Two weeks ago I acted as a panelist in a panel discussion at an IT Security conference in Kuala Lumpur. I was asked a question about global cybercrime laws. And I've just read Randy Abrams' blog that he posted here today about the proposed new US legislation that is ultimately aimed at driving other nations into having consistent and complimentary cybercrime laws, along with effective cooperation between those countries to enable successful combat against cybercrime.
This, of course, is the Holy Grail in the fight against cybercrime. To have the same cybercrime laws, with associated punishments, operating and effective in every country in the world. With these countries enabling cooperation in order to bring about successful law enforcement and appropriate prosecutions.
That's the theory.
Unfortunately, I can't see reality allowing that to happen. Not for a long time yet.
Let's look at traditional crime and the laws that govern them. Anti-crime laws and their associated law enforcement agencies are applied and enforced on a national level, with some variations between some states/counties/regions within those nations. And while there are many consistencies in the laws from one country to another, there are still many, many countries that have very different laws due to civil, cultural, religious and historical reasons.
In just about all countries in the world, if I break into someone's house and steal their property or break into their car and steal it, it will be considered a crime and I should be punished if I am caught. But if I get caught being unfaithful to my wife, in some countries there is nothing wrong with that from a legal perspective whereas in other countries it is considered punishable by death.
And let's look at the punishment aspect. In some states of the USA, being found guilty of murder in the first degree may result in the death penalty. Many other countries – Australia included – do not believe in capital punishment. The same crime would most likely result in a life sentence in prison. And even the methods of administering the punishments vary enormously. In some countries lashes, amputation and stoning are considered suitable punishments. In many other countries these punishments are considered barbaric and inhumane.
Now, we all know that cybercrime is largely carried out on a global level, because the Internet makes that possible. A person sitting in Brazil could be using a server in the USA to control servers in Estonia, Russia and the UK to attack systems in South Africa, India & Canada. Yes, this is a simplified example, but you get the picture.
So what we need are cybercrime laws that can be applied and enforced at a global level. One set of laws that all countries can and will adopt regarding cybercrime. Why "all" countries? Well if a few countries do not apply these globally consistent cybercrime laws and their own laws are more lax or their punishments are less serious, they will become a haven for the criminals which would undermine the effectiveness of the laws across the globe.
So what about "International Law" I hear you say? Well International Law is more focused on the relationship between nations and which jurisdiction applies in the case of an international crime, etc. In 1993 the United Nations Security Council set up the International Criminal Court, but this is more focused on crimes such as genocide, crimes against humanity & war crimes. Interestingly, a number of countries, including China, India, Russia and the USA are critical of the court and have not ratified it. There's that difference of opinion and/or philosophy coming out again…
So while a consistent set of cybercrime laws that is applied and enforced globally would definitely be ideal, I can't see us ever reaching that situation. Let's face it – it hasn't been achieved to address any other crimes so far. Maybe it won't happen until we get to the point of scrapping national governments and having one global controlling government. And I can't see that happening in the near future!
The best we can hope for is to have as many countries as possible work together to align their cybercrime laws and set up treaties and alliances between national law enforcement agencies to make cross border law enforcement and prosecution as easy and successful as possible. This is basically what we do now with traditional crime, but with regards to cybercrime we need it more than ever!
Senior Cybercrime Research Analyst
Author ESET Research, ESET