Monday, October 28, 2013

Lebanon exposed to telecoms security risks by lack of legislation

The Daily Star

BEIRUT: The sheer scope of the United States’ telecommunications surveillance is a hot topic, with recent revelations showing the U.S. was snooping on 35 world leaders and is bulk spying on millions of people around the planet. Yet while the European Union is updating its data protection legislation in the wake of the revelations from the documents leaked by former National Security Agency contractor Edward Snowden, Lebanon is exposed at the internal and external level.
It is an issue for citizens and businesses alike, with no law yet enacted for electronic commerce, e-transactions, cybercrimes such as phishing (stealing of data, account information and money from, say, an online bank account) or data security.
“On the legal side I don’t think we are protected at all,” said Gabriel Deek, vice president of the Internet Society of Lebanon.
One of the pillars of the economy, the banking and financial sector, is also exposed.
“We assume there is banking security, but that doesn’t equal data security today. For instance, a few months ago a list of 8,000 people’s credit card numbers on a Lebanese internet provider were put on the net,” said Cyrus Salesse, CEO of Krypton Security, an information security consultancy with offices in Beirut. “At one financial institution, a Chinese hacker was sitting inside their system for a year. Most entities in the Middle East don’t know about hacker attacks until it’s too late.”
Financial institutions have yet to adopt the Payment Card Industry Data Security Standard (PCI DSS) that is being utilized worldwide, which enhances payment-card data security at institutions and service providers that deal with client data. While the Central Bank of Jordan has given a deadline to banks to be PCI certified, Lebanon’s central bank, Banque du Liban, has not done so.
“The BDL hasn’t picked up on that and seems to be playing a weaker role in this security environment,” Salesse said. “The infrastructure of Lebanese online banking security is – I want to say old – but it is inadequate. It is an affordability issue, as many banks use homemade software, so to adopt newer, more secure software needs total business re-engineering.”
But according to Salam Yamout, the government’s national e-strategy coordinator, the BDL is working on certain projects, including an e-payment gateway and clearing transactions in real time.
“Security is at the top of their list,” Yamout said.
In the meantime, at the national level, legislation is coming up short.
“You have civil and commercial rights, but against financial institutions? Standards are very low when it comes to transactions with credit cards inside Lebanon, or the technical criteria to allow authentication of commercial factors,” said Riad Bahsoun, chairman of the Policy and Regulatory Committee at the International Telecommunication Council for Lebanon.
What is holding back data security, and the potential for e-commerce to take off, is legislation. Back in 1996, a law was proposed to allow e-signatures, but this was deemed not encompassing enough, and an e-commerce law was proposed in 2004. The draft law was rejected twice as it was considered too draconian by the private sector.
“I worked to lobby against it as it was a bad law,” Deek said.
In 2011, the office of Prime Minister Najib Mikati took control of the draft law, and for the first time in the country’s history, the private sector was involved in the committee.
“I believe we’ve done the right thing, to go back and simplify it, and have freedom of expression on the Internet,” Yamout said. “This legislation is crucial to the e-ecosystem as it covers all aspects of the e-economy: banking, service providers [not telecoms but hosting], data storage and protection, and cybercrime.”
But while the law was passed at the ministerial level, it has not been ratified by the Parliament.
“Anything involving more than one ministry requires cooperation, and that is why it was slow [to be implemented],” Yamout said. “The digital economy, IT and telecom is not a priority given the tough constraints of politics and security in the country. It’s like a house burning down – do you put the fire out, or save the furniture first?”
Even if the law is passed – which could be years away as there is a caretaker government currently in place – e-commerce faces an uphill battle for greater adoption in the country.
“When it comes to e-commerce, there is no trust in credit cards and online transactions,” said Salim Tannous, cluster director at the Beirut Creative Cluster. “Another problem is control, the gatekeepers – the customs – which are not facilitating e-commerce. It is about controlling the ins and outs, especially of books and media. If you only allow a few suppliers, it is easier to control them, and hurt them if they are not compliant. By resisting change, it protects the old guard – government officials, customs and traditional suppliers. We need a solution that bypasses the old system that takes a cut.”
