
Legal & Regulatory Environment of Business

The rapid development of Internet and Computer technology globally has led to the growth of new forms of transnational crime especially Internet related. There is a need for awareness and enactment of necessary legislation in all countries for the prevention of computer related crime.

Uploaded by

Sharon Rasheed
Copyright
© Attribution Non-Commercial (BY-NC)

LEGAL & REGULATORY ENVIRONMENT OF BUSINESS Assignment # 1

Proposed Legislation for: CYBER SECURITY

Submitted by: Mr. M. Usman Khalid
Registration #: BD-53/2010
Submitted to: Mr. Rahat Aziz
Submission Date: 15-November-2011

______________________________________________________________________________ Institute of Business Administration, Karachi.

Issue Under Consideration

In today's era of rapid growth, information technology is impacting all walks of life all over the world. These technological developments have made the transition from paper to paperless transactions possible. We are now creating new standards of speed, efficiency, and accuracy in communication, which have become key tools for boosting innovation and creativity and increasing overall productivity. Computers are extensively used to store confidential data of a political, social, economic or personal nature, bringing immense benefit to society.

The rapid development of Internet and computer technology globally has led to the growth of new forms of transnational crime, especially Internet-related crime. These crimes have virtually no boundaries and may affect any country across the globe. Thus, there is a need for awareness and enactment of necessary legislation in all countries for the prevention of computer-related crime. These technologies have changed society overwhelmingly. Not long ago only some specific sectors of society had modernized their working procedures with the help of information and communication technology; now barely any sector of society has remained untouched.

Why Cyber Laws?

We may ask why there is a need for a separate law to govern the cyber world. The question assumes significance given that the phenomenal spread of the Internet has been enabled mainly by the absence of a centralised regulating agency. Anyone who has access to a computer and a telephone network is free to get hooked to the Internet. This uncontrollable growth of the Internet makes the need for regulation even more badly felt. Systems across the globe have many different rules governing the behavior of users. These users in most countries are completely free to join or leave any system whose rules they find comfortable or not comfortable. This extra flexibility may at times lead to improper user conduct.

Also, in the absence of any suitable legal framework, it may be difficult for system administrators to keep a check on frauds, vandalism or abuses, which may make the life of many online users miserable. This situation is alarming, as any element of distrust of the Internet may lead to people avoiding transactions with online sites, thereby directly affecting e-commerce growth. The (mis)use of the Internet as an excellent medium of communication may in some situations lead to direct damage to physical societies. Non-imposition of taxes on online transactions may have a destructive effect on physical businesses and also on government revenues. Terrorists may also make use of the web to create conspiracies and cause violence in society. Therefore, all of us, whether we directly use the Internet or not, would like to have some form of regulation or external control for monitoring online transactions and the cyber world to prevent any instability.

Technical measures to protect computer systems are being implemented along with legal measures to prevent and deter criminal behavior. Pakistan has seen an adequate increase in the use of Information and Communications. The loopholes in cyberspace leading to cyber crimes pressure countries to look for jurisdictions. A prospective legislation is proposed here to strengthen cyber security measures and to stop information theft in Pakistan, after a situational analysis of the international aspects of cyber law as done in China, the USA and the European Union.

Cyber Crimes

Computer or Cyber crimes are considered as illegal, unethical or unauthorised behaviour of people relating to the automatic processing and transmission of data, use of Computer Systems and Networks. Common types of Cyber Crimes may be broadly classified in the following groups:

1. Against Individuals:
   a. Against Person:
      i. Harassment through e-mails.
      ii. Cyber-stalking.
      iii. Dissemination of obscene material on the Internet.
      iv. Defamation.
      v. Hacking/cracking.
      vi. Indecent exposure.
   b. Against property of an individual:
      i. Computer vandalism.
      ii. Transmitting virus.
      iii. Internet intrusion.
      iv. Unauthorised control over computer system.
      v. Hacking/cracking.
2. Against Organisations:
   a. Against Government, Private Firm, Company, Group of Individuals:
      i. Hacking & Cracking.
      ii. Possession of unauthorised information.
      iii. Cyber terrorism against the government organisation.
      iv. Distribution of pirated software etc.
3. Against Society at large:
   i. Pornography (specially child pornography).
   ii. Polluting the youth through indecent exposure.
   iii. Trafficking.

