<p>Cyber law – The Conversation</p>
<h1>Why federal efforts to protect schools from cybersecurity threats fall short</h1>
<p>2023-12-14T13:12:48Z</p>
<figure><img src="https://images.theconversation.com/files/565284/original/file-20231212-19-mthmhn.jpg?ixlib=rb-1.1.0&rect=35%2C35%2C5928%2C3943&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The cost of safeguarding America's schools from cybercriminals could run as high as $5 billion.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/payments-system-hacking-online-credit-cards-payment-royalty-free-image/1355213459?phrase=school+cybersecurity&adppopup=true">boonchai wedmakawand via Getty Images</a></span></figcaption></figure><p>In August 2023, the White House <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/">announced</a> a plan to bolster cybersecurity in K-12 schools – and with good reason. Between 2018 and mid-September 2023, there were <a href="https://www.k12dive.com/news/ransomware-attacks-targeting-schools-colleges/694313/">386 recorded cyberattacks</a> in the U.S. education sector, which cost those schools $35.1 billion. K-12 schools were the primary target.</p>
<p>The new White House initiative includes a collaboration with federal agencies that have cybersecurity expertise, such as <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/">the Cybersecurity and Infrastructure Security Agency, the Federal Communications Commission</a> and <a href="https://www.the74million.org/article/white-house-takes-on-urgent-k-12-cybersecurity-threat-at-first-ever-summit/">the FBI</a>. Technology firms like Amazon, Google, Cloudflare, PowerSchool and D2L have <a href="https://www.cnbc.com/2023/08/08/white-house-launches-effort-to-secure-k-12-schools-from-cyberattacks.html">pledged to support the initiative</a> with training and resources. </p>
<p>While the steps taken by the White House are positive, as someone who <a href="https://www.uncg.edu/employees/nir-kshetri/">teaches</a> and conducts <a href="https://scholar.google.com/citations?user=g-jALEoAAAAJ&hl=en&oi=ao">research</a> about cybersecurity, I don’t believe the proposed measures are enough to protect schools from cyberthreats. Here are four reasons why:</p>
<h2>1. Schools face more cyberthreats than other sectors</h2>
<p>Cyberattacks on K-12 schools <a href="https://blog.sonicwall.com/en-us/2023/03/sonicwall-data-shows-attacks-on-schools-skyrocketing/">increased more than eightfold</a> in 2022. Educational institutions <a href="https://theconversation.com/ransomware-criminals-are-targeting-us-universities-141932">draw the interest of cybercriminals</a> due to their <a href="https://resources.securityscorecard.com/all/education-report-cybersecurity?xs=226460#page=1">weak cybersecurity</a>. This weak cybersecurity provides an opportunity to access networks containing highly sensitive information.</p>
<p>Criminals can <a href="https://www.ftc.gov/news-events/news/press-releases/2011/09/ftc-testifies-childrens-identity-theft">exploit students’ information</a> to apply for fraudulent government benefits and open <a href="https://www.computer.org/csdl/magazine/co/2018/05/mco2018050092/13rRUwfqpHi">unauthorized bank accounts and credit cards</a>. In testimony to the House Ways and Means Subcommittee on Social Security, a Federal Trade Commission official noted that children’s Social Security numbers are uniquely valuable because they have no credit history and can be paired with any name and date of birth. Over 10% of children enrolled in an identity protection service were <a href="https://www.ftc.gov/news-events/news/press-releases/2011/09/ftc-testifies-childrens-identity-theft">discovered to have loans</a>.</p>
<p>Cybercriminals can also use such information to launch ransomware attacks against schools. Ransomware attacks involve locking up a computer or its files and demanding payment for their release. The ransomware victimization rate in the education sector <a href="https://assets.sophos.com/X24WTUEQ/at/j74v496cfwh4qsvgqhs4pmw/sophos-state-of-ransomware-education-2023-wp.pdf">surpasses that of all other surveyed industries</a>, including health care, technology, financial services and manufacturing.</p>
<p>Schools are especially vulnerable to cyberthreats because more and more schools are <a href="https://chicago.chalkbeat.org/2020/4/3/21225466/chicago-plans-to-give-100-000-tech-devices-to-students-here-are-the-rules">lending electronic devices</a> to students. Criminals have been found to <a href="https://www.kaspersky.com/blog/back-to-school-malware-2019/28316/">hide malware</a> within online textbooks and essays to dupe students into downloading it. Should students or teachers inadvertently download malware onto school-owned devices, criminals can launch an attack on the entire school network.</p>
<p>When faced with such an attack, schools can be <a href="https://buffalonews.com/news/local/experts-say-ransomware-attack-on-buffalo-public-schools-should-have-been-anticipated/article_60a77598-8446-11eb-8b6b-d3137700ab43.html">desperate to comply</a> with criminals’ demands to <a href="https://www.nytimes.com/2020/11/19/nyregion/schools-closing.html">ensure students’ access to learning</a>.</p>
<h2>2. Schools lack cybersecurity personnel</h2>
<p>K-12 schools’ poor cybersecurity performance can be attributed, in part, to lack of staff. About <a href="https://www.edweek.org/technology/k-12-tech-leaders-dont-feel-prepared-for-cyberattacks/2023/05">two-thirds of school districts</a> lack a full-time cybersecurity position. Those with cybersecurity staff often <a href="https://edtechmagazine.com/k12/article/2023/10/school-cybersecurity-becomes-focus-feds-and-k-12-leaders">don’t have the budget</a> for a chief information security officer to oversee and manage the district’s strategy. Often, <a href="https://edtechmagazine.com/k12/article/2023/10/school-cybersecurity-becomes-focus-feds-and-k-12-leaders">the IT director takes on this role</a>, but they have a broader responsibility for IT operations without a specific emphasis on security.</p>
<h2>3. Schools lack cybersecurity skills</h2>
<p>The <a href="https://www.plantemoran.com/explore-our-thinking/insight/2020/11/cybersecurity-in-k12-schools-how-to-prevent-a-data-breach">lack of cybersecurity skills</a> among existing staff hinders the development of strong cybersecurity programs.</p>
<p>Only <a href="https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf">10% of educators</a> say that they have a deep understanding of cybersecurity. The majority of students say that they have <a href="https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf">minimal or no knowledge</a> about cybersecurity. Cybersecurity awareness tends to be even <a href="https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf">lower in higher-poverty districts</a>, where students have <a href="https://www.darkreading.com/cyberattacks-data-breaches/preventing-cyberattacks-schools-k-12-cybersecurity-education">less access</a> to cybersecurity education.</p>
<p>The Cybersecurity and Infrastructure Security Agency plans to provide cybersecurity training to an additional <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/#:%7E:text=Today%2C%20Secretary%20of%20Education%20Miguel,our%20schools'%20cybersecurity%2C%20protect%20American">300 K-12 schools, school districts and other organizations involved in K-12 education</a> in the forthcoming school year. With <a href="https://research.com/universities-colleges/number-of-public-schools-in-the-us#:%7E:text=There%20are%20130%2C930%20K%2D12,%5BNCES%5D%2C%202020">130,930 K-12 public schools</a> and <a href="https://ballotpedia.org/Public_school_district_(United_States)">13,187 public school districts</a> in the U.S., CISA’s plan serves only a tiny fraction of them.</p>
<h2>4. Inadequate funding</h2>
<p><a href="https://www.fcc.gov/">The FCC</a> has proposed a pilot program that would allocate <a href="https://docs.fcc.gov/public/attachments/DOC-395069A1.pdf">$200 million</a> over three years to boost cyberdefenses. With an annual budget of $66.6 million, this falls short of covering the entirety of cybersecurity costs, given that it will cost an estimated $5 billion to adequately secure the nation’s K-12 schools.</p>
<p><a href="https://nordlayer.com/blog/cost-benefit-analysis-of-cybersecurity-spending/">The costs encompass</a> hardware and software procurement, consulting, testing, and hiring data protection experts to combat cyberattacks. <a href="https://www.govpilot.com/blog/how-to-train-government-workers-on-cyber-security-attacks">Frequent training</a> is also needed to respond to evolving threats. As technology advances, cybercriminals adapt their methods to exploit vulnerabilities in digital systems. Teachers must be ready to address such risks.</p>
<h2>Costs are sizable</h2>
<p>How much should schools and districts be spending on cybersecurity? Other sectors can serve as a model to guide K-12 schools.</p>
<p>One way to determine cybersecurity funding is by the number of employees. In the financial services industry, for example, these costs range from <a href="https://cybersecurity.att.com/blogs/security-essentials/how-to-justify-your-cybersecurity-budget">$1,300 to $3,000</a> per full-time employee. There are <a href="https://www.weareteachers.com/how-many-teachers-are-in-the-us/">over 4 million teachers</a> in the United States. Setting cybersecurity spending at $1,300 per teacher – the low end of what financial firms spend – would require K-12 schools to spend a total of $5 billion.</p>
<p>An alternate approach is to determine cybersecurity funding relative to IT spending. On average, <a href="https://venturebeat.com/security/benchmarking-your-cybersecurity-budget-in-2023/#:%7E:text=On%20average%20in%202022%2C%20enterprises,their%20IT%20budgets%20on%20cybersecurity">U.S. enterprises are estimated to spend 10%</a> of their IT budgets on cybersecurity. Since K-12 schools were estimated to spend <a href="https://edtechevidence.org/wp-content/uploads/2021/07/FINAL-K12-EdTech-Funding-Analysis_v.1.pdf">more than $50 billion</a> on IT in the 2020-21 fiscal year, allocating 10% to cybersecurity would also require them to spend $5 billion.</p>
<p>Another approach is to allocate cybersecurity spending as a proportion of the total budget. In 2019, cybersecurity spending represented <a href="https://cybersecurity.att.com/blogs/security-essentials/how-to-justify-your-cybersecurity-budget">0.3%</a> of the federal budget. Federal, state and local governments collectively allocate <a href="https://educationdata.org/public-education-spending-statistics#:%7E:text=Public%20K%2D12%20expenditures%20total,education%20or%20%247%2C430%20per%20student">$810 billion</a> for K-12 education. If schools set cybersecurity spending at 0.3%, following the example of federal agencies, that would require an annual budget of $2.4 billion.</p>
<p>By contrast, a fifth of schools <a href="https://www.securitymagazine.com/articles/99982-the-hidden-cost-of-the-cybersecurity-deficit-in-k-12-education">dedicate less than 1% of their IT budgets</a> – not their entire budgets – to cybersecurity. In <a href="https://www.edweek.org/technology/k-12-tech-leaders-dont-feel-prepared-for-cyberattacks/2023/05">12% of school districts</a>, there is no allocation for cybersecurity at all.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Cybercriminals target schools because they’re uniquely vulnerable. A cybersecurity expert explores whether a new White House initiative will be enough to deter bad actors.</p>
<p>Nir Kshetri, Professor of Management, University of North Carolina – Greensboro</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>The government’s planned ‘anti-troll’ laws won’t help most victims of online trolling</h1>
<p>2021-11-29T04:10:53Z</p>
<figure><img src="https://images.theconversation.com/files/434348/original/file-20211129-21-1cyuuci.jpeg?ixlib=rb-1.1.0&rect=0%2C7%2C5000%2C3315&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Yesterday, Prime Minister Scott Morrison and Attorney-General Michaelia Cash <a href="https://www.attorneygeneral.gov.au/media/media-releases/combatting-online-trolls-and-strengthening-defamation-laws-28-november-2021">announced</a> proposed new legislation aimed at making online “trolls” accountable for their actions. </p>
<p>Over the past few weeks, we’ve heard Morrison decry trolls as “cowardly” and “un-Australian”, language that made it into the talking points at yesterday’s media conference. But is his new-found concern about trolling all it’s cracked up to be?</p>
<p>The proposed new legislation would give courts the power to force social media companies to pass on to people the details of their trolls, so they can pursue defamation action against them. </p>
<p>This decision is largely a reaction to the High Court’s <a href="https://theconversation.com/high-court-rules-media-are-liable-for-facebook-comments-on-their-stories-heres-what-that-means-for-your-favourite-facebook-pages-167435">upholding</a> of the ruling in the Dylan Voller case, which now holds media companies responsible for defamatory comments posted on their social media pages. But there are some things that we need to be wary of in this legislation.</p>
<h2>Defamation isn’t the same as trolling</h2>
<p>Speaking to the media yesterday, Morrison argued this legislation is a necessary means to curb online trolling. But the policy proposal largely deals with issues of defamation, which isn’t necessarily the same thing. </p>
<p>As I have <a href="https://theconversation.com/the-media-dangerously-misuses-the-word-trolling-79999">previously pointed out</a>, trolling is a grossly overused term that encompasses a range of activities. Defamation, meanwhile, is far more specific and legally defined. To prove defamation, one has to prove the content posted has damaged the victim’s reputation. </p>
<p>Framing this announcement in the context of the very real harms of targeted online bullying and harassment is, I believe, disingenuous. I say this because those who suffer this kind of harassment aren’t likely to be bringing defamation suits. In short, this legislation won’t necessarily help them.</p>
<p>What’s more, a version of the newly announced powers already exists anyway. The recent <a href="https://www.esafety.gov.au/sites/default/files/2021-07/Online%20Safety%20Act%20-%20Fact%20sheet.pdf">Online Safety Act 2021</a> allows the e-Safety Commissioner to order social media companies to remove bullying or harassing content within 24 hours, or face a A$555,000 fine. Crucially, it also gives the commissioner powers to demand information about the owners of anonymous accounts who engage in online abuse.</p>
<p>Where social media companies fail to provide information about the offending poster, the newly announced laws would see them held accountable for the defamatory content. But that assumes they know this information in the first place.</p>
<p>Social media companies already collect users’ details on sign-up, including their name, email address, country of residence and, increasingly, telephone number. But for many social media platforms, there is nothing to stop users setting up an account with a fake name, using a throwaway email address or a “burner” phone, and then ditching all of that but maintaining the account once the information has been initially verified.</p>
<p>Even if the information provided is correct, it doesn’t mean the person will necessarily answer their phone or respond to an email. As one journalist asked yesterday, should social media companies be held accountable in that instance? The standard <a href="https://community.hrdaily.com.au/profiles/blogs/putting-the-reasonable-person-to-the-test">“reasonable person” assessment in law</a> would likely find not, meaning any defamation action brought against the company itself would likely fail.</p>
<h2>Social media ID laws by stealth</h2>
<p>My main concern with this proposed legislation is that it will prompt social media companies to collect enough information on their users so they become readily identifiable upon request. This seems a very similar concept to the government’s suggestion earlier this year that Australians who set up social media accounts should have to provide 100 points of identification. </p>
<p>That proposal was met with a <a href="https://www.smh.com.au/politics/federal/it-s-a-long-bow-social-media-id-push-dubbed-a-privacy-risk-20210402-p57g7d.html">barrage of criticism</a>, both for reasons of simple privacy, and because some experts, including myself, believe removing anonymity <a href="https://theconversation.com/ending-online-anonymity-wont-make-social-media-less-toxic-172228">won’t fix online toxicity anyway</a>.</p>
<p>The other real issue, ironically enough, is one of user safety. Yes, online anonymity gives trolls a mask to hide behind, but it also allows people to access support for addiction or mental health issues, for example, or allows a young LGBTQI+ person in fear of real-world violence or disapproval to find a community online. Online anonymity can be a crucial shield for victims of domestic violence who want to avoid being found by their abusers.</p>
<p>Forcing social media companies to provide users’ details to a court also opens up the possibility of “abuse of process”. This is where the legal process itself is used as a form of intimidation and bullying or, worse, for an abuser to gain access to their victim. The government has assured us the policy will contain safeguards against this, but has provided no detail so far on how this will be achieved.</p>
