Meris, Madelaine Anne: Hacking and the Law

Introduction

On August 21, 2000, Philippine authorities dropped all criminal charges filed against Onel De Guzman and Reomel Ramones, persons accused of unleashing the ILOVEYOU worm which infected computers worldwide in May 2000 and caused an estimated damage of $10B. The government released the two since there were no laws punishing authors of malicious software in the country at the time. However, three months after the spread of the worm, the Philippine Congress passed the Electronic Commerce Act of 2000 (Republic Act No. 8792), which in part provides for the punishment of the act of hacking. However, the government must yet learn from its oversight for the Congress has yet to pass an Anti-Cyber Crime Law that will properly address inimical cyber crimes.

“Hacking”, or more appropriately cracking as discussed in this paper, is just one of the acts which endangers cyberspace. However, as technology evolves, the techniques or tools used by crackers and the purpose of their acts have also evolved. While cracking has been penalized in Section 33 of the Electronic Commerce Act of 2000 (Republic Act No. 8792) and has been a catch-all law or a general law punishing almost all kinds of cracking and malicious activities carried out against computer systems, the increasing number and nature of threats has made it important for our laws to address said phenomenon. This paper will first look at what is hacking and will discuss the difference between ethical and unethical hacking. Second, it will show the various tools used by unethical hackers and the effects they produce. Third, it will show the insufficiency of present laws to address the threats brought about by hackers, and proposes the enactment of an Anti-Cyber Crime Law which will address these threats including the creation of a government agency whose principal task will be securing the country’s cyberspace.

Hacking and Cracking: Distinguishing the Ethical from the Unethical

There has always been a negative connotation of hackers or hacking per se to the general public. In the information technology (IT) community however, being called a hacker is considered a compliment. Such is the case because a hacker is defined as a person who enjoys learning the details of computer systems and then stretching their capabilities. Meanwhile, hacking describes the rapid development of new programs or reverse engineering of already existing software to make the code better and more efficient. [1] These terms are general in a way that such persons who do the act of hacking or hackers may do so with a positive or negative purpose in mind. Those individuals who use their hacker skills for a positive or defensive purpose are called ethical hackers or what the IT community calls as “white hats”. On the other hand, those hackers who use their hacker skills for offensive purposes and who often resort to malicious or destructive activities in cyberspace are called crackers or “black hats”. [2] It is unfortunate that the term hackers is used as an equivalent of crackers which is mostly propagated by the mass media who didn’t make any distinction to these terms. Even the Electronic Commerce Law of 2000 refers to both terms of hacking or cracking as the same, giving them the same definition. Dones (2009) [3] even proposes that the use of both the terms of hackers and crackers may result to prosecution of ethical hackers, based on the rule of statutory construction that the use of words in its ordinary industrial context carries a great weight; thus, criminal hacking or cracking should be distinguished from hacking.

Ethical hacking is a very important activity in order to secure information systems which nowadays mostly operate through computer networks including the use of the internet. Information security involves the preservation of the confidentiality, integrity and availability of information to an individual, business, enterprise or agency. The last element is usually the subject of “black hat” attacks in what are called denial of service attacks which obstructs persons or networks from availing of certain information which may render some computer systems unusable. [4] The threats against information security are real and pervasive since attacks perpetrated by crackers against information systems are increasing and becoming more sophisticated. This is the reason why the use of technical skills to defend an information system through ethical hacking, which includes the legitimate use of hacking tools, is important. An ethical hacker employs his or her hacking skills or hacking tools to protect an information system by, first looking into the system to find the problems and vulnerabilities that may penetrate it and then putting in place measures to protect it. For further legitimation, an ethical hacker must ask permission when hacking someone else’s system and must not do anything he cannot reverse. [5]

Unethical hacking or cracking is carried out by black hat hackers or crackers who specialize in unauthorized penetration to attack systems for profit, for political motivations, for a social cause or even for mere fun. Such penetration is done without authorization and hence they should not be confused with ethical hackers. Their attacks may vary such as distributing computer viruses, internet worms, and spam through the use of botnets. [6] This is substantially how the E-commerce Law has defined crackers, however, as technology advances, the number and nature of attacks and malicious acts that a cracker may carry out has magnified and our laws must adapt to address such threats and attacks.

Threats to Cyberspace and IT Systems

The information technology revolution changed the way business and government operate. At the opportunity of less cost of doing business and increasing productivity, individuals and businesses all over the world jumped on the bandwagon of networked computers to do their business. Countries soon shifted the control of essential processes in manufacturing, utilities, banking and communications to networked computers systems and is a trend that continues to this day. For example, in a certain country, a network of networks directly supports the operation of all sectors of our economy such as: energy, transportation, finance and banking, information and telecommunications, etc. Computer systems may also control physical objects such as electrical transformers, trains, pipeline pumps, chemical vats and radars. [7]

The above discussion shows how vital securing information technology systems is to national security. Countries which have used computer technology for their whole country to operate effectively have to observe massive efforts to secure their cyberspace or their networks so that their countries will not come to a standstill. And with man’s present dependence on information technology and the cyberspace, every country must indeed give importance to this. To show that the threats of unethical hackers are real and increasing, the following are some of the tools or “weapons” they utilize: [8]

  1. Trojan horse – a program that appears to be valid and useful but contains hidden instructions that can cause damage to the system
  2. Virus – a special type of Trojan horse that can replicate itself and spread, just like a biological virus, and cause damage to the computer system or networks. It is composed of a mission component (deletion, modification, and/or insertion of data), trigger component (based on event and time), and a self-propagating component (attaching itself to files and programs).
  3. Back Door/Trap Door – a set of instructions that permits a user to bypass the system’s security measures. These are program codes placed by developers and vendors to make easier for them to modify or repair. Worm – a program that replicates itself via a permanent or dial-up network connection. Unlike a virus, which seeds itself within the computer’s hard disk or file system, a worm is self-supporting program. It can also be used to spread time bombs, virus, Trojan horses, etc.
  4. Address Resolution Protocol (ARP) Poisoning – is a technique used to attack an Ethernet wired or wireless network and may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The aim is to associate the attacker’s MAC address with the IP address of another node and any traffic meant for that IP address would be mistakenly sent to the attacker instead. [9]
  5. Phishing – process of fraudulently attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public through emails. It often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. [11]
  6. Pharming – is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent Web sites without their knowledge or consent. Pharming has been called “phishing without a lure.” [11]
  7. Packet Storming – a form of attack that involves the flooding of the ports with large number of packets with the intent to deny service to the network. It can be repeated in rapid fire intervals generating enough traffic to shut major networks. [12]
  8. Packet Sniffing – program utilities that easily permits unauthorized persons to capture packet data and examine such. [13]

These are just some of the tools unethical hackers may utilize. Some of these tools are familiar such as virus or worms, while others such as ARP Poisoning and pharming are more sophisticated tools developed by hackers. As would be garnered from the above description of these tools, unethical hackers can carry out denial of service (DoS) attacks, identity theft, fraud, defacement attacks to websites, or other malicious acts which involves unauthorized access to computer systems that wreak havoc to a certain individual, enterprise or government. Important to note also is that unethical hackers have different motives or purpose for their attacks which include: economic gain, revenge, political objectives and advocacies, extortion, competitive advantage, invasion of privacy, and to meet a challenge. [14] They may also target different levels in our society: the home user, small enterprises, large enterprises, critical sectors/infrastructures, the government and even the global cyberspace. [15] Thereby, there are threats from persons coined as hactivists, cyberterrorists, and cybercriminals, which include malicious attackers, computer fraud perpetrators, network penetrators who steal important data and network intruders. Computer experts or information security experts have strongly enunciated that attacks to computer systems are becoming more sophisticated and are increasing in number, a difficulty they are experiencing especially since a lot of enterprises and services are becoming dependent on computer networks for their operations. [16]

Enactment of an Anti-Cyber Crime Law

The threats brought about by black hats must be addressed by every power of the government. Also, their attacks must responded to immediately for the effects they bring may have expensive and irreparable consequences. One of the powers of government is legislation. The Congress passed the Electronic Commerce Act of 2000 (E-Commerce Act) which punishes the act of Hacking or Cracking as follows:

Section 33. Penalties. – The following Acts, shall be penalized by fine and/or imprisonment, as follows:

(a) Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents shall be punished by a minimum fine of One Hundred Thousand pesos (P 100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;

But as argued earlier, said law is so general that it does not take into account the evolved kinds of unethical hacking being carried out especially as to the intent of these crackers. To illustrate, when a black hat phishes for usernames and passwords to carry out identity theft, the cracker only is punished for the unauthorized access into the computer system under the present law but not for the identity theft or other fraudulent act which the hacker may thereafter undertake. Also a stronger and more specific anti-cyber crime law is expected to deter computer users from indulging in criminal or malicious acts. [17] Present law also does not address if a massive attack is undertaken against the Philippines that will gravely affect our national security like what happened in Estonia. It must be noted that we are susceptible to cyber attacks with political motivations with the presence of the New People’s Army insurgents and the terrorist group Abu Sayaff. Finally, the E-Commerce Act is a law substantially pertaining to electronic documents or electronic data messages and does not really address the all the threats that unethical hackers may carry out. In fact, worth to mention is that the said provision was only a last minute insertion into the E-Commerce Act during the Bicameral Conference Committee of the Congress as a reaction to the ILOVEYOU virus. [18] This is why Congress must pass present bills addressing cyber crimes. In the Senate, Senate Bill 2347 entitled “Anti-Cyber Crime Act” proposed by Senator Manny Villar, provides more specific cyber crimes are expressly prohibited. The following acts are prohibited: computer fraud, computer forgery, computer sabotage, unauthorized access, unauthorized interception, and different kinds of data theft. The passage of this bill or any law which will address cyber crimes is due and very pressing since the Philippines is quickly becoming dependent on computer and information technologies.

