Legal Policy on Cybercrime

Legal Policies on Cybercrime

I. Introduction

In its nascent stages, cybercrime enjoyed a special legal status that belied common practice used in adjudicating crimes. Hacking was commonly perceived as a prank perpetrated by teenagers. Later, the lone, highly skilled attacker working against a high value target was mythologized and revered in some ways. The media and movie industry continued to foster the notion, so that when Kevin Mitnick was arrested in 1995, there was a relative groundswell of support for his release, despite having broken into systems, stolen millions of dollars in proprietary software, “altered information, corrupted system software, and eavesdropped on users, [and] sometimes prevented or impeded legitimate use.”i The idea that cybercrime was “different” from regular crime persisted into the dawn of the Internet age, helped along by an unwillingness among police to get involved in patrolling and investigating cyberspace. Such reluctance may have been due to lack of reference points in law, low rates of successful prosecutions (fewer than 2% of cases resolve with convictions) and international resistance to help track cross-border crimes.ii The perception that cybercriminals are different entities has now been thoroughly discouraged. Indeed, “prosecutors are starting to make aggressive use of the Computer Fraud & Abuse Act, which carries penalties of up to 20 years in prison. 
The lengthiest sentence so far has been nine years, issued in December [2004].”iii There are no longer any calls to be lenient on those who use computers to exploit, steal and abuse privileges, such as the California man recently apprehended for controlling 400,000 bots and selling their computing power to the highest bidder for use in denial of service attacks and spamming.iv The change in these commonly held notions happened gradually, but importantly, there is now a strong sense of civic empowerment given to the government to apprehend cybercriminals, which, when coupled with the renewed diligence attributed to preventing terrorism, has allowed legislation to evolve rapidly in the past few years. As computers have become more integral to daily life, allowing users to conduct higher value operations, they have naturally become targets for those imbued with the criminal tendency. Most users have recognized the threat and the need for protection, even if they ignore certain precautions, like maintaining the secrecy of passwords (instead of giving them away for chocolate.v)

If users notice that they can no longer effectively use their workstations, legislation has usually been proposed, albeit after a lengthy period of discussion. For example, a few years ago, spam was threatening to overwhelm the usefulness of email. Subsequently, Congress passed the CAN-SPAM Act of 2003, which made certain practices, like harvesting email addresses, illegal, while imposing maximum fines of up to one million dollars.vi Despite flaws that some detractors have brought up, such as continuing to allow email addresses to be sold to third parties,vii the act has provided a legal threshold to base decisions upon and brought notoriously flagrant spammers to justice.

In a broader sense, the government has reacted to the demand for better enforcement and the need to extend legal jurisdiction over acts that may not have been crimes before. The Cyber Security Enhancement Act of 2002 (H.R. 5710, Sec. 225), which fell under the Homeland Security Act, and the USA PATRIOT Act both instituted changes to deal with cybercrime. Other, more comprehensive laws, like Fraud and Related Activity in Connection with Computers, located in the US Criminal Code (18 U.S.C. § 1030), and Unlawful Access to Stored Communications (18 U.S.C. § 2701), have been codified for a longer period of time.

The increase in awareness of cybercriminality has begun to manifest itself with the passage of laws, creation of organizations and advisory committees and powers granted to enforcement agencies. Their application to current cybercrime has found varying degrees of success. What needs to then be examined and discussed with the aforementioned issues in mind are the crafting of laws, enforcement and effectiveness. These have to be multiplexed across national and international settings, while being interpreted within a framework of technology and trends that are rapidly evolving. Only then can a broad understanding of the legal policies surrounding cybercrime be achieved.


II. International Cybercrime

A significant problem that arises when working with cybercrime is that most crimes transit data through a multitude of international borders before reaching the final, intended target. Such circuitousness has a deleterious effect on investigating cybercrimes as well as the application of laws. Although discussed in more detail in the forensics section, an illustrative example of the legal hurdles faced with international incidents comes from the “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations” manual for the United States Department of Justice. The manual reports that when seeking assistance from ISPs overseas, officers must work “with the consent of that country,” which means certain formalities need to be resolved before proceeding. First, prior permission of the foreign government must be obtained. Next comes approval from the Justice Department's Office of International Affairs, and finally a clear indication that the actions would not be objectionable in the foreign country.viii The process is long and unwieldy, especially since by the time the necessary paperwork is filed, ISPs may have already deleted the information. Or, in a worse case, after the information is obtained, it will then be discovered that the attacker went through another country, forcing the process to be repeated. Many developing countries are short on the resources and technical knowledge needed to expedite this process, causing the investigation to fail.

