If you are having trouble viewing this email, click here to view this online



   ISSUE 52

26 November  2015

Article of the Month Around the World

The Budapest Cyber Crime Convention and its impacts


On September 1, 2015, the Council of Europe Convention on Cybercrime (ETS 185 of 2001), often referred to as the “Budapest Cybercrime Convention”, or “Cybercrime Convention” in short, entered into force in Sri Lanka. This is a historic achievement, because Sri Lanka becomes the first country in South Asia (and only the second Asian country, after Japan) to become a state party to this Convention. Philippines and Singapore are yet to complete the accession procedure, although they attend the Convention Committee as observer and ad-hoc observers, respectively.


The Budapest Cybercrime Convention is the only available global treaty which addresses Internet and computer crime, harmonises national laws, adopts improved investigative techniques based on international standards and enhances criminal justice cooperation among nation states to effectively combat the threat from cybercrime. To understand its significance and impact, it is worth considering two recent cases (one from Sri Lanka and the other from UK).

Sri Lanka

In a sextortion case reported last week to the Sri Lanka Police “High Tech Crime Unit”, a suspect used a fake facebook account to add many women as “friends”. The suspect then altered the “friends” photos and sought to extort money from these victims, threatening to post the photos of victims on the fake account if monies were not paid. Investigators eventually managed to uncover the genuine facebook account of the suspect and arrested him when he came to a hotel to collect a ransom. The case is now pending formal prosecution.

A recent data breach case, reported in the UK, saw personal and banking details of up to four million customers of the UK based phone/broadband services provider “Talk Talk” being accessed unlawfully by hackers. In some cases, alleged hackers had directly contacted customers, who eventually reported a loss of money. This prompted policy makers to call for stronger cybercrime measures stating that cybercrime is the “biggest threat to UK’s economy”. Many countries have estimated that the global economic loss from cybercrime has reached a staggering US$ 70 billion per year.

In both of the above-mentioned cases, investigators require information pertaining to Internet Protocol addresses (IP addresses), details of networks and communication systems in other countries. Such information and access to data would enhance the ability of such investigators to identify perpetrators of cybercrime and ensure safer internet environment for bona fide users. Cybercrime offences are transnational and multi-jurisdictional in nature. Therefore, the effective fight against cybercrime requires any country to obtain evidence stored on computer systems and networks in other countries.

In this context, the Budapest Cybercrime Convention is the only International Treaty that facilitates international cooperation and gives countries the ability to obtain electronic evidence stored on computer systems and networks in another country. The Convention greatly enhances the gathering of electronic evidence, as well as the investigation of cyber laundering and other serious crimes. Accession to this Convention significantly enhances the ability of Sri Lanka to carry out successful investigations of cybercrime offences, by gathering electronic evidence from state parties to the Convention. It will also help in law enforcement and judicial cooperation at international level, while ensuring adherence to human rights safeguards in the investigation process, a hallmark of this convention, made applicable amongst all parties to this Treaty.

Sri Lanka’s accession to this Convention was the fastest in the Council of Europe. This was possible due to the provisions contained in the Computer Crimes Act No. 24 of 2007 and several policies adopted in recent times, aligned with the Convention. Prior to Sri Lanka’s accession, there was an assessment of our country’s cybercrime legislative framework. The assessments carried out by the Council of Europe focused on the manner in which Computer Crimes offences were investigated (especially under the Computer Crimes Act and applicable procedural law). One key assessment was the adequacy of safeguards to match the Council of Europe standards. Sri Lanka was found to have safeguards consistent with the Convention standards and the “unanimous approval” of all state parties was obtained before Sri Lanka could be invited to Accede to the Convention.



Warrantless wiretapping

The Budapest Cybercrime Convention is a Criminal Justice Convention and therefore is a criminal justice response to cybercrime offences. The Convention does not deal with Internal Security and Intelligence matters, which in most countries (including Sri Lanka) are dealt with under other laws. Internal Security and Intelligence laws deal with prevention, etc whereas cybercrime laws deal with investigations after an offence is committed and a complaint is formally lodged.

Some concerns have been raised whether “warrantless wiretapping” would be legitimised or enhanced. However, a close review of the Computer Crimes Act of Sri Lanka shows that it is the exception rather than the rule. Under the provisions of the Computer Crimes Act, a Magistrate’s Court order is a “sine quo non” for such interceptions, thus, meeting the standards prescribed by the Budapest Cybercrime Convention.Finally, an advantage of Sri Lanka joining this Convention is that it would be under regular review, both in terms of compliance with the Convention and use of its provisions, through the work of the Cybercrime Convention Committee.

