A Bill for an Act to Provide for the Establishment of the Cyber-Security and Information Protection Agency charged with the responsibility to secure computer systems and networks and liaison with the relevant Law Enforcement Agency for the Enforcement of Cyber crime Laws and Related Matters, 2008. (HB. 154).
Thank you for asking us, the public and Cyber-Security Professionals, to make inputs on the proposed legislation for the establishment of the Cyber Security and Information Protection Agency (HB. 154). This process of public discourse that you are embarking on is one of the beauties of democracy, as it empowers the people to make input on the laws which affect them and with which they must comply. For this we commend the Nigerian House of Representatives.
This draft bill is a welcome initiative which we look forward to enhancing while ensuring that it contributes to the empowerment and improvement of Nigeria and Nigerians. Please accept our input in good faith, and as part of our ongoing contribution to the emergence of our nation as a global player. We remain available to contribute further as the need arises. Our comments on the proposed legislation for the establishment of the Cyber Security and Information Protection Agency, the Agency, are divided into two parts, namely:
1. Broad issues, and suggestions, which we believe need to be addressed, and
2. Specific issues, and suggestions, arising from and embedded in the draft legislation.
On behalf of myself, and those I represent, I sincerely wish the Honourable Chairman and Honourable members of this Committee, as well as other Honourable members of the House of Representatives involved in further legislative action on these matters, success in this endeavour.
With the expressions of my highest consideration, I remain,
Broad issues and suggestions.
At the top level the proposed Bill needs to incorporate the following:
1. Checks and balances. Cyber-tools are very powerful and can accelerate both constructive and destructive tendencies; thus we must ensure that we put in place the requisite checks and balances, including requisite oversight by the legislature, to encourage the positive while discouraging the negative tendencies that all situations, organisations and individuals experience. Given Nigeria's antecedents, the political power plays of our nascent democracy, such as the alleged "3rd term" episode, and our history with dictatorship, it is necessary that the legislature have oversight, such that it incorporates in the proposed bill the position of Interception Review Commissioner, or similar authoritative nomenclature, as is done in the UK, who reports exclusively to the National Assembly (Parliament in the UK). This person will be charged with the responsibility of post-interception reviews to ensure that interception authorizations/warrants are properly obtained and are not abused.
2. It is imperative to consider the underlying need or otherwise for a specialised Cyber Security and Information Protection Agency, given that the Economic and Financial Crimes Commission (EFCC), Central Bank of Nigeria (CBN) and National Communications Commission (NCC) have already developed some cyber-security capabilities or have inherent oversight over aspects of information infrastructure. Furthermore, the capacities of the Nigerian Police and National Information Technology Development Agency (NITDA) can be effectively upgraded to enable them to adequately and cost-effectively tackle the challenges of cyber-security. All these entities can and will have to tackle cyber-crime, and these bodies and initiatives can be coordinated through various means including existing security structures, the proposed Agency, technical working groups, task forces and presidential advisory committees.
3. The draft legislation must increase the accountability of senior officials of all government bodies, and especially those entities charged with cyber-security related responsibilities, to regularly report cyber-security incidents, such that the proposed Agency will produce quarterly reviews of the state of Nigeria's cyber-security and related procedures. The appropriate executive and legislative arms of government must be regularly made privy to our cyber-security situation, and the general public can receive appropriate publicly consumable information updates.
4. The draft legislation should empower the proposed Agency to collaborate with Academia, NITDA and other ICT organisations, law enforcement, and ICT and Security professional bodies to create guidelines for identifying information security vulnerabilities and to prescribe ways of alleviating them. We further suggest that the bill empower the Agency, in collaboration with NITDA, EFCC and other parties, to set broad-based cyber-security standards that would be imposed on the government and critical national information infrastructure. The Agency needs to be empowered to issue fines or other penalties to force compliance.
5. The draft legislation should empower the proposed Agency to work with other bodies like Galaxy Backbone PLC, Nigerian Internet Exchange Points, Nigerian Internet Service Providers and individuals to optimize the number of interconnections between federal organizations and the public Internet, called Trusted Internet Connections (TICs), to minimize the number of primary points of vulnerability. We recommend that all government entities must report to the proposed Agency all external ICT connections. The Agency should be empowered to foster initiatives that promote the indigenous development, application and deployment of intrusion detection and related systems, and the development of and adherence to related standards.
6. The Agency should be designated as the Secretariat of a Cyber-Security Advisory Panel to the President. This is because the Executive and all arms of government need to be educated as much as possible on Cyberspace security threats.