By 1997, the problem was being recognized internationally and the G-8 Justice and Interior Ministers noted that to be “consistent with the principles of sovereignty and the protection of human rights, nations must be able to collect and exchange information internationally, especially within the short time frame so often required when investigating international high-tech crimes.”ix To aid this process they created a Point of Contact network which required participating countries to designate a specific group that could assist 24 hours a day, 7 days a week. By 2002, twenty countries were participating. These types of mutual legal assistance treaties (MLATs) have been effective where in the past law enforcement has been stymied. For example, in 1992, the US government required assistance from Switzerland regarding an attack in the U.S., but since Switzerland had no laws regarding hacking on the books, they refused to help.

In devising MLATs, a country can create either bilateral or multilateral relationships, each having its own benefits and drawbacks. Traditionally, sovereign nations have entered bilateral agreements with countries that they trust and whose legal characteristics they are willing to accept. Such agreements are quicker to negotiate, produce more detailed documents, are easier to change and allow nations to feel more comfortable sharing sensitive information.xi In fact, after the 2001 terrorist attacks, the US was eager to more quickly establish such ties and has concluded over 45 such agreements.xii The drawbacks, of course, are that separate, and perhaps unequal, agreements must be reached, resulting in varying interpretations of crime and legal precedent. Multilateral pacts seem more suited to issues that are global in scale, much like cybercrime. Thus, it was with great fanfare that in November of 2001, thirty countries signed the Council of Europe's Convention on Cybercrime. The convention had been five years in the making and represents the first truly multinational attempt at defining, regulating and providing a framework for the legal issues in relation to cybercrime. Briefly, it established conduct that is prohibited, identified required national legal processes and addressed international cooperation.

At the U.S. Senate hearings on ratifying the treaty, Swartz noted “in the past, if an electronic transmission’s trail led to another country, the chances were slim of successfully tracking the communication to its source or securing the evidence before deletion. With the tools provided for under the Convention, however, the ability of U.S. law enforcement to obtain international cooperation in identifying major offenders and securing evidence of their crimes so that they can be brought to justice will be significantly enhanced.”xiii Although the Senate Foreign Relations Committee approved the treaty, it has stalled in the Senate for nearly two years, as certain groups have opposed it for reasons related to civil liberties.

The current state of multinational legislation thus remains a patchwork of bilateral treaties put together piece by piece. Establishing transnational treaties is a difficult task and remains an open policy debate. What can be agreed upon is that all nations need multilateral assistance in a global sense, not just a limited group, as cybercriminals can route through any country. Treaties, then, need to harmonize laws, while building capabilities. Most importantly, such treaties can't be used to violate human rights, even though to do so may be legal in some countries.xiv For example, with the current Convention on Cybercrime, China could ask the U.S. to assist in finding political dissidents and supporters of democracy and the U.S. would be obliged, under the terms of the Convention, to provide assistance.

More often than not, even if a successful conviction can be obtained, extraditing a criminal is still a tough legal battle. For example, in October of 2001, a Pakistani man was charged with defacing an American-Israeli organization's website. The FBI, working with the U.S. Embassy in Pakistan, was able to identify the attacker and get a warrant issued for his arrest in Pakistan, yet three years later he is still at large.xv Clearly, there is a need for a more comprehensive international plan.

III. Cybercrime in the United States

Legalistically, cybercrime has had a much richer history, as well as more successful application within the U.S. than through treaties. A bevy of criminal codes are defined specifically dealing with computers, and the PATRIOT Act and the Cyber Security Enhancement Act further expand powers, albeit in the name of foiling terrorism. Furthermore, many computer crimes are dealt with by using traditional laws. For example, on November 17th, 2005, the Shadowcrew group, an online organization involved with credit card theft, identity theft and a number of other illegal activities, all pleaded guilty to conspiracy to commit fraud and identification fraud. The fact that their actions were committed over the Internet was not a legal obstacle, and all will receive up to five years of jail time.xvi

The United States has an interesting legal structure that allows individual states to create and supplement federal statutes. For example, Ohio specifically notes that one cannot “deny access to a computer” (Ohio § 2913.81), while Texas has codified different penalties for the amount of damage caused to a system through “harmful access” (Texas § 33.03). Traditional state laws are generally similar due to the Model Penal Code, which attempts to standardize the separate state legal systems. With the advent of computers, states have been left to their own devices. Attempts have been made to create a Model States Computer Crime Code, but the idea has not advanced greatly to date. Susan Brenner notes that the perception that cybercrime is a “new” type of crime, conflated with the rapid pace of technology, has caused a confusion amongst state legislatures that has resulted in disparity.xvii She further argues that separate state adoption of laws has created an environment that makes cybercrime, an inherently borderless activity, more difficult to combat. In a further criticism, she asks “if the entities that comprise the United States of America do not, for example, adopt legislation making it a criminal offense to disseminate a computer virus, how can they condemn other nations for their failure to do so?”xviii