<p>Finally, it’s worth noting that several of the highest-profile current plaintiffs in Australian defamation cases involving social media are to be found within the government itself. So while it might sound cynical, we’re entitled to wonder whom this policy is really designed to help.</p>
<p class="fine-print"><em><span>Jennifer Beckett does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The government’s plan to make social media companies hand over trolls’ details aims to make it easier for victims to sue their harassers for defamation. But this conflates two very different concepts.</p>
<p>Jennifer Beckett, Lecturer in Media and Communications, The University of Melbourne</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Society’s dependence on the internet: 5 cyber issues the coronavirus lays bare</h1>
<p>2020-03-27T12:15:03Z</p>
<figure><img src="https://images.theconversation.com/files/322734/original/file-20200324-141843-c1rt4c.jpg?ixlib=rb-1.1.0&rect=8%2C0%2C5982%2C3961&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The pandemic is increasing society's reliance on digital connections.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/internet-of-things-concept-social-icon-on-3d-space-royalty-free-image/1165240659?adppopup=true">MR.Cole_Photographer/Moment via Getty Images</a></span></figcaption></figure><p>As more and more U.S. schools and businesses shutter their doors, the rapidly evolving coronavirus pandemic is helping to expose society’s dependence – good and bad – on the digital world. </p>
<p>Entire swaths of society, including <a href="https://www.american.edu/president/announcements/march-12-2020.cfm">classes we teach at American University</a>, have moved online until the coast is clear. As vast segments of society are temporarily forced into isolation to achieve social distancing, the internet is their window into the world. Online social events like virtual happy hours foster a sense of connectedness amid social distancing. While the online world is often portrayed as a societal ill, this pandemic is a reminder of how much the digital world has to offer.</p>
<p>The pandemic also lays bare the many vulnerabilities created by society’s dependence on the internet. These include the dangerous consequences of censorship, the constantly morphing spread of disinformation, supply chain vulnerabilities and the risks of weak cybersecurity. </p>
<h2>1. China’s censorship affects us all</h2>
<p>The global pandemic reminds us that even <a href="https://slate.com/technology/2020/03/china-coronavirus-tencent-wechat-facebook-consolidation-censorship.html">local censorship can have global ramifications</a>. <a href="https://citizenlab.ca/2020/03/censored-contagion-how-information-on-the-coronavirus-is-managed-on-chinese-social-media/">China’s early suppression of coronavirus information</a> likely contributed to what is now a worldwide pandemic. Had the doctor in Wuhan who spotted the outbreak been able to speak freely, public health authorities might have been able to do more to contain it early. </p>
<p>China is not alone. Much of the world lives in countries that impose <a href="https://freedomhouse.org/report/freedom-net/2016/silencing-messenger-communication-apps-under-pressure">controls on what can and cannot be said about their governments online</a>. Such censorship is not just a free speech issue, but a public health issue as well. Technologies that circumvent censorship are increasingly a matter of life and death. </p>
<h2>2. Disinformation online isn’t just speech – it’s also a matter of health and safety</h2>
<p>During a public health emergency, sharing accurate information rapidly is critical. Social media can be an effective tool for doing just that. But it’s also a source of disinformation and manipulation in ways that can threaten global health and personal safety – something tech companies are desperately, yet imperfectly, trying to combat. </p>
<p>Facebook, for example, has banned ads selling face masks or <a href="https://about.fb.com/news/2020/03/coronavirus/">promising false preventions or cures</a>, while giving the World Health Organization unlimited ad space. Twitter is placing links to the Centers for Disease Control and Prevention and other reliable information sources atop search returns. Meanwhile, Russia and others <a href="https://slate.com/technology/2020/03/coronavirus-china-russia-misinformation-censorship.html">reportedly are spreading rumors</a> about the coronavirus’s origins. Others are using the coronavirus to spread <a href="https://www.economist.com/china/2020/02/17/the-coronavirus-spreads-racism-against-and-among-ethnic-chinese">racist vitriol</a>, in ways that put individuals at risk.</p>
<p>Not only does COVID-19 warn us of the costs – and geopolitics – of disinformation, it highlights the roles and responsibilities of the private sector in confronting these risks. Figuring out how to do so effectively, without suppressing legitimate critics, is one of the greatest challenges for the next decade. </p>
<h2>3. Cyber resiliency and security matter more than ever</h2>
<p>Our university has moved our work online. We are holding meetings by video chat and conducting virtual courses. While many don’t have this luxury, including those on the front lines of health and public safety or newly unemployed, thousands of other <a href="https://thehill.com/policy/healthcare/public-global-health/487386-higher-education-institutions-close-move-classes">universities</a>, <a href="https://www.businessinsider.com/companies-asking-employees-to-work-from-home-due-to-coronavirus-2020#over-in-austin-texas-and-in-the-bay-area-indeed-told-employees-to-from-home-until-the-end-of-march-to-be-cautious-of-the-virus-6">businesses</a> and other institutions also moved online – a testament to the benefits of technological innovation.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/322733/original/file-20200324-155631-1txbb4v.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/322733/original/file-20200324-155631-1txbb4v.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=402&fit=crop&dpr=1 600w, https://images.theconversation.com/files/322733/original/file-20200324-155631-1txbb4v.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=402&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/322733/original/file-20200324-155631-1txbb4v.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=402&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/322733/original/file-20200324-155631-1txbb4v.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=505&fit=crop&dpr=1 754w, https://images.theconversation.com/files/322733/original/file-20200324-155631-1txbb4v.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=505&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/322733/original/file-20200324-155631-1txbb4v.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=505&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Harvard Business School professor Bharat Anand demonstrates HBX Live, an online classroom.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Harvard-Online-Classroom/308d5bddb0634eb5ba970fe59e305871/76/0">AP Photo/Gretchen Ertl</a></span>
</figcaption>
</figure>
<p>At the same time, these moves remind us of the importance of strong encryption, reliable networks and effective cyber defenses. Today network outages are not just about losing access to Netflix but about losing livelihoods. Cyber insecurity is also a threat to public health, such as when <a href="https://www.reuters.com/article/us-california-hospital-cyberattack/california-hospital-makes-rare-admission-of-hack-ransom-payment-idUSKCN0VS05M">ransomware attacks disrupt entire medical facilities</a>. </p>
<h2>4. Smart technologies as a lifeline</h2>
<p>The virus also exposes the promise and risks of the “internet of things,” the globe-spanning web of always-on, always-connected cameras, thermostats, alarm systems and other physical objects. Smart thermometers, blood pressure monitors and other medical devices are increasingly connected to the web. This makes it easier for people with pre-existing conditions to manage their health at home, rather than having to seek treatment in a medical facility where they are at much greater risk of exposure to the disease. </p>
<p>Yet this reliance on the internet of things carries risks. Insecure smart devices <a href="https://theconversation.com/internet-of-things-could-be-an-unseen-threat-to-elections-132142">can be co-opted to disrupt democracy</a> and society, such as when the <a href="https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/">Mirai botnet hijacked home appliances</a> to disrupt critical news and information sites in the fall of 2016. When digitally interconnected devices are attacked, their benefits suddenly disappear – adding to the sense of crisis and sending those dependent on connected home diagnostic tools into already overcrowded hospitals. </p>
<h2>5. Tech supply chain is a point of vulnerability</h2>
<p>The shutdown of Chinese factories in the wake of the pandemic interrupted the supply of critical parts to many industries, including the U.S. tech sector. Even Apple had to temporarily <a href="https://www.apple.com/newsroom/2020/02/investor-update-on-quarterly-guidance/?subId1=xid:fr1583953773221daa">halt production</a> of the iPhone. Had China not begun to recover, the toll on the global economy could have been even greater than it is now.</p>
<p>This interdependence of our supply chain is neither new nor tech-specific. Manufacturing – <a href="https://theconversation.com/medical-supply-chains-are-fragile-in-the-best-of-times-and-covid-19-will-test-their-strength-133688">medical</a> and otherwise – has long depended on parts from all over the world. The crisis serves as a reminder of the global, complex interactions of the many companies that produce gadgets, phones, computers and many other products on which the economy and society as a whole depend. Even if the virus had never traveled outside of China, the effects would have reverberated – highlighting ways in which even local crises have global ramifications.</p>
<h2>Cyber policy in everything</h2>
<p>As the next phase of the pandemic response unfolds, society will be grappling with more and more difficult questions. Among the many challenges are complex choices about how to curb the spread of the disease while preserving core freedoms. How much tracking and surveillance are people willing to accept as a means of protecting public health? </p>
<p>As Laura explains in “<a href="https://yalebooks.yale.edu/book/9780300233070/internet-everything">The Internet in Everything</a>,” cyber policy is now entangled with everything, including health, the environment and consumer safety. Choices that we make now, about cybersecurity, speech online, encryption policies and product design will have dramatic ramifications for health, security and basic human flourishing. </p>
<p class="fine-print"><em><span>Laura DeNardis receives research funding from the Hewlett Foundation Cyber Initiative. </span></em></p><p class="fine-print"><em><span>Jennifer Daskal does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Much of the world is moving online in response to the coronavirus pandemic. Society’s newly increased dependence on the internet is bringing the need for good cyber policy into sharp relief.</p>
<p>Laura DeNardis, Professor of Communication Studies, American University School of Communication</p>
<p>Jennifer Daskal, Professor of Law and Faculty Director, Technology, Law & Security Program, American University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Kenya’s new cybercrime law opens the door to privacy violations, censorship</h1>
<p>2018-05-29T13:02:00Z</p>
<figure><img src="https://images.theconversation.com/files/220470/original/file-20180525-51091-13m79b4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A new act is trying to lock down cyber crime in Kenya.</span> <span class="attribution"><span class="source">Ink Drop/Shutterstock</span></span></figcaption></figure><p>More and more Kenyans <a href="https://www.nation.co.ke/news/Internet-access-grows-in-Kenya/1056-3895304-nsw0nnz/index.html">are connecting to the internet</a>, most frequently from mobile devices like phones and tablets.</p>
<p>There are, of course, big benefits to increased connectivity. These include the rise of mobile money transactions and access to loans. But there are downsides, too. The country has been targeted by <a href="https://businesstoday.co.ke/how-alex-mutuku-drowned-in-his-own-success-as-hacker/">hackers</a> in <a href="https://www.standardmedia.co.ke/business/article/2001233552/man-charged-with-hacking-kra-and-causing-sh4b-loss">several</a> major <a href="https://www.standardmedia.co.ke/business/article/2001240392/19-kenyan-firms-hit-by-costly-ransomware-cyber-attack">attacks</a>.</p>
<p>In May 2018 the Kenyan government responded to these and other high-profile cyber attacks by signing the <a href="https://www.nation.co.ke/news/New-cybercrime-law--is-not-too-bad---says-CS-Mucheru/1056-4570728-gag4e6/index.html">Computer and Cyber Crime Act</a> into law. This seems a strange decision, since legislation already exists that deals with these issues. </p>
<p>The <a href="https://www.unodc.org/res/cld/document/ken/1930/information-and-communications-act_html/Kenya_Information_and_Communications_Act_2_of_1998.pdf">Kenya Information Communication Act</a> and the Penal Code and its regulations already criminalised several cybercrimes. These laws could have been amended to, for instance, increase the penalties for certain crimes. Instead their provisions have been superseded by the <a href="http://kenyalaw.org/kl/fileadmin/pdfdownloads/bills/2017/ComputerandCybercrimesBill_2017.pdf">Computer and Cyber Crime Act</a>. </p>
<p>The new act is too vague when it comes to important details, particularly those that deal with the issue of surveillance. Will Kenya’s authorities use this legislation to “eavesdrop” on citizens? The act also criminalises the publication online of false information or hate speech. But it does not explain what “hate speech” entails in this context, and seems to lean towards outright censorship in parts.</p>
<p>The new act criminalises “false publications”, but offers no real definition of these. It also doesn’t give guidelines for distinguishing what it calls hate speech from speech that’s protected under Kenya’s existing laws. </p>
<p>That could pose a problem in a country where people often share opinions, news and views via the internet. Kenya is a polarised country – especially during election times. If someone were to make an offensive comment online about a certain leader of a specific county, it might be categorised under the new act as hate speech or incitement to violence.</p>
<p>The spirit of the act is to be applauded. It aims to boost security and Kenya’s cyber health. But it also violates fundamental individual rights and there is a need to reframe some provisions so it’s not abused by the criminal justice system.</p>
<h2>What the act says</h2>
<p>The new <a href="http://kenyalaw.org/kl/fileadmin/pdfdownloads/bills/2017/ComputerandCybercrimesBill_2017.pdf">Computer and Cyber Crime Act</a> has several stated aims. For instance, it offers a framework for the timely and effective detection, investigation and prosecution of computer crimes. Such crimes include unauthorised access to or interference with computer systems by third parties; the distribution of child pornography and online harassment like bullying and stalking; and the production of fake publications. </p>
<p>These and other crimes described in the act come with very steep fines. For example, the crime of “fake publication” attracts a fine of 5 million Kenyan shillings (USD$50,000) or 10 years in prison. Unauthorised interference or interception of state protected computers attracts the longest sentence: 20 years. </p>
<p>Unfortunately the legislation is extremely vague when it comes to defining some of the offences, leaving a great deal open to individual interpretation. That’s particularly troubling when it comes to things like “fake publications”, since the act could be misused to censor free expression in the online space. And that directly <a href="http://kenyalaw.org/kl/index.php?id=398">contradicts the country’s Constitution</a>.</p>
<p>The provisions around “publication of false information” and “hate speech” are too broadly framed. The worry is that such blanket provisions might lead to a damping down of free expression. Citizens may even self-censor, not sharing different opinions or views, because they worry that these will somehow contravene the act.</p>
<p>The act also lays the ground for international cooperation around prosecuting cyber crimes. And it sets up a crime reporting database. Any person who has information about a threat, attempt or actual cyber attack is now legally obliged to share this with the database within 24 hours of the incident. If they don’t, they’re liable for a fine or could be jailed for up to two years. </p>
<p>One problem with this is that it shifts liability on to the victim or target of the cyber crime. There should be a distinction between aiding and abetting a crime and actually being an ignorant victim or target who is not aware of the act’s reporting requirement.</p>
