CrimeFire – Cyber Security Power House

The UN Cybercrime Treaty Has a Cybersecurity Problem In It – Just Security

Written by

rescue@crimefire.in

in

by
October 17, 2022
, , , , , ,
by
October 17, 2022
The United Nations is engaged in a landmark effort to establish a new global cybercrime treaty. The goal is laudable. Cybercrime does not respect borders, nor is it limited by them. And, as we have seen, cyberattacks that begin with one target can quickly spill into the broader digital ecosystem, causing widespread damage.  But this initiative at the U.N. – if not carefully curated – could also serve as a vehicle for countries to criminally prosecute security researchers, technology companies, and others for activities that are essential to the overall security of our global digital community.
The estimated economic cost of cyberattacks is staggering and seems to grow each year.  The expansion of the cyber insurance industry is a natural consequence as more companies look to protect themselves against these attacks.  The damage wrought by cybercrime has a nontrivial human component too. When a cyberattack targets the healthcare industry – a common victim – the impact on individual lives is stark : prescriptions don’t get filled, surgeries are delayed, and an individual’s health can rest in the hands of a cybercriminal thousands of miles away and out of reach of local and allied law enforcement agencies. Innovative approaches to combatting cybercrime, including drawing on all elements of geopolitical power, are needed if the international community hopes to put a dent in the seemingly unbounded growth of this malicious enterprise. But while the goal of increased global cooperation in the prosecution of cybercrime is worthwhile, current proposals from various countries, discussed during the summer’s U.N. Ad Hoc Committee’s Second Session, raise concerns.
As it currently stands, the most influential and important international cybercrime treaty is the Council of Europe Convention on Cybercrime, more commonly referred to as the “Budapest Convention.”  That Convention was the first international cybercrime treaty and has been adopted by 67 countries, including Australia, Canada, the Council of Europe (which includes the European Union as well as other countries), Japan, the U.K., and the U.S..  The goal of the Budapest Convention was to establish a global approach to cybercrime that would involve harmonizing national law, improving investigative abilities, and enabling international cooperation.  Among other things, the Budapest Convention defined criminal offenses for cybercrimes such as illegal access to a computer system, fraud and forgery, and illegal data interception.  While the Budapest Convention has been the subject of controversy over the years, including concerns that it undermines individual privacy rights,  it is generally regarded as a useful instrument setting an international standard for addressing cybercrime.
In 2019, the U.N. General Assembly adopted a resolution that initiated a multi-year process of negotiating what could become a global cybercrime treaty more widely adopted and influential than the Budapest Convention.  Negotiations for this treaty are wide-ranging and illustrate a lack of unanimity concerning what should be defined as “cybercrime.” Where some proposed crimes mirror the language and approach of the Budapest Convention, such as prohibitions against illegal access to a computer system, others include new provisions, such as those that criminalize the receipt of “any stolen computer resource.”  The competing proposals also raise the specter of significant human rights concerns with sweeping concepts of criminalized conduct,  especially since the countries driving the movement toward the new treaty are among those with the most restrictive laws concerning the free and open use of the internet.
While human rights concerns are the most significant danger in some of the proposals, they are not the only problem. Most ironically, one of the potential flaws in many of the proposed crimes is that they may undermine the goal of bolstering global cybersecurity. One of the notable ways this concern manifests is in the number of proposals calling for the criminalization of computer-enabled conduct without a requirement to show some kind of “intent.”
Intent is a common element in many global cybercrime legal frameworks – and criminal law, generally. The crimes outlined in the Budapest Convention, Articles 2-11, specify some element of intent as a prerequisite to the criminal prohibitions, such as illegal access, illegal interception, and data interference.  While some of the parties participating in the negotiation of the new U.N. Cybercrime Treaty have proposed cybercrimes that are consistent with the language of the Budapest Convention, many other countries have proposed crimes without any intent element. That’s ill-advised and dangerous. For instance, with respect to the crime of “[c]omputer interference,” Proposal 5 from India states:
