The excuse that the Computer Crime Bill is new to everybody is unacceptable as Computer Crime Legislation has a 20-year history and there is no reason why Malaysia should not enact the best, as distinct from the harshest, Computer Crime Act by learning from the experience of others


Speech - Computer Crimes Bill 1997 (Comm. Stage Debate I)
by Lim Kit Siang

(Dewan Rakyat, Thursday): The Minister for Energy, Telecommunications and Posts, Datuk Leo Moggie gave an assurance that the Government would look into the various proposals made during the debate on the cyberbills as cyberlaws are new to everybody and to the country.

I take it that this is a diplomatic way of indicating that the government would not support any of the six amendments which I had given notice that I would move during the Committee Stage of the Computer Crimes Bill - leaving the door open that they might be considered on a future occasion.

I find this most unacceptable, for it reflects very poorly on the professionalism of the Attorney-Generalís Chambers, especially as I had given notice of these six amendments at the Parliamentary Cyberbill Forum organised by the multi-party Parliamentary IT Forum last Friday.

Furthermore, I also find the excuse that the Computer Crime is new to everybody is unacceptable as Computer Crime Legislation has a 20-year history and there is no reason why Malaysia should not enact the best, as distinct from the harshest, Computer Crime Act by learning from the experiences of others.

The first computer crimes law did not go back to 1990 when the United Kingdom Computer Misuse Act was passed, but about 20 years go to 1978 when the state of Florida made history to become the first to enact a computer crimes law - just as in 1995, the state of Utah made history in enacting the first digital signature law in the world.

At present, 48 of the 51 states in the United States have laws against computer crimes.

The United States has concurrent federal and state jurisdictions over computer crimes. The US federal law against compuer crimes was enacted in 1984 and amended in 1986, 1988, 1989, 1990 and 1996.

Canada was the first common-law country to enact laws specifically against computer crimes in 1983.

Many other countries have computer crime laws, Apart from UK and Singapore which I had mentioned in the debate, these countries include Australia, New Zealand, Norway, Sweden, Denmark, Finland, France, Germany, Netherlands and Switzerland.

Computer crime legislation is therefore not so new as if Malaysia is treading on completely virgin territory. In actual fact, there are plenty of materials and experiernces from other countries for Malaysia to learn from to enable us to enact the best computer crimes law in the world.

If the Attorney-Generalís Chambers had been professional and serious in wanting to enact the best computer crimes law in the world, it should have made a thorough study of the computer crimes laws in other countries and their experiences in implementing the laws, and be able to entertain all questions and discuss in depth all aspects of the Computer Crimes Bill it had drafted, including amendments which had been proposed, rather than striking the attitude that this is something very new, let us pass this Bill first and see how it works as we can always amend it later!

I do not know about other MPs, but I find such an attitude completely unacceptable, irresponsible, flippant and most unprofessional!

Yesterday, I had warned of the dangers of applying old laws and old legal concepts to new technologies. MPs must be particularly vigilant of such pitfalls when enacting cyberlaws. This is a problem not just confined to Malaysia but is also prevalent even in the developed countries.

Persons responsible for writing, enforcing and interpreting the law have failed to grasp the full import of the cybernetic revolution and have striven valiantly but, for the most part, ineffectually to force computer technology into pigeon holes that were designed for quill pens and parchment.

Even the phrase "computer crime" is a misnomer. Computers do not commit crimes any more than firearms kill people. People commit all the crimes.

This is why the computer crime legislation in the United Kingdom and Singapore are known as Computer Misuse Act. Can the Attorney-Generalís Chamber explain they have chosen to use the less correct term of Computer Crimes Bill - committing the same mistakes as terms like "smart schools", confusing technology with knowledge or wisdom!

(1) Amendment to Section 3(3)

This is to propose that the maximum sentence for the offence of unauthorised access to computer material under Section 3 be RM10,000 fine, three yearsí jail or both, instead of the proposed RM50,000 fine, five yearsí jail or both.

Despite my amendments, Malaysia would have the worldís most severe penalty for the offence of unauthorised access.

At the Parliamentary Cyberbill Forum last Friday, Datuk Abdul Gani Patail from the Attorney Generalís Chambers gave three reasons for the the stiff penalties in the Computer Crime Bill: firstly, to deter offenders; secondly, to help investors and users feel confident with computer use; and thirdly, create a conducive atmosphere for the development of IT.