Proposed Legislation for the law to be called Bill for Cyber Security 2012

A Bill to provide for enhanced cyber security and punishment of the Information Security Crimes in Pakistan and/or affairs incidental thereto is stated as under:

Whereas it is extremely important to take measures against the infringement of confidentiality, objectivity, reliability, integrity and availability of data/information, using copyright data without acknowledging source, theft or misuse of critical data, attempt to gain access unlawfully or hack information/websites, by forcing punishment for such act/conduct and providing for sufficient powers to effectively combat such offences by facilitating their detection, investigation and prosecution.
OFFENCES AND PUNISHMENTS

3. Criminal access. Whoever intentionally gains unauthorized access to the whole or any part of an electronic system or electronic device with or without infringing security measures, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine not exceeding three hundred thousand rupees, or with both.

4. Criminal data access. Whoever intentionally causes any electronic system or electronic device to perform any function for the purpose of gaining unauthorized access to any data held in any electronic system or electronic device or on obtaining such unauthorized access shall be punished with imprisonment of either description for a term which may extend to three years, or with fine or with both.

5. Data damage. Whoever with intent to illegal gain or cause harm to the public or any person, damages any data shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

Explanation. For the purpose of this section the expression "data damage" includes but is not limited to modifying, altering, deleting, deterioration, erasing, suppressing, changing location of data or making data temporarily or permanently unavailable, halting electronic system, choking the networks or affecting the reliability or usefulness of data.

6. System damage. Whoever with intent to cause damage to the public or any person interferes with or interrupts or obstructs the functioning, reliability or usefulness of an electronic system or electronic device by inputting, transmitting, damaging, deleting, altering, tampering, deteriorating or suppressing any data or services or halting electronic system or choking the networks shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

Explanation. For the purpose of this section the expression "services" includes any kind of service provided through electronic system.

7. Electronic fraud. Whoever for wrongful gain interferes with or uses any data, electronic system or electronic device or induces any person to enter into a relationship or with intent to deceive any person, which act or omission is likely to cause damage or harm to that person or any other person shall be punished with imprisonment of either description for a term which may extend to seven years, or with fine, or with both.

8. Electronic forgery. Whoever for wrongful gain interferes with data, electronic system or electronic device, with intent to cause damage or injury to the public or to any person, or to make any illegal claim or title or to cause any person to part with property or to enter into any express or implied contract, or with intent to commit fraud by any input, alteration, deletion, or suppression of data, resulting in unauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of the fact that the data is directly readable and intelligible or not shall be punished with imprisonment of either description for a term which may extend to seven years, or with fine or with both.

9. Misuse of electronic system or electronic device. (1) Whoever produces, possesses, sells, procures, transports, imports, distributes or otherwise makes available an electronic system or electronic device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established under this Act or a password, access code, or similar data by which the whole or any part of an electronic system or electronic device is capable of being accessed or its functionality compromised or reverse engineered with the intent that it be used for the purpose of committing any of the offences established under this Act, is said to commit offence of misuse of electronic system or electronic devices: Provided that the provisions of this section shall not apply to the authorized testing or protection of an electronic system for any lawful purpose.

(2) Whoever commits the offence described in sub-section (1) shall be punishable with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

10. Unauthorized access to code. Whoever discloses or obtains any password, access as to code, system design or any other means of gaining access to any electronic system or data with intent to obtain wrongful gain, do reverse engineering or cause wrongful loss to any person or for any other unlawful purpose shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

11. Misuse of encryption. Whoever for the purpose of commission of an offence or concealment of incriminating evidence, knowingly and willfully encrypts any incriminating communication or data contained in electronic system relating to that crime or incriminating evidence, commits the offence of misuse of encryption and shall be punished with imprisonment of either description for a term which may extend to five years, or with fine, or with both.

12. Malicious code. (1) Whoever willfully writes, offers, makes available, distributes or transmits malicious code through an electronic system or electronic device, with intent to cause harm to any electronic system or resulting in the corruption, destruction, alteration, suppression, theft or loss of data commits the offence of malicious code: Provided that the provision of this section shall not apply to the authorized testing, research and development or protection of an electronic system for any lawful purpose.

