“The day of the ball is not the time to learn how to dance”. A Legal Perspective – Sample Scenario for undertaking a cyber security exercise


Author: Helaine Leggat


The day of the ball is not the time to learn how to dance[1]

Every organisation has vulnerabilities. The work for the board is to ascertain their extent.

While every organisation should undertake regular risk assessments, Part 2C of the Security of Critical Infrastructure Act 2018 (SOCI) goes further: the responsible entity for a system of national significance may be required to undertake a cyber security exercise in relation to (i) the system, and (ii) either all types, or one or more specified types, of cyber security incidents.[2]

Section 30CN of SOCI provides:

“(1) A cyber security exercise is an exercise:

  (a) that is undertaken by the responsible entity for a system of national significance; and
  (b) that relates to the system; and
  (c) that either:
    (i) relates to all types of cyber security incidents; or
    (ii) relates to one or more specified types of cyber security incidents; and
  (d) if the exercise relates to all types of cyber security incidents[3] – the purpose of which is to:
    (i) test the entity’s ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
    (ii) test the entity’s preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
    (iii) test the entity’s ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and …”


The purpose of this article

The purpose of this article is to consider some of the legal ramifications arising from the requirements to respond appropriately and to mitigate relevant impacts by exploring a possible cyberattack scenario in the defence of property, with a specific focus on electronic transactions, intellectual property, corporations, and criminal law.


The approach to this article

To extend its usefulness, it is intended that the considerations explored in this scenario be of more general application, and not only SOCI-focused. The scenario will be considered in three Parts:

  • Part 1 (this article) – establishes some basic principles of law;
  • Part 2 (September ICT Insider) – will present the scenario, widely framed, allowing a broad range of possibilities to be explored; and
  • Part 3 (October ICT Insider) – will add specificity to the scenario, in order to apply the relevant law to its facts more accurately.


Scenario Target organisation

Notably, the SOCI requirement that the response be ‘appropriate’ is a matter to be informed by the relevant organisation’s ‘Regulatory Universe’[4] – meaning all the laws with which the organisation must comply (federal, state and sector specific), and its appetite for risk. This in turn raises the questions: “What does the law require?” and “What does cybersecurity mean to a particular organisation?”


What does cybersecurity mean to an organisation?

To answer this question, it is necessary to first consider the security triad (CIA Triad):

  • Confidentiality – what are the consequences if organisational data is published, or intellectual property stolen?
  • Integrity – what are the consequences of not being able to rely upon the data in the organisational systems?
  • Availability – what are the consequences if an organisation cannot operate due to data and systems not being available?


Electronic law and cybercrime

To understand the importance of the CIA Triad, it is helpful to re-visit the electronic transactions and communications laws of the 1990s.

The purpose of the electronic model laws (and conventions) whose terms were adopted into the national legal systems of participating states[5] was to offer national legislatures a set of internationally acceptable rules.  These rules were designed to remove a number of legal obstacles to the use of electronic transactions and communications, creating a more certain legal environment for electronic commerce. Legislation based on or influenced by the UNCITRAL Model Law has been adopted in 83 States and a total of 163 jurisdictions.

Electronic transaction laws are based on two principles: (i) functional equivalence, also known as media neutrality, and (ii) technology neutrality.[6] Functional equivalence means that transactions conducted using paper documents and transactions conducted using electronic communications[7] should be treated equally by the law, with neither given an advantage or disadvantage over the other.

The requirements for legal recognition of an electronic document are:

  • that the method of generating the electronic form of the document provides a reliable means of assuring the maintenance of the integrity of the information contained in the document, where the integrity of the information is maintained only if it has remained complete and unaltered, apart from endorsements and immaterial changes arising in the normal course of communication, storage or display[8]; and
  • that, at the time the information was given, it was reasonable to expect that the information would be readily accessible so as to be useable for subsequent reference.

The former requirement is reflected in the ‘I’ of the CIA Triad; the latter in the ‘A’.

The ‘C’ for Confidentiality in the CIA Triad is roughly equivalent to privacy, and requires measures designed to prevent unauthorised access to sensitive information.

A breach of CIA corresponds to the conduct captured by the definition of a computer offence: broadly, a breach of confidentiality is unauthorised access, a breach of integrity is unauthorised modification, and a breach of availability is unauthorised impairment.


Computer offences and boundaries to defence

In determining how to respond to a cyberattack appropriately and lawfully, and how to mitigate relevant impacts, it is imperative to understand what constitutes a computer offence. The objective of an organisation is defence, which may or may not include ‘active’[9] as opposed to merely ‘passive’ defence, but which must never amount to offensive action (that is, attack); offensive action is a prerogative accorded only to government in the interests of national security.

