Network security, cyber crime and control of content
Discussion of spam leads us to issues of security, cyber crime and content control. Countries need to ensure that new types of computer-mediated and online crime can be prosecuted under national criminal law and that these laws permit the international cooperation necessary to investigate and prosecute crimes carried out over the global Internet. The most obvious requirement is that the legal system must be able to accept electronic evidence, whether in the form of email, network audit trails, or electronic contracts.
Countries that have such laws – again both Japan and Australia in the Asia-Pacific region have well-regarded legislation in place – can help others. Regional organisations, for example ASEAN and the Pacific Islands Forum, can support nations working on e-strategies to make sure such laws are included in new policy and legal frameworks. At the same time, these new laws and new types of law enforcement methods must not infringe on human rights, particularly the rights to speech, privacy, and freedom from surveillance.
Creating a trusted environment in cyberspace is essential for the development of the information society, and it was one of the central themes of the WSIS process. The summit documents suggest that network security, information security, privacy and consumer protection should be considered in a holistic way, that is, security and the fight against cyber crime should not come at the cost of infringement of privacy and other rights.
Cyber attacks and the state
Organised hacking attacks, or cyber attacks, have been a feature of Internet security breaches in the Asia-Pacific region since the 1990s. Typically, these attacks are organised and focus on the official websites of other governments. For example, Chinese hackers have attacked Japanese and Taiwanese official websites during negotiations over disputed territories. Japanese and other hackers, likewise, have attacked Chinese websites. Such attacks often seem to be well organised and coordinated, giving the impression that they may have at least the tacit approval of the domestic authorities.
In 2001, after publication of a Japanese high-school history textbook that glossed over Japan’s occupation and aggression in Asia during World War II, hackers from China and South Korea attacked Japanese government websites, particularly that of the Ministry of Education. Most attacks take the form of website hacking or denial of service, but a Korean response to the Japanese textbook issue showed a different kind of online activism. Korean online discussion forums encouraged users to coordinate a collective “attack” on the Japanese Ministry of Education, picking a day and time when everyone would attempt to access the ministry’s website. The effect was the same as a software-driven denial-of-service attack: the website was crippled by the huge volume of hits it received. But instead of being the act of a few hackers, it represented a collective action – the online equivalent of people taking to the streets in protest, except this protest was made virtually and had a cross-border impact.
Hacking attacks, viruses, worms, spam and other email-borne malevolent software are a serious threat to the security and stability of the Internet. Users can take some measures to combat these threats by, for example, using anti-virus software and by following good network practices when using the Internet and when downloading files. Service providers should ensure the security of their networks and servers by acting promptly on security alerts, upgrading equipment, installing patches and taking other appropriate measures. National strategies to use FOSS in place of more vulnerable proprietary systems can be effective; and FOSS is being promoted heavily throughout the region, as many of the country chapters in this edition attest. There are also initiatives between countries, such as those between China, Japan and South Korea, to support the development and deployment of FOSS in the region.
There are no easy solutions, and responses must be coordinated internationally. This might include supporting and improving the network of centres that are coordinating information about computer and network security incidents, as well as adopting model legal conventions to create more binding international cooperation.
Computer Emergency Response Teams
Organisations known as Computer Emergency Response Teams (CERTs) have been operating nationally and internationally since the early 1990s as focal points for information about computer and network security incidents. Usually operating at a national level, they also provide advice on best practices and training. There is a CERT or an organisation with a similar function in most developed nations, but there are too few in the developing world and too few Asia-Pacific countries have a functioning CERT. APCERT (Asia Pacific Computer Emergency Response Team) is a coalition of CERTs from 12 economies across Asia Pacific.
Creating new CERTs across the region was the focus of an APEC CERT seminar held in Kuala Lumpur in March 2003, with the goal of ensuring that the business and government sectors in each APEC economy have access to the services of a local CERT that will help them to prepare for, respond to and recover from attacks. The project has so far provided CERT training in Thailand, Vietnam and the Philippines, which are members of APCERT. There is clearly much work to be done in many other countries. Ensuring effective security response and training is an essential practical aspect of Internet governance.
Model laws and international agreements
The Council of Europe Convention on Cybercrime (2001) has been discussed in WSIS – before and after the Geneva summit – as a potential model international legal agreement to address online criminal activities. The council has stated that it hopes WGIG will consider the convention as a model law.
