International Cybercrime Law: Past, Present, Future Perspectives

Abstract

The problem of preventing cybercrime on an international scale has received considerable attention from many different countries. This essay analyzes cybercrime law. It aims to review past legislation and how it affected the present day, current law and its effectiveness, and what potential future problems are, and how current lawmakers can address them. As technology increases in importance and scale, so does the need for effective legislation to deter people from engaging in criminal acts. Some government systems, such as the European Union or the Group of Eight seem to be on similar pages regarding this battle, while others seem not to have any interest. This style of a united front against these types of crimes should be widespread throughout the world. All countries working together to eliminate a common threat would help secure information for all parties involved and also help protect citizens who might be targets for these criminals.

International Cybercrime Legislation of Past, Present, and Future

The definition of cybercrime crimes is directed at computers or other devices where computers or other electronic devices are integral to the offense. Since January 2016, the total volume of events increased almost fourfold between January 2016 and October 2017. These types of attacks can cover a multitude of offenses ranging from credit card fraud to ransomware to DDOS attacks. As cyber-attacks become more and more common against both consumers and companies, the need for government bodies to enact comprehensive legislation to help deter these attacks grows larger and larger. A unified front against cyber-attacks by different Government Bodies could lead to more progress in the battle against threats and secure information from those who should not have access to it.

Legislation of the Past

Traditional penal laws were not written with the online society in Cyberspace in mind. Throughout the world, government bodies were not expecting nor were they prepared for this area of crime to develop at such a rapid pace that in present-day attacks would be occurring daily. Due to low preparedness, the issue of cyber-attacks went unaddressed leading to initial shortcomings for protection from threats and laws to enforce on those caught committing them.

There were many problems and questions that government bodies must ask before enacting laws. The main problem is the applicability of this legislation on cybercrime and to what extent. This problem meant that government bodies needed to develop a system that applied to cybercrime correctly and decide which acts should define cybercrime. While many laws had been enacted to prevent different types of unethical behavior such as fraud, without using precise wording regarding computers it would have been difficult to enforce these laws without specific text. Without the definition of an explicit act, criminals who commit these acts cannot be convicted based on a loose interpretation of current regulations. This undoubtedly stalled development of necessary legislation required to pursue criminal charges.

Initial Movements

The initial introduction of criminalizing certain cyber activities began in the 1970s. In the U.S., the Ribikoff Bill was introduced in 1977 by Senator Ribikoff. This bill made it a Federal crime for a person to directly or indirectly access or cause to be accessed for fraudulent purposes a computer system affecting commerce or having a connection with a Federal agency or financial institution. While this bill failed, it sparked the conversation of the need to define the scope of this problem and address it.

Interpol introduced the problem of cybercrime to the international stage in 1979. At this time, Interpol hosted its Third Interpol Symposium on International Fraud. Here they discussed legislation against computer crime. Interpol continued to make changes and pointed out specific areas where countries' legislation was unsatisfactory and recommended changes. From this meeting came the First Interpol Training Seminar for Investigators of Computer Crime as well as a list identifying areas where there was insufficient legislation such as modification of data with destructive intent or disclosing data without authority. Identifying areas that were lacking was the first big step toward providing protections for people from cybercrime and criminalizing cybercrime.

As computers continued to evolve through the 1980s, governments around the world recognized the problem even more. In 1982, another European organization by the name of The Organization for Economic Co-operation and Development met. From this meeting came to a specially formed committee meant to address needed changes regarding penal codes. The committee made a proposal defining different acts such as computer fraud, computer forgery, damage to computer data and programs, unauthorized infringement of a protected computer program, and unauthorized access to or interception of a computer system.

Enforcement Issues

While the Council of Europe did adopt the recommendations proposed, most law enforcement did not have much insight into digital forensics, or the ability to recover and investigate digital material, which made the implementation of these recommendations difficult. Along with this came a lack of support by agencies. Most individuals who had the desire to learn about computer forensic skills had to do so on their own. Their agencies were not supportive of their efforts, but we owe these individuals a debt of gratitude for the personal and financial investments that they made. All these individuals believed this to the extent that they spent much of their own time and money learning about new computing technologies. With this lack of resources and support, catching these criminals would prove to be very difficult unless law enforcement found them engaging in cybercriminal activity.