International conventions (treaties) are a source of national law in a similar way to model laws. Here the executive branch of government accedes to a treaty, and the terms of the treaty are subsequently adopted into national (domestic) laws.


Council of Europe Convention on Cybercrime

The Convention on Cybercrime[10] (Cybercrime Convention) adopted in November 2001, also known as the Budapest Convention, is the first international treaty seeking to address internet and computer crime by harmonising national laws. The Convention aims principally at harmonising domestic criminal substantive law (what) in the area of cybercrime, providing for domestic criminal procedural law powers (how) necessary for the investigation and prosecution of offences.

Nine offences are defined in the Cybercrime Convention. These are illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright and neighbouring rights.[11]

To date there are 61 parties to the convention and 21 countries have signed or been invited to accede.[12]


Australia – Criminal Code Act 1995 and computer offences

In considering the scenario, we will apply the provisions below.

In Australia, computer offences are provided for under Chapter 10, Part 10.7 of the Criminal Code Act 1995 (Criminal Code) and cover unauthorised access, modification or impairment.

Clearly, an action undertaken in responding to or mitigating a cyberattack may itself constitute a computer offence. Notably, the Criminal Code provides legal defences in relation to circumstances involving external factors.[13] Additionally, each of these offences comprises both physical and fault (mens rea) elements. These will be considered later.

It is precisely the limits on the defence of CIA, in relation to the activities defined as computer offences, that need to be understood in determining what constitutes a response that is appropriate and able to mitigate relevant impact. As will be seen, timing and proportionality are critical in determining the lawfulness of a response to a cyberattack. A lawful response is not the equivalent of an offence. Furthermore, it will be argued that in defending against a cyberattack the fault elements of a computer offence will not be met.


Computer offences – definitions under the Criminal Code Act 1995 – access, impairment and modification

Under section 476.1, references in Part 10.7 to access, modification or impairment are limited to such access, modification or impairment caused, whether directly or indirectly, by the execution of a function of a computer.

‘Access to data held in a computer’ means:

  • the display of the data by the computer or any other output of the data from the computer; or
  • the copying or moving of the data to any other place in the computer or to a data storage device; or
  • in the case of a program—the execution of the program.

‘Impairment of electronic communication to or from a computer’ includes:

  • the prevention of any such communication; or
  • the impairment of any such communication on an electronic link or network used by the computer; but does not include a mere interception of any such communication.

‘Modification’ in respect of data held in a computer, means:

  • the alteration or removal of the data; or
  • an addition to the data.


Computer offences – definitions under the Criminal Code Act 1995 – Unauthorised access, modification or impairment

‘Unauthorised access, modification or impairment’ has the meaning given in section 476.2:

(1) In this Part:[14]

  (a) access to data held in a computer; or
  (b) modification of data held in a computer; or
  (c) the impairment[15] of electronic communication to or from a computer; or
  (d) the impairment[16] of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means;

by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.

(2) Any such access, modification or impairment caused by the person is not unauthorised merely because he or she has an ulterior purpose for causing it.

(3) For the purposes of an offence under this Part, a person causes any such unauthorised access, modification or impairment if the person’s conduct substantially contributes to it.


Serious computer offences – with intent

Division 477 provides for ‘serious computer offences’, and section 477.1 for ‘Unauthorised access, modification or impairment with intention to commit a serious Commonwealth, State or Territory offence’:

(1) A person commits an offence if:

  (a) the person causes:
    (i) any unauthorised access to data held in a computer; or
    (ii) any unauthorised modification of data held in a computer; or
    (iii) any unauthorised impairment of electronic communication to or from a computer; and
  (c) the person knows the access, modification or impairment is unauthorised; and
  (d) the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth, a State or a Territory (whether by that person or another person) by the access, modification or impairment.[17]


Unauthorised modification of data to cause impairment

Section 477.2 provides:

(1) A person commits an offence if:

  (a) the person causes any unauthorised modification of data held in a computer; and
  (b) the person knows the modification is unauthorised; and
  (c) the person is reckless as to whether the modification impairs or will impair:
    (i) access to that or any other data held in any computer; or
    (ii) the reliability, security or operation, of any such data.


Unauthorised impairment of electronic communication

Section 477.3 provides:

(1) A person commits an offence if:

  (a) the person causes any unauthorised impairment of electronic communication to or from a computer; and
  (b) the person knows that the impairment is unauthorised.


Other computer offences – Unauthorised access to, or modification of, restricted data

Division 478, section 478.1 provides for ‘Other computer offences’, namely ‘Unauthorised access to, or modification of, restricted data’:

(1) A person commits an offence if:

  (a) the person causes any unauthorised access to, or modification of, restricted data; and
  (b) the person intends to cause the access or modification; and
  (c) the person knows that the access or modification is unauthorised.

(3) In this section: restricted data means data:

  (a) held in a computer; and
  (b) to which access is restricted by an access control system associated with a function of the computer.


Other computer offences – Unauthorised impairment of data held on a computer disk

Section 478.2 provides for ‘Unauthorised impairment of data held on a computer disk etc.’:

(1) A person commits an offence if:

  (a) the person causes any unauthorised impairment of the reliability, security or operation of data held on:
    (i) a computer disk; or
    (ii) a credit card; or
    (iii) another device used to store data by electronic means; and
  (b) the person intends to cause the impairment; and
  (c) the person knows that the impairment is unauthorised.


Possession or control of data with intent to commit a computer offence

Section 478.3 provides for ‘Possession or control of data with intent to commit a computer offence’:

(1) A person commits an offence if:

  (a) the person has possession or control of data; and
  (b) the person has that possession or control with the intention that the data be used, by the person or another person, in:
    (i) committing an offence against Division 477; or
    (ii) facilitating the commission of such an offence.


Meaning of possession or control of data

Under subsection (4), a reference to a person having possession or control of data includes a reference to the person:

  • having possession of a computer or data storage device that holds or contains the data; or
  • having possession of a document in which the data is recorded; or
  • having control of data held in a computer that is in the possession of another person (whether inside or outside Australia).


Producing, supplying or obtaining data with intent to commit a computer offence

Section 478.4 provides for ‘Producing, supplying or obtaining data with intent to commit a computer offence’:

(1) A person commits an offence if:

  (a) the person produces, supplies or obtains data; and
  (b) the person does so with the intention that the data be used, by the person or another person, in:
    (i) committing an offence against Division 477; or
    (ii) facilitating the commission of such an offence.


Meaning of producing, supplying or obtaining data

Under subsection (4), a reference to a person producing, supplying or obtaining data includes a reference to the person:

  • producing, supplying or obtaining data held or contained in a computer or data storage device; or
  • producing, supplying or obtaining a document in which the data is recorded.


Other Foundational Definitions

In the context of recognising and facilitating electronic transactions and communications – the sine qua non of operating in the digital age – it is clear that the ‘information’ and the ‘information systems’ must be capable of reliably providing for CIA. As stated above, a failure in CIA is tantamount to the definition of ‘unauthorised access, modification or impairment’ in the Criminal Code.

Notably, the Criminal Code defines ‘data’ only broadly (under section 476.1, ‘data’ includes information in any form, and any program or part of a program), so for a fuller sense of what the term covers we need to look elsewhere. A more detailed definition of ‘data’ is provided indirectly in the Australian Electronic Transactions Act 1999 (ETA)[18] by reference to the Copyright Act 1968 (Copyright Act).

The ETA defines ‘information’ to mean “information in the form of data, text, images or speech”, where:

‘data’ includes the “whole or part of a computer program within the meaning of the Copyright Act”, specifically:

‘computer program’ means “a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result”, and under section 47AB ‘computer program’ includes “any literary work that is:

  • incorporated in, or associated with, a computer program; and
  • essential to the effective operation of a function of that computer program”.

The ETA defines ‘information system’ to mean “a system for generating, sending, receiving, storing or otherwise processing electronic communications” – clearly relying on literary works as defined.

Literary works are protected under Australian and international intellectual property law and are legally recognised as ‘property’. The importance of this is that ‘property’[19] engages the defence of self-defence under Chapter 2, Part 2.3, section 10.4 of the Criminal Code, which extends to conduct undertaken to protect property from unlawful appropriation, destruction, damage or interference.

The Copyright Act provides substantively for intellectual property (IP). The law orders or prioritises rights and classifies property as real and tangible (such as land), personal and tangible (such as a book or a computer), or intangible (such as the right of an author in their literary works, i.e. IP).

With respect to the CIA of information and information systems, and the increasing demands upon directors to identify and mitigate risk to information and information systems, the Australian Law Reform Commission (ALRC) has provided some useful definitions of ‘property’[20], namely:

“What is ‘property’?

7.11   The idea of property is multi-faceted. The term ‘property’ is used in common and some legal parlance to describe types of property that is both real and personal. ‘Real’ property encompasses interests in land and fixtures or structures upon the land. ‘Personal’ property encompasses tangible or ‘corporeal’ things—chattels or goods. It also includes certain intangible or ‘incorporeal’ legal rights, also known in law as ‘choses in action’, such as copyright and other intellectual property rights …”.  Intangible rights are created by law. Tangible things exist independently of law but law governs rights of ownership and possession in them—including whether they can be ‘owned’ at all.

7.12   In law, the term ‘property’ is perhaps more accurately or commonly used to describe types of rights and rights in relation to things. In Yanner v Eaton, the High Court of Australia said:

                   The word ‘property’ is often used to refer to something that belongs to another. But … ‘property’ does not refer to a thing; it is a description of a legal relationship with a thing. It refers to a degree of power that is recognised in law as power permissibly exercised over the thing. The concept of ‘property’ may be elusive. Usually it is treated as a ‘bundle of rights’.

7.16   A ‘property right’ may take different forms depending on the type of property. Implicit in a property right, generally, are all or some of the following rights: the right to use or enjoy the property, the right to exclude others, and the right to sell or give away.  Property rights also depend on the statutory framework of laws and property rights affecting the particular type of property, and the interaction between that statutory scheme and the common law.


Corporations Law and director duties

Hand in hand with property rights and obligations, the Corporations Act 2001 (Cth) (Corporations Act) applies. Specifically, directors are subject to a range of legal duties, including the core duties contained in sections 180 – 183, which largely codify the common law on directors’ duties.

The current requirements under the Corporations Act already render directors liable for cyber security – irrespective of whether the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234[21] (Information Security) applies or not.

In its judgment of 5 May 2022 in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496,[22] the Federal Court of Australia (Rofe J) found that a licensed financial services organisation had failed to adequately manage cybersecurity risks and resilience, in breach of its licensee obligations under section 912A of the Corporations Act, and ordered inter alia that RI Advice pay $750,000 towards ASIC’s costs.

The increasing threat landscape is contributing to the determination of director liability, which turns on legally recognised obligations, failure to conform to the required standard, and proximate causation resulting in injury, damage or loss.

In summary

The scenario to follow next month will take all of the above into consideration in an effort to identify an appropriate response and to mitigate relevant impacts.


[1] Quote by Rob Sloan at an AICD breakfast: https://www.aicd.com.au/risk-management/framework/cyber-security/5-questions-boards-must-ask-about-cybersecurity.html

[2] Section 30CM of Division 3 of this Part 2C.

[3] Under 30CN(1)(e), if the exercise relates to one or more specified types of cyber security incidents, the requirements apply mutatis mutandis.

[4] It is the Regulatory Universe that determines the kinds of information to which the law affords protection, such as, for example, Personal Information under the Privacy Act, protected information under SOCI, and so on.

[5] Status: UNCITRAL Model Law on Electronic Commerce (1996) | United Nations Commission On International Trade Law

[6] Although not central to this article, technology neutrality means that the law should not discriminate between different forms of technology, for example by specifying technical requirements for the use of electronic communications that are based on an understanding of the operation of a particular form of electronic communication technology.

[7] The ETA applies functional equivalence to: (a) a requirement to give information in writing; (b) a requirement to provide a signature; (c) a requirement to produce a document; (d) a requirement to record information; and (e) a requirement to retain a document.

[8] “… if, and only if, the information has remained complete and unaltered, apart from: (a) the addition of any endorsement; or (b) any immaterial change; which arises in the normal course of communication, storage or display”.

[9] The author works with two definitions of active defence. These derive from two authoritative sources. The first definition was prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence (2013) (Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press p 257), and the second, is from a US Report (Active Defense Task Force. Center for Cyber & Homeland Security (October 2016). Into the Gray Zone. The Private Sector and Active Defense Against Cyber Threats). These will be expanded upon later as required.

[10] http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CL=ENG

[11] In 2006 the Additional Protocol to the Convention on Cybercrime came into force, requiring states that have ratified it to criminalise the dissemination of racist and xenophobic material through computer systems, as well as threats and insults motivated by racism or xenophobia, reflecting the Convention’s human rights and freedom of speech focus.

[12] Budapest Convention – Cybercrime (coe.int)

[13] Division 10, sections 10.1 – 10.4.

[14] Subsection 476.2(4) excludes law enforcement activities.

[15] Plain English meaning, where a function is weakened or damaged. This could include un-availability and a breach of CIA.

[16] Sic.

[17] (3) In a prosecution for an offence against subsection (1), it is not necessary to prove that the defendant knew that the offence was: (a) an offence against a law of the Commonwealth, a State or a Territory; or (b) a serious offence.

[18] Also in State and Territory equivalents.

[19] No definition of property is specifically provided under this section, but Chapter 7, Part 7.1, section 130.1 provides that ‘property’ includes: real property; personal property; money; and a thing in action or other intangible property; … recognising typical forms of property capable of ownership and protection. New forms of intangible property may also be argued for in the context of s 51(xxxi) of the Constitution.

[20] https://www.alrc.gov.au/publication/definitions-of-property/

[21] https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf.

[22] https://download.asic.gov.au/media/zhodijpp/22-104mr-2022-fca-496.pdf

ICTLC Australia
australia@ictlegalconsulting.com