Explanation. For the purpose of this section the expression "malicious code" includes but is not limited to a computer program or a hidden function in a program that damages data or compromises the electronic system's performance or uses the electronic system resources without proper authorization, with or without attaching its copy to a file and is capable of spreading over electronic system with or without human intervention including virus, worm or Trojan horse.

(2) Whoever commits the offence specified in sub-section (1) shall be punished with imprisonment of either description for a term which may extend to five years, or with fine or with both.

13. Cyber stalking. (1) Whoever with intent to coerce, intimidate, or harass any person uses computer, computer network, internet, network site, electronic mail or any other similar means of communication to:
(a) communicate obscene, vulgar, profane, lewd, lascivious, or indecent language, picture or image;
(b) make any suggestion or proposal of an obscene nature;
(c) threaten any illegal or immoral act;
(d) take or distribute pictures or photographs of any person without his consent or knowledge;
(e) display or distribute information in a manner that substantially increases the risk of harm or violence to any other person,
commits the offence of cyber stalking.

(2) Whoever commits the offence specified in sub-section (1) shall be punishable with imprisonment of either description for a term which may extend to seven years or with fine not exceeding three hundred thousand rupees, or with both: Provided if the victim of the cyber stalking under sub-section (1) is a minor the punishment may extend to ten years or with fine not less than one hundred thousand rupees, or with both.

14. Spamming. (1) Whoever transmits harmful, fraudulent, misleading, illegal or unsolicited electronic messages in bulk to any person without the express permission of the recipient, or causes any electronic system to show any such message or involves in falsified online user account registration or falsified domain name registration for commercial purpose commits the offence of spamming.

(2) Whoever commits the offence of spamming as described in sub-section (1) shall be punishable with fine not exceeding fifty thousand rupees if he commits this offence of spamming for the first time and for every subsequent commission of offence of spamming he shall be punished with imprisonment of three months or with fine, or with both.

15. Spoofing. (1) Whoever establishes a website, or sends an electronic message with a counterfeit source intended to be believed by the recipient or visitor or its electronic system to be an authentic source with intent to gain unauthorized access or obtain valuable information which later can be used for any unlawful purposes commits the offence of spoofing.

(2) Whoever commits the offence of spoofing specified in sub-section (1) shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

16. Unauthorized interception. (1) Whoever without lawful authority intercepts by technical means, transmissions of data to, from or within an electronic system including electromagnetic emissions from an electronic system carrying such data commits the offence of unauthorized interception.

(2) Whoever commits the offence of unauthorized interception described in sub-section (1) shall be punished with imprisonment of either description for a term which may extend to five years, or with fine not exceeding five hundred thousand rupees, or with both.

17. Cyber terrorism. (1) Any person, group or organization who, with terroristic intent utilizes, accesses or causes to be accessed a computer or computer network or electronic system or electronic device or by any available means, and thereby knowingly engages in or attempts to engage in a terroristic act commits the offence of cyber terrorism.

Explanation 1. For the purposes of this section the expression "terroristic intent" means to act with the purpose to alarm, frighten, disrupt, harm, damage, or carry out an act of violence against any segment of the population, the Government or entity associated therewith.

Explanation 2. For the purposes of this section the expression "terroristic act" includes, but is not limited to,
(a) altering by addition, deletion, or change or attempting to alter information that may result in the imminent injury, sickness, or death to any segment of the population;
(b) transmission or attempted transmission of a harmful program with the purpose of substantially disrupting or disabling any computer network operated by the Government or any public entity;
(c) aiding the commission of or attempting to aid the commission of an act of violence against the sovereignty of Pakistan, whether or not the commission of such act of violence is actually completed; or
(d) stealing or copying, or attempting to steal or copy, or secure classified information or data necessary to manufacture any form of chemical, biological or nuclear weapon, or any other weapon of mass destruction.

(2) Whoever commits the offence of cyber terrorism and causes death of any person shall be punishable with death or imprisonment for life, and with fine and in any other case he shall be punishable with imprisonment of either description for a term which may extend to ten years, or with fine not less than ten million rupees, or with both.

18. Enhanced punishment for offences involving sensitive electronic systems. (1) Whoever causes criminal access to any sensitive electronic system in the course of the commission of any of the offences established under this Act shall, in addition to the punishment prescribed for that offence, be punished with imprisonment of either description for a term which may extend to ten years, or with fine not exceeding one million rupees, or with both.

