Welcome to the 30-in-30 blog campaign! I’m excited to launch this initiative, which involves publishing a brand new blog post every single day for the next 30 days. I will not mince words about this. It is hard to keep it up, stay engaging, relevant and interactive. More about this campaign is at the end of this article.
The definition of cybercrime may seem a bit blurred as we become more and more connected, and launching an attack (intentionally or unintentionally) is becoming trivial. Targeted attacks can be launched in seconds with widely available tools and services.
There are 6 main threat actor groups to look out for:
- Novice Attackers
- Insider Threats
- Organized Cyber Criminals
- Ransomware as a Service Operators
- Nation-State Sponsored Actors
- Black Hat Hackers
For a deep dive on the business of cybercrime, see this link.
A seventh group would be the inadvertent attacker who commits a crime because of inexperience, incorrect or poor scoping, client misrepresentation, incorrect information provided, missing internal approvals or sign-offs, or poor documentation. How can someone commit a crime by accident? Here are some examples:
- An OffSec student running Kali Linux uses Nmap against a public IP range, finds open ports and then uses any number of tools to exploit the service and gain access.
- A pentester is told to try to gain access to a company environment, and ends up gaining access to a partner network owned by another organization that has healthcare data.
- The cybersecurity director of an organization hires a security contractor to conduct a pentest, but leaves the organization just before the engagement starts. No one else in the organization was informed.
- An organization provides an external Red Team with the incorrect public CIDR IP range. The Red Team successfully breaches an unknowing 3rd party.
In this article, I aim to explore the definition of cybercrime according to the Criminal Code of Canada. Much of the information here was put together by the Cybersecurity & Data Privacy team at Baker McKenzie. The information below is not a comprehensive account of cybercrime in the Criminal Code of Canada. For a deeper dive, see the publication “Cybersecurity Laws and Regulations – Canada 2023”.
Cybercrime, as per the Canadian Criminal Code, encompasses a range of illicit activities committed through computer systems or networks. It involves the use of technology as a tool or target for criminal intent. The Criminal Code acknowledges the evolving nature of cyber threats and incorporates various sections to address different types of cybercrimes.
- Unauthorized Access (Hacking):
Unauthorized access refers to gaining entry into a computer system, network, or data without proper authorization. This includes hacking, password cracking, or exploiting vulnerabilities to access sensitive information or control systems unlawfully. Individuals involved in unauthorized access can be charged under these sections, which aim to protect the integrity and security of computer systems.
■ Section 184: Any person who knowingly intercepts a private communication, by means of any electro-magnetic, acoustic, mechanical or other device, is guilty of an indictable offence carrying a maximum penalty of five years’ imprisonment.
■ Section 342.1: Any person who fraudulently obtains any computer services or intercepts any function of a computer system – directly or indirectly – or uses a computer system or computer password with the intent to do either of the foregoing, is guilty of an indictable offence carrying a maximum penalty of 10 years’ imprisonment.
■ Recently, in R. v. Senior, 2021 ONSC 2729, the Ontario Superior Court summarized the essential elements required for the accused to be found guilty of an offence under Section 342.1 of the Criminal Code and found the defendant guilty of unauthorized use of a computer after running a license plate number contrary to York Regional Police directives.
■ Section 380(1): Any person who defrauds another person of any property, money, valuable security or any service is guilty of: (i) an indictable offence carrying a maximum penalty of 14 years’ imprisonment where the value of the subject matter of the offence exceeds $5,000; and (ii) an indictable offence or an offence punishable by summary conviction carrying a maximum penalty of two years’ imprisonment where the value of the subject matter of the offence is under $5,000.
■ Section 430(1.1): Any person who commits mischief to destroy or alter computer data; render computer data meaningless, useless or ineffective; obstruct, interrupt or interfere with the lawful use of computer data; or obstruct, interrupt or interfere with a person’s lawful use of computer data who is entitled to access it, is guilty of: (i) an indictable offence punishable by imprisonment for life if the mischief causes actual danger to life; (ii) an indictable offence or an offence punishable on summary conviction carrying a maximum penalty of 10 years’ imprisonment where the value of the subject matter of the offence exceeds $5,000; and (iii) an indictable offence or an offence punishable on summary conviction carrying a maximum penalty of two years’ imprisonment where the value of the subject matter of the offence is under $5,000.
■ In R. v. Geller,  O.J. No. 357, the accused was convicted under Section 430(5) after pleading guilty to “hacking” after obtaining 400 credit card numbers, along with other personal data, and accessing the internet 48 times using false identification.
- Denial-of-Service attacks
Under Section 430(1.1) of the Criminal Code, it is an offence to obstruct, interrupt or interfere with the lawful use of computer data or to deny access to computer data to a person who is entitled to access it; the maximum penalty for such an offence is 10 years’ imprisonment where the offence relates to property with a value exceeding $5,000.
- Possession or use of hardware, software or other tools used to commit cybercrime
It is an offence under Section 342.2 of the Criminal Code to – without lawful excuse – possess, import, obtain for use, distribute, or make available a device that is designed or adapted primarily to commit cybercrime, knowing that the device has been used or is intended to be used to commit a cybercrime that is prohibited under Sections 342.1 or 430 of the Criminal Code (described in more detail above). The maximum penalty is the same as noted above – i.e., two years’ imprisonment and, if a person is convicted of an offence, forfeiture of any device relating to the offence may also be ordered.
- Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)
Unsolicited penetration testing may be considered an offence under Section 342.1 of the Criminal Code. Under Section 342.1, individuals are prohibited from fraudulently, and without colour of right, obtaining, directly or indirectly, any computer service, or intercepting or causing to be intercepted, directly or indirectly, any function of a computer system. Unsolicited penetration testing may also be considered mischief under Section 430(1.1) of the Criminal Code, as detailed above.
- Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data
Pursuant to Section 184 of the Criminal Code, it is an offence for any person to knowingly intercept a private communication by means of any electro-magnetic, acoustic, mechanical, or other device, which is punishable by a maximum penalty of five years’ imprisonment. Although the concept of “intercepting” generally requires the listening or recording of contemporaneous communication, in R. v. TELUS Communications Co.,  2 SCR 3, unlawful interception also applied to the seizing of text messages that were stored on a telecommunication provider’s computer. Moreover, under Section 83.2 of the Criminal Code, any person who commits an indictable offence under this or any other Act of Parliament for the benefit of, at the direction of or in association with a terrorist group is guilty of an indictable offence and liable to imprisonment for life. The definition of a “terrorist activity” under Section 83.01 includes an act that causes serious interference with or serious disruption of an essential service, facility or system, whether public or private, other than as a result of non-violent advocacy, protest, dissent or stoppage of work; this may include “cyberterrorism”. Under Section 19 of the Security of Information Act (R.S.C., 1985, c. O-5), it is also an offence for any person to fraudulently, and without colour of right, communicate a trade secret to another person, or obtain, retain, alter or destroy a trade secret to the detriment of Canada’s economic interests, international relations or national defence/national security. The maximum penalty under Section 19 is 10 years’ imprisonment.
Consequences and Challenges:
The Criminal Code of Canada recognizes the gravity of cybercrimes and imposes penalties to deter offenders. Individuals found guilty of cybercrime offenses can face imprisonment, fines, or both, depending on the severity of the offense. However, bringing cybercriminals to justice can be complex due to the global nature of cyber threats, anonymization techniques, and jurisdictional challenges.
Addressing the multifaceted challenges posed by cybercrime requires collaborative efforts among government agencies, law enforcement, cybersecurity professionals, and the general public. In Canada, organizations such as the National Cybercrime Coordination Centre (NC3) and the Canadian Centre for Cyber Security work tirelessly to combat cyber threats and raise awareness about cybersecurity best practices.
Partnerships with the Private Sector:
Collaboration between the public and private sectors is crucial to tackle cybercrime effectively. Private companies, particularly those operating in the technology and cybersecurity sectors, play a vital role in developing innovative solutions, sharing threat intelligence, and assisting law enforcement agencies in investigations. By fostering strong partnerships, information sharing, and joint initiatives, the collective resilience against cyber threats can be strengthened.
Cybercrime knows no boundaries, making international cooperation imperative. Canada actively participates in international efforts to combat cybercrime, collaborating with other countries through initiatives such as the International Multilateral Partnership Against Cyber Threats (IMPACT) and Interpol. Sharing intelligence, harmonizing laws, and coordinating efforts on a global scale are essential for apprehending cybercriminals who exploit the interconnectedness of the digital world.
Understanding the definition of cybercrime as outlined in the Criminal Code of Canada is crucial in protecting organizations from threat actors internally and externally. By recognizing unauthorized access, data interference, system interference, unauthorized use of computer services, possession of devices for unauthorized use, identity theft and fraud, and the emerging threat of phishing and online scams, we can begin to address these issues effectively.
By fostering partnerships among the private sector, government, and law enforcement, promoting education and awareness, and strengthening international cooperation, we can enhance our collective defenses and build a safer digital environment for all Canadians.
Thanks for reading this far.
Now my aim with this campaign is to provide readers with valuable content, insights, and inspiration that can help in their personal and professional lives. Whether you’re looking to improve your productivity, enhance your creative strategies, or simply stay up-to-date with the latest news and ideas in cybersecurity, I’ve got something for you.
But this campaign isn’t just about sharing our knowledge and expertise with you. It’s also about building a community of like-minded IT and security focused individuals who are passionate about learning, growing, and collaborating. By subscribing to the blog and reading every day, you’ll have the opportunity to engage with other readers, share your own insights and experiences, and connect with people in the industry.
So why should you read every day and subscribe? Well, for starters, you’ll be getting access to some great content that you won’t find anywhere else. From practical tips and strategies to thought-provoking insights and analysis, the blog has something for everyone that wants to get current and topical cybersecurity information. Plus, by subscribing, you’ll never miss a post, so you can stay on top of the latest trends and ideas in the field.
But perhaps the biggest reason to join the 30-in-30 campaign is that it’s a chance to be part of something bigger than yourself. By engaging with the community, sharing your thoughts and ideas, and learning from others, you’ll be able to grow both personally and professionally. So what are you waiting for? Subscribe, and for the next 30 days and beyond, let’s learn, grow, and achieve our goals together!