NZ hacking law leaves insider hole

A loophole in new legislation that would let malicious hackers employed by an organization go free, has some in the industry worried.

The Crimes Amendment Bill was passed through Parliament on Friday.

The clauses in the legislation that criminalize access to a computer system “without authorization” specifically exclude the case where “a person authorized to access a computer system accesses that computer system for a purpose other than the one for which that person was given access”.

Internal intrusion is easier and widely said to be a much more common offense than hacking into a system from outside.

Computerworld pointed out the exclusion in the legislation at an early stage of the bill’s drafting, more than two years ago, and some submissions at the committee stage, following the first reading, also suggested it was unwise.

Kerry Elton, CIO at CentrePort New Zealand Ltd., sees the omission as something that should be remedied.

“Protection of systems from employees is a concern. It’s often a question of mere trust,” she says.

Certain internal technological controls can be imposed, but holes in most operating systems pose a risk of these controls being circumvented, she says.

Ordinary staffers can in theory be restricted in the ways they can access the system, but a certain number of technical users are always given root access. This opens greater opportunities for abuse, and makes the intruder difficult to identify. The risk increases when, as is increasingly the case, an organization opens up its computer system to partners through network links, she says. People working for a partner company would still be “authorized” to access the system, but be outside the original company’s direct control.

While Elton says the gap in the law should be plugged, the form of an amendment “would depend on what the rest of the legislation says”, and would have to be carefully worded.

Others are not against better protection, but regard their own security policies as a superior answer to the problem or are keen to see the long-delayed bill passed and reviewed later.

Housing Corporation CIO Rob Herries sees internal discipline as sufficient to handle the problem.

“We get all our users to sign agreements covering confidentiality of data and spelling out what they’re allowed to do from their desktop.” It should not be necessary to invoke the criminal law, he says.

This point of view was put forward in 2000 by a Justice Ministry spokeswoman who participated in the act’s drafting. She cited British legal commentary which compared internal intrusion to a misdemeanor like misusing the office photocopier, and argued that internal discipline was more appropriate than law.

Warwick Sullivan of the New Zealand Defense Force also feels internal control is enough. He says that at the time of the first committee hearing the NZDF considered whether they wanted any extra protection.

“It would have been nice to have more legal powers, but we (decided) they aren’t really necessary. We have rules and if anyone (misused computers within NZDF) we’d just dismiss them.”

Itanz chief Jim O’Neill says the wording is a worry, and “a number of people in the industry” have mentioned this in the course of the act’s passage.

“It is a hole in the law, and if it has the effect of appearing to be a loophole, that’s dangerous.”

However, in both industry and political circles there was a strong feeling that the appropriate course was to get the legislation passed as quickly as possible, and then consider possible review.

“As it stands now, it’s certainly a heck of a lot better than (the protection) we’ve got at the moment,” O’Neill says. “There is a point of view in the industry that we wouldn’t want to hold it up for the sake of pushing for more amendments.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now