Editors Note: On occasion I go back and reread some of my earlier articles to guage how my own views are changing. Here is an article I originally posted in 2009.
The decades of conflict exemplified by the escalation of nuclear weapons readiness between the Western nations and the Communist bloc led to what came to be known as the Cold War.[i] Running roughly from 1946 to 1991 the Cold War was characterized by political tension, massive military budgets, proxy wars, and civil society preparations for nuclear disaster.[ii] Now, barely two decades after the end of the Cold War the entire world is faced with what I am calling a Hot War of increasing cyber crime and geopolitical tensions. Cyber crime is only one of the many risks that modern society faces as a result of increasing dependence on the Internet for communications, business transactions, and financial management. Cyber war is another threat that our society faces, but for the purposes of this essay, I’ll only look at the growing threat of cyber crime and its nexus with the explosive growth of information and communications technologies (ICT) in emerging markets. The Hot War does not honor the geopolitical boundaries of the 20th century.
Explosive Growth of Cyber Crime
Norton recently reported that over the past year 431 million adults in 24 countries have become victims of cyber crime. That is over 1 million each day or 14 adults attacked each second (Norton by Symantec, 2011). [iii] The total bill for cyber crime for that time period was estimated to be $388 billion of which $274 billion was attributed to time lost due to cyber crime and $114 billion was attributed to direct costs. According to Richard Clark and Robert Knake in their timely book Cyber War: The Next Threat to National Security and What To Do About It, “on average in 2009, a new type or variant of malware was entering cyberspace every 2.2 seconds” (Clark & Knake, 2010).
Financial Times investigative reporter Joseph Menn conducted a multi-year study to document the rise and growth of cyber crime as it evolved, first as a nuisance for gambling sites through distributed denial of service (DDoS) attacks, and then to the use of extortion and fraud in a wide range of e-Business portals, then to wide-spread consumer-based identity theft and institutional computer systems penetration (Menn, 2010). Interestingly, the period of time that Menn covers is roughly the same as the explosive growth of the global ICT infrastructure (Murray, 2002).
The International Information Systems Security Certification Consortium (ISC)2 recently reported that, according to 10,413 information security professionals in 120 countries that were interviewed, one of the top concerns identified was the vulnerability of mobile devices functioning as part of organizational computer systems. Sixty-six percent of respondents worldwide rated mobile devices as the top or a high concern (Frost & Sullivan, 2011). Interestingly, even above mobile devices was the concern for application vulnerabilities. This goes hand-in-hand with mobile device concerns, especially with the recent release of the iPad, the iPhone and the Android operating systems.
Interestingly, the threat of organized crime in cyberspace (at 38% of the rating for top security threat concerns), was well below the threat of malicious hacker/cracker activities (at 55%). This amorphous, non-state based threat is directed at both public and private sector computer systems. My concern in the Hot War is for the private systems that form the basic infrastructure of civil society in developed countries and emerging market economies. This, in my view, is the hot button of the 21st Century.
This link between the explosive growth of ICT in the developing world and the increasing vulnerabilities of networks and systems due to cyber crime needs to be made. What is being done at the public policy level, both internationally and in the U.S., to protect the public infrastructure, civil society, and civilian populations from this growing menace? How can international organizations and national legislatures help to control the propagation of this growing problem? What can individuals do to curtail the effects of this global surge in criminal activity until systemic safeguards are put into place? The purpose of this essay is to outline the basic framework that is in place today, and make recommendations for additional measures that should be taken without delay.
A short statement on what constitutes cyber crime is in order before launching into a discussion on the legal and regulatory framework. For the purpose of this essay, cyber crime will include: Offences against the confidentiality, integrity and availability of computer data systems, including: 1) illegal access; 2) illegal interception; 3) data interference; 4) system interference; 5) misuse of devices. The next category is computer-related offences which includes: 1) forgery; 2) fraud; and 3) extortion. Then there are content-related offences like child pornography and cyber-stalking. Finally, there are offences related to infringements of copyright and related rights.
A detailed description of each of these categories is beyond the scope of this essay; however, it is important to note that evolving legislative mandates, regulatory controls and case law is contributing to the closer definition of these terms in the cyber security arena.
