Presidential website under cyber threat

A
17-year-old student from Kadugannawa made headlines this week when he
hacked into the official website of the country’s most influential
person; President Maithripala Sirisena.
The teenage computer ‘hacker’, having by-passed security on the web
site, posted a message on the homepage, without revealing his identity.
The message read; “Dear Mr. President,
We are extremely displeased about the decision to hold the GCE A/L in
April since the Sinhala/Hindu New Year falls between the exam dates.
Therefore, reconsider that decision. Furthermore, take care of the
security of Sri Lankan websites. Or else, we will have to face a cyber
war.
If you cannot control the situation hold a Presidential Election.
Stop the Prime Minister’s irresponsible behaviour.
Look more into the problems of the university students.
The Sri Lankan Youth”
Soon after the incident, the team that handled the President’s
website took the hackers message offline and replaced it with a message
saying the website was down for maintenance. Upon restoration of the
site, it came under attack a second time – raising serious concerns
about the competency of the team managing the President’s website.
Investigations
Immediately after the incident, the CID was tasked with handling the
investigation. They traced the IP address – the Internet Protocol
address, a numerical label assigned to every device – to Kadugannawa,
and arrested the 17-year-old student in connection with the incident.
After the arrest was made, there was an outcry, among some sections
of the society, against penalizing the student. Their argument was that
the student should be given support to study IT, considering the
‘skills’ he displayed in hacking the President’s website.
 |
Two people suspected of
hacking into President Mathripala Sirisena's website being taken
to court. Pic: Sarath Peiris |
However, law enforcement authorities identified the student’s action
as ‘crime’, as per Sections 3, 4, 5 and 6 of the Computer Crime Act, No.
24 of 2007, under which he is charged.
The definition of computer crime he committed is set out in the act
as follows:
3. Any person who intentionally does any act, in order to secure for
himself or for any other person, access to —
(a) any computer; or
(b) any information held in any computer,
knowing or having reason to believe that he has no lawful authority
to secure such access, shall be guilty of an offence and shall on
conviction be liable to a fine not exceeding one hundred thousand
rupees, or to imprisonment of either description for a term which may
extend to five years, or both such fine and imprisonment.
4. Any person who intentionally does any act, in order to secure for
himself or for any other person, access to— (a) any computer; or (b) any
information held in any computer, knowing or having reason to believe
that he has no lawful authority to secure such access and with the
intention of committing an offence under this Act or any other law for
the time being in force, shall be guilty of an offence and shall on
conviction be liable to a fine not exceeding two hundred thousand rupees
or to imprisonment of either description for a term which may extend to
five years or to both such fine and imprisonment.
Explanation 1 — for the purposes of paragraph (a) the mere turning on
of a computer is sufficient. Explanation 2 — for the purposes of
paragraph (b)- (a) there should be an intention to secure any program or
data held in any computer ; Doing any act to secure unauthorised access
in order to commit an offence Securing unauthorised access to a computer
an offence.
Computer Crime Act, No. 24 of 2007 3 (b) the access intended to be
secured, should be unauthorised; (c) it is not necessary to have access
directed at any particular program, data or computer.
5. Any person who, intentionally and without lawful authority causes
a computer to perform any function knowing or having reason to believe
that such function will result in unauthorised modification or damage or
potential damage to any computer or computer system or computer program
shall be guilty of an offence and shall on conviction be liable to a
fine not exceeding three hundred thousand rupees or to imprisonment of
either description for as term which may extend to five years or to both
such fine and imprisonment.
Illustrations
For any unauthorised modification or damage or potential damage to
any computer or computer system or computer programme to take place, any
one of the following may occur:—
(a) impairing the operation of any computer, computer system or the
reliability of any data or information held in any computer; or
(b) destroying, deleting or corrupting, or adding, moving or altering
any information held in any computer;
(c) makes use of a computer service involving computer time and data
processing for the storage or retrieval of data;
(d) introduces a computer program which will have the effect of
malfunctioning of a computer or falsifies the data or any information
held in any computer or computer system. Causing a computer to perform a
function without lawful authority an offence.
4 Computer Crime Act, No. 24 of 2007 Explanation- for the purposes of
paragraphs (a) to (d) above, it is immaterial whether the consequences
referred to therein were of a temporary or permanent nature.
6. (1) Any person who intentionally causes a computer to perform any
function, knowing or having reason to believe that such function will
result in danger or imminent danger to —
(a) national security;
(b) the national economy; or
(c) public order, shall be guilty of an offence and shall on
conviction be punishable with imprisonment of either description for a
term not exceeding five years.
(2) In a prosecution for an offence under paragraphs (a) or (c) of
subsection (1), a Certificate under the hand of the Secretary to the
Ministry of the Minister in charge of the subject of Defence or, in a
prosecution for an offence under paragraph (b) of subsection (1), a
Certificate under the hand of the Secretary to the Ministry of the
Minister in charge of the subject of Finance, stating respectively, that
the situation envisaged in subsection (1) did in fact exist in relation
to national security or public order, or the national economy, as the
case may be, shall be admissible in evidence and shall be prima facie
evidence of the facts stated therein.”
