Enforcement of Cyber Laws
By Nikoloz Kokhreidze
Introduction
This document intends to provide information about the enforcement of cyber laws. It reviews current laws and international treaties relating to cybercrime and provides a comparative analysis of the legislation of several countries. The paper additionally includes a review of cybercrime investigation methods and shows the main issues regarding the identification and prosecution of cyber criminals. “Enforcement of Cyber Laws” relies on personal opinions and publicly available documents.
An Overview of Cybercrime
The phenomenal development of information technologies has facilitated the formation of an entirely new universe. This universe is a vast virtual space, capable of transmitting billions of pieces of data per minute, known as cyberspace.[1] Cyberspace is a global communication network consisting of both hardware and software infrastructure, which uses the standard Internet protocol suite to link smaller computer networks throughout the world. The phenomenal growth of the global information technology infrastructure has been one of the most decisive factors distinguishing this century. In just over the past ten years, the number of Internet users has increased fivefold, and this rate is growing daily.
Today, cyberspace is a virtual realm that grows daily, populated by its own citizens, whose number reaches 3 billion, and you are one of them. As we can see, virtual life is becoming more and more popular, but what makes it so attractive? It is uncontrollable, it is huge, it offers everything that one is unable to find in the physical world, and, most appealing of all, there are no rules in cyberspace: you open the door and do whatever comes to your mind. This attraction has also created unparalleled opportunities for cyber criminals; criminal behaviors that were unimaginable a few years ago have become daily occurrences today, and cybercrime technology is advancing as well. In addition to the hard infrastructure presented by the World Wide Web, soft infrastructure is necessary in the form of regulatory mechanisms and cyber law.
In order to punish cyber offenders, it is crucial to define their nature correctly. Today every teenager is able to surf the internet and find many tutorials and tools providing proficient knowledge of cyberspace, network security and various hacking techniques. The knowledge is good in itself, but it may become a nightmare for others if not used in good faith. People who used this knowledge in good faith are today’s notable cyber security experts; they grew up in the same cradle of cyberspace as cyber criminals. Both developed their knowledge by staring at computer screens for hours and digging in the depths of the digital desert. At that time, they were all hackers. However, not every hacker is an offender; there are two main types of hackers known to cyber culture: white hat hackers and black hat hackers. Both do the same thing: they hack their way through cyberspace. The difference is that white hat hackers use their knowledge to defend networks from offenders, while black hat hackers use various hacking techniques to steal sensitive data or damage computer systems. In general, the term “hacker” denotes a person who modifies the software or hardware of a computer system to find new capabilities of a certain technology. Unfortunately, due to the influence of the media on social life, society applies the term hacker only to an evil being who wants to destroy or steal data from our computers.
[1] The term ‘cyber space’ first appeared in William Gibson’s novel Neuromancer, where it described the virtual world of interconnected computers.
Now we know that there are two types of hackers, but what do they actually do? There are more than a hundred ways of stealing data, penetrating networks and disrupting services, but some of them are the most popular:
• Denial of service
• Privilege escalation
• Malware
• Social engineering
• Phishing
• Session hijacking
• Password cracking
Network administrators are primarily concerned with the methods used to perpetrate an attack, so that they may forestall it. They are less concerned with the legal aspects of the act. Cybercrime is mostly divided into types that emphasize the particular criminal activity rather than the technological procedure used to execute the attack. Such a list would look like the following:
• Non-access computer crimes
• Unauthorized access to computer data and systems
• Identity theft
• Cyber stalking/harassment
• Fraud
These are broader types of attacks that encompass many other activities. However, a computer crime can also be committed without circumventing conventional computer operations. It is entirely possible to have a computer crime without the involvement of a security breach.
As we can see, cybercrime is connected to many different legal and technological issues. Regulating them requires appropriate regulations that emphasize international cooperation between states.
Legal Acts and Treaties Regarding Cyber Crime
Due to the complexities presented by cyberspace, new legislation and international treaties regulating activities in cyberspace have emerged. The first international treaty concerning computer crime is the Convention on Cybercrime.[2] It is the first treaty to deal with breaches of law over the internet or other information networks. It requires participating countries to update and harmonize their criminal laws against hacking, copyright infringement, computer-facilitated fraud, child pornography, and various illicit cyber-activities.
[2] The Committee of Ministers of the Council of Europe adopted the Convention on Cybercrime at its 109th Session on 8 November 2001. The Convention is currently signed by 47 countries, and on July 6, 2012 it was ratified by Georgia.
Negotiations on the Convention began in 1997. Since then, the rise in hacking incidents, the spread of harmful computer viruses, and the minimal prosecution of such crimes in many countries have spurred on the Council’s efforts. The terrorist attacks of 9/11 provided further momentum by raising the specter of cyber-attacks on critical infrastructure facilities and by highlighting the means by which terrorists use computers and the Internet to communicate, recruit, raise funds and spread propaganda.
The main goal of the Convention is to establish a “common criminal policy” to better combat computer-related crimes worldwide through harmonizing national legislation, enhancing enforcement and judicial capabilities, and maximizing international cooperation. Additionally, the Convention establishes several obligations for signatories.
Signatories ought to establish a fast and effective system for international cooperation. The Convention suggests that cybercrimes become extraditable offenses, and allows law enforcement authorities in one country to gather computer-based evidence for those in another. It also calls for establishing a 24/7 contact network to provide immediate assistance with cross-border investigations. According to the Convention, signatories ought to establish domestic procedures for the detection, investigation, and prosecution of computer crimes, and for the collection of electronic evidence of any criminal offense. Such procedures comprise the expedited preservation of electronic communications and computer data, system search and seizure, and real-time interception of data. Countries are required to define criminal offenses and sanctions under their domestic laws for four types of computer-related crimes: fraud and forgery, copyright infringements, child pornography, and security breaches such as hacking, system interference and illegal data interception.
The Budapest Convention on Cybercrime is one of the most important international treaties for combating cybercrime. It is the first document to establish and define terms describing the actual wrongdoings. Some countries did not have such crimes defined in their national legislation, and by ratifying this document they agreed to international cooperation with regard to cybercrime. One of the signatories of this document is Georgia, a country in the Caucasus that experienced massive cyber-attacks from Russia.
Russian cyber-attacks on Georgia during the conflict of 2008 revealed many vulnerabilities in Georgian cyberspace.[3] Solving this issue required regulatory norms. For this reason, Georgia found it important to sign the Convention on Cybercrime, which was ratified in 2012. Ratification requires signatories to enact proper legislation at the national level, so in February 2012 the Data Exchange Agency of Georgia introduced to parliament a new bill called the Information Security Act, which entered into force on July 1, aiming to establish legal standards for the private and public sectors in order to protect critical infrastructure. The Information Security Act introduced new approaches and notions for the cyber security of Georgia, including penetration testing, security audit, information security officer, computer security specialist, and the duties of CERT with regard to the security of critical infrastructure. The Information Security Act requires subjects of critical infrastructure[4] to periodically test and audit their information security systems. Examples of subjects of critical infrastructure include security services such as police and military, transportation systems, financial services, banking systems, telecommunications and others.
[3] During the conflict of 2008, Georgia experienced cyber-attacks from Russia aimed at sabotaging its cyberspace and critical infrastructure, launched alongside real-life armed attacks against the country. The series of cyber-attacks began on August 7 and lasted for several days, targeting both the public and private sectors.
The Act assigns the following additional and important duties to CERT.GOV.GE (the CERT of the DEA): giving recommendations for the security of critical information systems, registering computer incidents, responding to computer incidents, analyzing computer incidents, assisting critical infrastructure in minimizing damage, raising cyber awareness, and warning users of possible dangers.
In 2010, important changes were made to the Georgian Criminal Code, but penalties for some computer crimes are lighter than in other European countries such as Estonia, which experienced the same types of attacks in 2007 as Georgia and therefore serves as a good example for comparison. For example, the Georgian Criminal Code provides for a pecuniary punishment, correctional work, or imprisonment for no more than two years for unauthorized access to a computer system, while Estonian legislation punishes such conduct with a pecuniary punishment and imprisonment for up to five years. Another difference between the two is that the Criminal Code of Georgia does not use a term like “critical infrastructure” or “vital sector” with regard to computer crime.
Despite the fact that some punishments in the Criminal Code of Georgia are lighter, the code treats cyber terrorism as a separate crime. On the whole, having a separate article on cyber terrorism is positive, but unlike the article on acts of terrorism, it does not cover criminal offences committed against international security or an international organization, so it is unclear whether the latter may be applied with regard to the article on cyber terrorism or not.
On April 27, 2007, Estonia experienced the most sophisticated cyber-attack, allegedly executed by Russian hackers.[5] These serious attacks prompted Europe’s most IT-developed country to enact new laws and amend regulatory documents. Despite not having an Information Security Act like Georgia’s, Estonia has amended several laws and enacted the Emergency Act and the Information Security Interoperability Framework in order to suit the requirements of the modern cyber world. Analysis of Estonian law revealed that it was insufficient, and the following legislative acts were therefore amended: the Penal Code, the Electronic Communications Act, the Public Information Act, the Personal Data Protection Act, and the Information Society Service Act.
The amendments made the Estonian Penal Code more severe toward cyber criminals. For example, whereas before the cyber-attacks some computer crimes carried imprisonment only if significant damage was caused, now one may be sentenced to more than 3 years of imprisonment without causing such damage. The amended legislation additionally covers the preparation of a computer crime, which was not available until Penal Code amendment act RT I 2008, 13, 87. Pursuant to article 2061 regarding preparation of computer-related crime, a court may confiscate an object which was the direct object of the commission of an offence. Confiscation of the object of the commission of a computer-related crime is a new notion for Estonian legislation. The changes in legislation also affected the article on terrorism, and now, in some cases, interference with computer data may be considered an act of terrorism. This may be seen as a step in the fight against cyber terrorism, which is one of the most serious types of cybercrime today.
[4] The term critical infrastructure is defined in the Information Security Act as a public organ or legal entity whose continuous functioning of information systems is important for the defense and/or economic security of the country, or for the preservation of government and/or social life.
[5] In 2007 the Estonian government decided to relocate the two-meter statue “Bronze Soldier of Tallinn”, a Soviet monument to the fallen of World War II, to the Tallinn military cemetery, and this decision served as Russia’s reason to attack. The series of attacks lasted weeks rather than hours or days, targeting both the public and private sectors. The cyber-attacks included the following techniques: phishing, email spam, website defacing, SYN/ICMP floods and DDoS, of which DDoS was the most widely used. Some experts argue that Russia’s youth movement Nashi cooperated with transnational cybercriminals and used their botnets to strengthen the attacks; this argument might explain the wide-scale nature of the cyber-attacks.
With regard to computer crime, the amended code is more detailed than the Penal Code of 2001 and includes terms important for modern legislation, such as “vital sector”, and a range of possible cyber-attacks. Based on Estonia’s Emergency Act of 2009, which covers the term “vital services”, we may conclude that the terms “vital sector” and “critical infrastructure” carry a similar meaning and refer to, but are not limited to, the following: state agencies, energy facilities and networks, financial bodies, healthcare, food, water, communications and information technology.
A careful examination of current laws makes clear that laws regarding cyber security and cybercrime are becoming topical. However, enforcing these laws in real life requires improving the technologies used for investigation, identification and collection of digital evidence. The enforcement of cyber laws is a very complicated process that involves several different factors.
Issues Regarding Jurisdiction
Cybercrime is so broad and can be so complex that it becomes very difficult to investigate. Additionally, jurisdiction adds international legal complexity to the investigation. Normally there are three levels of authority defined by international jurisdiction:
• The authority to enforce[6]
• The authority to prescribe[7]
• The authority to judge[8]
The Convention on Cybercrime emphasizes international cooperation with respect to criminalizing certain acts. However, it does not provide a solution to the issues of international jurisdiction, and the investigation of a cybercrime has to depend on the good will of the third country. The Convention relies heavily on international cooperation, but sometimes this is not enough to bring an investigation to a conclusion. Therefore, we may conclude that the Convention falls short of giving States the necessary tools to fight this type of crime.
A good example of the complexity of jurisdiction issues is the Yahoo case. On May 22, 2000 the Tribunal de Grande Instance de Paris, based on the regulation that makes the exhibition or sale of racist objects illegal, ordered Yahoo! Inc. and its subsidiary Yahoo France to exclude French internet users from sales of Nazi objects and to remove all the files concerned stored on their servers.
In this particular case, the files were uploaded from an unknown source and were stored on a server located in the United States. The French court asserted jurisdiction over them because they were visible in France and their content was illegal in France.
[6] The capacity to compel compliance or to punish noncompliance with its laws, regulations, orders, and judgments, as well as the capacity to investigate suspect behaviors - prerogative of a government.
[7] The capacity to establish and prescribe criminal and regulatory sanctions - prerogative of a government.
[8] The competence to hear disputes - prerogative of courts.
Yahoo filed a declaratory judgment action in U.S. District Court in order to obtain a ruling that the French court’s order could not be enforced against Yahoo in the United States. Besides discussing technical matters regarding the impossibility of excluding some users of its site from some of the Web pages, Yahoo maintained in its lawsuit that allowing enforcement of the foreign court’s order in the United States would violate the First Amendment. As a result, U.S. District Judge Jeremy Fogel agreed with Yahoo regarding the violation of the First Amendment and entered a declaratory judgment in the company’s favor.
LICRA and UEJF[9] appealed to the Ninth Circuit.[10] Eventually, the majority of the judges reversed the judgment of the district court, but confirmed that the district court had jurisdiction over LICRA and UEJF.
The above-mentioned case shows that the Convention on Cybercrime does not provide enough resources to solve such complex issues, and such cases may last for years. The problem of jurisdiction is not easily solved, and unfortunately international law does not at this time provide any obligatory norms requiring states to obey certain rules.
Investigation and Forensics of Cybercrime
Identification and prosecution of cyber criminals is another important problem faced by law enforcement with regard to cybercrime. For a person to be found guilty of a criminal offense under criminal law, the jury or judge must believe that the offender has committed the offense. The only solution to this problem is to provide convincing evidence whenever possible.
Cyberspace provides exclusive opportunities to cybercriminals by allowing them to become anonymous. Virtual Private Networks and online anonymity services like TOR (The Onion Router) allow criminals to initiate their attacks through several nodes, making identification even more complicated. The Criminalization of True Anonymity in Cyberspace by George du Pont describes two types of anonymity: true anonymity and pseudo-anonymity.
Truly anonymous communication is untraceable. In this case, only coincidence or purposeful self-exposure will bring the identity of a person to light. Any attempt to discover the identity of the sender will lead only to an erased trail of clues. Although some forms of truly anonymous communication, such as political speech, are valuable in democratic societies, this form of anonymity has exceptional potential for abuse because the message senders cannot be held accountable for their actions.
In contrast to truly anonymous communication, pseudo-anonymous communication may be traced. The identity of the message sender may seem truly anonymous because it is not easily uncovered or made available, but it is possible to discover the identity of a person using pseudo-anonymous communication. Despite the use of pseudo-anonymous communication in cybercrime activities, it has significant social benefits; it enables citizens of a democracy to voice their opinions without fear of retaliation against their personal reputations. A perfect example of the use of this type of anonymity occurred during the revolution in Egypt, where people used pseudo-anonymity to share their opinions against the regime of Hosni Mubarak.
[9] LICRA and UEJF are French antiracism associations.
[10] The United States Court of Appeals for the Ninth Circuit is a U.S. federal court with appellate jurisdiction over the district courts.
According to Ahmad Kamal,[11] for anti-anonymity legislation to succeed, it must narrowly target specific evils. Governments must recognize that within the distinction between true anonymity and pseudo-anonymity lies the key to legislative restrictions. Because some types of anonymity, such as political speech, are considered valuable and necessary elements of society, legislation cannot merely target all true anonymity under the assumption that its existence promotes anonymous criminal acts. Legislatures must isolate and target only the specific type of anonymous speech in cyberspace that has criminal objectives, such as cyber stalking or child pornography.
Law enforcement cannot change the fact that anonymity exists; however, it can still influence the process of identification by preparing for cyber-attacks. Investigators form an incident response plan in order to be ready for any kind of attack. The incident response plan is part of the overall corporate computer security policy. The plan identifies reporting requirements, guidelines and severity levels for the preservation of evidence. The priorities of the investigation may vary from organization to organization; however, the common priority is to minimize any additional loss and resume business as quickly as possible. In addition, it is important to establish a CERT working 24/7 to identify and respond to attacks as soon as possible, before attackers try to cover their traces.[12]
The computer crime investigation starts immediately following the report of any alleged illegal activity. Analysis and eradication are accomplished as soon as possible after the attack.
The next step after the identification of an attack is to gather digital evidence for later presentation in court. Digital evidence is the main factor on which a court bases its decision. Digital evidence is information or data of evidential value that is stored on or transmitted by a computer or digital device. According to the SANS Institute, digital evidence may be retrieved from: (a) CPU, cache and register content; (b) Routing table, ARP cache, process table, kernel statistics; (c) Data contained on archival media; (d) Remotely logged data; (e) Data on hard disk; (f) Temporary file system / swap space; (g) Memory.[13]
The process of collecting digital evidence consists of five steps:
1. Policy and procedure development
2. Evidence assessment
3. Evidence acquisition
4. Evidence examination & analysis
5. Documenting and reporting
The last step is the most important, as it documents everything that happened in the previous steps, including files found and techniques used. These documents are gathered and presented to the court as evidence. Depending on the quality of the evidence, the court checks it for admissibility.
For an electronic document to be admitted as evidence, it should be possible to answer the following questions:
• Are we able to properly authenticate the document with regard to its authorship and integrity?
• Are the record and the original version different in any way?
• Is it reliable and necessary?
• Is the program that created the document reliable?
[11] Ahmad Kamal is a Pakistani diplomat, most noted for his work at the United Nations, and the author of the book “The Law of the Cyberspace”.
[12] The CERT team itself is a technically astute group, which is knowledgeable in the area of legal investigations, the corporate security policy (especially the incident response plan), the severity levels of various attacks, and the company position on information dissemination and disclosure.
[13] The SANS Institute is a private US company that specializes in internet security training.
The authentication of electronic evidence poses several problems because, by its very insubstantial nature, electronic evidence may easily be altered, and such alteration would be difficult if not impossible to detect, even by an expert.
Due to the transitory nature of information stored on computer systems, there are a number of additional legal obstacles that have to be clarified:
• Computer evidence may easily and undetectably be changed or removed
• Computer evidence may be stored in a different format from that in which it is displayed
• It is hard for nonprofessionals to truly evaluate computer evidence.
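
Recording a cryptographic hash of each item at acquisition, in a custody log whose entries are chained together, is one common way to make the integrity questions above answerable later. The following Python sketch is an added example, not part of the original paper; the function names, log fields, file names and sample data are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entry_digest(entry):
    """Digest of a log entry over a canonical JSON encoding (sorted keys)."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, action, item, sha256, examiner, when):
    """Append a custody record linked to the previous record's digest."""
    entry = {
        "action": action,          # hypothetical values: "acquired", "examined"
        "item": item,
        "sha256": sha256,
        "examiner": examiner,
        "when": when,
        "prev": log[-1]["digest"] if log else "0" * 64,
    }
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first record that breaks the chain, or None."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["digest"] != entry_digest(entry):
            return i
        prev = entry["digest"]
    return None


def verify_items(log, root):
    """Compare each acquired item on disk with the hash recorded at acquisition."""
    result = {}
    for entry in log:
        if entry["action"] != "acquired":
            continue
        path = Path(root) / entry["item"]
        if not path.exists():
            state = "missing"
        else:
            state = "intact" if sha256_file(path) == entry["sha256"] else "altered"
        result[entry["item"]] = state
    return result


def demo():
    """Run the workflow on constructed sample evidence in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"auth.log": b"Jan 01 00:00:01 host sshd[1]: constructed sample line\n",
                   "mail.eml": b"From: a@example.test\nSubject: constructed sample\n\nbody\n"}
        log = []
        for name, data in samples.items():
            (Path(root) / name).write_bytes(data)
            append_entry(log, "acquired", name, sha256_file(Path(root) / name),
                         "examiner-1", "2024-01-01T00:00:00Z")
        before = verify_items(log, root)
        # Simulate a one-byte change to the stored copy after acquisition.
        (Path(root) / "auth.log").write_bytes(samples["auth.log"].replace(b"01", b"02", 1))
        after = verify_items(log, root)
        chain_ok = verify_log(log)
        # Simulate the recorded hash being rewritten to hide that change.
        log[0]["sha256"] = sha256_file(Path(root) / "auth.log")
        chain_tampered = verify_log(log)
        return before, after, chain_ok, chain_tampered


if __name__ == "__main__":
    print(demo())
```

A chained log only proves internal consistency; the digest of the latest entry still has to be kept somewhere the examiner cannot rewrite, such as a signed report or write-once storage.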
Role of International Organizations in Cybercrime Regulation
As we can see, the whole process from the commission of a cybercrime to the conviction of the accused takes too long because of many legal, political and technological complexities. This raises the significance of the participation of international organizations in the regulation of cybercrime.
International organizations are focusing on international harmonization, which is one of the most important steps toward solving international crimes like cybercrime. Harmonization of national laws will definitely solve some issues regarding extradition. Many countries have extradition treaties with others. However, extradition is more a political decision than a legal obligation, and these countries do not allow extradition of their citizens to countries where they may become subject to the death penalty or any other punishment foreign to their national legislation. When national laws are harmonized, however, states have no basis for refusing extradition and are more likely to transfer a person to the victim state.
International cooperation is another important role of international organizations. The United Nations, NATO, the Council of Europe, the Organization of American States, and the Shanghai Cooperation Organization have created mechanisms that directly regulate cyber-attacks and enhance international cooperation. For example, the Council of Europe’s Convention on Cybercrime requires states to designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence. Some states have established 24/7 departments and agencies, which monitor data in cyberspace and preserve it for some period until it is shared and analyzed with other states.
Cybercrime is a new phenomenon for the international legal community, and years may be required to properly regulate cyberspace and enforce cyber laws. However, each state and organization should realize that regulation of this issue is vital for international security and peace.
Bibliography
Amoroso, E. G. (2011). Cyber Attacks - Protecting National Infrastructure.
Archick, K. (2006). CRS Report for Congress.
Chuck Easttom, D. J. (2011). Computer Crime, Investigation, and The Law.
Gibson, W. (1984). Neuromancer.
Handbook on Information Security Management: Law, Investigation and Ethics. (n.d.). Retrieved
from CCERT.EDU.CN: http://www.ccert.edu.cn/education/cissp/hism/555-558.html
Joubert, V. (2012). Five years after Estonia's cyber attacks: lessons learned for NATO?
Kamal, A. (2005). The Law of Cyber-Space.
Kokhreidze, N., & Bodzashvili, L. (2012). The Law of Cyberspace. Bona Causa.
Richardson, J. (2008). An Analysis of the Cyber Security Strategy of Estonia.
Zeinab Karake-Shalhoub, L. A. (2010). Cyber Law and Cyber Security in Developing
Economies.