CSCI 1800 Cybersecurity and Internaonal Relaons · • 4/10 US aended Garmisch cybersecurity conf.1...

CSCI1800CybersecurityandInterna4onalRela4ons

COEConven4ononCybercrimeJohnE.Savage

BrownUniversity

Outline

•  Background•  ProvisionsoftheConven4on– CybercrimeOffenses–  Inves4ga4veProcedures–  Interna4onalCoopera4on

•  Reac4ontoandEvalua4onoftheConven4on•  Alterna4vestotheConven4on

Lect174/3/17 ©JESavage 2

WhatistheCybercrimeConven4on?

•  Firstinterna4onalcybercrimetreaty.•  Itharmonizesna4onallawsoncybercrimeandimprovesna4onalcapabili4estoinves4gatesuchcrime.Italsoincreasescoopera4on.

•  DraUedbyCouncilofEuropeinStrasbourgin’01•  US,asexperiencedobserver,playedmajorrole.

OriginsofConven4on

•  In1996EuropeanCommi\eeonCrimeProblems(CDPC)setupexpertcommi\eeoncybercrime.

•  Theyrecognized– Trans-bordernatureofsuchcrime,– Conflictwithterritorialityofna4onallaws,&needforconcertedinterna4onalefforttodealwithit

•  Commi\eeofExpertsonCrimeinCyber-spacecreatedinFebruary1997.

Commi\eeCharge

•  TheCommi\eeofExpertswaschargedtodraUabindinglegalinstrumentaddressing:– Cyber-spaceoffensessuchasillegalfundstransfer,services,viola4onofcopyrightsandhumandignity,protec4onofminors,offeringofillegalservices.

– Othersubstan4vecrimesinvolvingcyber-space,requiringinterna4onalcoopera4on(thus,notcybercrime)

Commi\eeCharge

•  TheCommi\eeofExpertswaschargedtodraUabindinglegalinstrumentaddressing:– Useandapplicabilityofcoercivepowers,suchasintercep4onofdata,surveillance,search&seizureofdata,problemscausedbyencryp4on,etc.

– Ques4onsofjurisdic4ononcyberspaceoffenses,e.g.doublejeopardy,whichlawsapply,etc.

–  Interna4onalcoopera4oninves4ga4ngcyberspaceoffenses

EmergenceofConven4on

•  AUerfouryearsofwork,inJune2001finaldraUoftheconven4onwasapprovedbyCDPC.

•  AdoptedbyCouncilofEuropeonNov.8,2001.•  SignedinBudapest,Nov23,2001.•  Conven4onenteredintoforceinUSonNov1,2007•  Conven4onopentoallCOEmemberstates.– Asof4/1/2017563stateshavera4fied,4otherssigned.

•  StatesmaybeinvitedtoaccedetoitaUerobtainingconsentof“contrac4ngstates.”

Addi4onalProtocol

•  AdoptedbyCommi\eeofMinisterson11/7/02•  Requiresstatestocriminalize– Racistorxenophobicacts,threats,etcvianetworks– DenialoftheHolocaustandothergenocides.– Theseallinvolvecriminalizingcontent!

•  UShelpeddraUthisprotocolbutdidnotsignitini4ally.Itsignedin2001,ra4fiedin2006,andenteredintoforcein2007.

ProvisionsoftheConven4on

•  Goals:– Protec4onofsocietyfromcybercrime– Criminaliza4onofsuchconduct– Adop4onofpowerssufficienttocombatabove– Helpotherstateswithcrimedetec4on,inves4ga4on,prosecu4on

– Provideforfastreliableinterna4onalcoopera4on•  Alterna4vevehicleforcybercrime,MutualLegalAssistanceTrea4es(MLATs),areveryslow.

Conven4onHasThreeParts

1.  Lis4ngofsubstan4vecybercrimeoffensesthatra4fyingstatesmustadoptintona4onallaw.

2.  Inves4ga4veproceduresthatstatesmustimplement.

3.  Mechanismstoenhanceinterna4onalcoopera4on.

Conven4onRequirements

•  Ra4fyingstatesmustcreatelawsallowing:– Searchandseizureofcomputersanddata– Wiretapping– Obtainreal-4meandstoredcommunica4onsdata– Thisappliesevenifcrimenotconsidereda“cybercrime”

•  Thus,CybercrimeConven4onisamisnomer.

Defini4onofCriminalOffenses

•  Accesstocomputersystemswithoutright.•  Technicalintercep4onofnon-publicdatatofromorwithincomputersystemswithoutright.–  Includeselectromagne4cemissionsfromcomputer– Doesitincludeaudiorecordingofkeystrokes?