Charges
According to the Act, any person who is convicted for computer crime
will be liable to a fine not less than one hundred thousand rupees and
not exceeding three hundred thousand rupees or to imprisonment of either
description for a term not less than six months and not exceeding three
years, or to both such fine and imprisonment. This explains the gravity
of the offence the 17-year-old student committed.
However, IT specialists confirmed to the Sunday Observer that the
hack job on President Sirisena’s official website was unsophisticated,
and does not say much about the 17-year-old student’s skills. They
argued that most government-owned websites are run on outdated
platforms, without necessary security measures in place, making them
vulnerable to various types of cyber attacks.
Suchetha Wijenaike, an IT professional and a social activist, said
most of the government websites could be attacked in three simple and
very basic steps:
“Find out what CMS it is running (check the HTML source), find out
what outdated version of the CMS it is running (there are Google Chrome
and Firefox extensions for that) and use readily available and published
exploits to get in and do what you want,” he quipped, in a Facebook
post, following the incident, explaining the danger most of the
government owned websites faced. He attributed this danger to lethargic
officials who are in charge of government-owned websites.
“The government websites are mainly maintained by government
servants. Generally, in Sri Lanka, the rule number 1 of being a
government servant is ‘don’t do anything more than you absolutely have
to’. The server software and the CMSs they use haven’t been updated
since they were installed, mainly because no one wants to take
responsibility for pressing the button ‘Update’,” he said.
The incident, needless to say, was a wake-up call to many system
administrators running government websites without ensuring the
necessary security measures are in place. It was also revealed that the
same group who allegedly hacked the President’s website had also hacked
thirty-seven other website.
Apart from the teenager, the Police also arrested a 27-year-old youth
from Moratuwa over the incident.
In court, Defence counsel Susantha Dodaawatta with Harin
Hettiarachchi, appearing on behalf of the suspects said their clients
did not have criminal intent when committing the offence.
They informed Court that the two had merely wanted to raise the fact
that the President’s website hada weak security system. They further
submitted to Court that some parties were attempting to gain political
advantages by this incident.After being produced before court, the
teenager was sent to a children’s home while the other suspect was
remanded.
Realpolitik
The incident was politicized by some sections of the Joint
Opposition, who wanted to add a different spin to the story.
Udaya Gammanpila, a parliamentarian known for making controversial
remarks, addressing a press conference in Colombo, said the teenager did
not deserve to be punished.
Gammanpila dubbed the student who committed the alleged computer
crime a ‘talented youth’.
“In the US, youths even hack the official websites of NSA and
Pentagon, but the US government does not imprison them, but utilises
their capabilities in an effective way,” Gammanpila said addressing a
Joint Opposition press conference.
“The imprisoned boy had obtained A passes for all subjects during the
O/L examination which justifies that he is truly talented,” he said.
“The boy had not committed any offence although he secretly entered
the President’s official website. He had left a message saying there was
no proper security in the website. The boy should not be imprisoned, but
he should be disciplined and awarded a scholarship in the computer field
by the government,” Gammanpila, a lawyer by profession, said.
Gammanpila seems unaware however, of the story of Aaron Swartz, later
documented in the film, ‘The Internet’s Own Boy’. Swartz, a computer
programmer was considered an Internet genius, a prodigy even. At age 14,
he was on the working group for the popular web syndicator RSS and also
worked on Reddit – the ‘Internet’s front page’, and Creative Commons.
He even went to Stanford. But Swartz was arrested when he was 24 for
hacking into the website JSTOR and downloading academic articles that he
felt should be freely available to the public.
Swartz was charged in 2011 by US law enforcement for computer crimes
under the Computer Fraud and Abuse Act, with a maximum punishment of one
million USD in fines and 35 years in prison.
Swartz committed suicide in January 2013 and was posthumously
inducted into the Internet Hall of Fame. Similar are the stories of
Julian Assange and Edward Snowdon, on the run from litany of charges,
including espionage, for releasing information using their computer
skills. It is clear that even in the face of moral reasoning, public
outcryand civil society sympathy, the rule of law must prevail.
However, when this issue was raised with the President during a
breakfast meeting with media heads and newspaper editors at the
President’s House, on Friday, the President, responding to the question
if he would pardon the teenager involved in the hacking incident said:
“It is still too early to comment on the matter. But, I will make a
decision, as a father, who has children,” he said, not ruling out the
possibility of a pardon upon conviction.
On Friday, the schoolboy and the youth were granted bail by Colombo
Chief Magistrate. While ordering the release of the suspects on bail,
the Chief Magistrate Gihan Pilapitiya advised the parents of the
schoolboy to be more vigilant about the online activities of their
child. The schoolboy was ordered released on two sureties of one million
rupees. The other suspect was ordered released on a cash bail of Rs.25,
000 with four sureties of one million rupees.
President meets editors
President Maithripala Sirisena seemed jubilant when he walked into
the main meeting room at the President’s official residence, on Friday
morning, for a meeting with media heads and newspaper editors.
It was clear that the President had convened the meeting to brief the
media about the successful meeting he had with the UN Secretary-General,
on Thursday. In addition, the President wanted to make the media heads
aware of the government’s plan for poverty alleviation and the SLFP’s
65th convention.
Commenting on his interaction with UN Secretary-General Ban Ki moon,
the President said the UN Chief seemed happy about the progress achieved
by the government, over the past 16 months.
“The UN Secretary General didn’t dictate terms to us nor did he
impose any time-frame. He appreciated the new reforms we introduced
after coming to power, including the 19th Amendment, the Office of
Missing Persons Bill and the Right to Information bill. Apart from the
official discussion, I had a closed-door meeting the UN chief for nearly
10 minutes.
“I explained to him the need to give more time and space for the
government to conclude the reconciliation process. He responded
positively to our request,” the President told the media heads.”
The UN chief, the President said, agreed to give his fullest support
to the government to proceed with the reform process it initiated after
January 08, 2015. “There is no unnecessary pressure on the government.
We have everyone’s blessings to proceed with what we are already doing,”
he said.
“Under the previous government, the relations between Sri Lanka and
the UN were strained. A minister of the previous government launched
fast unto death campaigns opposite the UN office in Colombo and the
former President also visited him, sanctioning the minister’s act.
“Their behaviour resembled that of a hooligan in a village. With a
new government coming to power, the situation has changed for the better
and the government has repaired ties with the UN. The UN
Secretary-General’s congenial approach spoke volumes of the goodwill
between Sri Lanka and the UN,” the President said.
“The UN chief said he was highly impressed by the natural beauty of
our country. He had visited the country a few times before and his last
visit was in 2009, a few days after the end of war. I asked him if he
noticed any change in the country, under the new government. He said,
now there is more freedom, democracy, and human rights in the country,”
he said.
The President then talked about unresolved issues in the Northern
province and said the extremist elements in the North and the South were
misleading the public on many matters.
“Some in the North,” the President said, “exert pressure on the
government to resolve long-drawn issues, overnight. They want us to
implement miraculous solutions. It doesn’t work that way!”
The journalists present at the event also asked questions about
ongoing protests in the North demanding land rights. The President, in
response, quipped that he had expected more protests in the North after
the UN General-Secretary announced his visit to Sri Lanka.
“Some sections just want to show the world that they have so many
unresolved issues. But, they don’t support us to implement solutions,”
he added, directing his criticism at some groups that staged protests in
the Northern province, over the past few days.
“Some of their demands were fair. But, they do not support our
attempts to resolve their problems. They prevent government officials
from surveying their lands. I identify this as a well-organised campaign
to hamper any possible solution. It is quite clear that a certain group
wants to keep IDPs in their camps forever. They want to perpetuate this
issue and capitalize on the grievances of the helpless,” he stressed.
“However,” he added, “it doesn’t make the demands of the ordinary
people dismissible”
“We, as a government, should understand the grievances of the people
in the North. They don’t need lands owned by the military. They ask for
their own lands. It is not unfair,”the President said.
“We have achieved remarkable progress on resettlement. But, there are
some problems that need to be resolved. However, at this point, we have
informed all IDPS in writing about the status of their lands. We have to
admit that there is a delay on the part of the Survey Department as they
do not have sufficient human capital to fast track the process,” the
President added, saying that the government intended to resolve all land
issues in the North, in three months.
During his interaction with media heads, the President diplomatically
avoided queries about the power struggle within the SLFP. Dismissing the
claims by the rebel group, the President said, the 65th anniversary of
the Sri Lanka Freedom Party (SLFP) would strengthen the party’s will to
remain in the national unity government.
“We have to forget our greed for power and remain united to create a
better country for the nest generation,” the President said, stressing
the need for protecting the unity government to address key issues faced
by the country.
The national unity government, he said, should be strengthened to
resolve several key issues, including the repayment of foreign debts
amounting to Rs. 9,000 billion.
He said the national unity government, in which the two main
political parties function as the key stakeholders, lays the perfect
foundation to find solutions to long-drawn socio-economic issues.
While the President was addressing media heads and editors at the
President’s House, some members of the Joint Opposition group made an
interesting move at former President Rajapaksa’s political office, in
Battaramulla.
They gathered at the office to celebrate the anniversary of the SLFP.
Interestingly, this was the same group who threatened to split the SLFP,
to contest separately at the Local Government election, under the former
President’s leadership.
Dullas Alahapperuma, Bandula Gunawardena, Prasanna Ranatunga and
Renuka Perera cut a cake to celebrate the party’s 65th birthday, which
fell on Friday. The cake was decorated with a message congratulating the
party, and in the message they identified themselves as ‘Mahinda and
Sons’ (Mahinda samaga daru kela).
However, the rebel group’s anniversary celebration shows that they
now have a love-hate relationship with the party, especially in the wake
of the President’s recent decision to remove 13 Rajapaksa supporters
from their electoral organiser positions. |