Laws to prosecute malware makers flagged

A senate inquiry into cybercrime has discussed the possibility of extending Australia's Spam Act to specifically prosecute Australians that distribute malware or trick internet users into uploading programs onto their device without consent.

The Spam Act of 2003 currently covers electronic messages sent with a commercial purpose, but under a proposal by Liberal Party Senator Bruce Billson, the Act could be extended to include a set of harsher penalties specifically for the distribution of malware.

Billson told iTnews that the matter had come up for discussion on a couple of occasions during the cybercrime inquiry and was supported by several submissions, including a paper by the Cyberspace Law and Policy Centre at UNSW.

"At the moment we are very much focused on spam itself and not on the consequences of the malware that often comes with it," he said. "I am particularly interested in that. My instincts are that this is the issue."

Billson suggested that the Spam Act could be updated such that it would become unlawful to have software uploaded to any computer without express approval of the user - with penalties that reflect that malware goes "beyond the nuisance value of spam" and "undermines the performance of systems."

Billson stressed that legislation - which the Federal Government would "need to get right" - would only be a small part of the solution to the cybercrime problem. He said that more coordination between industry and government on detecting attacks and protecting systems from infection was also required.

"I have been encouraged by the range of people wanting to be a part of ensuring the integrity of the internet in this country," he said. "Most advocate a collaborative approach, where we take the best knowledge of IT engineers, commercial interests and law enforcement to address the problem."

Billson said he recognises that there is "no point building walls" to enforce security, but that the Government and industry "need to build resilience and responsiveness" to tackle the malware problem.

The cybercrime committee is yet to specifically discuss the inclusion of Billson's idea in any official report to Government, he said. His proposal would first "need consensus among committee members". But he is happy to have the idea pitched to iTnews readers for feedback such that he can "take an informed view to the Government."

No need, says the ALP

A Federal Government spokesperson told iTnews that the distribution of malware is to a large degree already covered under the Spam Act 2003 (in so far as it covers electronic messages with a commercial purpose) and that the creation and distribution of malware is similarly considered a criminal offence (under part 10.7 of the Criminal Code Act 2005), and is thus unlikely to be specifically addressed under the Spam Act as per Billson's idea.

Paul Ducklin, head of technology at security vendor Sophos Asia Pacific told iTnews he agreed with  this assessment, with the disclaimer that he is not a lawyer or member of the judiciary.

Ducklin said his concern would be that adding malware under the Spam Act might dilute or complicate the Spam Act and provide a "silly loophole" for malware distributed by other means.

He also expressed concerns that such changes would create a distinction between 'bad' and 'less bad' spam - the former being spam loaded with malware, the latter being made to appear seemingly less harmless.

"The old-school spammers might suddenly manage to appear less troublesome than they undoubtedly are," he said.

Ducklin said the key to solving the malware problem involved scammers being charged under a variety of laws - whichever were applicable - be it the Spam Act, the Trade Practices Act or the Criminal Code Act.

"That way, you can set not just [telecommunications regulator] ACMA but also the [competition watchdog] ACCC, the various State offices of fair trading and the cops onto them," he said.

What's your view? Is the current legal framework adequate to tackle malware? What do you think of Billson's idea?