What do I need to know about Cyber Law?
Cyber Law is an umbrella term used to describe the range of regulatory responses aimed at preventing the use of the internet, or cyber space, for criminal purposes.
Many people think that cyber crime is no big deal – that it is only playing with computers and is not really crime. This could not be further from the truth. In today’s society, computers and the networks that serve them are fundamental to the operation of commerce, defence, government, public utilities, and many safety systems. A crime committed in cyberspace can cause catastrophic financial loss and, more gravely, be the direct cause of the loss of human life – potentially on a scale previously only possible by the massive application of military force.
For the cybercriminal, or malicious actor as they are sometimes known, the internet provides a very cost-effective and anonymous vehicle to carry out their various sinister aims.
Cybersecurity is the term for preventative methods that any individual, business or government can use to reduce the risk of becoming a victim of cybercrime.
Cybersecurity laws are laws that are aimed at preventing cyber crime, and bringing suspected malicious actors to account.
In Australia, there are various laws which attempt to regulate cybercrimes:
- Hacking (unauthorised access to a computer system) is a crime under Section 478.1 of the Criminal Code Act 1995 (Cth) (‘the Code’).
- Denial of service attacks (DDoS) are prohibited as ‘unauthorised impairment of electronic communication’ under Section 477.3 of the Code.
- Phishing (a method of online fraud) is covered by the Code where the victim is the Commonwealth, and by State or Territory sanctions against fraud for victims who are individuals or companies. Fraud means to obtain financial advantage by deception, including by electronic means.
- The distribution or sale of the tools used to commit cybercrimes is a crime under the Code, as is possession of such items.
- The Code also criminalises identity theft, electronic theft (for example copyright infringement), unsolicited penetration testing (trying to break into an IT system without the permission of the owner), and any other activity that adversely affects an IT system or communications network.
As the above are offences against Australian law, there must be some connection to Australia to enliven the jurisdiction. A key difficulty arises in that, even if the jurisdiction is made out, the perpetrator may often be beyond the reach of Australian law enforcement. This may be in a legal sense (i.e. in a country where no extradition rights exist) or a practical sense (where a state actor is too powerful or indifferent to be held accountable).
The Security of Critical Infrastructure Act 2018 (Cth) seeks to manage national security risks of sabotage, espionage and coercion by foreign governments or non-state political actors. This Act provides an information-gathering power to the Commonwealth Government, and under it the Minister of Home Affairs can direct the operators of defined critical infrastructure as deemed necessary to mitigate national security risks.
Further, in response to a dramatic increase in the detection of cyber interference by offshore actors, the Government has recently introduced a bill to expand the powers of intervention under this Act. For example, the bill provides for enhanced cyber security obligations on operators of systems of national significance, requiring them to adopt prescribed cyber defensive activities. If the operator does not implement appropriate defences, the Government is empowered to intervene. The bill also adopts a broader mandate as to critical industries, and during 2021 the Government will nominate particular organisations as ‘critical infrastructure’ or ‘systems of national significance’.
Obviously, in a capitalist democracy such as Australia, there are serious reservations among the business community about the adoption of these wider powers.
The key question to be considered is whether this response is proportionate to the threat posed by breaches of cybersecurity.
At a more local level, while a small business in a non-critical industry may not consider itself a target, there is no doubt that the risk of cyber crime is ever present. Any computer connected to the internet is like a doorway to the rest of the world – and there are a lot of people with bad intentions on the other side of that door.
There is a range of defensive measures that can be adopted for very little cost and effort in proportion to the protection offered.
The Australian Cyber Security Centre (a branch of the Government’s spy agency the Defence Signals Directorate) publishes a range of guides for individuals and small to medium businesses that contain practical guidance on defence measures.
As a closing point, if a business is the victim of a cybersecurity attack, the owner is legally obliged to report the attack, and significant penalties can be avoided by being aware of and complying with these requirements. This is a difficulty best avoided when there is a business to be brought back online.
If you have not consulted one earlier, this is the point where a cyber law professional can really assist you.
Anthony Stanton, Solicitor, Garland Waddington Solicitors and Notaries
Anthony is a lawyer and consultant with over 30 years’ experience in defence, government and business. He has a keen interest in cyber security in addition to his general practice in commercial law.