Each State party shall adopt such legislative and other measures as are necessary to establish as an offence under its domestic law, if any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network – (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network…
Another example is Egypt’s Proposal 1 for an offense relating to “[a]ttack on a site design,” which states:
Each State party shall also adopt such legislative and other measures as are necessary to criminalize the following acts:
The unlawful damaging, disruption, slowing, distortion, concealment or modification of the site design of a company, institution, establishment or natural person.
Where many proposals omit intent, other countries seek to maintain it as an important element of the proposed crimes in the new treaty. For instance, Canada’s Proposal 3 for an offense relating to “data interference” states that countries shall:
Establish as a criminal offence to, intentionally and without right, seriously hinder the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data.
When intent is removed from a criminal prohibition, it increases the likelihood that innocent individuals who inadvertently produce certain effects from their conduct will be subjected to the full weight of criminal prosecution and the threat of significant penalties, including, potentially the loss of their freedom. This is a danger that is well-recognized in the field of cybersecurity.  To be sure, security research does not always involve activities that might implicate cybercrime laws as such research does not necessarily involve conduct that might constitute “interfering” with a system or circumventing security measures. Omitting intent as an element of a cybercrime may, however, criminalize such conduct, in those circumstances when the effects of cybersecurity research are less clear.
By maintaining the intent element in cybercrime laws, many jurisdictions can avoid the risk of discouraging or chilling the activities of security researchers such that those researchers, who are legitimately acting in good faith, should generally not worry about being prosecuted for inadvertent effects for which different parties might debate whether they constitute “accessing” or “interfering” with a system. There should be no room for ambiguity.
Through its enforcement of the Computer Fraud and Abuse Act (CFAA), the United States itself has struggled to reconcile the line between legitimate computer research and criminal access to a computer system.  In particular, in the case of vulnerability research, some identification and testing of vulnerabilities could potentially, if inadvertently, cause effects that some might argue constitute “interfering” with a computer system in violation of the CFAA.  This has left many critics claiming that vital cybersecurity research, including vulnerability research, is threatened unnecessarily by the specter of potential federal criminal prosecution.  Many technology companies that offer cybersecurity services or products, as well as corporate security departments, depend on the ability to obtain and use actionable intelligence concerning cybersecurity vulnerabilities to protect their systems, the many consumers they serve, and the broader cybersecurity ecosystem. The importance of insulating “good faith” security researchers from cybercrime laws was recognized recently by the U.S. Department of Justice, which announced a new policy for federal prosecutors investigating potential violations of the CFAA.   That policy explicitly discourages prosecutors from pursuing “good faith” security researchers for violations of the law.
To the extent any of the current cybercrime proposals that do not require intent survive in the final version of the U.N. Cybercrime Treaty, it could significantly alter the landscape for cybersecurity researchers, discouraging their work and even potentially threatening them with criminal prosecution.
A new global cybercrime treaty, especially one that aspires to something closer to universal adoption in countries that are not parties to the Budapest Convention, could have significant positive effects on the fight against global cybercrime. An instrument that enables more extensive international cooperation in cybercrime investigations could mean, among other things, more favorable conditions for the extradition of cybercriminals from countries currently unwilling to do so. It could also shrink the number of “friendly” jurisdictions where cybercriminals can act with relative impunity. But when significant human rights concerns are coupled with blind spots that could endanger cybersecurity research, it is apparent that an international instrument that is not carefully crafted could have unintended consequences, including undermining the very purpose for its existence.
 
