Control of cyber crime
The world’s current legislative efforts against cyber crime
Dr. Nick Nykodym & Robert Taylor, University of Toledo
We now know and understand the problem: cyber crime. We have experts all over the world developing ways to stop and track it. The problem now becomes: how do we fight this international problem? The very strength of cyber crime is the very weakness of our efforts to control it: being able to cross international lines. A click of a button can digitally transport thieves and terrorists 5 000 miles and across 20 borders. Attempting to monitor and prosecute these types of criminals is possible but requires cooperation across those borders; cooperation that the criminal need not acquire. A system needs to be developed that will allow nation victims of cyber crime to swiftly prosecute these criminals without stepping on the toes of another nation’s sovereignty. Nations must have in place their own domestic cyber laws but must also have a system that allows for collaboration with other countries. Many systems have emerged globally and many of the big pieces may already be in place to harmonize cyber law worldwide.
A. Introduction
As usage of the Internet continues to grow, and with it the realization that there exist countless individuals with the capacity and intent to use the medium to inflict damage, the world finds itself racing to secure legislation that will protect the incredible assets that are now stored online. The complexity of creating such legislation is not only domestic; independent nations are also coming to understand that they must find a way to collaborate on their individual laws globally. Because the sharing of electronic information does not respect international boundaries, attempting to regulate its use requires cooperation amongst world law enforcement. It is not enough that the wealthy and advanced nations of the world have secure and cooperative cyber laws (indeed many of them do). In order to implement security (which has been previously overlooked as the world rushed to join in) upon the Internet, every nation must be united in the effort; every linked computer must be as accountable as every other.
At first look, the world-wide legislative effort in regard to cyber crime seems to be somewhat of a mess. There are numerous international approaches and coalitions around the world all attempting to create a stable online environment both domestically and internationally. While some of these approaches currently conflict and while disputes will arise in the process, a united international bond around the cyber world may not be infeasible and may be closer to our reach than we realize. The keys to creating a united global coalition against cyber crime are:
■ A strong individual entity must take the helm. Whether it is the United Nations (UN), Group of Eight (G-8), The Council of Europe (CoE), The United States (U.S.), or some new body created solely for the purpose of harmonizing international cyber law, a strong world leader needs to step up and spearhead the process.
■ Developing nations must be included in the process and, in fact, play an active role in the development of international law. A very real concern with this issue is the fact that the great percentage of the world connectivity growth and software development will occur in developing nations (“Taking Up Technology”, 2002). This growth, if unguided, may result in creating safe havens for cyber criminals.
■ Individual sovereignty must not be compromised. As in any situation where criminal investigation crosses international lines, the simple idea that independent nations control what happens inside their precincts often becomes the bottleneck.
In short, the idea behind creating international guidelines is to facilitate a straightforward and smooth process for conducting criminal investigation in which computers from more than one country are involved and to eliminate those patches of the world where a cyber criminal is beyond the reach of the law (Westby, ed., 2003, p. 89).
Wealthy and powerful nations such as the United States, who perceive themselves to be at higher risk from cyber criminals, must take care to realize that their intentions of securing their own nation’s cyber structure are only a piece of the global implications. Those nations and areas of the world where threat is perceived are the same nations which must be most closely worked with to reach the ultimate goal.
Computer Law & Security Report Vol. 20 no. 5 2004 ISSN 0267 3649/04 © 2004 Elsevier Science Ltd. All rights reserved
They must also be guided in creating their own domestic cyber laws.
B. Current Leaders against cyber crime
A main factor in creating an effective worldwide coalition against cyber crime is establishing a leader. A strong candidate must emerge to influence the process. Currently there are only a few groups with strong cyber crime positions and with influence and resources enough to initiate the global movement.
