Words Matter

Some people wonder why it is so hard to get agreement on international treaties, particularly when an issue (say, oh, cybersecurity, for example) is so “obvious” that something must be done about it. And you may have also noticed that doing something about it is easier said than done. Why is it so hard? Interests, of course. And words.

For example, if you are a software vendor, you may have some very restrictive terms and conditions on usage. You may also request certain privileges to access your client’s data. Relationships like this are very transactional, and depending on your risk acceptance level, you may just click “Accept” or you may sit there with a fine-tooth comb and read every single word before you make a decision. Evidence shows it’s the first of the two choices.
Governments Don’t Click “Accept” Without Reading Every Detail

Since sovereign nations have a little bit more at stake, you can be sure they’ll be reading every single word over and over again. This is hard enough with two parties, particularly when there are cultural differences and opposing interests. It's even more difficult when there are more players in the game. Multilateral agreements sometimes – I underscore sometimes – do this funny thing to get everybody to agree (and some people may not like what I’m about to say): they cheat. Before you freak out, let me say this: the “cheating” is well-meaning, done with the intent to try to get everybody, collectively, to move a step closer to something that works. Think along the lines of “perfect is the enemy of good enough” here. So, how does the Budapest Convention try to keep everybody content? I present my favorite part of the treaty:

"The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence." –Chapter III, Section 1, Title 1, Article 23

Despite my having re-read this section of the Budapest Convention over and over again, for years, the words “to the widest extent possible” keep me chuckling each time. Those five words are code for “I’m not going to eat there!” In other words, those five words can render the entire treaty meaningless – that’s the problem with these conventions. They end up being more symbolic than anything, and as time passes they become increasingly inapplicable in addressing the challenges we face, such as those in the cyber world.

If actors had a common interest or cause, there would be cooperation. And in rare cases, we do see this type of cooperation on the Internet between sovereign nations. But this type of cooperation is usually reserved for cases where the Internet is used as a tool to carry out some other form of crime going on in the “real” world. For example, the Budapest Convention may work very well to help bust up some transnational drug syndicate that uses the Dark Web for buying and selling, but the same convention will likely do very little to curb ransomware attacks, slow down economic espionage through data theft, track where APTs are originating from, or prevent a DDoS attack.

Back to why words matter. What is “cybercrime” exactly? If you take the INTERPOL version, it goes like this...

Although there is no single universal definition of cybercrime, law enforcement generally makes a distinction between two main types of Internet-related crime:
- Advanced cybercrime (or high-tech crime) – sophisticated attacks against computer hardware and software;
- Cyber-enabled crime – many ‘traditional’ crimes have taken a new turn with the advent of the Internet, such as crimes against children, financial crimes, and even terrorism.