A multi-national group of us with a professional and academic interest in ‘White Hat’ pen testing and the related cybersecurity laws in different countries were drawing some comparisons between different jurisdictions. Of course, cybercrime has enjoyed explosive growth by taking specific advantage of the challenges posed by traditional jurisdictional approaches. However, the EU for example has taken the initiative by implementing directives, as outlined below, to foster a cooperative and systematic approach between different EU jurisdictions, seemingly to good effect. Recent history in relation to cybercrime has also shown the benefits of even wider cooperation, for example in cases involving the Irish authorities and the FBI.
Hence the incentive to review where Ireland stands in relation to laws relating to cybercrime. Please note this article does not constitute legal advice and professional legal advice should always be sought where appropriate.
But from a penetration tester’s perspective it’s important to be acutely aware of the applicable legislation as it’s only too easy to inadvertently infringe parts thereof. So the immutable golden rule should be prior full and properly authorised sign-off in writing on all pen testing assignments.
In Ireland the Criminal Justice (Offences Relating to Information Systems) Act 2017, amongst others, addresses cybercriminal activity.
A number of informed articles surrounding this Act are in the public domain, such as ‘New Hacking and Cybercrime Offences’ by McCann Fitzgerald dated 13 June 2017, and ‘New Legislation to Tackle Cybercrime’ by IFSC.ie; of course, any legal cautionary warnings in the articles should be heeded.
It is interesting that the article ‘New Legislation to Tackle Cybercrime’ also draws attention to cybercrime being a ‘reportable’ offence under Schedule 1 of the Criminal Justice Act 2011. As quoted, failing to report to the Gardaí information which a person knows or believes might be of material assistance in preventing or investigating a cybercrime is, in itself, a criminal offence. This seems similar to the legal onus in the financial sector to report even a reasonable suspicion of, let alone actual, money-laundering or terrorism-financing activity. Penalties for non-reporting in the financial sector are severe, to say the least. For the Irish hacking and cybercrime legislation to have any bite, it seems the same should apply to non-reporting in the case of the 2017 Act.
The 2017 Act itself is quite readable and can be found here. It is a commendably clear, concise and pragmatic piece of work. Scanning through it is a worthwhile investment of an hour or so for those with executive and line responsibility over IT and data infrastructure, as well as for professionals in the information and cyber security domains.
The article ‘New Hacking and Cybercrime Offences’ by McCann Fitzgerald outlines five new dedicated cybercrime offences. These relate to legitimacy of access to systems or information, interference with or impediment to data or systems, and would cover attacks including ransomware, ‘man-in-the-middle’ attacks including WiFi, denial of service (DoS) attacks, and so forth.
It is interesting that email phishing attacks are not a specific offence, despite their being by far the largest delivery vector for malware and system intrusion. However, the legal view appears to be that phishing would be caught under other, more general criminal legislation. One of the challenges, as I see it, is therefore that this widespread malicious activity cannot be efficiently targeted and tackled head-on. It would be interesting to know the rationale behind this single largest attack vector not being specifically addressed in the 2017 Act.
The other important area which avoided specific mention is social engineering, or in non-jargonistic terms, impersonation and misrepresentation. Hopefully the evolving cybercrime legislative domain will find appropriate wording to tripwire this malicious activity too.
Here’s another very useful source from ICLG.com on interpreting the 2017 Act.
One interesting hypothesis: in respect of accessing information or systems without proper authorisation, in terms of the Act, what if we purchase, say, pre-owned devices including hard drives from which data has not been properly and forensically deleted? Simply hitting the delete key does not erase a file; it just removes the directory link to that file. The file contents are most likely still there and can be recovered with modest technical skills. What might the authorised information access issues be in this situation? My interpretation is that it would be an infringement to access the information without proper authorisation. But please note, that is not legal advice and I am not a qualified lawyer.
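The remanence point above (a delete removes the directory link, not the bytes) is easy to see in a toy model, and the same model shows why a device should be sanitised before it leaves the organisation's control. The following is an added illustration written for this page, not code from the article or any real filesystem: `ToyDisk`, its block layout, the `carve` scan and the sample file contents are all constructed for the demonstration.

```python
# Toy block device with a separate directory table, constructed for illustration.
# Real filesystems differ in detail, but the essential point is the same:
# unlinking a file touches the directory, not the data blocks.
BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, n_blocks: int) -> None:
        self.blocks = bytearray(n_blocks * BLOCK_SIZE)  # raw device contents
        self.directory: dict[str, list[int]] = {}       # name -> block indexes
        self.free = list(range(n_blocks))               # free-block list

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)            # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        idx = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(idx):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = idx

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and mark the blocks free.
        The bytes themselves are left untouched until some later write reuses them."""
        idx = self.directory.pop(name)
        self.free.extend(idx)

    def sanitise_delete(self, name: str) -> None:
        """Disposal-grade delete: overwrite every block of the file, then unlink."""
        for b in self.directory[name]:
            self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)

    def read_file(self, name: str) -> bytes:
        """Normal access path: goes through the directory, so a deleted file is gone."""
        if name not in self.directory:
            raise FileNotFoundError(name)
        return b"".join(
            bytes(self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
            for b in self.directory[name]
        ).rstrip(b"\x00")


def carve(disk: ToyDisk, needle: bytes) -> bool:
    """Raw scan of the device that ignores the directory entirely.
    This is what a pre-disposal check should do: if the needle is still findable
    here, the data has not actually been erased."""
    return needle in bytes(disk.blocks)


# Constructed sample content; the "secret" is a label, not real data.
SAMPLE = b"CONSTRUCTED-SECRET:acct-1234"
MARKER = b"CONSTRUCTED-SECRET"


def remanence_after_plain_delete() -> tuple[bool, bool]:
    """Returns (visible via directory, findable by raw scan) after an ordinary delete."""
    disk = ToyDisk(8)
    disk.write_file("notes.txt", SAMPLE)
    disk.delete("notes.txt")
    return ("notes.txt" in disk.directory, carve(disk, MARKER))


def remanence_after_sanitise() -> tuple[bool, bool]:
    """Same check after overwriting the blocks before unlinking."""
    disk = ToyDisk(8)
    disk.write_file("notes.txt", SAMPLE)
    disk.sanitise_delete("notes.txt")
    return ("notes.txt" in disk.directory, carve(disk, MARKER))


if __name__ == "__main__":
    print("plain delete   (in directory, raw-scan hit):", remanence_after_plain_delete())
    print("sanitised      (in directory, raw-scan hit):", remanence_after_sanitise())
```

The plain delete returns `(False, True)`: the directory no longer lists the file, yet a raw scan still finds its contents, which is exactly the situation the hypothesis describes for a second-hand drive. The sanitised path returns `(False, False)`. In practice the overwrite step maps to a vendor secure-erase or a documented media-sanitisation procedure, and the raw-scan check maps to verifying the result before the device is sold or passed on.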
The driver for the 2017 Act and other updates was the EU Cybercrime Directive of 2013, and the Act sets out to implement key elements, though apparently not all, of the Directive.
The 2017 Act also represents a significant change over more dated legislation in how cybercrime is investigated and prosecuted. The record seems to show that previous remedies against cybercrime were pursued via the Criminal Damage Act 1991 and the Criminal Justice (Theft and Fraud Offences) Act 2001, more indirectly than directly. The main challenge seemed to be the pace at which technology and cybercrime evolved, and continue to evolve – a different world to the traditional legislative process. Hence the newer legislation.
A challenge: can anyone find a record of any cases that have been brought under the 2017 Act, now in place for more than three years?
This 2017 legislation and other initiatives, such as the National Cyber Security Centre of Ireland and the Cyber Ireland startup cluster in Cork, are an encouraging trend in Ireland’s European and wider partnership role in effectively combating cybercrime.