January 15, 2018

Enforcement of Cyber Laws - Regulating the Cyberspace

This post provides information about the enforcement of cyber laws; it reviews laws and international treaties relating to cybercrime and provides a comparative analysis of the legislation of several countries.

In 2014 I wrote an award-winning article about enforcement of cyber laws. On November 4th I was awarded a prize for winning the Cyber Law Essay Competition, and Enforcement of Cyber Laws was recognized as the best article by GITI. GITI is a major annual IT conference, held in Georgia, attended by hundreds of security and IT specialists from around the world.

You can read the article below.

Introduction

This post provides information about the enforcement of cyber laws; it reviews current laws and international treaties relating to cybercrime and provides a comparative analysis of the legislation of several countries. It additionally includes a review of cybercrime investigation methods and shows the main issues regarding the identification and prosecution of cyber criminals. “Enforcement of Cyber Laws” relies on personal opinions and publicly available documents.

An Overview of Cybercrime

The phenomenal development of information technologies facilitated the formation of an entirely new universe. This universe is a vast virtual space, capable of transmitting billions of pieces of data per minute, known as cyberspace. Cyberspace is a global communication network consisting of both hardware and software infrastructure, which uses the standard Internet protocol suite to link smaller computer networks throughout the world. The phenomenal growth of the global information technology infrastructure has been one of the most decisive factors distinguishing this century. In just over the past ten years, the number of Internet users has increased five times, and this rate is growing on a daily basis.

Today, cyberspace is a virtual realm that grows daily, populated by its own citizens, whose number reaches 3 billion, and you are one of them. As we can see, virtual life is becoming more and more popular, but what makes it so attractive? It is uncontrollable, it is huge, it offers everything that one is unable to find in the physical world, and the most delicious part is that there are no rules in cyberspace: you open the door and do whatever comes to your mind. This attraction has also created unparalleled opportunities for cyber criminals; criminal behaviors that were unimaginable a few years ago have become daily occurrences today, and cybercrime technology is advancing as well. In addition to the hard infrastructure presented by the World Wide Web, soft infrastructure is necessary in the form of regulatory mechanisms and cyber law.

In order to punish cyber offenders, it is crucial to define their nature correctly. Today every teenager is able to surf the internet and find many tutorials and tools providing proficient knowledge of cyberspace, network security and several hacking techniques. The knowledge is good in itself, but it might become a nightmare for others if not used in good faith. People who used this knowledge in good faith are today’s notable cyber security experts; they grew up in the same cradle of cyberspace as cyber criminals. Both developed their knowledge by staring at computer screens for hours and digging deep in the digital desert. In that period, they were all hackers. However, not every hacker is an offender; there are two main types of hackers known to cyber culture: white hat hackers and black hat hackers. Both do the same thing; they hack their way through cyberspace. The difference is that white hat hackers use their knowledge to defend networks from offenders, while black hat hackers use several hacking techniques to steal sensitive data or damage computer systems. In general, the term hacker denotes a person who modifies the software or hardware of a computer system to find new capabilities of a certain technology. Unfortunately, due to the influence of the media on social life, society applies the term hacker only to an evil being who wants to destroy or steal data from our computers.

Now we know that there are two types of hackers, but what do they actually do? There are more than a hundred ways of stealing data, penetrating networks and disrupting services, but some of them are the most popular:

  • Denial of service
  • Privilege escalation
  • Malware
  • Social engineering
  • Phishing
  • Session hijacking
  • Password cracking

Network administrators are primarily concerned with the methods for perpetrating an attack so that they may forestall that attack. They are less concerned with the legal aspects of the act. Cybercrime is mostly broken into types that emphasize the particular criminal activity rather than the technological procedure used to execute the attack. Such a list would look like the following:

  • Non-access computer crimes
  • Unauthorized access to computer data and systems
  • Identity theft
  • Cyber stalking/harassment
  • Fraud

These are broader types of attacks that encompass many other activities. However, a computer crime could also be committed without circumventing conventional computer operations. It is entirely possible to have a computer crime without the involvement of a security breach.

As we can see, cybercrime is connected to many different legal and technological issues. Regulating them requires appropriate regulations that emphasize international cooperation between states.

Legal Acts and Treaties Concerning Cyber Crime

Due to the complexities presented by cyberspace, new legislation and international treaties regulating activities in cyberspace have emerged. The first international treaty concerning computer crime is the Convention on Cybercrime. It is the first treaty to deal with breaches of law over the internet or other information networks. It requires participating countries to update and harmonize their criminal laws against hacking, copyright infringement, computer-facilitated fraud, child pornography, and various illicit cyber-activities.

Negotiations on the Convention began in 1997. Since then, the rise in hacking incidents, the spread of harmful computer viruses, and the minimal prosecution of such crimes in many countries have spurred on the Council’s efforts. The terrorist attacks of 9/11 provided further momentum by raising the specter of cyber-attacks on critical infrastructure facilities and by highlighting the means by which terrorists use computers and the Internet to communicate, recruit, raise funds and spread propaganda.

The main goal of the Convention is to determine a “common criminal policy” to better combat computer-related crimes worldwide through harmonizing national legislation, enhancing enforcement and judicial capabilities, and maximizing international cooperation. Additionally, the Convention establishes several obligations for signatories.

Signatories ought to establish a fast and effective system for international cooperation. The Convention suggests that cybercrimes become extraditable offenses, and allows law enforcement authorities in one country to gather computer-based evidence for those in another. It also calls for establishing a 24/7 contact network to provide immediate assistance with cross-border investigations. According to the Convention, signatories ought to establish domestic procedures for the detection, investigation, and prosecution of computer crimes, and for the collection of electronic evidence of any criminal offense. Such procedures comprise the expedited preservation of electronic communications and computer data, system search and seizure, and real-time interception of data. Countries are required to define criminal offenses and sanctions under their domestic laws for four types of computer-related crimes: fraud and forgery, copyright infringements, child pornography, and security breaches like hacking, system interference and illegal data interception.

The Budapest Convention on Cybercrime is one of the most important international treaties for combating cybercrime. It is the first document to establish and define terms describing the actual wrongdoings. Some countries did not have such crimes defined in their national legislation, and by ratifying this document they agreed to international cooperation with regard to cybercrime. One of the signatories of this document is Georgia, a country in the Caucasus that experienced massive cyber-attacks from Russia.

Russian cyber-attacks on Georgia during the conflict of 2008 revealed many vulnerabilities in Georgian cyberspace. Solving this issue required regulatory norms. For this reason, Georgia found it important to sign the Convention on Cybercrime, which was ratified in 2012. Ratification requires signatories to enact proper legislation at the national level, so in February 2012 the Data Exchange Agency of Georgia introduced a new bill, the Information Security Act, to the parliament. It entered into force on July 1, aiming to establish legal standards for the private and public sectors in order to protect critical infrastructure. The Information Security Act introduced new approaches and notions for the cyber security of Georgia, including penetration testing, security audit, information security officer, computer security specialist, and the duties of CERT with regard to the security of critical infrastructure. The Information Security Act requires subjects of critical infrastructure to periodically test and audit their information security systems. Examples of subjects of critical infrastructure include security services such as police and military, transportation systems, financial services, banking systems, telecommunications and others.

The Act assigns the following additional and important duties to CERT.GOV.GE (the CERT of the DEA): giving recommendations for the security of critical information systems, registering computer incidents, responding to computer incidents, analyzing computer incidents, assisting critical infrastructure in minimizing damage, raising cyber awareness, and warning users about possible dangers.

In 2010, important changes appeared in the Georgian Criminal Code, but penalties for some computer crimes are lighter compared to other European countries like Estonia, which experienced the same types of attacks in 2007 as Georgia and makes a good example for comparison. For example, the Georgian criminal code provides for pecuniary punishment, correctional work, or imprisonment for no more than two years in the case of unauthorized access to a computer system, while Estonian legislation punishes a person for such conduct with pecuniary punishment and imprisonment for up to five years. Another difference between the two is that the criminal code of Georgia does not use a term like “critical infrastructure” or “vital sector” with regard to computer crime.

Despite the fact that some punishments in the criminal code of Georgia are lighter, the code treats cyber terrorism as a separate crime. On the whole, having a separate article on cyber terrorism is positive, but unlike the article on acts of terrorism, it does not cover criminal offences committed against international security or an international organization, so it is unclear whether the latter may be applied in connection with the cyber terrorism article.

On April 27, 2007, Estonia experienced the most sophisticated cyber-attack, allegedly executed by Russian hackers. These serious attacks became a reason for Europe’s most IT-developed country to enact new laws and amend regulating documents. Despite not having an Information Security Act like Georgia, Estonia has amended several laws and enacted the Emergency Act and the Information Security Interoperability Framework in order to suit the requirements of the modern cyber world. Analysis of Estonian law revealed its insufficiency, so the following legislative acts have been amended: Penal Code, Electronic Communications Act, Public Information Act, Personal Data Protection Act, and Information Society Service Act.

The amendments made the Estonian Penal Code more severe on cyber criminals. For example, whereas before the cyber-attacks some computer crimes required significant damage to have been caused for imprisonment, now one may be sentenced to more than 3 years of imprisonment without causing such damage. The amended legislation additionally covers the preparation of computer crime, which was not available until Penal Code amendment act RT I 2008, 13, 87. Pursuant to the article 2061 regarding preparation of computer-related crime, the court is entitled to confiscate an object which was a direct object of the commission of an offence. Confiscation of an object of the commission of computer-related crime is a new notion for Estonian legislation. Changes in legislation influenced the article about terrorism too, and therefore now, in some cases, interference with computer data might be considered an act of terrorism. This may be evaluated as a step towards the fight against cyber terrorism, which is one of the most serious types of cybercrime nowadays.

With regard to computer crime, compared to the Penal Code of 2001, the amended code is more detailed and includes terms important for modern legislation, like “vital sector”, and a range of possible cyber-attacks. From the Emergency Act of 2009 of Estonia, which covers the term “vital services”, we may conclude that the terms “vital sector” and “critical infrastructure” carry a similar meaning and refer to, but are not limited to, the following: state agencies, energy facilities and networks, financial bodies, healthcare, food, water, communications and information technology.

A careful examination of current laws makes clear that laws regarding cyber security and cybercrime are becoming increasingly relevant. However, in order to enforce these laws in real life, it is necessary to improve the technologies used for investigation, identification and collection of digital evidence. The enforcement of cyber laws is a very complicated process and depends on several different factors.

Issues Regarding Jurisdiction

Cybercrime is so broad and can be so complex that it becomes very difficult to investigate. Additionally, jurisdiction adds an international legal complexity to the investigation. Normally there are three levels of authority defined by international jurisdiction:

  • The authority to enforce
  • The authority to prescribe
  • The authority to judge

The Convention on Cybercrime emphasizes international cooperation with respect to criminalizing certain acts. However, it does not provide a solution to the issues of international jurisdiction, and the investigation of a cybercrime has to depend on the good will of the third country. The Convention relies heavily on international cooperation, but sometimes this is not enough to bring an investigation to a conclusion. Therefore, we may conclude that the Convention falls short of giving States the necessary tools to fight this type of crime.

A good example of the complexity of jurisdiction issues is the Yahoo case. On May 22, 2000, the Tribunal de Grande Instance de Paris, based on the regulation that makes the exhibition or sale of racist objects illegal, ordered Yahoo! Inc. and its subsidiary Yahoo France to exclude French internet users from sales of Nazi objects and to remove all the files concerned from their servers. In this case, the files were uploaded from an unknown source and were stored on a server located in the United States. The French court asserted jurisdiction over them because they were visible in France and their content was illegal in France.

Yahoo filed a declaratory judgment action in U.S. District Court in order to obtain a ruling that the French court’s order could not be enforced against Yahoo in the United States. Besides raising technical matters regarding the impossibility of excluding some users of its site from some of the Web pages, Yahoo maintained in its lawsuit that allowing enforcement of the foreign court’s order in the United States would violate the First Amendment. As a result, U.S. District Judge Jeremy Fogel agreed with Yahoo regarding the violation of the First Amendment and entered a declaratory judgment in the company’s favor.

LICRA and UEJF appealed to the Ninth Circuit. Eventually, the majority of the judges reversed the judgment of the district court, but confirmed that the district court had jurisdiction over LICRA and UEJF.

The above-mentioned case shows that the Convention on Cybercrime does not provide enough resources to solve such complex issues, and such cases may last for years. The problem of jurisdiction is not easily solvable, and unfortunately, at this time international law does not provide any obligatory norms that require states to obey certain rules.

Investigation and Forensics of Cybercrime

Identification and prosecution of cyber criminals is another important problem faced by law enforcement with regard to cybercrime. For a person to be found guilty of a criminal offense under criminal law, the jury or judge must believe that the offender has committed the offense. The only solution to this problem is to provide convincing evidence whenever possible.

Cyberspace provides exclusive opportunities to cybercriminals by allowing them to become anonymous. Virtual Private Networks and online anonymity services like TOR (The Onion Router) allow criminals to initiate their attacks through several nodes, thus making identification even more complicated. “The Criminalization of True Anonymity in Cyberspace” by Georgie du Pont describes two types of anonymity: true anonymity and pseudo-anonymity.

Truly anonymous communication is untraceable. In this case, only coincidence or purposeful self-exposure will bring the identity of a person to light. Any attempt to discover the identity of the sender will run into an erased trail of clues. Although some forms of truly anonymous communication, such as political speech, are valuable in democratic societies, this form of anonymity has exceptional potential for abuse because the message senders cannot be held accountable for their actions.

In contrast to truly anonymous communication, pseudo-anonymous communication may be traced. Though the identity of the message sender may seem truly anonymous because it is not easily uncovered or made available, it is possible to discover the identity of a person using pseudo-anonymous communication. Despite the use of pseudo-anonymous communication in cybercrime activities, it has significant social benefits; it enables citizens of a democracy to voice their opinions without fear of retaliation against their personal reputations. A perfect example of the use of this type of anonymity was during the revolution in Egypt, where people used pseudo-anonymity to share their opinions against the regime of Hosni Mubarak.

According to Ahmad Kamal, for anti-anonymity legislation to succeed, it must narrowly target specific evils. Governments must recognize that within the distinction between true anonymity and pseudo-anonymity lies the key to legislative restrictions. Because some types of anonymity, such as political speech, are considered valuable and necessary elements of society, legislation cannot merely target all true anonymity under the assumption that its existence promotes anonymous criminal acts. Legislatures must isolate and target only the specific type of anonymous speech in cyberspace that has criminal objectives, such as cyber stalking or child pornography.

Law enforcement cannot change the fact that anonymity exists; however, it can still influence the process of identification by preparing for cyber-attacks. Investigators form an incident response plan in order to be ready for any kind of attack. The incident response plan is a part of the overall corporate computer security policy. The plan identifies reporting requirements, guidelines and severity levels for the preservation of evidence. The priorities of the investigation may vary from organization to organization; however, the common priority is to minimize any additional loss and resume business as quickly as possible. In addition, it is important to establish a CERT working 24/7 to respond to and identify attacks as soon as possible, before attackers try to cover their traces.

The computer crime investigation starts immediately following the report of any alleged illegal activity. Analysis and eradication are accomplished as soon as possible after the attack.

The next step after the identification of an attack is to gather digital evidence for later presentation in court. Digital evidence is the main factor on which a court bases its decision. Digital evidence is information or data of evidential value that is stored on or transmitted by a computer or digital device. According to the SANS Institute, digital evidence may be retrieved from: (a) CPU, cache and register content; (b) Routing table, ARP cache, process table, kernel statistics; (c) Data contained on archival media; (d) Remotely logged data; (e) Data on hard disk; (f) Temporary file system / swap space; (g) Memory.

The process of collecting digital evidence consists of five steps:

  1. Policy and procedure development
  2. Evidence assessment
  3. Evidence acquisition
  4. Evidence examination & analysis
  5. Documenting and reporting

The last step is the most important, as it documents everything that has happened in the previous steps, including files found and techniques used. These documents are gathered and presented to the court as evidence. Depending on the quality of the evidence, the court checks it for admissibility.

For an electronic document to be admitted as evidence, the following questions should be answered:

  • Are we able to authenticate document properly in regard of authorship and integrity of the document?
  • Are the record and original version different in any way?
  • Is it reliable and necessary?
  • Is the program that created the document reliable?

The authentication of electronic evidence poses several problems, because by its very insubstantial nature, electronic evidence may easily be altered and that would be difficult if not impossible to detect, even by an expert.

Due to the transitory nature of information stored on computer systems, there are a number of additional legal obstacles that have to be clarified:

  • Computer evidence may easily and undetectably be changed or removed
  • Computer evidence may be stored in a different format from the one in which it is displayed
  • It is hard for nonprofessionals to truly evaluate computer evidence.
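One common way to make the integrity questions above answerable is to hash each item at acquisition and keep a hash-chained custody record. The following Python sketch is an added example, not part of the original article; the field names, item identifier and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash used by the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash every field of a log entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def append_entry(log, item_id, action, actor, timestamp, evidence: bytes) -> dict:
    """Record a custody event, bound to the evidence and to the previous entry."""
    entry = {
        "seq": len(log),
        "item_id": item_id,
        "action": action,
        "actor": actor,
        "timestamp": timestamp,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log) -> list:
    """Return a list of problems; an empty list means the record is consistent."""
    problems, prev, baseline = [], GENESIS, {}
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence number out of order")
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: does not link to the previous entry")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: fields changed after it was written")
        first = baseline.setdefault(entry["item_id"], entry["evidence_sha256"])
        if entry["evidence_sha256"] != first:
            problems.append(f"entry {i}: evidence differs from acquisition hash")
        prev = entry["entry_hash"]
    return problems


def matches_acquisition(log, item_id, evidence: bytes) -> bool:
    """Is the copy presented now identical to what was acquired?"""
    for entry in log:
        if entry["item_id"] == item_id:
            return hmac.compare_digest(entry["evidence_sha256"], sha256_hex(evidence))
    return False  # item was never recorded


if __name__ == "__main__":
    # Constructed sample standing in for an acquired file or disk image.
    image = b"constructed sample: 203.0.113.7 - - [15/Jan/2018] GET /admin 200\n"
    log = []
    append_entry(log, "ITEM-001", "acquired", "examiner-a", "2018-01-15T10:00:00Z", image)
    append_entry(log, "ITEM-001", "analysed", "examiner-b", "2018-01-16T09:30:00Z", image)
    print(verify_log(log))
    print(matches_acquisition(log, "ITEM-001", image + b"x"))
    log[0]["actor"] = "someone-else"  # edit the record without re-hashing
    print(verify_log(log))
    # The chain only proves internal consistency: whoever can rewrite the
    # whole log can rebuild it, so the latest entry_hash should also be kept
    # where they cannot reach it (signed report, separate custodian).
```
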

Role of International Organizations in Cybercrime Regulation

As we can see, the whole process from the commission of a cybercrime to the conviction of the accused takes too long because of many legal, political and technological complexities. This raises the significance of the participation of international organizations in the regulation of cybercrime.

International organizations are focusing on international harmonization, which is one of the most important steps for solving international crimes like cybercrime. Harmonization of national laws will definitely solve some issues regarding extradition. Extradition is more a political decision than a legal obligation. Many countries have extradition treaties with others; however, they do not allow extradition of their citizens to countries where they may become subject to the death penalty or any other punishment inconsistent with their national legislation. When national laws are harmonized, however, states have no basis for refusing extradition and are more likely to transfer a person to the victim state.

International cooperation is another important role of international organizations. The United Nations, NATO, the Council of Europe, the Organization of American States, and the Shanghai Cooperation Organization have created mechanisms that directly regulate cyber-attacks and enhance international cooperation. For example, the Council of Europe’s Convention on Cybercrime requires states to designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence. Some states have established 24/7 departments and agencies, which monitor data in cyberspace and preserve it for some period until it is shared and analyzed with other states.

Cybercrime is a phenomenon for the international legal community, and years may be required to properly regulate cyberspace and enforce cyber laws. However, each state and organization should realize that regulation of this issue is vital for international security and peace.