globe Asia Times Online
  April 28, 2001 atimes.com  

Search button Letters button Editorials button Media/IT button Asian Crisis button Global Economy button Business Briefs button Oceania button Central Asia/Russia button India/Pakistan button Koreas button Japan button Southeast Asia button China button Front button









Media/Information Technology

Law of the jungle costs cyberspace dearly
By Alan Boyd

SYDNEY - In the middle of last year, a disgruntled employee caused a reported US$1.4 million worth of damage to computer systems at a medium-sized Taiwanese firm because he didn't like his boss.

Although the perpetrator was quickly identified, police were never notified, and no insurance claim was filed. Instead, the management chose a typically Asian formula of house-cleaning.

"If it had been arson, or somebody had knocked off a company car, there would be cops poking around everywhere. But there's too much face involved with IT systems, so they simply pulled down the shutters and wrote if off to experience," said a network security investigator in Sydney.

A rather costly experience, but one that is being repeated daily in Asia, where technology-hungry corporations put more stake in guarding their competitive images than keeping cyber predators at bay. Consulting firm McKinsey calculates that Asians will be spending $35 billion a year on business-to-business online transactions alone by 2003, up from virtually nothing in 1997.

Internet access, the target for more than 50 percent of electronic crimes, generated $11 billion within the region in 1999, according to the International Telecommunication Union. Yet these same firms allocate only 1-2 percent of their total revenues to IT security systems, or less than an average corporation pays on cleaning services for its offices. Not surprisingly, the hacking fringe is having a field day. Malaysia was forced to set up a new cyber security panel in December after the official parliamentary website was defaced. South Korea has recorded a 400 percent increase since 1999 in the hacking of public websites. In China, a telephone subscriber with limited computer expertise was able to corrupt 30 government websites until he was detected. Police said the man was unhappy at the slow speed of repairs on a broken cable link.

And in Thailand, more than 2,000 credit numbers were stolen last year from a popular shopping site operated by Loxley Information, which had earlier decided against upgrading its security systems for financial reasons.

Only about 20-25 percent of cyber victims inform police in Asia, compared with 40 percent in the United States and western Europe, making it difficult to assess just how great the problem has become in this region. However, some detection agencies believe that Asian companies are writing off as much as $500 million a year from illegal computer access or the intentional defacement of content.

While most reported cases involve the release of viruses or website hacking, there is a vast unrecorded problem of internal infiltration, often involving the pilfering of confidential data or - even more alarmingly - the sabotage of operating systems.

Image aside, most firms are not reporting these incidents because they lack confidence in the ability of law-enforcement agencies to confront an insidious and constantly-changing threat that knows no territorial or legal boundaries.

"Clearly, cyber crime and electronic vandalism represent new crime methods, and create new and severe problems that are international in focus and very complex for law enforcement to tackle," Interpol secretary-general Ronald Noble admitted at a regional crime summit in Bangkok earlier this year.

Electronic crimes differ from conventional crimes in that they are usually easier to commit without fear of immediate detection, require minimal resources, can be conducted from another legal jurisdiction and often are not technically against the law. It is the legal gaps in the equation that are causing the most concern, especially among cross-border policing agencies such as Interpol. Investigators are confronted with a multi-layered conundrum of incompatible regulatory frameworks, outdated monitoring mechanisms, inadequate technology and a generational jump in manpower skills. A recent study by the World Information Technology and Services Alliance (WITSA) and consultants McConnell International found that only Singapore and the Philippines had comprehensive laws for all significant electronic crimes. (See Cyber police below.) India and Australia were next in the ranking, with most infringements covered. Due to the sheer novelty of cyber crimes, there are few antecedents that can be applied, with the result that laws are often based on criminal statutes that don't hold up well to technical scrutiny. The Philippines government had to abandon efforts to prosecute the architect of the so-called Love Bug virus last year because its data theft laws didn't cover IT.

It was a costly blunder. By the time these laws had been revised, the bug had infected 10 million computers worldwide and caused business losses of $10 billion-$15 billion. Similarly, investigators have been unable to borrow policing techniques from other transnational crimes, such as narcotics and money-laundering, because there are few cross-border covenants that can be applied. And in any case, the cyber sleuths themselves cannot agree on a common starting point.

Malaysia may be sensitive to web hacking, but it does not prosecute data interceptions, data thefts, network sabotage or computer-related forgery. India permits data interceptions but not unauthorized access. Indonesia and New Zealand have no specific cyber laws at all. Even Japan, home to some of the world's biggest electronics firms and the second-largest economy, has no updated laws against computer viruses, typifying the extraordinary complacency of political leaders in much of Asia.

"Japan's people and businesses have not yet fully realized that Japan is vulnerable to a cyberterrorist attack, and the effects such an attack would have on Japan. And in general, Japan's most powerful leaders have demonstrated a lack of technology understanding ..." said Raisuke Miyawaki, formerly the chief technology adviser to the Japanese government.

