What key laws exist in terms of the criminality of hacking/DDOS attacks?
Technology (second edition)
Indonesian law does not have any specific regulation on hacking/DDOS attacks. Instead, such actions are covered under the broad scope of the ITE Law, as amended and its implementing regulations.
First, the ITE Law, as amended covers hacking through a prohibition for any person to purposefully, illegally and without any rights:
a. access another person’s computer and/or electronic system using any method;
b. access a computer and/or electronic system using any method in order to obtain electronic information and/or electronic documents;
c. access a computer and/or electronic system using any method by violating, trespassing, surpassing or penetrating the security system.
The conduct of the above actions is subject to imprisonment of six to eight years and/or fines of IDR600 million to IDR800 million (approximately USD41,000 to USD55,000 at current exchange rates).
There is no tailored provision in the ITE Law for DDOS attacks. Such attacks fall under the general prohibition on “causing disruption of an electronic system and/or causing an electronic system not to function as it should.” The failure to abide by such prohibition is subject to maximum imprisonment of 10 years and/or a maximum penalty of IDR10 billion (approximately USD685,000 at current exchange rates).
The Dutch Law on Computer Crime ("Wet Computercriminaliteit") which is incorporated in the Dutch Code of Criminal Procedure also covers criminality relating to hacking/DDOS attacks.
Under the Criminal Code (Law No. 2,848/1940), the act of attacking a computing device, whether connected to the internet or not, by breach of a security mechanism and for the purpose of collecting, altering or destroying data or information or installing vulnerabilities to obtain an illegal beneﬁt is deemed as crime.
The articles 509-1 to 509-7 of the Luxembourg criminal code (code pénal) covers criminality relating to hacking/DDOS attacks. It creates various offences relating to cybercrime, including:
- fraudulently accessing a processing system or an automated system for data transmission, or deleting or modifying data in these systems, or modifying the functioning of these systems;
- intentionally and in violation of other's rights undermining and distorting the functioning of a processing system or an automated system for data transmission;
- unlawful intercepting of data during a non-public transmission ;
- producing, selling, obtaining, detaining, importing, distributing or providing a computer device to commit one of these cybercrimes or an electronic key which permits to access, in violation of other's rights, a processing system or an automated system for data transmission.
The following cyber crime related laws are particularly relevant:
- Law no. 161/2003 on certain measures for transparency in the exercise of public functions and the business environment and for the prevention and sanctioning of corruption - Title III - Prevention of cyber crime;
- Law no. 64/2004 ratifying the Council of Europe Convention on Cybercrime (E.T.S. no. 185, November 23, 2001); since said ratification, Romanian national laws have been amended so as to comply with the requirements of the convention regarding the collection, search, seizure, making available and interception of data; and
- the Criminal Code (Law no. 286/2009).
The Information Technology Act, 2000 (IT Act) contains sufficient provisions to criminalise both hacking and DDOS attacks. Though these terms are not defined under the Act, activities such as accessing or securing access, downloading data, introducing viruses, causing damage, disrupting operations and denying access, to computers, computer systems and computer networks, are prohibited, when committed in the absence of a consent from the owner or person in charge of such computer, computer system or computer network. Providing assistance to any person involved in any of the above listed activities is also treated at par with the actual act committed.
The nature and intent of hacking/ conduct of DDOS attacks may also trigger provisions under the Indian Penal Code, 1860.
Section 10 of Turkish Criminal Code numbered 5237 lists certain crimes and penalties sanctioned to them that are directly related to information systems. Please see the table below:
Imprisonment Sanctions and Punitive Fines
Article 243: Unlawful access to information systems
Up to one-year imprisonment and punitive fine
Article 244: Hindrance or destruction of the system, deletion or alteration of data
From one to five years of imprisonment
It is highly likely that act of hacking or “DDOSing” information systems will fall under one of the articles stated in the table above, in particular Article 243 and 244.
Chapter 4, section 9 c of the Penal Code (Sw. Brottsbalken) stipulates the illegality of DDOS attacks and hacking. The punishment is a fine or imprisonment for up to two years. If the DDOS attack or hacking can be considered severe, the punishment is imprisonment for up to six years.
