CIAO
CIAO DATE: 04/01


A Proposal for an International Convention on Cyber Crime and Terrorism

Abraham D. Sofaer
Seymour E. Goodman

The Center for International Security and Cooperation

August 2000

 

Introduction

Methods of information infrastructure attack are neither mysterious nor difficult to foresee. At the Stanford Conference, Thomas Longstaff of the Carnegie Mellon Computer Emergency Response Team (CERT) predicted that, in late 1999 or early 2000, a new and very harmful distributed form of denial-of-service attack would become prevalent. He based his prediction on observations of public hacker exchanges in which attack strategies, and the software to implement them, were openly shared. Longstaff predicted precisely the method used in the subsequent worldwide attacks of February 2000 on CNN, eBay, Yahoo!, Amazon.com, online investment firms, and others. Despite being able to anticipate attacks of this type, law enforcement personnel were unable to prevent them, and security personnel employed by the targeted systems were unable to defend against them. These troubling failures stem from serious weaknesses in the capacity of states to protect valuable cyber systems from attacks that pose a rapidly escalating danger. As Longstaff stated, effective methods of protection against distributed denial-of-service attacks may be best addressed through regional, national, and international cooperation.

The open and defiant manner in which attackers currently operate reflects the weakness of the legal, defensive, and investigative capacities of the current system. Some attackers are snared after long, expensive investigations, but most go unpunished. These incapacities stem ultimately from the fact that the information infrastructure is transnational in nature. Attackers deliberately fashion their efforts to exploit the absence of internationally agreed standards of behavior and cooperation. For example, attackers can avoid prosecution, or greatly complicate investigations, simply by initiating attack packets from countries with inadequate laws and routing them through countries with different laws and practices and no structures for cooperation.

The lack of an adequate international response to these weaknesses is puzzling, given the huge and growing financial impact of cyber attacks and crimes. Even if some estimates of damages are inflated, the problem has undeniably become expensive for businesses, governments, and individual users around the world. Multilateral action is required to build security into the underlying technical and social architecture. History has shown that when nations agree upon a common malicious threat, be it piracy on the high seas centuries ago or aviation terrorism in the 20th century, a cooperative, treaty-mediated regime can contribute substantially to addressing the problem.

The challenge of controlling cyber crime in its most critical dimensions requires a full range of responses, including both voluntary and legally mandated cooperation. A consensus exists concerning many forms of conduct that should be treated as cyber crime. Common positions are developing, or can be crafted, to facilitate cooperation in investigation, the preservation of evidence, and extradition. Cooperation is also essential in the development and implementation of technological solutions and standards that enhance the capacity of states and users to protect computers and systems effectively against future attacks.

The nature and culture of the cyber world demand that these responses be fashioned to maximize private-sector participation and control, and to ensure that privacy and other human rights are not adversely affected. Certain elements of an effective program against cyber crime will nonetheless require state control or approval. In addition, developing technological and policy standards to defend against, prosecute, and deter cyber crime and terrorism, and securing their universal adoption, will require an international forum with the necessary authority and capacities. This can be achieved by creating an international Agency for Information Infrastructure Protection (AIIP), designed to reflect the particular needs and nature of the largely self-regulated cyber world and modeled after the International Civil Aviation Organization (ICAO) and the International Telecommunication Union (ITU).

While the recent growth of, and reliance on, the information infrastructure has occurred in the absence of substantial government involvement, the notion that voluntary activities alone can create adequate security for cyber activities that now involve 300 million people on the Internet alone is simply untenable. At the national level, cyber crime would likely be even more prevalent and costly than it has been had governments left the area unpoliced. The laws adopted thus far that make cyber attacks criminal have at least provided a vehicle by which to arrest cyber criminals, and thereby to stop, punish, and deter them. The great majority of users (commercial, educational, and personal) favor law over anarchy when it comes to cyber attacks designed to steal, defraud, and destroy. The same is true at the international level, where only through government action can laws be passed that set universal standards for misconduct, authorize investigatory cooperation and extradition, and provide for the adoption of technologically advanced methods for detecting, blocking, tracking, and deterring prohibited conduct.

Multilateral leadership must not mean the subordination of private leadership and influence over cyber technology and operations. The cyber revolution has been uniquely successful and rapid because it is led and largely controlled by the private sector. Government has, however, played a pivotal role in supporting and giving legal authority to private institutions. This distribution of power and responsibility can continue, and indeed be enhanced, through the support and authority of the AIIP. Governments cannot responsibly expect the private sector to solve the cyber security problem on its own; business stakeholders in the information infrastructure have made clear that the private sector cannot be expected to perform the roles traditionally performed by law enforcement. But an enhanced government role need not be one that requires significantly greater domestic powers or more intrusive measures; rather, the need is for international cooperation to create common standards and practices. These objectives can be achieved without conferring inappropriate or unnecessary powers on governments to regulate and intrude upon cyber systems, while at the same time preserving private-sector control of this uniquely productive and dynamic sector.