The United Nations seems a very logical choice to lead the way. The UN, with its 191 member nations, clearly has the international influence and resources to enable it to effectively involve all nations in this effort. As an authority in the area, though, the organization has taken limited action. Short of hearing recommendations from member nations and performing studies, the UN has not taken a strong position in the area. The organization has, to the contrary, adopted two resolutions (which, had they been written with binding language and intention, would be a nice piece of the puzzle) that attempt to “urge” member states to cooperate with one another while investigating misuse of information technology.
Both Resolution 55/63 and Resolution 56/121 state that:
■ States should ensure that their laws and practices eliminate safe havens for those who criminally misuse information technologies;
■ Law enforcement cooperation in the investigation and prosecution of international cases of criminal misuse of information technologies should be coordinated among all concerned States;
■ Information should be exchanged between States regarding the problems that they face in combating the criminal misuse of information technologies;
■ Law enforcement personnel should be trained and equipped to address the criminal misuse of information technologies;
■ Legal systems should protect the confidentiality, integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized;
■ Legal systems should permit the preservation and quick access to electronic data pertaining to particular criminal investigations;
■ Mutual assistance regimes should ensure the timely investigation of the criminal misuse of information technologies and the timely gathering and exchange of evidence in such cases;
■ The general public should be made aware of the need to prevent and combat the criminal misuse of information technologies;
■ To the extent practicable, information technologies should be designed to help to prevent and detect criminal misuse, trace criminals and collect evidence;
■ The fight against the criminal misuse of information technologies requires the development of solutions taking into account both the protection of individual freedoms and privacy and the preservation of the capacity of Governments to fight such criminal misuse.
The main purposes of the resolutions are to make recommendations on how to work with other member states while investigating international cyber crime (United Nations Resolution 55/63, 2000). The potential is there for the United Nations to become the leader. As it stands, however, the UN seems to be taking the role of (as it often does) an impartial overseer.
The Group of Eight (G-8), whose members (Canada, France, Italy, Germany, Japan, Russia, UK, US), according to a financial survey, hold an incredible 48% influence of the world economy (World Economic and Financial Survey by IMF, 2001), has gone so far as to enact a special task force, the G-8 Subgroup on High-Tech Crime, to enhance the abilities of law enforcement to prevent, investigate, and prosecute high-tech and computer related crime. The subgroup has focused its efforts on: establishing an international network of 24-hour high-tech points of contact; developing computer forensic principles for circumstances where digital evidence retrieved in one country requires authentication in the courts of another country; and making recommendations for tracing terrorist and criminal communications across borders (Westby, ed., 2003, p. 103-4). The G-8 clearly has the resources to direct the worldwide effort against cyber crime. The group’s Western intentions and the fact that it can barely make a move without international scepticism handcuff it in a way that may eliminate it as an accepted leader. Its progress, however, cannot be overlooked as a starting point for any potential leader.
The Council of Europe (CoE), which consists of 44 member states (and includes the entire European Union), has also made considerable headway in the fight. In late 2001 the Council adopted its Convention on Cybercrime Treaty, which defines several activities to be cyber crime offenses:
■ Intentional access without right to the whole or part of any computer system.
■ Intentional interception, without right, of non-public transmissions of computer data.
■ Intentional damage, deletion, deterioration, alteration, or suppression of computer data without right.
■ Intentional and serious hindering of the function of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data.
■ The production, sale, procurement for use, importation, or distribution of devices designed to commit any of the above crimes or of passwords or similar data used to access computer systems, with the intent of committing any of the above crimes.
■ Intentional input, alteration, deletion, or suppression of computer data resulting in inauthentic data with the intent that such data be relied upon as if authentic.
■ Intentional input, alteration, deletion, or suppression of computer data or any interference with the functioning of a computer system with the fraudulent intent of procuring an economic benefit for oneself (Westby, ed., 2003, p. 22-33).
