service and such was not accepted by the user, leading to a security breach and loss, who is liable? The court in this instance would consider the terms and conditions for the software, the opportunity the user had to upgrade, and the ease of use of the newly updated software, among others. In this regard, it is essential for NITDA to review the terms and conditions of the software service providers or provide guidelines to ensure IT service consumers are well protected. Another issue that the WannaCry incident raises is the obligation to report to the Nigerian Cyber Emergency Response Team (Ng. CERT) according to section 21 of the Cybercrimes Act (2015). The Ng. CERT and NITDA must improve communication on this issue, due to its impact on national security.

In addition to other necessary advisories NITDA must issue to Nigerians and Federal MDAs in particular, offline backup and/or secured cloud backup of critical national information must become mandatory in order to reduce the effect of future ransomware attacks.



© Copyright DNL Legal & Style 2017.

This piece may only be copied on the condition that DNL Legal & Style is duly acknowledged in this manner: “Source: DNL Legal & Style. View the original
