Wednesday, 13 November 2002
Page: 6308


Senator GREIG (10:33 PM) —I rise tonight to speak about cybercrime in Australia. According to the Computer Emergency Response Team (CERT) Coordination Centre, the number of reported incidents of computer related security breaches in the first three-quarters of 2000 rose by 54 per cent over the total number of reported incidents in the previous year. CERT logged some 9,000 security breaches in Australia in 1999, and that number leapt to an extraordinary 22,000 incidents in the year 2000. In addition to this, it would appear that countless instances of illegal access, damage, fraud and illegal pornography around the world remain unreported, because victims fear the exposure of vulnerabilities, the potential for copycat crimes and the loss of public confidence.

Last year in this chamber, we passed the Cybercrime Bill 2001—now the Cybercrime Act—which amended the Criminal Code Act 1995 and beefed up the penalties for this type of crime. It enacted seven new computer offences to target people who access or modify computer data or communication to and from a computer which they do not have authority to access, modify or impair, and do so with the intention of committing a serious offence. But, despite the enactment of these new laws, electronic attacks, in the form of hacking of major web sites and servers and far-reaching virus and worm attacks, continue. Some companies are monitoring minute by minute to combat the new generation of viruses such as Bugbear-A, Klez, Braid-A and Sircam, which have superseded last year's viruses and worms such as the ILOVEYOU virus and the Anna Kournikova virus, amongst others.

The perception within the industry is that perpetrators of cybercrime are undeterred by the prospect of arrest or prosecution. They prowl the Net and are an ever-present threat to businesses, their clients, and ultimately the security of the nation. Cracking and virus introduction were targeted by the bill, as were `denial of service' attacks via message or ping floods. More serious offences included `denial of service' attacks and virus introduction actually causing unauthorised modification of data leading to impairment of information. Other offences cover the simple hacking of sites, where unauthorised entry into a protected system is an offence as is the writing, supply, control or possession of codes or programs which can be used to commit a computer offence.

The problem with this, however, is that the vast number of very common software programs that include utilities and applications which can be used for hacking would fall foul of the new cybercrime laws. For example, the Telnet program is attached to every copy of Microsoft Windows and is used on 80 per cent of the world's computers, and there are programs like John the Ripper which is attached to Unix. Indeed, the federal parliamentary network, which runs on Windows NT, would fall under the shadow of this extremely broad legislation, making the Commonwealth's IT network legally dodgy.

This problem is compounded for system or network administrators who frequently use programs like Netbus and Linux and who may possess not only programs that can be used for hacking but also, in some cases, benign virus codes. The offence of possession is tempered by the requirement of `intent to commit or facilitate an offence', but in so doing there is the inference that anyone in possession of any of these common applications may have to defend themselves against such allegations.

Although the government claims that the technology neutral terminology and broad scope of the bill made the proposed laws effective, industry insiders are less enthused. Philip Argy, the National Vice-President of the Australian Computer Society, is reported as saying he supports the legislation in principle but has `serious reservations about the broad powers being conferred upon statutory agencies such as ASIO'. In cracking down on cybercrime, the bill may have gone too far. Mr Argy uses an interesting analogy to explain how he sees the new laws. He says:

Assume the police say they have reason to believe there is a sardine just off the Sydney Opera House which could help with their inquiries. Based on this, they can get a warrant to trawl Sydney Harbour and any body of water which is connected to Sydney Harbour.

It can be argued every waterway on the planet is ultimately connected to Sydney Harbour in one way or another, and would therefore be included in such a trolling exercise.

In terms of computers, we are talking about a lot of networks, a lot of individuals and a lot of power. The bill amended the Criminal Code to include new offences aimed specifically at Internet activity, but it has been put to me on more than one occasion that the laws are too broad and are seen by many in the industry as using a sledgehammer to crack a walnut. The overall effect is that Mr Argy and others within the industry are concerned that civil liberties be protected and that strong legislation not be used by law enforcement agencies for harassment.

The bill addressed the practicalities of cybercrime by hugely expanding the associated law enforcement powers of investigation. The offences were given a wide and extraterritorial ambit under the bill in order to catch offenders who may otherwise escape liability by the simple method of bouncing commands off a remote computer or operating from a secure shell overseas. Additionally, police powers are now extended to allow seizure of data in the form of taking a mirror of a drive or disk on site for later analysis. Hypothetically, if a computer somewhere, for example at BHP, is suspected of sending a damaging virus, the police now have the power to insist that BHP provides them with a copy of all information it has stored on all its computers and every computer that its system is networked with—everything. There is no privacy or commercial protection. The absurdity and cost of this scenario is heightened if it turns out that the BHP virus was actually started by a 14-year-old hacker in Hobart.

Due to the nature of electronically stored information, pursuit of data by police through a network means everyone connected to the network is vulnerable to a search warrant—an approach that leaves no room for data privacy. In a more extreme example, if a search warrant was allowed to extend to data and computers accessible from, but not held on, electronic equipment at the premises being searched, then technically there is creation of an unlimited warrant in the case where such a machine is connected to the Internet—hence Mr Argy's Sydney Harbour comparison.

Industry fears that certain groups may be unfairly targeted by the legislation. So-called `white hat' security consultants who crack networks to find flaws and misconfigurations in network security are concerned that their jobs are threatened by these developments. Site operators who attract and generate large volumes of traffic may be guilty of the offence of crashing web or email servers simply by their ordinary high-load operations. For example, Madonna's Internet concert was so popular that it caused a large number of crashes all over the world, including Australia. The legislation would place Madonna in danger of falling foul of the law.

IT groups like 2600 Australia maintain that hacking plays an important role in the continuing development of security technology. Through their activities, hackers reveal problems with existing software and are a major motivation in the development of antihacking technology both through their own work and as a response by the general community to their activities. The advantage of the Internet is that it is a medium designed to facilitate a free flow of information and data, and legislating to restrict that operation should not destroy or control that freedom. It would at any rate be practically and effectively useless.

The importance of the legislation is that it points the finger at the real problems behind cybercrime news stories—that is, the insufficient awareness or education of people using the Internet in terms of both operators ensuring their own security and companies promising security hardware and software but in fact leaving their customers wide open to attack. The Cybercrime Bill was a well-meaning but clumsy step in the right direction, although it must be careful not to persecute the IT industry in its search for legitimate Internet criminals.