The Treaty, which has been signed by 30 of the CoE’s member states and 4 partner countries (U.S., Canada, Japan, and South Africa), then goes on to require signatory countries to adopt domestic procedural laws to investigate computer crimes and calls for international cooperation in investigating international incidents of cyber crime. Once the Treaty is ratified by five of its signatories (3 of which must be CoE members), all signatory countries will become bound by it (Westby, ed., 2003, p. 4-5). The treaty is making noise as a positive representation of the growing international understanding that cooperation will be required to combat cyber crime.
The CoE Treaty is a strong piece of legislation intended to unite the European region with other world powers in the fight. Similar to the G-8’s subgroup, the western roots of the Treaty may limit its ability to attract signatories from outside of Europe and North America. In particular, because once the five required ratifications take place all signatories will be required to harmonize their domestic cyber laws to promote co-operation, undeveloped nations (who may wish to sign and join the Treaty) may not have the resources to meet the requirements. Attempting to spread the CoE’s jurisdiction world-wide could prove impossible. It is not its intention. Its main purpose outside of strengthening Europe’s stance may be to serve as a model for other world regions (Asia, Africa, South America) in creating similar treaties. Several individual regional treaties could then be harmonized, perhaps more easily than an attempt to unite every global nation individually, to cooperate internationally with one another. This approach may prove to be the answer in uniting the world. Under this approach, international progress would seem to take longer but may prove to be the most feasible and effective in embracing nations of all sizes, politics and wealth.
This approach of uniting several regions may appease many nations who doubt the potential success of an immediate attempt to unite the globe. The United States, for example, has, citing the inability of underdeveloped nations (with various levels of legal and cyber technology) to keep up with enforcement, openly spoken out against an all-inclusive instrument against cyber crime (Westby, ed., 2003, p. 111).
Another interesting approach to defending the digital world is the Business Software Alliance (BSA). Currently more committed to defending against piracy, the BSA is an international coalition of software companies dedicated to “promoting a safe and legal digital world” (Business Software Alliance Website, 2003). Such an organization is particularly agreeable because it shows that it is not only law-creating nations that are taking up the fight against cybercrime.
C. The United States versus cyber crime
The United States, while urging world states to create harmonic cyber law, has focused primarily on creating its own domestic law. Even the government’s National Strategy to Secure Cyberspace contains only a brief section concerning international cooperation, which is a mere afterthought in the 60-page document (The White House). While some Asian nations have a higher percentage of households online (“Gartner Predicts 72M”, 2001), the United States sees itself as the most susceptible to cyber attack. A recent article, in fact, describes an international warning to the United States that international criminal organizations are recruiting employees of global financial institutes with anti-American views to become data thieves (Conry-Murray, 2003). Coupled with our contagious fear is a very real awareness by would-be cyber criminals of the drastic damage potential of an attack.
The Federal government has made several drastic thrusts toward securing cyberspace. The issue of constitutional rights has popped up several times along the way. Nationally, the big picture centers around the Computer Fraud and Abuse Act (CFAA), which, after September 11, 2001, was amended by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (The USA PATRIOT Act, 2001). The CFAA as amended now calls for the defense of “protected” computers. The United States is one of only a few nations that have adopted this type of system. A protected computer, under the CFAA, is one that: is used by a financial institution, is used by the US government, or is used in interstate commerce. The CFAA makes it a federal offence to:
■ Access a computer without authorization or to exceed authorization and, by doing so, access classified information pertaining to foreign relations or national defense.
■ Access a computer either without authorization or by exceeding authorization, and obtain (a) information pertaining to financial institutions or credit agencies, (b) information from a U.S. government department or agency, or (c) information from a protected computer if the conduct involved an interstate or foreign communication.
■ Intentionally access without authorization (a) any non-public computer of the U.S. government, (b) any computer that is not exclusively used by a U.S. government department or agency but is accessed in order to affect its use by the government.
■ Access a protected computer without authorization and knowingly and intentionally commit fraud that is valued at US$5 000 or more for a one year period.