<p>Another is that once a planned crime has been reported, surveillance will be necessary to confirm it. Section 24 of the Act has a provision for searches without a warrant. This may take the form of blanket surveillance of, for instance, a WhatsApp group because of one person’s comments in that group. Others in the group who are not involved in any crime will also be “watched” by the state. This is a violation of citizens’ basic rights.</p>
<h2>Moving forward</h2>
<p>This act will have a big impact on Kenya’s information technology environment. In some cases this is a good thing: cyber crime must be taken seriously and criminals brought to book.</p>
<p>But there are challenges, too. The act in its current form infringes on Kenyans’ right to privacy through surveillance and the collection of data from users. The act should be returned to parliament for amendment, to include parameters and guidelines on how freedom of expression and privacy are to be limited: for example, guidelines that explain what counts as hate speech, violent speech or ethnic incitement, and which speech is not protected and why. If not, the question for Kenyans to ponder is whether they are willing to give up their rights for cyber security.</p>
<p class="fine-print"><em><span>Mercy Muendo does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Kenya’s new Computer and Cyber Crime Act must not be abused by the criminal justice system.Mercy Muendo, Lecturer, Information Technology and the Law, Mount Kenya University Licensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/809112017-07-26T06:52:37Z2017-07-26T06:52:37ZAs Thailand restricts internet freedom, cyber activists work to keep an open web<figure><img src="https://images.theconversation.com/files/179532/original/file-20170724-7881-1ffe3b9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/ssoosay/6235232281/in/photolist-auZcjR-4CMph-axXBgp-8K6FrG-6dVM1r-kJUif-dt86zM-oG813n-fGack-bQtarn-bRgAe2-fKGnnb-dPZnm3-59uS3M-ec5C8u-ec5C7S-atjh22-9jde2L-qCdGtw-fMBJ71-fFFSA-dBnfyK-ATott-dh5GdM-jb2yxo-JgwEi-8sZN7n-h99nbb-ezcEwe-6eakuc-8sNph9-atmVyE-atjgXg-6MFCQ7-atmVD1-atmVHS-atmVJU-atmVGb-6MBryp-j36r6k-azHxif-7ZC6Bc-ajgTk8-bCmRJf-qysLGw-8cwvBn-8sMHtA-JgyKf-nWYhR7-bTkNUR">ssoosay/flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p>On June 9 2017, a Thai man was sentenced to 35 years in jail for sharing Facebook posts. The crime: he allegedly <a href="http://time.com/4812376/thailandlesemajestefacebookroyaldefamation">defamed</a> the king. </p>
<p>This harsh sentence is just one example of Thailand’s increasing repression in the digital sphere. Since the 2014 coup, the Thai military junta has taken a hard stance toward online critics and dissidence.</p>
<p>In May, authorities threatened to shut down Facebook if the company failed to remove content deemed “<a href="https://coconuts.co/bangkok/news/failthaigovernmentwantsfacebookcomplylesemajestelawssocialmediagiantsaysnah/">inappropriate</a>”. Facebook, which did not comply, has not been shut down. At least, not yet. </p>
<h2>Cyber repression in Thailand</h2>
<p>Thailand’s cyber repression seems to be linked to its troubled history of military coups. </p>
<p>At the advent of the 2006 military coup, the <a href="http://www.tsu.ac.th/files/Computer_Crimes_Act_B.E._2550_Thai.pdf">Computer Crime Act</a> was passed, authorising state agencies to block internet content deemed a threat to national security. It encouraged “<a href="https://news.vice.com/article/thailands-royal-family-is-using-child-cyber-scouts-to-monitor-dissent">netizens</a>” (web users, many of them young) to monitor and report transgressive internet behaviours.</p>
<p>This early effort emerged from alarm about the fact that the country’s two main factions, <a href="http://www.eastasiaforum.org/2011/12/31/thailands-elemental-political-conflict/">the red shirts and the yellow shirts</a>, had taken their fight to cyberspace, with the red shirts vocally opposing the coup and questioning the country’s monarchy. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/179093/original/file-20170720-32541-1unikra.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/179093/original/file-20170720-32541-1unikra.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/179093/original/file-20170720-32541-1unikra.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/179093/original/file-20170720-32541-1unikra.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/179093/original/file-20170720-32541-1unikra.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/179093/original/file-20170720-32541-1unikra.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/179093/original/file-20170720-32541-1unikra.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Red shirts in Bangkok.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/franciuii/4521407737/in/photolist-7TxoZP-7SwgYw-7SwhBf-7Swgz7-7SsZgi-7LZYB4-8bEqyZ-7St18v-7St1JX-7SwgSC-7Swgoo-7Swh3L-7St1ur-93PjdU-7SwgD5-7Swgu7-7St1oP-7SwgMY-7Swhhy-7SsZH8-nAPrzR-7St1dt-93LeSk-kMu5VZ-8nWWVS-93Pjgo-8UxSMt-8UAWLC-8UAXuC-8UAXqC-6fBmqj-8UxTJR-6fBmdN-6fxbmv-8UAXbY-8UxSHV-9jVgn6-6fxb6x-8UAWNQ-6fBmy1-6fBmzY-8UAX3U-6fBmiS-8UxTCT-nRuTn5-84Yo9d-iujUXu-7YyrCy-6fxbpP-8UAX6Y">Francesca Castelli</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>Internet control increased tremendously after the May 2014 coup, staged to facilitate royal succession and preserve the <a href="http://foreignpolicy.com/2014/05/22/the-strange-elite-politics-behind-thailands-military-coup/">elite</a> status quo in Thailand. </p>
<p>Hundreds of websites were blocked during May 2014 alone, and <a href="https://freedomhouse.org/report/freedom-press/2016/thailand">working groups</a> were set up to monitor and analyse internet content. </p>
<p>This heightened control was accompanied by a dramatic increase in <em>lèse majesté</em> charges against critics, dissidents and ordinary citizens. Non-criminal acts such as sharing or “liking” a Facebook post or chat message that insulted the monarchy became punishable by long <a href="https://freedomhouse.org/report/freedom-net/2016/thailand">jail sentences</a>.</p>
<p>And in 2015, the <a href="https://www.dailynews.co.th/article/334074">Single Gateway</a> proposal sought to monitor internet content by reducing the existing 12 internet gateways to a single, state-controlled portal.</p>
<h2>The Single Gateway policy under attack</h2>
<p>Against these continuing encroachments on digital privacy, Thai pro-democracy activists and civic groups have <a href="http://carnegieeurope.eu/2017/03/17/global-civic-activism-in-flux-pub-68301#thailand">waged a courageous battle</a>.</p>
<p>Opposition to the Single Gateway plan cleverly centred not on digital rights and freedom of expression (though those concerns were evident in the debate), but on more universal issues, such as e-commerce and the economy. </p>
<p>Some business groups, <a href="https://ilaw.or.th/node/3862">concerned</a> that the proposal would slow internet connectivity in Thailand, raised alarm that the Single Gateway would discourage foreign investment in the country. Ordinary people, too, resented the <a href="https://hilight.kapook.com/view/126924?utm_source=change_org&utm_medium=petition">attempt to limit internet access</a>. </p>
<p>Thailand’s <a href="http://www.internetlivestats.com/internet-users/thailand/">internet-penetration rate is 42%</a>, and over 29 million citizens go online for entertainment, communication, public transport and food delivery. </p>
<p><a href="http://game.sanook.com/964561/">Online game players</a> and techies were worried that the policy would affect the speed of online games and expose their personal data.</p>
<p>Amid these diverse concerns, three forms of activism emerged. </p>
<p>The <a href="http://thaigiving.org/en/organization/detail/321/info">Internet Foundation for the Development of Thailand</a> and <a href="https://thainetizen.org/">the Thai Netizen Network</a> created a Change.org petition online to gather signatures against Single Gateway, providing information to citizens about the effects of the proposed legislation. </p>
<p>Alternative discussion forums also cropped up on Facebook and elsewhere. In groups like The Single Gateway: Thailand Internet Firewall, <a href="https://www.facebook.com/antisinglegatewayth/">Anti Single Gateway</a>, and <a href="https://www.facebook.com/OpSingleGateway/">OpSingleGateway</a>, people from across Thai society braved criminalisation to join the debate on internet control.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/179094/original/file-20170720-8687-34heri.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/179094/original/file-20170720-8687-34heri.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/179094/original/file-20170720-8687-34heri.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/179094/original/file-20170720-8687-34heri.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/179094/original/file-20170720-8687-34heri.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/179094/original/file-20170720-8687-34heri.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/179094/original/file-20170720-8687-34heri.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Civic groups are concerned about digital rights in Thailand.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/kengz/2617858426/in/photolist-4Zkd77-hFbWN8-4Zkdk9-9hEqQA-4Zke2b-4Zg1dD-4Zkdsh-4ZkdEq-641dLc-4Mr8dE-7dgBE6-fJqnTN-hFayR6-4PPwwp-wNH6F1-6zoNn6-hFavuX-fDDYdM-4Mr8V9-hFaTam-fJhaB1-sSz8dZ-8eRosr-8eRs34-8eRqKv-8eUDyL-8eUBSd-8eUz2Q-8eUzSj-8eRmxi-4Mr83w-8eUHBE-8eUwZf-8eUEcw-8eUyx7-8eRj6X-8eRg2T-8eUFgw-eN7eZ-8eUFWU-rVKx3v-szYkTs-rVKEez-sAhHsz-sSmHoW-szYx21-sSm32j-szYAEG-sSyotv-sA7aYH">Keng Susumpow</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>An anonymous group calling itself the <a href="http://www.bangkokpost.com/tech/local-news/733396/activists-threaten-full-scale-cyber-war-on-government">Thailand F5 Cyber Army</a> used a so-called “<a href="https://www.facebook.com/ThailandF5CyberArmy/">distributed denial of service</a>” (DDoS) attack to wage cyber war on the Thai government. It <a href="http://www.bangkokpost.com/tech/localnews/739884/anonymousstepsupsinglegatewayprotest">demanded</a> that the junta completely cancel its Single Gateway policy. </p>
<p>They encouraged netizens to visit official websites (among them the Ministry of Defense, the National Legislative Assembly and the Internal Security Operation Centre) and to repeatedly press the F5 key, which causes the webpage to refresh constantly, overwhelming servers.</p>
<p>The attacks <a href="http://www.bangkokpost.com/tech/localnews/739884/anonymousstepsupsinglegatewayprotest">caused many government web pages</a> to shut down temporarily, in part because the sites were technologically outdated. </p>
<p>Coupled with other forms of resistance, this <a href="http://www.khaosodenglish.com/politics/2015/10/01/1443677010/">virtual civil disobedience</a> worked. On October 15 2015, the junta announced that it <a href="http://news.voicetv.co.th/business/272250.html">had scrapped</a> the plan.</p>
<h2>The Computer Crime Act campaign</h2>
<p>But the victory was short-lived. In April 2016, the junta proposed to modify the 2007 Computer Crime Act to better tackle cyber threats to <a href="http://www.posttoday.com/analysis/politic/428973">national security</a>, claiming it would help develop Thailand’s digital economy. </p>
<p>Activists again geared up for a fight. This time, given the law-and-order frame of the proposed amendment, public criticism of it took a different shape. </p>
<p>The business sector abandoned its concern over the economic effects of internet control to focus on the proposed law’s broad threat of <a href="https://ilaw.or.th/node/4312">legal sanction</a> against violators, anticipating that fear would lead to <a href="http://themomentum.co/momentum-feature-cybercrime-act-2016-from-citizen%2520(">self-censorship</a> online. </p>
<p>Netizens used online forums to discuss the impacts of the cyber law, including the fact that it was geared toward <a href="https://www.hrw.org/news/2016/12/21/thailand-cyber-crime-act-tightens-internet-control">increasing sentences</a> against loosely defined cyber law “offenders”, whose crimes could merely be sharing a Facebook post deemed a threat to the nation’s moral integrity or considered distorted information.</p>
<p>Rights groups such as iLaw and Thai Network of Netizens took to <a href="https://prachatai.com/journal/2016/12/69250">Twitter</a> and engaged with progressive online magazines to raise public awareness of the issue. They also worked with environmental activists who had already experienced local authorities’ abuse of the Computer Crime Act. </p>
<p>Meanwhile, the <a href="https://www.geocities.ws/f5lessonbasic/%7EOpSingleGateway/%7EDdos/">F5 Cyber Army</a> continued its attacks on government websites, providing manuals so ordinary citizens could wage cyberwar. And an online petition, which received more than <a href="https://coconuts.co/bangkok/news/thai-netizens-say-no-restrictive-computer-crime-act/">300,000 signatures</a>, was submitted to members of the National Legislative Assembly. </p>
<p>This time, though, popular discontent went unheeded. On December 16 2016, the revised Computer Crime Act <a href="https://www.thairath.co.th/content/812662">passed in the Assembly</a>.</p>
<h2>Cyber activism and political messages</h2>
<p>There are lessons to be learned from the very different outcomes of these two similar campaigns against internet regulation.</p>
<p>Opposition to the Single Gateway plan concentrated on its likelihood to slow internet speed. The consequences for the economy and everyday conveniences were obvious, even to apolitical citizens and junta sympathisers.</p>
<p>This was a critical breakthrough, because these are vulnerable policy areas for the junta. Thailand’s military leadership derives its legitimacy partly from <a href="https://www.socialeurope.eu/2014/08/vertigo-of-change/">Bangkok’s middle class</a>, whose livelihood and everyday convenience depend on the country’s continued economic growth and <a href="http://www.jstor.org/stable/10.1525/as.2003.43.2.253?seq=1#page_scan_tab_contents">global connection</a>. </p>
<p>The junta had more success in its second attempt to limit internet freedom by changing its framing of the issue. By invoking a law-and-order rationale, which has constituted the junta’s source of legitimacy since its <a href="http://tongil.snu.ac.kr/ajp_pdf/201706/AJP_Vol%205%20No%201_07_Janjira%20Sombatpoonsiri_final.pdf">seizure of power</a>, the government could argue that the impact of the proposed law would be finely honed: only “wrongdoers”, not regular netizens, would be punished.</p>
<p>This sleight of hand ultimately enabled the government to criminalise an array of online activities, handing privacy-rights advocates a major defeat. Next time the junta seeks to obfuscate its agenda with law-and-order rhetoric, Thai activists will be better prepared.</p>
<p class="fine-print"><em><span>Janjira Sombatpoonsiri does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Citizens and digital-rights advocates are pushing back against growing cyber repression in Thailand, where sharing the wrong Facebook post can land you in jail.Janjira Sombatpoonsiri, Assistant Professor, Thammasat UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/584762016-05-11T10:10:44Z2016-05-11T10:10:44ZAmerica is ‘dropping cyberbombs’ – but how do they work?<figure><img src="https://images.theconversation.com/files/121418/original/image-20160505-19844-aoq5sp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Inside the U.S. Army's Cyber Operations Center at Fort Gordon, Georgia.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/army-cyber/17871494565">Army-Cyber/flickr</a></span></figcaption></figure><p>Recently, United States Deputy Defense Secretary Robert Work publicly confirmed that the Pentagon’s Cyber Command was “<a href="http://www.nytimes.com/2016/04/25/us/politics/us-directs-cyberweapons-at-isis-for-first-time.html">dropping cyberbombs</a>,” taking its ongoing battle against the Islamic State group into the online world. Other American officials, <a href="https://www.whitehouse.gov/the-press-office/2016/04/13/statement-president-progress-fight-against-isil">including President Barack Obama</a>, have discussed offensive cyber activities, too.</p>
<p>The American public has only glimpsed the country’s alleged cyberattack abilities. In 2012 The New York Times revealed the first digital weapon, <a href="http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html">the Stuxnet attack</a> against Iran’s nuclear program. In 2013, former NSA contractor Edward Snowden released a <a href="http://www.theguardian.com/world/2013/jun/07/obama-china-targets-cyber-overseas">classified presidential directive</a> outlining America’s approach to conducting Internet-based warfare. </p>
<p>The terms “cyberbomb” and “cyberweapon” create a simplistic, if not also sensational, frame of reference for the public. Real military or intelligence cyber activities are less exaggerated but much more complex. The most basic types are off-the-shelf commercial products used by companies and security consultants to test system and network security. The most advanced are specialized proprietary systems made for exclusive – and often classified – use by the defense, intelligence and law enforcement communities.</p>
<p>So what exactly are these “cyberbombs” America is “dropping” in the Middle East? The country’s actual cyber capabilities are classified; we, as researchers, are limited by what has been made public. Monitoring books, reports, news events and congressional testimony is not enough to separate fact from fiction. However, we can analyze the underlying technologies and look at the global strategic considerations of those seeking to wage cyber warfare. That work allows us to offer ideas about cyber weapons and how they might be used.</p>