To date the only binding international instrument is the CETS 185-Convention on Cybercrime of the Council of Europe (Convention). The Convention was signed in Budapest, Hungary on November 23, 2001, but only entered into force on January 7, 2004. Among other things the Convention website serves as a central clearing house for the key international activities currently being undertaken by institutions, law enforcement agencies, non-governmental organizations, and governments to control the proliferation of cyber crime activities, techniques and practices (Council of Europe, 2011). The Convention also serves as a model for other nations and/or regional organizations seeking to establish a framework for coordination between law enforcement agencies and Internet services providers and other institutions and private sector organizations.
One of the first projects the Convention sponsored was an effort to upgrade the institutional infrastructure in the country of Georgia, as a demonstration project. This was implemented from June 1, 2009 to May 31, 2010. The objectives of the project were:
- To bring Georgia’s legislative framework fully into line with the Convention and related European standards on data protection;
- To develop training policies and modules;
- To support the development of proposals for institution building;
- To strengthen law enforcement capability and encourage Internet service provider cooperation.
Since that time the Council of Europe (COE) passed additional Protocol on Xenophobia and Racism (CETS 189), and, with the help of Microsoft and Estonia, launched a Global Project on Cybercrime (Phase 1 and Phase 2). A ratification instrument aimed at regulatory harmonization has now been launched to support the institutional strengthening of: Albania, Bosnia and Herzegovina, Croatia, Montenegro, Serbia, Macedonia, Turkey and Kosovo (as per National Security Council Resolution 1244). Further, a joint regional cooperation project has been launched with the Eastern Partnership of the COE which includes Armenia, Azerbaijan, Belarus, Georgia, Moldova and Ukraine.
Another international requirement that has bearing on computer systems security is the Bank for International Settlements directive known as Basel II. Effective as of November, 2006, Basel II spells out the minimum capital requirements a bank must hold for ongoing operations. Information security is critical to the three ‘pillars’ of Basel II’s requirement for ongoing assessment of risk and exposure; hence any information security specialist must be familiar with this directive.
The European Union (EU) Data Protection Directive regulates the processing of personal data and information within the EU. As a signatory to the European Convention on Human Rights members must respect “private and family life, his home and his correspondence.” Privacy and the protection of personal information is a growing concern, especially as it relates to civil rights and the rule of law (or lack thereof) in unstable countries (e.g., the countries affected by the Arab Spring).
U.S. Legislative and Regulatory Actions
The U.S., as the lender of last resort, even in these rocky times of global economic crises, has a key role to play in providing leadership in the sound governance of the Internet. Freedom of speech arguments will fall flat in the face of a global crisis emerging from pervasive cyber crime, cyber terrorism and a cyber war tipping point that freezes financial and civil society infrastructure around the world.
Growing concerns within the U.S. in the area of privacy have led to the passage of such acts as Sarbanes-Oxley, the Federal Privacy Act, Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act (HIPAA), California Senate Bill 1386 and others (Harris, 2010).
Sarbanes-Oxley (SOX) was passed shortly after the corporate scandals of 2000 and 2001, most notably, Enron. It was aimed at reducing fraudulent activities by directing how computer systems track, manage and report on financial systems. It also covers storage and archival processes and controls. Dinner and Kolber (2005) provide an insightful analysis on how Basel II and SOX affect international organizations seeking to comply with the security implications of both mandates, specifically with respect to transparency and governance.
The Federal Privacy Act governs privacy provisions of public sector agencies such as the Internal Revenue Service and the U.S. Census Bureau. The Federal Information Security Management Act (FISMA) extends the controls on federal agencies to include requirements for reporting, remedial action, incident response, and continuity of operations. Gramm-Leach-Bliley requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties. HIPPA performs a similar function for the health care services industry.
Computer fraud is generally covered by the Computer Fraud and Abuse Act, first passed in 1986 and amended in 1996. This act and its implementing regulations have evolved significantly since it was first passed in 1986, most importantly, by the amendments enacted by The Patriot Act of 2001, and the Identity Theft Enforcement and Restitution Act of 2008.[iv] In addition the Wiretap Act provides a framework for law enforcement officials to lawfully engage in interception of “wire, oral or electronic communication” as part of an investigative process. As an adjunct to that the Electronic Communications Privacy Act was passed in 1986. This Act prohibits the unauthorized and unjustified interception, disclosure or use of communications, including electronic communications. Importantly, it differentiates between communications transmissions and stored communications (Wright, 2010).
