How international cybersecurity frameworks can help CISOs

Cyber laws are more than just the statutes themselves. They are the sum of everything a robust cyber-policy framework facilitates: cybersecurity and cybercrime legislation, workforce development strategies, cyber information sharing (threat intelligence), digital forensics, computer emergency response teams (CERTs), cyber diplomacy, and bilateral agreements, among other facets. “These cyber capabilities along with technology advancements have made us much better at cyber-incident attribution,” says Niel Harper, who is part of the professional standards working group of the UK Cyber Security Council, a member of the board of directors at ISACA, and a member of the World Economic Forum cyber risk working group.

Organizations need to adopt and ‘live’ the right cybersecurity frameworks. “Policies and cyber insurance alone won’t cut it. Executive management and boards need to get smarter so they can ask the right questions about cyber risks and associated economic drivers, business leadership must encourage systemic resilience and collaboration, and ensure that organizational design and resource allocation supports cybersecurity,” Harper says.

For CISOs, everything needs to be framed around cyber-risk management and alignment with business strategy, but external collaboration is also critical. Public-private partnerships, especially those concerned with critical national infrastructure protection, are crucial in the fight against cybercrime, as are sectoral and cross-sectoral CERTs and information-sharing mechanisms. “Collaboration allows for organizations to stay ahead of emerging threats and be more proactive on their cyber resilience,” he says.

Many thanks to CSO Online for engaging me and other privacy and cybersecurity experts to discuss two of my absolute favourite topics – “cyber law” and “cyber policy”. I wanted to further expand on my comments that were quoted in the online article.

There are currently 68 parties to the Budapest Convention and 21 observer countries which are signatories and have been invited to accede. Vital international cooperation and collaboration on cybercrime occurs via mutual legal assistance treaties (MLATs) and through organizations such as INTERPOL, AFRIPOL, ASEANAPOL, EUROPOL, UNODC, and others. But given the complexity, scale and scope of cybercrime, a lot more can be done. The problem often comes down to the capabilities (or lack thereof) of nation states to participate effectively in international cooperation activities. Frankly, many countries are simply not equipped, which is why we are seeing safe havens for cybercrime. Addressing this is the purpose of the Budapest Convention along with several global capacity-building initiatives such as GLACY / GLACY+, SIRIUS, EU Cyber Direct, GFCE, and others: to assist nation states in building capacity in areas such as national cyber security strategy, cybercrime legislative reform, computer emergency response teams (CERTs), digital forensics, and access to cross-border electronic evidence (e-evidence), just to name a few.

There is also the work being done via the UN’s Open Ended Working Group (OEWG) and the Ad Hoc Committee towards a global Cybercrime Convention. The current approach through the Budapest Convention has created a patchwork quilt of cybercrime laws and differing levels of maturity across the 195 UN Member States. A global Cybercrime Convention is intended to comprehensively harmonise cyber laws and enable agile multilateralism, so as to better tackle cybercrime and enhance coordination and cooperation among nation states.

The Budapest Convention also has several notable limitations. Besides the areas you mentioned, there are material flaws: it lacks privacy and civil liberties protections; it is far too broad in its scope and can often implicate innocent individuals such as researchers, activists, and whistleblowers; it is missing protections to prevent it being deployed for political persecution; it fails to require “dual criminality” (i.e., that the act be illegal in both countries) as a prerequisite for mutual legal assistance; it gives law enforcement wide and intrusive surveillance powers; and it distorts existing intellectual property regimes by moving away from fair use and public interest objectives. The new UN Cybercrime Convention must resolve these and other issues – if there is ever consensus across Member States – especially by narrowing the scope, building capacity across Member States, and including human rights safeguards.

Cybercrime prevention requires cooperation at many levels – legal as well as technical and political. Many countries have cybercrime laws in place, but the technical skills required to enforce them are missing, and this gap spans areas such as operational law enforcement, law enforcement administration, support services, and judicial officers. Additionally, in many nations, law enforcement officers (LEOs), police administrators, politicians, and court officers are corrupt, underpaid and overworked, or simply lack the motivation to properly enforce the laws on the books. They are also often bribed or intimidated by criminals. Remember the famous quote attributed to Peter Drucker, “Culture eats strategy for breakfast”? The same applies to effective cybercrime prevention.