Accession to the Convention has created a paradigm shift in the manner in which investigation of Cybercrime offences are carried out and also set the stage for Data Protection and Privacy legislation, drawing on European best practices thus, enabling Sri Lanka to meet the “adequacy standards” for smooth cross border flow of data.

Jayantha Fernando

 Mr. Jayantha Fernando is an Attorney with a specialised LLM degree in IT and Telecommunications Law from the University of London. He spearheaded ICT legal reforms, including Sri Lanka’s recent accession to the Budapest Cybercrime Convention and the UN Electronic Communications Convention. He is Programme Director/ Legal Advisor at the ICTA.


1 Statistics on the Internet growth in Sri Lanka
2.The Dragon Research Group (DRG)
3.TSUBAME (Internet threat monitoring system) from JPCERT | CC
4.Shadowserver Foundation
5. Team Cymru


Special News


'From September 23rd onwards Bank CSIRT of Sri Lanka will be known as FIN_CSIRT. The name change was done by the Steering Committee (of which Sri Lanka CERT is a member) in order to accommodate other registered Finance Companies.


'...Recovery starts with detox and support groups. Or with workers in hazmat suits sealing away your electronic devices in containers marked “biohazard.” Or with a trip to a remote stretch of desert, where you’ll learn the skills needed to survive in the wild. ....'



'....Underlying the internet, often literally lying under the sea, is a surprisingly vulnerable array of cables that keep the world connected.

When we talk about modern tech warfare, we’re usually focused on nuclear reactors, water pumps, or transportation systems. We might think of the super-virus deployed by the United States and Israel to slow down Iran’s nuclear program in 2010. We don’t typically consider the miles of undersea cables that, according to the US Federal Reserve,carry $10 trillion in transactions every day.....'

Android Tablets with Pre-Installed Trojan Sold on Amazon


'....A nasty Trojan that allows malicious actors to remotely control infected devices has been pre-loaded on many types of Android tablets sold on Amazon and other online stores, Cheetah Mobile has warned......'

Google Pushes Mandatory Full-Disk Encryption in Android 6.0

'...Google has stepped up the security of its Android operating system with the release of Android 6.0 Marshmallow by requiring manufacturers to enable full-disk encryption out-of-the-box for new devices.

Previously, Google announced that full-device encryption was recommended for all devices that could meet certain performance levels, but it has since made the security measure mandatory in the most recent Android Compatibility Definition Document. Google also requires that AES with a key of 128-bit or higher be used, and that the key be stored on the device only if AES encrypted...'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in October  2015
  Statistics - Sri Lanka CERT|CC

2016 Predictions: The Fine Line Between Business and Personal

'...Like any other year, 2015 had its mix of ups and downs in the world of security. A fine line exists between the threats that we face and the solutions we have at our disposal; any slip-up on the part of defenders can make an existing problem that much worse....'

BYOD vs. CYOD: What's Right For Your Business?

'...The last few years have been all about BYOD—or bring your own device—an IT revolution that freed employees from the shackles of dated or unsuitable hardware in favor of, well, whatever they wanted to use. The benefits are obvious: most employees have their own computers at home and know how to use them, so they can spend more time getting down to business and less time trying to work out why this application doesn’t have that feature.....'

Hack to cost UK's TalkTalk up to $53 million

'...This was how we learned that Ashley Madison users were being targeted for extortion online. While looking into the leaked files, we identified several dozen profiles on the controversial site that used email addresses that belonged to Trend Micro honeypots. The profiles themselves were quite complete: all the required fields such as gender, weight, height, eye color, hair color, body type, relationship status, and dating preferences were there. The country and city specified matched the IP address’s longitude/latitude information. Almost half (43%) of the profiles even have a written profile caption in the home language of their supposed countries....'

Notice Board
  Training and Awareness Programmes - November  2015
- 2015-11-15- 2015-11-19 Sri Lanka Visit of the officials of the Gwanju Metropolitan of Education Visit Gamini M.M.V Nuwaraeliya, Mahinda Rajapakshe Vidyalaya Homagama, National Institute of Education and Ministry of Education
- 2015-11-28 to 2015-12-01
Workshop on the Progress Review (2015), Presentation of identified areas for year 2016 plans and leadership Personality, Attitudes and skills Development Uva- Kuda oya Commando Regiment Training School 
- 2015-10-31 to 2015-11-06
Education leadership Development Center - Meepe A/L syllabus Training for A/L ICT teachers
- 2015-11-14 to 2015-11-20 Education leadership Development Center - Meepe IA/L syllabus Training for A/L ICT teachers

Brought to you by: