22 May, 2017

Towards a Holistic Legislative Framework for the Criminalization of Cyber Terrorism

On 15 and 16 of May, I took part in The International Conference for the Criminalization of Cyber Terrorism, organized in Abu Dhabi by The United Arab Emirates Minister of Foreign Affairs and International Cooperation.

It was a great opportunity for top international experts, political figures, representatives of international organizations and institutions, and activists in counter terrorism and counter cyber terrorism affairs, in addition to legal experts, researchers, practitioners, and other figures from the international community, to get together and discuss the cyber terrorism issue.

As part of the Fourth Session, dedicated to “A Holistic Legislative Framework for the Criminalization of Cyber Terrorism”, I held an intervention about the Legally-Binding Agreements for the Criminalization of Cyber Terrorism.

The following material is the transcript of my speech:

 

The United Arab Emirates Minister of Foreign Affairs and International Cooperation gathered these days in Abu Dhabi a valuable and extremely diverse panel of specialists to discuss countering cyber terrorism solutions.

I see this fourth session as a perfect match before the end conclusions.

I am honored to be here, among so many experts in this domain which became such a hot topic these days.

I represent here the European Parliament, where I am a member of the Foreign Affairs Committee, but also Romania, an EU, and NATO member, which already proved its capabilities in the cyber realm. Romania has become one of the top European countries in combating cyber crime and cyber war-related operations – 20% of EUROPOL’s cyber security experts are Romanian police officers.

And it is not by chance that NATO has turned to Romania to defend Ukraine from Russia’s cyber espionage and Romanian experts are currently working with Ukrainian IT specialists and help the Ukrainian government institutions.

But to go further – the time is our enemy – let’s open today’s topic by saying that all we already discussed and debated here, in terms of measures and solutions, relies on a cornerstone:

“What are the legally-binding tools that we have now and need further?”

DEFINITION:

Because we are discussing “Legally-Binding Agreement” and “Criminalization”, we should probably start with the definition of what we are talking about. Unfortunately, beyond “CyberTerrorism is a controversial term”, the international community couldn’t agree till now.

Cyberterrorism overlaps with cybercrime and cyberwar and sometimes is just a tool for the ordinary terrorism. There is no common definition yet!

I consider that this struggle is the direct effect of another problem: We also don’t have a consensus on the term ‘terrorism’! There are 17 different international conventions, each of them addressing different aspects of terrorist activities and even more definitions.

I believe that, firstly, we urgently need to compromise and agree upon a common understanding of these terms. The ones that are taking advantage of our different opinions are the very ones we try to incriminate. This will continue to happen no matter if we are talking about states, international organizations, local leaders or just brain-troubled individuals.

Till an agreement will be reached, we can start from a broader definition, like the one used by EU and UN. The two see the “cyber terrorism” as the use of the Internet for terrorist purposes.

JURIDICAL FRAMEWORK:

Despite the differences, we can all agree that there is a common line of our understandings of cyber terrorism: it is an international crime!

This is why the response to such crime must be international. Any attacked country must be able to invoke international law to seek justice for damage caused.

Also, this universal jurisdiction must be implemented through international organizations and their tribunals.

For these purposes, we already have the International Criminal Court and International Court of Justice which have been set up by the Rome Statute and the United Nations, respectively. In other words, international organizations provide a legitimate basis, through treaties, for exercising universal jurisdiction over cyber terrorism.

WHAT HAS BEEN DONE AT INTERNATIONAL LEVEL:

To reach our goal, we must start from what we have and, even more important, what proved to be successful among our laws, institutions, and practices.

In terms of achievements, I will start by mentioning the Council of Europe (CoE) Convention on Cybercrime from 2001. This is the first and only international binding treaty which tries to harmonize laws across countries as to what constitutes criminal activity in the cyber realm. 59 states signed the Convention so far. All EU Member States have signed, together with several non-European countries, including the US, Canada, Australia, Israel, and Japan.

Unfortunately, two countries which are crucial for the success (or failure) of cyber offenses criminalization, Russia and China, did not sign this Convention. This is why the critics of this Convention warn that it falls short on the enforcement side, and lacks jurisdiction in countries where cyber criminals operate freely.

EU AS A GOOD PRACTICES EXAMPLE:

EU took the Council of Europe initiative and brought it much further. In my opinion, today, EU offers the broadest collection of legislation, institutions, and practices which address the issue of cyber terrorism. EU has the capacity to be a normative global actor, capable of creating an effective and constructive culture of cybersecurity within and beyond.

It started in 2005 with the Directive on attacks against information systems, inspired by the Council’s Convention. Later on, a European Cyber Security Strategy and a European Agenda on Security have been added.

