Paper Blog Post: Cybersecurity enforcement on an international level

UNODC logo, United Nations Office on Drugs and Crime, retrieved April 12 2022 from <https://www.un.org/en/messengers-peace/unodc>.

My final project focused on the international enforcement of laws against cybercrimes. Specifically, it looked to the successes and failures of existing regimes which deal with cybercrime, and then attempted to posit suggestions for both the existing cybercrime framework, and potential new treaty documents.

Overview of Cybercrimes

A number of difficulties inherent to cybercrimes become apparent upon researching them. Cybercrimes are difficult to define, and there is a lack of international consensus on what does and does not constitute a cybercrime.[1] The consequences and perpetrators also vary dramatically, from lone-wolf criminals targeting elderly citizens to organized crime and international terrorist cells.[2] Cybercrimes are a growth industry with high returns and low risk, and are on pace to continue to grow in the coming years with the increasing availability of new anonymity and obfuscation technology.[3]

By way of response to cybercrimes, the main international agreement undertaken by the global community is the Budapest Convention, a document which specifies individual and cooperative goals to be undertaken by signatory states.[4] International agencies such as INTERPOL, EUROPOL, and the World Economic Forum are also engaged against cybercrime.

Despite the organized response to cybercrimes, response and conviction rates remain perilously low, with some countries (such as the United States) reporting an approximately 1% rate of arrests for cybercrime, and other countries unable to provide any statistics at all.[5] Research shows that the primary drivers of these abysmal statistics are enforcement gaps between local and international actors, enforcement barriers, jurisdictional issues, and difficulties with enforcement inherent to the legal system (such as procedural issues, time, and capacity shortcomings).[6]

So what has actually worked?

A number of common factors emerge when analyzing trends in cybercrime enforcement. Historically, the greatest indicators of success in cybercrime enforcement have been direct sharing of information between states, speed, available contact points, and participation of private and third-party groups.[7] Conviction rates from case law in multiple jurisdictions point to a similar idea, in addition to standardizing evidentiary procedures.[8] These factors are not all that surprising, and in fact are provided for within the text of the Budapest Convention. Yet we know that the Budapest Convention so far has not been particularly successful. So what can be done to increase the rate of success in enforcing cybercrime laws?

Substance and structure

“CITES Logo”, CITES, retrieved April 04 2022 from <https://mantawatch.com/site/2013/02/will-cites-protect-this-threatened-species/>.

By looking to more successful frameworks within the international law sphere, we can potentially glean some ideas on how to improve or adapt the Budapest Convention. One such framework is the Convention on International Trade of Endangered Species, or CITES. The circumstances and structure of the two frameworks are quite similar; however, the principal difference between CITES and the Budapest Convention is that CITES allows states more freedom to undertake unilateral actions to keep with their treaty obligations. By allowing signatory parties a similar freedom to craft their own methods to meet treaty obligations, the Budapest Convention might be improved. These improvements might take the form of an additional agreement on top of the Budapest Convention while using the existing convention as a backstop (similar to PIPEDA in Canada), or changing the writing of the existing convention to be less permissive and more imperative.

Another area that is worth considering is reward diplomacy. The enforcement mechanisms of the current Budapest Convention amount to little more than shaming on an international scale, which, while sometimes effective, is not always an ideal enforcement tool. Reward diplomacy, wherein obligations are framed as an opportunity to gain rather than an obligation to avoid punishment, is an attractive alternative. In particular, reward diplomacy is more effective at fostering cooperation and reciprocal action between nations, both of which are indicators of successful cybercrime enforcement.[9] Reward diplomacy can take many forms, including technology-for-compliance exchanges, payment agreements, or investment by both states and private third parties. Reward diplomacy would also be much easier to incorporate into the existing wording of the Budapest Convention, avoiding the considerable delay and uncertainty of creating new international legislation.

Conclusion

Cybercrimes are difficult to deal with. The damage they cause is varied and can be significant, yet enforcing laws against them implicates all sorts of jurisdictional and procedural headaches. While it is unlikely that any single piece of legislation or treaty will be able to fully wipe them out, changes that encourage more cooperation, speed, and information sharing will hopefully lead to long-lasting positive changes in the international enforcement of cybercrime laws.

Sources

[1] Ajayi E.F.G, “Challenges to enforcement of cybercrimes law and policy” (2016) 6:1 J Internet and Information Systems 1 at 2.

[2] ENISA, “Threat Landscape 2021” (2021) at 7, online (pdf): European Agency for Cybersecurity <www.enisa.europa.eu/publications/enisa-threat-landscape-2021>.

[3] Ajayi, supra note 1.

[4] Convention on Cybercrime, November 23 2001, ETS 185.

[5] Allison Peters & Amy Jordan, “Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime” (2020) 10:487 J Nat Security L & P 487 at 492.

[6] Ibid at 495.

[7] See generally Pedro Verdelho, “The effectiveness of international co-operation against cybercrime: examples of good practice” (2008), online (pdf): Council of Europe <www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/TCY/DOC-567study4-Version7_en.PDF>; Susan Brenner & Joseph Schwerha, “Transnational Evidence Gathering and Local Prosecution of International Cybercrime” (2002) 20:1 J Marshall J Computer & Info L 347 at 355-357; UNODC, “Obstacles to cybercrime investigations” (March 2019), online: UNODC <www.unodc.org/e4j/en/cybercrime/module-5/key-issues/obstacles-to-cybercrime-investigations.html>; Jan Kleijssen and Pierluigi Perri, “Cybercrime, Evidence and Territoriality: Issues and Options” (2017) 47 Netherlands Yearbook of Intl L 147.

[8] See for example United States v Okeke, No. 4:19-cr-00084 (E.D. Va. Feb. 16, 2021); R v Kalonji, 2019 ONCJ 341; R v ML & Ors CR S 63/19.

[9] Anne van Aaken & Betul Simsek, “Rewarding in International Law” (2021) 115:2 American J Intl L 195 at 196.

Join the Conversation

9 Comments

  1. As you mentioned, the key issues with cybercrime enforcement tend to be jurisdictional in nature. Absent any internationally agreed upon standards for the prosecution of cybercrimes, it is extremely difficult to seek justice for cybercrimes in foreign countries. The problem is exacerbated when the involved parties are from states that are diplomatically isolated from one another. Reward diplomacy is one solution, but it lends itself to abuse too. One could imagine a scenario where a technologically poor state could seek to gain investment from a technologically advanced state by artificially creating an environment where cybercrimes could thrive, and subsequently reap the benefits of prosecuting those same crimes under a reward diplomacy framework. In any case, I agree that the existing enforcement tools under the Budapest Convention are insufficient and should be expanded.

  2. Interesting post! Unlike other crimes, cyber crimes can be completed entirely from another country, often making it nearly impossible for the victim country to take any action against the perpetrator. It may also be the case that the country harboring the criminal does not care to punish them, making many cyber crimes go unpunished. I think the point that you brought up about creating some sort of international policy on cyber crimes is a good idea. Although it may be tough to create one that every country will accept, it should be done, even if it’s just as simple as “you are required to investigate hackers regardless of who they hacked” or something of the sort. Nice post!

    1. I agree! Although I doubt any “International Policy” would be able to accomplish much, given that many countries would likely just ignore said international policy. Perhaps a different method would be to give countries the authority to inflict “cyber punishments” against cyber crime. I don’t know much regarding how effective an IP ban can be, or if it would be easy to perform cyberattacks against cybercriminals, but I wonder if people in the cybersecurity business have actually considered this idea. It at least makes sense that it would be easier to find a person’s online address from an online attack than their real life address.

  3. Interesting post! I think with the recent political developments with the war in Ukraine and the cyber attacks on nearby countries we will be seeing more of these cyber security minded alliances. It’s no surprise to see from the current Budapest Convention signees most are part of NATO or allies with NATO. I expect countries like China, Russia, and India will seek their own alliances or remain unsigned to such alliances so that they can gain some benefit somewhere.

  4. I found your paper rather informative since I hadn’t known about the Budapest Convention prior to reading this. It’s true that it’s difficult to prosecute cyber-crime due to the international nature of the issue. I found your proposals for improving the issue by looking at working frameworks like CITES and reward diplomacy rather nice since I often see many articles outlining an issue but leave the task of thinking of any possible solutions up to the reader. Overall a good post!

  5. The article mentioned that cybercrime is an industry with high returns and low risks, which attracts more people to commit cybercrime. However, due to the problems of jurisdiction and procedure, it is difficult for us to completely eliminate cybercrime, especially international. Although international agreements fight against cybercrime, the arrest rate and conviction rate are very low, so the effect of this agreement is not great. If the international community can formulate more effective methods to combat cybercrime and solve the law enforcement difficulties in the legal system in the future, the efficiency of Internet law enforcement in the international community will be improved.

  6. I had recently seen news of Canada and the US working on an act that would enable each other to serve warrants in the other’s territory in order to obtain data for ongoing investigations. Even though the talk regarding this agreement is quite controversial, in the case that it is implemented I wonder if it would help overcome this issue of enforcement borders.

  7. Thanks for sharing the project. This is also what I wondered about. I have read many posts about successful cyberattacks but none of them announced attackers were caught by any government force. It is great that the Budapest Convention is taking action. There was a news story long ago about a hacker who was caught by the FBI and then returned back to his home country to work for the government cybersecurity department. He shared that at that time he didn’t fully understand the importance of the users’ information that he hacked and wished there were more educational information about DOs and DON’Ts. Thus, I think educating developers/computer students to prevent them from cyberattacking others is as important as punishing them for cyber-violation.

  8. It’s astounding to learn that the arrest rate is less than 1% for cybercrimes. As you mentioned, the challenges lie in the fact that cybercrimes can be conducted internationally easily, and the lack of internationally consensus jurisdictions makes it hard to hold cybercriminals accountable. I find your proposal of a CITES framework interesting, but I can see that it will be difficult to implement between countries with not so friendly relations, especially when the attacks are more frequently coming from one side.