With the state levels failing to provide consistency, the federal government has taken the lead, not only in defining cybercrime, but also in its prosecution. Yet, before the Department of Justice and the Federal Bureau of Investigation can investigate and prosecute a crime, there must be evidence of interstate or foreign transmission of data, or the crime must become a matter of national security, a threshold lowered in the wake of the PATRIOT Act passage. One such law included in the PATRIOT Act was the Critical Infrastructures Protection Act of 2001 that defines “critical infrastructure as systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security.”xix Thus, an attack, even originating from within a state, that seems to threaten the security of the whole network can be dealt with from a new perspective, equating it in many ways with terrorism. The law signifies a marked departure from just a few years prior. In 1998, when tension was building in Iraq over weapons inspections, over 500 industry and military computer targets were attacked and compromised. Many were concerned that foreign elements were waging electronic war on the U.S. and that it might be grounds for a physical strike in response. In fact, the perpetrators were teenagers from California and Israel, which subsequently downgraded that threat from war to just a crime committed by “digital outlaws”, as Attorney General Janet Reno said at the Cybercrime Summit in 2000.xx

The national government also plays a crucial role in protecting critical infrastructure through establishing agencies and groups responsible for providing support for the Internet. It is a response that most state governments are not able to pursue. In the National Strategy to Secure Cyberspace, a document within the larger Strategy for Homeland Security, a framework is laid out to create a national cybersecurity threat team. The team is a collaboration between public-private organizations, coordinated through the Department of Homeland Security, that can analyze threats, help with warnings, deal with incidents and effect recovery strategies in a 24-hour, 7-day-a-week capacity. This organization, within the DHS, superseded the National Infrastructure Protection Center and is now called the National Cyber Security Division. This is the group responsible for protecting the nation's vital virtual resources. In practice, the operating arm is US-CERT.

Of course, there has been criticism that the government has not been doing enough to protect cyberspace. In 2005, the President’s Information Technology Advisory Committee recommended a large increase in spending in order to secure the future of Internet reliability and security by increasing funding for the DHS to focus on different areas within cybersecurity. Interestingly, they also note the need to support and recruit more security researchers because the current population is too small to deeply investigate security issues.xxi

Whether the current legal system, along with its mandates to create and fund enforcement agencies, has succeeded is still a matter of fierce debate. Most recognize that there is a strong need to upgrade the abilities of our current agencies, unify and systemize laws across states and strengthen the penalties for those causing grievous harm to networks and businesses over the Internet.

IV. Future Trends in Legislation

The direction of legislation has slowly been proceeding to more severe and serious punishments for cybercrime. As mentioned earlier, November 3rd saw the first prosecution for owning and operating a botnet system. It seems probable that as legislatures, federal and state, become aware of the threat posed by botnets, and as methods become more advanced in discerning botcontrollers, legislation aimed at the problem will follow. Whether it will become an effective deterrent probably rests with the ability to investigate and prosecute. Another area of concern is identity theft, a process facilitated to a large degree through the Internet. California has been the first to create legislation aimed at companies with lax security regarding the protection of personal information they may store. The California Security Breach Information Act (SB-1386), which went into effect in July of 2003, forces organizations to notify individuals if there is such a security breach. It has been a powerful method for not only making people aware of the issue, but also applying a force for change in policy within many organizations, lest they be branded as uncaring and incompetent. With more sensitive information being stored by a greater number of third parties, more states will come to the conclusion California has and indirectly apply pressure to organizations to reform. In another example, a recent piece of county legislation in Westchester, New York proposed to make it illegal for companies storing personal information to allow insecure access to their networks. In a sense, it would criminalize using a wireless network with no security measures. Although many have pointed out specific weaknesses in the bill, the idea has been praised as a step in the right direction and an important conduit for educating the public.xxii

Cybercrime presents a challenging position for lawmakers, as they struggle to keep up with changes in technology and in the methods used to exploit those technologies for maliciousness. Unfortunately, legal wrangling leaves the judicial system in a state that can be behind the times. It should be realized that in the end, laws can only do so much to regulate an activity. Proactive security, user education and vigilance, combined with effective forensics and enforcement, remain the best remedies for combating cybercrime. Legislation still needs to enact appropriate punishments and establish frameworks, though, and in that sense it has a crucial role to play in the mitigation of cybercrime.