NZ hacking law leaves insider hole

A loophole in new legislation that would let malicious hackers employed by an organization go free, has some in the industry worried.

The Crimes Amendment Bill was passed through Parliament on Friday.

The clauses in the legislation that criminalize access to a computer system “without authorization” specifically exclude the case where “a person authorized to access a computer system accesses that computer system for a purpose other than the one for which that person was given access”.

Internal intrusion is easier and widely said to be a much more common offense than hacking into a system from outside.

Computerworld pointed out the exclusion in the legislation at an early stage of the bill’s drafting, more than two years ago, and some submissions at the committee stage, following the first reading, also suggested it was unwise.

Kerry Elton, CIO at CentrePort New Zealand Ltd., sees the omission as something that should be remedied.

“Protection of systems from employees is a concern. It’s often a question of mere trust,” she says.

Certain internal technological controls can be imposed, but holes in most operating systems pose a risk of these controls being circumvented, she says.

Ordinary staffers can in theory be restricted in the ways they can access the system, but a certain number of technical users are always given root access. This opens greater opportunities for abuse, and makes the intruder difficult to identify. The risk increases when, as is increasingly the case, an organization opens up its computer system to partners through network links, she says. People working for a partner company would still be “authorized” to access the system, but be outside the original company’s direct control.

While Elton says the gap in the law should be plugged, the form of an amendment “would depend on what the rest of the legislation says”, and would have to be carefully worded.

Others are not against better protection, but regard their own security policies as a superior answer to the problem or are keen to see the long-delayed bill passed and reviewed later.

Housing Corporation CIO Rob Herries sees internal discipline as sufficient to handle the problem.

“We get all our users to sign agreements covering confidentiality of data and spelling out what they’re allowed to do from their desktop.” It should not be necessary to invoke the criminal law, he says.

This point of view was put forward in 2000 by a Justice Ministry spokeswoman who participated in the act’s drafting. She cited British legal commentary which compared internal intrusion to a misdemeanor like misusing the office photocopier, and argued that internal discipline was more appropriate than law.

Warwick Sullivan of the New Zealand Defense Force also feels internal control is enough. He says that at the time of the first committee hearing the NZDF considered whether they wanted any extra protection.

“It would have been nice to have more legal powers, but we (decided) they aren’t really necessary. We have rules and if anyone (misused computers within NZDF) we’d just dismiss them.”

Itanz chief Jim O’Neill says the wording is a worry, and “a number of people in the industry” have mentioned this in the course of the act’s passage.

“It is a hole in the law, and if it has the effect of appearing to be a loophole, that’s dangerous.”

However, in both industry and political circles there was a strong feeling that the appropriate course was to get the legislation passed as quickly as possible, and then consider possible review.

“As it stands now, it’s certainly a heck of a lot better than (the protection) we’ve got at the moment,” O’Neill says. “There is a point of view in the industry that we wouldn’t want to hold it up for the sake of pushing for more amendments.”