Peter Yapp, our regular contributor on cybersecurity, reviews how international laws have attempted to curb cybercrime and points out what still needs to be done.
In the mid and late 1990’s I was part of the UK delegation to the G8 high tech crime working group that laid some of the groundwork for the Budapest Convention (the Council of Europe Convention on Cybercrime) in 2001. It was, like many similar international gatherings, slow moving with plenty of simultaneous translation and huge levels of scrutiny over every word used in the resulting declarations. But there was a sense of coming together to tackle a recognised global problem and that no one country could tackle it on their own. There was a realisation that having a named contact (or contact mechanism) in each of the G8 countries who could be called 24/7, 365 days a year was essential if we were to have any chance of tracking down cyber criminals. In fact, we were the group that started using the term cybercrime to describe a wide range of crime being perpetrated on the internet or on new telecommunications networks. However, one member of the G8, Russia, took a rather different view of the world. While they were open to sharing contact details, they considered the “Russian Internet” to be sovereign space. In fact, they went so far as to state that if, while in “hot pursuit” of a cybercriminal, we (non-Russian law enforcement) entered their cyberspace, they would track us down and attempt to prosecute us. I believe that this idea of sovereign cyberspace still exists today in a handful of countries around the world.
The Budapest Convention was drafted to provide a coordinated international response to Cybercrime. At its heart are provisions on mutual assistance and international cooperation. It is the only binding international instrument addressing this issue. As a framework it has let hundreds of practitioners from all over the world share experience and create relationships so that investigation of cases, especially in emergency situations, have been as effective as they could be. This network of contacts was what we realised was so important when meeting as the G8 subgroup. However, I do not think that it has been effective in cybercrime prevention. If being caught and sentenced is meant to act as a deterrent, it is clearly not working. There are too few cases getting to court and when they do, the sentences are too low. Cybercrime has monetised Distributed Denial of Service, Ransomware and Bank Transfer Frauds amongst others and there are huge amounts of money to be made with a very small risk of being caught. The use of anonymisation, The Onion Ring and Virtual private Networks make it extremely difficult (if not impossible) to identify the culprits. The best chance of tracking someone down is if a real time investigation can be carried out, and for that, the convention provides a good framework of contacts that can be utilised quickly. However, there will never be total worldwide coverage and certain countries’ position that their internet is sovereign space has not changed since those early conversations between law enforcement agencies in the 1990’s.
One of the ways to try and improve cybersecurity and increase the number of prosecutions is by raising awareness of the scale of the problem. A way to do that is by increased reporting of incidents. In the UK there are a few laws and regulations that require an organisation to report a breach. The Financial Conduct Authority and the Prudential Regulation Authority both require notification of cyber security breaches from the finance sector. From the most recent figures available, financial services firms reported 819 cyber incidents to the FCA in 2018, an increase on the 69 incidents reported in 2017. Retail banks had the highest number of reports (486), 59% of the total. Next were the wholesale financial markets with 115 reports (14%) with retail investment and retail lending firms at 6%. The FCA principle 15.3.1 is that a firm must notify the FCA immediately it becomes aware, or has information which reasonably suggests, that any of the following has occurred, may have occurred or may occur in the foreseeable future: (i) the firm is failing to satisfy one or more of the threshold conditions; (ii) any matter which could have a significant adverse impact on the firm’s reputation; (iii) any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm; or (iv) any matter in respect of the firm which could result in serious financial consequences to the UK financial system or to other firms.
The PRA has eight Fundamental Rules that are similar to the FCA’s Principles for Businesses. In particular: Fundamental Rule 7: a firm must deal with its regulators in an open and cooperative way and must disclose to the PRA appropriately anything relating to the firm of which the PRA would reasonably expect notice (which is a rather a wide-ranging obligation).
And of course, the Information Commissioner’s Office requires data breaches to be notified within 72 hours of you becoming aware of them, unless you can demonstrate that it’s unlikely to result in a risk to individuals’ rights and freedoms. If you have suffered a cyber-attack or related incident you will need to report it to the ICO if there is a personal data breach. This means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The most recent piece of legislation requiring breach notification comes from the Network and Information Systems Regulations 2018 (NIS) which implements the European Directive 2016/1148, the ‘NIS Directive’. NIS applies to two groups of organisations: ‘operators of essential services’ (OES’s) and ‘relevant digital service providers’. The Directive establishes security and notification requirements (which in Europe include banks and financial market infrastructures) meeting the criteria in Article 5(2) of the Directive:
OES’s are required to notify their Regulator of any incident that has a substantial impact on the provision of services. When assessing whether to notify, they have to take into account a number of factors, including the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact.
All this is good, but regulators should carefully look at what they are asking for and why. While the 72-hour reporting window is a good target to aim for, you don’t have to wait for 72 hours – the sooner you contact the Regulator the better. Consider reporting in instalments and give updates when you get more information. Give as much detail as possible and be as accurate as you can. We need to make it as easy as possible to report incidents so that government and the public realise the scale of the problem, assign the appropriate resources and take the appropriate action.
Globally, although many countries have laws that mandate data breach reporting, data breach notifications are not mandatory in many other countries (e.g., Argentina, Belarus, Costa Rica, Egypt, Japan, Macau, Malaysia, Madagascar, Mauritius, Panama, Russia, and Saudi Arabia). These countries effectively become “data havens” by default.
Some countries such as Canada and the USA have data breach notification laws that go further than reporting and require implementation of security measures to protect data and for the breached entity to rectify the situation and/or remediate the harm. In fact, the USA is also discussing further privacy legislation and is likely to develop more stringent federal privacy laws. It might be argued that sometimes the USA goes too far. In the case of the former CISO of Uber, a 1789 law, misprision of a felony, was used to claim that his actions of paying off ransomware attackers to retrieve data are a crime as he saw a crime and didn’t report it.
Despite this jump back to the 18th century, we are still 20 years behind where we need to be today. In 1998 some of us knew that there was going to be an explosion in cybercrime and that recruitment and training would be required worldwide and on a massive scale. [1998 was the year Google and PayPal came into being]. We saw the need for 24/7 contacts in each of the G8 countries. But international initiatives by their very nature move slowly. We need more countries signed up to the Budapest Convention (there were 65 at October 2020). However, I do think myself and the Group pioneered something significant in the field of cybercrime. The network has gone from the 8 countries in the working group to about 1/3rd of countries in the world.
This is a global problem and the UK cannot solve it in isolation. The UK government can and is helping to educate businesses on the critical need to protect themselves. We need to stop making it so easy for the criminals. We also need to track down more of the perpetrators and for that we need more training and investment (or transfer of resources) for law enforcement. As I have mentioned in an earlier article, we need to re-write the Computer Misuse Act and finally we need to educate our prosecutors and judges to ensure the punishment fits the crime. A cyber heist of £100,000 is not a victimless crime – it is more akin to robbing a bank and should have a penalty to match to discourage others and tip the balance back the other way.
Author's Note: Thank you to Professor Andrew Murray of the Law Department at the London School of Economics and Political Science for inspiring me to write this piece after inviting me to talk about the need for a stronger and more coherent international response on his Technological Disruption Module podcast.
Peter Yapp, Cyber Partner at Schillings Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre and post cyber security incident advice to a range of individuals, companies, boards and operators of essential services.