<h2>A collection of capabilities</h2>
<p>A “cyberbomb” is not a single weapon. Rather, cyberweapons are collections of computer hardware and software, with the knowledge of their potential uses against online threats. Although frequently used against Internet targets such as websites and forums, these tools can have real-world effects, too. Cyberattacks have <a href="https://foreignpolicy.com/2014/03/03/hack-attack/">disrupted cellphone networks</a> and <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">tricked computers controlling nuclear centrifuges</a> into functioning differently from how they report their status to human operators. A simulated attack has shown how an enemy can remotely <a href="https://www.schneier.com/blog/archives/2007/10/staged_attack_c.html">disrupt electric power generators</a>.</p>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=429&fit=crop&dpr=1 600w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=429&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=429&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=539&fit=crop&dpr=1 754w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=539&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/121420/original/image-20160505-13461-2vbxlg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=539&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Training military personnel on cyberwarfare tactics.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:US_Navy_070712-N-9758L-058_Matt_Inaki,_computer_network_defender_coach-trainer_of_SPAWAR_Systems_Center_San_Diego,_shows_how_to_monitor_the_activity_of_a_network_to_Air_Force_Staff_Sgt._Daryl_Graham_and_Information_Systems_Tech.jpg">MC3 Michael A. Lantron/U.S. Navy</a></span>
</figcaption>
</figure>
<p>The process of identifying potential targets, selecting them and planning “cyberbomb” attacks includes not only technological experts but military strategists, researchers, policy analysts, lawyers and others across the <a href="http://watson.brown.edu/costsofwar/files/cow/imce/papers/2011/The%20Military-Industrial%20Complex%20Revisited.pdf">military-industrial complex</a>. These groups constantly analyze technology to develop the latest cyber weapons and tactics. They also must ensure the use of a given “cyberbomb” aligns with national interests, and follows national and international laws and treaties.</p>
<p>For example, as part of their counterterrorism efforts, electronic intelligence services (such as the <a href="https://www.nsa.gov/">American NSA</a> and <a href="https://www.gchq.gov.uk/">British GCHQ</a>) routinely collect items like real names, user IDs, network addresses, Internet server names, online discussion histories and text messages from across the Internet. Gathering and analyzing these data could use both classified and unclassified methods. The agencies could also conduct <a href="http://www.hackersforcharity.org/ghdb/">advanced Google searches</a> or mine The Internet Archive’s <a href="https://archive.org/web/">Wayback Machine</a>. This information can be linked with other data to help identify physical locations of <a href="http://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz">target computers or people</a>. Analysts can also observe interconnections between people and infer the types and strengths of those relationships. </p>
<p>This information can clue intelligence analysts in to the existence of previously undiscovered potential Internet targets. These can include virtual meeting places, methods of secure communications, types of phones or computers favored by the enemy, preferred network providers or vulnerabilities in their IT infrastructures. In some cases, cyberattacks need to be coordinated with spies or covert agents who must carry out physical aspects of the plan, especially when the electronic target of a “cyberbomb” is hard to reach – such as the computers inside the Iranian nuclear facility targeted by the Stuxnet worm.</p>
<p>Cyberattack purposes can vary widely. Sometimes, a government entity wants to simply monitor activity on a specific computer system in hopes of gaining additional intelligence. Other times, the goal is to place a hidden “backdoor” allowing the agency to secretly take control of a system. In some cases, a target computer will be attacked with the intent of disabling it or preventing future use by adversaries. When considering that kind of activity, planners must decide whether it’s better to leave a site functional so future intelligence can be collected over the long term, or to shut it down and prevent an adversary from using it in the near term.</p>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=399&fit=crop&dpr=1 600w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=399&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=399&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=501&fit=crop&dpr=1 754w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=501&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/121421/original/image-20160505-25085-1m2yqk7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=501&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Integrating cyber warfare with boots on the ground.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/army-cyber/22224758158/in/photostream/">Army-Cyber/flickr</a></span>
</figcaption>
</figure>
<p>Although not strictly a “cyber” attack, “cyberbombing” also might entail the use of decades-old electronic warfare techniques that <a href="http://spectrum.ieee.org/aerospace/military/electromagnetic-warfare-is-here">broadcast</a> electromagnetic energy to (among other things) disrupt an adversary’s wireless communications capabilities or computer controls. Other “cyberbombing” techniques include modifying or creating false images on an enemy’s radar screens ahead of an air attack, such as <a href="https://www.wired.com/2007/10/how-israel-spoo/">how Israel compromised</a> Syria’s air defense systems in 2007. These may be done on their own or to support more traditional military operations.</p>
<p>Finally, using an electromagnetic pulse (EMP) weapon to disrupt and/or disable all electronic circuits over a wide area – such as a city – could be considered the “Mother of All Cyber Bombs.” As such, its effect would be felt both by enemy forces and local (likely) noncombatant citizens, all of whom suddenly would be unable to obtain fresh water and electricity, and find their local hospitals, banks and electronic items ranging from cars to coffee pots unable to function. Depending on the heat and blast from the bomb’s detonation, some people might not notice – though those dependent on electronic medical devices like pacemakers probably would feel effects immediately. EMP is commonly associated with nuclear weapons, but even using nonnuclear EMP devices in a populated area would presumably cause enough “collateral damage” that it would violate international laws.</p>
<h2>Fighting against nongovernment groups</h2>
<p>In addition to the above techniques, and particularly when fighting opponents that are not foreign governments – such as ISIS – a unique type of “cyberbombing” seeks to target the online personas of terror group leaders. In this type of attack, one goal may be to tarnish their online reputations, such as publishing <a href="http://www.nbcnews.com/feature/edward-snowden-interview/exclusive-snowden-docs-show-british-spies-used-sex-dirty-tricks-n23091">manipulated images</a> that would embarrass them. Or, cyber weaponry may be used to gain access to systems that could be used to <a href="http://www.slate.com/articles/news_and_politics/war_stories/2016/04/we_re_dropping_cyberbombs_on_isis_what_that_means.html">issue conflicting statements or incorrect orders to the enemy</a>.</p>
<p>These types of “cyberbombs” can create psychological damage and distress in terrorist networks and help disrupt them over time. The United Kingdom’s JTRIG (Joint Threat Research Intelligence Group) within GCHQ <a href="https://theintercept.com/2014/02/24/jtrig-manipulation/">specializes in these tactics</a>. Presumably similar capabilities exist in other countries.</p>
<h2>Making cyberwar public</h2>
<figure class="align-left ">
<img alt="" src="https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=750&fit=crop&dpr=1 600w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=750&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=750&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=943&fit=crop&dpr=1 754w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=943&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/121419/original/image-20160505-8704-p4kjv1.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=943&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Deputy Secretary of Defense Robert Work.</span>
<span class="attribution"><a class="source" href="http://www.defense.gov/About-DoD/Biographies/Biography-View/Article/602787/robert-o-work">U.S. Department of Defense</a></span>
</figcaption>
</figure>
<p>Until recently, few nations publicly admitted planning or even thinking about waging offensive warfare on the Internet. For those that do, the exact process of planning a digital warfare campaign remains a highly guarded military and diplomatic secret. </p>
<p>The only people announcing their cyberattacks were assorted <a href="https://theconversation.com/how-anonymous-hacked-donald-trump-56794">hacktivist groups such as Anonymous</a> and the self-proclaimed “<a href="http://arstechnica.com/information-technology/2016/04/as-us-drops-cyber-bombs-isis-retools-its-own-cyber-army/">Cyber-Caliphate</a>” supporting ISIS. By contrast, the most prominent cyber-attack waged by a nation-state (<a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">2011’s Stuxnet</a>) – allegedly attributed to the United States and Israel – was never officially acknowledged by those governments. </p>
<p>Cyber weapons and the policies governing their use likely will remain shrouded in secrecy. However, the recent public mentions of cyber warfare by national leaders suggest that these capabilities are, and will remain, prominent and evolving ways to support intelligence and military operations when needed.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career.</span></em></p><p class="fine-print"><em><span>Anupam Joshi receives or has received funding from a variety of federal and industrial sources for his research in cybersecurity such as NSF, DoD, NSA, NIST, MITRE, IBM, Northrop Grumman, Microsoft etc.
He is a member of the Maryland Cybersecurity Council.</span></em></p>
<p>The country’s actual offensive cyber capabilities remain shrouded in the classified world. But what is public is enough to discuss potential cyber weapons and how they might be used.</p>
<p>Richard Forno, Cybersecurity lecturer & internet researcher, University of Maryland, Baltimore County</p>
<p>Anupam Joshi, Professor, Department of Computer Science & Electrical Engineering, University of Maryland, Baltimore County</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/42447 2015-06-03T05:17:59Z 2015-06-03T05:17:59Z</p>
<h1>To avoid militarising the internet, cyberspace needs written rules agreed by all</h1>
<figure><img src="https://images.theconversation.com/files/83533/original/image-20150601-6960-i5z2vi.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">There need to be rules that govern what takes place in the cloud as there are for what occurs on the ground.</span> <span class="attribution"><a class="source" href="http://commons.wikimedia.org/wiki/File:Peacekeeper-missile-testing.jpg">David James Paquin</a></span></figcaption></figure>
<p>In the world of foreign affairs, there are written or unwritten rules – behavioural norms – under which states operate. But there is little, if any, comparable set of structures governing actions taken in cyberspace. As cyberspace becomes a larger and more important part of life, with the security implications that arise, this poses a problem.</p>
<p>The US government recently released its <a href="http://www.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf">strategy for cyberspace</a>, the fourth update since 2010. Britain did the same in <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf">2011</a> and again in 2013. The aim of the documents is to outline the consequences of foreign actions taken in cyberspace in order to provide a deterrent to their use. The problem is that, in order to promote an international norm that could be agreed upon, any global strategy should really be drawn up by a state that hasn’t already launched cyber-attacks.</p>
<p>For example, the US strategy document lists China, Russia, Iran, and North Korea as its prime digital enemies. The <a href="http://jpr.sagepub.com/content/51/3/347.full.pdf">research</a> that <a href="http://www.northeastern.edu/cssh/faculty/ryan-maness">Ryan C Maness</a> at Northeastern University and I undertook for <a href="http://ukcatalogue.oup.com/product/9780190204792.do">our book on cyberwarfare</a> found 20 attacks by China on the US from 2001-2011, three by Russia, one by Iran, and three by North Korea. After 2011, there have been Russian intrusions into the White House and Department of State, Iran’s attack on Saudi Arabia in 2012, and North Korea’s attack on Sony in 2014.</p>
<p>What is needed is a set of understood norms that specify the consequences of offensive actions taken in cyberspace. According to the US strategy, around 2% of the cyber attacks listed would <a href="http://www.nytimes.com/2015/04/24/us/politics/pentagon-announces-new-cyberwarfare-strategy.html">invite a military response</a> since they are of a significantly offensive nature, rather than merely inconveniences. Unfortunately, these statements alone would not be a deterrent. A military response may be an option for the US, but ultimately such threats are deemed empty without a demonstrated commitment to carry them out.</p>
<p>This is the classic nuclear dilemma covered so well in <a href="http://www.newyorker.com/news/news-desk/almost-everything-in-dr-strangelove-was-true">Dr Strangelove</a>. How could any nation be sure another would commit to retribution in a given situation? Consequences are not a sure thing – as Syria discovered with <a href="https://theconversation.com/obamas-red-line-gives-green-light-to-syrian-proxy-war-15209">the US’s moving “red line”</a> in relation to chemical weapons. Suggesting that the evidence was not at all definitive, the US declined to launch an attack because it could not be sure that the Syrian president, Bashar al-Assad, condoned the attacks.</p>
<p>Cyber attacks prompt even deeper questions, as attribution is very difficult – and, even then, knowing who is responsible is of limited value when launching a conventional strike. Just because certain actors within a country might be responsible for an attack does not mean that the nation should be held accountable and punished.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=733&fit=crop&dpr=1 600w, https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=733&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=733&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=921&fit=crop&dpr=1 754w, https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=921&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/83705/original/image-20150602-19259-1xz0dlp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=921&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Everybody needs rules of engagement.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/digitalgamemuseum/5947830908/in/photolist-4jEtjA-7D7PPY-HQZBa-4kjxVW-4jAA4C-dFRxY3-4Z2hKv-4koP1k-a4AbUL-iEVoAL-5Vxcn7-9aVuEv-oca6L-cvGJPA-7RBJx3-rub8fJ-pPDNbq-cvGK5Y-4ut5UT-9ySbYd-9ySdbu-9yPcvT-9ySdhQ-9ySdoS-9yPa52-edZStq-npn1x6-bRRzL4-5MYE1a-65p6Gq-6xd71G-duzj99-9yP8Ag-9yPcsD-9yS9Dh-9yPco8-9ySbcs-9yScTy-5BtoRH-5Btpre-eWYKgU-9VcE5Z-65FyNY-65Fvy7-6xd5i1">digitalgamemuseum</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>A proper global cybersecurity strategy would need to move beyond consequences and threats towards a greater consideration of norms that could provide a basis for a collective response to the violation of agreed rules. These could include the limitation of physical damage, an agreement that civilians and civilian infrastructure are off-limits, and a commitment to keep critical infrastructure such as power or water supply out of bounds in order to avoid the potential for humanitarian disasters.</p>
<p>But it’s tough for the US to call for military responses to cyber attacks when it is itself linked to nine such attacks between 2001 and 2011, including deploying the <a href="http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet malware</a> on Iran, the most advanced attack to date – not to mention all the revelations of the Snowden files. Other European nations can play a role here: with little connection to cyber-attacks, they could take a hand in outlining the future rules of the game without being hamstrung by obvious claims of hypocrisy and hidden agendas.</p>
<p>Cyberspace is the natural domain of research, education, social interaction and commerce. As far as is possible it needs to avoid militarisation. A just and proper strategy for cyberspace cannot be left to the aggressors or the victims to define – it is in the interest of all that every nation state contributes its voice.</p>
<p class="fine-print"><em><span>Brandon Valeriano does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>All interaction depends on rules, written or unwritten, to ensure a smooth ride. But in cyberspace there are none.</p>
<p>Brandon Valeriano, Senior Lecturer in Politics and Global Security, University of Glasgow</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/37902 2015-03-16T19:15:14Z 2015-03-16T19:15:14Z</p>
<h1>Cyber CSI: the challenges of digital forensics</h1>
<figure><img src="https://images.theconversation.com/files/74578/original/image-20150312-7144-18ltm1d.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Forensics is a very different business when it comes to technology.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/isherwoodchris/6912080969/in/photolist-bwNdRP-2hfLti-6DawT3-2XnEG-66Ktk3-7VNV7v-fA6sq9-5hTyYZ-nHfNuH-8FmrvY-4JX9-pyHCWo-55pJxp-jUjG4j-oHRusq-bvo5TK-fuwdri-cJWXWf-81qMNV-qpZTxJ-jdypb2-nvpta9-6ySKyQ-2AUWum-nwqgYP-oZPqhm-cLeN4b-bD3stx-qGpj6n-qEhm8E-bouBAJ-ofLef7-rhaBGD-qq9yy2-tucY2-fuwd7D-fuw6PT-jFx4cM-qq1Haj-qq88aR-qq9yEz-bq1X3o-9tmFNJ-dYPPLV-hQj94X-5xwmbv-5LrvNQ-9JLHuJ-fuwa9n-51D189">Chris Isherwood/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>Forensics is changing in the digital age, and the legal system is still catching up when it comes to properly employing digital evidence.</p>
<p>Broadly speaking, digital evidence is information found on a wide range of electronic devices that is useful in court because of its probative value. It’s like the digital equivalent of a fingerprint or a muddy boot. </p>
<p>However, digital evidence tendered in court often fails to meet the same high standards expected of more established forensics practices, particularly in ensuring the evidence is what it purports to be. </p>
<h2>Technology changes evidence</h2>
<p>This is not the first time that technology has impacted the way evidence is gathered and presented in courts. And it’s not the first time that there have been problems in the way new evidence is used.</p>
<p>You might remember the case of the death of <a href="http://adb.anu.edu.au/biography/chamberlain-azaria-chantel-9719">Azaria Chamberlain</a> at Ayers Rock (Uluru) more than 30 years ago. Forensics played a key role in the conviction of Lindy Chamberlain in 1982. However, her conviction was later reversed in 1988 following closer scrutiny of the evidence.</p>
<p>Subsequent <a href="https://theconversation.com/azaria-chamberlain-inquest-forget-the-dingo-jokes-and-recognise-lindys-trauma-7590">coronial inquests</a>, a court case featuring controversial DNA forensic evidence, and the subsequent <a href="http://www.nt.gov.au/justice/courtsupp/coroner/findings/other/chamberlain_3.pdf">Australian Royal Commission</a> into Azaria’s death, resulted in a fundamental reconsideration of Australian forensic practices.</p>
<p>There is still a vigorous debate in the legal world over the usage and reliability of <a href="https://theconversation.com/we-need-to-rethink-the-relationship-between-forensic-science-and-the-law-37141">DNA evidence</a>, for example. This is now being mirrored in more recent court challenges over the use of digital evidence. </p>
<p>The special properties and technical complexity of digital evidence often make it even more challenging, as courts find it difficult to understand the true nature and value of that evidence.</p>
<p>In fact, my first role as a digital forensics consultant is typically to act as an interpreter, explaining what the evidence means in a legal context. </p>
<h2>Cyber evidence</h2>
<p>It is increasingly common for criminal trials to rely on digital evidence. And, regrettably, it is not uncommon for innocents to be convicted and guilty people acquitted because of digital evidence.</p>
<p>There are several reasons for this. Firstly, the evidence might be compelling at first glance, but it could be misleading. The defendant may also have limited financial resources to rebut the evidence. The defence lawyers might also misread the evidence. Plea-bargaining offers can also lessen sentences. </p>
<p>Conversely, other investigations may not get to trial because of the complexity or incompleteness of the evidence.</p>
<p>Worryingly, some defendants are pleading guilty based on what appears to be overwhelming hearsay digital evidence without robust defence rebuttal. In these cases, the defence lawyer – whose job it is to analyse the evidence – may simply not understand it. This is why external digital forensics consultants can be so important.</p>
<p>However, the high cost of mounting a defence using forensic practitioners is often beyond the financial reach of many. For those qualified to receive <a href="https://theconversation.com/au/topics/legal-aid">legal aid</a>, it is increasingly hard to obtain sufficient funding because of stringent budgeting regimes in various Australian jurisdictions. </p>
<p>Other factors can affect the validity of the evidence, including: failure of the prosecution or a plaintiff to report exculpatory data; evidence taken out of context and misinterpreted; failure to identify relevant evidence; system and application processing errors; and so forth. </p>
<p>Investigators undertaking these important but tedious tasks are often under-resourced and over-burdened with complex cases and increasingly large and complex datasets.</p>
<p>Forensic analyses and evidence presentations are sometimes confounded by inexperienced investigators and communicators, which is further exacerbated by faulty case management.</p>
<p>Another problem is the paucity of reliable forensic tools and processes that meet the needs of investigators and the expectations of the courts. However, I also suspect some courts in Australia and elsewhere may be unaware of these undercurrents, or what standards they should expect of the evidence.</p>
<h2>Getting it right</h2>
<p>Digital forensics is still in its infancy, and it is more of an art form lacking broad scientific standards to support its use as evidence.</p>
<p>There is a call among researchers to test and trial better forensic practices and forensic tools. This is especially important due to the increasing size of data storage on some personal computing devices, let alone cloud and network storage, which presents greater recovery and jurisdictional challenges to practitioners.</p>
<p>We also need new tools and processes capable of locating and recovering sufficient evidence from larger data sets quickly, efficiently and thoroughly. Forensic tools are often commercial products, thus profit-driven rather than science-based, and do not fulfil real forensic needs. They increasingly fail to identify all evidence from larger datasets in a timely manner. The processes used by law enforcement tend to be agency-centric with little consensus on practice, standards and processes and sharing of case knowledge.</p>
<p><a href="https://theconversation.com/au/topics/cyber-insecurity">Cyber security threats</a> to governments, businesses and individuals highlight our vulnerability to malicious attacks on our information assets and networks. Prevention and threat mitigation is topical, but we often overlook the simple act of bringing miscreants to justice and proving the innocence of those framed by their actions. </p>
<p>There is an old adage in forensics (thanks to Arthur Conan Doyle’s fictional detective <a href="http://www.goodreads.com/quotes/124175-there-is-nothing-more-deceptive-than-an-obvious-fact">Sherlock Holmes</a>): “There is nothing more deceptive than an obvious fact.” This also applies to digital forensics, where I have all too often encountered cases of investigator bias and a laziness when seeking the truth. </p>
<p>Encouragingly, sounder tools and processes are emerging that I expect will rejuvenate this emerging discipline.</p>
<p class="fine-print"><em><span>Richard Boddington works for Xtremeforensics (<a href="http://xtremeforensics.com/">http://xtremeforensics.com/</a>) and consults to TSW Analytical P/L (<a href="http://www.tswanalytical.com.au/home.html">http://www.tswanalytical.com.au/home.html</a>).</span></em></p>
<p>Forensics is changing in the digital age, and the legal system is still catching up in terms of how it uses digital evidence.</p>
<p>Richard Boddington, PhD student in computer science, Murdoch University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/32977 2014-10-21T05:30:03Z 2014-10-21T05:30:03Z</p>
<h1>Cyber-espionage is more difficult to pin to a state than spying in the physical world</h1>
<figure><img src="https://images.theconversation.com/files/62100/original/dkwtfn6p-1413557966.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The internet has brought us all closer together... unfortunately.</span> <span class="attribution"><span class="source">GlebStock/Shutterstock</span></span></figcaption></figure>
<p>Who’s in your network, checking out your data? The latest invasive digital creature is <a href="http://www.computing.co.uk/ctg/news/2375547/suspected-russian-hackers-use-microsoft-zero-day-exploit-to-target-nato-ukraine-and-others">Sandworm</a>, a piece of malware discovered to be using a previously unknown Windows vulnerability to infiltrate government networks, spying on systems at NATO, the European Union, the Ukrainian government and others.</p>
<p>In recent years a number of such attacks have been about espionage: <a href="http://breakingdefense.com/2013/06/top-official-admits-f-35-stealth-fighter-secrets-stolen/">stealing sensitive information</a>, or <a href="http://www.theguardian.com/technology/2013/mar/22/south-korea-cyber-attack">disrupting the critical infrastructure</a> that nations depend on. Making use of sophisticated techniques and <a href="http://arstechnica.com/security/2012/10/zero-day-attacks-are-meaner-and-more-plentiful-than-thought/">zero-day exploits</a> (security vulnerabilities that have not been publicly announced), they are the result of considerable skills and resources. </p>
<p>With targets more political than commercial or criminal in nature, the suspicion is that, due to their deliberate and persistent pursuit of goals aligned with national interests, the attacks have state sponsors.</p>
<p>This is a worrying trend. Cyber-attacks can be launched with relatively little software, hardware and skills, but can have an enormous impact in terms of <a href="http://www.computerweekly.com/news/2240201357/Survey-reveals-true-global-cost-of-cyber-attacks">cost and disruption</a>. As global networks <a href="http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/VNI_Hyperconnectivity_WP.html">grow</a> in terms of traffic, speed and reach, the situation is only going to get worse. </p>
<p>One serious problem is the difficulty in attributing with any confidence a particular attack to its nation of origin. The internet’s technical architecture was built to provide open connectivity, not accountability.</p>
<p>This is complicated by how <a href="http://harvardnsj.org/2011/03/untangling-attribution-2/">multi-stage attacks</a>, which most modern cyber-attacks are, make it near-impossible to assert any reliable attribution. These operations are set up so that the attacker first compromises a third party’s computer in order to use it as a proxy platform to launch an attack on the final target. </p>
<p>There may be several such machines, each used to compromise another, creating a complex web of connections that obscure the attack’s origin. This chain can be sustained in order to allow data to be extracted from the target and brought back, undercover, to the attacker.</p>
<h2>Pointing the finger</h2>
<p>Some nations including Russia, China, and Israel are thought to maintain cyber-warfare teams and carry out state-sponsored attacks. For example, the security research firm Mandiant recently identified a suspected Chinese military cyberwarfare team, <a href="https://www.mandiant.com/news/release/mandiant-releases-report-exposing-one-of-chinas-cyber-espionage-groups/">Unit 61398</a>, down to the location of its building. This led the US government to <a href="http://www.reuters.com/article/2014/05/20/us-cybercrime-usa-china-unit-idUSBREA4J08M20140520">file criminal charges</a> for hacking against five named Chinese military officers.</p>
<p>Attributing cyber-attacks follows the principle of <a href="https://www.rusi.org/publications/journal/ref:A520B51198E962/#.VEBQjfmzEvw">sophistication</a>, examining the level of skills and resources required to pull off the attack. The use of zero-day exploits, for example, demonstrates considerable time and effort has gone into testing for an unknown vulnerability against which the target will have little protection. This is not likely to be something a bedroom hacker could achieve. </p>
<p>Attacks that are persistent, trying to overcome defences rather than looking elsewhere for easier targets, are also a sign of possible state backing. This is especially so when the aim is to steal sensitive information – such as the details of the <a href="http://www.dailymail.co.uk/news/article-2323067/Chinese-hackers-caught-trying-steal-secrets-new-stealth-fighter-tens-thousands-cyber-attacks-launched-jet-manufacturer-week.html">US F-35 stealth fighter</a> apparently lost to Chinese cyber-espionage – rather than just financial gain.</p>
<p>In the case of <a href="http://www.isightpartners.com/2014/10/cve-2014-4114/">Sandworm</a> the context of the conflict in Ukraine is a further giveaway, judging by the military and political organisations targeted and the intelligence-related documents sought. </p>
<h2>Signals in the noise</h2>
<p>The characteristics of internet traffic make its attribution more difficult still. The rising volume of <a href="http://dl.acm.org/citation.cfm?id=1028794">non-productive traffic</a>, such as network scanning, worms, traffic resulting from misconfigured routers or systems, and web indexing crawlers such as <a href="https://support.google.com/webmasters/answer/182072">Googlebot</a>, creates background noise.</p>
<p>The problem is that this background noise may also resemble genuine malicious attacks – in fact, it’s difficult to determine what is accidental and what is deliberate. This leaves a great number of false positives recorded in firewall logs, which only makes pinpointing genuine attacks harder.</p>
<p>At the political level, any accusation of state-sponsored hacking needs to be backed up with proof. More often than not, however, the proxy launch pads for most multi-stage attacks are based in non-hostile states. The <a href="http://www.ccdcoe.org/tallinn-manual.html">Tallinn Manual</a>, the most comprehensive legal cyberwarfare rulebook, states that those on the receiving end of any cyber-attack can only respond by applying the “unwilling or unable” test. This is an underlying principle of international law which asserts that retaliation against an intermediary state used by an enemy to launch an attack is only permissible if the intermediary is either unwilling or unable to prevent the aggressor responsible from doing so.</p>
<p>Perhaps the greatest difficulty posed by any retaliatory cyber-attack is the geopolitics of the day. Political alliances, intelligence sharing, legal and ethical considerations, and potential sensitivity of offensive operations, all make it very difficult for nation states to launch such operations. The result is that the sort of public accusations of cyber attacks seen in the press and meant as a tool of deterrence are almost entirely useless – as can be seen in Russia and China’s frequent and easy denials.</p>
<p class="fine-print"><em><span>Siraj Ahmed Shaikh does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Who’s in your network, checking out your data? The latest invasive digital creature is Sandworm, a piece of malware discovered to be using a previously unknown Windows vulnerability to infiltrate government…</p>
<p>Siraj Ahmed Shaikh, Reader in Cyber Security, Coventry University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/30734 2014-08-21T05:23:01Z 2014-08-21T05:23:01Z</p>
<h1>Ready, aim, click: we need new laws to govern cyberwarfare</h1>
<figure><img src="https://images.theconversation.com/files/56939/original/smdn23mv-1408551549.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Mouses not guns, a future view of the battlefield.</span> <span class="attribution"><a class="source" href="http://commons.wikimedia.org/wiki/File:Monitoring_a_simulated_test_at_Central_Control_Facility_at_Eglin_Air_Force_Base_(080416-F-5297K-101).jpg">Carrie Kessler/USAF</a></span></figcaption></figure>
<p>President Bush is <a href="http://www.snopes.com/rumors/bush.asp">reported</a> to have said: “When I take action, I’m not going to fire a US$2m missile at a US$10 empty tent and hit a camel in the butt. It’s going to be decisive.” As the quote suggests, when it comes to national defence, enemies are unlikely to be deterred by an army of three, a leaky canoe and a fleet of second-hand microlights. In times of war we usually expect a powerful, graphic display of military might.</p>
<p>Nations may feel reassured that the sheer scale and sophistication of their armed forces will be enough to deter any potential threat, with would-be attackers put off by the mere prospect of retaliation. But what if decisive action can be conducted without armed forces, without firing a single bullet, but by simply pressing “enter”? </p>