•  “Damaging,dele4ng,deteriora4ng,altera4onorsuppressingofcomputerdatawithoutright.”

•  Serioushinderingof“func4oningofcomputersystembyinpupng,transmipng,dele4ng,deteriora4ngorsuppressingofcomputerdata.”

AccessingComputerswithoutRight

•  The1986ComputerFraudandAbuseAct(CFAA)appliestothisissue.

•  WhatdoyouthinkaboutCFAA?

CriminalOffenses

•  “Produc4on,sale,procurementforuse,import,distribu4on”orpossessionof“adevice,includingcomputerprogram,designedoradaptedprimarilyforthepurposeofcommipnganyofthe[above].”

•  Thesameappliestoa“password,accesscode,orsimilardata”usedtoaccessacomputersystem.

•  “Causingofalossofpropertytoanother”byac4onsofabovetypewiththeinten4onpersonalbenefitwhendonewithoutright.

CriminalOffenses

•  Produc4on,distribu4on,offering,procurementorpossessionofchildpornographyviacomputerdonewithoutright.

•  Willfulinfringementofcopyrightandrelatedmaterialwhendone“onacommercialscaleandbymeansofacomputersystem.”

•  Allpar4esmustensurethatlistedoffenses“arepunishablebyeffec4ve,propor4onateanddissuasivesanc4onsincludingdepriva4onofliberty.”

WhatCrimesAreMissing?

•  IsIPhijackingacrime(BGP)?•  HowaboutDNSfraud(viola4ngtrustinDNS)?

Inves4ga4veProcedures

•  Par4esmustestablishfollowinglegislatepowers:–  Powertoorderpreserva4onofcomputerdataandtrafficdata(iden4fiespathofpacketsthruISPs).

–  Powertoseizecomputersandstoragemedia–  Powertoorderproduc4onofcomputerdataandsubscriberinforma4on.

–  Powertocollectsuchtrafficdatainreal4me.–  Forseriouscrimes,powertocollectcontentinreal4me.–  Establishjurisdic4onoversubstan4veoffensesinConven4oncommi\edathomeoragainstanother.

Interna4onalCoopera4on

•  AllPar4es“shallco-operatewitheachother…tothewidestextentpossible”onthesema\ers.

•  Coopera4onisthrurelevantinterna4onalagreementsanddomes4claws.– Thus,coopera4onmaybelimitedordelayed

•  Offensespunishabledomes4callybyyearinjailormoreseveremustbeseenasextraditable.– However,limitstoextradi4onmaycomeintoplay.

•  Toextentpermi\edunderdomes4claw,Par4esmustforwardinfoitbelievesmayhelpotherPar4estoinves4gatecybercrime.–  Par4esmayrequestsuchinfobekeptconfiden4al

•  WhenPar4esdon’thavemutuallegalassistancetreatyorarrangement,eachmustdesignateacentralauthoritytosend,answer,requestmutualassistance.–  Par4esagreetoexecuterequestsinaccordancewithprocs.ofreques4ngParty,exceptwhereincompa4ble

•  Par4esmustpreservedataexpedi4ouslyandforatleast60daysatrequestofanother.– APartymayrefusearequestforvarietyofreasons.

•  Partymustrespondtoarequesttosearch,seizeordisclosedatalocatedwithinitsterritory.

•  Par4esmustprovidemutualassistanceinthereal-4mecollec4onorrecordingofcontentdata…totheextentpermi\edunderlawsandtrea4es.

•  EachPartymusthaveapersononcall24/7torespondtoassistancerequestsininves4ga4ons.

•  Conven4onlacksenforcementmechanism.InsteadCPDCisinformedofinterpreta4ons/applica4ons.– Arbitra4onispossiblefordisputesconcerningthela\er.

•  Ar4cle32b*:Partymayaccesswithoutauthoriza4onofanotherPartydataoncomputerinterritoryoftheotheriflawfulandvoluntaryconsentobtainedfrompersonwithauthoritytoprovideit.– Russiasignedtheconven4onbutwithdrewwhenitrealizedimplica4onsofthisprovision.

–  Iftheyweretorejoin,otherna4onswouldaswell!

*Ar4clesareath\p://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf

Compe44onfortheConven4on

•  Interna4onalTelecommunica4onsUnion(ITU),aUNagencyconcernedwithICTissues,challengeduniversaladop4onofConven4on,circa2010.

•  ITUGeneralSecretaryHamadounTorréobjectsbecauseitisEuro-centricand“ali\ledusty.”

•  ITUithad“ITUToolkitforCybercrimeLegisla4on”draUedbyAmericanBarAssocia4oncommi\ee.

•  ITUpromoteditsowncyber-warningorg.,IMPACT.

Evalua4onofConven4on

•  “Mostsubstan4ve,andbroadlysubscribed,mul4lateralagreementoncybercrime”today.

•  Rela4velycomprehensiveapproachtoharmonizingna4onallawsandcoopera4on.

•  USDoJofficialratesimpact:“veryposi4ve.”Coopera4onhasincreasedradicallyrecently.

•  Provisionstofreezedata,“spontaneous”coopera4on,24/7contact,remotesearchesaremostuseful.

•  Shortcomings:– RussiaandChinanotsignatories.NostatesfromAfricaorSouthAmerica.

– Par4esmayrefusetoassistinmanyinstances– Noenforcementmechanisms

•  Shortcomings:– Doesnotaddressespionageoruseofforceunderlawsofwar

– Doesnotdealwithissuesthatarisewhenana4onisundera\ackandcan’taffordtowaitforcoopera4onfromcountriesthatmaybea\acking.

– Doesn’tapplytoDNSfraudorIPhijacking(BGP).

PossibleStepsforImprovement

•  Narrowgroundsforrejec4ngrequestforassistance–  Requirespecificreasonsfordenyingrequestsinwri4ng

•  Addmeaningfulenforcementmechanism–  Requireneutralarbiterwhenrequestdenied

•  Requirerepor4ngofdenialsofassistancetoCDPC•  AuthorizethosePar4esdeniedassistancewithoutlegi4mate,crediblereasontoengageinunilateral,cross-borderinves4ga4ons.– Wouldthisviolatesovereignty?

Alterna4vestotheConven4on

•  MostnotableisRussiancyberarmstreaty–  In‘98itequatedcyberweaponswithweaponsofmassdestruc4on

•  In2000RussiasponsoredUNGeneralAssemblyresolu4ontoexaminewaystostrengthen“securityofglobalinforma4onandtelecommunica4onssystems”and“limitthreatsemerginginthisfield.”

2000RussianProposal•  Statesmustrefrain–  “fromdevelopment,crea4on,anduseofmeansofinfluencingordamaginganotherState’sinforma4onresourcesandsystems,”

–  “deliberateuseofinforma4ontoinfluenceanotherState’svitalStructures,”

–  “unauthorizedinterferenceininforma4onandtelecom-munica4onssystemandinforma4onresources,aswellastheirunlawfuluse,”

–  “encouragingtheac4vi4esofinterna4onalterrorist,extremistorcriminalassocia4ons,organiza4ons,groupsorindividuallawbreakersthatposeathreattotheinforma4onresourcesandvitalstructuresofStates.”

2000RussianProposal

•  Howdoesoneinterpret“influence”?•  Whatis“unauthorizedinterference”?•  Whatare“interna4onalterrorist,extremistorcriminalassocia4ons,organiza4ons,groups”and“vitalstructuresofStates”?

•  AretheRussiansmoreconcernedabout“statesecurity”?

RecentRussianProposal

•  In2008VladislavSherstyuk,deputysecretaryoftheRussianSecurityCouncil,proposedatreatythatwouldprohibitsecretlyembeddingmaliciouscodeinacountry’scomputersforlateruseineventofhos4li4es.– Note:USDoD*nowconsideringthis!

•  Russiaalsoproposedprohibi4nga\acksonnon-combatantsystemsaswellasdecep4onincyberspace.

USResponsetoRussianProposals

•  UShasbeentocooltotheseproposals.•  USstartedmee4ngwithRussiansinlate2009andagreedtotalkatUNDisarmament&Interna4onalSecurityCommi\ee.

•  4/10USa\endedGarmischcybersecurityconf.1•  Gen.K.AlexanderofCybercommand,said“whatRussiaputforwardis,perhaps,thestar4ngpointforinterna4onaldebate.”

1.  FourthInterna.onalForumPartnershipofStateAuthori.es,CivilSocietyandtheBusinessCommunityinEnsuringInforma.onSecurityandComba.ngTerrorism,Garmisch-Partenkirchen,Munich,Germany.

Alterna4ves

•  Gen.Alexander:USshoulddevelopcounter-proposaltoRussia’sproposedtreaty.

•  Russianproposalsdidnotgaintrac4onini4ally.•  SeemsunlikelythatUSwouldagreetobanoffensivecyberweaponssoon.

•  In‘15theUNGGEandG20adoptedthisnorm:– Nocountryshouldinten4onallydamagethecri4calinfrastructureofanother.

–  ItwasoriginallyaRussianproposal.

Review

•  Background•  Conven4onsProvisions– CybercrimeOffenses–  Inves4ga4veProcedures–  Interna4onalCoopera4on

•  Reac4ontoandEvalua4onoftheConven4on•  Alterna4vestotheConven4on

CSCI 1800 Cybersecurity and Internaonal Relaons · • 4/10 US aended Garmisch cybersecurity conf.1...

Documents

CYBERSECURITY RISK DISCLOSURE AND CYBERSECURITY DISCLOSURE ... · CYBERSECURITY RISK DISCLOSURE AND CYBERSECURITY DISCLOSURE GUIDANCE ABSTRACT Cybersecurity risk disclosure has received

Suppor&ngStudentswithDisability: …learningandsupportconference.weebly.com/uploads/1/4/3/2/14328286/... · (Source:ABS)) THE)LEGAL)CONTEXT) ... Ombudsman) oNSW)Industrial)Relaons)Commission)

CSCI 1800 Cybersecurity and Internaonal Relaons · Top Incidents in 2016 Verizon Report* Incidents represen4ng more than 90% of data breaches: 1. Insider and privilege misuse 2. Cyber-espionage

Cybersecurity Industry Development · 1.000 M€ Cybersecurity local demand 2018 Cybersecurity market situation 2 54.082 79.292 2014 2018 CAGR cybersecurity (M€) 80.000 M€ Global

Cybersecurity Domains: What Comprises a …02f9c3b.netsolhost.com/blog1/wp-content/uploads/Cybersecurity...Cybersecurity Domains: What Comprises a Cybersecurity Suite? ... Tools, Hardware

Improving Critical Infrastructure Cybersecurity … Critical Infrastructure Cybersecurity Executive Order ... for improving critical infrastructure cybersecurity ... process itself,

Cybersecurity Maturity - FFIEC Home Page€¦ · · 2017-06-02FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity: Domain 1 May 2017 20 annual cybersecurity self-assessment

Cybersecurity as People Powered Perpetual Innovation 2 · cybersecurity and innovation. 2.5 Cybersecurity Cybersecurity is another highly misunderstood topic. People associate it

Scaling(Relaons(of(( Early(Type(Galaxies(in(Virgo(

Assessing Cybersecurity Risk - IIA Assessing... · GTAG / Assessing Cybersecurity Risk Key Risks and Threats Related to Cybersecurity Cybersecurity is relevant to the systems that

Club%members%aended%the%GFWC3NC%State%Summer%Mee7ng%on ... · Club%members%aended%the%GFWC3NC%State%Summer%Mee7ng%on%Saturday%(July%16,%2016)% in%Burlington,%NC.%%%Notonly%did%they%learn%alot,%butthey%also%had%some%fun!%

NATIONAL CYBERSECURITY STRATEGY III - gouvernement€¦ · NATIONAL CYBERSECURITY STRATEGY III NATIONAL CYBERSECURITY STRATEGY III MAIN STATE BODIES INVOLVED IN NATIONAL CYBERSECURITY

2015 Cybersecurity Awareness › ... › cdse › cybersecurity-awareness.pdf• Cybersecurity Awareness, CI130.16 • Information Assurance/Computer Network Defense Information Sharing,

Cybersecurity Dynamics - University of Texas at San Antonioshxu/socs/hotsos-poster-cybersecurity-dynamics.… · Cybersecurity Dynamics: A Foundation for the Science of Cybersecurity

Cybersecurity 5 improving cybersecurity

Cybersecurity Test and Evaluation Process Sponsored Documents/Cybersecurity... · Program Office Implementation Plan must include cybersecurity ... – Ensures cybersecurity is part

Critical Cybersecurity Questions Cybersecurity... · Critical Cybersecurity Questions 1 • How do you measure successful cybersecurity efforts? • Who is accountable for cybersecurity?

China's New Cybersecurity Law and U.S-China Cybersecurity

SIFMA Cybersecurity - SMALL FIRMS CYBERSECURITY GUIDANCE ... · CYBERSECURITY SMALL FIRMS CYBERSECURITY GUIDANCE ... the best practices in this guide in a risk-based, ... VULNERABILITY

CSCI 1800 Cybersecurity and Internaonal Relaonscs.brown.edu/courses/csci1800/static/files/lectures/Lect08... · CSCI 1800 Cybersecurity and Internaonal Relaons ... The Onion Router