These are just a few of the key legislative actions that make up the hodge-podge of U.S. law governing Internet issues. In addition, there are other topic-specific federal laws (e.g., for the protection of the privacy for children under the age of 13), and many conflicting state laws. Compliance was cited as one of the most time-consuming activities by 45% of the respondents of the 2011 (ISC)2 survey (Frost & Sullivan, 2011).
Cyber criminals have been so successful because they have recognized the ‘market opportunity’ afforded to them by a piecemeal legislative and regulatory framework. Kshetri argues that cyber criminals engage in a form of “destructive entrepreneurship” that emulates mainstream economic endeavors such as responding to market incentives, aggregating personnel and talent (i.e., hackers and crackers), and externalizing costs (2010). This piecemeal approach to legislative and regulatory frameworks for addressing these risks paves the way for this kind of destructive entrepreneurship.
Market Penetration of ICT in Emerging Markets
The global ICT infrastructure and the rapid market penetration of cellular phone networks is being hailed by the former U.N. Secretary-General, Kofi Annan, among others as one of the greatest boons to reducing poverty in the developing world. The size of the market opportunity in emerging markets in Asia, Africa and the Middle East is projected to reach $200 billion by 2013 (Inveneo, 2011). Cheerleaders of the market opportunities, the investment opportunities, and the upside potential of whole new swaths of geographic telespace abound. The concerns of computer security analysts and security experts barely register in the public dialog around the explosive growth in this area. But as the world’s computer systems become more centralized, and the reliance on technological fixes advances, so too do the vulnerabilities of the World Wide Web.
In my own travels in remote regions of countries of Southeast Asia I have personally witnessed the effects of widespread adoption of cellular technology. For example, in both peninsular and Borneo island parts of Malaysia cellular towers are obvious everywhere, even in the deep jungle villages near the Indonesian border and on the islands in the South China Sea. Similarly, throughout my travels in India the cell towers and use of mobile phone technology is ubiquitous. In Cambodia, even though the road infrastructure was in disrepair, cellular phones were everywhere. Similarly on the island of Bali in Indonesia, the mix of land uses will include rice fields and cell towers and artesian workshops all together. I can recount numerous stories of such market penetration throughout the developing world, but it is not necessary to the key point I am trying to make, and that is that these systems are highly vulnerable.
Both Kshetri and Menn document in great detail how many of the cyber crimes that are being perpetrated against companies and individuals around the world have their origins in developing world countries. Kshetri notes that the stigma of criminal activity is not as strong because of the weak economies, the poor rule of law, and the poorly developed legal and enforcement frameworks (2010). He argues, quite successfully, that these conditions contribute to a form of regulatory arbitrage that is fueling the explosive growth in cyber crime. Menn, on the other hand, focuses on how several organized crime groups based primarily in the former Soviet Union or Eastern European countries have been at the forefront of innovations in the cyber crime industry (2010). Menn’s book should be a wake-up call to policy makers around the world about how insidious and pervasive this problem has become.
Need for International Institutional Framework
At present the International Telecommunications Union (ITU), the COE through its implementation of the Convention, and Interpol are all working together with national agencies such as the U.S. Central Intelligence Agency (CIA) and the U.K’s MI5 agency to coordinate on inter-jurisdictional concerns. COE in particular is focusing on institutional strengthening of the countries in the former Soviet Union to train judges, equip law enforcement officials and support the development of laws and regulations for combating cyber criminals and criminal cartels.
These efforts need to be expanded to include growing criminal networks in Malaysia, China and Iran. National governments, too, should do more to curtail these activities including putting pressure in Internet Service Providers (ISPs) that provide hosting services to criminals or criminal groups. Internet security training should also be widely diffused globally in order to build a new army of soldiers for this Hot War. It is in the interests of civil society to train our youth that it is in their long-term benefit to have a functioning infrastructure and society. Warriors of peace should be the goal for this new cadre of IT security professionals.
