This month (November) marked the 10th anniversary of the launch of the Council of Europe’s Cybercrime Convention. This will not capture the public imagination in the way that commemorations of the anniversary of the “9/11” attacks in the US do. But cybercrime actually represents a similar kind of existential threat to international terrorism.
Cybercrime is, according to some estimates, now more profitable than the global market for some types of illicit drugs. Recent cases such as the 2010 investigation and takedown of the Bredolab “bot-net” (a network of remotely controlled computers used to distribute malicious programs) by the Dutch authorities illustrate the increasingly vast capacity for cybercrime – and the need for just such an agreement as the Cybercrime Convention. The Bredolab bot-net comprised 30 million machines, allegedly bringing in US$139,000 per month to its owners.
The Cybercrime Convention is considered a major international achievement in harmonising substantive and procedural law against cybercrime. It identifies criminal conduct directed against, and carried out by means of attacks against, computer data and systems. The convention also establishes a contact network to improve operational co-operation between law enforcement agencies.
Following the UK’s ratification earlier this month, 30 countries, ranging from Albania to the US, will have ratified the Cybercrime Convention, which at its core represents international legal consensus on the criminalisation of certain acts of computer misuse. These include, for example, instances where the computer is the target – of the sort that occurred against Estonia in 2007 – or where the computer is the tool or accessory, such as with the infamous Nigerian 419 emails.
Because of the borderless nature of the Internet, fighting cybercrime requires extensive international co-operation and for each country to establish effective criminal laws (something required of signatories to the Cybercrime Convention). Cybercrime has been variously described as something akin to a modern day scourge – the price we pay for being able to bank or book our holidays online.
In trying to address such problems, policy-makers have considered such remedies as requiring the retention of certain types of Internet data or the blocking of illegal content. These have come in for serious criticism as being potentially a step too far in infringing the freedoms and openness that have made the Internet so valuable.
Establishing international agreement on how to tackle global matters is no easy task. Consider the use of cyberspace in the Arab Spring and the riots in the UK. The contrasting reactions to Facebook and Twitter during these events illustrate the difficulties in determining what is and is not acceptable in cyberspace. On the one hand, the UK Foreign and Commonwealth Office and the US State Department publicly welcomed social networking sites as important tools in the emergent pro-democracy movement in the Middle East. By comparison, months later, when London, alongside many towns and cities across England, burned, the police reportedly seriously considered whether to shut down services like Facebook and Twitter that were being used to incite and organise riots. This proposal was promptly rejected by the Home Secretary Theresa May following discussions with industry executives.
Treaties such as the Cybercrime Convention are important in setting a minimum standard of criminality and establishing accountability for nation-states to react to requests for mutual investigative assistance from their peers.
However, those at the front line paint a different story about international co-operation. Here, police become frustrated as their requests for support to other countries remain unanswered for years. Meanwhile, cyber-criminals continue to evolve their stock-in-trade of bot-nets, phishing and credit card scams.
In addressing this dynamic and complex criminal underground, opportunities for operational improvement remain. Governments in Europe and beyond should consider enhancing cross-border intelligence co-operation, and joint training and education of police, prosecutors and judges. That, if anything, should be the lasting legacy of the 10th anniversary of the Cybercrime Convention.