Computer hacking is not as old as the world itself, but it is surely becoming a common occurrence. The latest incidents involving the Bash bug have again highlighted the fact that, irrespective of all our information security investments, we are still at risk.

While the attacks against computer systems change, the law remains constant. But can the law on its own sort out the Bashdoor mess?

Bashdoor, also known as Shellshock, is a security bug in the Unix Bash shell that was only discovered in September 2014. Bash, which is also used in Linux and Mac OS environments, is very commonly relied on by applications such as web servers. This latest bug discovery has exposed such applications to malicious code that can be run through the Bash command line or a script and which, simply put, can open up such applications or systems to unauthorised access and modification through rogue code injection. Millions of computers, tablets, smartphones and other central systems are at risk. Credit card details and whole databases can be stolen.

Once Bashdoor reached the public domain, cybercriminals reacted very quickly, and within hours they were already building botnets out of affected computers in order to launch DDoS attacks from such compromised machines. By the end of September, it was reported that around 1.5 million daily attacks and probes were being tracked through honeypots.

Bash, a free Unix-based command-line shell, has been available since around 1992, and it is incredible how this bug, or coding flaw, remained undiscovered for almost 22 years. Thousands of servers were compromised in a matter of days.

The ease with which Bashdoor can be exploited, and the simple ability to run injected code on various systems and servers, has made Bashdoor far more lethal than the Heartbleed bug, which was originally reported earlier this year. While Heartbleed enabled hackers to spy on machines, Shellshock enables hackers to take over the whole system and modify it at will. It can potentially grant hackers access to every device connected to the internet. Scary indeed.

Various foreign government agencies also reacted quickly and rated Bashdoor as a potentially high threat, also in light of the fact that several critical national infrastructures make use of the Bash software. Software patches to try and minimise the impact of the bug have been released. However, some of these patches were incomplete, and it will always be unclear how many systems will never be updated with the latest patches and will remain vulnerable.
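Because the first round of patches was incomplete, the practical question for an administrator is whether the Bash on a given machine still imports extra commands smuggled after a function definition in an environment variable, which is the behaviour the bug abuses. The script below is an added example, not part of the original article or of any vendor advisory: it runs the widely published harmless probe (a no-op function followed by an `echo`) against the local `bash` and reports whether the trailing command was executed. The names `shellshock_status` and `probe` are this example's own choices.

```shell
#!/bin/sh
# Added example: verify whether the local bash still runs code placed after
# a function definition in an environment variable (the Shellshock flaw).
# Intended for confirming that a patch actually took on your own systems.
shellshock_status() {
    # Without bash there is nothing to test.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # The variable holds a harmless function body followed by one extra
    # command. A vulnerable bash executes that extra command while importing
    # the environment; a patched bash ignores it (and prints a warning on
    # stderr, which we suppress here).
    out=$(env probe='() { :; }; echo SMUGGLED' bash -c 'echo ok' 2>/dev/null)

    case "$out" in
        *SMUGGLED*) echo "vulnerable" ;;   # trailing command ran
        *)          echo "patched" ;;      # only the intended 'echo ok' ran
    esac
}

# Stand-alone use: print the verdict for this host.
shellshock_status
```

On a patched system the script prints `patched`; a `vulnerable` result means the installed Bash still executes the smuggled command and should be updated before the host is considered safe.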

The possibilities that the Bashdoor bug opens up for unauthorised access to and modification of computing devices are almost unprecedented. But while security companies are scrambling to patch all systems and software, our criminal law is very clear in relation to such activities. In this sense, the Bashdoor threat introduces nothing novel on the legal front, but the sheer scale of the technical vulnerability cannot be underestimated.

The unauthorised access or modification of computing systems, software and data is regulated under Article 337C of our Criminal Code. Introduced in 2001, this Article largely replicates the provisions contained in the Council of Europe Cybercrime Convention which Malta only fully ratified in 2012.


Article 337C is exhaustive and encapsulates the various actions which could constitute the unauthorised access and modification offence. In fact, this Article stipulates that an offence occurs if anyone, without proper authorisation, uses a computer or any other device or equipment to access any data, software or supporting documentation held in that computer or on any other computer, or uses, copies or modifies any such data, software or supporting documentation.

The same Article also includes the criminalisation of any unauthorised activity aimed at preventing or hindering access to any data, software or supporting documentation as well as the hindering or impairment of the functioning or operation of a computer system, software or data including the actual taking over or making use of any data, software or supporting documentation. The installation, alteration, damage, destruction, variation or addition to any data, software or supporting documentation without prior authorisation is also a criminal offence under the same Article 337C of our Criminal Code.

The beauty of Article 337C lies in its technological neutrality: irrespective of the technology used, including the latest attacks such as Shellshock, the law criminalises the act itself. The way Shellshock works, that is through remote code injection and execution, is pretty simple and scary. However, our criminal laws already sufficiently cater for such situations, irrespective of how technologically complex these attacks are.

Alas, the reality is far more complex than the letter of the law, and this particularly applies in the field of information technology. The real challenge lies not in whether criminal laws apply but in whether law enforcement agencies have sufficient resources to prosecute the ever-increasing number of cybercrime incidents being reported. In the meantime, you had better patch up.

Dr Ghio is a partner at Fenech & Fenech Advocates specialising in ICT law (www.fenechlaw.com). He also lectures ICT law and cybercrime at the University of Malta.
