A global treaty on online threats (or the challenges of (inter)national cooperation)

The Council of Europe held its annual Octopus conference on cybercrime from 6 to 8 June 2012, at which participants from around the globe discussed international cooperation on cybercrime from different angles. A large delegation was present from Russia. On the final panel, in very diplomatic wording, Mr Ernest Chernukhin, first secretary of the Ministry of Foreign Affairs of the Russian Federation, dropped a bombshell on the Convention on Cybercrime or Budapest Convention of 2001 [1] (henceforth ‘the Convention’), stating: ‘Russia does not see the Convention as a solution that is acceptable to her’ [2]. In other words, the world needs a new treaty – one that includes cybersecurity and rules on the way in which nations respond to other nations’ online behaviour on the Internet. Implicitly, Mr Chernukhin said: ‘These topics do not belong with the Council of Europe.’

This was not a topic that appeared out of nowhere. In a workshop at the Octopus meeting a Dutch representative suggested that perhaps the world needs a new Mare Liberum for the Internet. Meanwhile, totally independently from these examples, the Netherlands Internet Governance Forum, assisted by De Natris Consult, wrote a workshop proposal [3] for the upcoming 2012 Internet Governance Forum in Azerbaijan. The proposal was for a panel discussion around cross-border incidents involving critical infrastructure incidents, where one of the questions to be addressed is ‘does the world need a kind of UNCLOS treaty to solve cross-border cooperation and the way nation states deal with cyber incidents in general?’ (The full UNCLOS text can be found here. A description can be found at Wikipedia here.)

It seems to me that politics and the everyday workplace are at odds. The latter needs ways to cooperate, ideally a form of coordination and clearly defined ways in which organizations can exchange data among themselves and outside with other agencies, regulators and industry. Such a mechanism is long overdue. Meanwhile, there are (institutions within) nation states that are attacked, hacked, have sensitive, valuable data stolen from them or are otherwise under digital threat. It is for this reason that an encompassing solution in the form of a global treaty is called for. This article looks at this topic from a more down to earth and partially hands-on approach, that could actually inspire and assist those that need to decide on nation-state level diplomacy on the stateless Internet.

The Convention is, if seen in a strict way, regional by nature. The host is the Council of Europe, yet more and more non-European nations are working seriously to ratify the Convention or have already done so, making it a truly global convention. There is no denying that as far as international treaties on cybercrime and cross-border cooperation go, the Convention is state of the art.

It is a valid question as to whether the Convention in its present form can deal with all online threats in an adequate way. In addition, it is my opinion that, by focusing explicitly on crime, the Convention leaves out the possibility of interacting with most civil and administrative bodies who deal with the fraud, spam and violations that are not dealt with by the police and judiciary. More effort could be put into aligning the Convention with these entities. However, the initiative and the effort has to come from the entities themselves.

The Mare Liberum, by Dutch legal scholar Hugo de Groot or Grotius [4], was written in 1609 at a time when the Dutch Republic was becoming the biggest seafaring nation of the world, fought in a war for independence from Spain and was trying to gain a foothold in the East Indies and Americas. It was also a time when the Dutch were great pirates. (In 1628, a Dutch fleet pirated a Spanish bullion fleet in the West Indies, which is still lauded in the song ‘The silver fleet’.) In other words, the ‘free sea’ may just have been a concept that suited the Dutch best at that time. However, the fact is that a book written in 1609 has become the standard and is accepted by all nations as a basis for conduct on the open seas. The Law of the Sea Convention (UNCLOS) defines the rights and responsibilities of nations in their use of the world’s oceans, establishing guidelines for businesses, the environment, and the management of marine natural resources [4].

We see the main difference with the Internet straightaway. The oceans are open and borderless until they hit a shore, at which point rules on territorial waters and continental divides come in, but the open water doesn’t belong to any one nation. Although the Internet is said to be borderless, everything that makes it work, as Mr Chernukhin reminded us, is not. All landlines, access points, routers, compression machines, etc., are on land and within the borders of nation states with their own jurisdictions and variously implemented cyber laws. And, more importantly, so are the devices on which data is stored: computers, hard disks, smart phones, servers, thumb drives, etc. And let’s not forget, data does not flow freely around the world, as several nation states are already blocking or filtering out material that they consider to be unseemly.

No matter what enforcement representatives may claim, there is no denying this aspect to the Internet. At the same time, speedy access to stored data could be of vital importance to prevent the loss of lives, for national security, (individual) safety or plain investigative work as data, i.e. evidence, is erased in the blink of an eye. Whenever I hear a claim that ‘we should be able to hack a server or computer in country X’, I always try to imagine the reaction if country X hacked computers to acquire evidence on actions that violate laws within country X, but which do not constitute violations of laws here – e.g. those of human rights activists or advocates of free speech. I also understand the frustration of enforcement officers, having been one myself.