7. The proposed Bill should empower the Agency to work with NITDA, Small and Medium Enterprises Development Agency (SMEDAN), CBN, Ministries of Information, Commerce, Labour and other Ministries, Departments and Agencies; Academia, particularly Universities, Polytechnics and Colleges of Education; and the Private Sector and Non-governmental organisations to facilitate the creation of, and provide peripheral support for, Cyber-Security Centres. The Cyber-Security Centres will be used to enhance the cyber-security of small and medium-sized businesses in Nigeria and West Africa, by promoting cyber-security knowledge and technology transfer, wealth creation and employment through synergies derived from the cooperative participation of Government, Private Sector/Industry and Academic Institutions in initiatives and efforts to make cyber-security software, hardware and processes usable by micro, small and medium-sized businesses; actively disseminate information and utilize research; and make short-term loans to micro, small and medium-sized businesses for advanced cyber-security countermeasures. Such financial support must not exceed 25% of the annual operating/maintenance cost of such Academic, Private or non-governmental entities, so that such centres are supported through public-private partnership and self-generated revenue.
8. The Bill should empower the Agency to continuously identify the things that should be done to improve our ability to detect, protect against, contain, neutralize, mitigate the effects of, and recover from cyber-terrorist attacks prior to, while they are ongoing and after their occurrence. The Agency must position itself to offer the President useful insights on both cyber defence organizational issues and technical capabilities that would be useful for success in dealing with cyber-terror threats.
Specific issues and suggestions.
HOUSE OF REPRESENTATIVES
National Assembly of the Federal Republic of Nigeria
CYBER SECURITY AND INFORMATION PROTECTION AGENCY (ESTABLISHMENT, ETC) BILL 2008
A Bill to provide for the establishment of the Cyber Security and Information Protection Agency charged with the responsibility to secure computer systems and Networks and liaison with the relevant law enforcement agency for the enforcement of cyber crimes laws, and for related matters.
Commencement
Sponsored by: Hon. Bassey Etim
ENACTED by the National Assembly of the Federal Republic of Nigeria:
1. (1) There is hereby established a body to be known as Cyber Security and Information Protection Agency (in this Bill referred to as "the Agency") which shall have such functions as conferred on it by this bill.
(2) The Agency:
(a) Shall be a body corporate with perpetual succession and a common seal;
(b) May sue and be sued in its corporate name and may, for the purpose of its functions, acquire, hold or dispose of property;
2. (1) The Agency shall consist of:
(a) The Chairman of the agency shall be the National Security Adviser;
Note: As Chairman of the Joint Intelligence Board (JIB), Intelligence Community Committee (ICC) and Secretariat of the National Security Council (NSC), the Office of the National Security Adviser (ONSA) may be better served if the proposed Agency is treated as any of the other agencies that the National Security Adviser (NSA) coordinates. We suggest that the President, based on the advice of the NSA, appoint a Board Chairman for the proposed Agency.
(b) Executive Vice chairman to be appointed by the president, who shall be:
(i) A retired or serving member in any security agency of the Federation not below the rank of deputy commissioner of police or its equivalent, with cyber-security experience
Note: Cyber-Security is a very young branch of security and its practitioners, perpetrators and those who strategise, develop and implement countermeasures are in the main relatively young; thus we suggest a retired or serving member in any security agency of the Federation not below the rank of assistant commissioner of police or its equivalent, with cyber-security experience.
Note: We further recommend that anyone competent to sit on the board of the Agency should be competent to lead it. The implications of this section as presently written are that a past or serving legislator (who made/makes laws), even if they had served on, or chaired, Security, Financial, Foreign Affairs and other key committees, would not be qualified to head the proposed Agency unless they had Legal or Security backgrounds. Furthermore, many players in industry and Academia who develop and implement real-world cyber-security initiatives and solutions are eminently qualified to be members of the Agency Board and assume the role of Chief Executive. The legislation should give the President the flexibility to appoint, and the legislature to approve, the best candidate from the broadest pool of competency.
Note: Public service rules situate/ equate the heads of most Agencies at a rank below Federal Permanent Secretaries and usually equated to that of a Director or Deputy Director. These conventions must be considered when developing such legislation and the issue of number of years of experience.
(ii) a lawyer with not less than 10 years post call experience, who must be an expert in cyber-security.
Note: This clause is NOT necessary.
(c) a representative each of the following Federal Ministries.
(i) commerce, industry;
(ii) science and technology;
(iii) justice;
Note: We suggest a representative of the Ministry of Information and Communications.
(d) The Executive Vice Chairman and members of the Agency, other than ex-officio shall each hold office for a period of four years and may be re-appointed for one further term.
Note: We suggest a Single 5 year term.
(e) a representative each from the following organizations:
(i) the department of state security services;
Note: We advise that it is not required to be overtly specified in the law but the President could appoint as he deems fit.
(ii) the Nigerian police force;
Note: We advise that it is not required to be overtly specified in the law but the President could appoint as he deems fit.
(iii) the Nigeria communications commission;
Note: We advise that it is not required to be overtly specified in the law but the President could appoint as he deems fit.
(iv) the Nigeria Security & civil Defence Corps and
Note: We advise that it is not required to be overtly specified in the law but the President could appoint as he deems fit.