In its Strategy, EU underlines 3 basic principles:

  • the same core values, laws and norms that apply in the physical world apply also in the cyber domain;
  • the Internet is a public or collective good that should be available and accessible to all;
  • the governance model for Internet should be democratic and cyber security policy should be a shared and multi-stakeholder responsibility.

EU and other western countries are in favor of a multi-stakeholder Internet governance model. A number of other countries, such as Russia, China, Iran, and India, defend a centralized and inter-governmental approach. We are all aware that a compromise must be reached and efforts on all sides must be made.

In addition to Strategies, EU also has more specific legal instruments on cybersecurity and cyberterrorism. They are already giving results!

Let me mention just:

  • the EU-US Terrorist Finance Tracking Program (TFTP) – functional since 2010
  • the Directive on security of network and information systems (NIS Directive) – 2016
  • the EU Data Protection Regulation and Directive – 2016
  • the EU-Passenger Name Record Directive – 2016

In terms of institutions, EU can offer a couple of good examples also. The European Union Agency for Network and Information Security (ENISA), functional since 2004, was conceived as a center of expertise for cyber security in Europe. Europol’s European Cybercrime Centre (EC3), functional from 2013, was built to strengthen the law enforcement response to cybercrime in the EU. In addition to this one, there is the Cybercrime Centers of Excellence Network for Training Research and Education, which coordinates 10 national centers all over EU – one of them in Romania.

We also developed and implemented, starting with 2012, a permanent Computer Emergency Response Team (CERT-EU). This one covers all the EU institutions, agencies and bodies. Its role can be better understood in the light of last week’s huge ransomware attack. Computer Emergency Response Teams are also available for each Member State, according to the Digital Agenda recommendations.

HOW EU EXTENDED ITS CYBER PROTECTION AND REACH BEYOND ITS BORDERS:

Cyber crimes and cyber terrorism are borderless. In its response, EU reached out beyond borders and got connected with the similar capacities of its partners and allies. The first, natural connections are the ones with US and NATO.

NATO is a major partner for the European Union in the area of security and defense. The recently established Helsinki Centre of Excellence for countering hybrid threats (April 2017) is just one of the many examples of EU-NATO cooperation which also touches the cyber threats issue. This Center brings together EU and NATO countries, including the US, and follows the line of previous strategic documents like:

  • the EU-NATO Joint Communication on countering hybrid threats that were adopted in April 2016
  • and the Warsaw Joint Declaration from July 2016 which establishes, through its follow-up measures, 7 areas of cooperation, including countering hybrid threats and cyber security and defense.

The same goes with EU-US relations in terms of cooperation and countering cyber threats. The EU-US Cyber Dialogue is a good, functional example in this regard. Also, the recently launched Transatlantic Cyber Policy Research Initiative brings together European and U.S. civil society, academic, industry, and think-tank experts to address key cyber policy challenges and increase policy research capacity on cyber issues. EU and US strongly support the Convention on Cybercrime in the fight against cybercrime.

THE THREAT AND ITS IMPLICATIONS:

The Internet is critical for our way of living today. Internet is the space for all. We have all the amazing benefits from spreading democracy to easy access to information. Unfortunately, it is also used as a cross-border platform for criminals and traffickers.

The maleficent use of the Internet evolved even faster than the protection methods. Now there is a huge array of Internet-dedicated ways and tools, built to threaten and induce harm to both individuals and institutions.

The Internet allowed terrorist groups to reach internationally, sometimes from locations where they are unreachable to effective prosecution. Cyber terrorism poses a huge threat to all due to its capacity to touch any corner of the world and its fast development. Cyber terrorism is a weapon which can penetrate any system and is the first threat in the world which can target both a country and a regime.

Sometimes, it is very difficult to detect the attackers in time. Most of the times it is impossible to identify the real perpetrators. The reaction times are so much different than in the case of a rocket launch. In a classical situation, we can detect almost immediately a threat. In the case of cyber-attacks, too many times we identify the attack just after it already produces effects. This also means that the reaction times are too long.

From this perspective, we must agree that cyber terrorism is a huge threat to the security of any country, especially if we think of possible and potential attacks to critical infrastructure. The threat is even greater if we think that, in the case of cyber vulnerabilities, no matter how well we close a door, it can be open from inside. Rogue elements are always possible and it can take as little as inserting a memory stick into the back of a computer to take down a whole network!

The terrorists are showing us how “useful” is the Internet in recruiting or spreading the fear. Our youth is the easiest target. Also, the institutions are vulnerable. We need to strengthen the Internet security.