National sovereignty in an online environment needs to be an integral part of any new treaty, as do the instances in which this sovereignty is allowed to be set aside. Trust will be an important component, whether in the form of duly reported intrusions or in the form of speedy exchange of data. Unfortunately, trust is not easily established between many UN member states, and that’s not to mention the political issues between member states that stand in the way of discussing the content of a treaty in the first place. (By coincidence this very issue was demonstrated while I was writing this article – negotiations started not on a new UN treaty on arms but on a disagreement over who was to be allowed to participate in said negotiations.)

The Russian delegation at the Octopus conference showed, from their point of view, exactly where their problem is focused: US law enforcers accessing servers based in the Russian Federation to obtain data on a Russian spammer who was lured to the US in 2001 [5]. This is seen as unlawful as the FBI made no attempt to use the mutual assistance channels. If this is a clue as to what lies ahead in negotiations involving sovereignty and cross-border access or cooperation, perhaps it’s best I do not hold my breath.

There is another problem added to this puzzle: the fact that recently strong allegations have been made about the existence and deployment of offensive cyber weapons by nation states. Richard Clarke mentions that there have been infections deep within the critical infrastructure grid of the US, most likely since 2000 [6]. Complicated strings of code, like Stuxnet and Flame, were deployed against nation states. Major disruptive acts through the Internet have been used against nation states over the past five years, denying access to critical infrastructure, showing how vulnerable countries have become by going online. Herewith we enter the arena of cyber warfare, online espionage and (potential) major disruption.

History shows that international treaties involving offensive and defensive actions of nation states are years if not decades in the making. At the same time it is not even clear yet what the effect of current actions is, what the possibilities are, nor who actually engages in what. The fact that this is not clearly defined will obviously hinder any initiative towards a treaty in the short run. Even waiting for a decision to start negotiations probably takes a lot of patience [6]. This discussion includes the involvement of the ITU in Internet governance issues.

In the meantime, the average cyber law enforcement officer and cybersecurity personnel are seriously hampered by any border (which includes ‘borders’ between different organizations as much as the national border itself). Even between countries that are intent on close cooperation intentions, like the EU countries, true cross-border cooperation on individual online threat cases seems to be beyond the grasp of most organizations involved in investigating any form of online threat, whether it’s spam, fraud, cybercrime, phishing, botnet infections or online attacks and hacks. An exception appears to exist for enforcing laws against online child pornography. This shows that there are existing and working lines of communication and cooperation. What does this success teach us? That these lines of cooperation are not open for other online threats? Or that there is no true priority for other online threats? That child pornography scores better in the press? Or that other online threats are simply too difficult to deal with?

So what are the main challenges faced by cyber enforcement and cybersecurity organizations? In a survey performed by De Natris Consult in April and May 2012, several questions looked into the level of cooperation between entities on the national and international level. Several responded in a way that can only be interpreted as ‘help me!’ Even the most sophisticated entities, perhaps because of the promised anonymity, admitted to the fact that cooperation beyond their own sphere at the national level, let alone international level, left a lot to be desired. One frankly stated: ‘We gave up on international cooperation.’ (National Cybercrime and Online Threat Analyses Centres. A study into national and international cooperation by De Natris Consult, Leiderdorp, 12 July 2012. The survey was sent to representatives of police, regulatory bodies, national centres, NGOs, telecommunication companies and universities. The study will be publicly available on 17 September 2012.)

The challenges that were mentioned are numerous. All non-police entities that answered a question on national cooperation stated that reciprocal cooperation with the police never happens. More general conclusions were the following:

The conclusion is that all entities seem to focus on national cases, within their own remit, or on mitigating national computer emergencies and infected computers. To all appearances, all things (stemming from) ‘cyber’ are too overwhelming for individual organizations and perhaps even for national states to deal with.

Those who responded to a question asking what they would like to see in the near future, replied:

Some went further and clearly stated that the Europol model should be opened to all entities and that cooperation and coordination at this level is needed to start making progress at the international level. Hopefully, the institution of an EU Cybercrime Centre will provide a chance to take on these topics for all entities concerned. If not, a great opportunity will be missed by the EU.

My conclusion is that it is a necessary step to actively aid national governments in making the right choices and to truly standardize rules and regulations so that cooperation and coordination at the national and international level is possible. Without these interventions it may never happen, as the present generation in charge of governments may not fully understand the challenges presented by the Internet, nor the full implications of its use.

Governments also need convincing that national security is not a primary concern for private companies. There is a trend of involving private companies and giving them the lead here. If cybersecurity is seen as a national concern, then it’s a government that has to lead and make sure that private companies protect themselves properly. By now it is very clear that cybersecurity has little priority for most, with a serious lack of understanding of the issues involved as well. In the end a business needs to make money – that is the primary concern of shareholders, not cybersecurity.

So, as the international treaty Russia called for may be many years in the making, let’s take a look at what we do have.