International Cooperation

Between the 1990s and 2000s, the internet became more global, and from this came the need for countries to cooperate more than ever. Decisions such as the Council of Europe's recommendation to help procedural law. From this came seven areas of focus being search and seizure, technical surveillance, obligation to co-operate with the investigating authorities, electronic evidence, use of encryption, research, statistics and training, and international cooperation. These areas further defined how law enforcement does their job, and enabled working together with other countries to help eliminate cyber threats. With the internet being accessible worldwide, that meant that attackers could be virtually anywhere. Another group of nations known as the Group of 8 was also formed to prevent this problem. The group of eight, consisting of France, Germany, Italy, the United Kingdom, Japan, the United States, Canada, and Russia, wanted to make sure that hackers could not find a place to hide from prosecution. This group of countries enacted laws meant to preserve data stored in their respective state and provide legal support or other forms of assistance that enabled law enforcement to find criminals and bring them to justice effectively. As time progressed through the 2000s, conventions and councils were held to continue addressing cybercrime issues leading up to the modern-day.

Modern Day Cybercrime law

In the present, technology is an integral part of everyday life. As humans, we depend on technology for most basic needs from waking up to an alarm on our phone to using google to find information. With modern technology, we can control our home temperature and monitor children through a wireless connection. All of this helps live simpler more comfortable lives, but that comes with a cost — the threat of cyber-attacks. Most people in the world have some device that can access the internet, and with that comes the danger of attackers breaching that device to take personal information or credentials. Companies with databases full of information including customer credit cards, health information, and employee information are also at risk. In 2016, there were 17.68 billion devices capable of internet connection and with this, there are also 17.68 billion avenues to deliver an attack. With all of this in mind, the need for effective cybercrime legislation is needed now more so than ever.

Modern Struggles

Proper measures are significant regarding preventing cybercrime. Laws help to keep people from doing something unethical and punish them for doing it. This disincentive is seen to help keep some attacks at bay. Studies show that Convention on Cybercrime law enforcement is effective in deterring DDOS attacks and has led to an average reduction of at least 11.8% and could be up to 68.7% of DDOS attacks in enforcing countries.

Along with this, there is a thin line between protection and invasion. While protecting people's information is vital, so too is respecting the privacy and allowing them the right to keep that information to themselves. There is also a discussion about whether corporations should be liable for data breaches resulting in the leaking of customer information. Should corporations behave negligently, and those responsible for a lousy information security plan?

Another problem throughout the world is the concept of law itself. The majority of cyber-crime is reported to be international. If there were an instance where a criminal initiated a cyber-attack in one country against a person in another, this raises multiple questions. Which country has jurisdiction? Are there extradition laws? The global scale of the internet poses these questions and exposes problems that can potentially lead to a lack of justice, and discord between countries if they choose not to cooperate.

The Budapest Convention

One of the leaders in the effort to harmonize cybercrime law throughout the globe is the Council of Europe Convention on Cybercrime, also known as the Budapest Convention. This convention held in 2001, is still applicable to modern-day crime. To start, they defined a computer system as any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data and computer data as any representation of facts, information, or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function. These definitions addressed one of the main problems with new cybercrime legislation, the lack of precise wording that clearly defines the laws. The implementation of the recommendations following the convention was to take place in all the countries present. In all, they created 12 bills, their respective governments enacted in each state that is a member of the Council of Europe. Four of these articles stand out more than the others.

Illegal Access

Illegal access made it a criminal offense to access any part of a computer system without right intentionally. Illegal access meant that any form of tampering with a device without the owner's consent is punishable by law. It also covers bad intentions so even if someone is authorized to access a device if they perform an action not approved they are still able to be punished. Despite being written 18 years ago, this recommendation is still relevant in the present. It protects devices in their entirety. With cyber-attacks happening every day, it is necessary for legislators should enact laws to protect a user's device from any inappropriate access. An instance of a measure preventing this is the state of Colorado's Bill SB18-086. SB18-086 requires the state to take steps toward securing state records containing trusted, sensitive and conditional information from unauthorized use.

Illegal Interception

Article 3 of the Budapest Convention defined illegal as intentionally intercepting of non-public transmissions of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data. With privacy as a significant concern for people around the globe, laws to protect that privacy is essential. Attackers may attempt to access private communications to get valuable information regarding people or corporations. Legislation preventing this type of attack is necessary for protecting people's and companies' privacy.

