It is not wisdom, but authority, that makes a law, the saying goes. Perhaps that’s why international cybersecurity laws are so lacking, says Danny Bradbury
December 2014 was a big month for cybersecurity in Canada. The country passed legislation allowing it to ratify an international treaty on cybercrime a mere 13 years after it was first unveiled.
Things tend to move like molasses in the world of international law. That’s a sticky problem for those tasked with bringing cyber-criminals to justice. With online thieves and exploiters often operating outside the legal jurisdiction of their victims, countries must work together to protect themselves against global threats. But is international cybersecurity law strong enough to bring criminals to justice? And if not, then what other work needs to be done?
The Law in Europe
There are several European directives that touch on areas of cybersecurity. The 2002 E-Privacy Directive requires European electronic comms companies to report data breaches, while the 2008 European Critical Infrastructures Directive states that critical infrastructure service providers must put electronic protections in place. The 1995 Data Protection Directive decrees that data controllers must adequately protect personal data, but this legislation will be superseded by the General Data Protection Regulation, which is expected to be adopted in 2015.
These directives have created some international consistency in cybersecurity across the EU, but far more work is needed. EU lawmakers admitted this in a preamble to proposed legislation now in the final stages of becoming law, which they hope will tie network information security law together into something more cohesive.
In March 2014, the EU voted through a Network and Information Security (NIS) Directive. Originally proposed a year earlier, the directive was designed to enforce an EU-wide cybersecurity strategy created at the same time. The proposal states that, “Existing NIS capabilities and mechanisms are simply insufficient to keep pace with the fast-changing landscape of threats and to ensure a common high level of protection in all the member states.”
The directive, which at the time of writing was still being thrashed out by stakeholders, would force affected companies to report security breaches with a significant impact. Also included were instructions for national regulators to co-operate by providing early warnings to each other on cybersecurity risks, and for secure channels for sharing sensitive information.
The big debate at the end of 2014 was about whether the directive should affect only operators of critical national infrastructure, or whether providers of information services, such as social network and e-commerce companies, should also be affected.
The Budapest Convention
The directive will move the EU further towards a consolidated approach to cybersecurity, but only one international treaty currently addresses cybercrime more directly. The European Convention on Cybercrime, also known as the Budapest Convention, defines tactical operations for fighting cybercrime on a global basis. It is this legislation that Canada is now able to ratify, which puts the North American country on a list including the US, France, and Germany.
Published in 2001, the Budapest Convention was a long time coming. Its roots date back to 1976, when participants at the Council of Europe Conference on Criminological Aspects of Economic Crime in Strasbourg discussed ways to define cybercrime. This was a forward-thinking crowd: the wooden-cased Apple 1, one of the first home computers with an actual keyboard, shipped that year.
Little happened then until 1989, the year when the fundamental language of the web, HTTP, was created. The Council of Europe created its own list of recommendations for punishable cybercrime acts, which was adopted the following year. Seven years later, the Council began negotiations on the European Convention on Cybercrime. Introduced in 2001, it finally came into effect in 2004.
Assessing the Law
So does the Budapest treaty do its job? There are still notable problems prosecuting cyber-criminals, warns Steve Durbin, managing director of the Information Security Forum (ISF): “If you’re talking about cybercrime, and you talk to Interpol, they’ll describe an immense amount of frustration on their part in tracking perpetrators down, and then doing something with them if they do find them,” he says. “So, it’s about the willingness of nation states to observe and collaborate and prosecute cyber-criminals.”
Countries that ratify the Convention agree to implement its policies in domestic law. These policies span key areas: fraud and forgery, child pornography, copyright infringements, and security breaches. However, neither Russia nor China – two large sources of cyber-criminal activity – have signed or ratified the treaty.
Still, there have been some significant wins, thanks in part to co-operation facilitated by the Budapest treaty. In November, law enforcement units from the US and over a dozen countries arrested 17 individuals in a bust targeting black markets operated via the Tor network.