(2) Four persons whom:
(a) two must be experts in telecommunication with not less than 10 years experience
Note: We advise that it is not required to be overtly specified in the law but the President could appoint as he deems fit.
(b) two computer scientists with specialization in cyber crime with not less than 10 years experience
Note: We advise that it is not required to be overtly specified in the law but the President could appoint as he deems fit.
(3) The Executive Vice Chairman and four other members of the agency shall be appointed by the president subject to confirmation by the senate.
(4) The Executive Vice Chairman appointed pursuant to sub-section (1) of this section shall be the chief executive of the agency and shall be responsible for the day to day running of its affairs.
Note: It is important that the proposed Agency develop synergies with the EFCC and Office of the Attorney General of the Federation for Prosecution, and with the Department of State Security, Nigerian Police, NCC and Nigerian Financial Intelligence Unit (NFIU) for Investigation. However, this does not require that any of these bodies be represented on the board. Experience with the EFCC has shown that the participation of these entities on an Agency Board does not correlate to greater synergy.
3. (1) A member of the agency may at any time resign his office in writing addressed to the president and may be removed from office because of:
(a) infirmity of mind or body;
(b) permanent incapacity; or
(c) any other reason subject to confirmation by the senate.
(2) Members of the agency shall be paid such allowances as may be determined by the salary and wages Commission.
4. The Agency shall be responsible for the:
(a) enforcement of the provision of this bill
(b) investigation of all cyber crimes
Note: This may conflict with existing EFCC activities and mandate.
(c) adoption of measures to eradicate the commission of the cyber crimes;
Note: This may conflict with existing EFCC activities and mandate.
(d) examination of all reported cases of cyber crimes with a view to identifying individuals, corporate organizations involved in the commission of the crime;
Note: This may conflict with existing EFCC activities and mandate.
(e) registration and regulation of service providers in Nigeria with a view to monitoring their activities;
(f) organizing and undertaking campaigns and other forms of activities as will lead to increased public awareness on the nature and forms of cyber crimes; and
Note: This may conflict with existing EFCC and NCC activities and mandate.
(g) maintaining a liaison with the office of the Attorney General of the Federation, and inspector General of police on the arrest and subsequent prosecution of the offenders.
Note: This may duplicate or impinge on EFCC existing registration process and cyber-security initiative as well as similar ones at NCC. There needs to be some harmonisation here.
5. (1) In execution of its functions and powers under this Bill, the Agency may appoint:
(a) persons or second officers from government security or law enforcement agencies; and
(b) specialists in the area of communication, computer science and technology, law, which will assist the agency in the performance of its functions.
(2) The agency may, make staff regulations relating generally to the conditions of service of the employees, and such regulations may provide for:
(a) the appointment, promotion and disciplinary control; and
(b) appeals by such employees against any disciplinary measures taken against them shall be regulated by the provision of the civil services rules, until such regulations are made.
(3) Service in the agency shall be public service for the purposes of pension Act.
Note: Why only the Pension Act? Why not other Public Service regulations and standards?
6. The Agency shall maintain a fund which shall consist of:
(a) money to be received from the federal government for the purposes of take off;
(b) proceeds from all activities, services and operations of the Agency.
(c) grants, gifts and donations made to the Agency.
(d) such other sums as may accrue to the Agency.
7. (1) Any person who without authority or in excess of his authority accesses any computer for the purpose of:
(a) securing access to any program; or
(b) data held in that computer; or
(c) committing any act which constitutes an offence under any law for the time being in force in Nigeria, commits an offence and shall be liable on conviction:
(i) in the case of offence in paragraph (a) of this subsection, to a fine of not less than N10,000 or imprisonment for a term of not less than 6 months or to both such fine and imprisonment.
(ii) For the offence in paragraph (b), to a fine of not less than N100,000 or a term of not less than 1 year or to both such fine and imprisonment.
(2) Where damage or loss is caused to any computer as a result of the commission of an offence under subsection (1) of this section, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.
(3) In pronouncing sentence under this section, the court shall have regard to the extent of damage or loss occasioned by the unlawful act.
8. (1) Any person who, knowingly and without authority or in excess of authority, discloses any:
(a) password;
(b) access code; or
(c) any other means of gaining access to any program data or database held in any computer for any unlawful purpose or gain, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or to imprisonment for a term of not less than 3 years or to both such fine and imprisonment, and in the case of a second or subsequent conviction, to a fine not exceeding N1,000,000 or to imprisonment for a term of not less than 5 years or both such fine and imprisonment.
(2) Where the offence under subsection (1) results in damage or loss, the offender shall be liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or both such fine and imprisonment.
(3) Any person who with intent to commit any offence under this Act uses any automated means or device or any computer program or software to:
(a) retrieve;
(b) collect; and
(c) store password, access code; or any means of gaining access to any program, data or database held in any computer, commits an offence and shall be liable on conviction to a fine of N1,000,000 or to imprisonment for a term of 5 years or to both such fine and imprisonment.
9. (1) Any person who with intent to defraud sends electronic mail message to a recipient, where such electronic mail message materially misrepresents any fact or set of facts upon which reliance the recipient or another person is caused to suffer any damage or loss, commits an offence and shall be liable on conviction to a fine of not less than 5 years or to both such fine and imprisonment.
(2) It shall not operate as a defence for any person charged with an offence under subsection (1) of this section to claim that:
(a) he could not have carried out his intended act; or
(b) it is impossible to execute the ultimate purpose of his intention; or
(c) the object of his deceit is non-existent.
(3) Any person spamming electronic mail messages to recipients with whom he has no previous commercial or transactional relationship commits an offence and shall be liable on conviction to a fine not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.
Note: We may need to reflect on this clause, as it may stifle the rights of sellers to reach out to potential customers; mass mailing is a globally recognised form of 21st Century marketing. It is likely that the intent of the clause is to punish abuse of mass e-mailing opportunities. This raises questions of the civil liberties of legitimate sellers to reach out to potential clients and of clients to be informed while not being inundated with useless messages. A parallel would be making illegal the printing of election leaflets which might be placed in political constituents' letter boxes. This would negatively impact the political and democratic process.
(4) Any person who with intent to commit any offence under this Bill;
(a) uses any automated means, device; or
(b) any computer program, software; to collect or store electronic mail addresses from any sources whatsoever, commits an offence and shall be liable on conviction to a fine not less than N1,000,000 or to imprisonment for a term not below 5 years or both such fine and imprisonment.
10. (1) Any person who, with the intent to commit an offence, uses any computer program or software to deliberately block being traced or avoid detection, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.
(2) Any person who knowingly accesses any computer and inputs, alters, deletes or suppresses any data resulting in unauthentic data with the intention that such inauthentic data be considered or acted upon as if it were authentic or genuine, whether or not such data is readable or intelligible, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.
(3) Any person who knowingly and without right causes any loss of property to another by altering, erasing, inputting or suppressing any data held in any computer for the purpose of conferring any benefits whether for himself or another person, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or both such fine and imprisonment.
11. (1) Any person who without authority or in excess of authority interferes with any computer network in such a manner as to cause any data or program or software held in any computer within the network to be modified, damaged, suppressed, destroyed, deteriorated or otherwise rendered ineffective, commits an offence and shall be liable on conviction to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.
12. Any person who unlawfully produces, adapts or procures for use, distributes, offers for sale, possesses or uses any devices, including a computer program or a component or performs any of those acts relating to a password, access code or any other similar kind of data, which is designed primarily to overcome security measures with the intent that the devices be utilized for the purpose of violating any provision of this Bill, commits an offence and is liable to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment.
13. Any person who without authority or in excess of authority intentionally interferes with access to any computer or network so as to prevent any:
(a) part of the computer from functioning; or
(b) denying or partially denying any legitimate user of any service of such computer or network; commits an offence and shall be liable on conviction to a fine of not less than N2,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment.
14. Any person who with the intent to deceive or defraud, accesses any computer or network and uses or assumes the identity of another person, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.
15. (1) Every service provider shall keep all traffic, subscriber information or any specific content on its computer or network for such period of time as the Agency may require.
Note: Who pays for keeping/storing such traffic, and for how long? Can the Agency unpredictably change its mind on the time, and thus the amount of information to be stored? This boils down to the cost of storage, which quickly becomes very significant and a form of additional taxation.
Note: The status of the proposed bill on Lawful Interception remains pending, and we suggest that such a law on Lawful Interception must be enacted prior to the enforcement of the above. Key issues that any such Lawful Interception legislation must address during its enforcement are the sharing of the high cost of such interception, privacy and human rights.
(2) Every service provider shall, at the request of any law enforcement agency:
Note: If any law enforcement agency can ask for any information multiple times, this will be time-consuming and expensive to the economy. This Agency, ONSA, EFCC or NCC should coordinate such requests.
(a) provide the law enforcement agency with any traffic of subscriber information required to be kept under subsection (1) of this section; or
(b) preserve, hold or retain any related content.
Note: This raises complex privacy and civil liberty issues.
(3) Any law enforcement agency may with warrant issued by a court of competent jurisdiction, request for the release of any information in respect of subsection (2) (b) of this section and it shall be the duty of the service provider to comply.
(4) Any data retained, processed or retrieved by the service provider for the law enforcement agency under this Bill, shall not be utilized except for legitimate purposes either with the consent of individuals to whom the data applies or if authorized by a court of competent jurisdiction.
(5) A person exercising any function under this section shall have due regard to the individual right to privacy under the constitution of the Federal Republic of Nigeria 1999 and shall take appropriate technological and organizational measure to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement.
