National security, police: No laws to deal with cyber crime

AGAINST the background of over 200 cyber attacks on public and private sector entities over the last five years, there is no legislation to define these incidents as crimes and help the authorities to bring the perpetrators to justice.

These were the testimonies given by members of the National Security Ministry's Cyber Security Incident Response Team (TT-CSIRT) and the police cyber and social media unit (CSMU) to members of the Parliament's Social Services and Public Administration Committee on Monday.

TT-CSIRT manager Angus Smith said, "From 2019 to now, we have had something like 200-plus different types of incidents throughout TT."

These incidents happened in the public and private sector.

Smith said these incidents include data breaches, business e-mail compromise and website defacement.

He added there were approximately 80 cyber incidents in the public sector and the remainder in the private sector over the last five years.

Committee chairman, Independent Senator Dr Paul Richards, asked if some government ministries were being targeted more than others.

Smith said there is no evidence of this.

This year, he continued. there were 22 public sector incidents and 29 private sector incidents.

"These are incidents that are reported to us."

Smith estimated that at least 85 per cent of the cyber incidents which happen in TT are reported to TT-CSIRT.

He added it is not mandatory for public or private sector entities to report cyber incidents to the team..

Richards asked how many of these incidents were committed by the same actors and who were they.

Smith said the actors are foreign groups.

"We have encountered a number of instance of foreign groups."

He added that two cases involves one entity being attacked twice.

"Generally when an entity gets attacks, generally so far it seems to be a one-off incident."

Richards asked about the resilience of state entities to these incidents.

Smith said some government ministries respond better to such incidents for several reasons.

These include more mature staff and better procedures.

CSMU head, Supt Amos Sylvester said while there have been many cyber incidents, there are no specific laws which identify them as crimes.

"We depend largely on legislation (to act against criminals)."

The only legislation which deals directly with computer related offences is the Computer Misuse Act 2000.

Sylvester lamented this law "never had the sight of the kinds of (computer/cyber) crimes that we are seeing now."

He added that since 2009, efforts to strengthen this legislation have been unsuccessful.

Sylvester was unaware of anyone being charged for computer-related offences in the last three years.

With most of the perpetrators being foreign-based, Sylvester said the police cannot seek help from their international counterparts through mutual assistance treaties, if there is no local legislation which allows the sharing of relevant computer offence infomation between different jurisdictions.

Sylvester also said the penalties for computer offences under the act are small.

Richards agreed that fines of $20,000 or three years in prison for such offences was light.

Committee member, Minister in the Agriculture Ministry Avinash Singh said this would encourage more people to commit cyber crimes.

Singh added that he has received e-mails from people claiming to asking for money.

"Some people (who receive these e-mails) actually send money.

CSMU officer Sgt Marvin Walker said Facebook has been used by some local perpetrators to lure people to particular locations where they are robbed.

Walker estimated there were 68 such reports this year while 38 happened in 2022.

He said in one of these incidents, someone was murdered.

While entities may strengthen their systems to combat cyber attacks, Walker said, "The weakest link is the human element."

He added that for a cyber attack to happen, all it needs is "one person to open up that remote access portal."

Walker said this is why the CSMU engages public and private sector entities in public awareness programmes about cyber crimes and related matters.