CyberCrime

  Chapter 4 : 4. Anti-cybercrime strategies

  4.1 Cybercrime legislation as an integral part of a cybersecurity strategy

  As pointed out previously, cybersecurity plays an important role in the ongoing development of information

  technology, as well as Internet services. Making the Internet safer (and protecting Internet users) has become

  integral to the development of new services as well as governmental policy.Cybersecurity strategies – for example,

  the development of technical protection systems or the education of users to prevent them from becoming victims of

  cybercrime – can help to reduce the risk of cybercrime. An anti-cybercrime strategy should be an integral element of

  a cybersecurity strategy. The ITU Global Cybersecurity Agenda, as a global framework for dialogue and

  international cooperation to coordinate the international response to the growing challenges to cybersecurity and to

  enhance confidence and security in the information society, builds on existing work, initiatives and partnerships

  with the objective of proposing global strategies to address these related challenges. All the required measures

  highlighted in the five pillars of Global Cybersecurity Agenda are relevant to any cybersecurity strategy.

  Furthermore, the ability to effectively fight against cybercrime requires measures to be undertaken within all of the

  five pillars.

  4.1.1 Implementation of existing strategies

  One possibility is that anti-cybercrime strategies developed in industrialized countries could be introduced in

  developing countries, offering advantages of reduced cost and time for development. The implementation of existing

  strategies could enable developing countries to benefit from existing insights and experience.

  Nevertheless, the implementation of an existing anti-cybercrime strategy poses a number of difficulties. Although

  similar challenges confront both developing and developed countries, the optimal solutions that might be adopted

  depend on the resources and capabilities of each country. Industrialized countries may be able to promote

  cybersecurity in different and more flexible ways, e.g. by focusing on more cost- intensive technical protection

  issues.

  There are several other issues that need to be taken into account by developing countries adopting existing anticybercrime

  strategies. They include compatibility of respective legal systems, the status of supporting initiatives

  (e.g. education of the society), the extent of self-protection measures in place as well as the extent of private sector

  support (e.g. through public-private partnerships).

  4.1.2 Regional differences

  Given the international nature of cybercrime, the harmonization of national laws and techniques is vital in the fight

  against cybercrime. However, harmonization must take into account regional demand and capacity. The importance

  of regional aspects in the implementation of anti-cybercrime strategies is underlined by the fact that many legal and

  technical standards were agreed among industrialized countries and do not include various aspects important for

  developing countries. Therefore, regional factors and differences need to be included within their implementation

  elsewhere.

  4.1.3 Relevance of cybercrime issues within the pillars of cybersecurity

  The Global Cybersecurity Agenda has seven main strategic goals, built on five work areas: 1) Legal measures;

  2)Technical and procedural measures; 3)Organizational structures; 4)Capacity building; and 5) International

  cooperation. As pointed out above, issues related to cybercrime play an important role in all five pillars of the Global

  Cybersecurity Agenda. Among these work areas, the “Legal measures” work areas focuses on how to address the

  legislative challenges posed by criminal activities committed over ICT networks in an internationally compatible

  manner.

  4.2 A cybercrime policy as starting point

  Developing legislation to criminalize certain conduct or introduce investigation instruments is a rather unusual

  process for most countries. The regular procedure is first of all to introduce a policy. A policy is comparable to a

  strategy that defines the different instruments used to address the issue. Unlike a more general cybercrime strategy

  that may address various stakeholders, the role of policy is to define the government’s public response to a certain

  issue. This response is not necessarily limited to legislation as governments have various instruments that can be

  used to achieve policy goals. And even if the decision is made that there is a need to implement legislation, it does

  not necessarily need to focus on criminal law but could also include legislation more focussed on crime prevention.

  In this regard, developing a policy enables a government to comprehensively define the government response to a

  problem. As the fight against cybercrime can never solely be limited to introducing legislation, but contains various

  Cyber Crime

  13

  strategies with different measures, the policy can ensure that those different measures don’t cause conflicts.

  Within different approaches to harmonize cybercrime legislation too little priority has been given to not only

  integrating the legislation in the national legal framework but also including it into an existing policy, or developing

  such policy for the first time. As a consequence some countries that merely introduced cybercrime legislation

  without having developed an anti-cybercrime strategy as well as policies on the government level faced severe

  difficulties. They were mainly a result of a lack of crime prevention measures as well as an overlapping between

  different measures.

  4.3 The role of regulators in fighting cybercrime

  In decades gone by, the focus of solutions discussed to address cybercrime was on legislation. As already pointed

  out in the chapter dealing with an anti-cybercrime strategy, however, the necessary components of a comprehensive

  approach to address cybercrime are more complex. Recently, the spotlight has fallen on the role of regulators in the

  fight of cybercrime.

  4.3.1 From telecommunication regulation to ICT regulation

  The role of regulators in the context of telecommunications is widely recognized. As Internet has eroded the old

  models of the division of responsibilities between government and private sector, a transformation of the traditional

  role of ICT regulators and a change in the focus of ICT regulation can be observed. Already today ICT regulatory

  authorities find themselves involved in a range of activities linked to addressing cybercrime. This is especially

  relevant for areas like content regulation, network safety and consumer protection, as users have become

  vulnerable. The involvement of regulators is therefore the result of the fact that cybercrime undermines the

  development of the ICT industry and related products and services.