I wonder whether the Attorney-Generalís Chambers is serious when giving these three reasons, and if so, let us have the facts and studies which cause the Attorney-Generalís Chambers to come to such a conclusion - as the Attorney-Generalís chambers cannot just invent reasons to justify having the harshest penalties for similar computer crime offence in the world without any study or feedback?

Has the Attorney-Generalís Chambers made a comprehensive study of computer intrusions meant to be protected by the Computer Crimes Bill before the House?

It has been estimated that acts of God or the acts of incompetent or careless employees may be expected to cause 84 per cent of the losses in a computer centre; the actions of dishonest employees may be expected to cause 13 per cent; and the actions of intruders 3 per cent.

The challenge of computer crime is immense: it is hard to prove, and even harder to detect. There are four steps in committing a computer crime:

1. Obtain access to the computer system.
2. Extend access until the criminal intent can be realized.
3. Scrutinize, modify, defraud or destroy information.
4. Remove evidence of unauthorised entry

The most important step is gaining access. Access to a computer system, program or database is controlled by making users identify themselves and then authenticate their identity. Authentication can be accomplished by testing knowledge of a password, possession of an artifact, or having some biological or behavioral characteristic. Any of these mechanisms can be defeated. Access control by use of an automatic fingerprint reader was thought to be invincible until a terrorist group kidnapped a bank manager and cut off his right thumb to activate a critical access control system. Actually the password is still by far the most used means of authentication.

Any intruder who is able to extend unauthorized access to get into a protected machine state can alter the audit trail. This is a continuous log kept by the computer as a record of who enters at what date and time. It may also record what programs were executed and which files were changed. However, a skillful intruder can alter the log to remove all traces of entry, and even to "frame" some legitimate user. As long as such weaknesses exist in the security posture of computers, attribution of computer crime to any but the most unsophisticated offenders is all but impossible.

For these reasons, the preoccupation of the Government with having the harshest penalties in the world for computer crimes without any discussion during the debate on the Bill on the most important question of promoting computer security systems and consciousness shows that the government has failed to grasp the real issues about computer security.

The underlying implication given by Datuk Abdul Gani Patail of the Attorney-Generalís Chambers at the Parliamentary Cyberbill Forum last Friday is that having the harshest penalties for computer crimes in Malaysia is one precondition for the success of the Multimedia Super Corridor (MSC).

Is there any basis or is it just a device by the Attorney-Generalís Chambers to put the Malaysian Computer Crimes Act on the world map by having the most severe and harshest penalties for the same offence of computer crimes in the whole wide world - to justify getting into the Guinness Book of Records?

The Multimedia Development Corporation through its FAQ (Frequently Asked Questions) about the MSC available on its website on the Internet disclosed that over 150 detailed interviews have been conducted with multimedia / IT companies to understand their requirements with "creating the best environment in the world to harness the benefits of multimedia technologies and applications". Did these multimedia/IT companies asked for having the most severe and harshest penalties for computer crimes in the world?

What are the issues which are regarded by the international multimedia/IT companies as critical issues which would influence their decision whether to participate in the MSC?

Having the most severe and harshest computer crimes law in the world does not make it into the list of critical issues which are regarded as barriers to participation by international multimedia/IT companies in the MSC.

According to the briefing given at the Parliamentary Cyberbill Forum, the critical issues regarded as barriers to participation by multimedia/IT companies in the MSC as a result of 50 overseas interviews are as follows, in order of their "critical-ness":

1. Availability and quality of telecommunications.
2. Shortage of skills.
3. Bumiputera policies.
4. Poor air links.
5. Corruption.
6. Foreign ownership limits.
7. Unwelcoming Environment.
8. Piracy of Intellectual Property.
9. Censorship.

There are differences in the outcome of 50 domestic interviews on the critical issues which are barriers to the success of the MSC, namely:

1. Shortage of skills.
2. Availability and quality of telecommunications.
3. Restricted access to foreign expertise.
4. Censorship
5. Bumiputera policies.
6. Implementation capabilities.
7. Unwelcoming environment.

In both domestic and international surveys about critical issues which are barriers to the success of MSC, there is no mention whatsoever about having the most severe and harshest penalties for computer crimes in the world or the MSC would be a failure.

What then are the justifications for having the harshest penalties in the world for the same computer crimes?

(30/4/97)


*Lim Kit Siang - Malaysian Parliamentary Opposition Leader, Democratic Action Party Secretary-General & Member of Parliament for Tanjong