Legal Structures are a Barrier to Fighting Cybercrime

March 2, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

In recent posts we have documented the incredible growth and impact of cybercrime and the total failure of governments around the world to address, or even truly acknowledge, their responsibility to police the issue.

We have noted that government’s vastly and continually underfund the brave and dedicated law enforcement personnel who are called to on the front lines of the cybercrime pandemic.

We have also described the antiquated, byzantine structures law enforcement endures as it tries to deal with the highly dynamic, innovative, and well-funded cyber-criminal enterprises.

It’s no wonder we are failing so badly to address the cybercrime pandemic.

But, as the late-night TV pitchman always says: “Wait, there’s more!”

On top of all these comparatively easy to address problems (just give them more money and mandate that they work together), there are truly difficult problems.  For example, the international legal structure – the laws themselves – have not been updated to deal with digital crimes.

International jurisdictional disputes often keep law enforcement from effectively operating. What may be legal in one country may not be legal in the U.S. and may be treated differently in a third country. In these instances where cybercriminals are at large internationally, countries require extradition agreements. The U.S. has many of these such agreements, but currently does not have them with China or Russia. 

Brian Benczkowski, Assistant Attorney General for the Department of Justice’s Criminal Division, focusing on developing, supervising, and enforcing U.S. federal law, stated at their 2020 Cybercrime Symposium “one of the most frustrating challenges in bringing offenders to justice has been the willingness of some countries to protect and foster cybercrime committed by their own citizens and within their own borders.”

To arrest cybercriminals that are foreign citizens and reside in other countries, we need diplomatic relations with the people of these countries. We have to rely on countries, such as Russia, to extradite these people to be successfully prosecuted under our laws. The U.S. has attempted cyber diplomatic negotiations through formal state visits and treaties, but these past attempts have not been fruitful.

In an era where cybercrime is essentially borderless, conventional borders, administrative structures and turf battles are further hampering an already under-funded effort. International efforts to combat cybercrime are hindered by antiquated treaties and agreements as well as a lack of adequate structures and resources.

The Budapest Convention is the only major treaty at an international scale that deals specifically on cybercrime. The goal was to gain international cooperation to create a common criminal policy to defend and prosecute against cybercrime. It primarily focuses on copyright infringement, computer fraud, child pornography, and network security. It was first signed in 2001 and was ratified by the United States in 2006. Since it was first signed and ratified, the cyber landscape has changed dramatically, making the treaty outdated. 

Toward the end of the Obama administration, there were several advancements in diplomatic cyber relations and agreements with China. In September 2015, President Obama hosted China’s President, Xi Jinping, for a formal state visit.

Among other things, they came to an agreement to not support theft of intellectual property and commercial hacking. They jointly announced that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”

Later that year in November 2015 at the G20 Summit, several other bilateral agreements between China reaffirmed that the commercial cyber espionage would cease. Following these agreements, the amount of cyber espionage coming from China significantly decreased. However, this success was short lived.

In 2017, the U.S. warned China that they were beginning to stray from the agreement. Then, in early 2018, a report by the U.S. Trade Representative concluded that China had continued “its policy and practice, spanning more than a decade, of using cyber intrusions to target US firms to access their sensitive commercial information and trade secrets.” Cyber policy experts say that these attacks from China fall into a “gray area” of the agreement and other critiques of the agreement also say that it is legally non-binding with little to no penalty against the breaching party

In order to develop a truly functional diplomatic effort that will enable law enforcement, a much higher priority needs to be established on the need to provide for the common defense in the digital age, and that will need to start at the top of government.

Join the Rethink Cybersecurity Community click here