SlideShare a Scribd company logo

Amare doc

A
amarelastname

This document discusses and compares the legal frameworks around information security and cybercrime for South Africa, Kenya, Nigeria, and Ethiopia. For South Africa, the document outlines laws around hacking, denial of service attacks, phishing, malware infections, identity theft, electronic theft, and other cybercrimes. Maximum penalties range from fines to 12 months imprisonment. Kenya's laws criminalize unauthorized computer access, interference with computer systems, and intercepting computer transmissions, with penalties up to 10 years imprisonment. Nigeria's laws cover offenses against critical infrastructure, unlawful computer access, data/system interference, and identity theft/impersonation. Ethiopia's Proclamation provides for crimes against computer systems/data such as illegal

Education
1 of 27
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Individual assignment Legal framework on information security Page 1 ASSOSA UNIVERSITY COLLEGE OF COMPUTING AND INFORMATICS EPARTMENT OF INFORMATION TECHNOLOGY COURSE TITLE: SOCIAL ETHICS IN IT INDIVIDUAL ASSIGNMENT PREPARED BY: NAME IDNO AMARE SIMACHEW…………………… ETR/0027/08 E.C Submitted To Instructor: TESFAYE T Submission Date: 01/06/2011 E.C ASSOSA,ETHIOPIA
Individual assignment Legal framework on information security Page i Table of Contents 1. Question...................................................................................................................................... 1 2. Answer........................................................................................................................................ 1 Cybercrime law in South Africa explained in detailed................................................................... 1 1. South Africa................................................................................................................................ 1 1.1 Hacking (unauthorized access) ................................................................................................. 1 1.2 Denial of service attacks ........................................................................................................... 1 1.3 Phishing..................................................................................................................................... 2 1.4 Infection of IT systems with malware (including ransom ware, spyware, Trojan and virus) .. 3 1,5 Identity theft or identity fraud (e.g. in connection with access device).................................... 4 1.6 Electronic theft (e.g. breach of confidence by a current or former employee or criminal copy right infringement).......................................................................................................................... 4 1.7Any other activity that adversely affect or threatens ................................................................. 4 1.8 Identity theft or identity fraud (example in connection with access device) ............................ 5 2. Kenya.......................................................................................................................................... 6 2.1 Offences .................................................................................................................................... 6 2.2 A person who knowingly and without authority discloses any password ................................ 8 2.3 A person who intentionally publishes false, misleading data................................................... 9 2.4 A person who intentionally inputs, alters, deletes, or suppresses computer data ..................... 9 2.5A person who, with fraudulent or dishonest intent.................................................................... 9 3. Nigeria....................................................................................................................................... 11 3.1Offences against critical national information infrastructure .................................................. 11 3.2 Unlawful access to a computer ............................................................................................... 12 3.3 Unauthorized modification of computer data ......................................................................... 12 3.3.1 System interference.......................................................................................................... 13
Individual assignment Legal framework on information security Page ii 3.4 Misuse of devices.................................................................................................................... 13 3.5 Computer related forgery........................................................................................................ 14 3.6 Computer related fraud ........................................................................................................... 14 3.7 Identity theft and impersonation ............................................................................................. 15 4.A proclamation to provide for the computer crime in Ethiopia................................................. 15 4.1 Section One Crimes against Computer System And Computer Data..................................... 16 4.1.1. Illegal Access .................................................................................................................. 16 4.1.2 Illegal Interception ........................................................................................................... 17 4.1.3 Interference with Computer System................................................................................. 17 4,.1.4 Causing Damage to Computer Data................................................................................ 17 4.1.5 Criminal Acts Related to Usage of Computer Devices and Data .................................... 18 4.1.5 Aggravated Cases............................................................................................................. 18 4.1.6 Computer Related Forgery............................................................................................... 18 4.1.7 Electronic Identity Theft .................................................................................................. 19 4.1.8 Criminal Liability of Service Providers ........................................................................... 19 5 .Strength of Ethiopian legal framework..................................................................................... 19 5.1Weakness of Ethiopian legal framework ................................................................................. 20 5.2 Conclusion .............................................................................................................................. 21 5.3 recommendation...................................................................................................................... 21 References..................................................................................................................................... 24
Individual assignment Legal framework on information security Page 1 1. Question 1. Write the current legal framework of South Africa, Nigeria and Kenya and compare with Ethiopian legal framework related to information security and computer crime. 2. Write the strength and weakness of Ethiopia legal framework related to these three countries. 3. Put your own recommendation for Ethiopia legal framework (constitution) related to information security and computer crime. 2. Answer Cybercrime law in South Africa explained in detailed 1. South Africa 1.1 Hacking (unauthorized access) hacking is recognized as an offence under section 86(1) of the ECT act, which states that it is an offence to intentionally access or intercept data without the appropriate authority of permission to do so. This also applies to unauthorized interface with data as contained in section 86(2) of the ECT act. Under the ECT act, the maximum penalty is affine (unspecified) or imprisonment for a period not exceeding 12 months. Under the cyber crime bill the offence of hacking is more broadly defined as it encompasses the unlawful and intentional access to data, a computer program, a computer data storage medium, or a computer system (section 2(1)). Under the cyber crimes bill, the maximum penalty is a fine (unspecified) or imprisonment for a period not exceeding five years (or both). 1.2 Denial of service attacks Section 86(5) of the ECT act states that any person who commit any of the acts described in section 86(1)-86(4) with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial of service to legitimate users is guilty of an offence.
Individual assignment Legal framework on information security Page 2 For the sake of completeness:  Section 86(1) –see discussion above in relation to hacking;  Section 86(2) – criminalizes the unlawful intentional interference with data in a way which cause such data to be modified, destroyed or otherwise rendered ineffective;  Section 86(3) – makes it an offence to unlawful produce, sell, offer to sell, procure for use ,design, adapt for use, distribute or posses any device including a computer program or a component, which is designed primarily to overcome security measure for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawful utilize such item to contravene this section; and  Section 86(4) - makes it an offence to utilize any device or computer program mentioned in section 86(3) in order to unlawful overcome security measures designed to protect such data from access thereto. Under the ECT act, the maximum penalty for contravening section 86(5) is a fine (unspecified) or imprisonment for a period not exceeding five years. 1.3 Phishing Phishing is recognized as an offence under section 87(2) of the ECT act which provides that a person who commits any of the acts described in section 86(1)-86(5) for the purpose of obtaining an unlawful advantage by causing fake data to be produced with an intent that it would be considered or acted upon as if it were authentic is guilty of offence. The maximum penalty under the ECT act is a fine (unspecified) or imprisonment for a period not exceeding five years. Phishing can also be prosecuted under the common law offence of theft and fraud. The maximum penalty imposed would depend on which court hears the cause (which would depend on a variety of factors, the quantum of the claim being one). If the case is prosecuted in the magistrate’s court, the court can impose a fine or imprisonment for a maximum period of 15 years in terms of its penal jurisdiction. If the case is heard in the high court of south Africa, the court has wider discretion and may impose any fine or term of imprisonment which they deem appropriate in the circumstance.
Individual assignment Legal framework on information security Page 3 Under cybercrime bill, there are separate offences for cyber fraud, cyber forgery and uttering and cyber extortion (section 8,9 and 10) which all attempt to deal with forms of phishing. A court which convicts a person of such an offence (where a penalty is not prescribed by any other law) can impose a sentence which the court deems appropriate and which is within that court’s penal jurisdiction. 1.4 Infection of IT systems with malware (including ransom ware, spyware, Trojan and virus) Yes, see the discussion above in respect to denial of service attack. Section 87(1) related to computer –related extortion, fraud and forgery of the ECT act is also relevant as it states that it is an offence to perform or threaten to perform any of the acts to described in section 86, for the purpose of obtaining any unlawful property advantage by undertaking to cease or desist from such action, or undertaking to restore any damage cased as the result of those actions. Under the ECT Act, the maximum penalty imposed for contravention of section 86(4) is a fine (unspecified) or imprisonment for period not exceeding five years. Under the cyber crimes Bill, there are separate offences for unlawful acts (in respect of software tools), as well as unlawful interference with data, computer program, computer data storage medium or a computer program or system(which is construed broadly enough to specifically include malware). Under the Cybercrimes Bill, the maximum penalty for contravention of theses sections is a fine (unspecified) or imprisonment for a period not exceeding 10 years (or both). Yes, see the discussion above in respect to denial- of- service attacks. Section86 (3) of the ECT Act is relevant and the maximum penalty which can be imposed for contravention of section86 (3) is a fine or imprisonment for a period not exceeding 12months. Under the Cyber Crimes Bill, it is an offence under section4 (1) to unlawfully and intentionally posses, manufacturer, assemble, obtain, sell, purchase, make available or advertise any software or hardware tool for purpose of contravening certain other section of the Cybercrimes Bill. The maximum penalty for contravention of this section is a fine (unspecified) or imprisonment for a period not exceeding 10 years (or both).
Individual assignment Legal framework on information security Page 4 1,5 Identity theft or identity fraud (e.g. in connection with access device) Yes, Section 87 of the ECT Act (which deals with computer-related extortion, fraud and forgery) is relevant and criminalizes the action of the person who performs or threatens to perform any of the acts in section 86 for the purpose of obtaining any unlawful property advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic. If the offender uses an access device to breach certain security measure and then uses data unlawfully, then the offender will have contravened section 87 and of the ECT Act. As stated above, the maximum penalty imposed for contravention of section 87 if a fine (unspecified) or imprisonment for a period not exceeding five years. Identify theft or fraud can also be prosecuted under the common law offence of “theft “or “fraud’ .The sentence jurisdiction would operate the same as discussed above in relation to “phishing”. Depending on the nature of offence it may also be possible to prosecute identity theft or fraud as an infringement of copy right under the copy right laws. Under the Cybercrimes Bill there are separate offences for cyber fraud, ciber forgery and uttering and cyber extortion (sections 8,9 and 10) which are broad enough to cover identity theft or fraud. A court which convicts a person of such an offence (where a penalty is not prescribed by any other law) can impose a sentence which court deems appropriate and which is within that courts penal jurisdiction. 1.6 Electronic theft (e.g. breach of confidence by a current or former employee or criminal copy right infringement). Yes, electronic theft may constitute an offence under section 86(1) of the ECT Act related to unlawful access to data (see the discussion above relation to hacking).it can also be prosecuted and which is within that courts penal jurisdiction. With regards to criminal copy right infringement, the copy right Act 98 of 1987 makes provision for criminal penalties, including the fine(maximum of R5,000 per infringement) and /or imprisonment of up to three years for first conviction. The maximum fine and/or imprisonment penalty for a second conviction is R10, 000 and or 5 years. 1.7Any other activity that adversely affect or threatens The security, confidentiality or availability of any IT system structure, communications network, device or data.
Individual assignment Legal framework on information security Page 5 See also the discussion above in relation to hacking with regards to the Cybercrime Bill and electronic theft. Any other activity that adversely affects or threatens the security, confidentiality, integrating or availability of any IT system, infrastructure, communication s network, devices and data. The ECT Act also criminalize attempting to commit any of the offences in the ECT Act or aiding and abetting those offences (section 88) the same penalties will apply as if the offence was successfully perpetrated. Under the cybercrime Bill there are numerous new offences relating to “malicious communications.” For example, it will be an offence to disseminate a data message which advocates, promotes or insights hate discrimination or violence against a person or group of persons “Revenge porn” will also constitute an offence under the cyber crime Bill (where a naked image of the a person is shared electronically without their consent). 1.8 Identity theft or identity fraud (example in connection with access device) Section 87 of the ECT act (which deals with computer related extortion, fraud and forgery) is relevant and criminalist the action of a person who performs or threaten to perform any of the acts in section 86 for the purpose of obtain any unlawful proprietary advantage or obtain any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic. If the offender uses an access device to breach certain security measure and then uses the data unlawfully. Then the offender will contravene section 87 and 86 of the ECT Act. As stated above the maximum penalty imposed for contravention of section 87 is fine (unspecified) or imprisonment for a period not exceeding five years. Identity theft or fraud can also be prosecuted under the common law offence of “theft “or “fraud “The sentencing jurisdiction would operate the same as discuss above in relation to “phishing”. Depending on the nature of the offence, it may also be possible to prosecute identity theft or fraud as an infringement of copyright under copy right laws. Under the cyber crimes bill, there are separate offences for cyber fraud, cyber forgery and uttering and cyber extortion which are broad enough to cover identity theft or fraud. a court which convicts a person of such an offence(where a penalty is not prescribed by any other law)can impose sentence which the court deems appropriate and which is within the courts penal jurisdiction
