As an IT/cybersecurity practitioner for 16 years, I had foreseen the possible catastrophic impact should malicious hackers launch an attack against our critical cyberinfrastructure. So if you ask me whether we need a cybercrime law or not, my answer is “yes,” definitely. In fact we needed it 10 years ago. However, I agree with the view that libel by ICT shouldn’t be considered a crime.
I believe that the Cybercrime Prevention Act of 2012 (Republic Act No. 10175) was passed with some provisions that deviate from its original objective—that is, to prosecute cybercriminals. A definitive answer as to what constitutes a cybercrime is crucial in the implementation of the law. From a “cyberperspective,” cybercrimes include (but are not limited to) the following: identity theft, compromised confidentiality and integrity of information, distribution of worms and Trojans, disruption of online services (DoS/DDoS), systems intrusions, unauthorized modification of data and other online information, information theft, and installation and distribution of unlicensed software.
As we all know, the libel provision in RA 10175 prompted some of our cybercitizens or netizens to attack government-owned websites, an act which is in itself a crime under the new law. Unfortunately, their overreaction to the law’s libel provision has taken away the spotlight from the real reason we need a cybercrime law. The “hackattacks” should have shown to all and sundry how vulnerable our systems are and how easy it is to disrupt online services.
Beyond libel, what we should worry about and focus on more is the risk of cyberwar, which is a bigger threat. In a cyberwar, the main actors would no longer be mere “hacktivists” but cyberterrorists and state-sponsored hackers whose objective would be not just to deface websites and steal Facebook accounts, but to disrupt and compromise economic security.
By definition, one of the pillars of national security is economic security. In cyberwar, the enemy can successfully take down the economy of a nation or state by merely pressing the “Enter” key. A cyberterrorist can cause havoc without necessarily blowing anything or himself up. A cyberspy can steal and gather vital information about a target country without being physically present there. In this modern and technology-driven world, the war has shifted from guns and bombs to bits and bytes. A cyberwar can be won without firing a single bullet.
Others claim that it is easy and possible to trace the real source of an attack and identify the real perpetrator. I disagree. Having been exposed to the defensive and offensive areas of cybersecurity, I can categorically say it is very difficult and almost impossible to trace the real source of an attack, much less identify the real identity of the perpetrators. Using various hacking tools, hackers may launch cyberattacks while sitting in an Internet café or coffee shop in Manila, Philippines, yet make it appear like the attack is coming from other cities or countries. I believe this is exactly the reason why the hackers responsible for the cyberattacks were so defiantly aggressive—they are certain that they cannot be traced or they know government is not equipped enough to trace and identify them. Make no mistake, cyberspace is a borderless world and the Internet provides a perfect cover and refuge to everyone, and these hackers have almost perfected the skills of anonymity.
Angel Redoble, a certified ethical hacker and computer hacking forensic investigator with a master’s degree in Information Security Management from UPSAM-ASIMILEC in Madrid, Spain, is president and CEO of ARMCI Solutions and Consultancy.