Embed Size (px)
Citation preview
PRIVACY AND CYBER CRIME INSTITUTE
International Comparison of Cyber Crime
by
Avner Levin (Director)
Daria Ilkina (Research Associate)
March 2013
PRIVACY AND CYBER CRIME INSTITUTE
1
Table of Contents
Executive Summary ........................................................................................................................ 2 Introduction ..................................................................................................................................... 3 Background – Unilateral, Bilateral and Multilateral Approaches – A Brief Overview .................. 4
The United Nations (UN)............................................................................................................ 7 The Council of Europe (Budapest Convention).......................................................................... 8
The Organisation for Economic Co-operation and Development (OECD) ................................ 9
The North Atlantic Treaty Organization (NATO) ...................................................................... 9 Asia Pacific Economic Cooperation (APEC) ............................................................................. 9 The Virtual Global Taskforce (VGT) ....................................................................................... 10 Strategic Alliance Cyber Crime Working Group (SACCWG) ................................................. 11
Country-Specific Analysis ............................................................................................................ 12 Australia .................................................................................................................................... 12
New Zealand ............................................................................................................................. 14 United Kingdom........................................................................................................................ 16 United States of America .......................................................................................................... 18
Federal Republic of Germany ................................................................................................... 20 French Republic ........................................................................................................................ 23
Republic of Finland................................................................................................................... 24
Norway ...................................................................................................................................... 27
Russian Federation .................................................................................................................... 30 China ......................................................................................................................................... 33 Summary ................................................................................................................................... 35
Cyber-organizations similar to NAV CANADA .......................................................................... 36 Recommendations and applicability to the Canadian approach ................................................... 36
Conclusions ................................................................................................................................... 37 References ..................................................................................................................................... 39 Appendix 1. Eleven countries covered in this report (including Canada) on the world map. ...... 50
PRIVACY AND CYBER CRIME INSTITUTE
2
Executive Summary
This report compares Canada’s international partners and several other countries on measures
related to cyber-crime. The main findings are as follows:
Countries distinguish in their policy and strategy documents between cyber-crimes,
which are the domain of law enforcement agencies, and cyber-attacks which are
increasingly the domain of the military.
Canada’s international partners have turned their focus from the prevention of cyber-
crime to the protection of critical national infrastructure from cyber-attacks.
In order to cooperate effectively with its allies Canada must also focus on the protection
of critical national infrastructure. However, the risk of this focus is the loss of
cooperation with non-traditional allies, such as Russia and China, on the prevention of
cyber-crimes.
European countries and the US allow for warrant-less access to electronic information in
order to prevent both cyber-crime and cyber-attacks. Other countries do not acknowledge
this possibility publicly.
The need for, and practice of, warrant-less lawful access or warrant-less lawful intercept
is moot in Canada, given recent policy decisions to abandon such legislation.
Countries have not attempted the creation of a ‘Nav-Canada’ type of agency (private-
sector, not-for profit) to implement their cyber-security strategies.
Agencies to combat cyber-crime or cyber-attacks are typically created as an
organizational part of the existing law enforcement or military structure.
PRIVACY AND CYBER CRIME INSTITUTE
3
Introduction
This study is a follow-up to a previous Privacy and Cyber Crime Institute’s research project
“Securing Cyberspace: A Comparative Review of Strategies Worldwide”1 conducted for Public
Safety Canada and carried out in November 2011 – March 2012. The report on that research
identified the general challenges of developing cyber security strategies in various countries and
offered a comparison of the approaches taken around the world to secure cyberspace on national
and international levels. This report focuses more on the applicability of the international
approaches to the Canadian environment and on any best practices that could help Canada
address the issue of combatting cyber crime and securing national cyberspace.
Subject to the project’s timeline this report attempts to address not only Canada’s key partners
but other countries as well. Thus, the research is focused on ten countries, including European
Union (EU) Member States, New Zealand, Australia, Russia, China and the United States. The
primary research method is the review and analysis of public policy documents and other non-
classified materials.
The report is structured by country, and for each country the following research questions are
addressed:
1. Is there, among Canada’s partners, a distinction between cyber-crimes (conducted by
traditional criminal elements) and cyber-warfare (conducted by national or quasi-national
agencies)?
2. Are Canada’s international partners focused on the prevention of cyber crime or are they
focused on cyber warfare?
3. Does the distinction, to the extent that it exists, matter for the formulation of an effective
Canadian strategy?
4. Does the distinction have an impact on the use and formulation of a legal framework for,
and the actual use of, warrant-less law enforcement activity?
5. What are the best practices employed by Canada’s partners in their approach to
combatting cybercrime and how can these be applicable to Canada’s environment.
6. Do cyber organizations similar in scope and mission to Nav Canada exist in other
countries, and would such an organization fit and assist Canada’s cyber-security strategy?
1 Levin, A. (2012). Securing Cyberspace: A Comparative Review of Strategies Worldwide.
http://www.ryerson.ca/tedrogersschool/privacy/documents/Ryerson_cyber_crime_final_report.pdf.
PRIVACY AND CYBER CRIME INSTITUTE
4
Background – Unilateral, Bilateral and Multilateral Approaches – A Brief
Overview
In order to set the stage for the discussion of the individual countries that follow it is important to
note that most countries do not act unilaterally on issues related to cyber-space (and indeed on
any issue with international aspects). However, countries do act traditionally, by definition, on
domestic issues within their jurisdiction. Part of the difficulty of formulating cyber-strategies and
cooperating in cyberspace is that it is not always clear whether a threat to computers or networks
or to personal information is domestic, or international, in origin.
To illustrate this difficulty, consider the following “Origins of Hacks” map, provided by the
NCC Group. The map portrays the top ten countries in the third quarter of 2012 that served as
the point of origin of an attack on another computer (a ‘hack’ or ‘cyber-attack’)2. Some of these
attacks, no doubt are aimed at computers and networks in other countries, but others are aimed at
computers within the country. Each of these countries, and indeed each and every country that
participates in cyberspace, faces the same challenge of attempting to formulate courses of action
that integrate both domestic authority and international cooperation.
Figure 1. Origins of hacks based on the data from the 3
rd quarter of 2012 (from the latest published report
by NCC Group)3.
