Cybersecurity has become a policy priority of many governments. This is reflected in cybersecurity policies or strategies that have been adopted or that are in preparation in all regions of the world.
Such cybersecurity strategies combine political and technical dimensions:
protection of economic and other national interests and national security
protection of the confidentiality, integrity and availability of information and communication technology to enhance security, resilience, reliability and trust.
Priority is given to public and private sector critical information infrastructure that is to be protected against:
non-intentional incidents (disasters, technical or human failures)
intentional attacks by state and non-state actors.
They focus on technical, procedural and institutional measures, such as risk and vulnerability analyses, early warning and response, incident management, information sharing and other measures to ensure protection, mitigation and recovery.
Measures against cybercrime tend to be one element of cybersecurity strategies.
Cybercrime and cybersecurity strategies are not addressing identical issues nor do they cover the same type of measures, but they intersect and complement each other.
Measures against cybercrime are to provide a criminal justice response to ensure that the rule of law and human rights also apply in cyberspace and that legitimate interests are protected.
Cybercrime is about:
offences against the confidentiality, integrity and availability of computer data and systems
offences by means of computers, in particular the sexual exploitation and abuse of children, fraud, or offences related to infringements of intellectual property rights.
Any offence may involve ICT and thus electronic evidence on a computer system. Not all of these constitute cybercrime, but measures against cybercrime need to address this challenge.
In many countries this includes for example:
cybercrime reporting systems
legislation (substantive and procedural law harmonised with the Budapest Convention on Cybercrime)
high-tech crime and other specialised units
law enforcement and judicial training
public-private (including law enforcement – service provider) cooperation
protection of children
financial investigations and other measures against fraud.
However, only few governments have designed specific and consistent cybercrime strategies.
The workshop will therefore discuss the following:
► Cybercrime and cybersecurity strategies: What concepts? What differences and intersection? How to ensure synergies and complementarity?
► Cybercrime strategies: Is there a need for specific cybercrime strategies? By public and private sectors? What objectives and measures would make up such strategies?
► Stakeholders: Who is responsible for developing, managing, implementing cybercrime strategies? What role for public and private sector organisations?
Pannelilsts and participants discussed:
The difference between cybersecurity and cybercrime and the respective strategies.
While cybercrime has a clear crime prevention and criminal justice focus, cybersecurity is more diffuse and interdisciplinary, combining criminal, administrative, defense and military dimensions. An example is the cyber security strategy of Estonia which was developed in response to the attacks of 2007.
The approach of Sri Lanka which was not developed in response to a specific attack, but in a systematic manner to create an enabling environment for the use of ICT, starting with the financial sector as of 2005. The argument here is that cybersecurity and cybercrime strategies should complement each other.
The need for enhanced public-private cooperation. This includes holistic approaches, promotion of holistic lifecycle and multi-stakeholder approaches, the development of a culture of cybersecurity and cooperation bridging different sectors. The take down of the Rustock is an example for private sector initiated legal action to disrupt cybercrime.
The need for intelligent solutions, that is, safety without over-regulation, security to enhance and not to undermine privacy, change in every country to avoid cyberhavens, focus on priority and avoid attempts to conflate related issues.
The need to focus on capacity building, including technical assistance to support the development of legislation, training of law enforcement, prosecutors and judges, interagency cooperation, public-private and international cooperation, awareness creation and other measures. The Commonwealth Cybercrime Initiative was presented as a new initiative.
Cybercrime strategies and cybersecurity strategies are different but complementary. They can be designed to reinforce each other.
Conclusions and further comments:
Governments should develop specific strategies to address the growing threat of cybercrime. Such strategies should be aimed at strengthening the rule of law and human rights on the Internet and thus protect people and their rights.
Clarification of the distinct but complementary concepts of cybercrime and cybersecurity will help identify the measures to be taken, establish responsibilities and ensure that criminal justice considerations are fully taken into account in the prevention and control of cybercrime.
While the protection of critical information infrastructure and thus the aim of cybersecurity strategies may indeed be an issue of national interest, such a focus carries the risk that cybersecurity is moved from the criminal justice arena - with its rule of law and human rights safeguards – to the national security arena and its exceptions to rule of law and human rights guarantees. Separate cybercrime strategies or strong cybercrime components in cybersecurity strategies may help strengthen rule of law and human rights conditions.
Multi-stakeholder approaches are to be followed when designing and implementing cybercrime strategies.
Standards and tools on cybercrime are already available. These include in particular the Budapest Convention on Cybercrime. The main challenge is capacity building.
Technical assistance is required. Cybercrime strategies may help mobilize such assistance.
Discussions will continue at the Octopus conference of the Council of Europe (Strasbourg, 21-23 November 2011 – www.coe.int/octopus). The working paper that served the IGF workshop in Kenya could finally lead to a guideline on cybercrime strategies for governments and other stakeholders.