  The new duties and responsibilities of the ICT regulator in combating cybercrime can be seen as part of the wider

  trend towards the conversion of centralized models of cybercrime regulation into flexible structures. In some

  countries, ICT regulators have already explored the possibility of transferring the scope of regulatory duties from

  competition and authorization issues within the telecom industry to broader consumer protection, industry

  development,cybersafety, participation in cybercrime policy- making and implementation, which includes the wider

  use of ICTs and as a consequence cybercrime- related issues. While some new reg
ulatory authorities have been

  created with mandates and responsibilities that include cybercrime, older established ICT regulators have extended

  their existing tasks to include various activities aimed at tackling cyber-related threats. However, the extent and

  limitations of such involvement are still under discussion.

  4.3.2 Models for extension of regulator responsibility

  There are two different models for establishing the mandate of regulators in combating cybercrime, namely:

  extensively interpreting the existing mandate, or creating new mandates.

  Two traditional areas of involvement of regulators are consumer protection and network safety. With the shift from

  telecommunication services to Internet-related services, the focus of consumer protection has changed. In addition

  to the traditional threats, the impact of Spam, malicious software and botnets need to be taken into consideration.

  One example of extending a mandate comes from the Dutch Independent Post and Telecommunication Authority

  (OPTA). The mandate of the regulator includes Spam

  prohibition and preventing the dissemination of malware. During the debate on the mandate of OPTA, the

  organization expressed the view that a bridge should be built between cybersecurity as a traditional field of activity

  and cybercrime in order to effectively address both issues. If cybercrime is seen as a failure of cybersecurity, the

  mandate of regulators is consequently automatically expanded.

  The possibility of extending the regulator’s mandate to include cybercrime issues also depends on the institutional

  design of the regulator, and whether it is a multisector regulator (like utility commissions), a sector-specific telecom

  regulator or a converged regulator. While every model of institutional design has its advantages and disadvantages

  from the perspective of ICT industry regulation, the type of institutional design should be taken into account when

  assessing how and in what areas the ICT regulator should be involved. Converged regulators, with responsibility for

  media and content as well as ICT services, generally face a challenge in terms of complexity of workloads. However,

  their comprehensive mandate can constitute an advantage in dealing with content-related issues, such as child

  pornography or other illegal or harmful content. In a converged environment where traditional telecommunication

  regulators may struggle to resolve certain issues, such as consolidation between media content and

  telecommunication service providers, the converged regulator appears to be in a better position to address contentnetwork

  issues. Furthermore, the converged regulator can help to avoid inconsistency and uncertainty of regulation

  and unequal regulatory intervention in respect of the different content delivered over various platforms.

  Nevertheless, the discussion of the advantages of a converged regulator should not undermine the importance of

  the activities of single-sector regulators. While, for instance, up to the end of 2009 the European Union had only

  Cyber Crime

  14

  four converged ICT regulators, many more were involved in addressing cybercrime.

  When thinking of extending the interpretation of existing mandates, account must be taken of the capacity of the

  regulator and the need to avoid overlap with the mandates of other organizations. Such potential conflicts can be

  solved more easily if new mandates are clearly defined.

  The second approach is the creation of new mandates. In view of the potential for conflicts, countries such as

  Malaysia have decided to redefine mandates to avoid confusion and overlap. The Malaysian Communications and

  Multimedia Commission (MCMC), as a converged regulator, has established a special department dealing with

  information security and network reliability, the integrity of communications and critical communication

  infrastructure.A similar approach can be observed in South Korea, where in 2008 the Korea Communications

  Commission (KCC) was created by consolidating the former Ministry of Information and Communication and the

  Korean Broadcasting Commission. Among other duties, KCC is responsible for the protection of Internet users from

  harmful or illegal content.

  Cyber Crime

  15

  References

  1) Clarke/Sandberg/Wiley/Hong, Freenet: a distributed anonymous information storage and retrieval system, 2001;

  Chothia/Chatzikokolakis, A Survey of Anonymous Peer-to-Peer File-Sharing, available at: www.spinellis.gr/pubs/jrnl/

  2004-ACMCS-p2p/html/AS04.pdf; Han/Liu/Xiao/Xiao, A Mutual Anonymous Peer- to-Peer Protocol Design, 2005.

  2) Autronic v. Switzerland, Application No. 12726/87, Judgement of 22 May 1990, para. 47. Summary available at:

  https://sim.law.uu.nl/sim/caselaw/Hof.nsf/

  2422ec00f1ace923c1256681002b47f1/cd1bcbf61104580ec1256640004c1d0 b? OpenDocument.

  3) The Internet Systems Consortium identified 490 million Domains (not webpages). See the Internet Domain

  Survey, July 2007, available at: www.isc.org/index.pl?/ ops/ds/reports/2007-07/; The Internet monitoring company

  Netcraft reported in August 2007 a total of nearly 130 million websites at: https://news.netcraft.com/

  archives/2007/08/06/august_2007_web_server_survey.html.

  4) Gordon/Ford, On the Definition and Classification of Cybercrime, Journal in Computer Virology, Vol. 2, No. 1,

  2006, page 13-20; Chawki, Cybercrime in France: An Overview, 2005, available at: www.crimeresearch.

  org/articles/cybercrime-in- france-overview; Gordon/Hosmer/Siedsma/Rebovich,

  5) Assessing Technology, Methods, and Information for Committing and Combating Cyber Crime, 2003, available

  at: www.ncjrs.gov/pdffiles1/nij/grants/198421.pdf.

  6) Kabay, A Brief History of Computer Crime: An Introduction for Students, 2008, page 23, available at:

  www.mekabay.com/overviews/history.pdf.

  7) CRS Report for Congress on the Economic Impact of Cyber-Attacks, April 2004, page 10, available at:

  www.cisco.com/warp/public/779/govtaffairs/images/ CRS_Cyber_Attacks.pdf

  Thank you for reading books on BookFrom.Net
Share this book with friends