Stringent laws alone not enough in battle against cybercrimes

Internet experts have asked businesses to opt for broadband fibre Internet connection to avert cyber threats that come with the use of Wi-Fi networks. FILE PHOTO | NMG

By  CHRISTOPHER ROSANA

What you need to know:

  • The Act requires the operator of any critical infrastructure to report any suspicious activity to the authorities.

The trap seems simple enough. When reading the Computer Misuse and Cybercrimes Act, the guiding assumption writ large on every provision goes thus: if a person does X, we will catch them, and we will punish them with 20 years, problem solved. Whether we should be afraid or be comforted is not the immediate question.

The more pressing matter is the inherent flaw in that assumption. Cybercrimes and cyber-attacks are made to seem simplistic but important enough to warrant high penalties. Simultaneously, it makes the perpetrators seem bland and tactless. I have some bad news. This is how you lose pursuits, how you lose wars. We underestimate cyber-attacks at our peril.

The Act requires the operator of any critical infrastructure to report any suspicious activity to the authorities.

The sophistication of cyber-attacks comes like a sweeping torrent from the mountains and decimates everything that is on lower ground. There is rarely any time to anticipate cyber-attacks unless you have invested in systems that would serve this purpose. If any reporting has to be done, it is mostly after the fact.

Cyber-attacks occur in seconds and most of them only come to your attention after you have seen real damage.

We have made it seem like cyber-attacks announce their arrival and allow us to report them, then act if we want to.

The people capable of mounting such attacks have taken considerable amounts of time studying their target systems. This means they not only conduct their attacks effectively but they also have the corresponding capabilities to erase their tracks.

Hence, proving criminal liability is not as simple as it is made to sound. Finding evidence of cyber-attack or a cybercrime is an uphill task given the fact these sophisticated attackers can actually erase their tracks. What is worse, it is possible to make it seem as though the attack originated from someone else’s computer. If credible and admissible evidence is all we need to convict someone then in these scenarios it is akin to terra incognita. The law is only as effective as its ability to attribute prohibited conduct to the perpetrator.

In short, it must drive towards ‘X did Y’ but if evidence can be erased or even be made to someone else then we are sea without chart or compass.

In 1998, US intelligence officials undertook an extensive investigation to uncover the responsible perpetrators in cyber-attacks against the Department of Defence.

The investigation led them to believe that Iraq was responsible when, in fact, two teenagers from northern California were responsible. We believe falsehoods more firmly if we worked hard to get the supporting information.

In the Natanz nuclear facility, a seemingly innocent flash drive carried the Stuxnet worm that served as the facility’s undoing, to an extent.

Despite various suspicions on which states would be involved, there is no definitive proof on who was involved. If we were to judge the Stuxnet incident in a court of law, we would find it challenging to prove the responsible perpetrator.

READ: Microsoft official tips Kenyan firms on cyber security threat

Beyond the court, we may get away with making analyses on which states could plausibly be culprits in it based on national interest or other factors but this is not helpful if what we want is a certainty.

The Stuxnet incident also taught us the opposite of what we are seeing in the CyberCrimes Act today. Seconds are centuries in the realm of cyber-attacks. Breathe in, and all the centrifuges in the attacked facility are spiraling out of control. By the time you make a phone call to report it, you have made the news as the latest victim. There is simply no time.

An infected flash drive, a keyboard, a suspicious link, a keylogger collecting all the strokes you type. These are the modern armies. Lethal and stealthy. Nevertheless, they are stoppable. Cyber security starts in your mind before you praise your antivirus among friends. We must approach cyber-attacks with advance preparation. We need to inculcate habits that reinforce the technical steps we have already taken. It is unwise to think our best bet is to expect the law to intimidate the attackers. Chance favors the prepared.

Christopher Rosana, Legal assistant Nation Media Group

PAYE Tax Calculator

Note: The results are not exact but very close to the actual.

Get it First!

Stay up to date on the editors' picks of the week.

Latest

  1. MPs want PSs, parastatal chiefs liable for tender woes

  2. Serena hotels operator TPS Eastern Africa profit doubles to Sh871m

  3. Cyberattacks targeting Kenya rise 5 times on AI-driven threats surge

In the headlines

View All