<p>This is the promise of cyber-warfare, where the hostile use of software against a state’s critical infrastructure such as energy and transport networks, financial markets, hospitals, can have immediate and devastating effects. The tools of cyber-warfare could be acquired with relative ease by new belligerent nations who were hitherto considered unthreatening by virtue of their lack of conventional forces. Belligerents may not even be nations, but <a href="http://www.bbc.co.uk/news/world-middle-east-22287326">unaffiliated hackers</a> driven by a common political, religious or economic ideology, who can quickly form, strike and disperse using the anonymity of the internet to hide their tracks. </p>
<p>Nations have had to take the threat of cyber-warfare seriously. Several significant military powers have now <a href="http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf">publicly declared policies</a> on cyber-warfare, and the topic has dominated diplomatic exchanges at the highest level. Perhaps the most poignant acknowledgement of cyber-warfare as a serious issue comes from its inclusion as a topic of importance in the <a href="http://www.icrc.org/eng/resources/documents/report/31-international-conference-ihl-challenges-report-2011-10-31.htm">2011 Report of the International Red Cross on International Humanitarian Law</a> and the challenges of contemporary armed conflicts. </p>
<p>The growing recognition of cyber-warfare as a topic of legal concern is of great importance, particularly for international law, which, among other things, sets out a framework for the legally permissible use of force. <a href="http://www.icrc.org/eng/war-and-law/">International Humanitarian Law</a> (also known as the Law of Armed Conflict) is the part of international law which tries to ensure that if there is armed conflict, it is conducted in as humane and restrained a manner as possible. </p>
<p>Determining how legal rules apply to cyber-warfare is obviously important. States will want to know whether cyber-offensives will come under the rules of international law, what limits may be applied and what action can be taken in response within the law. If a cyber-war is unavoidable, then states will also want to know what rules apply to the actual conduct of such war, for example in determining what targets are permissible, how rules on neutrality apply, and what kinds of cyber-weapons are permissible. </p>
<p>However, there is a lack of clarity on how international law applies to cyber-warfare. International law has evolved over time and is heavily influenced by traditional concepts of conventional armed warfare between clearly defined nation states. Cyber-warfare is so new it is not specifically addressed in any treaties. It is difficult enough to reach an agreement on international matters at the best of times, especially in dealing with conflicts. This difficulty will undoubtedly apply to cyber-warfare too. </p>
<p>In light of this considerable uncertainty, a <a href="http://www.security-centre.lancs.ac.uk/events/workshops/workshop_tallinn_manual.php">recent report</a> for <a href="http://www.security-centre.lancs.ac.uk/">Security Lancaster</a> outlines an agenda for future legal research on cyber-warfare. This calls for a reconsideration of whether international law is a useful framework. For example, international law focuses heavily on states, but are future cyber-attacks likely to come from states themselves? How should cyber-hostilities initiated by federated or balkanised hacker groups with no clear state affiliation be legally categorised? Would we be better off starting to construct a legal framework from scratch as opposed to one built around outdated concepts that no longer reflect the current military realities?</p>
<p>It should be acknowledged that not all share the view that cyber-warfare is a significant or worrying prospect. Its detractors point out that it has been responsible for no human casualties to date, and no hostile cyber-incident has as yet been treated as an act of war or openly admitted to by a state. But this ought not to deter us from taking the issue seriously, and to start thinking about an acceptable – and perhaps more importantly, workable – legal framework to cover the resort to and conduct of cyber-warfare.</p>
<p>We would do well to recall that another world leader, Winston Churchill, was widely derided at the time for forecasting the onset of World War II, and remember that if the lessons of history are not learned they are destined to be repeated. If World War III promises to be digital, we must be as prepared as we can be.</p>
<p class="fine-print"><em><span>Dr Bela Bonita Chatterjee is a lecturer in law at Lancaster University. She is also a member of the Royal British Legion, the UK's leading armed forces charity. </span></em></p>
<p>Bela Bonita Chatterjee, Lecturer in Law, Lancaster University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>UK trails European neighbours on cyber-security</h1>
<p>Published 2014-01-13T06:11:10Z</p>
<figure><img src="https://images.theconversation.com/files/38852/original/v59wfk5t-1389370557.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyber-security takes more than cautious laptop ownership.</span> <span class="attribution"><span class="source">sridgway</span></span></figcaption></figure><p>To my amazement, the latest <a href="http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf">Eurobarometer survey</a> on Cyber Security across Europe received very little attention in the UK, despite its quite revealing findings.</p>
<p>The report shows in no uncertain terms that, notwithstanding what politicians like Francis Maude MP <a href="http://news.sky.com/story/1181481/cybercrime-strategy-has-made-uk-secure">say</a>, the UK is doing quite poorly in comparison to our neighbours. Much more needs to be done to meet the cyber security standards of countries like Denmark, the Netherlands, France or Germany. </p>
<p>The Eurobarometer findings might come as a shock to ingenuous readers of a recent <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/265384/Progress_Against_the_Objectives_of_the_National_Cyber_Security_Strategy_December_2013.pdf">Cabinet Office report</a> announcing that two years after launching the national strategy, it has resulted in “making the UK one of the most secure places in the world to do business in cyberspace”. This seems to be quite an overstatement, as the report shows the UK is in fact the worst place in Europe in a number of crucial areas, and there was no sign of improvement in the 12 months since the last survey, even with heavily publicised government <a href="http://www.businesscloud.co.uk/tech-talk/government-invests-extra-pound260m-into-uk-cyber-security">investment in cyber security.</a></p>
<h2>A failing strategy</h2>
<p>One of the most notable areas in which the UK is trailing its neighbours is identity theft. The barometer reveals that 11% of UK citizens have been a victim of this type of crime, the highest rate in Europe, where the average among member states is just 6%.</p>
<p>UK citizens are also the most likely to suffer the consequences of online banking fraud. Only 3% of Germans experience this crime, while 16% of UK citizens were affected. The EU average here is 7%. </p>
<p>Another sore point is online fraud. A total of 16% of the surveyed UK citizens (again the worst rate in Europe) have experienced fraud of this kind, whereas the EU average is 10%. </p>
<p>The UK also performs badly in email account hacking, given that 19% have fallen prey to it (surprise, surprise, the worst figure again across the 27 European countries), where the EU average is 12%.</p>
<p>These are all quite troubling findings, and make for an unequivocal assessment of a cyber security strategy that is, to put it mildly, not working.</p>
<h2>Plugged-in individuals</h2>
<p>If the record for suffering from a variety of cyber crimes is shamefully high in the UK - compared with countries like Germany, Denmark, the Netherlands or even France - it is certainly not UK citizens who are to blame. </p>
<p>The barometer shows that 63% of individuals changed their online services password in the past year, placing us in a creditable 4th position in Europe.</p>
<p>UK citizens also have a praiseworthy record for changing their passwords for social media accounts and shopping websites. The survey discovered that 36% had done the former in the past 12 months, and 27% had done the latter. An impressive 60% of UK people said they felt informed about cyber crime, and 48% were concerned about online payments. </p>
<h2>Putting the law on the side of the citizen</h2>
<p>So why has the UK performed so badly on cyber security? The figures don’t admit any trivial explanation. Its shortcomings can be attributable to a complex combination of multiple factors including poor governmental policies, a lack of access to cyber security education, and weak laws for data processing that favour banks and large companies rather than the rights of individuals.</p>
<p>We have, for example, recently witnessed a worrying increase in the number of cases where banks have not returned customers’ money <a href="http://www.thisismoney.co.uk/money/saving/article-2442642/Small-business-attacked-online-crooks--NatWest-wont-refund.html">stolen online</a>. They will conveniently accuse the customers of negligence or fraud. For the banks, which can fall back on their own legal teams, this is the easiest and cheapest solution for addressing the problem of sophisticated attacks against their customers. Clients are left with almost no options to fight this cynical but profitable approach. Only new laws can stop this abuse. Laws to protect customers in these and similar cases would additionally force banks <a href="http://theconversation.com/ancient-it-makes-a-banking-meltdown-inevitable-21866">to seriously invest in IT</a> to curb losses, which, in turn, would improve overall security. If these laws are not introduced, banks will have no motivation at all to invest in extra security, and customers will continue to pay for balance discrepancies. This is clearly an open avenue for abusive behaviour, and we will in all likelihood see more of it in the near future if nothing is done.</p>
<p>We can unquestionably improve security by passing laws that force banks and other private companies to invest more extensively in security products and technology. They could be required to take responsibility for at least some of the losses, or pay more hefty fines in case of a mishap. But these companies are the main beneficiaries of the status quo, so this won’t happen, or not at the needed pace.</p>
<p>So perhaps we should turn to citizens once again. Over the past few years, Massively Open Online Courses have started to offer individuals the chance to improve their understanding of all kinds of subjects. MOOCs aimed at informing people on how to protect themselves online could raise awareness and contribute to even better cyber security practices. In a rare example of wisdom, it seems this is currently being done with NCSP funding and the cooperation of the Open University. It is expected to run for the first time in the summer. Other good governmental initiatives are the development of cyber security modules at GCSE and A-level, of a cyber security Higher Apprenticeship scheme, and some awareness campaigns. </p>
<h2>The Future</h2>
<p>The survey, which involved 1,314 UK citizens, was carried out between May and June last year. Any later and perhaps we might have found quite different results, given the impact of the revelations by Edward Snowden about the extent to which the US government spies on people around the world. </p>
<p>I hope the next Eurobarometer will attract more attention from the media, and will be acknowledged by our politicians. I expect cyber security funding to be better accounted for in the future, in order to evaluate whether we are making the right investments, and external inputs like the Eurobarometer and <a href="http://www.cybersec.kent.ac.uk/Survey1.pdf">others</a> to be taken more seriously. </p>
<p>What I don’t expect anytime soon, for a variety of reasons highlighted before, are better UK results.</p>
<p class="fine-print"><em><span>Julio Hernandez-Castro does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Julio Hernandez-Castro, Lecturer in Computer Security, University of Kent. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Anonymity will be the next victim of internet censorship</h1>
<p>Published 2013-12-20T15:25:59Z</p>
<figure><img src="https://images.theconversation.com/files/38375/original/y9fg7k8h-1387551032.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The dark web is under threat.</span> <span class="attribution"><span class="source">Fir0002</span></span></figcaption></figure><p>The worrying developments in UK internet freedom over the last year make predictions for 2014 gloomy to say the least. Censorship now affects us all, so we should be thinking about it. And it’s not politically driven censorship we should be most afraid of.</p>
<p>This year has been characterised by tension between the UK government’s use of terrorism laws and free speech and, more recently, by <a href="http://www.bbc.co.uk/news/uk-25430582">concern</a> over the <a href="http://mccullagh.org/misc/articles/cwd.keys.to.the.kingdcom.1996.txt">unavoidable over-blocking</a> of content in the name of protection. Yet there are greater threats to our internet freedom than the heavy hand of the government.</p>
<h2>Oversight versus interference</h2>
<p>Both the government and internet service providers have abdicated responsibility for the quality control of the security filters being put in place in a bid to prevent children from accessing pornographic content at home.</p>
<p>ISPs such as <a href="https://www.openrightsgroup.org/blog/2013/bt-filters-reply">BT</a> and <a href="https://www.openrightsgroup.org/blog/2013/skys-reply-to-org-on-default-internet-filters">Sky</a> have delegated the task of deciding what to block to third party companies. For <a href="http://politics.co.uk/comment-analysis/2013/12/19/comment-three-embarrassing-truths-about-david-cameron-s-porn">accountability</a> and <a href="https://www.openrightsgroup.org/blog/2013/ukccis-overblocking">oversight</a> that is bad news but in terms of possible political interference it is actually good.</p>
<h2>Why censorship?</h2>
<p>There have been three main drivers for internet censorship. One is child abuse imagery, the banning of which is in line with the general population’s views. Websites containing child porn can be taken down, for example through the Internet Watch Foundation, and, since November, <a href="https://theconversation.com/blocks-just-move-child-porn-under-the-counter-20531">search engines have returned warnings and reduced results</a> when certain terms have been searched for. Although porn in general is not illegal, the ISPs’ filters will have an impact on the blocking of child abuse by negatively affecting the distribution of borderline illegal material. </p>
<p>The second driver is combating extremism. It is still unclear how censorship will be applied here, but <a href="https://theconversation.com/blocking-extremist-sites-is-not-the-same-as-fighting-child-porn-20930">classification is highly problematic</a>. No clear public mandate exists for this censorship, nor are links with legislation on issues such as hate speech or proscription of organisations made explicit. In <a href="http://bt.custhelp.com/app/answers/detail/a_id/46768/kw/parental%20filter/c/346,6679,6680#settingup">its filters</a>, BT does not have an “extremism” category, although some content may fall within its “weapons and violence” or “hate” labels.</p>
<p>The final category is media organisations aiming to protect their copyright. The <a href="http://www.legislation.gov.uk/ukpga/2010/24/contents">2010 Digital Economy Act</a> allows for ISPs to apply sanctions (such as bandwidth restriction and disconnection) to users who have downloaded copyrighted material. ISPs have also been forced to block file sharing websites, such as <a href="http://www.bbc.co.uk/news/technology-17894176">The Pirate Bay</a> and BT includes the practice in its filtering. But file sharing isn’t always illegal and even when it is, public opinion is divided about whether or not it is acceptable. The heavy-handed measures that can be taken show the impact of the commercial interests in this domain.</p>
<h2>Mission creep</h2>
<p>It’s important to note that <a href="http://bt.custhelp.com/app/answers/detail/a_id/46768/kw/parental%20filter/c/346,6679,6680#settingup">BT is filtering in 14 categories</a>, even though David Cameron promised nothing broader than “porn” filters. The generous explanation for this is that the third party providers being used by ISPs already had a range of filtering options in place for parental controls or use in schools, for example filtering against high bandwidth activities like file sharing and media streaming.</p>
<p>More worryingly though, it <a href="http://www.theregister.co.uk/2013/12/17/bt_parental_controls_will_block_proxies_and_anonymiser_sites/">has been reported</a>
that the BT filters also restrict access to sites promoting the use of proxies. This is where the next battle over internet censorship will be fought. Restricting the technological means through which internet users can obscure their IP addresses, obtain some anonymity, and hide the content they are accessing from others is the next big target.</p>
<p>Again, the excuse may be that the third party providers already have this built into their products for good reasons. In the context of school web filters, for example, circumvention of filters needs to be prevented. </p>
<p>But it looks like these measures could well be broadened. The IWF and the Child Exploitation and Online Protection Centre have been
<a href="http://www.theguardian.com/technology/2013/nov/18/online-child-abuse-peer-to-peer">asked to investigate child abuse imagery in the “Dark Web”</a>. The only predictable, and sensible, recommendation for reducing child porn to come out of this will be to restrict access to the Dark Web. And that has to be done by restricting a user’s ability to disguise their activities. </p>
<h2>Media companies and the TTIP</h2>
<p>This by itself will not cause the UK government to restrict access to Tor, VPNs, or proxies in general. However, the media copyright lobby will want to make this happen because peer-to-peer networks, content indexed through torrent sites, possibly using some form of anonymous routing along the way, carry the majority of the “illegal” file sharing load.</p>
<p>Media companies stand to gain significant powers, possibly trumping national legislation, through trade agreements such as <a href="http://www.techdirt.com/articles/20131219/05544825628/actas-back-european-commission-reveals-plans-to-put-corporate-christmas-list-ip-demands-into-taftattip.shtml">TTIP</a>. Using these, they will want to close off all avenues of illegal file sharing, and they are unlikely to care about collateral damage to internet privacy. Thus, we have to worry about restrictions on the use of Tor anonymous routing, VPNs, proxies, and any other ways that allow us to be more anonymous and protected on the internet.</p>
<p>This prediction then brings together the two big internet freedom storylines of the last six months. The government’s desire for quick internet censorship solutions will end up impeding our capacity to defend ourselves against overzealous surveillance from intelligence services and tech companies.</p>
<h2>The Tor fightback</h2>
<p>The good news is that Tor traffic has <a href="http://www.youtube.com/watch?v=GwMr8Xl7JMQ">proved hard to detect and shut down</a>. Many countries have tried and failed. Security companies claiming to have the required technology typically are only able to block older versions.</p>
<p>These days, Tor connections look like normal secure web traffic. Currently only China systematically and openly blocks Tor (with its Great Firewall) for long periods of time. They do this by blocking the eight “directory authorities” that form the entry point to Tor, in combination with Deep Packet Inspection. In response, the Tor project continually develops new camouflage methods, and also <a href="https://ooni.torproject.org/">very promising tools for detecting internet censorship</a>. It is very sad that we may be using this tool sometime soon in the UK, and that Russia and Japan have been reported to be considering blocking Tor. All is not lost, but we should be on our guard.</p>
<p class="fine-print"><em><span>Eerke Boiten is a senior lecturer in the School of Computing at the University of Kent, and Director of the University's interdisciplinary Centre for Cyber Security Research. He receives funding from EPSRC for the CryptoForma Network of Excellence on Cryptography and Formal Methods. </span></em></p><p class="fine-print"><em><span>Julio Hernandez-Castro does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Eerke Boiten, Senior Lecturer, School of Computing and Director of Interdisciplinary Cyber Security Centre, University of Kent. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Nations can no longer afford to go it alone on cyber-security</h1>
<p>Published 2013-11-01T14:42:48Z</p>
<figure><img src="https://images.theconversation.com/files/34238/original/cfptb4b6-1383312390.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyber-crime knows no borders and nor should our defences.</span> <span class="attribution"><span class="source">dirkb86</span></span></figcaption></figure><p>Senior representatives from more than 90 governments met in Seoul recently to discuss cyber-space, including cyber-security and cyber-crime. It was the third in a series of international conferences that has followed a push from the UK government to bring a more international perspective to discussions about how to keep cyber-space open while addressing threats.</p>
<p>Cyber-crime does not operate in a world confined by national borders so an international response is our only option. We need to cooperate to protect devices and information infrastructures from malicious entities seeking to steal secrets, deny access to critical services and exploit our identities to commit crimes.</p>
<h2>Vulnerable businesses</h2>
<p>There is much work to be done. Weaknesses in infrastructures, policy and operations leave us vulnerable, and threats to businesses and individuals are frequent and damaging. For example, a sophisticated piece of malicious software recently infected a PC at a small <a href="http://www.bbc.co.uk/programmes/p01k8s1x">British bakery</a>, then managed to bypass all of the business’s online banking security software and steal £20,000. There is no end to the news of malware, viruses and spam that affect online accounts and home computers.</p>
<p>Recent <a href="http://www.ft.com/cms/s/0/b41a861a-e166-11e2-b796-00144feabdc0.html#axzz2jOhCGFu6">research</a> indicates that four in five of the UK’s largest quoted companies are unprepared for cyber attacks. The widely reported threats to systems within finance and banking are an uneasy reminder of our vulnerability – and a key priority of the Bank of England and other financial regulators. Even those companies that you might expect to see outsmarting cyber-criminals are not immune. Just a few weeks ago software company Adobe admitted that its system had been hacked and that data from nearly 3 million customers had been stolen. Now there are <a href="http://blogs.telegraph.co.uk/technology/willardfoxton2/100011227/ransomware-the-virus-stalking-tech-city/">reports</a> of ransomware attacks across companies in East London’s hi-tech cluster of businesses.</p>
<p>Currently, too many decisions relating to cyber-security rely on inadequate evidence, inconsistent data, deficient reporting and varying rules across networks and systems. This inconsistency in data is apparent within the UK government. Two years ago the UK Cabinet Office published a <a href="https://www.gov.uk/government/publications/the-cost-of-cyber-crime-joint-government-and-industry-report">study</a> by Detica, which estimated that cyber-crime costs the UK economy £27bn per year. It gave a breakdown by business sector and type of crime. This type of data is critical for governments, businesses and technology companies to plan appropriate security responses. However, a <a href="http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf">2012 study</a> undertaken by Professor Ross Anderson and colleagues for the Ministry of Defence calculated that a more realistic estimate would be closer to £12bn, distributed in significantly different ways to the Detica claims. This would suggest a different pattern of appropriate responses.</p>
<h2>Defence beyond borders</h2>
<p>A report to which I contributed, <a href="http://www.oxfordmartin.ox.ac.uk/downloads/commission/Oxford_Martin_Now_for_the_Long_Term.pdf">Now for the Long Term</a>, calls for the creation of an information exchange - CyberEx - to start tackling these issues. It could be funded by governments and businesses with an interest in collecting and analysing data on cyber-attacks to inform their own decisions about cyber-security. Each could share their own information and coordinate with others on responses to international threats. CyberEx could identify weaknesses in the global system, flag up suspicious Internet traffic and malicious software and help countries and businesses develop technical standards for their cyber-security efforts.</p>
<p>It could seek to minimise common vulnerabilities that enable the theft of sensitive information and the distribution of spam through systems, and work closely with international and domestic agencies to prevent common system attacks. The platform could also provide a useful mechanism for stakeholders to work together on responses to collective concerns, such as privacy protection. By providing an accessible, open platform for information exchange, CyberEx could help governments, businesses and individuals to better understand common threat patterns, identify preventative measures and minimise future attacks.</p>
<p>But you are only as strong as your weakest link, so CyberEx would also need to help developing countries improve their cyber infrastructure. For example, Professor Anderson’s MoD study concluded that significant numbers of “stranded traveller” scams and Advance Fee Frauds originate in West Africa, particularly Nigeria.</p>
<p>We are at the start of conversations with interested parties on the potential for CyberEx, so the details of how and where the exchange would be hosted are still to be worked out. The report’s recommendation is a starting point but it is an important one. It could move us closer to using an exchange platform to counter common but high-risk cyber threats. It is a conversation that must continue if we are to meet the challenges posed by increased societal dependence on information infrastructures.</p>
<p class="fine-print"><em><span>Ian Brown receives funding from the UK Research Councils (currently EPSRC), the European Commission, and BT. He is on the advisory councils of the Open Rights Group, Privacy International and the Foundation for Information Policy Research.</span></em></p>
<p>Ian Brown, Oxford Martin Fellow, The Global Cyber Security Capacity Centre, University of Oxford. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Minor irritant or real threat? Time to decide what a troll is</h1>
<p>Published 2013-08-02T05:44:14Z</p>
<figure><img src="https://images.theconversation.com/files/28456/original/qp8dvxmp-1375291849.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Know your enemy: trolls come in many shapes and sizes</span> <span class="attribution"><span class="source">Dunechaser</span></span></figcaption></figure><p>Somewhere around 2010, the concept of trolling arrived in the national consciousness with a flurry of news stories: the hateful tweet <a href="http://www.telegraph.co.uk/sport/olympics/diving/9442445/Hunt-for-Tom-Daley-Twitter-troll-seaside-police-raid-nets-suspect-17.html">Tom Daley</a> received about his father during the Olympics; the defacement of <a href="http://www.bbc.co.uk/news/uk-england-manchester-11650593">Jade Goody’s</a> memorial site; the harassment and death threats sent to <a href="http://www.guardian.co.uk/uk/2012/jun/11/louise-mensch-troll-sentenced-email">Louise Mensch</a> and <a href="http://www.thesundaytimes.co.uk/sto/news/uk_news/Society/article1062544.ece">Nadine Dorries</a>; and most recently, the torrent of rape and sexual assault threats <a
href="http://www.independent.co.uk/voices/comment/trolls-caroline-criadoperez-and-how-to-tackle-the-dark-side-of-twitter-8735415.html">Caroline Criado-Perez</a> received, just for campaigning to have Jane Austen put on a banknote.</p>
<p>Some trolling targets have started to disregard the <a href="http://www.urbandictionary.com/define.php?term=DNFTT">Do Not Feed The Troll</a> mantra by variously retweeting offensive messages, or by turning the tables on the trolls and making sport of them. In 2012, TV host Jimmy Kimmel ran a four-part <a href="http://www.youtube.com/watch?v=RRBoPveyETc">Celebrities Read Mean Tweets series</a> which has been watched over 40m times, and comedian Isabel Faye created a catchy, <a href="http://www.youtube.com/watch?v=uz2jbCJXkpA">all-singing tribute</a> to her trolls.</p>
<p>But when we look over these examples and more besides, a striking issue presents itself. This so-called trolling ranges from school-playground insults right through to sustained threats of extreme violence. A wide spectrum of behaviour is being described under the same banner. Some trolls can be laughed off but others cause real hurt. This begs the question: what does the word troll even mean? By using one word to describe all kinds of internet harassment, have we artificially inflated it beyond all useful limits?</p>
<p>The lack of an answer has crucial consequences. Take, for instance, the grim subject of rape. Most of us probably think that we have a good idea of what this word means, and yet there have been cases, such as that of <a href="http://www.salon.com/2013/01/26/when_the_law_wont_call_it_rape/">Lydia Cuomo</a>, where the very definition of rape was so effectively disputed that her attacker was found innocent of the rape charge against him, even though he was found guilty of other horrific sexual offences. The case clearly shows that definitions are of vital importance, since they can effectively determine whether an individual’s actions can even be considered criminal, let alone come to trial.</p>
<p>The fundamental problem is that while many individuals think they know what the word trolling means, as my research shows, <a href="http://cass.lancs.ac.uk/?p=621">we’re actually nowhere near a single, agreed-upon definition</a>. A clear definition can and should determine what behaviours a word like trolling captures. Such a definition might conceivably cover everything from mildly annoying comments through to deeply menacing behaviour. Perhaps more usefully, it might be used purely to describe conduct that is not serious enough to merit criminal action, leaving other, better-suited terms like cyber-harassment and cyber-stalking to capture the extreme, menacing, and persistent behaviours.</p>
<p>Whatever we decide, this is only the start of the issue. Current UK legislation is lacking when it comes to dealing with online antisocial behaviour. The most recent relevant legislation, the <a href="http://www.legislation.gov.uk/ukpga/2003/21/contents">Communications Act</a>,
came into force in July 2003. An Act of this magnitude – more than 250,000 words spanning over four hundred sections – takes years to write and enact. As such, the section relevant to <a href="http://www.legislation.gov.uk/ukpga/2003/21/section/127">online behaviour</a> is based on the internet of the 1990s rather than that of the new millennium. The Act came into force before the creation of massive, ubiquitous social networks like Facebook (founded in 2004) and Twitter (founded in 2006). As sites like these have evolved, so too has trolling, yet the legislation remains largely unchanged to reflect this.</p>
<p>Recognising the need for greater clarification, in June this year, after six months of consultation with the public, the <a href="http://www.cps.gov.uk/southwest/cps_southwest_news/news_articles/in_the_dock__prosecuting_cyber_bullying__electronic_stalking_and_trolling/">Crown Prosecution Service</a> (CPS) published <a href="http://www.cps.gov.uk/consultations/social_media_guidelines.pdf">guidelines</a> on prosecuting cases involving communications sent via social media. However, like much current legislation designed for supposedly similar offline behaviours, these guidelines do not explicitly address the critical differences that the online environment offers: the speed at which content can be reproduced; the breadth of audience that can be reached; the inability of targets to entirely eradicate malicious content in some cases; and not least, the expense and difficulty involved in identifying, and then prosecuting even very serious online offences.</p>
<p>This difficulty is further exacerbated by a legislative culture in which offline crime is still generally considered as more serious than any supposed online counterpart. For instance, the CPS provides useful guidance on behaviours such as <a href="http://www.cps.gov.uk/legal/s_to_u/stalking_and_harassment/#a02b">stalking</a>, <a href="http://www.cps.gov.uk/legal/s_to_u/stalking_and_harassment/#a02a">harassment</a>, and <a href="http://www.cps.gov.uk/legal/v_to_z/youth_offenders/#a25">school bullying</a>, but if one reads these guidelines, it seems that the offline version is considered the norm. Any online variant, where it is even acknowledged, is simply considered a sub-type. This overlooks the fact that supposedly equivalent behaviours like cyber-stalking, cyber-harassment, and cyber-bullying can have their own unique attributes, methods, and consequences and should, as such, be dealt with differently. Indeed, what little the CPS has to say about online antisocial behaviours tends <a href="http://www.cps.gov.uk/southwest/cps_southwest_news/news_articles/in_the_dock__prosecuting_cyber_bullying__electronic_stalking_and_trolling/">to be vague</a>.</p>
<p>Whatever we want the word trolling to mean, we are nowhere near a consensus, and neither UK legislation nor CPS guidance currently helps to resolve the problem. As we see in the harrowing Cuomo case, where we lack clear legal guidance or definitions, however abundantly morally wrong a behaviour may be, prosecuting an individual for that behaviour may become almost impossible.</p>
<p class="fine-print"><em><span>Claire Hardaker does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Claire Hardaker, Lecturer in Linguistics and English Language, Lancaster University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/8953
2012-08-23T04:43:30Z 2012-08-23T04:43:30Z
Cybercrime bill makes it through – but what does that mean for you?