■ (i) Transmit or attempt to transmit a program, information, code, or command, without authorization that intentionally causes damage to a protected computer, (ii) intentionally access or attempt to access a protected computer and recklessly cause damage; or (iii) intentionally access or attempt to access a protected computer without authorization and cause damage. In these circumstances, damages are the aggregate loss of at least US$5 000 in a one-year period, which considers the value of the actual damages caused by the unauthorized transmission or access (or in the case of an attempted offence, the damages that would have been incurred if the act had been completed) plus the costs of restoring the system and other foreseeable damages. The damages threshold is not required if the act (a) caused or intended to cause a modification or impairment of medical records or treatment information; (b) caused or would have caused a threat to public safety; or (c) caused or would have caused damage to a government computer used in the administration of justice, national defense, or national security.
■ Traffic in passwords or other information that may be used to gain unauthorized access to protected computers, if such trafficking affects interstate or foreign commerce or the computer in question is used by the U.S. government.
■ Transmit a communication that threatens to cause damage to a protected computer in an attempt to extort payment or something of value.
Each of the above acts (and combinations of them), if prosecuted, comes with prison terms of up to 20 years. A 2000 court ruling, United States v. Middleton, interpreted the CFAA to call for the criminal to pay restitution to cover the victim’s repair costs. Also, and amazingly, Section 814 of the Patriot Act extends US jurisdiction over any computer world-wide that “is used in a manner that affects interstate or foreign commerce or communication of the US” (Hulme, 2003).
Also of important note is the passing of the Cyber Security Enhancement Act (CSEA). A section of the act, The Computer Crime and Intellectual Property Section, amends the CFAA’s power to allow for life prison sentences for individuals that commit a computer crime that results in death. Much has been made in protest of this new amendment, which seems to tip-toe the line between being well-intended and stripping individuals of their privacy. Among other things (that are not specifically related to cybercrime), the CSEA has broadened the “Emergency Disclosure” exception created by the PATRIOT Act. The exception, which was previously limited to law enforcement agencies (this original “exception” was also highly questioned and fought against), allows holders of electronic communication information (for the concerns of this paper: email) to share that information if they “in good faith” believe that immediate danger exists. The CSEA extends that exception to allow any Federal, State or local governmental entity (for example: public schools, health agencies, the IRS, social service agencies, libraries, etc.) to access this information (Electronic Frontier Foundation, 2002).
While the CFAA is a national legislation intended to protect the aforementioned “protected computers”, a new state law in California sends a whole new message not to criminals but to holders of personal information. The Security Breach Information Act, which became effective in July of 2003, requires any global business (and some California state agencies) to encrypt all stored personal information or notify any California resident whose personal information has been compromised to another party (probably a hacker) in “bad faith” (Salkever, 2002). The law is being noted as the first of its kind anywhere in the world (Treglia, 2003). A senator from California has recently proposed a national bill that would create a similar law nationwide (“Senator Introduces”, 2003).
D. The big picture against cyber crime
It is generally accepted that cyber crime is a problem, potentially a huge problem. As of yet, the world has been able to avoid the “Big” cyber attack. It must be assumed, though, that someone is out there trying to develop it. Effective defense against cyber attack will depend on a global capability to co-operate. However, the world currently stands in somewhat of a “cyber mess”. The good news is that laws are incessantly being developed around the world to fight against this new means of crime. Nations around the globe of all shapes and sizes are beginning to see the risk and responding with the passing of domestic laws (Evans, 2000). The bad news, and perhaps the “real” problem, is the world’s inability to harmonize these laws. Without being able to easily cross borders to catch cyber-criminals, the world will always be susceptible to attack. If one connected computer goes unaccounted for, the network will always be a place where crime can go unpunished.
There is hope, though. Realizing the necessity of international cooperation is the first step. Many nations including the US, Japan, Canada, Singapore, and Australia have adopted their own domestic cyber laws (Westby, ed., 2003, p. 16-26).