2 While the positions of the countries on this list change, it is worth noting that United Stated, China and Russia
were consistently reported as the top three countries where the most of the cyber attacks originated every quarter of
2012. 3 NCC Group’s quarterly Origin of Hacks report for the third quarter of 2012 – “Hacking attempts to exceed one
billion in the final quarter of 2012”: http://www.nccgroup.com/media/169256/origin_of_hacks_q3_2012.pdf. The
map is based on intrusion detection logs monitored by DShield.
PRIVACY AND CYBER CRIME INSTITUTE
5
With limited domestic resources,4 lack of inter-jurisdictional cooperation, and lack of regulatory
enforcement in cyberspace,5 countries have attempted to increase cooperation with other
countries and within international treaties. Below is a figure that shows the countries (in scope of
this study) that partnered on a bilateral basis to combat cybercrime.
Figure 2. Bilateral agreements and open dialogs between countries to combat cybercrime.
Some of the notable bilateral engagements in combatting cyber-crime referred to in this figure
include:
United States – Australia: In 1951 the Australia, New Zealand, United States Security
Treaty (ANZUS) was signed to cooperate on military defence matters in the Pacific
Ocean. The Treaty is an alliance of three countries built on separate bilateral bonds – one
between United States and Australia and another between Australia and New Zealand.
Since 1985 New Zealand has been an inactive member of the Treaty and the meetings are
being held only between U.S. and Australia’s officials. In 2011 a new clause was added
to ANZUS, which specifies that it will also apply to the cyberspace.
4 Deloitte. (2010). Cyber Crime: A Clear and Present Danger: Combating the Fastest Growing Cyber Security
Threat. New York: Deloitte Development LLC. 5 Smyth, S.M. (2012). Economic Impact of Cyber Threats and Attacks. Version 2.0, published on January 30
th, 2012.
Simon Fraser University.
PRIVACY AND CYBER CRIME INSTITUTE
6
New Zealand – Australia: New Zealand has recently moved from observer status to
membership in Australia’s Counter-Terrorism and Emergency Management Committees.
In a recent joint statement it was agreed that both countries will work together in the
cyber incident response area to ensure that networks of national importance remain
resilient to cyber intrusions.”6
New Zealand – United Kingdom: New Zealand and the United Kingdom are preparing
an agreement in which the two countries will share intelligence, research and
development on internet offences, and will draw common strategic goals.7
China – France: The China-France Joint Working Committee on Information
Technology and Communications.8
United States – China: bilateral discussions on cooperation in the Cybersecurity China
Institute of Contemporary International Relations (CICIR, China) and the Center for
Strategic and International Studies (CSIS, United States) started in 2009 and the
respected organizations have held six formal meetings on cyber security since that time.
Over the years the parties have reached some areas of agreement and shared views on
issues such as risk of “third-party” non-state actors (i.e., terrorist groups), and views on
cooperation against cyber crimes such as fraud and child pornography. However, there
are still some areas of disputes. For instance, China proposed an agreement on “no-first-
use” (i.e., an agreement not to take the first step in cyber-warfare) between major cyber
powers and a prohibition of cyber attacks against purely civilian targets. Meanwhile, the
U.S. indicated that “the line between civilian and military is blurred, but the concept of
the protection of civilians can be found in the Geneva and Hague conventions, which
CSIS proposes that all nations agree to observe in cyberspace”.9 Furthermore, the parties
discuss what behaviours could be considered cyber attack or cyber war. So far they
agreed that the stakes should be high; however, they still need to define the duration and
effects of cyber actions that could be regarded as cyber attacks. We have yet to observe
what turn the international dialog on cyber security between the two countries will take in
light of the recent report from the U.S.-based cyber threat analysis agency Mandiant that
exposed a series of cyber attacks from China on United States, the accusations that where
later denied by Chinese officials.10
6 Joint Statement by Prime Ministers Key and Gillard: February 2013: http://www.pm.gov.au/press-office/joint-
statement-prime-ministers-key-and-gillard-february-2013 7 ONE News, “UK, NZ to work together on cyber security”: http://tvnz.co.nz/politics-news/uk-nz-work-together-
cyber-security-5318736. 8 Mentioned in “Global Cyber Deterrence: Views from China, the U.S., Russia, India, and Norway” (2010).
http://www.ewi.info/system/files/CyberDeterrenceWeb.pdf 9 CSIS – CICIR Joint Statement from June 15
th, 2012.
10 http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
PRIVACY AND CYBER CRIME INSTITUTE
7
Furthermore, there is a bilateral China-US engagement “On Cybersecurity Cooperation
Against Spam” since 2011.11
The objectives of this cooperation include: (1) establishing
a genuine dialogue between the subject matter experts and stakeholders from the two
countries; (2) develop common understanding of each other’s perspectives; (3) agree on
international policy for reducing spam in cyberspace.
United States – Canada: cyber security cooperation is part of the action plan Beyond the
Border: A Shared Vision for Perimeter Security and Economic Competitiveness between
the two countries.12
United Kingdom – India Both countries announced in 2013 that the countries will sign
an agreement on cyber security issues this year, which should improve personal data
protection and increase the stored amount of United Kingdom’s data on Indian servers.13
As to international agreements, there are many international bodies that aim to regulate
cyberspace. Among the prominent initiatives are that of the United Nations (UN) and the
Council of Europe (also known as the Budapest Convention). Most of the European countries are
signatories to the Council of Europe Convention on Cybercrime and assign greater focus on
multilateral regional alliance rather than on establishing bilateral cooperation with some select
countries. The Council of Europe Convention on Cybercrime was the first international treaty
that focused on legal procedures to address the acts of criminal behaviour against computer
systems and networks. Apart from the 45 members of the Council of Europe, the Budapest
Convention has been adopted by Canada, Japan, South Africa and the United States.
The United Nations (UN) The UN attempts to govern cyberspace through the International Telecommunications Union
(ITU) and the regulations created by the ITU (ITRs). The United Nations Office for Drugs and
Crime (UNODC) is also concerned with cybercrime. ITRs concerning cyberspace were adopted
initially in 1988.14
A resolution on computer crime legislation was adopted in 1990, at the 8th
U.N. Congress on the Prevention of Crime and the Treatment of Offenders in Havana, Cuba. In
2000 Resolution 55/63 on combating the criminal misuse of information technologies was
adopted by the General Assembly, and it includes the following statements:
- “States should ensure that their laws and practice eliminate safe havens for those who
criminally misuse information technologies.”
