As part of this ongoing series (previous parts, in order, here, here, here and here), I have been trying to make the case that differing interests make cooperation on cybersecurity issues virtually impossible. This is not criticism. It’s just reality.
And while it would be easy to look at Brexit or Eastern European and American politics as a push back to the globalist system, which – in theory – could help develop a platform for greater cooperation regarding cybersecurity concerns, it’s just not that simple.
As I explained in my previous article, some wounds cannot be easily healed, and some cultures have longer memories than others. Don’t try to judge whether holding long grudges or not is legitimate, but rather, just accept that it happens and we have to deal with it. And with that backdrop, I point towards to the Convention on Cybercrime, sometimes known as the Budapest Convention, the first international treaty that focuses on crimes that take place on the Internet.
Even if your cyber work does not cross international lines, it would be best if you spend just a few minutes on the Budapest Convention to familiarize yourself what it covers and what it does not.
Briefly, the Budapest Convention started as a Council of Europe project, came into effect in 2004, and as of the end of 2016, 52 countries have ratified the Convention, including the United States, Canada and Australia, just to name a few. You can find the list of all countries participating here.
Some people wonder why is it so hard to get agreement on international treaties, particularly when an issue (say, oh, cybersecurity, for example) is so “obvious” that something must be done about it. And you may have also noticed that doing something about it is easier said than done.
Why is it so hard? Interests, of course. And words.
For example, if you are a software vendor, you may have some very restrictive terms and conditions on usage. You may also request certain privileges to access your client’s data. Relationships like this are very transactional, and depending on your risk acceptance level, you make just click “Accept” or you may sit there with a fine tooth comb and read every single word before you make a decision.
Evidence shows it’s the first of the two choices.
Governments Don’t Click “Accept” Without Reading Every Detail
Since sovereign nations have a little bit more at stake, you can be sure they’ll be reading every single word over and over again. This is hard enough with two parties, particularly when there are cultural differences and opposing interests. It’s even more difficult when there are more players in the game.
Multilateral agreements sometimes – I underscore sometimes – do this funny thing to get everybody to agree (and some people may not like what I’m about to say): they cheat. Before the freak out, let me say this: the “cheating” is well-meaning, done with the intent to try to get everybody, collectively, to move a step closer to something that works. Think along the lines of “perfect is the enemy of good enough” here.
So, how does the Budapest Convention try to keep everybody content? I present my favorite part of the treaty:
“The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”
–Chapter III, Section 1, Title 1, Article 23
Despite my having re-read this section of the Budapest Convention over and over again, for years, the words “to the widest extent possible” keep me chuckling each time. Those five words are code for “I’m not going to eat there!”
In other words, those five words can render the entire treaty meaningless – that’s the problem with these conventions. They end up being more symbolic than anything and as time passes, and they become increasingly inapplicable in addressing the challenges we face, such as those in the cyber world.
If actors had common interest or cause, there would be cooperation. And in rare cases, we do see this type of cooperation on the Internet between sovereign nations. But this type of cooperation is usually reserved for cases where the Internet is used as a tool to carry out some other form of crime going on in the “real” world.
For example, the Budapest Convention may work very well to help bust up some transnational drug syndicate that uses the Dark Web for buying and selling, but the same convention will likely do very little to curb ransomware attacks, slow down economic espionage through data theft, track where APTs are originating from, or prevent a DDoS attack.
Back to why words matter. What is “cybercrime” exactly? If you take the INTERPOL version, it goes like this…
Although there is no single universal definition of cybercrime, law enforcement generally makes a distinction between two main types of Internet-related crime:
- Advanced cybercrime (or high-tech crime) – sophisticated attacks against computer hardware and software;
- Cyber-enabled crime – many ‘traditional’ crimes have taken a new turn with the advent of the Internet, such as crimes against children, financial crimes, and even terrorism.
You see, in the latter “cyber-enabled” crimes, there is likely that common cause that I talked about. In “advance cybercrime,” I’m not sure we have much of that same level of cooperation and common cause.
As it is not self-evident, where would that common cause be? I’m not particularly sure, but one area that comes to mind is data traffic flow, like how do we prevent junk traffic – like spam – from clogging up the pipelines. Another is how to stop the spread of a malicious worm that is infecting multiple nations indiscriminately.
We are not going to solve the world’s problems here, but there are areas where friends and enemies alike may find some common cause. Like I said, you see some of that cooperation happening in areas where the Internet is being used as a tool to carry out a crime in the non-cyber world. And as I have been repeating in each of the previous articles, it’s all about the “human factor” that makes these challenges so hard.
I briefly touched upon risk acceptance in this piece. I will explore that a little bit more closely in the next one and how individual understanding of risk and risk management plays such a crucial role in how we tackle the cybersecurity challenges we face. Again, all about the human factor.
About the Author: George Platsis has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs, in the fields of: business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.