Since the 1990s, people have been using the Internet as a tool to commit crimes, support terrorism and, reportedly, even to engage in low-scale cyberwarfare, but this has not gone unnoticed. The international community is responding with laws intended to make it easier to investigate and prosecute these crimes across jurisdictions, decrease the anonymity that their perpetrators hide behind and improve the quality and amount of evidence that can be used in court after an arrest has been made.
♦ What is hacking?
A hack is when a system is accessed through ways that weren’t intended by its designers and/or operators. Not all hacks are bad, but those that are generally involve someone discovering information about a system after accessing it illegally, identifying its vulnerabilities and then exploiting those to compromise the system in some way.
♦ Cybercrime and the law
There is big money to be had in computer crime. An estimated $67 billion was lost through cyber crime in the United States during 2005; and while actual figures are hard to come by, a 2009 report by McAfee suggested worldwide losses of $1 trillion annually from intellectual property theft alone. Other cybercrimes involve stalking and child exploitation, as well as vandalism and cheating. The criminals range from the very young “script kiddies” who are fairly easy to track because of their inexperience (although their age often makes it impossible to prosecute them) to professionals who are very difficult to catch, like “The Analyzer,” an Israeli hacker who, according to an August 2009 article by Kim Zetter at Wired.com, confessed to stealing some $10 million from U.S. banks and also allegedly stole $1.5 million from Canadian banks.
“The Analyzer” could be looking at a 15-year sentence under U.S. Code Title 18, Section 1030, which addresses computer-related fraud and other such activity in the United States. In the United Kingdom, the relevant law is the Computer Misuse Act 1990 (particularly Section 3), as amended by the Police and Justice Act 2006; at least 14 people were found guilty under this law between 2004 and 2007.
The U.K. law, like many of the world’s first national cyber crime laws, has been criticized for failing to distinguish between lesser crimes such as vandalism, and very serious ones like disabling emergency response systems or, as in the case of “The Analyzer,” stealing a lot of money. Nonetheless, it has enough good features for Canada and the Republic of Ireland to have modeled their own laws on it.
Some other countries, including Germany, have ratified the Budapest Convention on Cybercrime that entered into force in 2004. This was the first international agreement to address computer crime, especially intellectual property theft, fraud, child pornography and violations of network security. It also establishes procedures and powers for searches of networks and lawful interception, and that has led to some friction between countries.
The Budapest Convention allows police to cross national borders without the consent of local authorities to access local servers, as long as they have the permission of the owners of the network system. Russia has opposed this since 2000, when U.S. police gained access to computers owned by Russians accused of defrauding U.S. banks. However, an alternative Russian-sponsored United Nations cybercrime treaty failed to pass in 2010.
♦ Cyberterrorist or Hacktivist?
Emotions run high and political and social divides can be insurmountable when it comes to hackers who do their thing for ideological reasons. One person’s “terrorist” may be another’s “activist.”
While there have been some denial-of-service attacks in the name of a cause, as well as many defaced Web pages on either side of various controversies all over the world, one thing everyone can agree on is that the much-anticipated Internet terrorist cyberattacks after 9/11 never materialized. Terrorist groups of all types reportedly use the Internet for many purposes, including recruitment, fund raising, data mining, and communication, but so far none of this has apparently involved hacking.
Any terrorist computer attacks could be addressed through existing anti-terrorism laws. In the United States, that includes the “Patriot Act,” Public Law 107-56. Worldwide, many laws and agreements are on the books. The University of Pittsburgh law school’s Jurist website (http://jurist.law.pitt.edu/terrorism/terrorism3a.htm) has links to many world anti-terrorism laws, including several actions by the United Nations Security Council and General Assembly, 11 related U.N. conventions, and the proceedings of 7 regional conventions, as well as anti-terrorism laws in Australia, France, India, Israel, Japan, Pakistan, and the United Kingdom.
Those terrorist cyber attacks, had they occurred, could actually have been called cyber war. The line is a blurry one between hacking someone’s computer systems to terrorize them and hacking them as a tool of conquest.
The military-interest website Strategy Page, in a January 5, 2008, article, “Cyber War as the Ultimate Weapon,” describes three stages of cyber war. The first stage, which they describe as ‘limited stealth operations,’ happens in the background as espionage, and they say that this is going on now.
In the second stage, called ‘cyber war only,’ a country openly uses computer attacks. Some have said that Russia engaged in this against Estonia in the spring of 2007. Estonia called for a mutual-defense response from NATO, but when NATO’s cyber experts arrived, the attacks stopped, whether coincidentally or because, if responsible for them, the Russian government decided not to risk escalating things into ‘cyber war in support of a conventional war,’ the third and final stage of the Strategy Page classification system.
In any case, international law usually ends where wars begin, and so a complete discussion of cyberwar falls outside the scope of this article.
Making laws regarding hacking is a delicate matter. The balance between human rights and criminal justice is fragile and yet must always be maintained. Hackers can be either good or bad. The bad ones cause a lot of trouble and loss, and they must be held responsible for their actions somehow, though it isn’t easy in a borderless, electronically interconnected world.
Fortunately, we are building an international legal framework through which civil society everywhere can cooperate in protecting citizens from the predations of computer criminals. With improved communication and access among different jurisdictions and governments, we can tear down the anonymity bad hackers hide behind and collect the evidence needed to convict them, all the while holding the civil rights of our free citizens inviolate.
The system is not perfect, and there is still a long way to go, but we have taken those first, all-important steps toward this goal. That is something to feel very good about, indeed.