11
EastWest Institute. (2011, February 23). Fighting Spam to Build Trust.
http://www.maawg.org/system/files/China-U.S.%20Bilateral%20Against%20Spam-Rauscher,%20Zhou-2.pdf 12
Government of Canada, Canada’s Economic Action Plan. (2013). Beyond the Border.
http://actionplan.gc.ca/en/content/beyond-border 13
http://www.telegraph.co.uk/news/politics/9879272/David-Cameron-to-strike-cybercrime-deal-with-India.html 14
ITU 2013: http://www.itu.int/en/wcit-12/Pages/overview.aspx
PRIVACY AND CYBER CRIME INSTITUTE
8
- “Legal systems should protect the confidentiality, integrity, and availability of data and
computer systems from unauthorized impairment and ensure that criminal abuse is
penalized.”
This was followed by Resolution 56/121 in 2001, and by the launch in 2007 of the Global
Cybercrime Agenda (GCA) by the ITU.15
In 2010 the General Assembly adopted Resolution
65/230 that proposed to establish “an open-ended intergovernmental expert group to conduct a
comprehensive study of the problem of cybercrime and responses to it by the Member States, the
international community and the private sector, including the exchange of information on
national legislation, best practices, technical assistance and international cooperation, with the
view to examining options to strengthen existing and to propose new national and international
legal or other responses to cybercrime”16
The latest amendments (“Final Acts”) were added to the ITR at the recent World Conference on
International Telecommunication held in Dubai in December 2012 (WCIT-12). 89 countries
were signatories to the Final Acts17
. Among the countries covered in this report, only Russia
signed the amendments, and the Dubai amendments were widely portrayed as attempts by Russia
and its allies to wrest control over the internet from the United States.18
The Council of Europe (Budapest Convention) The Council covers Europe as well as Russia. Canada and the US are Observer States. In 1997
the Council established a Committee of Experts on Crime in Cyber-space, and in 2001 the
Council adopted the Convention on Cybercrime, known as the Budapest Convention. Russia
objects to certain Convention provisions, which allow for what Russia considers extra-
jurisdictional exercises of power that amount to interference in a country’s internal affairs.
According to some reports over 100 nations are using the Council of Europe Convention as the
basis for domestic legislation to combat the threat of cybercrime.19
So far 35 countries are a party
to the Convention.
Other prominent organizations include the OECD, NATO and APEC.
15
Schjolberg, S., Cybercrime Law. Global organizations: ICTC. (2013).
http://www.cybercrimelaw.net/documents/ICTC.pdf 16
Schjolberg, S., Cybercrime Law. Global organizations: UN. (2013). http://www.cybercrimelaw.net/un.html 17
Signatories of the Final Acts: 89. http://www.itu.int/osg/wcit-12/highlights/signatories.html 18
See e.g., http://www.theglobeandmail.com/technology/debate-over-internet-regulations-future-rages-at-dubai-
meeting/article6016228/ 19
The Hon Nicola Roxon MP. (2012). New Laws in the Fight Against Cyber Crime.
http://parlinfo.aph.gov.au/parlInfo/download/media/pressrel/1867175/upload_binary/1867175.pdf;fileType=applicat
ion%2Fpdf#search=%22cyber%20crime%22
PRIVACY AND CYBER CRIME INSTITUTE
9
The Organisation for Economic Co-operation and Development (OECD) The OECD was the first international organization that initiated guidelines for computer crime.
20
By its nature the OECD does not establish treaties, and it is devoted to the promotion of a global
coordinated policy approach. The OECD established a Task Force on Spam in 2004 The OECD
Working Party on Information and Privacy (WPISP) develops international guidelines on cyber
security and in 2002 published a document titled “Security of Information Systems and
Networks: Towards a Culture of Security.” In 2008 it released “Scoping paper on online Identity
theft” a report with some recommendations on how to fight identity theft (this document also
suggested to recognise identity theft as a separate offence in criminal laws.) It was followed up
in 2009 by the “OECD Policy Guidance on Online Identity Theft” report.
The North Atlantic Treaty Organization (NATO) By virtue of its mandate NATO focuses more on cyber-attacks carried by countries or national
elements against NATO members. NATO’s Senior Civil Emergency Planning Committee
(SCEPC) assists NATO members in the protection of civilian populations from terrorist attacks
against critical infrastructure and is also responsible for coordinating the civil critical
infrastructure. NATO’s Civil Communication Planning Committee (CCPC) is responsible for the
electronic public and non-public communication infrastructures, and has published several
papers on civil communications infrastructures. NATO’s Civil Protection committee (CPC) has
initiated work on critical infrastructure protection, and developed a Critical Infrastructure
Protection Concept Paper in 2003. NATO’s Industrial Planning Committee (IPC) has also
contributed on preventive measures for the protection of critical infrastructure. NATO
established a Centre of Excellence for Defense against Terrorism in 2008.
Asia Pacific Economic Cooperation (APEC) The deliberations of APEC are important in this and other multinational areas since it brings
together the US, Canada, China and Russia. In 1990 APEC established its Telecommunications
and Information Working Group (TEL) that works in turn through three groups: the
Liberalisation Steering Group (LSG), the ICT Development Steering Group (DSG) and the
Security and Prosperity Steering Group (SPSG). SPSG’s scope covers the promotion of security,
trust and confidence in networks/ infrastructure/ services /technologies / applications / e-
commerce; oversight of Computer Emergency Response Teams (CERTs) and Computer Security
Incident Response Teams (CSIRTs); the issues of Spam, Spyware and Cybercrime prevention;
the development of human resources and capacity in order to combat cybercrime and implement
effective cyber security awareness initiatives; and the facilitation of business through discussions
with the private sector on promoting security, trust and confidence in the use of ICT for business
20
Schjolberg, S., Cybercrime Law. Global organizations: OECD. (2013).
http://www.cybercrimelaw.net/OECD.html
PRIVACY AND CYBER CRIME INSTITUTE
10
and trade.21
Of these, the e-Security Task Group created in 2003 a Cybercrime Legislation &
Enforcement Capacity Building Project.
