Tackling modern day extortion: the Cybercrime Act of Fiji
Have you ever been phished? Do you know how to spot a suspicious email, website or link? Do you know what ransomware is?
Introduction
Technology is increasingly used in our lives and with that comes an increased threat of cybercrime(s) to your business. This has been the case in the COVID-19 pandemic. As more people work from home, IT systems become strained and more susceptible to cyberattacks.[1] The pandemic has also enabled cyber criminals to leverage social isolation and economic vulnerability to prey on victims – for example, online dating or lottery scams.
No one is immune to online threats and there have been media reports of Fijians falling victim to online scams. In fact, it was only earlier this year, that the Fijian government encountered a cyber-attack to its online services and networks which temporarily halted its digital services.
An increasing form of cybercrime today is ransomware, which is a digital form of extortion.[2] Ransomware is a malicious software that encrypts data and holds onto it until a ransom is paid. The hacker will first gain unauthorized access to a computer system, which is mostly done through a phishing email that tries to get the email recipient to click on a link which will then download the software, install it the background and eventually lead to data encryption.[3] Since the beginning of the pandemic there has been an increase in ransomware attacks by nearly 500%.[4]
To combat cybercrime, the Fijian government passed a Cybercrime Act 2021 (the Act) on 12 February 2021 to protect its people against cyber offences. In this article we provide an overview of the Act and how it aims to tackle ransomware offences.
What is ransomware and what threat does it pose?
Ransomware steals and encrypts private, sensitive, personal data with threats to expose them unless the owner of the data pays a ransom for its decryption and release. Ransomware threatens the survival of businesses and individuals and people will go to great extents to protect their information.
Paying the ransom is not without risk as it allows the hacker to receive financial information. There is also no certainty that the encrypted data will be released, or that it will not happen again.
What is Fiji doing to prevent ransomware attacks?
Until the passing of the Act, computer-related crime had been regulated under the Crimes Act 2009 and the Proceeds of Crime Act 1997. Both Acts contained various computer-related offences related to (among other things) the unauthorized use or control of a computer system with the intent to commit a computer offence, along with other standard offences relating to financial gain through deception.
When the new Act comes into law, sections 336 to 346 of the Crimes Act which currently deal with computer offences will be repealed. The Act will bring into effect specific computer offences such as financial extortion, online identify theft and online forgery.
Section 10 of the Act creates an offence for computer-related financial extortion and fraud, with penalties of a maximum fine of $50,000 for individuals and $100,000 for corporate bodies.
Given the extra-territoriality of cybercrime, the Act also contains provisions for international co-operation. Section 25 of the Act provides that all computer-related offences under Part 2 to 4 (Section 5 to 14) of the Act are extraditable offences. This is where the Fijian government may come in to make a petition to foreign governments for their cooperation in assisting with investigations and extradition to Fiji of those suspected in committing the crime.
Fiji has bilateral agreements on the surrender of fugitive offenders with Australia, New Zealand, the United States of America and the United Kingdom, along with a number of other bilateral treaties which were extended to Fiji by virtue of its former status as a colony of Great Britain and are still valid,[5] The bilateral agreements mean that Fiji will work with those countries to assist with extradition requests.
What happens if I am a victim of ransomware and I pay – am I committing a crime?
While most authorities internationally discourage the payment of ransoms, following a ransomware attack, sometimes the victim is left with few options but to pay. Whether it is illegal to pay a ransom in these circumstances is an evolving area of law internationally.
In Fiji, the Proceeds of Crimes Act 1997 contains offences to transfer money or property which is derived from a criminal offence. However, where the funds paid to the hacker by a victim are not derived or realised themselves from the commission of an offence, then it is unlikely to give rise to an offence in Fiji.
In Fiji the payment of a ransom is unlikely in itself to constitute an offence except in circumstances where at the time of payment, the victim paying the ransom knows or has reasonable cause to suspect that the hackers are terrorists under section 70A of the Proceeds of Crime Act 2009, as this would be aiding terrorism.
What can you or your business do to prevent ransomware attacks?
Along with a slew of other reforms including the Online Safety Act 2018 the Act will assist to help regulate online safety and act as a deterrent to online criminals. That being said, individuals and businesses must be aware of the ever-increasing incidences of cyber threat. We’ve set out a few practical tips that you and your organization should institute in order to mitigate against the risks of cyber threat:
Be vigilant with online activities and learn to discern phishing emails from genuine emails.
Offer training or online modules to help your staff also be able to spot cyber threats.
Develop online and social media usage polices in your workplace which aim to lessen the risks of a cyber breach in your organisation.
Develop internal risk management policies and a disaster recovery plan in the event your organization encounters a cyber attack.
Ensure your employment arrangements set clear expectations around compliance with your online safety and social media policies and ensure that those policies address the use of workplace equipment by employees.
Conclusion
Cybercrime and ransomware attacks are a form of modern-day extortion and they are here to stay. The passing of the Act will strengthen Fiji’s legal frameworks to combat cybercrime in Fiji. However, it is important that Fijians and employers are vigilant and develop adequate policies and frameworks around addressing cyber threat in the workplace.
[1] Michael Parent, “Cyberattacks are on the rise amid work from home how to protect your business”, The Conversation, 8 December 2020, accessed via: https://theconversation.com/cyberattacks-are-on-the-rise-amid-work-from-home-how-to-protect-your-business-151268, accessed on 27 September 2021. [2] Danny Palmer, “Ransomware: There’s been a big rise in double extortion tactics as gangs try out new tricks”, ZD Net, accessed via: https://www.zdnet.com/article/ransomware-theres-been-a-big-rise-in-double-extortion-attacks-as-gangs-try-out-new-tricks/, accessed on 27 September 2021. [3] University of Berkley, Information and Security Office, accessed via :https://security.berkeley.edu/faq/ransomware/, accessed on 27 September 2021. [4] Michael Parent and David R Beatty, “The increase in ransomware attached during the COVID-19 Pandemic may lease to a new internet”, The Conversation, accessed via: https://theconversation.com/the-increase-in-ransomware-attacks-during-the-covid-19-pandemic-may-lead-to-a-new-internet-162490, accessed on 27 September 2021. [5] Fiji Government Office of the Department of Public Prosecutions Webpage, Extradition, accessed via: https://odpp.com.fj/extradition/, accessed on 27 September 2021.
Comments