Hacking and DDOS attacks are criminally sanctioned in Switzerland pursuant to the SCC. More generally, the unauthorised obtaining of data (including by unlawfully gaining access to a data processing system), damage to data, computer fraud, breach of secrecy or privacy through the use of an image-carrying device, obtaining personal data without authorisation, industrial espionage and the breach of the postal or telecoms secrecy are all criminally punishable with sanctions ranging from monetary penalties to imprisonment of up to three years.
The Criminal Law prohibits hacking or DDOS attacking computer systems. Specifically, Article 286 of the Criminal Law describes the criminality of the following acts:
- deleting, altering, adding or jamming the functions of the computer information system, making the system impossible to operate normally and causing serious consequences;
- deleting, altering, or adding the data stored in or handled or transmitted by the computer information system or any of its application program, causing serious consequences;
- intentionally creating or spreading destructive programs such as computer viruses, thus affecting the normal operation of the computer system and causing serious consequences.
Further, Article 285 of the Criminal Law describes the criminality of invading the computer information system of state affairs, national defence construction or sophisticated science and technology. Any person, who invades other computer information systems, obtaining the data restored in, handled or transmitted by the computer system or conducting illegal control of that computer information system and causing serious circumstances, may also be sentenced.
Cyber-attacks, hacking, virus infection and other cyber-crimes may constitute punishable criminal offenses pursuant to the Federal Criminal Code, which offences may be punished with imprisonment for up to twelve years.
Hacking, being the unauthorised intrusion into or control over computer network security systems for some illicit purpose, is encapsulated in Section 3(1) of the CCA which provides that “A person shall be guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that is the case.”
Section 4 of the CCA further provides that
“(1) A person shall be guilty of an offence under this section if he commits an offence referred to in section 3 with intent—
(a) to commit an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code [Act 574]; or
(b) to facilitate the commission of such an offence whether by himself or by any other person.
(2) For the purposes of this section, it is immaterial whether the offence to which this section applies is to be committed at the same time when the unauthorized access is secured or on any future occasion.”
A person found guilty of an offence under Section 3 of the CCA is liable to a fine not exceeding RM50,000 and/or imprisonment not exceeding 5 years while a person found guilty of an offence under Section 4 of the CCA is liable to a fine not exceeding RM150,000 and/or to imprisonment for a term not exceeding 10 years.
Hacking is also a criminal offence under the CA in respect of the circumvention (or the cause or authorisation thereof) of any technological protection measure that is applied to a copy of a copyrighted work. Section 41(1)(h) of the CA provides that “any person who during the subsistence of copyright in a work or performers’ right circumvents or authorizes the circumvention of any effective technological measures referred to in subsection 36A(1) shall, unless he is able to prove that he had acted in good faith and had no reasonable grounds for supposing that copyright or performers’ right would or might thereby be infringed, be guilty of an offence and shall on conviction be liable…a fine of not less than RM4,000 and not more than RM40,000 for each contrivance in respect of which the offence was committed and/or to imprisonment for a term not exceeding 10 years and for any subsequent offence to a fine of not less than RM8,000 and not more than RM80,000 for each contrivance in respect of which the offence was committed and/or to imprisonment for a term not exceeding 20 years”.
Persons who commit hacking offences may also be penalised under the PC and other applicable legislation for other offences ancillary thereto, these include Section 378 of the PC for taking dishonestly without consent any movable property, or dishonest misappropriation of property under Section 403 of the PC, or identity theft under Section 416 of the PC.
B. Denial of Service Attack
While there is no specific legislation for denial of service attacks, Section 233(1)(b) of the CMA provides that a person who initiates a communication using any application service, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address, commits an offence. A person found guilty of an offence under Section 233(1)(b) of the CMA is liable to a fine not exceeding RM50,000 and/or to imprisonment for a term not exceeding 1 year and shall also be liable to a further fine of RM1,000 for every day during which the offence is continued after conviction.
Section 431A of the PC provides that a person who commits mischief by cutting or injuring any electric telegraph cable, wire, line, post, instrument or apparatus for signalling, shall be punished with imprisonment for a term which may extend to 2 years and with a fine.
The Act no.88-19 of 5 January 1988 on software fraud creates various offenses such as fraudulent access or continued presence within all or part of an automatic data processing system and covers the criminality of hacking and DDOS attacks. This act was amended recently in order, in particular, to increase the quantum of applicable penalties.
Hacking/DDOS attacks are often considered as criminal offence according to sections 202a to 202d StGB. These regulations punish spying on data, data interception, the preparing of spying and intercepting as well as unauthorized data receiving. Additionally section 263a StGB regulate computer fraud and sections 303a and 303b StGB cover data alteration and computer sabotage.
The Computer Misuse and Cybersecurity Act (Chapter 50A) ("CMCA") is the main legislation that criminalises hacking activities or DDOS attacks. Under the CMCA, it is an offence to access, use, intercept, modify or obstruct the use of a computer, data and computer service without proper authorisation. The CMCA also has extra-territorial effect on offences committed outside Singapore if the accused or the computer, program or data was in Singapore at the material time, or the offence creates a significant risk of serious harm in Singapore.
Chapters 10.6 and 10.7 of the Criminal Code Act 1995 (Cth) govern the criminality of telecommunications services and cybercrime in Australia. The penalties range from 1 year to 10 years imprisonment based on the nature of the offence committed. The various offences created in these chapters include:
(a) computer intrusions;
(b) unauthorised modification of data, including data destruction;
(c) DDoS attacks using botnets;
(d) creation and distribution of malicious software; and
(e) interference with telecommunications services.
There are also a number of offences relating specifically to telecommunications services in the Telecommunications Act. These include the contravention of carrier licence conditions or cabling requirements, and each offence carries a specified number of penalty units with a maximum of 20,000. Under the Crimes Act 1914 (Cth), a penalty unit is presently valued at AUD210.
Hacking and DDoS attacks implicate the following statutes:
The primary federal criminal statute regulating “hacking”, distributed denial of service attacks or other computer crimes, in themselves, is the Computer Fraud and Abuse Act (the “CFAA”), 18 U.S.C. § 1030. The CFAA criminalizes various computer-related conduct, such as intentional access to protected computers without authorization obtaining information (18 U.S.C. § 1030(a)(2)(c)); knowing access to protected computers with intent to defraud if the value of the use exceeds $5,000 (18 U.S.C. § 1030(a)(4)); knowing transmission of programs, information, codes, or commands and thereby intentionally causing damage to protected computers (18 U.S.C. § 1030(a)(5)(A)); intentional access to protected computers without authorization and the resulting damage (18 U.S.C. § 1030(a)(5)(B-C)). The phrase “protected computer” in the CFAA refers to any computer used in interstate or foreign commerce or communication. 18 U.S.C. § 1030(e)(2)(B).
It also should be noted that certain other federal statutes, such as the Securities Act of 1933, have been amended to cover computer-related conduct, and, therefore, each such statute must be addressed separately. Moreover, computer-related crimes such as hacking also can be prosecuted under numerous other federal statutes, including, e.g., the Copyright Act, the National Stolen Property Act, mail and wire fraud statutes, the Electronic Communications Privacy Act of 1986, the Telecommunications Act of 1996, and the Child Pornography Prevention Act of 1996.
Finally, many states have enacted anti-hacking and/or anti-wiretapping laws designed to address computer-related crimes. State consumer fraud statutes and other state tort and contract theories (e.g., trespass, invasion of privacy) also may be used to address computer crimes such as hacking.
The Penal Code and the Unauthorised Computer Access Prohibition Act cover the criminality of hacking/DDOS attacks. Also, the acquisition of a trade secret or a specially designated secret through an unauthorised access or the like may be subject to criminal penalty under the Unfair Competition Prevention Act or the Specially Designated Secret Protection Act, respectively.