Two other multinational organizations should also be mentioned. The Organization of American
States (OAS) to which both Canada and the US belong, has a Department of Legal Cooperation
that offers an “Inter-American Cooperation Portal on Cyber-Crime”.22
OAS agreed in 2003 to a
“Comprehensive Inter-American Cyber-security Strategy: A multidimensional and
multidisciplinary approach to creating a culture of Cyber-security.”
The Shanghai Cooperation Organization (SCO) is an organization of Russia, China and several
former Soviet republics. These countries have entered into the Shanghai Convention on
Combating Terrorism, Separatism and Extremism. SCO has also issued several related
statements: The Yekaterinburg Declaration of 2009 mentioned information security as one of the
main priorities in a common system of international security. In 2012 SCO’s Heads of State
Council meeting in Beijing stated: “The SCO will stand firm to fight against terrorism,
separatism and extremism as well as international cybercrime”.23
Sometimes international cooperation against cyber crime is established with a very particular
goal and not just on a national level but between specific governmental agencies. An example of
such organization is The Virtual Global Taskforce (VGT)24
.
The Virtual Global Taskforce (VGT) VGT is an alliance of international law enforcement agencies and private sector partners working
together to combat online child sexual abuse. Specifically, the VGT comprises the Australian
Federal Police as Chair, the Child Exploitation and Online Protection Centre in the UK, the
Royal Canadian Mounted Police, the US Department of Homeland Security, INTERPOL, the
Italian Postal and Communication Police Service, the Ministry of Interior for the United Arab
Emirates, the New Zealand Police and Europol.25
One more particularly notable international organization against cyber crime is Strategic
Alliance Cyber Crime Working Group.
21
APEC Secretariat. (2013). Security and Prosperity Steering Group. http://www.apec.org/Groups/SOM-Steering-
Committee-on-Economic-and-Technical-Cooperation/Working-
Groups/~/link.aspx?_id=9B069F4965064DBCA12D209BCA4E3234&_z=z 22
Inter-American Cooperation Portal on Cyber-Crime. (2011). http://www.oas.org/juridico/english/cyber.htm 23
http://www.fmprc.gov.cn/eng/zxxx/t939149.htm 24
Virtual Global Taskforce Official Website http://www.virtualglobaltaskforce.com/ 25
Australian Federal Police. (2012). Virtual Global Taskforce. http://www.afp.gov.au/policing/cybercrime/virtual-
global-taskforce.aspx
PRIVACY AND CYBER CRIME INSTITUTE
11
Strategic Alliance Cyber Crime Working Group (SACCWG) SACCWG was assembled in 2006. It is a special unit consisting of five law enforcement
agencies (see Fig. 4): The Australian High Tech Crime Centre (AHTCC), FBI (USA), New
Zealand Police, Royal Canadian Mounted Police, and Serious Organised Crime Agency (United
Kingdom).26
Figure 3. The Strategic Alliance Cyber Crime Working Group. (Source: FBI.gov).
Over the last five years several countries repeatedly tried to initiate discussion about the need for
common international Cyberspace Treaty, suggesting that bilateral and regional agreements are
not enough to secure cyberspace and prevent cyber-war.
26
Australian Federal Police. (2007). The fight against transnational cyber crime.
http://www.afp.gov.au/~/media/afp/pdf/6/6-7-the-fight-against.ashx
PRIVACY AND CYBER CRIME INSTITUTE
12
Country-Specific Analysis
This section of the report addresses the country-specific research questions, beginning with
Canada’s traditional partners for international cooperation (the “Anglosphere”) and then moving
to several other countries of significance in cyber-space.
Australia In 2012 Norton claimed that more than 5.4 million Australians were victims of cyber-crime – a
quarter of the country’s total population; those crimes cost Australia $1.65 billion over that year,
and the Australian Government expected cyber-crime costs to stay above $1 billion a year for the
foreseeable future.27
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
Both terms “cyber crime” and “cyber attack” are mentioned in Australian policy documents in
different contexts; thus, the distinction is apparent, even though there is no clear definition
provided for either of the terms.
Where is the Focus?
Australian Government's Cyber Security Strategy was launched on 23 November 2009, as an
outcome of the E-security Review 2008. The strategy articulates a number of strategic priorities,
among which on the first place is “Threat Awareness and Response” set to “improve the
detection, analysis, mitigation and response to sophisticated cyber threats, with a focus on
government, critical infrastructure and other systems of national interest”. Other priorities
include educating the Australians with information and practical tools to protect themselves
online, cooperate with businesses to promote cyber security, promote the development of a
skilled cyber security workforce, model best practice in the protection of government ICT
systems, and promote a secure global electronic operating environment that supports Australia's
national interests. “Legal and Law Enforcement” is one of the last objectives identified in
Australian Cyber Security Strategy, and it is set to “maintain an effective legal framework and
enforcement capabilities to target and prosecute cyber crime”. A new cyber security centre will
be established in Australia by the end of 2013.28
27
The Hon Brendan O'Connor MP, Minister for Home Affairs and Justice. (2011). Media Release on 07/29/2011: A
national protocol for investigating cyber crime.
http://parlinfo.aph.gov.au/parlInfo/download/media/pressrel/985452/upload_binary/985452.pdf;fileType=applicatio
n/pdf#search=%22cyber%20crime%22 28
Packham, B. (2013). Julia Gillard announces cyber security centre, warning a long fight lies ahead.
http://www.theaustralian.com.au/national-affairs/defence/julia-gillard-announces-cyber-security-centre-warning-a-
long-fight-lies-ahead/story-e6frg8yo-1226559907481
PRIVACY AND CYBER CRIME INSTITUTE
13
In our opinion, this order of priorities indicates that the main focus of the Australian Government
is at securing the national critical infrastructure and people from cyber attacks.
The Law and the need for Warrants
The Ministry for Home Affairs and Justice and the Police are the authorities responsible for
cyber-crime. The Ministry released the Protocol for Law Enforcement Agencies on Cybercrime
Investigations in 2011. The protocol provides a cyber-crime investigation matrix that outlines the
most appropriate agencies to deal with particular types of complaints, and provide specific
arrangements for sharing information to cyber crime investigations between jurisdictions.29
The Cybercrime Act states the following offences:
477.2. Unauthorised modification of data to cause impairment: 10 years
imprisonment.
477.3. Unauthorised impairment of electronic communication: 10 years
imprisonment.
478.1. Unauthorised access to, or modification of, restricted data: 2 years
imprisonment.
