Experts differ on how to get tough on computer crime

A letter sent in July to Canada’s Minister of Justice requesting better enforcement of hasher penalties for computer crimes has been met with a great deal of scepticism from industry experts.

The letter, which focused on the issue of computer virus crime, was sent by the Information Technology Association of Canada (ITAC) to Anne McLellan, Minister of Justice and Attorney General of Canada. Four main issues were addressed: a request for more serious penalties than the 10- year maximum under section 430(5) of the Criminal Code pertaining to mischief in relation to data; criminalization of the possession of virus-creating tools; international coordination of laws and enforcement due to the cross-border nature of virus attacks; and greater awareness of the criminal provisions that police and prosecutors might increase enforcement on.

“I’m not happy with the (current) penalties, but I’m even less happy with enforcement by the police and prosecution by the prosecutors,” said Gaylen Duncan, president and CEO of ITAC and author of the letter.

“If you come in and clean out my files (with a virus), is that any different from someone throwing a bomb in my office?” Duncan asked.

“If it was a bomb, [the police] would be here right away. I’d be surrounded by yellow tape. With computers people say, ‘What are you talking about, don’t you have a back-up?’ Well yeah, and I have another office I could move to if this one gets smashed, but what are you going to do about the guy who smashed this office?”

Duncan said ITAC is looking for tougher laws on computer crime in general but is focusing on the virus issue in particular right now due to the current rash of attacks with viruses such as Melissa and Worm.ExploreZip.

But other experts in the security field don’t see harsher penalties as the solution.

Shayne Gregg, a senior manager in Deloitte & Touche’s Enterprise Risk Services practice in Vancouver, said the issue relates more to education than harsh penalties.

“We can raise the penalties all we want, but if no one knows about them and we’re never going to catch them anyway because we don’t have a properly funded police force, then it’s probably irrelevant,” Gregg said.

“I don’t think most people know there is legislation that would put them behind bars. I think most of them think they would just get a slap on the wrist…I think the penalty is OK at 10 years, but nobody knows about it so it’s kind of pointless what level you raise it to.”

Nahum Goldmann, CEO of ADDSecure.Net Inc., a computer security firm in Ottawa, went even further to say that it doesn’t matter what Canadian penalties are or who knows about them since he has not heard of a major virus originating in Canada to begin with.

“The jurisdiction of the justice minister here doesn’t mean anything to the guys who create viruses. They would just laugh. The guy who sits in Nigeria or Venezuela and hears the Canadian justice minister is going to put tougher penalties on criminals, they’re trembling, they really start to cry,” Goldmann quipped.

He said he believes the solution is to define legal standards for how organizations should deal with viruses and prevent their propagation.

Chris Ram, counsel in the criminal law policy section of the Department of Justice, had not read ITAC’s letter at press time but was fairly certain it would cross his desk soon. He said he can’t speak for the minister until she has read the letter and responded, “but generally the government’s position has been that the provisions in the (Criminal) Code are adequate.”

Ram explained that although the maximum punishment for mischief related to data is 10 years, sentences of 14 years or life are possible if the circumstances warrant it.

“Any kind of mischief, including computer mischief, that causes actual danger to life is punishable by life. So you can actually get life if you send [the virus] to the air traffic control centre or a hospital. Certainly, if harm was caused of some sort, there are other possible charges like criminal negligence causing bodily harm or death. The maximum for that is life as well,” said Ram, indicating that ITAC’s letter will not likely spur a movement to harsher penalties.

“It’d be pretty tough to convince a parliamentary committee that we should be sending people to jail for life for writing computer viruses,” Ram said.

As for making it a criminal offence to possess virus-making tools, ITAC’s Duncan likened the issue to possessing burglary tools, where a carpenter or locksmith might have legitimate reason to own such tools, but if a known burglar is caught with them on the way to a break-in, the break-in doesn’t need to be completed for an arrest to be made.

Likewise, he said, if a known hacker or virus writer is found to have virus-creating tools on his or her computer, that should be a crime in and of itself.

But Deloitte & Touche’s Gregg said such laws would be unrealistic and unenforceable.

“Most of the tools used to create viruses are simple code and simple tools freely available and used in business. I think that would make a large number of organizations who are valid developers of code very uncomfortable, knowing that at any moment they could be shoved in prison for owning these things,” Gregg said.

The ITAC letter claims there is opportunity for Canada to be a world leader in the fight against viruses with tougher laws, but Goldmann of ADDSecure.Net was again sceptical.

“We (Canada) are a very marginal player. We are not a leader in the issue of viruses…When somebody asks us to help, we should participate. I agree with that. And if there is an international convention on tougher penalties for computer criminals, especially in the area of viruses, we should sign it and maybe participate in writing it. Then we could get legislation which corresponds to this convention,” Goldmann said.

The justice department’s Ram said Canada is involved in several major global initiatives dealing with issues surrounding computer crime, but he could not comment on the details of those discussions.

The full text of ITAC’s letter is available on the association’s Web site at