INTRODUCTION
With the Multimedia Super Corridor (MSC) initiative, Malaysia has planned for an explosive entry and a continued presence as a major driver of the charging information age. Encompassing what is now known as the Internet along with new and more robust communications networks and infrastructure, the MSC hopes to serve as a hub of development and dissemination of digital content for the world.
To achieve these goals, a level playing field with prescribed guidelines and regulations should exist for a controlled and ordered environment. This is envisioned to be provided by the tabling of the set of bills collectively known as the cyberlaws in Parliament during the session in March 1997.
A total of six bills are planned to be introduced and they cover the use of digital signatures, multimedia intellectual property, computer crime, telemedicine development, electronic government and the Multimedia Convergence Act. Of these, only three: the Computer Crime Bill, the Digital Signature Bill and the Copyright Amendment Bill would be tabled at this session of Parliament.
The rest of this paper will focus on the important aspects which need to be addressed by these cyberlaws as well as drawing parallels to existing and planned legislation globally. Comparisons with the existing code of Internet governance are made when and where appropriate. For ease of understanding, each of the issues which need to be addressed is discussed under the section pertaining to the relevant bill.
THE DIGITAL SIGNATURE BILL
Of the three cyberlaws to be introduced, I find this to be the single most important and much needed piece of legislation. This law will hopefully make mandatory two important attributes of electronic communication: that of authentication and non-repudiation.
Authentication gives a recipient the ability to certify that the document was written by a specified person, while non-repudiation guarantees that the author will not be able to later deny writing a signed message.
Currently, Internet-borne messages and electronic transactions lack any form of strong authentication other than the email identity and source machine of the sender. As has been proven many times over, these messages are susceptible to forgery and fraud. It is relatively trivial to forge messages purportedly from another person and to deceive an entity into providing service for unregistered users or subscribers.
This ease of injecting forged messages into the network has another negative side effect. An individual can send a message and then deny ownership of content at a later time when the message content comes under scrutiny. Responsibility and accountability are compromised as a result of these failings.
These shortcomings can be alleviated with a technology called digital signatures, an offshoot from cryptographic research. A digital signature is a short stream of electronic data which positively identifies the author as well as the content of the message. Technically, the message text is passed through a mathematical hashing function which returns a stream of ones and zeroes peculiar to the initial message text. The possibility that two different messages will render the same hash result is very low and hence the hash can be called a signature of the message.
The hashed value is then digitally signed by the author of the message using an encryption function and attached to the bottom of the message the same way a handwritten signature is. By verifying this signed hash value with the author's key, one can determine the actual author of any message, and by comparing the hash of the message received with the attached signed hash, the authenticity and the integrity of the message can be ascertained.
With the Digital Signature Bill, we will now begin to recognize digital documents as submittable evidence in the judicial system as well as guarantee accountability of electronic documents. While this will allow industry and government to begin using this medium for official and formal transactions, some support infrastructure must also be catered for and regulated by an independent entity.
This entity is the Digital Certification Authority (DCA), which is primarily tasked with keeping and authenticating the central repository of digital encryption keys used to create digital signatures. While digital signatures will firmly tie a message to its author, the recipient will have to refer to some central repository to retrieve the encryption keys as well as certify that the signature was created with the sender's encryption key. Without a DCA, while a document may be signed, the validity of the key which signed the document comes into question. A DCA will allow a recipient to cross-check the key used with the certified copy in its repository.
The DCA will also serve as an intermediary to authenticate merchants to consumers and vice versa in electronic commerce transactions. This will allow both ends of any electronically transmitted financial transaction to be fully authenticated to each other as well as allow them to conduct the transaction in full privacy. Using a public key based encryption system would guarantee confidentiality, authentication and non-repudiation to occur for fair, safe and secure transactions. This calls for close cooperation between the DCA and the nation's central bank as well as credit and digital cash issuers, electronic merchants and shopping malls.
It must be noted that the DCA's task is not to guarantee the honesty or the reputation of either party in the transaction. Rather, its task is to certify concretely that the encryption keys used belong to the respective parties. A present-day analogy would be the Commissioner of Oaths. While the Commissioner of Oaths cannot certify the integrity of the statement, he can certify that the statement was made by a specific individual.
The creation and maintenance of the Digital Certification Authority is crucial to the acceptance of digital signatures as another method of authentication and identity. As such, much thought and fact finding must be done before any steps in these directions are taken. There are some examples of pseudo DCAs around the world, certifying keys over the Internet. These include Verisign, RSA Data Security and the loosely organized PGP Keyserver Network. While these organizations are not full DCAs and do not have any formal national or international mandate, a study of their methods, operations and procedures will greatly assist Malaysia in the creation of our Digital Certification Authority.
THE COMPUTER CRIME BILL
Computer crime, or hacking as it is more commonly known, has existed for as long as there have been curious people with the enthusiasm and the drive to burrow for further information. When used to refer to the act of illegally using unauthorized methods to access information, I prefer to use the term cracking, as I define hacking to be a legitimate action when an individual attempts to gather more information about the potentials of a computer system or software process. However, for this paper, I will use the public impression of the word, which points towards computer intruders and the act of illegally gaining access into systems.
While this sort of activity has been occurring in the United States and Europe for quite a long while, it has only recently gained notoriety in Malaysia with the much publicised penetration of TMNet's WWW server and the successful response to THB AsiaConnect Sdn Bhd's public challenge, the latter of which I was involved in. This has, to an extent, raised the general public awareness of computer security issues and the threat of the interception and illegal modification of transmitted and static data.
While a large majority of current incidents are usually written off as pranks and are non-malicious in nature, the probability of malicious system intrusion occurring should not be taken lightly. Even non-malicious intrusions involve lost productivity and cost in terms of man-hours and resources dedicated to cleaning up after the intruder. The introduction of legislation in the form of the Computer Crime Bill to counter this hitherto unaddressed activity is thus welcomed and important.
However, the composition and definitions to be used in the Bill are very important and should be defined clearly and concisely to avoid any loopholes as well as to protect victims and wrongly accused suspects.
Intrusion should be defined clearly. For example, a server or computer on the Internet, when queried legitimately, advertises services which a user can request. In many cases, private and authoritative services are mistakenly advertised as public services due to configuration errors by the operators of the computer. If a user took advantage of the service provided, the question to be asked is: did any illegal intrusion take place? The user can counter with an argument saying that when the target computer was queried for access privileges, it responded stating the service was for public consumption, thus nothing illegal was done.
As such, any non-public service should clearly be described, and warning messages indicating that the user is about to access a service for which he has no authorization and is liable for criminal prosecution must clearly and prominently be displayed. Also, service operators who erroneously allow public access to services which are supposed to be private and do not inform the user of restricted access should not hold any users of the service liable for any breach in security, as by definition no breach occurred.
This behaviour is consistent with the definition given by Judicial Commissioner Datuk R.K. Nathan in a judgement made last week where he defined hacking as the act of intruding into computer systems by stealth and secrecy. The use of a publicly advertised service through legitimate methods is not intrusion. As an aside, it must be also noted that Datuk Nathan acknowledged that "hacking" can also mean the "free-wheeling intellectual exploration of the highest and deepest potential of computer systems" which may not be illegal.
The second concern in the implementation of this bill involves one of evidence. In all cases of computer intrusion, the target machine's electronic log files and audit trails are crucial and are sometimes the only pointer to an intrusion. When a computer intruder is brought before a court, these logs will be submitted as evidence.
Due to the nature of electronic data, the operators of the target server are in a position to modify and change the content of the log files before, during and after the intrusion process. As such, these logs cannot be submitted as evidence because the integrity of the evidence is compromised. It would be trivial for any operator of a server, or even the intruder, to modify the server logs to falsely implicate an innocent person.
If electronic logs are to be submitted as legal evidence, it is important that they are audited and stored by a responsible and trustworthy third party for a period which covers the time before, during and after the alleged intrusion. This third party will have to undertake to ensure and certify the integrity of the log files and the entries contained therein.
Alternatively, the textual logs may also be submitted to an independent, non-commercial certification body which would digitally sign and timestamp the logs for future use. In this scenario, the signed and timestamped logs can be kept by the respective organizations and do not have to be kept by any third party.
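The hash-then-sign procedure described under the Digital Signature Bill, applied to the signed and timestamped logs proposed above, as an added Python example that is not part of the original paper. The key, the sample log lines and the names certify and verify are constructed for illustration, and the textbook RSA used is unpadded with a very small key, so it shows the mechanism only.

```python
import hashlib

# Constructed demo key for a hypothetical certification body: textbook RSA
# built from two known Mersenne primes. Unpadded and far too small for real
# use; chosen only so the example runs with the standard library alone.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key, published by the body
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, known only to the body

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = (
    "Mar 03 02:14:07 www ftpd[411]: connection from host-a.example\n"
    "Mar 03 02:14:19 www ftpd[411]: login failed for user guest\n"
    "Mar 03 02:15:02 www ftpd[411]: login ok for user operator\n"
)


def digest(log_text: str, timestamp: str) -> int:
    """Hash the timestamp and the log together, reduced below N for toy RSA."""
    framed = f"{len(timestamp)}:{timestamp}{log_text}".encode()
    return int.from_bytes(hashlib.sha256(framed).digest(), "big") % N


def certify(log_text: str, timestamp: str) -> dict:
    """Certification body: sign the hash with the private exponent D."""
    signature = pow(digest(log_text, timestamp), D, N)
    return {"timestamp": timestamp, "signature": signature}


def verify(log_text: str, cert: dict) -> bool:
    """Any party holding (N, E): recover the signed hash and compare."""
    return pow(cert["signature"], E, N) == digest(log_text, cert["timestamp"])


def demo() -> dict:
    cert = certify(SAMPLE_LOG, "1997-03-03T03:00:00Z")
    edited = SAMPLE_LOG.replace("user operator", "user alice")
    backdated = dict(cert, timestamp="1997-03-02T03:00:00Z")
    return {
        "original": verify(SAMPLE_LOG, cert),        # log as certified
        "edited_log": verify(edited, cert),          # entry changed afterwards
        "backdated": verify(SAMPLE_LOG, backdated),  # timestamp changed
    }


if __name__ == "__main__":
    print(demo())
```

Only the unmodified log with its original timestamp verifies; an operator who edits an entry or alters the certification time after the fact cannot produce a matching signature without the certification body's private key.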
Thirdly, the issue of user identification should be given due consideration. In all results of computer intrusion analysis, the usual output is a username and host identification pair. While this can positively identify the user account and host used as the attacking host, it still fails to identify the actual individual using the account.
Legitimate accounts may be compromised and used to launch an attack on a server. In this case, the owner of the account is not guilty of the offence and can claim innocence. In fact, this method can even be used by intruders to deny responsibility for their actions and, unless they are apprehended red-handed, be used as a fail-safe excuse for innocence.
To assist in enforcement and apprehension of computer criminals, a warrant for the confiscation and a search of the suspected intruder's computer systems should be issued. With this, the enforcement authorities can then search and scrutinise the confiscated equipment and software for items of data and information which can implicate the intruder with the intrusion. While these practices can be abused, they are sometimes necessary as the only method of apprehending system intruders. Abuse can be prevented by requiring proper and concrete justification before a search warrant or confiscation order is issued.
Last but not least, the body responsible for the enforcement of the criminal acts defined in this bill should be trained and armed with the necessary knowledge in dealing with these sorts of situations. Insufficient knowledge will render the bill virtually ineffective, as the intruders will then be able to disguise their activities to escape the scrutiny of the enforcers.
THE COPYRIGHT (AMENDMENT) BILL
The Internet provides a quick and suitable medium conducive to the shuttling of bits around the planet. This has greatly enhanced communications and assisted in the creation of dispersed development teams. Just as this technology benefits consumers of licensed information, it has also served as a catalyst for easy distribution of unlicensed software and information.
While existing copyright and patenting legislation covers the protection of physical and analog property, the amendments to the Copyright Bill are hoped to include the same protection for electronic information and intellectual property.
However, a caveat needs to be addressed. In the network architecture of today, where the direction of data flow is usually one way from the producer to the consumer, network engineers have taken some performance enhancing measures which serve to conserve Internet bandwidth and the time it takes to access online documents. More often than not, this is implemented via the use of proxies.
A proxy fetches the information across the network for the user and stores a local cached copy of the information. The next time any user requests the same information, the cached copy is used instead of necessitating another network access. This greatly speeds up the access for popular and frequently requested documents.
However, a strict implementation of intellectual copyright law would term the temporary copy stored on the proxy server as an unlicensed copy. Clearly, some form of free-use clause must exist for situations like these and distinctions must be made for copyrightable events and free use events. The purpose for which an electronic copy is to be used and who the eventual viewer is therefore important in determining this state.
SUMMARY
It is hoped that when the proposed bills are introduced in Parliament and during the ensuing debate and questioning, these issues are taken into account. While the introduction of cyberlaws is new globally, Malaysia stands in a good position to set the trend and to take a leading position in its eventual implementation. The mesh of the analog and digital world which is fast rushing towards us also requires a change in mindset and the use of new skills to ride the information wave.
Planning and implementing this legislation, thus, needs to be done carefully and concisely. Similar legislation in the region as well as in developed countries must be studied in order to draw out the best of the advantages while leaving the pitfalls behind.
Providing a set of good, strong and enforceable cyberlaws will greatly help the MSC and propel the nation ahead as a leader in the information revolution.