478.2. Unauthorised impairment of data held a computer disk: 2 years
imprisonment.
478.3. Possession or control of data with intent to commit a computer offence: 3
years imprisonment.
478.4. Producing, supplying or obtaining data with intent to commit a computer
offence: 3 years imprisonment.30
Australia acceded to the Budapest Convention and new law enforcement measures had to be
introduced as part of the joining the Convention, the Cybercrime Legislation Amendment Bill,
which came into force in Fall 2012.31
One of those measures will allow other countries on the
Council to serve notices to Australian ISPs requiring them to store 180 days of web data for
targeted users, and at a later stage the foreign countries can obtain a warrant to take receipt of the
recorded information. Further changes have been proposed but not yet implemented, perhaps for
political reasons.32
29
The Hon Brendan O'Connor MP, Minister for Home Affairs and Justice. (2011). Media Release on 07/29/2011: A
national protocol for investigating cyber crime.
http://parlinfo.aph.gov.au/parlInfo/download/media/pressrel/985452/upload_binary/985452.pdf;fileType=applicatio
n/pdf#search=%22cyber%20crime%22 30
It is worth noting that every computer related crime is punishable by imprisonment; there is no mention of
alternative penalties such as paying a fine. 31
Parliament of Australia: Cybercrime Legislation Amendment Bill 2011.
http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r4575 32
Protect Us, But Respect US! Petition: http://www.getup.org.au/campaigns/privacy/protect-us-but-respect-us-
widget/protect-us-but-respect-us
PRIVACY AND CYBER CRIME INSTITUTE
14
The expected changes include extending the period of time between interception and obtaining a
warrant, mandatory data retention, surveillance of social networks, and criminalization of
encryption. Under the proposed law, ISPs, search engines and social networks, and other
websites are required to store all the information for 2 years, which could be accessed without a
warrant by the Australian Security Intelligence Organization (ASIO). ASIO will have a right to
demand personal passwords to access this data and to deny providing this information would be
illegal. Moreover, ASIO would also have a legal right to access any computer without a warrant
if that computer is somehow connected to the computer of a person who’s being suspected of a
crime.33
New Zealand According to 2010 data, 70% of New Zealand adults have been the targets of some form of
cyber-crime, with the most common complaints being computer scams, fraud and
viruses/malware.34
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
The difference between “cyber-crime” and “cyber-attack” is defined in New Zealand’s Cyber
Security Strategy as follows:
Cyber-attack – An attempt to undermine or compromise the function of a computer-based system,
access information, or attempt to track the online movements of individuals without their
permission.
Cyber-crime (or computer crime) – Any crime where information and communication technology
is: 1) used as a tool in the commission of an offence; 2) the target of an offence; 3) a storage
device in the commission of an offence.
In New Zealand some of the most common examples of cyber-crime include fraud, identity theft
and organised crime.
Where is the Focus?
The distinction between cyber-crime and cyber-attacks was important in formulating the Cyber
Security Strategy. A cyber-attack can be classified as a computer or cyber-crime, yet from New
Zealand’s Cyber Security Strategy it is evident that the following cyber threats require a special
33
Le May, R. (08/02/2012). “Privacy fears as surveillance law reviewed”.
http://www.theaustralian.com.au/news/breaking-news/privacy-fears-as-surveillance-law-reviewed/story-fn3dxiwe-
1226423605766 34
New Zealand’s Cyber Security Strategy 2011, with the reference to Norton Cybercrime Report 2010: The Human
Impact, and New Zealand Police – 2011.
PRIVACY AND CYBER CRIME INSTITUTE
15
response and are more serious than domestic crimes: cyber-espionage, hacktivism and terrorist
use of the Internet. The highlighted difference from regular cyber-crimes is that the targets of
these attacks are not individuals or private organizations, but government systems, critical
national infrastructure and “businesses that have resulted in access to commercially sensitive
information, intellectual property and state or trade secrets”. Therefore, the Cyber Security
Strategy is formulated particularly with the key objectives “to improve the level of cyber-
security across government [and] for critical national infrastructure and other business”.
Protecting government systems and information is one of the main priorities in addition to
increasing awareness about cyber threats and improving incident response and planning.
The Law and the need for Warrants
The following offences are identified as “crimes involving computers” and are subjected to
punishment according to Crimes Act:
Section 249 – “Accessing computer system for dishonest purpose”:
o Every one is liable to imprisonment for a term not exceeding 7 years for accessing
computer system, dishonestly or by deception, in order to obtain any property,
privilege, service, pecuniary advantage, benefit, or valuable consideration; or to
cause loss to any other person. The intent to access computer system is also
punishable – by imprisonment for up to 5 years.
Section 250 specifies imprisonment for a term not exceeding 10 years to everyone who
intentionally damages or alters any computer system “if he or she knows or ought to
know that danger to life is likely to result”. Any damage to computer system, interference
with data without authorisation, causing computer system to fail or deny service to any
authorised user is punishable by imprisonment for up to 7 years.
Section 251 Making, selling, or distributing or possessing software for committing a
crime – imprisonment for up to 2 years.
Section 252 Accessing computer system without authorisation – punishable by up to 2
years of imprisonment.
Similar to Australian legislation, every computer related crime in New Zealand is punishable by
imprisonment, and there is no mention of any alternative penalties, e.g. paying a fine.
In 2012 New Zealand passed the Search and Surveillance Act.35
The Act unified the powers that
previously were scattered across roughly 70 agencies. The Secret Intelligence Service and the
Government Communications Security Bureau are still governed by their own legislation.36
Under the Act police can complete some forms of surveillance and searches without warrants,
35
The Parliament of New Zealand. (2012). Search and Surveillance Act 2012, reprint from 1st October 2012: full
text available at http://www.legislation.govt.nz/act/public/2012/0024/latest/DLM2136536.html. 36
Garrett-Walker, H. (2012). New police search and surveillance law in force.
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10837641
PRIVACY AND CYBER CRIME INSTITUTE
16
but only in emergency situations where either life could be at risk or there is a risk of destruction
of evidence.37
United Kingdom
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
The policy documents we reviewed do not offer explicit definitions for cyber-crime, cyber-attack
or cyber warfare. However, the distinction is clearly present.
In the Parliamentary Office of Science & Technology’s report “Cyber Security in the UK” two
types of cyber attacks are discussed – attacks on information infrastructure and attacks on
physical infrastructure; it is briefly explained that cyber attacks are “aimed to steal sensitive
information and data from financial, government and utilities infrastructure targets”.38
The Ministry of Defence comments on the emerging discussion about cyber war:
“There is an ongoing and broad debate regarding what ‘cyber warfare’ might entail, but it is a
point of consensus that with a growing dependence upon cyber space, the defence and
exploitation of information systems are increasingly important issues for national security. We
recognise the need to develop military and civil capabilities, both nationally and with allies, to
ensure we can defend against attack, and take steps against adversaries where necessary.”39
Where is the Focus?
The UK’s Cyber Security Strategy 2011 provides the action plan for the country to meet these
objectives by 2015, in the order of importance:
1) The UK to tackle cyber crime and be one of the most secure places in the world to do
business in cyberspace.
2) The UK to be more resilient to cyber attacks and to be better able to protect the UK’s
interests in cyberspace.
3) The UK to have helped shape an open, stable and vibrant cyberspace, which the UK
public can use safely and that supports open societies.
4) The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all
British cyber security objectives.40
37
Tech Liberty NZ. (2009). Search and Surveillance Act Threatens Privacy. http://techliberty.org.nz/search-and-
surveillance-act-threatens-privacy 38
POST Note No 389, 2011 – Cyber Security in the UK. Available for download from
http://www.parliament.uk/mps-lords-and-offices/offices/bicameral/post/publications/postnotes/. 39
Ministry of Defence. (2009). Presentation “National Cybersecurity Strategy (referencing the Cyber Security
Strategy of the United Kingdom of June 2009) 40
The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. November 2011.
http://www.carlisle.army.mil/dime/documents/UK%20Cyber%20Security%20Strategy.pdf.
PRIVACY AND CYBER CRIME INSTITUTE
17
Therefore, we can see that the British government puts greater emphasis on combatting cyber-
crime, while the objective to protect the country from cyber attacks comes second. It’s been
estimated that the UK economy suffers from a loss of £27 billion (CAD $ 42.11 billion) due to
cyber crime, annually.41
In March 2013, announcing that cyber threat became “more complex”,
the British government created a new cyber-crime unit, that has already made 19 arrests and
frozen about £500,000 in assets.42
The objective to secure the UK from cyber attacks is also taken seriously. In 2010 the
Government invested £650 million in a four-year National Cyber Security Programme (NCSP)
(see Fig.4). Around half of this funding was assigned towards enhancing the UK’s core
capability to detect and counter cyber attacks. This “core capability” is mainly concentrated in
the intelligence agency GCHQ, headquarters in Cheltenham, Gloucestershire43
. The UK Cyber
Security Strategy 2011 reported on this investment: “The details of this work are necessarily
classified, but it will strengthen and upgrade the sovereign capability the UK needs to confront
the high-end threat”.
Figure 4. The UK National Cyber Security Programme Investment 2011-2015.
44
The Law and the need for Warrants
The Computer Misuse Act (1990) describes different computer misuse offences and outlines
penalties for them: (1) unauthorised access to computer material; (2) unauthorised access with
41
HMA Blog, News Roundup of March 15, 2013. http://blog.hidemyass.com/2013/03/15/news-roundup-uk-
toughens-up-on-cyber-crime-china-offers-hacking-cooperation-and-facebook-users-sacrificing-privacy/ 42
Quotes and figures in this and the previous sentences are from the Financial Times article of March 14, 2013,
written by Hannah Kuchler – “UK launches unit to tackle cyber crime”. http://www.ft.com/intl/cms/s/0/86c9631a-
8c9e-11e2-8ee0-00144feabdc0.html#axzz2OIdMqpDc. 43
GCHQ. http://www.gchq.gov.uk/AboutUs/Pages/index.aspx 44
The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. November 2011.
http://www.carlisle.army.mil/dime/documents/UK%20Cyber%20Security%20Strategy.pdf.
PRIVACY AND CYBER CRIME INSTITUTE
18
intent to commit or facilitate commission of further offences; and (3) unauthorised modification
of computer material. The penalties vary from a fine to imprisonment from six months to ten
years depending on nature of the crime.45
The Act was expanded in 2006.46
The Regulation of Investigatory Powers Act 2000 provides a whole chapter on communications
interception, including the section on “Lawful interception without an interception warrant”
(Chapter I, Section 3).47
According to this section, communication may be intercepted without a
warrant if just one person involved in the communication has consented to the interception;
surveillance by means of this interception is authorized as well; communication interception is
also authorized if it’s related to “the prevention or detection of anything which constitutes
interference with wireless telegraphy”.48
In 2012 the Home Office drafted a new Communications Data Bill, which would authorise the
state to monitor internet communications and require communications companies to store users’
online history data for twelve months.49
Currently, the law allows access to a web user’s private
information that provides the location of a mobile phone or the identity of a user. The UK
government made almost 500,000 requests for access to such information in 2011.50
The
Minister of Security and the police claim that the proposed new bill will be essential in detecting
cyber crime; however, the Liberal Democrats oppose the adoption of the bill, saying that it could
breach civil liberties.51
United States of America The United States ratified the Council of Europe Convention on Cybercrime in 2006.
52
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
In various legal, strategic and academic documents of United States the terms cyber-crime,
cyber-attack, computer attack, electronic attack, and cyber-terrorism are coined and defined.
45
Computer Misuse Act 1990. http://www.cyberlawdb.com/docs/uk/cma.pdf 46
Police and Justice Act 2006. http://www.cyberlawdb.com/docs/uk/police.pdf 47
Regulation of Investigatory Powers Act 2000. http://www.cyberlawdb.com/docs/uk/ripa.pdf 48
Regulation of Investigatory Powers Act 2000. http://www.cyberlawdb.com/docs/uk/ripa.pdf 49
Cookson, R. (2012, December 11). Business backs Clegg on data bill. http://www.ft.com/intl/cms/s/0/033ec642-
438e-11e2-a48c-00144feabdc0.html#axzz2OIdMqpDc 50
Cookson, R. (2012). Business backs Clegg on data bill. Financial Times, December 11, 2012.
http://www.ft.com/intl/cms/s/0/033ec642-438e-11e2-a48c-00144feabdc0.html#axzz2OIdMqpDc 51
Kuchler, H. (2013, March 14). UK launches unit to tackle cyber crime. http://www.ft.com/intl/cms/s/0/86c9631a-
8c9e-11e2-8ee0-00144feabdc0.html#axzz2OIdMqpDc. 52
Council of Europe, Project on Cybercrime. (2007, March 13). Cybercrime legislation – country profile. United
States of America. http://www.cyberlawdb.com/docs/usa/usa.pdf
PRIVACY AND CYBER CRIME INSTITUTE
19
Where is the Focus?
The Department of Homeland Security operates the National Cyber Alert System and the
National Cyber Response Coordination Group – two important programs in protecting U.S. from
cyber threats. In addition, Homeland Security oversees an ongoing security exercise Cyber
Storm.
The National Cyber Security Division (NCSD) is a Department of Homeland Security
responsible for protecting cyber infrastructure. To secure cyberspace, NCSD identified two
objectives:
1) To build and maintain an effective national cyberspace response system.
2) To implement a cyber-risk management program for protection of critical
infrastructure.53
The United States Cyber Command (USCYBERCOM or CYBERCOM) was established in 2009
and is a sub-unified command subordinate to U.S. Strategic Command (USSTRATCOM).
Service Elements include Army Forces Cyber Command (ARFORCYBER); 24th
USAF; Fleet
Cyber Command (FLTCYBERCOM); and Marine Forces Cyber Command
(MARFORCYBER). The Mission Statement of USCYBERCOM states that the Command
“plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations
and defense of specified Department of Defense information networks and; prepare to, and when
directed, conduct full-spectrum military cyberspace operations in order to enable actions in all
domains, ensure US/Allied freedom of action in cyberspace and deny the same to our
adversaries”.54
The Cybersecurity Strategy for the Homeland Security Enterprise identified two strategic focus
areas for the future of cyberspace security: “Protecting Critical Information Infrastructure,” and
“Strengthening the Cyber Ecosystem”.55
Additionally, the Department of Defense (DoD) in its Strategy for Operating in Cyberspace
(adopted in July 2011) described the following five strategic initiatives for U.S. in cyberspace:
Strategic Initiative 1: Treat cyberspace as an operational domain to organize,
train, and equip so that DoD can take full advantage of cyberspace’s potential.
Strategic Initiative 2: Employ new defense operating concepts to protect DoD
networks and systems.
Strategic Initiative 3: Partner with other U.S. government departments and
agencies and the private sector to enable a whole-of-government cybersecurity
strategy.
53
NCSD (2013). http://www.dhs.gov/national-cyber-security-division 54
US Department of Defense fact sheet – 2010:
http://www.defense.gov/home/features/2010/0410_cybersec/docs/CYberFactSheet%20UPDATED%20replaces%20
May%2021%20Fact%20Sheet.pdf 55
Homeland Security. (2011, November). Blueprint for a Secure Cyber Future. The Cybersecurity Strategy for the
Homeland Security Enterprise. http://www.dhs.gov/xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf
PRIVACY AND CYBER CRIME INSTITUTE
20
Strategic Initiative 4: Build robust relationships with U.S. allies and international
partners to strengthen collective cybersecurity.
Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional
cyber workforce and rapid technological innovation.56
Generally speaking, the main focus of the American Government is to protect the U.S. from
cyber attack, and the responsibility for this is assigned exclusively to the military.
The Law and the need for Warrants
Cybercrime laws are covered in the Title 18 of the United States Code (18 U.S.C.), which is the
Criminal and Penal Code of the United States. 18 U.S.C. sets the penalties for online identity
theft, hacking, intrusion into computer systems, and child pornography.57
The Electronic Communications Privacy Act of 1986 and describes requirements for disclosures
of data, conditions for mobile tracking devices and surveillance, and interception of
communication data.58
It covers interception of wire, oral, or electronic communication and the
preservation and disclosure of stored wire and electronic communication. In 1994 the US further
modernized its lawful intercept capabilities by passing the Communications Assistance for Law
Enforcement Act.
All of the above require judicial supervision. However, since 2001 the US has engaged in
warrantless intercepts under its Foreign Intelligence Surveillance Act. The Act withstood
scrutiny in 2013.59
Federal Republic of Germany Germany ratified the Council of Europe Cybercrime Convention in 2009.
60
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
The penalties for cyber-crimes are highlighted in the Criminal Code, but there is no direct
mention or definition of the term “cyber-crime” there. However, cyber-crime is discussed (but
56
Department of Defense, USA. (2011, July). Department of Defense Strategy for Operating in Cyberspace.
Available at http://www.defense.gov/news/d20110714cyber.pdf. 57
Cybercrime Laws of the United States. Compiled October 2006 by Al Rees, CCIPS. Available at
http://www.oas.org/juridico/spanish/us_cyb_laws.pdf. 58
Department of Justice of the United States. (1986) Electronic Communications Privacy Act of 1986 (P.L. 99-508).
All the documents, amendments and bills of the Act are available at
http://www.justice.gov/jmd/ls/legislative_histories/pl99-508/pl99-508.html 59
http://www.reuters.com/article/2013/02/26/us-usa-court-surveillance-idUSBRE91P0JS20130226 60
Council of Europe. (03/09/2009). Press release 186(2009): Germany ratifies Council of Europe Cybercrime
Convention. https://wcd.coe.int/ViewDoc.jsp?id=1416299&Site=DC
PRIVACY AND CYBER CRIME INSTITUTE
21
not clearly defined) in the German Cyber Security Strategy of 2011. It is mentioned there that
national capabilities to combat cyber-crime “must be strengthened”, and in order to do it the
government “will make a major effort to achieve global harmonization in criminal law based on
the Council of Europe Cyber Crime Convention.”61
“Cyber-attacks” are defined also in the German Cyber Security Strategy:
A cyber-attack is an IT attack in cyberspace directed against one or several other IT systems and
aimed at damaging IT security. The aims of IT security, confidentiality, integrity and availability
may all or individually be compromised. Cyber-attacks directed against the confidentiality of an
IT system, which are launched or managed by foreign intelligence services, are called cyber-
espionage. Cyber-attacks against the integrity and availability of IT systems are termed cyber-
sabotage.”
Where is the Focus?