<figure><img src="https://images.theconversation.com/files/14559/original/wkw7vjmf-1345695963.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Australia’s place in the online world is changing, with significant consequences.</span> <span class="attribution"><span class="source">lintmachine</span></span></figcaption></figure><p>Yesterday afternoon the Australian Senate passed the <a href="http://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id:%22legislation/billhome/r4575%22">Cybercrime Legislation Amendment Bill 2011</a> following <a href="http://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id:%22legislation/amend/r4575_amend_6c550c60-3a7a-4582-b978-30c4b9cb28e0%22">amendments</a> suggested by the Labor Party.</p>
<p>It’s been <a href="http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r4575">more than a year</a> since the bill was first introduced to the lower house and in that time it’s faced opposition both <a href="http://wa.greens.org.au/content/flawed-cybercrime-bill-dodges-national-security-inquiry">inside</a> and <a href="http://www.crikey.com.au/2012/08/23/and-softly-went-our-privacy-into-the-night/">outside</a> parliament.</p>
<p>The purpose of the bill is to align Australia with the <a href="http://en.wikipedia.org/wiki/Convention_on_Cybercrime">Council of Europe Convention on Cybercrime</a>, to which 34 other countries – including the US, Germany and most European nations – are already signatories.</p>
<h2>Special effects</h2>
<p>The bill effects changes in the <a href="http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/">Telecommunications Act 1997</a> and <a href="http://www.austlii.edu.au/au/legis/cth/consol_act/taaa1979410/">Telecommunications (Interception and Access) Act 1979</a> and will force carriers and internet service providers (ISPs) to preserve stored communications, when requested by certain domestic authorities (such as the Australian Federal Police), or when requested by those authorities acting on behalf of nominated foreign countries.</p>
<p>This means a warrant will be needed before the police or security agencies can force carriers or ISPs to monitor, capture and store website use, data transmissions, voice and multimedia calls, and all other forms of communication over the digital network.</p>
<p>But, as mentioned, the introduction of this bill has attracted significant criticism.</p>
<p><a href="http://www.crikey.com.au/2011/08/16/cybercrime-legislation-australia/">Writing for Crikey</a> in August 2011, Bernard Keane highlighted a number of concerns about the bill, including the fact there are no restrictions on the use of information requested by foreign countries. A foreign country could call upon Australia to assist in an investigation that may lead to the death penalty.</p>
<p>Criticism also came from non-profit online rights organisation <a href="http://www.efa.org.au/">Electronic Frontiers Australia</a> (EFA). In its submission last year to the Federal Government’s <a href="http://www.aph.gov.au/Parliamentary_Business/Committees/House_of_Representatives_Committees?url=jscc/index.htm">Joint Select Committee on Cyber-safety Inquiry</a> (which <a href="http://www.zdnet.com/au/cybercrime-bill-passes-senate-set-to-become-law-7000002971/">made recommendations</a> that led to amendments to the bill) the EFA wrote:</p>
<blockquote>
<p>EFA is very concerned with amendments to the computer crime offences in the Criminal Code, and believe these parts of the current legislation are both deeply problematic, and unnecessary for adherence to the Convention.</p>
<p>EFA is concerned that some aspects of this legislation can potentially enable arbitrary interference with privacy and correspondence. We believe it should be treated with great caution.</p>
<p>But worse, we believe the Criminal Code changes would apply serious criminal penalties, up to ten years’ imprisonment, on a very broad range of actions, well beyond what is required for the Convention, and for this reason the legislation should be rejected in its current form.</p>
</blockquote>
<h2>Toeing the line</h2>
<p>So why did the government, with opposition support, proceed with the bill in the face of <a href="http://www.aph.gov.au/Parliamentary_Business/Committees/House_of_Representatives_Committees?url=jscc/cybercrime_bill/subs.htm">criticism</a> by industry and civil liberties advocates such as EFA?</p>
<p>It could be argued that the Cybercrime Legislation Amendment Bill 2011 is a much-needed update of existing legislation and that it brings Australia in line with Europe. And there’s no doubt that the digital network is being used ever increasingly for crime, espionage and terrorism. </p>
<p>Indeed, following the passing of the Bill, Attorney-General Nicola Roxon stated:</p>
<blockquote>
<p>This is good news for fighting crime, and will help make it easier for police to track down cybercriminals around the world.</p>
<p>This will help combat criminal offences relating to forgery, fraud, child pornography and infringement of copyright and intellectual property.</p>
</blockquote>
<h2>Where we’re at</h2>
<p>The introduction of the new bill comes at an interesting time. On August 10 Nicola Roxon decided to <a href="http://www.theage.com.au/technology/technology-news/roxon-puts-web-surveillance-plans-on-ice-20120809-23x9l.html">defer plans</a> to increase web surveillance – a plan which would have affected all Australians by introducing a two-year data-retention plan for ISPs.</p>
<p>In essence, if that plan ever comes to fruition, everything you do online – every keystroke, website visited, video watched – would be monitored and stored for two years.</p>
<h2>Unanswered questions</h2>
<p>So the bill’s been passed. But the underlying issues remain, and the bill does nothing to address the following critical questions:</p>
<ul>
<li>What is the government doing to build a more secure network? </li>
<li>What is it doing to develop best-practice guides for individuals and companies operating on the network?</li>
<li>Should Australia really be implementing laws that allow foreign governments to access its information? </li>
<li>Will Australian carriers and ISPs now be required to hand over to the US everything that exists on the network, including private personal information for people such as Julian Assange of <a href="http://www.wikileaks.org/">Wikileaks</a>?</li>
<li>What about emails and phone calls that Julian Assange makes to his parents and family in Australia from the Ecuadorian embassy in London?</li>
</ul>
<p>The Australian government needs to step back and look at how to address some of the concerns being voiced within Australia.</p>
<p>The Cybercrime Legislation Amendment Bill 2011 will assist law enforcement agencies but failure to address the underlying problems that exist with technology used in the network will mean law enforcement will simply be treading water.</p>
<p>The bill will now return to the lower house for approval and will likely become law before the end of 2012.</p>
<h2>Further reading</h2>
<ul>
<li><a href="https://theconversation.com/why-is-anonymous-hacking-australia-8480">Why is Anonymous hacking Australia?</a> - Mark Gregory, The Conversation</li>
<li><a href="https://theconversation.com/anonymous-operation-australia-can-the-federal-police-stop-them-8778">Anonymous’ Operation Australia – can the federal police stop them?</a> - Mark Gregory, The Conversation</li>
<li><a href="https://theconversation.com/were-watching-you-why-the-government-should-focus-on-cybersecurity-not-surveillance-8846">We’re watching you: why the government should focus on cybersecurity, not surveillance</a> - Mark Gregory, The Conversation</li>
<li><a href="http://www.crikey.com.au/2012/08/23/and-softly-went-our-privacy-into-the-night/">And softly went our privacy into the night</a> - Bernard Keane, Crikey</li>
</ul>
<p class="fine-print"><em><span>Mark A Gregory does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Mark A Gregory, Senior Lecturer in Electrical and Computer Engineering, RMIT University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/4990
2012-01-20T05:20:13Z 2012-01-20T05:20:13Z
Megaupload in mega trouble (so back-up your online content)
<figure><img src="https://images.theconversation.com/files/7065/original/cbcz7nrq-1327035653.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">US authorities have seized the file-sharing website.</span> <span class="attribution"><span class="source">johntrainor</span></span></figcaption></figure><p>The big copyright news overnight was not the <a href="https://theconversation.com/major-turn-off-leading-lights-stage-an-internet-blackout-to-fight-sopa-4964">continuing protests against the Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA)</a>, but the shutdown and seizure of Megaupload.com, a popular “cyberlocker”, and 17 related sites.</p>
<p>The Mega empire was hosted on servers in the United States, the Netherlands, and elsewhere around the world. Acting on a <a href="http://thenextweb.com/insider/2012/01/20/heres-the-full-72-page-megaupload-doj-indictment/?awesm=tnw.to_1CsWd&utm_campaign=social%20media&utm_medium=Spreadus&utm_source=Twitter&utm_content=Here's%20the%20full%2072%20page%20Megaupload%20DOJ%20indictment">grand jury indictment</a> obtained from a US district court, US authorities coordinated with their counterparts in New Zealand, Hong Kong, the Netherlands, the UK, Germany, Canada and the Philippines to:</p>
<ul>
<li>seize 18 domain names and take the related sites offline</li>
<li>seize a reported US$50 million of assets, and</li>
<li>arrest four of the seven individuals charged in the indictment.</li>
</ul>
<p>At the time of writing, the three remaining individuals are yet to be apprehended.</p>
<p>Cyberlockers are websites that provide private data storage facilities by allowing individuals to upload content for later retrieval or sharing with others. Many of us probably already use cyberlockers such as <a href="http://www.dropbox.com/">Dropbox</a>, Microsoft’s <a href="https://skydrive.live.com/">SkyDrive</a> or Amazon’s <a href="https://www.amazon.com/clouddrive/learnmore">Cloud Drive</a> in our work.</p>
<p>Such services have plenty of obvious non-infringing uses – if you want to share a 700MB video you took of your recent trip with family and friends, uploading it to a service such as Megaupload and giving your friends the download link is one of the cheapest and most efficient ways to do so.</p>
<p>Anybody could upload files to Megaupload, but files that failed to be downloaded for a short period (21 days for material uploaded by unregistered users, 90 days for registered “free” users, no limit for registered “paid” users) were deleted. In practice, this ensured Megaupload was used largely for the storage of popular content which, not surprisingly, often turned out to be infringing.</p>
<p>That material was made somewhat difficult to find because Megaupload (probably for strategic legal reasons) had no search tool on its website. Instead, users had to find the URLs for content from an external source – directly from a friend, from another website or via a search engine.</p>
<p>The business made money from selling premium use subscriptions, and from advertising on the site. All in all, the indictment alleges Megaupload made some US$175 million in income since opening shop in 2005, from a claimed 1 billion+ visitors.</p>
<p>(Incidentally, the breakdown is US$150 million from user subscriptions, and just US$25 million from advertising. If this is correct, it’s more evidence that many users are willing to pay to access “free” content. If this single site can make US$150 million from user subscriptions when offering a hodge-podge of files of dubious quality and without the ability to effectively search among them, imagine how much content owners could make if they made their content more reasonably available.)</p>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/7066/original/wf6d8bdw-1327035833.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/7066/original/wf6d8bdw-1327035833.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=463&fit=crop&dpr=1 600w, https://images.theconversation.com/files/7066/original/wf6d8bdw-1327035833.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=463&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/7066/original/wf6d8bdw-1327035833.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=463&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/7066/original/wf6d8bdw-1327035833.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=582&fit=crop&dpr=1 754w, https://images.theconversation.com/files/7066/original/wf6d8bdw-1327035833.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=582&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/7066/original/wf6d8bdw-1327035833.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=582&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Megaupload</span></span>
</figcaption>
</figure>
<p>While there’s no doubt that many of Megaupload’s visitors were intent on downloading infringing content, it’s less clear whether the site’s providers can be held liable for those infringements. In <a href="http://torrentfreak.com/from-rogue-to-vogue-megaupload-and-kim-dotcom-111218/">an interview given to TorrentFreak</a> just a month ago, founder “Kim Dotcom” (aka Kim Schmitz) claimed that:</p>
<p>“Mega has nothing to fear. Our business is legitimate and protected by the DMCA [<a href="http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act">Digital Millennium Copyright Act</a>] and similar laws around the world. We work with the best lawyers and play by the rules. We take our legal obligations seriously. Mega’s war chest is full and we have strong supporters backing us. We have been online for 7 years and we are here to stay, so no need to worry about us.”</p>
<p>The legal protection that Dotcom was referring to is the safe harbour provided to online service providers (including cyberlockers) as long as they satisfy certain criteria.</p>
<p>The indictment alleges that Mega does not qualify for a number of reasons, including because they themselves had actual knowledge that the materials on the sites were infringing (or knew “facts or circumstances that would make infringing material apparent”), and because they were receiving a financial benefit directly attributable to copyright-infringing activity within its control. </p>
<p>The indictment discloses plenty of evidence of potentially illegal conduct. Megaupload paid money to users who supplied its most popular files via the “Uploader Rewards” program, and it seems that key employees sometimes paid out that money with full awareness it had accrued courtesy of infringing files.</p>
<p>Other executives uploaded infringing content themselves, and on various occasions distributed Megaupload links to infringing content. Plenty of emails demonstrate their intention to engage in wholesale copyright infringement of YouTube’s content (that’s right – they tried to copy ALL of it).</p>
<p>But as <a href="http://james.grimmelmann.net/">Professor James Grimmelmann</a> of New York Law School <a href="http://arstechnica.com/tech-policy/news/2012/01/why-the-feds-smashed-megaupload.ars">told online technology publication Ars Technica</a>, “much of what the indictment details are legitimate business strategies many websites use to increase their traffic and revenues: offering premium subscriptions, running ads, rewarding active users.”</p>
<p>This case opens the door to vigorous pursuit of other online hosting providers. As this case demonstrates, the US government already has considerable powers to shut down such sites. If the SOPA legislation (discussed on The Conversation <a href="https://theconversation.com/major-turn-off-leading-lights-stage-an-internet-blackout-to-fight-sopa-4964">on Wednesday</a>) is eventually passed in the US, it will give the US government additional powers over foreign sites that have no connection to the US.</p>
<p>Even more problematically, the legislation (as currently drafted) will give private entities unprecedented abilities to interfere with revenue and advertising of sites, including foreign sites, by alleging that they are “dedicated to theft of US property”. </p>
<p>It’s vital that any future attempts to target file hosting sites make principled, transparent distinctions between those providing useful, legitimate services with substantial non-infringing uses, and bad actors engaging in unlawful conduct.</p>
<p>That holds good whether they’re in the form of official government action to enforce the criminal law, or private action by rightholders such as that envisaged by SOPA. If SOPA is enacted in its current form, no such distinction seems likely to be made.</p>
<p>Those of us who currently use cyberlockers for lawful purposes should enjoy them while we can – but create offline backups just in case.</p>
<p><em><strong>Rebecca Giblin can be found on Twitter <a href="https://twitter.com/rgibli">@rgibli</a>.</strong></em></p>
<p class="fine-print"><em><span>Rebecca Giblin does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Rebecca Giblin, Academic, Faculty of Law, Monash University
Licensed as Creative Commons – attribution, no derivatives.