Individual assignment Legal framework on information security Page 6 2. Kenya The National Computer And Cybercrimes Co-Ordination Committee 2.1 Offences (1) A person who causes, whether temporarily or permanently, a computer system to perform a function, by infringing security measures, with intent to gain access, and knowing such access is unauthorized, commits an offence and is liable on conviction, to a fine not exceeding five Million shillings or to imprisonment for a term not exceeding three years, or to both. (2) Access by a person to a computer system is unauthorized if (a) That person is not entitled to control access of the kind in question to the program or data; or (b) that person does not have consent from any person who is entitled to access the computer system through any function to the program or data. (3) For the purposes of this section, it is immaterial that the unauthorized access is not directed at (a) Any particular program or data; (b) A program or data of any kind; or (c) A program or data held in any particular computer system. (1) A person who commits an offence under Section 14 with intent to commit a further offence under any law, or to facilitate the commission of a further offence by that person or any other person, commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding ten years, or to both. (1) A person who intentionally and without authorization does any act which causes an unauthorized interference, to a computer system, program or data, Commits an offence and is liable on conviction, to a fine not Exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (2) For the purposes of this section, interference is unauthorized, if the person whose act causes the interference (a) Is not entitled to cause that interference; (b) Does not have consent to interfere from a person who is so entitled. (3) A person who commits an offence under subsection (1) which, (a) Results in a significant financial loss to any person;
Individual assignment Legal framework on information security Page 7 (b) Threatens national security; (c) Causes physical injury or death to any person; or (d) Threatens public health or public safety, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. (1) A person who intentionally and without authorization does any act which intercepts or causes to be intercepted, directly or indirectly and causes the transmission of data to or from a computer system over a telecommunication system commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (2) A person who commits an offence under subsection (1) which (a) Results in a significant financial loss; (b) Threatens national security; (c) Causes physical or psychological injury or death to any person; or (d) Threatens public health or public safety, is liable, on conviction to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. (3) For the purposes of this section, it is immaterial that the unauthorized interception is not directed at (a) A telecommunication system; (b) Any particular computer system data; (c) A program or data of any kind; or d) A program or data held in any particular computer system. (1) A person who knowingly manufactures, adapts, sells, procures for use, imports, offers to supply, distributes or otherwise makes available a device, program, computer password, access code or similar data designed or adapted primarily for the purpose of committing any offence under this Part, commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. (2) A person who knowingly receives, or is in possession of, a program or a computer password, device, access code, or similar data from any action specified under subsection (1) and intends that it be used to commit or assist in commission of an offence under this Part commits an offence and is liable on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
Individual assignment Legal framework on information security Page 8 2.2 A person who knowingly and without authority discloses any password (1) A person who knowingly and without authority discloses any password, access code or other means of gaining access to any program or data held in any computer system commits an offence and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment For a term not exceeding three years, or to both. (2) A person who commits the offence under Subsection (1) (a) For any wrongful gain; (b) For any unlawful purpose; or (c) To occasion any loss, is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (1) A person who unlawfully and intentionally performs or authorizes or allows another person to perform a prohibited act envisaged in this Act, in order to (a) Gain access, as provided under section 14, to critical data, a critical database or a national critical information infrastructure; or (b) Intercept data, as provided under section 17, to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable, on conviction, to imprisonment for a period not exceeding twenty years or to a fine not exceeding ten million shillings, or to both. (2) A person who commits an offence under subsection (1) which causes physical injury to any person is liable, on conviction, to imprisonment for a term not exceeding twenty years. (3) A person who commits an offence under subsection (1) which causes the death of a person is liable, on conviction, to imprisonment for life. (4) A person who unlawfully and intentionally possesses, communicates, delivers or makes available or receives, data, to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable on conviction to imprisonment for a period exceeding twenty years or to a fine not exceeding ten million shillings, or to both.
Individual assignment Legal framework on information security Page 9 (5) A person who unlawfully and intentionally performs or authorizes, or allows another person to perform a prohibited act as envisaged under this Act in order to gain access, as provided under section 14 ,to or intercept data ,as provided under section 17, which is in possession of the State and which is exempt information in accordance with the law relating to access to information, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment for a period not exceeding ten years, or to both. 2.3 A person who intentionally publishes false, misleading data (1) A person who intentionally publishes false, misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both. 2.4 A person who intentionally inputs, alters, deletes, or suppresses computer data (1) A person who intentionally inputs, alters, deletes, or suppresses computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible commits an offence and is liable, on conviction, to fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (2) A person who commits an offence under subsection (1), dishonestly or with similar intent — (a) For wrongful gain; (b) For wrongful loss to another person; or (c) For any economic benefit for oneself or for another person, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. 2.5A person who, with fraudulent or dishonest intent (1) A person who, with fraudulent or dishonest intent
Individual assignment Legal framework on information security Page 10 (a) Unlawfully gains; (b) Occasions unlawful loss to another person; or (C) Obtains an economic benefit for oneself or for another person, through any of the means Described in subsection (2), commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or 2018 Computer Misuse and Cybercrimes imprisonment term for a term not exceeding ten years, or to both. (2) For purposes of subsection (1) the word “means" refers to (a) An unauthorized access to a computer system, program or data; (b) Any input, alteration, modification, deletion, suppression or generation of any program or data; (c) Any interference, hindrance, impairment or obstruction with the functioning of a computer system; (d) copying, transferring or moving any data or program to any computer system, data or computer data storage medium other than that in which it is held or to a different location in any other computer system, program, data or computer data storage medium in which it is held; or (e) Uses any data or program, or has any data or program output from the computer system in which it is held, by having it displayed in any Manner.
Individual assignment Legal framework on information security Page 11 3. Nigeria Approach To Cyber Security Issues In Nigeria: Challenges And Solution Protection of Critical National Information Infrastructure Designation of certain computer systems or networks as critical national information infrastructure. (1) The President may on the recommendation of the National Security Adviser, by Order published in the Federal Gazette, designate certain computer systems, networks and information infrastructure vital to the national security of Nigeria or the economic and social well being of its citizens, as constituting Critical National Information Infrastructure. (2) The Presidential Order made under subsection (1) of this section may prescribe minimum standards, guidelines, rules or procedure in respect of – (a) The protection or preservation of critical information infrastructure; (b) The general management of critical information infrastructure; (c) Access to, transfer and control of data in any critical information infrastructure; (d) infrastructural or procedural rules and requirements for securing the integrity and authenticity of data or information contained in any critical national information infrastructure; (e) the storage or archiving of data or information regarded critical national information infrastructure; (f) recovery plans in the event of disaster or loss of the critical national information infrastructure or any part of it; and (g) any other matter required for the adequate protection, management and control of data and other resources in any critical national information infrastructure 4. Audit and Inspection of critical national information infrastructure 4 The Presidential Order made under section 3 of this Act may require the audit and inspection of any Critical National Information Infrastructure, from time to time, to evaluate compliance with the provisions of this Act. 3.1Offences against critical national information infrastructure (1) Any person who commits any offence punishable under this Act against any critical national information infrastructure, designated pursuant to section 3 of this Act, is liable on conviction to imprisonment for a term of not less than fifteen years without an option of fine.
Individual assignment Legal framework on information security Page 12 (2) Where the offence committed under subsection (1) of this section results in grievous bodily injury, the offender shall be liable on conviction to imprisonment for a minimum term of 15 years without option of fine. (3) Where the offence committed under subsection (1) of this section results in death, the offender shall be liable on conviction to death sentence without out option of fine. 3.2 Unlawful access to a computer (1) Any person, who without authorization or in excess of authorization, intentionally accesses in whole or in part, a computer system or network, commits an offence and liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000 or to both fine and imprisonment. (2) Where the offence provided in subsection (1) of this section is committed with the intent of obtaining computer data, securing access to any program, commercial or industrial secrets or confidential information, the punishment shall be imprisonment for a term of not less than three years or a fine of not less than N7, 000,000.00 or to both fine and imprisonment. (3) Any person who, with the intent to commit an offence under this section, uses any device to avoid detection or otherwise prevent identification with the act or omission, commits an offence and liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment. 3.3 Unauthorized modification of computer data (1) Any person who directly or indirectly does an act without authority and with intent to cause an unauthorized modification of any data held in any computer system or network, commits an offence and liable on conviction to imprisonment for a term of not less than 3 years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment. (2) Any person who engages in damaging, deletion, deteriorating, alteration, restriction or suppression of data within computer systems or networks, including data transfer from a computer system by any person without authority or in excess of authority, commits an offence and liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment.
Individual assignment Legal framework on information security Page 13 (3) For the purpose of this section, a modification of any data held in any computer system or network takes place where, by the operation of any function of the computer, computer system or network concerned any- (i) program or data held in it is altered or erased; (ii) program or data is added to or removed from any program or data held in it; or (iii) act occurs which impairs the normal operation of any computer, computer system or network concerned. 3.3.1 System interference Any person who without authority or in excess of authority, intentionally does an act which causes directly or indirectly the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or any other form of interference in the computer system, which prevents the computer system or any part thereof, from functioning in accordance with its intended purpose, commits an offence and liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5,000,000.00 or to both fine and imprisonment. 3.4 Misuse of devices (1) Any person who unlawfully produces, supplies, adapts, manipulates or procures for use, imports, exports, distributes, offers for sale or otherwise makes available- (a) any devices, including a computer program or a component designed or adapted for the purpose of committing an offence under this Act; (b) a computer password, access code or similar data by which the whole or any part of a computer, computer system or network is capable of being accessed for the purpose of committing an offence under this Act, or (c) any device designed primarily to overcome security measures in any computer, computer system or network with the intent that the devices be utilized for the purpose of violating any provision of this Act, commits an offence and is liable on conviction to imprisonment for a term of not less than three years or a fine of not less than N7,000,000.00 or to both imprisonment and fine. (2) Any person who with intent to commit an offence under this Act, has in his possession any devise or program referred to in subsection (1) of this section, commits an offence and shall be liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000.00 or to both fine and imprisonment.
Individual assignment Legal framework on information security Page 14 (3) Any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer or network for any unlawful purpose or gain, commits an offence and shall be liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000.00 or to both fine and imprisonment. (4) Where the offence under subsection (1) of this section results in substantial loss or damage, the offender shall be liable to imprisonment for a term of not less than five years or to a fine of not less than N10,000,000.00 or to both fine and imprisonment. (5) Any person who with intent to commit any offence under this Act uses any automated means or device or any computer program or software to retrieve, collect and store password, access code or any means of gaining access to any program, data or database held in any computer, commits an offence and shall be liable on conviction to imprisonment for a term of not less than five years or to a fine of not less than N10, 000,000.00 or to both fine and imprisonment. 3.5 Computer related forgery Any person who knowingly accesses any computer or network and inputs, alters, deletes or suppresses any data resulting in inauthentic data with the intention that such inauthentic data will be considered or acted upon as if it were authentic or genuine, regardless of whether or not such data is directly readable or intelligible, commits an offence and is liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7,000,000.00 or to both fine and imprisonment. 3.6 Computer related fraud (1) Any person who knowingly and without authority or in excess of authority causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer, whether or not for the purpose of conferring any economic benefits for himself or another person, commits an offence and is liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment. (2) Any person who with intent to defraud sends electronic message to a recipient, where such electronic message materially
Individual assignment Legal framework on information security Page 15 misrepresents any fact or set of facts upon which reliance the recipient or another person is caused to suffer any damage or loss, commits an offence and shall be liable on conviction to imprisonment for a term of not less than five years or to a fine of not less than N10, 000,000.00 or to both fine and imprisonment. 3.7 Identity theft and impersonation Any person who in the course of using a computer, computer system or network (a) Knowingly obtains or possesses another person’s or entity’s identity information with the intent to deceive or defraud, or (b) Fraudulently impersonates another entity or person, living or dead, with intent to (i) gain advantage for himself or another person; (ii) Obtain any property or an interest in any property; (iii) Cause disadvantage to the entity or person being impersonated or another person; or (iv) avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice, commits an offence and liable on conviction to imprisonment for a term of not less than three years or a fine of not less than N7,000,000.00 or to both fine and imprisonment. 4.A proclamation to provide for the computer crime in Ethiopia Ethiopia has one of the lowest percentages of internet penetration in the world and in Africa. Still the number of internet users and the percentage of penetration in the country are rising by the day. At the beginning of the twenty first century, the number of internet users in the country was around 10,000 people, but as of June 2017, this number has raised to 16,037,811 with an internet penetration rate of 15.4% and an overall growth of 160,278 from the year 2000.  From various study conducted in Ethiopia regarding cybercrimes, seven forms of cybercrimes are experienced; 1. Computer virus, worm, malware or other malicious attack (57.1 %,) 2. Website defacement (40%), illegal access (17.1%), and spam (14.7%) are the leading cybercrimes frequently perpetuated against the institutions. 3. Causing damage to computer data (62.9%) 4. Denial of service (DOS) (45.7%)
Individual assignment Legal framework on information security Page 16 5. System interference (45.7%) 4.1 Section One Crimes against Computer System And Computer Data  Now, therefore, in accordance with Article 55(1) of the Constitution of the Federal Democratic Republic of Ethiopia, it is hereby proclaimed as follows. 4.1.1. Illegal Access 1/ whosoever, without authorization or in excess of authorization, intentionally secures access to The whole or any part of computer system, computer data or network shall be punishable with Simple imprisonment not exceeding three years or fine from Birr 30,000 to 50, 000 or both. 2/ where the crime stipulated under sub article (1) of this Article is committed against: a) a computer system, computer data or network that is exclusively destined for the use of a legal Person, the punishment shall be rigorous imprisonment from three to five years and fine from Birr 30,000 to 50,000; b) A critical infrastructure, the punishment shall be rigorous imprisonment from five to 10 years And fine from Birr 50,000 to 100,000. “Computer Crime Proclamation No.958/2016” 1. Whoever, without authorization or in excess of authorization, intentionally secures access to the whole or any part of computer system, computer data or network shall be punishable with simple imprisonment not more than three years or fine from Birr 30,000 to 50, 000 or both. 2. The crime specified under sub-article (1) of this Article is committed against: A. A computer system, computer data or network that is exclusively destined for the use of a legal person, the punishment shall be demanding from three years to five years and fine from Birr 30,000 to 50,000. B. A critical infrastructure, the punishment shall be rigorous imprisonment from five years to ten years and fine from Birr 50,000 to 100,000.
Individual assignment Legal framework on information security Page 17 4.1.2 Illegal Interception  Whoever, without authorization or in excess of authorization, intentionally intercepts non-public computer data or data processing service shall be punishable with rigorous imprisonment not exceeding five years and fine from Birr 10,000 to 50,000.  Where the crime stipulated under sub-article (1) of this Article is committed against: A. A computer data or data processing service that is exclusively destined for the use of a legal person, the punishment shall be rigorous imprisonment from five years to ten years and fine from Birr 50,000 to 100,000. B. A critical infrastructure, the punishment shall be rigorous imprisonment from ten years to fifteen years and fine from Birr 100,000 to 200,000 4.1.3 Interference with Computer System Whoever, without authorization or in excess of authorization, intentionally hinders, impairs (damages), interrupts or disrupts the proper functioning of the whole or any part of computer system by inputting, transmitting, deleting or altering computer data shall be punishable with rigorous imprisonment from three years to five years and fine not exceeding Birr 50,000. 1. Where the crime stipulated under sub-article (1) of this Article is committed against: A. A computer system that is exclusively destined for the use of a legal person, the punishment shall be rigorous imprisonment from five years to ten years and fine from Birr 50,000 to 100,000. B. A critical infrastructure, the punishment shall be rigorous imprisonment from ten years to fifteen years and fine from Birr 100,000 to 200,000 or, in serious case, rigorous imprisonment from fifteen years to twenty years and fine from Birr 200,000 to 500,000 4,.1.4 Causing Damage to Computer Data 1 Whosoever, without authorization or in excess of authorization, intentionally alters, deletes, suppresses a computer data, renders it meaningless, useless or inaccessible to authorized users shall be punishable with rigorous imprisonment not exceeding three years and fine not exceeding Birr 30,000.
Individual assignment Legal framework on information security Page 18 2/ where the crime stipulated under sub article (1) of this Article is committed against: a) a computer data that is exclusively destined for the use of a legal person, the punishment shall be rigorous imprisonment from three years to five years and fine from Birr 30,000 to 50,000; b) a critical infrastructure, the punishment shall be rigorous imprisonment from five to 10years and fine from Birr 50,000 to 100,000. 4.1.5 Criminal Acts Related to Usage of Computer Devices and Data 1. Whoever, knowing that it can cause damage to computer system, computer data or network, intentionally transmits any computer program exclusively designed or adapted for this purpose shall be punishable with simple imprisonment not exceeding five years or fine not exceeding Birr 30,000. 2. Whoever, knowing that it is to be used for the commission of unlawful act specified under Articles 3 to 6 of this Proclamation, intentionally imports, produces, offers for sale, distributes or makes available any computer device or computer program designed or adapted exclusively for the purpose of committing such crimes shall be punishable with rigorous imprisonment not exceeding five years and fine from Birr 10,000 to 50,000. 4.1.5 Aggravated Cases  Where the crime stipulated under Article 3 to 6 of this Proclamation is committed: A. against a computer data or a computer system or network which is designated as top secrete by the concerned body for military interest or international relation, or while the country is at a state of emergency or threat, the punishment shall be rigorous imprisonment from fifteen years to twenty five years 4.1.6 Computer Related Forgery  Whoever falsifies a computer data, makes false computer data or makes use of such data to injure the rights or interests of another or to procure for himself or for another person any undue right or advantage shall be punishable with simple imprisonment not exceeding three years and fine not exceeding Birr 30,000 or in a serious cases with rigorous imprisonment not exceeding ten years and fine from Birr 10,000 to 100,000.  Computer Related Fraud
Individual assignment Legal framework on information security Page 19 1. Whoever fraudulently causes a person to act in a manner prejudicial to his rights or those of third person by distributing misleading computer data, misrepresenting his status, concealing facts which he had a duty to reveal or taking advantage of the person’s erroneous beliefs, shall be punishable with rigorous imprisonment not exceeding five years and fine not exceeding Birr 50,000. 4.1.7 Electronic Identity Theft Whoever, with intent to commit criminal act specified under Article 10 of Proclamation or for any other purpose produces, obtains, sales, possesses or transfers any data identifying electronic identity of another person without authorization of that person shall be punishable with simple imprisonment not exceeding five years or fine not exceeding Birr 50,000. 4.1.8 Criminal Liability of Service Providers  A service provider shall be criminally legally responsible in accordance with Articles 12 to 14, of this Proclamation for any illegal computer content data disseminated through its computer systems by third parties, if it has: 1. Directly involved in the dissemination or edition of the content data; 2. Upon obtaining actual knowledge that the content data is illegal, failed to take any measure to remove or to disable access to the content data; or 3. Failed to take appropriate measure to remove or to disable access to the content data upon obtaining notice from competent administrative authorities. 5 .Strength of Ethiopian legal framework The efforts and initiatives being made by the government in fighting cybercrime from three cyberspace governance perspectives namely cyber security-related policies and strategies, legislative frameworks, and institutional arrangements. I will also provide some recommendations on what the government should do so that appropriate plans and measures can be implemented to a safer and secure Ethiopia.
Individual assignment Legal framework on information security Page 20 Despite the fact that Ethiopia is still lagging behind even compared to many developing countries, ICT penetration and usage is steadily growing. As the potential for ICT to increase economic growth and reduce poverty is an established fact, Ethiopia has to embrace ICT use in its entire social, economic and political structures. That is why the Ethiopian Government envisioned every aspect of Ethiopian life is ICT assisted and has made the development of ICT one of its strategic plan priorities. There is also a staggering increase in social networks users. The young generation of the country is logging on every day to the online environment. Recent reports show that as of 2012, there were over 1 million Face book users, with 45 per cent are between the age of 18- 40. According to the recent research paper of Trend Micro Incorporated, Ethiopia is one of the top 10 African countries with the biggest number of Face book users. The number of broadband subscription has also increased from 27,043 in 2011 to 30,372 in 2012. According to the Australia-based telecoms research company, BuddeCom, Ethiopia’s broadband market is also set for a boom following massive improvements in international bandwidth, national fiber backbone infrastructure and 3G mobile broadband services. There are also recent reports that show Ethiopia’s International Internet bandwidth is better than many other African countries as the country has been working towards improving its international bandwidth through international fiber optic links via Djibouti, Kenya and Sudan. 5.1Weakness of Ethiopian legal framework Despite the fact that Ethiopia cannot be immune from the threat of cybercrime, there is no consolidated report that shows the exact prevalence and impact of cybercrime in the country and to what extent the Ethiopian information society is vulnerable. This is because, among others, companies and individual users do not report cybercrime incidents for several reasons, do not keep organized record and some are not even know that they are targeted by cybercriminals. Records in the intelligence agencies and the law enforcement are also either not properly recorded or not accessible. Ethiopian-specific literatures on the extent of cyber-crime activities are also nonexistent. This inadequacy of statistics could lead to over- or under estimating the threat of cybercrime in the country.
Individual assignment Legal framework on information security Page 21 In this work, I tried to extract the better picture of cybercrime in the country based on, among others, two source of information. The first information was collected from a survey conducted on some institutions in Addis Ababa. Some technical reports obtained from Information Network Security Agency (INSA) are also used as source of information. Accordingly, the questionnaires were categorized in to the following four perspectives which I believe that they can give some picture of cyber security status at organizational level in Ethiopia. • Reality and prevalence of cybercrime, • Preparation of organizations to deal with cybercrime incidents, • Reporting of incidents and • Perceptions on legislative, policy and law enforcement measures 5.2 Conclusion Even though it has not been yet fully integrated in to everyday aspect of life, the use of ICT and ICTs supported services are embraced by individuals, government and business in Ethiopia. The government of Ethiopia is also working on the development ICT infrastructures and ICT based services which will increase the level of reliance on these infrastructures and services. But it is an established fact that with reliance on computer systems and other digital technologies comes vulnerability to cybercrime and cyber-attack. Therefore, once Ethiopia is connected to a global network, it becomes vulnerable to cybercriminals operating anywhere in cyberspace. And thus Ethiopia is vulnerable to cybercriminals not in theory but in practical terms. The government of Ethiopia is aware of the threats from cyberspace and is working towards curtailing these threats in terms of policy, institution and legislation. But these efforts are at very initial stage and are inadequate to deal with the ever changing cyber environment and growing threat of cybercriminals. 5.3 recommendation The current state of affairs of cyber security in Ethiopia should not be allowed to continue because cybercrime is thriving. To change this status quo and strengthen cyber security
Individual assignment Legal framework on information security Page 22 governance in Ethiopia, comprehensive works need to be done and I want to provide the following recommendations. • As cybercriminals take advantage of jurisdictions that lack comprehensive legal frameworks on cyber security in general and cybercrime in particular, I recommend that Ethiopia has to speed up its comprehensive proposed cybercrime law but also avoid the piecemeal and scattered legislation approach for it is among the bottlenecks of enforcement and interpretation.
Individual assignment Legal framework on information security Page 23
Individual assignment Legal framework on information security Page 24 References 1. www.wikipediay .com/computer crime 2. https://www.abyssinialaw.com/.../1545-the-state-of-cybercrime-governance-in-ethiopi... 3. https://www.michalsons.com › Cyber Crime 4. G. O, Odulajaand F.Wada Assessing Cyber crime and its Impact on E-Banking In Nigeria Using Social Theories (2012) 5. Criminal Code Act Chapter 77, Laws of the Federation of Nigeria. (1990)

More Related Content

DOCX
Cyber laws and sections according to IT Act 2000
Ranjita Naik
 
DOCX
information related crime in asu
yihunie ayalew
 
PPT
Infosec Law It Web (March 2006)
Lance Michalson
 
PPTX
Cyber Banking Conference
Endcode_org
 
PPTX
Cyber law
Keshab Nath
 
PPTX
Cybercrime and Laws.pptx
ManoharManu993491
 
PPTX
Cyber crime ✔
hubbysoni
 
PDF
Cyber law-it-act-2000
Mayuresh Patil
 
Cyber laws and sections according to IT Act 2000
Ranjita Naik
 
information related crime in asu
yihunie ayalew
 
Infosec Law It Web (March 2006)
Lance Michalson
 
Cyber Banking Conference
Endcode_org
 
Cyber law
Keshab Nath
 
Cybercrime and Laws.pptx
ManoharManu993491
 
Cyber crime ✔
hubbysoni
 
Cyber law-it-act-2000
Mayuresh Patil
 

Similar to Amare doc (20)

PPTX
Module 3- Information Tech. Act 2000.ppt
Soundarya Institute of Management & Science, Bengalore
 
PDF
Cybercrime in government
Jacqueline Fick
 
PPSX
Cyber law2
Setu Joshi
 
PPTX
What constitutes a cyber crime in the country
Ujjwal Tripathi
 
PPTX
Cyber security laws
Sri Manakula Vinayagar Engineering College
 
PPTX
Cyber crime ppt
Journalist Ish
 
PDF
Cybercrimeppt 160421074211
Andreaa Viv
 
PPSX
Cyber crime
Ranjan Som
 
DOCX
SITA LAB REPORT (XYBER CRIME)
Asish Verma
 
PPTX
Section 65 – Tampering with computer Source Documents.pptx
drsrivanicshod
 
PDF
Cybercrime Analysis using Criminal Information Management System: An E-Govern...
Ashish Karan
 
PPT
Cybercrime
promit
 
PPTX
138740042-cyber-law.pptx
Rahuljain40418
 
PPTX
Cyber laws in India
saumi17
 
PPTX
cyber law IT Act 2000
Yash Jain
 
PPT
Cyber Crime & Security
Dilip Prajapati
 
PDF
Cyber Security Attacks - Critical Legal and Investigation Aspects
Benjamin Ang
 
PPTX
Cyber crime and laws
Ajnish Rana
 
DOC
It act 2000 & cyber crime 111111
Yogendra Wagh
 
PPTX
Cyber crime and issues
Roshan Mastana
 
Module 3- Information Tech. Act 2000.ppt
Soundarya Institute of Management & Science, Bengalore
 
Cybercrime in government
Jacqueline Fick
 
Cyber law2
Setu Joshi
 
What constitutes a cyber crime in the country
Ujjwal Tripathi
 
Cyber security laws
Sri Manakula Vinayagar Engineering College
 
Cyber crime ppt
Journalist Ish
 
Cybercrimeppt 160421074211
Andreaa Viv
 
Cyber crime
Ranjan Som
 
SITA LAB REPORT (XYBER CRIME)
Asish Verma
 
Section 65 – Tampering with computer Source Documents.pptx
drsrivanicshod
 
Cybercrime Analysis using Criminal Information Management System: An E-Govern...
Ashish Karan
 
Cybercrime
promit
 
138740042-cyber-law.pptx
Rahuljain40418
 
Cyber laws in India
saumi17
 
cyber law IT Act 2000
Yash Jain
 
Cyber Crime & Security
Dilip Prajapati
 
Cyber Security Attacks - Critical Legal and Investigation Aspects
Benjamin Ang
 
Cyber crime and laws
Ajnish Rana
 
It act 2000 & cyber crime 111111
Yogendra Wagh
 
Cyber crime and issues
Roshan Mastana
 
Ad

Recently uploaded (20)

PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PDF
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
PDF
advance database management system book.pdf
hinamannan364
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
PPTX
Chinmaya Tiranga Azadi Quiz (Class 7-8 )
Nitin Suresh
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PPTX
History, Philosophy and sociology of education (1).pptx
tmdth1
 
PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
PPTX
UNIT III MENTAL HEALTH NURSING ASSESSMENT
Sonali Gupta
 
PDF
1_English_Language_Set_2.pdf probationary
emailjagmeetsingh9
 
PDF
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
PDF
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
PPTX
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
advance database management system book.pdf
hinamannan364
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
Chinmaya Tiranga Azadi Quiz (Class 7-8 )
Nitin Suresh
 
RMMM.pdf make it easy to upload and study
sajedul2
 
History, Philosophy and sociology of education (1).pptx
tmdth1
 
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
Lesson notes of climatology university.
sgladness67
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
UNIT III MENTAL HEALTH NURSING ASSESSMENT
Sonali Gupta
 
1_English_Language_Set_2.pdf probationary
emailjagmeetsingh9
 
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
Practical Manual AGRO-233 Principles and Practices of Natural Farming
MilindKhedekar2
 
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
Ad

Amare doc

  • 1. Individual assignment Legal framework on information security Page 1 ASSOSA UNIVERSITY COLLEGE OF COMPUTING AND INFORMATICS EPARTMENT OF INFORMATION TECHNOLOGY COURSE TITLE: SOCIAL ETHICS IN IT INDIVIDUAL ASSIGNMENT PREPARED BY: NAME IDNO AMARE SIMACHEW…………………… ETR/0027/08 E.C Submitted To Instructor: TESFAYE T Submission Date: 01/06/2011 E.C ASSOSA,ETHIOPIA
  • 2. Individual assignment Legal framework on information security Page i Table of Contents 1. Question...................................................................................................................................... 1 2. Answer........................................................................................................................................ 1 Cybercrime law in South Africa explained in detailed................................................................... 1 1. South Africa................................................................................................................................ 1 1.1 Hacking (unauthorized access) ................................................................................................. 1 1.2 Denial of service attacks ........................................................................................................... 1 1.3 Phishing..................................................................................................................................... 2 1.4 Infection of IT systems with malware (including ransom ware, spyware, Trojan and virus) .. 3 1,5 Identity theft or identity fraud (e.g. in connection with access device).................................... 4 1.6 Electronic theft (e.g. breach of confidence by a current or former employee or criminal copy right infringement).......................................................................................................................... 4 1.7Any other activity that adversely affect or threatens ................................................................. 4 1.8 Identity theft or identity fraud (example in connection with access device) ............................ 5 2. Kenya.......................................................................................................................................... 6 2.1 Offences .................................................................................................................................... 6 2.2 A person who knowingly and without authority discloses any password ................................ 8 2.3 A person who intentionally publishes false, misleading data................................................... 9 2.4 A person who intentionally inputs, alters, deletes, or suppresses computer data ..................... 9 2.5A person who, with fraudulent or dishonest intent.................................................................... 9 3. Nigeria....................................................................................................................................... 11 3.1Offences against critical national information infrastructure .................................................. 11 3.2 Unlawful access to a computer ............................................................................................... 12 3.3 Unauthorized modification of computer data ......................................................................... 12 3.3.1 System interference.......................................................................................................... 13
  • 3. Individual assignment Legal framework on information security Page ii 3.4 Misuse of devices.................................................................................................................... 13 3.5 Computer related forgery........................................................................................................ 14 3.6 Computer related fraud ........................................................................................................... 14 3.7 Identity theft and impersonation ............................................................................................. 15 4.A proclamation to provide for the computer crime in Ethiopia................................................. 15 4.1 Section One Crimes against Computer System And Computer Data..................................... 16 4.1.1. Illegal Access .................................................................................................................. 16 4.1.2 Illegal Interception ........................................................................................................... 17 4.1.3 Interference with Computer System................................................................................. 17 4,.1.4 Causing Damage to Computer Data................................................................................ 17 4.1.5 Criminal Acts Related to Usage of Computer Devices and Data .................................... 18 4.1.5 Aggravated Cases............................................................................................................. 18 4.1.6 Computer Related Forgery............................................................................................... 18 4.1.7 Electronic Identity Theft .................................................................................................. 19 4.1.8 Criminal Liability of Service Providers ........................................................................... 19 5 .Strength of Ethiopian legal framework..................................................................................... 19 5.1Weakness of Ethiopian legal framework ................................................................................. 20 5.2 Conclusion .............................................................................................................................. 21 5.3 recommendation...................................................................................................................... 21 References..................................................................................................................................... 24
  • 4. Individual assignment Legal framework on information security Page 1 1. Question 1. Write the current legal framework of South Africa, Nigeria and Kenya and compare with Ethiopian legal framework related to information security and computer crime. 2. Write the strength and weakness of Ethiopia legal framework related to these three countries. 3. Put your own recommendation for Ethiopia legal framework (constitution) related to information security and computer crime. 2. Answer Cybercrime law in South Africa explained in detailed 1. South Africa 1.1 Hacking (unauthorized access) hacking is recognized as an offence under section 86(1) of the ECT act, which states that it is an offence to intentionally access or intercept data without the appropriate authority of permission to do so. This also applies to unauthorized interface with data as contained in section 86(2) of the ECT act. Under the ECT act, the maximum penalty is affine (unspecified) or imprisonment for a period not exceeding 12 months. Under the cyber crime bill the offence of hacking is more broadly defined as it encompasses the unlawful and intentional access to data, a computer program, a computer data storage medium, or a computer system (section 2(1)). Under the cyber crimes bill, the maximum penalty is a fine (unspecified) or imprisonment for a period not exceeding five years (or both). 1.2 Denial of service attacks Section 86(5) of the ECT act states that any person who commit any of the acts described in section 86(1)-86(4) with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial of service to legitimate users is guilty of an offence.
  • 5. Individual assignment Legal framework on information security Page 2 For the sake of completeness:  Section 86(1) –see discussion above in relation to hacking;  Section 86(2) – criminalizes the unlawful intentional interference with data in a way which cause such data to be modified, destroyed or otherwise rendered ineffective;  Section 86(3) – makes it an offence to unlawful produce, sell, offer to sell, procure for use ,design, adapt for use, distribute or posses any device including a computer program or a component, which is designed primarily to overcome security measure for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawful utilize such item to contravene this section; and  Section 86(4) - makes it an offence to utilize any device or computer program mentioned in section 86(3) in order to unlawful overcome security measures designed to protect such data from access thereto. Under the ECT act, the maximum penalty for contravening section 86(5) is a fine (unspecified) or imprisonment for a period not exceeding five years. 1.3 Phishing Phishing is recognized as an offence under section 87(2) of the ECT act which provides that a person who commits any of the acts described in section 86(1)-86(5) for the purpose of obtaining an unlawful advantage by causing fake data to be produced with an intent that it would be considered or acted upon as if it were authentic is guilty of offence. The maximum penalty under the ECT act is a fine (unspecified) or imprisonment for a period not exceeding five years. Phishing can also be prosecuted under the common law offence of theft and fraud. The maximum penalty imposed would depend on which court hears the cause (which would depend on a variety of factors, the quantum of the claim being one). If the case is prosecuted in the magistrate’s court, the court can impose a fine or imprisonment for a maximum period of 15 years in terms of its penal jurisdiction. If the case is heard in the high court of south Africa, the court has wider discretion and may impose any fine or term of imprisonment which they deem appropriate in the circumstance.
  • 6. Individual assignment Legal framework on information security Page 3 Under cybercrime bill, there are separate offences for cyber fraud, cyber forgery and uttering and cyber extortion (section 8,9 and 10) which all attempt to deal with forms of phishing. A court which convicts a person of such an offence (where a penalty is not prescribed by any other law) can impose a sentence which the court deems appropriate and which is within that court’s penal jurisdiction. 1.4 Infection of IT systems with malware (including ransom ware, spyware, Trojan and virus) Yes, see the discussion above in respect to denial of service attack. Section 87(1) related to computer –related extortion, fraud and forgery of the ECT act is also relevant as it states that it is an offence to perform or threaten to perform any of the acts to described in section 86, for the purpose of obtaining any unlawful property advantage by undertaking to cease or desist from such action, or undertaking to restore any damage cased as the result of those actions. Under the ECT Act, the maximum penalty imposed for contravention of section 86(4) is a fine (unspecified) or imprisonment for period not exceeding five years. Under the cyber crimes Bill, there are separate offences for unlawful acts (in respect of software tools), as well as unlawful interference with data, computer program, computer data storage medium or a computer program or system(which is construed broadly enough to specifically include malware). Under the Cybercrimes Bill, the maximum penalty for contravention of theses sections is a fine (unspecified) or imprisonment for a period not exceeding 10 years (or both). Yes, see the discussion above in respect to denial- of- service attacks. Section86 (3) of the ECT Act is relevant and the maximum penalty which can be imposed for contravention of section86 (3) is a fine or imprisonment for a period not exceeding 12months. Under the Cyber Crimes Bill, it is an offence under section4 (1) to unlawfully and intentionally posses, manufacturer, assemble, obtain, sell, purchase, make available or advertise any software or hardware tool for purpose of contravening certain other section of the Cybercrimes Bill. The maximum penalty for contravention of this section is a fine (unspecified) or imprisonment for a period not exceeding 10 years (or both).
  • 7. Individual assignment Legal framework on information security Page 4 1,5 Identity theft or identity fraud (e.g. in connection with access device) Yes, Section 87 of the ECT Act (which deals with computer-related extortion, fraud and forgery) is relevant and criminalizes the action of the person who performs or threatens to perform any of the acts in section 86 for the purpose of obtaining any unlawful property advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic. If the offender uses an access device to breach certain security measure and then uses data unlawfully, then the offender will have contravened section 87 and of the ECT Act. As stated above, the maximum penalty imposed for contravention of section 87 if a fine (unspecified) or imprisonment for a period not exceeding five years. Identify theft or fraud can also be prosecuted under the common law offence of “theft “or “fraud’ .The sentence jurisdiction would operate the same as discussed above in relation to “phishing”. Depending on the nature of offence it may also be possible to prosecute identity theft or fraud as an infringement of copy right under the copy right laws. Under the Cybercrimes Bill there are separate offences for cyber fraud, ciber forgery and uttering and cyber extortion (sections 8,9 and 10) which are broad enough to cover identity theft or fraud. A court which convicts a person of such an offence (where a penalty is not prescribed by any other law) can impose a sentence which court deems appropriate and which is within that courts penal jurisdiction. 1.6 Electronic theft (e.g. breach of confidence by a current or former employee or criminal copy right infringement). Yes, electronic theft may constitute an offence under section 86(1) of the ECT Act related to unlawful access to data (see the discussion above relation to hacking).it can also be prosecuted and which is within that courts penal jurisdiction. With regards to criminal copy right infringement, the copy right Act 98 of 1987 makes provision for criminal penalties, including the fine(maximum of R5,000 per infringement) and /or imprisonment of up to three years for first conviction. The maximum fine and/or imprisonment penalty for a second conviction is R10, 000 and or 5 years. 1.7Any other activity that adversely affect or threatens The security, confidentiality or availability of any IT system structure, communications network, device or data.
  • 8. Individual assignment Legal framework on information security Page 5 See also the discussion above in relation to hacking with regards to the Cybercrime Bill and electronic theft. Any other activity that adversely affects or threatens the security, confidentiality, integrating or availability of any IT system, infrastructure, communication s network, devices and data. The ECT Act also criminalize attempting to commit any of the offences in the ECT Act or aiding and abetting those offences (section 88) the same penalties will apply as if the offence was successfully perpetrated. Under the cybercrime Bill there are numerous new offences relating to “malicious communications.” For example, it will be an offence to disseminate a data message which advocates, promotes or insights hate discrimination or violence against a person or group of persons “Revenge porn” will also constitute an offence under the cyber crime Bill (where a naked image of the a person is shared electronically without their consent). 1.8 Identity theft or identity fraud (example in connection with access device) Section 87 of the ECT act (which deals with computer related extortion, fraud and forgery) is relevant and criminalist the action of a person who performs or threaten to perform any of the acts in section 86 for the purpose of obtain any unlawful proprietary advantage or obtain any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic. If the offender uses an access device to breach certain security measure and then uses the data unlawfully. Then the offender will contravene section 87 and 86 of the ECT Act. As stated above the maximum penalty imposed for contravention of section 87 is fine (unspecified) or imprisonment for a period not exceeding five years. Identity theft or fraud can also be prosecuted under the common law offence of “theft “or “fraud “The sentencing jurisdiction would operate the same as discuss above in relation to “phishing”. Depending on the nature of the offence, it may also be possible to prosecute identity theft or fraud as an infringement of copyright under copy right laws. Under the cyber crimes bill, there are separate offences for cyber fraud, cyber forgery and uttering and cyber extortion which are broad enough to cover identity theft or fraud. a court which convicts a person of such an offence(where a penalty is not prescribed by any other law)can impose sentence which the court deems appropriate and which is within the courts penal jurisdiction
  • 9. Individual assignment Legal framework on information security Page 6 2. Kenya The National Computer And Cybercrimes Co-Ordination Committee 2.1 Offences (1) A person who causes, whether temporarily or permanently, a computer system to perform a function, by infringing security measures, with intent to gain access, and knowing such access is unauthorized, commits an offence and is liable on conviction, to a fine not exceeding five Million shillings or to imprisonment for a term not exceeding three years, or to both. (2) Access by a person to a computer system is unauthorized if (a) That person is not entitled to control access of the kind in question to the program or data; or (b) that person does not have consent from any person who is entitled to access the computer system through any function to the program or data. (3) For the purposes of this section, it is immaterial that the unauthorized access is not directed at (a) Any particular program or data; (b) A program or data of any kind; or (c) A program or data held in any particular computer system. (1) A person who commits an offence under Section 14 with intent to commit a further offence under any law, or to facilitate the commission of a further offence by that person or any other person, commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding ten years, or to both. (1) A person who intentionally and without authorization does any act which causes an unauthorized interference, to a computer system, program or data, Commits an offence and is liable on conviction, to a fine not Exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (2) For the purposes of this section, interference is unauthorized, if the person whose act causes the interference (a) Is not entitled to cause that interference; (b) Does not have consent to interfere from a person who is so entitled. (3) A person who commits an offence under subsection (1) which, (a) Results in a significant financial loss to any person;
  • 10. Individual assignment Legal framework on information security Page 7 (b) Threatens national security; (c) Causes physical injury or death to any person; or (d) Threatens public health or public safety, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. (1) A person who intentionally and without authorization does any act which intercepts or causes to be intercepted, directly or indirectly and causes the transmission of data to or from a computer system over a telecommunication system commits an offence and is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (2) A person who commits an offence under subsection (1) which (a) Results in a significant financial loss; (b) Threatens national security; (c) Causes physical or psychological injury or death to any person; or (d) Threatens public health or public safety, is liable, on conviction to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. (3) For the purposes of this section, it is immaterial that the unauthorized interception is not directed at (a) A telecommunication system; (b) Any particular computer system data; (c) A program or data of any kind; or d) A program or data held in any particular computer system. (1) A person who knowingly manufactures, adapts, sells, procures for use, imports, offers to supply, distributes or otherwise makes available a device, program, computer password, access code or similar data designed or adapted primarily for the purpose of committing any offence under this Part, commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. (2) A person who knowingly receives, or is in possession of, a program or a computer password, device, access code, or similar data from any action specified under subsection (1) and intends that it be used to commit or assist in commission of an offence under this Part commits an offence and is liable on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both.
  • 11. Individual assignment Legal framework on information security Page 8 2.2 A person who knowingly and without authority discloses any password (1) A person who knowingly and without authority discloses any password, access code or other means of gaining access to any program or data held in any computer system commits an offence and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment For a term not exceeding three years, or to both. (2) A person who commits the offence under Subsection (1) (a) For any wrongful gain; (b) For any unlawful purpose; or (c) To occasion any loss, is liable, on conviction, to a fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (1) A person who unlawfully and intentionally performs or authorizes or allows another person to perform a prohibited act envisaged in this Act, in order to (a) Gain access, as provided under section 14, to critical data, a critical database or a national critical information infrastructure; or (b) Intercept data, as provided under section 17, to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable, on conviction, to imprisonment for a period not exceeding twenty years or to a fine not exceeding ten million shillings, or to both. (2) A person who commits an offence under subsection (1) which causes physical injury to any person is liable, on conviction, to imprisonment for a term not exceeding twenty years. (3) A person who commits an offence under subsection (1) which causes the death of a person is liable, on conviction, to imprisonment for life. (4) A person who unlawfully and intentionally possesses, communicates, delivers or makes available or receives, data, to, from or within a critical database or a national critical information infrastructure, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable on conviction to imprisonment for a period exceeding twenty years or to a fine not exceeding ten million shillings, or to both.
  • 12. Individual assignment Legal framework on information security Page 9 (5) A person who unlawfully and intentionally performs or authorizes, or allows another person to perform a prohibited act as envisaged under this Act in order to gain access, as provided under section 14 ,to or intercept data ,as provided under section 17, which is in possession of the State and which is exempt information in accordance with the law relating to access to information, with the intention to directly or indirectly benefit a foreign state against the Republic of Kenya, commits an offence and is liable, on conviction, to a fine not exceeding five million shillings or to imprisonment for a period not exceeding ten years, or to both. 2.3 A person who intentionally publishes false, misleading data (1) A person who intentionally publishes false, misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both. 2.4 A person who intentionally inputs, alters, deletes, or suppresses computer data (1) A person who intentionally inputs, alters, deletes, or suppresses computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible commits an offence and is liable, on conviction, to fine not exceeding ten million shillings or to imprisonment for a term not exceeding five years, or to both. (2) A person who commits an offence under subsection (1), dishonestly or with similar intent — (a) For wrongful gain; (b) For wrongful loss to another person; or (c) For any economic benefit for oneself or for another person, is liable, on conviction, to a fine not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years, or to both. 2.5A person who, with fraudulent or dishonest intent (1) A person who, with fraudulent or dishonest intent
  • 13. Individual assignment Legal framework on information security Page 10 (a) Unlawfully gains; (b) Occasions unlawful loss to another person; or (C) Obtains an economic benefit for oneself or for another person, through any of the means Described in subsection (2), commits an offence and is liable, on conviction, to a fine not exceeding twenty million shillings or 2018 Computer Misuse and Cybercrimes imprisonment term for a term not exceeding ten years, or to both. (2) For purposes of subsection (1) the word “means" refers to (a) An unauthorized access to a computer system, program or data; (b) Any input, alteration, modification, deletion, suppression or generation of any program or data; (c) Any interference, hindrance, impairment or obstruction with the functioning of a computer system; (d) copying, transferring or moving any data or program to any computer system, data or computer data storage medium other than that in which it is held or to a different location in any other computer system, program, data or computer data storage medium in which it is held; or (e) Uses any data or program, or has any data or program output from the computer system in which it is held, by having it displayed in any Manner.
  • 14. Individual assignment Legal framework on information security Page 11 3. Nigeria Approach To Cyber Security Issues In Nigeria: Challenges And Solution Protection of Critical National Information Infrastructure Designation of certain computer systems or networks as critical national information infrastructure. (1) The President may on the recommendation of the National Security Adviser, by Order published in the Federal Gazette, designate certain computer systems, networks and information infrastructure vital to the national security of Nigeria or the economic and social well being of its citizens, as constituting Critical National Information Infrastructure. (2) The Presidential Order made under subsection (1) of this section may prescribe minimum standards, guidelines, rules or procedure in respect of – (a) The protection or preservation of critical information infrastructure; (b) The general management of critical information infrastructure; (c) Access to, transfer and control of data in any critical information infrastructure; (d) infrastructural or procedural rules and requirements for securing the integrity and authenticity of data or information contained in any critical national information infrastructure; (e) the storage or archiving of data or information regarded critical national information infrastructure; (f) recovery plans in the event of disaster or loss of the critical national information infrastructure or any part of it; and (g) any other matter required for the adequate protection, management and control of data and other resources in any critical national information infrastructure 4. Audit and Inspection of critical national information infrastructure 4 The Presidential Order made under section 3 of this Act may require the audit and inspection of any Critical National Information Infrastructure, from time to time, to evaluate compliance with the provisions of this Act. 3.1Offences against critical national information infrastructure (1) Any person who commits any offence punishable under this Act against any critical national information infrastructure, designated pursuant to section 3 of this Act, is liable on conviction to imprisonment for a term of not less than fifteen years without an option of fine.
  • 15. Individual assignment Legal framework on information security Page 12 (2) Where the offence committed under subsection (1) of this section results in grievous bodily injury, the offender shall be liable on conviction to imprisonment for a minimum term of 15 years without option of fine. (3) Where the offence committed under subsection (1) of this section results in death, the offender shall be liable on conviction to death sentence without out option of fine. 3.2 Unlawful access to a computer (1) Any person, who without authorization or in excess of authorization, intentionally accesses in whole or in part, a computer system or network, commits an offence and liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000 or to both fine and imprisonment. (2) Where the offence provided in subsection (1) of this section is committed with the intent of obtaining computer data, securing access to any program, commercial or industrial secrets or confidential information, the punishment shall be imprisonment for a term of not less than three years or a fine of not less than N7, 000,000.00 or to both fine and imprisonment. (3) Any person who, with the intent to commit an offence under this section, uses any device to avoid detection or otherwise prevent identification with the act or omission, commits an offence and liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment. 3.3 Unauthorized modification of computer data (1) Any person who directly or indirectly does an act without authority and with intent to cause an unauthorized modification of any data held in any computer system or network, commits an offence and liable on conviction to imprisonment for a term of not less than 3 years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment. (2) Any person who engages in damaging, deletion, deteriorating, alteration, restriction or suppression of data within computer systems or networks, including data transfer from a computer system by any person without authority or in excess of authority, commits an offence and liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment.
  • 16. Individual assignment Legal framework on information security Page 13 (3) For the purpose of this section, a modification of any data held in any computer system or network takes place where, by the operation of any function of the computer, computer system or network concerned any- (i) program or data held in it is altered or erased; (ii) program or data is added to or removed from any program or data held in it; or (iii) act occurs which impairs the normal operation of any computer, computer system or network concerned. 3.3.1 System interference Any person who without authority or in excess of authority, intentionally does an act which causes directly or indirectly the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or any other form of interference in the computer system, which prevents the computer system or any part thereof, from functioning in accordance with its intended purpose, commits an offence and liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5,000,000.00 or to both fine and imprisonment. 3.4 Misuse of devices (1) Any person who unlawfully produces, supplies, adapts, manipulates or procures for use, imports, exports, distributes, offers for sale or otherwise makes available- (a) any devices, including a computer program or a component designed or adapted for the purpose of committing an offence under this Act; (b) a computer password, access code or similar data by which the whole or any part of a computer, computer system or network is capable of being accessed for the purpose of committing an offence under this Act, or (c) any device designed primarily to overcome security measures in any computer, computer system or network with the intent that the devices be utilized for the purpose of violating any provision of this Act, commits an offence and is liable on conviction to imprisonment for a term of not less than three years or a fine of not less than N7,000,000.00 or to both imprisonment and fine. (2) Any person who with intent to commit an offence under this Act, has in his possession any devise or program referred to in subsection (1) of this section, commits an offence and shall be liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000.00 or to both fine and imprisonment.
  • 17. Individual assignment Legal framework on information security Page 14 (3) Any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer or network for any unlawful purpose or gain, commits an offence and shall be liable on conviction to imprisonment for a term of not less than two years or to a fine of not less than N5, 000,000.00 or to both fine and imprisonment. (4) Where the offence under subsection (1) of this section results in substantial loss or damage, the offender shall be liable to imprisonment for a term of not less than five years or to a fine of not less than N10,000,000.00 or to both fine and imprisonment. (5) Any person who with intent to commit any offence under this Act uses any automated means or device or any computer program or software to retrieve, collect and store password, access code or any means of gaining access to any program, data or database held in any computer, commits an offence and shall be liable on conviction to imprisonment for a term of not less than five years or to a fine of not less than N10, 000,000.00 or to both fine and imprisonment. 3.5 Computer related forgery Any person who knowingly accesses any computer or network and inputs, alters, deletes or suppresses any data resulting in inauthentic data with the intention that such inauthentic data will be considered or acted upon as if it were authentic or genuine, regardless of whether or not such data is directly readable or intelligible, commits an offence and is liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7,000,000.00 or to both fine and imprisonment. 3.6 Computer related fraud (1) Any person who knowingly and without authority or in excess of authority causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer, whether or not for the purpose of conferring any economic benefits for himself or another person, commits an offence and is liable on conviction to imprisonment for a term of not less than three years or to a fine of not less than N7, 000,000.00 or to both fine and imprisonment. (2) Any person who with intent to defraud sends electronic message to a recipient, where such electronic message materially
  • 18. Individual assignment Legal framework on information security Page 15 misrepresents any fact or set of facts upon which reliance the recipient or another person is caused to suffer any damage or loss, commits an offence and shall be liable on conviction to imprisonment for a term of not less than five years or to a fine of not less than N10, 000,000.00 or to both fine and imprisonment. 3.7 Identity theft and impersonation Any person who in the course of using a computer, computer system or network (a) Knowingly obtains or possesses another person’s or entity’s identity information with the intent to deceive or defraud, or (b) Fraudulently impersonates another entity or person, living or dead, with intent to (i) gain advantage for himself or another person; (ii) Obtain any property or an interest in any property; (iii) Cause disadvantage to the entity or person being impersonated or another person; or (iv) avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice, commits an offence and liable on conviction to imprisonment for a term of not less than three years or a fine of not less than N7,000,000.00 or to both fine and imprisonment. 4.A proclamation to provide for the computer crime in Ethiopia Ethiopia has one of the lowest percentages of internet penetration in the world and in Africa. Still the number of internet users and the percentage of penetration in the country are rising by the day. At the beginning of the twenty first century, the number of internet users in the country was around 10,000 people, but as of June 2017, this number has raised to 16,037,811 with an internet penetration rate of 15.4% and an overall growth of 160,278 from the year 2000.  From various study conducted in Ethiopia regarding cybercrimes, seven forms of cybercrimes are experienced; 1. Computer virus, worm, malware or other malicious attack (57.1 %,) 2. Website defacement (40%), illegal access (17.1%), and spam (14.7%) are the leading cybercrimes frequently perpetuated against the institutions. 3. Causing damage to computer data (62.9%) 4. Denial of service (DOS) (45.7%)
  • 19. Individual assignment Legal framework on information security Page 16 5. System interference (45.7%) 4.1 Section One Crimes against Computer System And Computer Data  Now, therefore, in accordance with Article 55(1) of the Constitution of the Federal Democratic Republic of Ethiopia, it is hereby proclaimed as follows. 4.1.1. Illegal Access 1/ whosoever, without authorization or in excess of authorization, intentionally secures access to The whole or any part of computer system, computer data or network shall be punishable with Simple imprisonment not exceeding three years or fine from Birr 30,000 to 50, 000 or both. 2/ where the crime stipulated under sub article (1) of this Article is committed against: a) a computer system, computer data or network that is exclusively destined for the use of a legal Person, the punishment shall be rigorous imprisonment from three to five years and fine from Birr 30,000 to 50,000; b) A critical infrastructure, the punishment shall be rigorous imprisonment from five to 10 years And fine from Birr 50,000 to 100,000. “Computer Crime Proclamation No.958/2016” 1. Whoever, without authorization or in excess of authorization, intentionally secures access to the whole or any part of computer system, computer data or network shall be punishable with simple imprisonment not more than three years or fine from Birr 30,000 to 50, 000 or both. 2. The crime specified under sub-article (1) of this Article is committed against: A. A computer system, computer data or network that is exclusively destined for the use of a legal person, the punishment shall be demanding from three years to five years and fine from Birr 30,000 to 50,000. B. A critical infrastructure, the punishment shall be rigorous imprisonment from five years to ten years and fine from Birr 50,000 to 100,000.
  • 20. Individual assignment Legal framework on information security Page 17 4.1.2 Illegal Interception  Whoever, without authorization or in excess of authorization, intentionally intercepts non-public computer data or data processing service shall be punishable with rigorous imprisonment not exceeding five years and fine from Birr 10,000 to 50,000.  Where the crime stipulated under sub-article (1) of this Article is committed against: A. A computer data or data processing service that is exclusively destined for the use of a legal person, the punishment shall be rigorous imprisonment from five years to ten years and fine from Birr 50,000 to 100,000. B. A critical infrastructure, the punishment shall be rigorous imprisonment from ten years to fifteen years and fine from Birr 100,000 to 200,000 4.1.3 Interference with Computer System Whoever, without authorization or in excess of authorization, intentionally hinders, impairs (damages), interrupts or disrupts the proper functioning of the whole or any part of computer system by inputting, transmitting, deleting or altering computer data shall be punishable with rigorous imprisonment from three years to five years and fine not exceeding Birr 50,000. 1. Where the crime stipulated under sub-article (1) of this Article is committed against: A. A computer system that is exclusively destined for the use of a legal person, the punishment shall be rigorous imprisonment from five years to ten years and fine from Birr 50,000 to 100,000. B. A critical infrastructure, the punishment shall be rigorous imprisonment from ten years to fifteen years and fine from Birr 100,000 to 200,000 or, in serious case, rigorous imprisonment from fifteen years to twenty years and fine from Birr 200,000 to 500,000 4,.1.4 Causing Damage to Computer Data 1 Whosoever, without authorization or in excess of authorization, intentionally alters, deletes, suppresses a computer data, renders it meaningless, useless or inaccessible to authorized users shall be punishable with rigorous imprisonment not exceeding three years and fine not exceeding Birr 30,000.
  • 21. Individual assignment Legal framework on information security Page 18 2/ where the crime stipulated under sub article (1) of this Article is committed against: a) a computer data that is exclusively destined for the use of a legal person, the punishment shall be rigorous imprisonment from three years to five years and fine from Birr 30,000 to 50,000; b) a critical infrastructure, the punishment shall be rigorous imprisonment from five to 10years and fine from Birr 50,000 to 100,000. 4.1.5 Criminal Acts Related to Usage of Computer Devices and Data 1. Whoever, knowing that it can cause damage to computer system, computer data or network, intentionally transmits any computer program exclusively designed or adapted for this purpose shall be punishable with simple imprisonment not exceeding five years or fine not exceeding Birr 30,000. 2. Whoever, knowing that it is to be used for the commission of unlawful act specified under Articles 3 to 6 of this Proclamation, intentionally imports, produces, offers for sale, distributes or makes available any computer device or computer program designed or adapted exclusively for the purpose of committing such crimes shall be punishable with rigorous imprisonment not exceeding five years and fine from Birr 10,000 to 50,000. 4.1.5 Aggravated Cases  Where the crime stipulated under Article 3 to 6 of this Proclamation is committed: A. against a computer data or a computer system or network which is designated as top secrete by the concerned body for military interest or international relation, or while the country is at a state of emergency or threat, the punishment shall be rigorous imprisonment from fifteen years to twenty five years 4.1.6 Computer Related Forgery  Whoever falsifies a computer data, makes false computer data or makes use of such data to injure the rights or interests of another or to procure for himself or for another person any undue right or advantage shall be punishable with simple imprisonment not exceeding three years and fine not exceeding Birr 30,000 or in a serious cases with rigorous imprisonment not exceeding ten years and fine from Birr 10,000 to 100,000.  Computer Related Fraud
  • 22. Individual assignment Legal framework on information security Page 19 1. Whoever fraudulently causes a person to act in a manner prejudicial to his rights or those of third person by distributing misleading computer data, misrepresenting his status, concealing facts which he had a duty to reveal or taking advantage of the person’s erroneous beliefs, shall be punishable with rigorous imprisonment not exceeding five years and fine not exceeding Birr 50,000. 4.1.7 Electronic Identity Theft Whoever, with intent to commit criminal act specified under Article 10 of Proclamation or for any other purpose produces, obtains, sales, possesses or transfers any data identifying electronic identity of another person without authorization of that person shall be punishable with simple imprisonment not exceeding five years or fine not exceeding Birr 50,000. 4.1.8 Criminal Liability of Service Providers  A service provider shall be criminally legally responsible in accordance with Articles 12 to 14, of this Proclamation for any illegal computer content data disseminated through its computer systems by third parties, if it has: 1. Directly involved in the dissemination or edition of the content data; 2. Upon obtaining actual knowledge that the content data is illegal, failed to take any measure to remove or to disable access to the content data; or 3. Failed to take appropriate measure to remove or to disable access to the content data upon obtaining notice from competent administrative authorities. 5 .Strength of Ethiopian legal framework The efforts and initiatives being made by the government in fighting cybercrime from three cyberspace governance perspectives namely cyber security-related policies and strategies, legislative frameworks, and institutional arrangements. I will also provide some recommendations on what the government should do so that appropriate plans and measures can be implemented to a safer and secure Ethiopia.
  • 23. Individual assignment Legal framework on information security Page 20 Despite the fact that Ethiopia is still lagging behind even compared to many developing countries, ICT penetration and usage is steadily growing. As the potential for ICT to increase economic growth and reduce poverty is an established fact, Ethiopia has to embrace ICT use in its entire social, economic and political structures. That is why the Ethiopian Government envisioned every aspect of Ethiopian life is ICT assisted and has made the development of ICT one of its strategic plan priorities. There is also a staggering increase in social networks users. The young generation of the country is logging on every day to the online environment. Recent reports show that as of 2012, there were over 1 million Face book users, with 45 per cent are between the age of 18- 40. According to the recent research paper of Trend Micro Incorporated, Ethiopia is one of the top 10 African countries with the biggest number of Face book users. The number of broadband subscription has also increased from 27,043 in 2011 to 30,372 in 2012. According to the Australia-based telecoms research company, BuddeCom, Ethiopia’s broadband market is also set for a boom following massive improvements in international bandwidth, national fiber backbone infrastructure and 3G mobile broadband services. There are also recent reports that show Ethiopia’s International Internet bandwidth is better than many other African countries as the country has been working towards improving its international bandwidth through international fiber optic links via Djibouti, Kenya and Sudan. 5.1Weakness of Ethiopian legal framework Despite the fact that Ethiopia cannot be immune from the threat of cybercrime, there is no consolidated report that shows the exact prevalence and impact of cybercrime in the country and to what extent the Ethiopian information society is vulnerable. This is because, among others, companies and individual users do not report cybercrime incidents for several reasons, do not keep organized record and some are not even know that they are targeted by cybercriminals. Records in the intelligence agencies and the law enforcement are also either not properly recorded or not accessible. Ethiopian-specific literatures on the extent of cyber-crime activities are also nonexistent. This inadequacy of statistics could lead to over- or under estimating the threat of cybercrime in the country.
  • 24. Individual assignment Legal framework on information security Page 21 In this work, I tried to extract the better picture of cybercrime in the country based on, among others, two source of information. The first information was collected from a survey conducted on some institutions in Addis Ababa. Some technical reports obtained from Information Network Security Agency (INSA) are also used as source of information. Accordingly, the questionnaires were categorized in to the following four perspectives which I believe that they can give some picture of cyber security status at organizational level in Ethiopia. • Reality and prevalence of cybercrime, • Preparation of organizations to deal with cybercrime incidents, • Reporting of incidents and • Perceptions on legislative, policy and law enforcement measures 5.2 Conclusion Even though it has not been yet fully integrated in to everyday aspect of life, the use of ICT and ICTs supported services are embraced by individuals, government and business in Ethiopia. The government of Ethiopia is also working on the development ICT infrastructures and ICT based services which will increase the level of reliance on these infrastructures and services. But it is an established fact that with reliance on computer systems and other digital technologies comes vulnerability to cybercrime and cyber-attack. Therefore, once Ethiopia is connected to a global network, it becomes vulnerable to cybercriminals operating anywhere in cyberspace. And thus Ethiopia is vulnerable to cybercriminals not in theory but in practical terms. The government of Ethiopia is aware of the threats from cyberspace and is working towards curtailing these threats in terms of policy, institution and legislation. But these efforts are at very initial stage and are inadequate to deal with the ever changing cyber environment and growing threat of cybercriminals. 5.3 recommendation The current state of affairs of cyber security in Ethiopia should not be allowed to continue because cybercrime is thriving. To change this status quo and strengthen cyber security
  • 25. Individual assignment Legal framework on information security Page 22 governance in Ethiopia, comprehensive works need to be done and I want to provide the following recommendations. • As cybercriminals take advantage of jurisdictions that lack comprehensive legal frameworks on cyber security in general and cybercrime in particular, I recommend that Ethiopia has to speed up its comprehensive proposed cybercrime law but also avoid the piecemeal and scattered legislation approach for it is among the bottlenecks of enforcement and interpretation.
  • 26. Individual assignment Legal framework on information security Page 23
  • 27. Individual assignment Legal framework on information security Page 24 References 1. www.wikipediay .com/computer crime 2. https://www.abyssinialaw.com/.../1545-the-state-of-cybercrime-governance-in-ethiopi... 3. https://www.michalsons.com › Cyber Crime 4. G. O, Odulajaand F.Wada Assessing Cyber crime and its Impact on E-Banking In Nigeria Using Social Theories (2012) 5. Criminal Code Act Chapter 77, Laws of the Federation of Nigeria. (1990)