(6) A person or service provider, body corporate who wilfully contravenes the provisions of this section commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term not less than 3 years or both fine and imprisonment.
Note: Again, the status of the proposed bill on Lawful Interception remains pending, and we suggest that such a law on Lawful Interception must be enacted prior to the enforcement of the above. Key issues that any such Lawful Interception legislation must address during its enforcement are the sharing of the high cost of such interception, privacy and human rights.
16. (1) A person who intentionally, without authority or in excess of authority intercepts any communication originated, terminated or directed from, at or to any equipment, facilities or services in Nigeria, commits an offence and shall be liable on conviction to;
(a) a fine of not less than N500,000;
(b) imprisonment for a term of not less than 10 years; or
(c) both such fine and imprisonment.
(2) Notwithstanding the provision of subsection (1) of this section, any service provider, its employee or duly authorized agent may, in the normal course of work, carry out the activity mentioned in section 16 of this Bill.
17. Every service provider shall ensure that any of its equipment, facilities or services that provide a communication is capable of:
Note: Who will be liable to ensure that civil liberties are NOT abused?
(a) enabling a law enforcement agency to intercept all communications on its network for the purpose of investigation and prosecution;
Note: All interceptions must be based on warrants approved and endorsed by competent Judges. An Intercept Commissioner, appointed by and answerable to the legislature, must periodically review intercepts to ensure that privacy and civil liberties are not abused.
(b) accessing call data or traffic record;
(c) delivering intercepted communications and call data or traffic record in such a format that they may be transmitted by means of equipment, facility or service procured by any law enforcement agency to a location other than the premises of the service provider; and
(d) facilitating authorized communications interceptions and access to call data or traffic records unobtrusively with minimum interference with any subscriber's communication service and in a manner that protects:
(i) the privacy and security of communications and call data or traffic records not authorized to be intercepted.
(ii) information regarding the interception.
(2) A service provider who contravenes the provision of subsection (1) of this section, commits an offence and shall be liable on conviction, in case of;
(a) service provider, a fine of not less than N100,000; and
(b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.
18. (1) It shall be the duty of every service provider at the request of any law enforcement agency or at the initiative of the service provider, to provide assistance towards the:
(a) identification, arrest and prosecution of offenders; or
(b) identification, tracing and confiscation of proceeds of any offence or any property, equipment or device used in the commission of any offence; or
(c) freezing, removal, erasure or cancellation of the services of the offender which enables the offender to either commit the offence or hide, preserve the proceeds of any offence or any property, equipment or device used in the commission of the offence.
(2) Any service provider who contravenes the provisions of subsection (1) of this section, commits an offence and shall be liable on conviction, in the case of
(a) service provider, a fine of not less than N5,000,00; and
(b) director, manager or officer of the service provider, a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.
19. (1) Any person who on the internet, intentionally takes or makes use of a name, business name, trademark, domain name or other word or phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, state or local government without:
(a) authority or right; or
(b) for the purpose of interfering with their use in the internet by the owner; commits an offence under this Bill and shall be liable on conviction to a fine of not less than N100,000 or imprisonment for a term of not less than 1 year or to both such fine and imprisonment.
(2) In the determination of the case against an offender, a court shall have regard to:
(a) a refusal by the offender to relinquish, upon formal request by the rightful owner of the name, trademark, words or phrase; or
(b) an attempt by the offender to obtain compensation in any form for the release to the rightful owner for use in the internet, of the name, business name, trade mark, or words or phrase registered, owned or in use by any individual, body corporate or belonging to either the Federal, State or Local Government of Nigeria.
(3) In addition to the penalty specified under this section, the court shall make an order directing the offender to relinquish to the rightful owner.
Note: The intent of this section is unclear, as many of the issues have already been addressed through other mechanisms. NITDA, through the Nigeria Internet Registration Association (NiRA), already manages Nigeria's ".ng" domain based on internationally valid and recognised agreements. Government registration under ".gov.ng" is adequately handled by NITDA directly. It is impractical, time-consuming and a waste of resources to endeavour to monitor all possible naming variations that can also be registered around the world. Government can best inform stakeholders and closely control the registration of ".gov.ng" domain names. For example, if a person wishes to register the name "Nnamdi Ashiru Shehu Sola" and Company as "nass.com.ng", will they not have the constitutional and inalienable right to do so? However, "nass.gov.ng" will not be available to the general public. Part of the responsibilities of the proposed Agency, NITDA and NiRA are to ensure that there are guidelines for how government entities register and use the internet; that government bodies only use the .gov.ng domain; and that the public should only liaise with government institutions via the .gov.ng domain.
20. (1) Any person, group or organization that intentionally accesses any computer or network for purposes of terrorism, commits an offence and shall be liable on conviction to a fine of not less than N10,000,000 or a term of imprisonment of not less than 20 years or to both such fine and imprisonment.
(2) For the purpose of this section, terrorism means any act which:
(a) may seriously damage a country or an international organization; or
(b) is intended or can reasonably be regarded as having been intended to:
(i) intimidate a population;
(ii) compel a government or international organization to perform or abstain from performing any act;
(iii) destabilize or destroy the fundamental political, constitutional, economic or social structures of a country or any international organization; or
(iv) otherwise influence such government or international organization.
(c) Involves or causes, as the case may be to:
(i) attacks upon a person's life which may cause death,
(ii) attacks upon the integrity of a person;
(iii) kidnapping of a person,
(iv) destruction of a Government or public facility, including; an information system, private property, likely to endanger human life or result in major economic loss.
(v) the manufacture, possession, acquisition, transport, supply, or use of weapons, explosive nuclear, biological or chemical as well as research into their development without lawful authority;
(vi) the release of dangerous substance or causing of fires, explosions or flood the effect of which is to endanger human life;
(vii) interference with or disruption of the supply of water, power or any other fundamental natural resource, the effect of which is to endanger life; or
(viii) propagation of information or information materials whether true or false, calculated to cause immediate panic, evolve violence.
NOTE: Definitions which can be used to fine tune the above definition of "terrorism."
"Terror" comes from a Latin word meaning "to frighten." The Encyclopaedia Britannica defines terrorism as "the systematic use of violence to create a general climate of fear in a population and thereby to bring about a particular political objective. Terrorism has been practiced by political organizations with both rightist and leftist objectives, by nationalistic and religious groups, by revolutionaries, and even by state institutions such as armies, intelligence services, and police." http://www.britannica.com/EBchecked/topic/588371/terrorism
NOTE: The EU in its Article 1 of the Framework Decision on combating terrorism (13 June 2002) defines terrorist acts 'as offences under national law, which given their nature or context, may seriously damage a country or an international organization where committed with the aim of seriously intimidating a population or unduly compelling a Government or international organization to perform or abstain from performing any act, or seriously destabilizing or destroying the fundamental political, constitutional, economic or social structures of a country or an international organization'.
21. Any person who uses any computer to violate any intellectual property rights protected under any law or treaty applicable in Nigeria, commits an offence under this Bill and shall be liable on conviction to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or to both such fine and imprisonment, in addition to any penalty or relief provided under laws.
22. Any person who uses any computer to:
(a) engages or solicits or entices or compels any minor in any sexual or related act; or
(b) engages in, or facilitates any indecent exposure of a minor or creates, possesses or distributes child pornography; or
(c) facilitates the commission of a sexual or related act which constitutes an offence under any law for the time being in force in Nigeria, commits an offence and shall be liable on conviction:
(i) in case of paragraph (a), to a fine of not less than N3,000,000 or imprisonment for a term of not less than 7 years or to both such fine and imprisonment.
(ii) in case of paragraphs (b) and (c), to a fine of not less than N1,000,000 or imprisonment for a term of not less than 5 years or both such fine and imprisonment.
23. Any person who:
(a) attempts to commit any offence under this Bill; or
(b) does any act preparatory to or in furtherance of the commission of an offence under this Bill; and
(c) abets or engages in a conspiracy to commit any offence, commits an offence and shall be liable on conviction to the punishment provided for such an offence, under this Bill.
24. (1) The President may on the recommendation of the Agency, by order published in the Federal Gazette, designate certain computer systems, networks and information infrastructure vital to the national security of Nigeria or the economic and social well being of its citizens, as constituting critical information infrastructure.
(2) The President's order in subsection (1) of this section may prescribe standards, guidelines, rules or procedures in respect of:
(a) the registration, protection or presentation of critical information infrastructure;
NOTE: NCC and EFCC already require the registration of information infrastructure. Such duplication must be avoided.
(b) the general management of critical information infrastructure;
(c) access to, transfer and control of data in any critical information infrastructure;
(d) procedural rules and requirements for securing the integrity and authenticity of data or information contained in any of the information;
(e) procedures or methods to be used in the storage of data or information in critical information infrastructure;
(f) disaster recovery plans in the event of loss of the critical information infrastructure or any part thereof; and
(g) any other matter required for the adequate protection, management and control of data and other resources in any critical information infrastructure.
25. The President's order in section 23 of this Bill may require audits and inspection to be carried out on any critical information infrastructure to evaluate compliance with the provisions of this Bill.
26. (1) Any person who violates any provision as to the critical information infrastructure designated under section 23 of this Bill, commits an offence and shall be liable on conviction to a fine of not less than N15,000,000 or imprisonment of a term of not less than 25 years or both such fine and imprisonment.
(2) Where the offence committed under subsection (1) of this section results in serious bodily injury, the offender shall be liable on conviction to a fine of not less than N20,000,000 or to imprisonment for a term of 30 years or to both such fine and imprisonment.
(3) Where the offence committed resulted in death, the offender shall be liable on conviction to imprisonment for life with no option of fine.
27. Nothing in this Bill shall preclude the institution of a civil suit against a person liable under this Bill by any interested party.
28. (1) The Federal High Court or state High Court shall have jurisdiction to try offenders under this Bill.
(2) Notwithstanding anything to the contrary, the court shall ensure that all matters brought before it under this Bill against any person or body corporate are conducted with dispatch and given accelerated hearing.
NOTE: We must assume that the Courts naturally desire to dispose of cases in an "accelerated" manner and thus such a clause may be misconstrued by the Judiciary, unless the legislature desires to set up specialised courts to try Cyber-Security cases.
(3) For the purposes of this Bill, a person shall be subject to prosecution in Nigeria for an offence committed while the offender is physically located either within or outside, if by the conduct of the offender or that of another acting for him;
(a) the offence is committed either wholly or partly within Nigeria;
(b) the act of the offender committed wholly outside Nigeria constitutes a conspiracy to commit an offence under this Bill within Nigeria; and an act in furtherance of the conspiracy was committed within Nigeria, either directly by the offender or at his instigation; or
(c) the act of the offender committed wholly or partly within Nigeria constitutes an attempt, solicitation or conspiracy to commit offence in another jurisdiction under the laws of both Nigeria and such other jurisdiction.
(4) For the purpose of this section:
(a) an offence or element of the offence is presumed to have been committed in Nigeria if the offence or any of its elements substantially affects person of interest in Nigeria;
(b) where any other country claims jurisdiction over an alleged offence which is subject to prosecution in Nigeria as established by this section, the Attorney General of the Federation may consult with such other country with a view to determine the most appropriate jurisdiction for prosecution.
29. (1) Pursuant to Section (2) of this section, any authorized officer entitled to enforce any provision of this Bill shall have the power to search any premises or computer or network and arrest any person in connection with the offence.
(2) Subject to National Security Agency Act, an authorized officer of any law enforcement agency, upon a reasonable suspicion that an offence has been committed or likely to be committed by any person or body corporate, shall have power to:
(a) access and inspect or check the operation of any computer to which this act applies; or
(b) use or cause to use a computer or any device to search any data contained in or available to any computer or network; or
(c) use any technology to re-transform or decrypt any encrypted data contained in a computer into readable text or comprehensible format; or
(d) seize or take possession of any computer used in connection with an offence under this Bill, or
(e) require any person having charge of or otherwise concerned with the operation of any computer in connection with an offence to produce such computer; or
(f) require any person in possession of encrypted data to provide access to any information necessary to decrypt such data;
(g) require any person in authority to release any subscriber or traffic information or any related content; and
(h) relate with any international law enforcement agencies for the purpose of giving or receiving information or exchanging any data or database for the purpose of investigation and prosecution under this Bill.
(i) The Agency shall have power to cause or direct investigation by any law enforcement agency.
Note: Again, all Interceptions and Searches must be based on Warrants approved and endorsed by competent Judges. An Intercept Commissioner, appointed by and answerable to the legislature, must periodically review intercepts to ensure that privacy and civil liberties are not abused.
30. Any person who:
(a) wilfully obstructs any law enforcement agency in the exercise of any power under this Bill; or
(b) fails to comply with any lawful inquiry or request made by any authorized officer in accordance with the provisions of this Bill, commits an offence and shall be liable on conviction to a fine of not less than N500,000 or imprisonment for a term of not less than 3 years or to both such fine and imprisonment.
31. Notwithstanding anything contained in any enactment or law in Nigeria, an information contained in any computer which is printed out on paper, stored, recorded or copied on any media, shall be deemed to be primary evidence under this Bill.
Note: We suggest that the National Assembly appropriately modify the existing Evidence Act in place of this clause.
32. (1) Any person who tampers with any evidence in relation to any proceeding under this Bill by intentionally:
(a) creating, destroying, mutilating, removing or modifying data or program or any other form of information existing within or outside a computer or network; or
(b) activating or installing or downloading or transmitting a program that is designed to create, destroy, mutilate, remove or modify data, program or any other form of information existing within or outside a computer or network; or
(c) creating, altering, or destroying a password, personal identification number, code or method used to access a computer or network,
commits an offence and shall be liable on conviction to a fine of not less than N500,000 or to imprisonment for a term of not less than 3 years or to both such fine and imprisonment.
33. Criminal proceedings under this Bill shall be instituted by the Agency.
Note: The Office of the Attorney General should have the authority to direct who can and should institute criminal proceedings under this proposed bill as circumstances require.
34. (1) The court imposing sentence on any person who is convicted of an offence under this Bill may also order that the convicted person forfeits to the Federal Republic of Nigeria:
(a) any assets, money or property (real or personal) constituting or traceable to gross proceeds of such offence; and
(b) any computer, equipment, software or other technology used or intended to be used to commit or to facilitate the commission of such offence.