Data Interference

Data Interference is when someone intentionally damages, deletes, deteriorates, alters, or suppresses computer data. A party may require that this action results in serious harm. Data interference can be applicable in many different instances. It may involve activities such as deleting user information stored in a database or altering company data to avoid taxes. These legislations can keep people and corporations liable. Corporations might be tempted to change certain accounting principles to get a higher valuation such as Enron. Deterring actions like this can be helpful to the world considering modern-day businesses can be involved in international economies and therefore have different effects on the way the world operates.

Corporate Liability

The fourth and final article discussed is Corporate liability. Corporate liability is meant to make sure that if a person commits any of the mentioned crimes for their benefit, acting individually or as part of a corporation, who has a leading position based on a power of representation of the legal person; an authority to make decisions on behalf of the legal person; an authority to exercise control within the legal person. In addition to this, each party shall take measures to guarantee that a legal person can be held liable where the lack of supervision or control has made the event possible. This article comes with several implications. It means that if a person is a high-ranking official such as a CEO or CFO commits any of the offenses listed in the convention, then that person may be held liable, and if done for the corporation then it can be held responsible as well.

Along with this, it implies that if it was possible due to a negligent supervisor, the person might still be held accountable. Enacted legislation regarding corporate liability was already in several countries. For example, the United States has already passed laws such as the Health Insurance Portability and Accountability Act, or HIPPA, to ensure corporations, protect data or be held liable. Legislation like this can help prevent cyberattacks from a defensive standpoint, requiring businesses to take necessary steps to safeguard information.

Harmonization

One of the main threats to international Cybercrime legislation and one of the most challenging hurdles is harmonization. Harmonization refers to creating a consistent and compatible plan to combat these threats. Many countries, despite alliances, do not want to cooperate. An example of this is Russia. Russia refused to ratify the recommendations for one of two reasons: either because they view it as infringing on their sovereign rights as a nation or because they were not present in the drafting. Regardless, this type of resistance makes it difficult to pass any form of International law. Another country that has been resistant to the Budapest Convention is China which is not very keen on information or intelligence sharing. While they are not in support of the Budapest Convention, Russia has been in support for a UN cybercrime treaty, which has been opposed by the European Union and the United States of America because they believe the Budapest convention implies there is already a global agreement. Small alliances of countries exist across the world, but without all agreeing on one set of principles, cybercrime legislation will continue to have problems and have specific areas where it is not sufficient. Along with this, negotiating and ratifying a United Nations treaty on cybercrime would take years due to each country has a unique view on the topic.

Problems of the Future

The future of cybercrime is one shrouded in mystery. Cybercrime is the fastest-growing crime in the United States. Accompanying this increase in the popularity of cyber-attacks is the fact that there were nearly 4 billion people with internet access, up from only 2 billion in 2015, and projected to grow to 7.5 billion by 2030. With the intense and rapid evolution of technology alongside its availability, comes different styles of attacking will also change and evolve. Along with this, the world must put thought into certain information-related issues such as who controls the information hardware and who has access, along with how these will be protected. With cybercrime increasing, how can lawmakers look to stay a step ahead of the cybercriminals?

The Future of Cybercrime for People

To address how future legislation can help fight cybercrime, we must first try to see what future attacks are going to appear. To start, we can look at the value of data. In the information age, it is what most people are after. Corporations track spending habits and what you watch to sell to advertisers because data on people is valuable. Data is also useful to a hacker, although not what you are viewing on Netflix. Attackers may try to access personal information such as bank account numbers and passwords. As verifications start to move to a more technological side, they may be able to get different information to pose as you. As data becomes more autonomous and centralized, the attackers can begin to single out locations. The cloud is also a major focal point for the future. One concern is highly distributed denial of service attacks using cloud processing and a move from device-based to cloud-based botnets, hijacking distributed processing power. Along with this, more information is being transported digitally, increasing the threat of a hijacked connection will also continue to grow. Now, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities.

