Legal Aspects of Internet Governance:
International Cooperation on Cyber Security
15th September 2010
Internet Governance Forum
(Workshop 123)
Jayantha Fernando
Director/ Legal Advisor
ICT Agency of Sri Lanka
Where does Sri Lanka stand?
Sri Lankan ICT Sector
• ICT Sector - 5th Largest Revenue Earner for Sri Lanka
• Colombo Stock Exchange - Fastest Growing in Asia
• Colombo Stock Exchange Software replicated in Croatia, Mauritius etc. (LSE bought MIT)
• First in South Asia to Liberalise Telecom Sector – 70% mobile penetration (5 mobile operators, 16 ISPs, 5 gateways)
• A large pool of educated workers – 50,000 new accountants per annum, 30% per annum growth in IT workforce
• Sri Lanka is ranked 16th in the “Top 50 Global Outsourcing Destinations” (A.T. Kearney Global Services Location Index 2009) and amongst the Top 20 emerging cities.
Network Readiness Index (NRI)
NRI – Sub Indices
e-Sri Lanka Program - Objectives
“Take the dividends of ICT
- to every village,
- to every citizen,
- to every business and also
- transform the way government thinks and works”
Started in January 2005 – funded by World Bank
Preparation phase 2002-2004
e-Sri Lanka Components
An Integrated e~Development Model (diagram labels):
• Peace
• Re-engineering Government
• Information Infrastructure
• e-Society
• ICT Policy, Leadership & Institutional Development
• ICT Human Resources Capacity Building
• ICT Investment & Private Sector Development
ICT Policy & Institutional Development
PROGRAM OBJECTIVE
• To create an enabling Policy and Regulatory environment for the knowledge economy and develop the local institutional capacity to lead and implement an ambitious ICT program
Policy Reforms for ICT Growth
• Key ICT Legal Reforms
– Intellectual Property Act No. 36 of 2003 (based on TRIPS)
• Enhanced Copyright Protection for Software
– Monetary Law (Amendment) Act 2002 and Treasury Bills (Amd) Act No. 1 of 2004
– Payment and Settlement Systems Act No. 28 of 2005
• Establishes Sri Lanka as a destination for Electronic based Financial Transactions
Key ICT Legal Reforms (based on International Best Practices)
– Electronic Transactions Act No. 19 of 2006 (based on UNCITRAL Model on e-Commerce 1996 and UNCITRAL Model Law on e-Signatures 2001)
• Includes features of the “UN Convention on the Use of Electronic Communications in International Contracts” (UN e-Contracting Convention of 2005)
• Sri Lanka – one of the first 3 countries in Asia to sign the convention (on 6th July 2006) along with China & Singapore
– Payment Devices Frauds Act No. 30 of 2006
• Criminalises & prevents the possession and use of unauthorised or counterfeit payment devices etc.
– Computer Crimes Act No. 24 of 2007
• Based on principles contained in Council of Europe Convention on Cyber Crime (Budapest Convention of 2001)
– Obscene Publications (Amendment) Bill 2010
• Creates new offences to deal with child pornography
Enforcement Measures
Ensuring Appropriate Balance and creating conducive environment for enforcement (Special Procedure in Part II)
• Criminal investigations interfere with “rights of subjects”
• Interference must be justifiable and “proportionate” to the needs of the Society sought to be protected
• Growth of Cyber Crime creates challenges in respect of how best an appropriate balance could be reached between the needs of investigators and rights of Data users
• Interests of ISPs / intermediaries likely to be affected
• Special Safeguards in Part II of the Computer Crimes Act 2007
• Provisions to Use “Experts” to Support Law Enforcement
• Checks and balances to safeguard information systems
• Framework creating confidence to report Cyber Crime incidents
Cyber Crime Challenges
• Problems of identification and Capacity building needs
– Lack of understanding by “victims” of what constitutes cyber crime
– Lack of understanding by enforcement as to what constitutes cyber crime
– Lack of awareness by Judges & Prosecution – inability to map offences to Computer Crimes Act (e.g. phishing, DNS fast fluxing etc.)
– Retaining trained enforcement officials
• Lack of Reporting
– Lack of safe and secure locations and systems to report cyber crime
– Lack of infrastructure to safeguard confidentiality of the victim
– Requirement to give oral evidence in Courts (reluctance of victims and “experts” to come forward)
• Investigation and International Co-operation
– Lack of proper Forensic Labs for e-Crimes and Lack of Institutional Framework
– International nature of Cyber Crime – Enforcement & Judicial co-operation
Addressing Challenges - Steps Taken in Sri Lanka
Awareness, Infrastructure and Creating Institutions
– Awareness and Capacity Development
• For Law enforcement, Stakeholders (banking etc.) and even the public
– Safe & Secure Reporting - Creating a hotline for reporting offences
– Establishing “Digital Forensic Lab” for Computer Crimes Unit of Police (CID) - ICTA Leadership
– Implementing IT Usage and Information Securities Policies (for Govt) – Voluntary for Private Sector
• E-Government Policy adopted by Cabinet of Ministers on 16th December 2009 – See www.icta.lk
– Admissibility of Electronic Evidence enhanced
Creating Institutional Arrangements (CERTs & CSIRTs)
• Governments cannot rely on traditional Govt expertise to combat cyber threats and address Cyber Forensic issues
• ICTA Established Sri Lanka CERT as a subsidiary (Nov 2006)
• See www.SLCERT.gov.lk
• Private sector driven Company model with Government Stakeholders (Deals with threats, forensics and develops IS policies)
• Handled over 350 incidents since inception (Approx 10 incidents a month)
• Reported Incidents of Cyber Crime increased from 48 (in 2008) to 69 in 2009
• Admitted as full member of APCERT and FIRST
– Centre of Excellence to deal with Cyber security issues
• Creating sector specific CSIRTs (Banking sector, ISPs etc.)
Addressing Challenges – How International Cooperation Can Help
• Establishing Framework for Legislation – International best practices which will enhance cooperation and ensure compatibility of Legislation
• Awareness & Capacity Development for Law enforcement & Judges
• Cross border enforcement & Judicial cooperation
Other Areas
• Role of Donor Assistance Programs
• Role of Private sector
Council of Europe Convention
• Advantages of Budapest Convention
– Legal and Contractual basis for International cooperation in Cyber Crime enforcement (Ranging from Police to Judicial cooperation)
– Facilitates the gathering of Electronic Evidence, investigation of cyber-laundering, cyber-terrorism and other serious crimes
– Provides for Cyber Crime legislation harmonisation and allows participation in Cybercrime Convention Committee (T-CY)
• Sri Lanka Considering signing Council of Europe (CoE) Convention on Cyber Crime
• Review of Part V “Harare Scheme on Mutual Legal Assistance in Criminal Matters” - drawing on CoE
How International Cooperation Can Help – Donors & Pvt Sector
• Include ICT Reforms in donor assisted ICT Development Programs
– ICT Legislative Reform Component included under the e-Sri Lanka Program
– Legal reform component supported by World Bank and others
– Success led to Capacity development and Institutional Development support
– Judges Training and establishment of Sri Lanka CERT
– Digital Forensic Lab
• Role of Private Sector
– E.g. Microsoft Security Cooperation Program (CSP)
Thank You !
www.icta.lk