Additionally, many international organizations, including the Council of Europe, the United Nations, and the G-8, have taken steps to pull the regions of the world together with treaties and conferences. Perhaps the greatest progress has been made by the Council of Europe’s Convention on Cyber crime. The Treaty, when it becomes effective, will require its European and North American signatories to harmonize their cyber laws. Perhaps the most feasible approach to creating global cooperation is for 3 or 4 more regional treaties (Asian and South American Treaties for example) to be initiated. Those treaties can then be combined with the existing Council of Europe Treaty.
Cyber crime is a very real difficulty facing the world today. The success and expansion of the Internet has created a new arena for criminals. The simplicity of logging on, the increasing understanding of how information is transmitted, and the potential for damage have made eliminating cyber crime an impossibility. The world can only hope to make catching criminals as easy as possible by dissolving existing pockets of criminal safe haven and by creating a system of international cooperation that crosses borders as easily as cyber criminals can.
Nick Nykodym, PhD., and Robert Taylor, M.B.A., College of Business Administration, The University of Toledo, Ohio
REFERENCES
Business Software Alliance. (2003). Business Software Alliance [Online]. Available: http://www.bsa.org/ [2003, October 28].
Conry-Murray, Andrew. (May 2003). Criminal Syndicates Use Anti-Americanism to Recruit Data Thieves. 20.
Council of Europe. (2003). Convention on Cybercrime [signatory nations]. Council of Europe [Online]. Available: http://conventions.coe.int/Treaty/EN/searchsig.asp?NT=185&CM=&DF= [24 October 2003].
Electronic Frontier Foundation. (August 2, 2002). EFF Analysis of the Cyber Security Enhancement Act. Electronic Frontier Foundation [Online]. Available: www.eff.org/Privacy/Surveillance/20020802_eff_csea_analyiss.html [22 October 2003].
Evans, James. (July 5, 2000). Cyber-crime laws emerge, but slowly. IDG net. Available: http://www.cnn.com/2000/TECH/computing/07/05/cyber.laws.idg/ [2003, October 30].
Gartner Predicts 72M users in Asia. (January 10, 2001). Computergram Weekly.
Hulme, George. (December 3, 2002). Antiterrorism Law Targets Hackers around the World. Information Week, 22.
Salkever, Alex. (November 11, 2002). Computer Break-Ins; Your Right to Know. Business Week Online.
Senator Introduces Promised Hacker Bill. (June 27, 2003). Computergram Weekly. 3.
Taking Up Technology. (April 2, 2002). Financial Times 8.
The White House. (2003). National Strategy to Secure Cyberspace. Washington DC: US Government Printing Office.
Treglia, Stephen V. (July 15, 2003). Computer crime. New York Law Journal.
Westby, Jody R., ed. (2003). International Guide to Combating Cybercrime. Chicago: American Bar Association Publishing.
World Economic and Financial Surveys. (October 2001). World Economic Outlook: The Information Technology Revolution. World Economic and Financial Surveys [Online]. Available: http://www.imf.org/external/pubs/ft/weo/2001/02/index.htm [28 October, 2003].
Legislation
California Security Breach Information Act, 2002, http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
Computer Fraud and Abuse Act, 18 U.S.C Section 1030 et seq., http://www.usdoj.gov/criminal/cybercrime/1030_new.html.
Council of Europe Convention on Cyber Crime,
Cyber Security and Enhancement Act effecting Title 18 of The United States Code, www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm.
United Nations Resolution A/RES/55/63, “Combating the criminal Misuse of Information Technologies,” UN General Assembly, 81st plenary meeting, Dec. 4, 2000, at 1(a-J), http://www.undcp.org/pdf/crime/a_res_55/res5563e.pdf.
USA PATRIOT Act, 2001, http://thomas.loc.gov/cgibin/query/D?c107:1:./temp/~c107fMZYJa
Cases
United States v. Middleton, 231 F.2d 1207, 1210-1211 (9th cir. 2000)