(2) Any person convicted of an offence under this Bill shall forfeit his passport or international travelling documents to the Federal Republic of Nigeria until he has paid the fines or served the sentence imposed on him.
(3) Notwithstanding subsection (2) of this section, the court may:
(a) upon the grant of pardon by the President to the convicted person; or
(b) for the purposes of allowing the convicted person to travel abroad for medical treatment, having made formal application before the court in that regard; or
(c) in the public interest, direct that the passport or travelling document of the convicted person be released to him.
35. (1) Without prejudice to section 174 of the Constitution of the Federal Republic of Nigeria, 1999, the Attorney General may, subject to voluntary admission of the commission of the offence, compound any offence punishable under this Bill by accepting such amount specified as fine to which the offender would have been liable if he had been convicted of that offence.
(2) Notwithstanding the provision of subsection (1) of this section, the court may order the payment of compensation to any person or body corporate, who suffers damages, injury, or loss as a result of the offence committed.
36. Where a person is charged with an attempt to commit an offence under this Bill but the evidence establishes the commission of the full offence, the offender shall not be entitled to acquittal and shall be convicted for the offence and punished under the relevant penalty.
Note: We suggest modifications to enable opportunities for Plea bargaining.
37. The President may by order published in the Gazette make such rules and regulations as in his opinion and on the recommendation of the Agency are necessary to give full effect to the provisions of this Bill.
38. In this Bill,
"access" includes to gain entry to, instruct, make use of any resources of a computer, computer system or network.
Note: The definition of access is subject to ongoing debate by various ICT and Cyber-Security professionals. Most importantly the definition should go beyond computer, computer system or network as cyber space which Cyber-Security addresses includes matrices of data as described by UNESCO as "the virtual shared universe of the world's computer networks, it has come to describe the global information space" www.unesco.org/education/educprog/lwf/doc/portfolio/definitions.htm
"Agency" means Cyber Security and Data Protection Agency.
"Authorized officer" means a person authorized by law to exercise a power under this Bill.
"Authority" means express or implied consent to access a computer network, program, data or database, software.
"Computer" includes any electronic device or computational machinery programmed instruction which has the capabilities of storage, retrieval memory, logic, arithmetic or communication and includes all input, output, processing, storage, communication facilities which are connected or related to such a device in a system or network or control of functions by the manipulation of signals whether electronic, magnetic or optical.
"computer network" includes the interconnection of computers or computer systems.
"Computer program" means data or a set of instructions or statements that when executed in a computer causes the computer to perform a function.
"damage" means an impairment to the integrity or availability of data, program or network.
"data" includes a representation of information, knowledge, facts, concepts or instructions intended to be processed, being processed or has been processed in a network.
"database name" includes any designation or name registered with the domain registrar as part of an electronic address.
"intellectual property rights" include any right conferred or granted under any of the following laws or treaties to which Nigeria is a signatory:
(a) Copyright Act, CAP 68. LFN (as amended);
(b) Patents and Designs Act CAP 344, LFN;
(c) Trade Marks Act, CAP LFN;
(d) Berne Convention;
(e) World Intellectual Property Organization (WIPO) Treaty;
(f) Trade-Related Aspects of Intellectual Property Rights (TRIPs);
(g) Universal Copyright Convention (UCC); and
(h) Paris Convention (Lisbon Text).
"internet" means global information system linked by a unique address space based on the internet protocol or its subsequent extensions.
"intercept" includes the aural or other acquisition of the contents of any wire, electronic or oral communication through the use of technical means so as to make some or all the contents of a communication available to a person other than whom it was intended, and includes:
(a) monitoring of such communication by any device;
(b) viewing, examination or inspection of the contents of any communication; and
(c) diversion of any communication from its intended destination.
"Law enforcement agency" means any institution created by law and charged with the responsibility of enforcing obedience to our written law.
"loss" means any reasonable cost to a victim, including the cost of responding to an offence, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offence and any revenue lost, cost incurred and other consequential damages incurred because of the interruption of service.
"Minor" means a person under 18 years.
"Modification" means (a) alteration or erasure of the content of any program, data and data base;
(b) any event which occurs to impair the normal operation of a computer;
(c) modification is unauthorized if:
(i) the person that causes the act is not himself entitled to determine whether the modification should be made; and
(ii) he does not have consent from anybody to modify.
"Service provider" includes but is not limited to:
(a) internet service provider;
(b) communications service provider; and
(c) application service provider.
"Software" includes any program, data, database, procedure and associated documentation concerned with the operation of a computer system.
"Spamming" means unsolicited electronic mail message having false headers, address and lines.
"Minister" means minister of information and communication.
Note: This is a carry over from an earlier proposed Cyber-Crime bill.
39. This Bill may be cited as Cyber Security and Data Protection Agency (Establishment etc) Bill, 2008.