The Convention, among many things, allows police organizations around the globe to cooperate on gathering and freezing data alongside the traditional agreements on mutual assistance. Police organizations cooperate within Interpol and Europol – for now they should all keep their traditional function. The fact is that the Convention in its present form does not aid (gov)CERTs, botnet mitigation centres, spam, consumer, fraud and privacy regulators in any way. They may be members of the London Action Plan, ICPEN, FIRST or the article 29 Working Party, but at best these are voluntary organizations, with little or no funding and no obligation to harmonize or cooperate. Even if I set aside the lack of (harmonization of) laws and lack of a level playing field, whether from a technical, procedural, enforcement tools or resources point of view, it is an established fact that for an individual organization tasked with a specific topic in the field of cybersecurity or enforcement, it is impossible to change the present state of affairs. Why? There are no organizations at present tasked with coordination of all entities involved at the national level, let alone at the international level. The result is the investigation of a very, very limited number of cases that involve multiple agencies whether national or international, which are probably the most urgent ones, seen from an online threat point of view.

A much-heard phrase is: ‘It’s international. We can’t do anything!’ That’s just not true. Every online threat is in the end a national case. It takes political will, a proper cyber law, an enforcement agency and technical skills with resources to boot to deal with it.

Looked at from this angle, it is true that the Convention is not delivering solutions for all involved. Perhaps it could do so in the future, but this would take a whole new cycle of negotiations between countries and why not do it globally if ‘we’ have to anyway?

In my opinion there are several layers of problems that need to be tackled. Some are so difficult to solve that it may take decades. Should those that are (I hope) easier to deal with be put on hold to wait for nations to start negotiating the difficult ones? No, they should not.

If (access to the) the Internet is to be declared a human right, as some favour, access to the Internet should come with duties also. To uphold the rule of the law is one of those duties. Those nations that do so, or at least to an agreed upon common ground, will agree that theft, blackmailing, fraud, digital breaking and entering and such are violations of law. I’d say start from there. Those that do not accept basic violations for what they are, set themselves apart instantly. No matter how controversial this comment may seem, perhaps countries may want to ask themselves whether they really want full and uncontrolled Internet connections with such countries.

The basis for the first round of discussions could be a standard form of information and data exchange between those involved in cyber enforcement and cybersecurity, so they can exchange data, handle data requests and have the tools and knowledge to act upon them. Standard training sessions could also be included for those involved.

At the same time, the Internet can be looked into from a national angle and made more secure there. For example, global rules on registration of Internet resources, access, disruption, etc. can be implemented at a national level. The way in which this can be harmonized determines the success of making the Internet a safer environment for its users.

At a national level measures can be taken such as creating botnet mitigation centres and making sure there are harmonized national laws on online threats, including rules on exchanging data between the entities involved in fighting online threats. Awareness campaigns should be aimed at ‘civilians’ as well as those in executive functions that decide on resources for cybersecurity. But who will convince the executives in government that to lag behind in online threat awareness and protection is a threat to a nation’s economy as well its inhabitants’ wellbeing?

The Convention offers several examples on how this could work. These should be used as a basis, in close cooperation with the Council of Europe, but making sure not just to focus on crime as crime alone. Cybercrime comes in more guises than just penal code violations. Here, a starting point could be to make an inventory of the different powers and best practices available and make that the basis for treaty negotiations. Only then will enforcement of any ilk and security be able to work together to the best of their abilities. Only then will it become possible for several different entities from different countries to actually work together on an international case. These are the most difficult ones, but also the most neglected by almost all entities as the incumbent challenges appear to be too huge for an individual entity to take on.

If countries can make this basis of cooperation work, it will become easier to discuss the harder stuff involving sovereignty, as trust will have been built between entities and their representatives that give advice to their policy makers and politicians. To wait for an all-encompassing solution at the global level is dangerous, perhaps even foolish. Grass roots cooperation, based on national sovereignty, should be dealt with first.

At present the Convention on Cybercrime is all the world has. Abandoning it at this moment would mean stepping back in time, and unnecessarily so. It should be used to the utmost. At the same time we’ve seen over the past few years a development such that cybercrime is not only a major threat in a personal and economic way but also to national security. Instruments once developed for cybercrime could just as easily be used for attacks on the critical infrastructure of nation states. The Convention does not primarily deal with this.

If the call for a new, all-encompassing treaty under the UN is to be followed up, the representatives of countries are advised to negotiate on different levels. First provide a level playing field for (the different) enforcement and security entities, create laws that allow for data requests and for the exchange of data nationally and internationally. Secondly create (or extend) a body that can actually coordinate between all entities so that the most prominent online threats are taken on in the most efficient way, still based on national jurisdictions.

After this, look into the more difficult topics. These no doubt will be a lot easier to discuss when cooperation at the hands-on level is already happening in a satisfactory way. If governments are not able to solve the cross-border cooperation and coordination issues around cybercrime and cybersecurity, they fail to protect their citizens.

The Internet is a major growth factor in the economy of the whole world. Not securing that environment means the trust levels of organizations and private persons alike will decline and economies will be hurt. If governments of nation states cannot agree on assisting each other, they may have to take the blame for the faltering of economic growth. But if they can’t cope with this problem, who can? Microsoft, Apple, Google and Facebook? Now that’s another, very interesting question!