Ulf Bergström, head of communications and external relations at Eurojust, the judicial co-operation unit, argues that international agreements are crucial when targeting cybercrime with operations like these: ‘’It is paramount in cybercrime to involve the judicial authorities, prosecutors and investigations from the start to ensure that evidence is gathered in a way so that it is admissible later in court.
“You must also sort out where you will prosecute, as this is a cross-border operation; at the same time, you must balance the citizen’s rights,” he continues. “So, clearly, without justice, there will be no success in fighting crime.’’
“Existing NIS capabilities and mechanisms are simply insufficient to keep pace with the fast-changing landscape of threats"Proposal for EU Network and Information Security Directive, 2014
Military Activity
Commercial cybercrime isn’t the only thing that international law must consider, though, according to legal experts. Military attack and defense is becoming an increasingly important part of the equation.
“There is real doubt about whether the Convention reaches sovereign state activity, and as we know, this is the major area of great concern to those of us that want a peaceful, conclusive and fair cyberspace,” argues Mary Ellen O’Connell, professor of international dispute resolution at the University of Notre Dame’s Kroc Institute for International Peace Studies.
O’Connell is particularly concerned about the use of Stuxnet, the virus that disrupted operations at the Iranian Natanz nuclear facility, now believed to have been a US/Israeli project: “I am also concerned about how the Chinese are using the internet for military advantage,” she warns.
If Budapest doesn’t shed legal light on these kinds of state-sponsored cyber-activities, then what does? Robert Clark, an attorney in cybersecurity and privacy law at the US Military Academy’s Army Cyber Institute, says that the Pentagon has mapped laws used in conventional warfare to the cyber domain. He refers to the Law of Armed Conflict (LOAC), which draws on treaties such as the Geneva Convention and Hague Regulations for warfare, and covers basic principles such as proportionality and military necessity.
In a 2011 report to Congress on cybersecurity defense policy, the Pentagon called for the inclusion of LOAC as part of a strategy including “the use of all necessary means” to defend its interests in cyberspace. “LOAC is just as adequate as it is for the other domains: land, air, sea and space. In all these domains, including cyber, LOAC can be easy, hard, and everything in-between,” says Clark.
O’Connell argues for a binding treaty on nation state engagement specifically for cyberspace, governed by an independent body like the International Telecommunications Union (ITU), with its rich understanding of the internet. Clark is unconvinced: “China and Russia were leading the pack to come up with a cyber-treaty convention, and the reason we objected is because it also went to our core basics of freedom of information and freedom of speech. They wanted to include aspects of regulating and suppressing freedom of speech as part of this core cyber convention.”
Instead of a pervasive treaty on cyberspace engagement, the US has moved to bilateral talks, but these have been difficult. Direct discussions with China on cybersecurity recently stalled after five members of the Chinese military were indicted on hacking charges in the US. Meanwhile, Russia and China have been working towards signing a bilateral treaty on cyberspace engagement rules.
State-Sponsored Theft
Part of the problem with China is the high instance of IP theft alleged to be emanating from that country. The five aforementioned Chinese military officers were accused of hacking firms including Westinghouse Electric, US Steel Corp, and SolarWorld, in an effort that US attorney general Eric Holder said was designed to advance the interests of Chinese state-owned firms.
When states sponsor or organize the theft of corporate secrets, that is classed as espionage, Clark points out, arguing that it isn’t illegal internationally. Countries normally prosecute such activities under domestic law. That’s a useful tactic when the spies reside in your cities, he points out, but less so when they’re a continent away, doing it via keyboard.
The only other option is to address it privately, says Gregory Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy and Technology: “Sometimes it becomes a diplomatic issue, in which case the relevant officials will be raising the matter with the foreign governments,” he explains. “I would imagine that sometimes the State Department raises it with foreign ambassadors here.”
Like purely commercial online criminal behavior, state-sponsored activities are developing at breakneck speed. Politics moves more slowly, especially when multiple countries with different agendas are all working on the same treaty. For now, it seems that most of the meaningful discussion around state-sponsored cyberspace activity is happening as many hacking operations do: behind closed doors, in secret.
This feature was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users