I began this essay using the analogy of the Cold War to bring your attention to the significance of this new and growing threat; what I call the Hot War. I took this concept one step further by noting that we are advancing on new territory; that is, one without the traditional geographic boundaries that characterized the Cold War. The global drive to harmonize trade and financial standards has accelerated the development of this nation-less, boundary-less space where cyber crime can flourish. One unintended consequence of the quest for globalization of supply chains and consumer markets has been the facilitation of criminal networks that operate outside of the purview of traditional law enforcement networks. Limited public sector budgets have hamstrung agencies seeking to address these problems along with the lack of intergovernmental frameworks that encourage information and resource sharing.
The COE Convention has made great strides in addressing some of these shortcomings for members of the European Union, but more needs to be done. U.S. law is fragmented and chaotic. Case law is slowly emerging, but, without a coherent guiding principle or framework (Wright, 2010). The U.S. needs to show greater leadership in supporting the development of a centralized entity that will serve as the global clearing house and enforcement agency for cyber crime.
Health Insurance Portability and Accountability Act of 1996 (P.L.104-191) [HIPAA] . (1996).
Clark, R., & Knake, R. (2010). Cyber war: The next threat to national security. New York: HarperCollins.
Computer Fraud and Abuse Act. (n.d.). 18 USC 1030.
Council of Europe. (2011, September 16). Cybercrime. Retrieved September 16, 2011, from www.coe.int: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/default_en.asp
Dinner, W. K., & Kolber, A.B. (2005). Zachman, Basel II and Sarbanes-Oxley. Information Management Magazine.
EU Data Protective Directive (95/46/EC). (n.d.).
Frost & Sullivan. (2011). The 2011 (ISC)2 Global Information Security Workforce Study. Mountain View, CA: International Information Systems Security Certification Consortium, Inc. (ISC)2.
Gramm–Leach–Bliley Act of 1999 (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999). (n.d.).
Harris, S. (2010). CISSP Exam Guide. New York: McGraw-Hill.
Inveneo. (2011, September 16). Emerging Markets Telecom Industry to Reach $200 Billion. Retrieved September 16, 2011, from ICTworks: http://www.ictworks.org/network/ictworks-network
Kshetri, N. (2010). Diffustion and effects of cyber-crime in developing economies. Third World Quarterly, 31:7, 1057-1079.
Menn, J. (2010). Fatal system error: The hunt for the new crime lords who are bringing down the Internet. New York: Public Affairs.
Monnat, D. E., & Ethen, A. (2004, March). A primer on the Federal Wiretap Act and its Fourth Amendment framework. Kansas Trial Lawyers Association.
Murray, J. B. (2002). Wireless nation: The frenzied launch of the cellular revolution in America.Cambridge, MA: Perseus Books Group.
Norton by Symantec. (2011, September 16). The shocking scale of cybercrime. Retrieved September 16, 2011, from us.norton.com: http://us.norton.com/content/en/us/home_homeoffice/html/cybercrimereport/?ocid=FB_091211
Sarbanes–Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002). (n.d.).
Wright, B. (2010). Fundamentals of IT Security Law and Policy. Law of Data Security and Investigations. Bethesda, MD: SANS.
Yunus, M. (2007). Creating a world without poverty: Social business and the future of capitalism.NY, NY: PublicAffairs.
[i] The first use of the term was on April 16th, 1947 by Bernard Baruch, an American financier and advisor to President Truman.
[ii] Although negotiations on the Strategic Arms Limitation (SALT 1) treaty ended in 1972, the dissolution of the Soviet Union did not occur until 1991; hence the characterization of the Cold War as a 4 ½ decade time period.
[iii] Their sample was made up of 19,636 respondents broken down into: 12,704 adults, 4,553 children, 2,379 teachers.
[iv] Under current federal cybercrime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. The new law eliminates that requirement. The law makes it a felony, during any one-year period, to damage 10 or more protected computers used by or for the federal government or a financial institution, and directs the U.S. Sentencing Commission to review its guidelines and consider increasing the penalties for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems.