Published by The Lawfare Institute
in Cooperation With
Last month, more than 50 countries and over 200 major corporations and organizations came together to agree that the international nature of cyber threats needs a cooperative global response and a common set of principles as a basis for security. This conclusion seems obvious—millions of people have been affected by malicious activity perpetrated through the internet—and yet consensus has proved difficult to obtain until now.
This declaration, known as the “Paris Call For Trust and Stability in Cyberspace,” is an important step in defining common principles to secure cyberspace. But the global norms it attempts to establish will be only as good as their enforcement. As the supporters of this declaration move forward to enforce these principles, they must consider one important question: What can be done to find those who violate these norms and bring them to justice? The Paris Call reflects growing consensus among governments and industry of the rules of the road for their operation in cyberspace. Its commitments include: working to prevent activity that intentionally and considerably damages the general availability or integrity of the “public core” of the internet; strengthening capacity to prevent malign foreign influence operations, such as those conducted by Russia to interfere in the 2016 U.S. presidential election; and preventing and recovering from malicious cyberactivity that threatens or harms people and certain critical infrastructure. These commitments reflect much of the consensus already built on behavior in cyberspace by groups including the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and the Global Commission on the Stability of Cyberspace.
Importantly, the Paris Call gives formal recognition to something many in the international community have long known: Countries around the globe are drowning in a massive, borderless cybercrime wave. From a brazen cyberattack that paralyzed the U.S. city of Atlanta in March 2018 to hacks on ATMs that have stolen millions from banks in Asia and Africa, cybercrime has targeted every sector of global economies. This includes crimes directly sponsored by nation states like North Korea and Russia. McAfee estimates the global cost of cybercrime to be as much as $600 billion, about 0.8 percent of global gross domestic product.
Criminal use of technology is creating entirely new categories of crime that can easily cross borders with taps on a keyboard. A single cybercrime incident can hit countless victims in many different countries independent of the location of the perpetrators. Thanks to technology that has allowed for anonymity on the internet, and the ubiquity of technology, the effectiveness and ease with which cybercriminals can commit attacks only continues to increase.
An agreement on principles is an important step, but what comes next is perhaps equally important. Regrettably, the United States joined with Russia and China in declining to endorse the declaration. But as the Paris Call’s endorsers think about how to move the declaration’s commitments forward, they should prioritize closing the cyber enforcement gap—that is, the disparity in the number of malicious cyber incidents that occur per year in a given context versus the law enforcement actions taken against the actors that perpetrate these crimes and attacks.
In a new report, my colleagues at Third Way and I detail how global cyber criminals operate with near impunity compared to their real-world counterparts. Our assessment of the U.S. government’s data found that, in this country, less than 1 percent of the cyber incidents that occur annually result in an actual arrest. Third Way calculated this cyber enforcement gap by comparing self-reported Department of Justice, FBI and Secret Service data on annual arrests for computer crime calculated over the number of malicious cyber incidents reported to the FBI each year. This data is admittedly not perfect, and it includes incidents and arrests for crimes that are beyond the scope of those that destabilize systems and networks. However, this is the only available dataset with which to begin determining the scale of the U.S. government’s cyber enforcement efforts.
Even the Department of Justice recognizes the difficulty of measuring cyber enforcement efforts. While the department has announced a number of indictments in major cyber crimes the past few years, like those against Chinese People’s Liberation Army officers, Russian military intelligence agents or even against the perpetrators of the ransomware attack known as SamSam, these represent a small percentage of the total number of incidents. At a recent conference, Deputy Attorney General Rod Rosenstein acknowledged that, even though the Justice Department has characterized recent cases as “record setting,” the department doesn’t know how to measure the impact of such efforts on reducing crime.
Beyond the United States, the rate of the global cyber enforcement gap is unknown: Third Way has not found any available dataset that collates such numbers from every country affected by malicious cyber incidents. Law enforcement capabilities on cybercrime vary dramatically by country, and a large number of countries do not collect data on cybercrime arrests and incidents that occur annually. However, while the scale of global cyber enforcement efforts cannot be calculated, a diverse spectrum of law enforcement officials, experts and academics from Nigeria to the United Kingdom have expressed widespread concerns about the capabilities of global law enforcement to even conduct the necessary investigations to be able to identify, stop and punish cybercriminals. A cybercrime wave has risen in recent years, with global incidents “relentlessly” increasing annually in Europe alone and steadily increasing in global costs from $500 billion in 2014 to $600 billion in 2017. Ideally, this would be met with a robust response by law enforcement and diplomats working in partnership around the globe to bring malicious actors to justice. Instead, the lack of global law enforcement capacity to investigate these crimes, and the resulting level of impunity with which cybercriminals are operating, means bad actors can be fairly certain there is little to no chance they will ever be caught.
In the follow-up convenings to the Paris Call, its supporters should get down to brass tacks and begin to discuss how they will work to strengthen international cooperation on identifying, stopping and punishing global criminals. Ideally, this should be met with a road map that identifies the challenges and opportunities for strengthened cooperation on cyber enforcement, along with actionable commitments to address these issues.
In a U.S.-focused assessment, our Third Way report explores a number of issues that governments must address in order to close the cyber enforcement gap. Working together on these issues is a strategic and moral imperative if governments are to protect their citizens against cybercrime and seek justice for victims of these crimes, rather than allowing cybercriminals to operate with impunity. For example, we explore a number of ways to strengthen public and private-sector cooperation on attribution efforts to identify the origins of cyberattacks—a notoriously lengthy and bureaucratic process that often requires cooperation among many different domestic and international government agencies and typically close coordination between governments and private-sector victims in order to make an accurate determination. Ultimately, attribution is a political decision made by nation-state leaders to identify malicious cyber actors. But it can’t be achieved without overcoming the barriers to partnership between governments and industry.
Additionally, governments should assess how to encourage countries to ratify or accede to the Budapest Convention—the only binding international treaty that sets common standards on investigations and criminal justice cooperation on cybercrime and electronic evidence—and promote private-sector cooperation in assisting with its implementation. This is a critical diplomatic tool in pushing member countries to uphold their obligations. Right now, the convention’s members include many of the same like-minded countries that endorsed the Paris Call and not necessarily the worst offenders in cyberspace.
Second, the Paris Call’s supporters must identify how they will work together to build global capacity on closing the cyber enforcement gap. This could include increased commitments by the signatories of the declaration on capacity-building assistance to countries that most need it to strengthen the ability of their criminal-justice sectors to bring cybercriminals to justice. This capacity-building assistance would include, for example, ensuring that the right laws are on the books to criminalize cybercrime and that countries have the personnel, training and expertise to conduct cyber investigations, attribute attacks and locate criminals.
The Paris Call’s supporters can also use this opportunity to look for ways to partner together to create innovative models for tracking and assessing progress in identifying, stopping and bringing to justice malicious cyber actors. From my discussions with international organizations and officials from countries heavily impacted by cybercrime, it is clear that many governments are struggling with how to assess whether they are making progress against the global cybercrime wave. Often, their crime metrics have not kept pace with developments in how criminals operate in cyberspace. Improved success metrics could look beyond the number of arrests made or the significance of these arrests—in terms of the amount of losses they produce or the national security threat they pose—and also examine things such as private-sector and citizen confidence in government’s abilities to bring malicious cyber actors to justice. The organizations, academics and entities in the private sector that signed the Paris Call have tremendous experience to bring to the table in measuring impact.
To be sure, some have expressed concerns about the Paris Call’s requests for cooperation between different stakeholders to combat cybercrime, worrying that might lead to overreach or abuses by law enforcement. These laws may help to strengthen efforts to go after cybercriminals—but if used for nefarious reasons, they also can be powerful tools to stifle dissent and restrict forces for social change. Indeed, some governments have used laws against cybercrime and strengthened cyber capabilities as a tool to crack down on dissidents, journalists and activists. Work on closing the cyber enforcement gap must be matched with a serious effort to ensure respect for privacy and protection of civil liberties and human rights.
The Paris Call is a step in the right direction in bringing stability and security to the borderless cyberspace through public and private-sector cooperation. But the calls in this declaration, aimed at trying to establish a set of cyber norms, must be met with strong enforcement of those norms to make real change. Currently, governments are not meeting their basic obligations to protect their citizens from these attacks, based on what is known about the low number of arrests of cybercriminals and the capacity and capability challenges law enforcement and diplomats face in investigating these crimes and taking action against the perpetrators. Supporters of the Paris Call must focus on matching their words with action.