Another proposal in said bill is the creation of a Cyber Crime Prevention and Investigation Center which will principally combat cyber-related fraudulent activities and including the coordination of investigation into cyber-related cases with all law enforcement agencies. [19] The creation of this body is very important as the government’s cyber security efforts, which are contained in a National Cyber Security Plan are implemented only through the National Cyber Security Coordinator. Under the umbrella of the Coordinator are different government agencies with specific functions. Government agencies such as the Philippine National Police and National Bureau of Investigation are tasked with cyber forensics, the Department of Justice deals with the law, the Bangko Sentral ng Pilipinas are tasked with banking, et al. If such body will be created, its focus will be on securing Philippine Cyberspace which is very big task already considering that more and more Filipinos are using computer technology. Furthermore, securing the cyberspace involves many aspects, which are: cyber crime prevention whether through ethical hacking or otherwise, spreading information and building awareness to the people, responding to the incidents of cyber attacks, implementing the Anti-Cyber Crime Law and fostering international cooperation. Indeed the new body will have huge tasks ahead of it. As discussed above, ethical hacking is a vital undertaking to secure computer and information systems. In the US, the Pentagon has been training their own ethical hackers to secure their cyberspace which has been a subject of lots of attacks from all over the world. [20] This has further legitimated the act of hacking if done in an ethical way and defensive purpose. I believe that such program must also be adopted here in the country so that we may secure our own cyberspace, for indeed the Filipinos have talent in such activities, just ask Mr. Onel de Guzman.

Conclusion

The country has convicted one JJ Giner in 2005 for hacking due to his act of defacing government websites, particularly that of the National Economic Development Authority. His reason was that he was trying to gain employment from the said office. Ever since, defacement of government websites have recently been perpetrated by hackers. However, these may be just small attacks which are a foreshadowing of a big one. Whatever happens, we must do what we can to be ready for anything, deter whatever attacks and respond if ever cyber incidents occur. And to help us achieve these goals, we must have the law on our side. This paper strongly proposes the enactment of an Anti-Cyber Crime Law, the creation of an Anti-Cyber Crime Office, and strengthening cooperation with other countries who share the world of cyberspace with us. It is important to note that the law may be instrumental in creating awareness to the people about the countries cyber security and existing threats that every person should know. The government with the help of the private sector and its citizens can achieve the goal of a secure world even if it is dependent on information technology and the cyberspace. As long as it punishes the unethical and give due credence to the ethical.


Endnotes

[1] Pantola, Alexis. “Introduction to Information Security and Ethical Hacking”. Presentation at the AFP Summit on Enhancing Cybersecurity, 10 March 2010.

[2] Ibid.

[3] Dones, Jenny Anne. “Ethical Hacking”, 2009, in http://techlaw.berneguerrero.com (Accessed 7 April 2010).

[4] Pantola, Alexis. “Introduction to Information Security and Ethical Hacking”. Presentation at the AFP Summit on Enhancing Cybersecurity, 10 March 2010.

[5] Ibid.

[6] Wikipedia.org http://en.wikipedia.org/wiki/Black_hat (Accessed 9 April 2010)

[7] The National Strategy to Secure Cyberspace. US Deparment of Defense, February 2003.

[8] Purugganan, Abraham A. “Protecting the Philippine Cyberspace: Design Elements for a National Security Plan”, MNSA Thesis, May 2001.

[9] Wikipedia.org http://en.wikipedia.org/wiki/ARP_spoofing (Accessed 11 April 2010)

[10] Wikipedia.org http://en.wikipedia.org/wiki/Phishing (Accessed 10 April 2010)

[11] Search Security.org Definitions, Pharming (Accessed 11 April 2010)

[12] Abraham A. “Protecting the Philippine Cyberspace: Design Elements for a National Security Plan”, MNSA Thesis, May 2001.

[13] Ibid.

[14] Ibid.

[15] The National Strategy to Secure Cyberspace. US Deparment of Defense, February 2003.

[16] Notes during the AFP Summit on Enhancing Cybersecurity, 10-11 March 2010.

[17] Senate Bill No. 2347, 14th Congress, “Anti-Cyber Crime Act”.

[18] Notes during the AFP Summit on Enhancing Cybersecurity, 10-11 March 2010.

[19] Senate Bill No. 2347, 14th Congress, “Anti-Cyber Crime Act”.

[20] Thompson, Mark. “To Battle Computer Hackers, Pentagon Trains Its Own”, Time.com (Accessed 10 April 2010)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: