By Eric Lip, a trainee at OTP Law Corporation
I. Cyber law in Singapore: A Quick Overview (Part 1 of 2)
The latest annual report by the Cyber Security Agency of Singapore (“CSA”) highlighted a worrying trend of increasing major cyber attacks as well as cyber-crime. Cyber-crimes now account for close to a staggering one-fifth of all crimes committed in Singapore.[1]
The risks and threats in cyberspace are varied and laws are constantly evolving to tackle new threats. At present, there are 4 key pieces of legislation on this topic:
i. The Cybersecurity Act;
ii. The Personal Data Protection Act;
iii. The Computer Misuse Act; and
iv. Sectoral regulations, such as the MAS regulations for banks, IMDA regulations for info-communications, etc.
In this two-part article, we seek to provide an overview of the legal landscape pertaining to such cyber threats by discussing (a) how these cyber threats are dealt with by the law; and (b) Singapore’s strategy in enhancing cybersecurity, especially legislatively. We will also be discussing the first three pieces of legislation above.
In Part 1, we break down the technical and legal aspects of cybercrime for easy understanding.
II. Part 1: Understanding common cyber threats and the criminal law
A. Definitions
Typically, discussions about cyber threats cover both cybercrime and cybersecurity.
Cybercrime includes:
(a) Real-world crimes that are perpetrated using a computer (e.g. online cheating, extortion cases); and
(b) Criminal acts that are targeted at computers/computer systems (i.e., hacking).
Cybercrime is under the purview of the Ministry of Home Affairs and the Singapore Police Force.
On the other hand, cybersecurity refers to preventing unauthorised access or use of a computer or computer system and its data. Matters relating to cybersecurity are under the purview of the Cyber Security Agency. Where personal data is accessed during a cybersecurity breach, the Personal Data Protection Commission will be involved.
III. Offences under CMA
The starting point for tackling cybercrimes is the Computer Misuse Act (“CMA”). The CMA covers unauthorised access to, use of or modification of computers, computer materials and computer services.
This means that an offender can be charged for the chain of actions comprising his or her cybercrime. For instance, if a hacker accesses your PayPal account to make transactions without your permission and subsequently locks you out of your account, the hacker may be liable for the following:
- s 3 and s 4 CMA for access without your permission with intent to commit further crime;
- s 5 CMA for unauthorised modification of computer material to cause the unauthorised transaction; and
- s 7 CMA for unauthorised obstruction of use of computer by preventing you from accessing your account.
The CMA has extraterritorial reach, which means that the CMA will apply even if an offence took place outside of Singapore or by a person residing outside Singapore. This is necessary given the borderless nature of cyber threats.
Below, we take a look at some of the common cyber threats targeting computers/computer systems as well as the sections of the CMA that attempt to address them.
A. DDoS attacks
Distributed denial-of-service (“DDoS”) attack: a DDoS attack involves disruption of a target, such as a server, website or network resource, by overwhelming the target with superfluous concurrent requests.
This means that websites can be temporarily shut down, which can be incredibly inconvenient for Internet users. A prime example would be when Dyn, a Domain Name System provider, was attacked in 2016. This led to major Internet platforms and services like Airbnb, PayPal and Spotify being temporarily unavailable.
A DDoS attack is a deliberate attempt to interfere with the servers of the target. This will clearly be caught under s 7 of the CMA, which makes it an offence for any person to knowingly cause unauthorised interference or impediment of the usefulness or effectiveness of a program or data stored in a computer. Any person guilty of an offence under s 7 shall be liable for a fine up to $10,000 or imprisonment up to 3 years or both.
B. Website defacement
Website defacement: refers to an attack on a website to change its contents and visual appearance.
While this may sound simplistic and harmless, it can have serious consequences, such as tarnishing the victim’s reputation. Take, for instance, when the Prime Minister’s Office’s and the Istana’s websites were defaced in 2013 to display mocking messages and pictures.
Website defacement will be caught under s 5 of the CMA as unauthorised modification of computer materials. Any person guilty of an offence under s 5 shall be liable for a fine up to $10,000 or imprisonment up to 3 years or both.
C. Ransomware
Ransomware: much like its namesake, ransomware is a form of malware that denies a victim’s access to the device or data until a ransom amount is paid.
Ransomware continues to grow in sophistication and can have devastating effects on victims. A favoured way to find new victims is to send out seemingly innocuous emails, inviting the reader to download an attachment or click on a website link. GandCrab, one of the more aggressive ransomware strains, is believed to have extorted around US$300 million in ransom payments.
Any infection of a computer with malware, including ransomware, attracts liability under s 5 CMA for unauthorised modification. The denial of a victim’s access to data or the computer further results in liability under s 7 of the CMA as unauthorised obstruction.
D. Phishing
Phishing: phishing is the method employed to trick victims into providing sensitive information such as passwords and credit card details. Phishing often takes the form of fake websites/e-mail accounts intended to pass off as the authentic websites/e-mail accounts in order for the accused to steal sensitive information such as passwords.
Phishing, as a form of social engineering to obtain information from victims, can take various forms and there is no single provision that addresses phishing directly.
However, under s 3 of the CMA, it is an offence for any person to knowingly cause a computer to perform any function for the purpose of obtaining unauthorised access to any program or data held in any computer. As such, while the CMA does not directly address the phishing of sensitive information, the accused’s access to the program or data is nevertheless unauthorised and constitutes an offence. Conviction under this section incurs liability for a fine up to $5,000 or imprisonment up to 2 years.
Further, there may also be an additional offence under s 5 of the CMA for unauthorised modification of computer material. For instance, if the accused uses the victim’s credit card details to make unauthorised payments, such as that in Public Prosecutor v Tan Hock Keong Benjamin [2014] SGDC 16, it would constitute an offence under s 5 of the CMA as an unauthorised modification to the contents of the data stored in the bank’s servers.
IV. Other cybercrimes
Besides offences under the CMA, cybercrimes also include traditional crimes committed using the Internet as a medium. These are covered under a number of other Acts, such as the Penal Code and the Protection from Harassment Act (“PoHA”). The scale of such operations is startling. In 2017 alone, there were 826 cases of internet love scams reported, which involved around $37 million.
A. Online cheating
The Penal Code provides for the following offences:
- Cheating under s 415 of the Penal Code, which is punishable by 3 years’ imprisonment, a fine, or both;
- Cheating by personation under s 416 of the Penal Code, which involves pretending to be someone else or representing that he or any other person is someone else. This is punishable by 5 years’ imprisonment, a fine, or both; and
- Cheating of property under s 420, which involves causing the victim to deliver property to the cheat. This is punishable by 10 years’ imprisonment, a fine, or both.
With online anonymity and the increased ease of making transactions online, online scams have become a major concern, especially on e-commerce platforms and online marketplaces.
However, not every online scam would result in criminal prosecution under the Penal Code, as there may not be sufficient dishonest or fraudulent intent, or evidence that shows such intent. Thus, victims of online scams may also consider trying to recover the amount cheated through a civil claim. A claim may be filed with the Small Claims Tribunals for amounts up to $10,000, or $20,000 with the consent of both parties. Nevertheless, recovery may not be that simple, as consent is unlikely to be obtained and the true identity of the criminal is not always easily found out.
B. Extortion
As a related point, online scams, especially online love scams, may even involve extortion if the scammer manages to get hold of compromising evidence of the victims. Cyber extortion may also take the form of email extortion, where scammers threaten to release screenshots of the victim watching pornographic materials, or the previously discussed ransomware, where important data is withheld from the victims until payment is made.
Extortion is an offence under s 385 of the Penal Code and punishable with imprisonment of 2 to 5 years with caning.
C. Doxxing
Doxxing: the act of doxxing refers to the publishing of a person’s personally identifiable information with the intention to harass, threaten or abuse the person.
There are also elements of the cyberspace landscape that are covered by other legislation. In May 2019, the PoHA was amended to include doxxing as an offence. Under the new amendment, the accused can face a fine up to $5,000 or a jail term of up to six months.
The methods that perpetrators employ to perform doxxing can range in legitimacy, from searching publicly available databases to outright hacking to obtain such data. For instance, one may be able to learn details about a person, such as his/her residential address, through photos the person has shared. If the information is obtained via illegal methods such as hacking or phishing, such acts will be caught under the CMA discussed above.
V. Conclusion
While the CMA has extraterritorial effect and contains offence-creating provisions that can tackle most cyber threats, it is not a silver bullet against cyber threats. It remains challenging in practice to identify and prosecute a perpetrator of cybercrime due to internet anonymity and the transnational nature of cybercrime. This creates many challenges in gathering evidence for the prosecution of cybercriminals. As such, deterrence in the form of criminal punishment is insufficient in tackling cyber threats.
Proper measures need to be in place to ensure that there is adequate cybersecurity defence in order to protect against cybersecurity threats. In the second part of this article, we explore Singapore’s strategy towards enhancing cybersecurity. In particular, we will discuss two important pieces of legislation, the Cybersecurity Act and the Personal Data Protection Act (“PDPA”), that set out the obligations of organisations regarding cybersecurity arrangements.
[1] Hariz Baharudin, “Fewer cyber threats detected here last year, but online crime still rising: CSA report” The Straits Times (18 June 2019) https://www.straitstimes.com/tech/cyber-crime-still-rising-accounts-for-almost-a-fifth-of-all-crime-in-singapore-csa-report