(2) For the purposes of any prosecution under this section, it shall be presumed, until contrary is proved, that the accused had the requisite knowledge that it was a sensitive electronic system.

19. Of abets, aids or attempts to commits offence. (1) Any person who knowingly and willfully abets the commission of or who aids to commit or does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall be liable on conviction to the punishment provided for the offence.

(2) Any person who attempts to commit an offence under this Act shall be punished for a term which may extend to one-half of the longest term of imprisonment provided for that offence.

Explanation. For aiding or abetting an offence to be committed under this section, it is immaterial whether the offence has been committed or not.

20. Other offences. Whoever commits any offence, other than those expressly provided under this Act, with the help of computer, electronic system, electronic device or any other electronic means shall be punished, in addition to the punishment provided for that offence, with imprisonment of either description for a term which may extend to two years, or with fine not exceeding two hundred thousand rupees, or with both.

21. Offences by corporate body. A corporate body shall be held liable for an offence under this Act if the offence is committed on its instructions or for its benefit. The corporate body shall be punished with fine not less than one hundred thousand rupees or the amount involved in the offence whichever is the higher: Provided that such punishment shall not absolve the criminal liability of the natural person who has committed the offence.

Explanation. For the purposes of this section "corporate body" includes a body of persons incorporated under any law such as trust, waqf, an association, a statutory body or a company.

Proposed Chapters of the Act

Chapter 1: Introduction

1. Title and extent of operation of the Act. This Act may be called the Cyber Security Act 2012. It shall extend to the whole of Pakistan. It shall come into force at once.

2. Punishment of offences committed within Pakistan. Every person shall be liable to punishment under this Act and not otherwise for every act or omission contrary to the provisions thereof, of which he shall be guilty within Pakistan.

3. Punishment of offences committed beyond, but which by law may be tried within Pakistan. Any person liable, by any Pakistan Law, to be tried for an offence committed beyond Pakistan shall be dealt with according to the provision of this Code for any act committed beyond Pakistan in the same manner as if such act had been committed within Pakistan.

4. Extension of Code to extra-territorial offences. The provisions of this Code apply also to:
(a) The offence was committed in Pakistan;
(b) Result of the offence has had an effect in Pakistan;
(c) The offence was committed by a Pakistani national or a person resident or carrying out business in Pakistan;
(d) The offence was committed in relation to or connected with an information system or data in Pakistan or capable of being connected, sent to, used by or with any electronic system in Pakistan; or
(e) The offence was committed by any person, of any nationality or citizenship whatsoever or in any place outside or inside Pakistan, having an effect on the security and integrity of Pakistan or its nationals or having universal application under international law, custom and usage.

Explanation: In this section the word "offence" includes every act committed outside Pakistan which, if committed in Pakistan, would be punishable under this Code.

Chapter 2: Definition of terms

Chapter 3: Offences
Some of the major types of offences against which many countries across the globe have enacted various Acts (mostly at preliminary levels) are as follows:

1. Unlawful access to data in computers,
2. Damaging data in computer etc.
3. Possession of device to obtain unauthorised telephone facilities,
4. Unauthorised access to computer and computer material
5. Committing mischief with data.
6. Data spying,
7. Computer fraud,
8. Forgery of prohibitive data,
9. Alteration of data,
10. Computer sabotage.
11. False entry in an authentic deed
12. False entry in permit licence or passport
13. Electronic record made wrongfully
14. Electronic record made wrongfully by public servant
15. Interferences with business by destruction or damage of computer
16. Interferences with computer
17. Destruction of public document
18. Destruction of private document
19. Unauthorised access with intention to commit offences/computer crimes
20. Unauthorised use and interception of computer services
21. Knowingly access of computer without authorisation related to national defence or foreign relation
22. Intentional access of computer without authorisation to obtain financial information
23. Unauthorised access of computer of a Govt. Deptt. or agency
24. Knowingly causing transmission of data/program to damage a computer network, data or program or withhold or deny use of computer, network etc.
25. Knowingly causing transmission of data/program with risk that transmission will damage a computer network, data or program or withhold or deny use of computer, network etc, an unauthorised access of computer with intent to defraud.

Chapter 4: PROSECUTION AND TRIAL OF OFFENCES

22. Offences to be compoundable and non-cognizable. All offences under this Act shall be compoundable, non-cognizable and bailable except the offences punishable with imprisonment for seven years or more.