, , , , , ,
All-source, public repository of congressional hearing transcripts, government agency documents, digital forensics, social media analysis, public opinion surveys, empirical research, more.
by , and
Mar 3rd, 2023
by
Mar 2nd, 2023
by
Mar 1st, 2023
by
Feb 28th, 2023
by and
Feb 27th, 2023
by
Feb 24th, 2023
by
Feb 23rd, 2023
by
Feb 23rd, 2023
by
Feb 22nd, 2023
by
Feb 22nd, 2023
by and
Feb 21st, 2023
by
Feb 21st, 2023
by and
Feb 17th, 2023
by
Feb 15th, 2023
by
Feb 14th, 2023
by
Feb 13th, 2023
by
Feb 10th, 2023
by and
Feb 9th, 2023
by
Feb 8th, 2023
by , and
Feb 7th, 2023
by
Feb 7th, 2023
by and
Feb 6th, 2023
by
Jan 31st, 2023
by and
Jan 30th, 2023
by
Jan 27th, 2023
by and
Jan 26th, 2023
by
Jan 25th, 2023
by
Jan 24th, 2023
by and
Jan 19th, 2023
by and
Jan 19th, 2023
by , and
Jan 17th, 2023
by
Jan 13th, 2023
by
Jan 12th, 2023
by and
Jan 9th, 2023
by and
Jan 6th, 2023
by , and
Jan 5th, 2023
by and
Jan 4th, 2023
by
Jan 3rd, 2023
by
Jan 3rd, 2023
by and
Dec 26th, 2022
by and
Dec 23rd, 2022
by , and
Dec 22nd, 2022
by and
Dec 21st, 2022
by and
Dec 21st, 2022
by
Dec 19th, 2022
by
Dec 19th, 2022
by
Dec 15th, 2022
by
Dec 12th, 2022
by
Dec 9th, 2022
by
Dec 8th, 2022
by
Dec 8th, 2022
by
Dec 8th, 2022
by
Dec 6th, 2022
by and
Dec 5th, 2022
by
Dec 2nd, 2022
by
Dec 1st, 2022
by and
Nov 30th, 2022
by and
Nov 23rd, 2022
by
Nov 22nd, 2022
by
Nov 21st, 2022
by and
Nov 18th, 2022
by , , , , , , , , and
Nov 17th, 2022
by , , and
Nov 16th, 2022
by , , and
Nov 16th, 2022
by
Nov 15th, 2022
by and
Nov 15th, 2022
by and
Nov 14th, 2022
by
Nov 11th, 2022
by
Nov 10th, 2022
by
Nov 9th, 2022
by
Nov 9th, 2022
by
Nov 8th, 2022
by and
Nov 7th, 2022
by
Nov 4th, 2022
by
Nov 3rd, 2022
by
Nov 2nd, 2022
by
Oct 31st, 2022
by
Oct 27th, 2022
by
Oct 25th, 2022
by
Oct 24th, 2022
by
Oct 21st, 2022
by
Oct 20th, 2022
by
Oct 18th, 2022
by
Oct 17th, 2022
by
Oct 14th, 2022
by
Oct 11th, 2022
by
Oct 10th, 2022
by
Oct 7th, 2022
by and
Oct 6th, 2022
by and
Oct 6th, 2022
by
Oct 5th, 2022
by
Oct 5th, 2022
by
Oct 4th, 2022
by
Sep 26th, 2022
by
Sep 26th, 2022
by and
Sep 26th, 2022
by
Sep 24th, 2022
by
Sep 23rd, 2022
by
Sep 23rd, 2022
by and
Sep 23rd, 2022
by , and
Jan 30th, 2023
by and
Nov 18th, 2022
by
Feb 14th, 2023
by , , , , , , and
Oct 27th, 2022
by and
Mar 24th, 2022
by
Feb 18th, 2022
by
Jan 24th, 2022
by , , , and
Jan 20th, 2022
by , and
Oct 29th, 2021
by
Sep 13th, 2021
by , and
Sep 7th, 2021
by
Jul 19th, 2021
by
Jun 30th, 2021
by and
Jun 14th, 2021
by and
Jun 1st, 2021
by
May 29th, 2021
by
Feb 1st, 2021
by and
Nov 16th, 2020
by , , and
Nov 10th, 2020
by , , and
Oct 14th, 2020
by and
Oct 12th, 2020
by , and
Sep 11th, 2020
by
Jul 13th, 2020
by
Oct 21st, 2020
by and
May 27th, 2020
by and
Sep 12th, 2019
by
Jan 28th, 2019
by
Oct 25th, 2018
by
Jun 7th, 2022
by , and
Aug 29th, 2021
by and
Aug 8th, 2021
by and
May 11th, 2021
by
Feb 10th, 2021
by , and
Jan 11th, 2021
by and
Nov 3rd, 2020
by
Aug 24th, 2020
by and
Jul 27th, 2020
by and
Mar 11th, 2020
Christian Ohanian (@CGOhanian) is Senior Counsel for Privacy and Cybersecurity for Cyber & Intelligence Solutions at Mastercard and a Senior Fellow in the Tech, Law & Security program at American University. He previously served as an Assistant General Counsel with the National Security Agency (NSA).
Send A Letter To The Editor
by , and
Mar 3rd, 2023
by and
Mar 2nd, 2023
by , and
Feb 28th, 2023
by
Feb 24th, 2023
by
Feb 24th, 2023
by
Feb 24th, 2023
by
Feb 23rd, 2023
by
Feb 21st, 2023
by
Feb 14th, 2023
by
Feb 14th, 2023
by
Feb 13th, 2023
by , and
Feb 7th, 2023
Just Security is based at the Reiss Center on Law and Security at New York University School of Law.

source

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts

Свежие материалы