The Conversation

  • Written by Greg Austin, Professor UNSW Canberra Cyber, UNSW
The Conversation

In Germany this week, the legal limbo that defines cyberspace around the world was on full display.

The country’s Federal Office for IT Safety (BSI for its German initials) had been tracking a cyber attack targeting some of the country’s parliamentarians since early December. It ultimately led to the public release of mobile phone numbers, credit card information and ID card details of hundreds of members of parliament, and other public figures.

Only some MPs were informed by BSI about the attacks, while others learned about them only after the details were published in the media. MPs were outraged that BSI had failed to notify them that their personal data was being targeted, despite knowing about elements of the attack for up to four weeks.

Read more: New guidelines for responding to cyber attacks don't go far enough

A deeper concern, raised by some MPs, was that over the same period, BSI (which is not a law enforcement agency) did not inform the German police that a political crime of this seriousness had possibly been committed. Once engaged, the police quickly found a suspect who reportedly confessed.

Hacking, whether or not data is publicly compromised, is a crime in most countries. The crime is constituted simply by the unlawful accessing of data or machines. But few countries have laws that require their cyber agencies that monitor hacking to report the criminal acts – either to third party victims or to the police.

This legal vacuum needs to be addressed urgently.

Is hacking a ‘serious crime’?

The challenge for cyber agencies or private sector firms which detect a hack is that these events are very common. Millions take place every day, and complex forensic information needs to be assembled in order to judge which incidents are serious enough to require notification. This sets up a defacto, but ill-defined, distinction between “petty crime” (most hacks) and “serious crime”.

What this means in reality can be illustrated by the practice in the Australian state of New South Wales. In NSW, there is an obligation under the Crimes Act to report serious crimes. These are defined as those attracting legal penalties of five years or more of imprisonment. But when it comes to cyber hacking, it’s often not immediately clear whether the extent of a hack would trigger such a penalty threshold.

This uncertainty was at play in the German hack, with BSI justifying its failure to notify with the claim it was still trying to analyse it, and did not know the full scale of it.

Even after arresting the suspect and knowing the scale of the attack, the head of cyber security at the Federal Police Office (BKA) said it was still unclear whether the hack was a serious crime inspired by political motives. The suspicion that it may have been politically motivated arises from the fact that the only political party whose MPs were not targeted was the extreme right party, AfD.

Read more: Russians hack home internet connections – here's how to protect yourself

What ‘mandatory reporting’ means in Australia

In 2018, after a long public debate, Australia introduced the Notifiable Data Breaches (NDB) scheme as an amendment to the Privacy Act. The NDB requires companies to notify the Office of the Information Commissioner (not the police), as well as any victims, if personal data they hold is compromised in a way that constitutes a serious breach of privacy.

This civil code provision is very weak due, in part, to the fact that it allows the firm or agency involved to self-assess the seriousness of the breach over a 30-day period before the obligation to notify kicks in.

It is also weak because there is a blanket exemption for law enforcement activities, and for the secrecy needs of the government. Australian cyber agencies, such as the Australian Signals Directorate and the Australian Centre for Cyber Security, appear to have zero obligation to tell either the police or victims that there has been been a hack or a data breach.

That means, if Australian cyber agencies learned that a foreign government had hacked an Australian citizen, the victim may never be told. Or if family photos of an unclothed child were hacked from a family computer by a paedophile, the victim’s family might never know.

A right to know?

In many countries, cyber agencies do notify large corporations of certain hack attacks, regardless of the kind or scale. There are several motivations for this mostly voluntary practice. One is to help corporations realise the seriousness of state-sponsored espionage against them. Another is to help the cyber agency itself coordinate an investigation of the hack, and figure out what might have been lost.

That is not the same as the police investigating the crime.

In most countries, only police agencies are authorised to investigate crimes for the purposes of court prosecution. Few jurisdictions, if any, have formally clarified the ways in which police and courts may rely on information on cyber hacks collected by cyber agencies or security companies.

Read more: 30 years ago, the world's first cyberattack set the stage for modern cybersecurity challenges

Australia is yet to have a serious debate about cyber crime reporting, and its forensic complexities: who is responsible for what, and where the priorities should lie. It’s at least a decade overdue.

While recognising that some distinction will need to be made between petty and serious cyber crimes, such a debate should recognise the right of citizens to be informed by our cyber agencies when they have been assaulted in cyber space and, if possible, by whom.

Authors: Greg Austin, Professor UNSW Canberra Cyber, UNSW

Read more http://theconversation.com/should-cyber-officials-be-required-to-tell-victims-of-cyber-crimes-theyve-been-hacked-109510


Central and North Queenslanders overwhelmingly back coal sector

More than 80 per cent of young people in Central and North Queensland believe the coal sector and the jobs it creates are critical to the state’s economy, particularly regional Queensland.   Mi...

Senator Canavan - avatar Senator Canavan

AWU National Secretary Daniel Walton on steel industry

Ambitious expansion plans make mockery of those who wrote off Australian steel industry GFG Alliance's planned rejuvenation of the Whyalla steelworks, and the Australian steel industry more generall...

Media Release - avatar Media Release

George Neophytou supports roads funding and more

Independent candidate for Gippsland East George Neophytou has pledged to support completion of duplication of the Princes Highway between Traralgon and Sale and to upgrading of the Sale alternative ...

George Neophytou Media Release - avatar George Neophytou Media Release

Business News

10 Excellent Business Ideas for Young Entrepreneurs in 2019-2020

Top 10 Low-Budget Business Ideas for Students in 2019 Whoever said that you should wait for 10 or even more years after your graduation to launch your own business? 69% of US citizens start their ...

Elsa Avendano - avatar Elsa Avendano

The 1-Page Marketing Plan

SKIP BUSINESS SCHOOL. READ THIS NEW BOOK INSTEAD. Named as one of the “10 best marketing books for small business owners” by The Huffington Post.   MEDIA RELEASE: MELBOURNE, DECEMBER 13, 2018 —...

Claire Marshall - avatar Claire Marshall

How to Empower Your Employees in 2019

Employee empowerment is the focus of many employers in this present day. The reality is that although you may hire competent and qualified professionals, you still need to invest in building them up...

News Company - avatar News Company


Road Trip On Your Mind? Keep These Aspects In Mind As Well

Take a Road Trip! The great road trip. Movies are made of this type of freedom. The roads are calling and you are feeling the need for a road trip. Join millions of other people who enjoy the great o...

News Company - avatar News Company

Best Short Term Accommodation in Brisbane

Brisbane, the capital city of Queensland in Australia is known for its museum and Science center. With a lot of creative spaces and gardens on the riverside, it is a magnificent and popular destinat...

News Company - avatar News Company

Best Short-term Accommodations in Sydney

If you are looking to spend a night or two in the sprawling city of Sydney, you might be in need of a lodging place or hotel to stay. We would like to give you here a list of the best short term acc...

News Company - avatar News Company