23. Prosecution and trial of offences. (1) The Tribunal shall take cognizance of and try any offence under this Act.

(2) In all matters with respect to which no procedure has been provided in this Act or the rules made thereunder, the provisions of the Code shall, mutatis mutandis, apply for the trial.

(3) All proceedings before the Tribunal shall be deemed to be judicial proceedings within the meanings of sections 193 and 228 of the Pakistan Penal Code 1860 (XLV of 1860) and the Tribunal shall be deemed to be a Court for the purposes of sections 480 and 482 of the Code.

24. Order for payment of compensation. The Tribunal may, on awarding punishment of imprisonment or fine or both for commission of any offence, make an order for payment of any compensation to the victim for any damage caused to his electronic system or data by commission of the offence and the compensation so awarded shall be recoverable as arrears of land revenue: Provided that the compensation awarded by the Tribunal shall not prejudice any right to a civil remedy for the recovery of damages beyond the amount of compensation awarded.

1. This Act may be called the Cyber Security Act 2012.
2. It shall extend to the whole of Pakistan.
3. It shall come into force at once.
4. Every person shall be liable to punishment under this Act for every act or omission contrary to the provisions thereof, if:
5. Information traffic flowing inside/outside of stakeholders will be protected by compatible firewalls and gateways.
6. Whoever commits the offence of accessing information unlawfully and damaging the private/public data/information which is private property of any individual or organization may be sentenced to jail from 1 to 10 years. Also a fine ranging from Rs. 1000 to the extent of loss incurred due to such act/conduct may be imposed.
7. All the stakeholders (Public and Private Organizations etc) will make sure that they take maximum possible security measures to protect important data/information. To ensure security of critical information, all stakeholders will install firewalls, anti-hacking software, and network security applications.

Advantages:

1. Developing a public-private plan for strengthening national security in the case of internet-based attacks.
2. Providing legal framework for information security of organizations dealing in online business and e-commerce.
3. Strengthening the information sharing process.
4. Providing a baseline for subsequent legislation on the proposed subject.
5. Creating awareness regarding risk associated with information theft.
6. Enhancing security measures for information sharing on cellular devices.
7. Safeguarding the objectivity and reliability of data.
8. Restricting access to hackers/spammers on critical electronic information.

Disadvantages:

1. Public-private interests may not always converge.
2. The Act may federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications and energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government.
3. It may give the President authority to shut down Internet traffic in an emergency and disconnect critical infrastructure systems.
4. Implementation of information security infrastructure is very costly and difficult for small organizations or individuals.
5. The complex nature of information security protocols requires trained and qualified IT security implementers.
6. Compatibility issues of security tools (software & encryption) with corporate applications are very common and need an ample amount of time to resolve.
7. Compatibility issues due to usage of different network protocols.
8. Maintenance and monitoring cost.

Process of Passing the Law:

Passing of this proposed law from parliament comprises three stages:

1. Pre-Parliament Stage
2. During-Parliament Stage
3. Post-Parliament Stage

Pre-Parliament Stage:

To start with, concerns and grievances related to cyber security issues will be discussed with the Pakistan Telecommunication Authority (PTA) and the Ministry of Information Technology. After taking these stakeholders into confidence, the bill will be forwarded to the Law ministry for legal opinion. The Law ministry will return the bill to the Ministry of Information Technology after formulating the bill in a shape suitable to be presented in the Parliament.

During-Parliament Stage:

The bill will go through the following stages in parliament.

a) Speech Stage
b) Debate Stage
c) Committee Stage
d) Vote Stage (51% needed to approve the bill)

The IT minister will give a speech on the issue for which the legislation is being proposed. Then a debate will be held on this. A special committee may also be formulated to discuss technical issues related to the legislation in discussion. Finally, the voting stage will take place and the bill will be passed with a simple majority of 51%. The bill will then be sent to the Senate for approval. The same process is repeated in the Senate. After approval from the Senate, the bill is forwarded to the president for final approval.

Post-Parliament Stage:

Once the parliament has approved, the bill will be sent to the President of Pakistan for his assent. If need be, he may refer it back to parliament for a review; otherwise the bill will be signed by him and become a law immediately to be enacted.