What concerns the private sector is that whenever the law is passed, it will have become outdated compared to other jurisdictions, which could lead to another round of debate and the potential for redrafting. Already the law is not seen as encompassing enough.
“The law will not solve whatever issues are related to industrial espionage or financial transaction traffic,” Deek said.
When it comes to external surveillance, the public and private sectors are fully aware that Lebanon is exposed to some of the highest rates of surveillance in the world. The country is being spied on by Israel, Jordan, NATO, the NSA, and via the British signals intelligence base in Cyprus, which is partly funded by the NSA.
With bureaucracy in general not automated and government websites purely informational, the more archaic methods of data gathering mean there is little chance of mass data leaks and little electronic data for external agencies to spy on.
“Some ministers don’t even have official email addresses – but use their own email, so that is not safe, meaning Hotmail has access to a government official,” Tannous said.
Domestically, there is no specific legislation in place to ensure privacy. But this principle is mentioned in the Constitution through adherence to the Universal Declaration of Human Rights, which states the right to privacy in communications. Law 140 (1999), enacted in 2009, protects the right to privacy in telecommunications.
“It is unconstitutional to eavesdrop on people. There is no specific code, but a general text that protects privacy and personal information, which is the penal code of 1943. Also there is no text regarding e-records as the Constitution was issued in 1923 and amended in 1990,” said Paul Morcos, founder of the Justicia law firm. “The penal code includes text concerning privacy and correspondence that might be applicable to other communication means, but as Law 140 is enacted, it is more specific than the penal code. That said, we need a complete reform of the criminal code.”
The exception to Law 140 is for intelligence agencies gathering information aimed at combating terrorism, organized crime and crimes against the security of the state. The issue, though, is that while agencies must get juridical authorization and state the reason for monitoring, the type of communication to be monitored (email, telephone), the region and a time period, there is no effective governmental oversight.
“We don’t have the slightest guarantee our privacy is not violated,” Bahsoun said.
Law 140 has been controversial, and it is still provoking debate as to which ministry should be in charge.
“From a legal point of view, this Law 140 about interception is badly drafted. Besides, the decision to host it in the Telecoms Ministry makes sense, but the request that the data transmission is sent to the Minister of Telecommunications, and up to him to implement it is ridiculous. It should be with the Interior Ministry or the Defense Ministry, and be under control of the Council of Ministers with direct reporting procedures,” Bahsoun said.
There was a Defense Ministry-Telecoms Ministry liaison team to oversee interception that was headed up by six officials, but it was disbanded.
“I worked with them, and recommended to the president and the prime minister this team should be expanded to 50 people, at least, and have autonomy,” Bahsoun said.
“There is a lot of work to do to have security, but the government canceled the liaison team, which shows that behind the scenes there are forces that want data manipulation.”
The country does not have the financial or technical capabilities for total spectrum surveillance of telecommunications on par with, say, the NSA, but the intelligence agencies are not without capabilities.
Furthermore, the intelligence agencies’ activities are being widened, with a cyberunit at the Information Branch and interception able to be carried out by Military Intelligence, while the former head of the latter, Abbas Ibrahim, is now the head of General Security and is reorganizing its capabilities.
“The Information Branch has the software to intercept [smart phone communication application] WhatsApp, the metadata and data. It is given by certain countries, such as Germany,” Bahsoun said.
Getting legislation in place that protects citizens, businesses and consumers is going to take time, and the debate will continue in Lebanon as in the rest of the world about data protection.
“The balance of power concerns me. The question is, how do you make justice prevail? We are still fighting for the freedom of the Internet and we want no restrictions,” Deek said.

Photo credit - (The Daily Star/Mohammad Azakir)