Council of Europe members as well as non-member states can become signatories of the convention. In fact, Japan was involved in the drafting of the convention, and as such the convention could become the basis for harmonising national laws on a foundation of internationally accepted principles. A joint statement of the APEC Ministerial Meeting in Chile, held in November 2004, agreed to strengthen member economies’ ability to combat cyber crime by enacting domestic legislation consistent with the provisions of international legal instruments, including the said convention and relevant UN General Assembly resolutions.
The convention is in fact three separate treaties in one. First, it is a treaty that calls for the harmonisation of substantive laws and criminalisation of specific activities, such as network security violations, copyright infringement, and fraud. Second, it is an enabling device that calls on countries to create surveillance power, such as interception of communications, search and seizure. It does not limit the application of surveillance power to the crimes defined in the “first” treaty. Third, it is one of the largest international agreements to date calling for surveillance across borders, establishing a mutual legal assistance arrangement where countries can compel others to assist in investigations.
The convention provides a starting point in the fight against cyber crime, but it is controversial, particularly in expanding the power for cooperation in international law enforcement and extending cross-border surveillance. Governments may also be compelled to investigate and collect evidence on their citizens for sharing with foreign governments, without any claim of criminal activity. That means the convention does not require dual criminality as a prerequisite for cooperation, resulting in the surveillance of individuals who have broken no law. The impact of the convention on Asia Pacific could be substantial, particularly if its power is exploited by authoritarian regimes.
The convention also offers weak support for human rights and privacy, instead relying heavily on individual signatory national regimes to protect these essential freedoms, something that is lacking in many Asia-Pacific countries. For example, the exchange of information under the convention must always adhere to national legislation. However, where such provisions are absent in a nation, there is a lot of information that could be exchanged with little or no protection.
The Convention on Cybercrime is problematic as a model for many developed and developing nations, and for the Asia-Pacific region in particular. If WGIG is to consider adopting the convention, it must clearly identify these weaknesses and make sure that protection mechanisms against them are in place before the convention can be in any way endorsed by WSIS.
Regulation of content
The regulation and control of content will be a difficult issue for WGIG to address. If it makes any recommendation that smacks of supporting censorship – except for the most heinous and globally agreed forms of illegal content – the resulting uproar will overshadow its other work. However, many governments in Asia Pacific are imposing strict control on Internet content. A recent report by Reporters Without Borders, entitled “Internet under Surveillance”,14 about obstacles to the free flow of information online was damning about the policies of many Asia-Pacific countries.
The degree of control imposed by governments ranges from the extreme, such as in Myanmar where not only is content limited but all access to the Internet is severely restricted, to the minimal, as in South Korea and Japan. The extent of control often reflects the general situation of the society in each country. As already mentioned, the Internet in China is closely controlled. All Internet traffic passes through a small number of gateways and is filtered for undesirable content. Email is filtered, as are requested webpages.
China blocks many hundreds of thousands of websites, and the list is updated very frequently. Anecdotal evidence suggests that new websites supporting well-known “disruptive” causes such as Falun Dafa and Falun Gong are blocked within 30 minutes of going online. China also has a reputation for jailing cyber dissidents, according to Reporters Without Borders. As of early May 2004, 61 people had been detained for posting messages or articles on the Internet that were considered subversive.
Singapore is often presented as a Big Brother state, the government being everywhere and watching. But its treatment of the Internet is by contrast quite light. It filters around 100 high-profile websites that are considered as undermining public security, national defence and personal dignity, but this filtering is little more than a symbolic gesture. Malaysia and more recently Thailand have been more aggressive in clamping down on material critical of their governments. The Malaysian government has regularly harassed the online newspaper Malaysiakini for articles critical of the government and its supporters. In Thailand, the government, and particularly Prime Minister Thaksin Shinawatra, has used defamation law to restrict freedom of expression. Malaysia has strived to become an IT hub, spending billions of dollars building infrastructure and industries, and promoted itself vigorously as a cyber paradise. Heavy-handed treatment of publications like Malaysiakini quickly tarnishes the reputation the country has carefully tried to build.
Top-down control processes do not work on the Internet: they are not appropriate when applied to the technology, while they stifle innovation and creativity when applied to content.
The common vision developed during WSIS is of a “people-centred, inclusive and development-oriented Information Society”, that is, an information society for everyone: “This implies that every person must have access to the means of communication and must be able to exercise their right to freedom of opinion and expression, which includes the right to hold opinions and to seek, receive and impart information and ideas through any media and regardless of frontiers.”15 If WGIG is to make any recommendation on issues of content, these words from the Civil Society Declaration to the Geneva summit of WSIS provide it with a good starting point. The principles enshrined in the UN Charter and in the Universal Declaration of Human Rights, particularly Article 19, should be respected by the countries of Asia Pacific.