What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Computer Fraud and Abuse Act (“CFAA”), enacted in 1986 and repeatedly amended in the years following, governs the criminality of hacking and other unauthorized access to computers. CFAA provides, essentially, that whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer, if the conduct involved an interstate or foreign communication, shall be punished under the Act. The CFAA is primarily applied as a criminal law, but was amended in 1994 to allow civil actions as well.
CFAA specifically prohibits seven types of criminal activity:
- Obtaining national security information
- Compromising confidentiality
- Trespassing in a government computer
- Accessing to defraud and obtain value
- Damaging a computer or information
- Trafficking in passwords; and
- Threatening to damage a computer.
A violation of the CFAA may occur either when an individual trespasses into a computer “without authorization,” or when an individual “exceeds authorized access,” but courts have been unable to reach consensus on the meaning of those terms, leading to a split among the Circuit Courts of Appeals on the scope of applicability of the CFAA to various kinds of conduct.
The CFAA is the subject of considerable controversy, since many believe the law is ambiguous, has failed to keep pace with changes in technology, and does not address the many ways in which insiders and outsiders may access or steal data. To date, however, there has been no consensus on reform, despite several proposals before Congress, most notably “Aaron’s Law,” a bipartisan bill introduced in 2013, and a subsequent reform proposal by the Obama administration in 2015.
The Criminal Code, Chapter 9 of the Laws of Malta (the ‘Code’) is the primary law dealing with ‘computer misuse’ and provides that unlawful access to or use of information, misuse of hardware, and hindering or impairing the functioning or operation of a computer system or software, or the integrity or reliability of any data, are criminal offences.
The Malta Government launched a Cyber Security Strategy (the ‘Strategy’) in 2016. The Government is committed to reviewing the existing legislation and creating legal and regulatory frameworks to cater for the Strategy’s goals, such as securing cyber-space and combating cybercrime.
Attacking a website via a denial of service attack, a distributed denial of service attack, or otherwise engaging in conduct that could damage, disrupt, impair or interfere with a website, computer system, server or database, is a criminal offence under the Norwegian General Civil Penal Code of 20 May 2005 no. 28 Sections 351 or 352. Depending on the severity of the attack, the offence may carry a penalty of fines and/or up to six years in prison.
Sections 201 and 204 of the aforementioned Act govern hacking. In accordance with Section 201, the unlawful manufacture, acquisition, possession or distribution of passwords, other access information or malicious software carries a penalty of fines and/or up to 1 year in prison.
Gaining unauthorised access to a website, password, computer system, server or database, or otherwise, is punishable with up to two years in prison, cf. Section 204 of the Act.
The Turkish Penal Code (Law no. 5237) has a section specific to cyber crimes. Pursuant to the Code:
- Hacking into a system is subject to imprisonment of up to 1 year or a judicial fine of up to TRY 36,500 (€9,150).
- Interfering with or preventing the proper running of a system is subject to imprisonment of 1 to 5 years.
- Altering, destroying or transferring data on a system, or preventing access to it, is subject to imprisonment of 6 months to 3 years.
The Criminal Law prohibits hacking and DDOS attacks against computer systems. Specifically, Article 286 of the Criminal Law describes the criminality of the following acts:
- deleting, altering, adding or jamming the functions of the computer information system, making the system impossible to operate normally and causing serious consequences;
- deleting, altering, or adding the data stored in or handled or transmitted by the computer information system or any of its application program, causing serious consequences;
- intentionally creating or spreading destructive programs such as computer viruses, thus affecting the normal operation of the computer system and causing serious consequences.
Further, Article 285 of the Criminal Law describes the criminality of invading the computer information systems of state affairs, national defence construction or sophisticated science and technology. Any person who invades other computer information systems, obtaining the data stored in, handled or transmitted by the computer system, or conducting illegal control of that computer information system, and causing serious consequences, may also be sentenced.
The Mexican Federal Criminal Code establishes a series of crimes related to the illegal access to systems of private parties, the government and the financial sector. However, illegal access is only considered a crime if the systems are considered to be protected by security measures (which are not defined). DDOS attacks are not considered a crime under the Federal Criminal Code.