The Future of Cybercrime for Business

The future of business is shaping up to be automation. In the present day, we already have distribution centers run by robots, trucks driven automatically, and vehicle manufacturing done by robots. With this increased automation comes two things, risk, and reward. More automated businesses can save money from labor and make more profit; however, being automated comes with a cost. Possible attacks could shut down an entire business from operating. Ransomware could threaten entire manufacturing facilities, and with automated cars, people may be able to reroute and control them directing deliveries to locations they are not supposed to be and potentially stealing objects from them. They may also be able to control distribution centers and send themselves items that are not meant to be sent out. There are limitless possibilities to what a cybercriminal can do. Data from a business is also still valuable. Customer information can be taken and used against them with malware such as ransomware. Cybersecurity spending is projected to reach 1 trillion cumulatively between 2017 and 2021. In the future, businesses must look at how to protect this data and get connections secure.

The Future of Legislation

Device Manufacturers

With the future shrouded in mystery, it is difficult to predict how the government can handle the different types of attacks. The first step in the right direction would be regulation. Despite differing opinions, protecting the people should be the government's priority, and can be ensured by regulating businesses. Technology companies are continuing to advance, and the government should place more regulations on these companies to create a secure form of protection on devices with an internet connection. Even devices that are currently in use by consumers should have some type of firmware update to protect them. Along with this, manufacturers should be held liable if they were negligent with device security. Manufacturers should be held to higher standards and expected only to apply updates when they're proven to work and expected to accept responsibility should they jeopardize their user's security knowingly or negligently.

Corporations

Like Device manufacturers, corporations should also have to face specific regulations. Some rules and regulations have already been implemented such as HIPPA, and Security Breach Notification Laws, have already been implemented in the United States. Similarly, to HIPPA, other laws should be enacted to cover other areas of the business to ensure that customers have a certain level of privacy. Although not legislation, companies should also be encouraged to share different strategies, and a committee could be formed out of information specialists to determine different practices that could be effective in protecting stored information. Applying pressure on businesses to increase security and protect users

Along with this, companies should have to follow a set of rules to protect user data that has been collected and stored in databases. Limiting access to this information will help keep users' personal information safe and secure. While these regulations will certainly not stop all attacks, it can help place more pressure on businesses. Governments should apply more pressure to companies to also put their users first. Governments should also implement more strict penalties for people who commit these crimes.

Conclusion

To conclude the essay, the problem of cybercrime is and always will be a problem so long as the internet exists. However, with the implementation of proper cybercrime laws and a collective effort throughout the world toward the goal of information security can help reduce the impact that cybercrime has. Preventative measures can be taken using regulations on businesses, and the implementation of corporate best practices could potentially lead to a safer environment for everybody involved.

References

1. Council of Europe. (2001, November 23). Convention on Cybercrime.
2. Cyber Coding Cryptology For State Records. (2018, May 30). SB18-086.
3. Cybersecurity Legislation 2018. (2019, February 2). Retrieved from www.ncsl.org: http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx
4. Durumeric et al. (2017). The Security Impact of HTTPS Interception.
5. Europol. (2016, November 1). Project 2020 Scenarios for the Future of Cybercrime. Retrieved from www.europol.europa.eu: https://www.europol.europa.eu/publications-documents/project-2020-scenarios-for-future-of-cybercrime
6. Hakmeh, J. (2017, June 6). Building a Stronger International Legal Framework on Cybercrime. Retrieved from chathamhouse.org: https://www.chathamhouse.org/expert/comment/building-stronger-international-legal-framework-cybercrime
7. HUI, K.-L., KIM, S. H., & WANG, Q.-H. (2017, July). Cybercrime deterrence and international legislation: Evidence from distributed denial of service attacks.
8. IoT: number of connected devices worldwide 2012-2025. (2016, November). Retrieved from Statista: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
9. Learn about cybercrime. (2015, December 1). Retrieved from www.acorn.gov: https://www.acorn.gov.au/learn-about-cybercrime
10. Morgan, S. (2019). 2019 Official Annual Cybercrime Report.
11. Pollitt, M. (2010). A History of Digital Forensics.
12. Ribicoff, A. (1977). Federal Computer Systems Protection Act of 1977.
13. Schjølberg, S. (2008, December). The History of Global Harmonization on Cybercrime Legislation -The Road to Geneva.
14. States, U. (2004). The Health Insurance Portability and Accountability Act (HIPPA). Washington, D.C.