Inconsistent penalties are another problem. A hacker caught defacing a website in the United Kingdom could be charged under terrorism statutes, but if he caused the same damage to a site in most Asian countries he would probably attract only a small fine. For domestic political ends, Asian governments have put the bulk of resources into controlling inflammatory content and keeping teenagers out of pornographic sites, while affording cyber crimes a lower priority than more visible social threats like illicit drugs.

The Association of Southeast Asian Nations (Asean), the most representative grouping for Southeast Asian states, did not cover online security at all in its draft IT covenant, preferring instead to build up the investment end of the trade. Asia-Pacific Economic Cooperation (Apec) focuses on the prickly issue of market restrictions.

One outcome of this narrow commercial emphasis has been a surveillance vacuum, with police forces unable to provide enough personnel with technical backgrounds to confront the nimble cyber threat. In response, Interpol is coordinating efforts to set up a regional taskforce capable of guiding local authorities in the complexities of online crimes. But the resources will still have to come from Asia: Interpol has only five full-time cyber investigators of its own. The US's Federal Bureau of Investigation, which is helping several Asian countries beef up their surveillance techniques, is in similar trouble. A new inter-agency authority set up under its leadership in Michigan accumulated a six-month case backlog in the first week of operation.

Interpol acknowledged its limitations in February by signing a preliminary agreement with a private research group in the US for technical backup, establishing a precedence that will probably become the pattern elsewhere as the corporate sector belatedly confronts the cyber threat.

Five Japanese firms initiated the first Asian online corporate alliance in late 1999, but it has failed to attract strong political backing, partly because of Tokyo's own reticence on the cyber issue, but also due to competitive pressures within the industry. Authorities in Japan have made a concerted effort for the past two years to catch up with Western countries at an enforcement level, but only after intense lobbying from Washington and European capitals.

Asian countries also have a big stake in the Japanese commitment, as Tokyo is the region's only effective bridge in efforts by the G8 grouping to broker a common legal framework through the Council of Europe. Now in its 25 draft, the council's statute is scheduled for release at the end of this year, but could be delayed by the inevitable conflicts over regulatory intervention in content, safeguards on individual rights and retaliatory penalties.

There is no certainty that Asian governments will embrace the package, even under threat of trade or investment boycotts. But if they don't, regional business will be the main loser.

"Outdated laws and regulations, and weak enforcement mechanisms for protecting networked information, create an inhospitable environment in which to conduct e-business within a country and across national boundaries," WITSA warned in its study.

"As cyber crime increasingly breaches national borders, nations perceived as havens run the risk of having their electronic messages blocked by the network. Countries where legal protections are inadequate will become increasingly less able to compete in the New Economy," the report noted.

Cyber police
The first efforts to police computer crimes were made in 1977, when the US Congress debated - and rejected - a draft bill that was primarily aimed at boosting awareness of the potential threat. Follow-up discussions by the Organization for Economic Cooperation and Development (OECD) resulted in a series of recommendations on required changes in their legal codes.

However, this approach was flawed due to the OECD's narrow membership among the more advanced economies, and a misguided decision to base the reforms on existing penal legislation. A list of infringements that could be used to formulate a uniform policing policy was issued for the first time in 1989 by the Council of Europe, and updated in 1995.

This categorized IT offenses "as encompassing any criminal offense, in the investigation of which investigating authorities must obtain access to information being processed or transmitted in computer systems". A new committee was established by the Council of Europe in 2000 to identify and define new crimes, jurisdictional rights and criminal liabilities due to communication on the Internet. Due for completion this year, the document will probably form the basis of a draft international convention on cyber crime.

In a parallel move, the G-8's transnational crime panel is refining a plan of action. A set of principles was released in 1997 and specific guidelines on trans-border access to stored computer data were drafted in 1999.

Computer crime legislation covers 10 identifiable types of offenses:
* Data interception. Interception of data in transmission;
* Data modification. Alteration, destruction or erasing of data;
* Data theft. Taking or copying data, regardless of whether it is protected by other laws, such as privacy or copyright statutes;
* Network interference. Impeding or preventing access for others, usually through a distributed denial of service (DDOS) attack, or flooding websites or Internet Service Providers;
* Network sabotage. Modification or destruction of a network or system;
* Unauthorized access. Hacking or cracking to gain access to a system or data;
* Virus dissemination. Introduction of software damaging to systems or data;
* Aiding and abetting. Enabling the commission of a cyber crime;
* Computer-related forgery. Alteration of data with intent to represent it as authentic, and;
* Computer-related fraud. Alteration of data with intent to derive economic benefits from its misrepresentation.


Sources: Stanford University, World Information Technology and Services Alliance

((c)2001 Asia Times Online Co, Ltd. All rights reserved. Please contact content@atimes.com for information on our sales and syndication policies.)









Front |China | Southeast Asia | Japan | Koreas | India/Pakistan | Central Asia/Russia | Oceania

Business Briefs | Global Economy | Asian Crisis | Media/IT |Editorials | Letters | Search/Archive


back to the top

©2001 Asia Times Online Co., Ltd.

Building B - 5th Floor, 102/1 Phra Arthit Road, Chanasangkhram, Bangkok 10200, Thailand