There are two levels:

  1. The internet is used by terrorists to proliferate hate speech, incite to violence, recruit, and spread fear. This requests from us dedicated tools and sufficient resources to address it efficiently. Also, we can’t rely on traditional ways in counter fighting propaganda and manipulation. We must bear in mind that youth is the main target and most exposed population segment.
  2. We see that institutions and governmental networks are targeted. The effects of targeted attacks can create great disturbances for any government. The critical infrastructure, like the healthcare system, energy networks, water supply or transport, is prone to become the main target.

The response of law enforcement agencies is traditionally bound by territoriality or nationality. But both levels can be addressed way much better by cooperation. First among countries and then regions. Therefore, formal and informal international cooperation is essential in the investigation and prosecution of terrorist behavior on the Internet.

Sharing information and best practices, acting together in a coordinated manner – this is the only way forward to fight this threat. We already have functional examples (PNR, TFTP, EU-NATO partnership on cyber threats, etc.). Within each country, there also must be a horizontal approach.

Today, there are countries that feel secure for not being the main target for cyber terrorism. Maybe this is why they are not so much supportive in reaching a legally-binding and fully functional international agreement for the criminalization of cyber terrorism.

As last week’s situation showed us, when more than 100 countries experienced the biggest ransomware attack in history, such an attitude is not wise and obviously not reflecting the interests of the citizens or the business community of any country. Russia seems to be the most affected country, with over 1.000 computers infected, according to the country’s Interior Ministry. Also in the top 10, there is China. Both countries did not sign The Convention on Cybercrime.

As a leader, how do you respond to your worried citizens and to the affected business community when you can’t reach the responsible ones because of the lack of juridical coverage?

And I am afraid that the worst is still yet to come! With the emergence of ‘sabotage’ as a new frontier for cyber criminality, in particular with the emergence of Intelligent Transport Systems, eHealth, smart grids or the Internet of Things, our livelihood gets better but also more vulnerable.

It is already possible to get control of Internet-connected gadgets or to disrupt elements of electricity distribution networks, water treatment plants, emergency services, and so forth. Banks, institutions, infrastructure networks, companies, defense systems, even simply households are all vulnerable to a certain degree. Moreover, terrorists and jihadist organizations have swiftly recognized the benefits of using the Internet as a part of their arsenal. So far, however, despite scenarios in which sophisticated cyberterrorists break into critical infrastructures, they have not inflicted the kind of damage that would qualify them as cyber terrorism.

Till now, we’ve been mostly reactive and not pro-active. Again, will we wait for something bad to happen till we get convinced that we need to act?

We need to urgently criminalize this threat! Specific legislation is a must, together with preemptive and resilience measures.

WHAT CAN WE DO?

The United Nations is the organization which must coordinate and seek cooperation in dealing with the problem of international terrorism, including cyber terrorism. Countries and the international community should develop the tools to address this credible threat. The main goal of the United Nations is to keep maintaining international peace and security.

Unfortunately, we are all witnessing the incapacity of the Security Council to act on issues which already counted for the loss of hundreds of thousands of lives, like the war in Syria.

When you are talking about cyber threats, time is a crucial factor. And for the moment, UN is incapable of moving fast and decisively enough. The best example is the UN Group of Governmental Experts (GGE), which has been meeting since 2004. Still, it did not succeed in bringing up a legally binding document.

If it is just about the question “Security vs. Human Rights”, the answer is simple: both of them are important! We must protect the life and personal data of any individual. But I feel that it is more than that and UN needs our help!

If the top-down approach has failed to produce the desired results, I think it is time to consider a bottom-up approach. I believe that we can all learn from EU’s experience and expertise, and its successful approach in strengthening internal security through partnerships and alliances.

What the EU has initiated in reinforcing its cyber security through relations with NATO and US can be extended by replicating with other regional and international actors like the Arab League or the African Union.

Using the “good practices” experience and the results the EU has managed to bring forward, also its good relations with so many neighboring countries and international actors, I believe we can make important steps together. We must limit the terrorist cyber threats and all the other cyber-related vulnerabilities before it becomes much more dramatic.

I must add that Media should play its responsible role in spreading awareness and informing the general public about this real threat. It must be considered and included as an active stakeholder if we wish to have an efficient approach to the problem.

Also, the intelligence community must cooperate with the government on a horizontal level to ensure the security of the critical infrastructures. Sharing intelligence and expertise is a must!

Together, I am convinced that our voice is strong enough to help the United Nations in delivering the same security instruments for all its members and, most importantly, for the billions of citizens which find themselves today so vulnerable. This is our duty as leaders, experts or representatives of international organizations!