The Computer Misuse Act 1990 ("CMA 1990") covers the criminality of hacking and DDOS attacks. The Regulation of Investigatory Powers Act 2000 ("RIPA") also creates offences in respect of the unlawful interception of communications.
The CMA 1990 creates various offences relating to cybercrime including: unauthorised access to computer material (section 1(1)), unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer (section 3) and impairing a computer such as to cause serious damage or a significant risk of causing serious damage of a material kind (section 3ZA(1)). Persons found guilty of an offence under sections 1(1) or 3 of the CMA 1990 are liable for a prison term of up to 12 months, or a fine, or both (sections 1(3) and 3(6)). Those found guilty of an offence under section 3ZA(1) are liable for a prison term of up to 14 years, or life if the offence creates a significant risk of serious damage to human welfare or national security, or a fine, or both (section 3ZA(6) and (7)).
Under RIPA, it is an offence to intentionally and without lawful authority intercept a communication in the course of its transmission via a public or private telecommunications system (section 1). Persons found guilty are liable to a prison term of up to two years, or a fine, or both (section 7).
The following cyber crime related laws are particularly relevant:
- Law no. 161/2003 on certain measures for transparency in the exercise of public functions and the business environment and for the prevention and sanctioning of corruption – Title III – Prevention of cyber crime;
- Law no. 64/2004 ratifying the Council of Europe Convention on Cybercrime (E.T.S. no. 185, November 23, 2001); since said ratification, Romanian national laws have been amended so as to comply with the requirements of the convention regarding the collection, search, seizure, making available and interception of data; and
- the Criminal Code (Law no. 286/2009).
Pursuant to Section 615-ter of the Italian Criminal Code (Royal Decree no. 1398 of 19 October 1930), whoever accesses an IT or telematic system protected through security measures without authorisation, or continues to have access against the express or tacit will of the person having the right to exclude him, is punished with imprisonment for up to 3 years. If certain serious material circumstances detailed in Section 615-ter arise, the imprisonment can be up to 5 years, or if the breach relates to IT or telematic systems having military, national security, public order, healthcare or public interest relevance, the imprisonment can be up to 8 years.
The Dutch Law on Computer Crime ("Wet Computercriminaliteit") which is incorporated in the Dutch Code of Criminal Procedure also covers criminality relating to hacking/DDOS attacks.
Under the Criminal Code (Law No. 2,848/1940), the act of attacking a computing device, whether connected to the internet or not, by breaching a security mechanism and for the purpose of collecting, altering or destroying data or information, or installing vulnerabilities to obtain an illegal benefit, is deemed a crime.
Indonesian law does not have any specific regulation on hacking/DDOS attacks. Instead, such actions are covered under the broad scope of the ITE Law, as amended, and its implementing regulations.
Firstly, the ITE Law, as amended, covers hacking through a prohibition for any person to purposefully, illegally, and without any right:
- access another person’s computer and/or electronic system using any method;
- access a computer and/or electronic system using any method in order to obtain electronic information and/or electronic documents;
- access a computer and/or electronic system using any method by violating, trespassing, surpassing, or penetrating the security system.
Carrying out any of the above actions is subject to imprisonment of six to eight years and/or fines of IDR600 million to IDR800 million (approximately USD45,000 to USD60,000 at current exchange rates).
There is no tailored provision in the ITE Law for DDOS attacks. Instead, it falls under the general prohibition on “causing disruption of an electronic system and/or causing an electronic system not to function as it should.” The failure to abide by such prohibition is subject to maximum imprisonment of 10 years and/or a maximum penalty of IDR10 billion (approximately USD750,000 at current exchange rates).
Although the IT Act does not define “hacking”, it lists the actions which may qualify as hacking. If a person, without the permission of the owner/person in charge of a computer, computer system or computer network (systems): (i) accesses or secures access to such systems; (ii) downloads, copies or extracts data or information from any system; (iii) introduces any computer contaminant or computer virus into a system; (iv) damages a system or database or any programmes in such systems; (v) disrupts the use of any systems; (vi) acts so as to deny access to the owner of the systems; (vii) facilitates or provides assistance to others to access systems; (viii) tampers with or manipulates systems by charging the services of one person to the account of another; or (ix) destroys, alters, deletes or conceals a computer resource or computer code, it qualifies as hacking. Further, DDOS, short for Distributed Denial of Service, is a type of attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a “Denial of Service”. DDOS attacks which are virus attacks are also covered under the aforementioned actions and are a means of “hacking” a system. Thus, if any person, dishonestly or fraudulently, does any of the aforementioned actions, he shall be punished with imprisonment for a term which may extend to 3 years and/or a fine which may extend to INR 500,000 (approximately US$ 7,700). Further, the IT Act prescribes punishment for identity theft and for dishonestly receiving a stolen computer resource or communication device. The punishment for both offences is imprisonment for a term which may extend to 3 years and/or a fine which may extend to INR 100,000 (approximately US$ 1,500). Hacking/DDOS attacks may also meet the requirements of “theft” and “criminal trespass” under the Indian Penal Code, 1860 and hence any person responsible for such actions is punishable with imprisonment and/or a fine.
Although not specifically relating to DDOS attacks, there are several laws applicable to the cybersecurity sector. The three main Israeli cybersecurity-related statutes are the Computers Law, 5755-1995, the PPL and the Penal Law, 5737-1977. The Penal Law criminalizes hacking and prohibits, among other things, programming software to carry out illegal operations.
The Security Regulations (which will enter into force in May 2018) will require any data-owner and data-holder to implement various security measures to protect personal data. In addition, specific regulators have issued regulations imposing minimum standards with respect to cybersecurity. Most notable is the recent guideline to financial institutions published by the Commissioner of the Capital Market, Insurance and Savings at the Israeli Ministry of Finance, mentioned in Section 11 above, which includes guidelines for managing cyber risks within specified institutions and adopting certain measures to enhance cyber protection, and the draft of a similar guideline by the Banking Supervision Department of the Bank of Israel applicable to banks.
The Computer Misuse and Cybersecurity Act (Chapter 50A) ("CMCA") is the main legislation that criminalises hacking activities or DDOS attacks. Under the CMCA, it is an offence to access, use, intercept, modify or obstruct the use of a computer, data and computer service without proper authorisation. The CMCA also has extra-territorial effect on offences committed outside Singapore if the accused or the computer, program or data was in Singapore at the material time, or the offence creates a significant risk of serious harm in Singapore.
The Act n°88-19 of 5 January 1988 on software fraud creates various offences, such as fraudulent access to, or continued presence within, all or part of an automatic data processing system, and covers the criminality of hacking and DDOS attacks. This act was amended in 2004 and 2013 and, more recently, by the Act n°2015-912 of 24 July 2015 on intelligence. The amendments increased the penalties applicable to offences of infringement of automated data processing systems, doubling the fines for some of them.
Hacking/DDOS attacks are often considered a criminal offence under sections 202a to 202d StGB. These provisions punish spying on data, data interception, preparing to spy on or intercept data, and the unauthorised receipt of data. Additionally, section 263a StGB regulates computer fraud, and sections 303a and 303b StGB cover data alteration and computer sabotage.
Hacking and DDOS attacks are criminally sanctioned in Switzerland pursuant to the SCC. More generally, the unauthorised obtaining of data (including by unlawfully gaining access to a data processing system), damage to data, computer fraud, breach of secrecy or privacy through the use of an image-carrying device, obtaining personal data without authorisation, industrial espionage and the breach of the postal or telecoms secrecy are all criminally punishable with sanctions ranging from monetary penalties to imprisonment of up to three years.
As in the case of cybersecurity, there is no specific law that regulates the criminality of hacking; however, as mentioned in the previous subsection, article 178 of the Integral Criminal Code could be applied in the case of hacking attacks.