The clear definition of cyber-attacks is important in the formulation of Germany’s Cyber
Security Strategy, according to which, the government of Germany recognizes that cyber-attacks
“may have a considerable negative impact on the performance of technology, businesses and the
administration and hence on Germany’s social lifelines” and acknowledge that the threat may
come not only from abroad (foreign/external cyber threat) but also from within the country
(internal threat), and that it is very difficult to track the origin of a cyber-attack.
Cyber security is a part of Germany’s preventative security strategy, while the main priority is
the protection of critical information infrastructures. The German strategic approach is focused
on coordination and information sharing between private and public sectors of the country, and
also on coordination with foreign and international security policies – in particular, cooperation
with the United Nations, EU, the Council of Europe, NATO, the G8, the OSCE and other
multinational organizations.
In general, both Criminal Code and the Cyber Security Strategy pay special attention to
espionage and sabotage, which are identified as types of cyber-attacks in the Cyber Security
Strategy. Based on these documents, we can infer that Germany is more focused on protecting
the country from cyber attacks than on preventing cyber crime.
The Law and the need for Warrants
The German Criminal Code (as amended in 2009) lists the following:62
61
Here and further in Part 4.5 of this report the quotes are from Germany’s latest Cyber Security Strategy (edition
February 2011), available for download from Federal Ministry of Interior webpage:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/CyberSecurity/Cyber_Security_Strategy_for
_Germany.pdf?__blob=publicationFile, or from ENISA: http://www.enisa.europa.eu/media/news-items/german-
cyber-security-strategy-2011-1 62
Translation of the German Criminal Code to English provided by Prof. Dr. Michael Bohlander for the German
Federal Ministry of Justice, and available via this link: http://www.gesetze-im-internet.de/englisch_stgb/index.html.
PRIVACY AND CYBER CRIME INSTITUTE
22
Section 202a – Data espionage: Imprisonment not exceeding three years or a fine for
unlawfully obtaining data or for unauthorised access to data (Subsection 202a(2)
specifies in this and further presented in this report Sections from the Criminal Code that
the implied data is “stored or transmitted electronically or magnetically or otherwise in a
manner not immediately perceivable”).
Section 202b – Phishing: Imprisonment not exceeding two years or a fine for data
interception.
Section 202c – Acts preparatory to data espionage and phishing: Imprisonment not
exceeding one year or a fine.
Section 303a – Data tampering (unlawfully deleting, suppressing, rendering unusable or
altering data): imprisonment not exceeding two years or a fine. The attempt is punishable
too.
Section 303b – Computer sabotage: imprisonment not exceeding three years or a fine if
the damage is done to another person; imprisonment not exceeding five years or a fine if
the damage is done to another business, enterprise or a public authority. In especially
serious cases (if offender causes major financial loss, acts on a commercial basis or as a
member of a gang whose purpose is the continued commission of computer sabotage, or
through the offence jeopardises the population’s supply with vital goods or services or
the national security of the Federal Republic of Germany) penalty is imprisonment from
six months to ten years.
In 2010 the Constitutional court of Germany overturned a law from 2008 that required telecom
companies to keep communications data (logs of calls, faxes, SMS messages, e-mails and history
of internet use) for six months. The law was based on the European Union Anti-terrorism
Directive, and the discussion to overturn it occurred because many German citizens were against
this legislation fearing that their privacy would be invaded.63
The law wasn’t overturned
completely though, despite that it’s not allowed anymore to record telephone calls or read
electronic communication messages, the retention of data is still permitted. The records would
include evidence of who got in touch with whom, for how long and how often – without
requiring any evidence of wrongdoing.
A new amendment to Telecommunication Act will oblige service providers with more than
100,000 customers to allow the Federal Network Agency to automatically access data on behalf
of investigative agencies without the knowledge of providers, while smaller providers will have
to answer such requests within six hours.64
The amended has been criticized that it is not
63
BBC News. (2010, March 2). German court orders stored telecoms data deletion.
http://news.bbc.co.uk/2/hi/europe/8545772.stm 64
Private and Secure Web Surfing Blog. (2012, December 19). Lawful access to user-related telecommunication
data in Germany. http://anonymous-proxy-servers.net/blog/index.php?/archives/361-Lawful-access-to-user-related-
telecommunication-data-in-Germany.html&user_language=en
PRIVACY AND CYBER CRIME INSTITUTE
23
supported by the German constitution, and it also may undermine the rights of people to privacy
and the protection of personal data that are defined under international EU legislation.65
French Republic The increase of cybercrime in France is most often explained with the constant increase of
internet users and with the observable fact that cybercriminals are continuously evolving from
being single individuals to becoming a complex interconnected network, forming communities to
exchange expertise and knowledge on how to conduct cybercrimes and attacks efficiently.
France ratified the Council of Europe Convention on Cybercrime on January 10, 2006.
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
Cybercrime is defined in France’s Information Systems Defence and Security Strategy (2011) as
“Acts contravening international treaties and national laws, targeting networks or information
systems, or using them to commit an offence or crime.”
“Cyber-attack” is defined in the 2008 French White Paper on Defence and National Security as a
major attack, external or internal, against information systems. Cyberterrorism and cyberwarfare
are also mentioned in the White Paper as major threats that need to be not only prevented, but
also a response to such actions should be designed.66
Where is the Focus?
France’s Information Systems Defence and Security Strategy lists and explains four strategic
objectives of the county in cyberspace:
1) Become a cyber-defence world power in cyber-defence.
2) Safeguard France’s ability to make decisions through the protection of information
related to its sovereignty.
3) Strengthen the cyber-security of critical national infrastructures.
4) Ensure security in cyberspace (this involves raising public awareness and understanding
of cyber threats, improving policies, detect and block cyber attacks, and develop
international collaboration initiatives).
The strategic focus of the country is clearly directed on retaining France’s areas of sovereignty,
protecting important businesses and government from espionage on the scientific, economic and
commercial assets, protecting the nation from computer attacks. The 2008 French White Paper
65
Albertazzle, S. (2012, March 17). German high court delivers mixed verdict on lawful access rules. Steptoe &
Johnson LLP. 66
Présidence de la République. (2008). The French White Paper on defence and national security. Available at
http://www.ambafrance-ca.org/IMG/pdf/Livre_blanc_Press_kit_english_version.pdf.
PRIVACY AND CYBER CRIME INSTITUTE
24
on Defence and National Security explains that “large-scale cyber-attacks on national
infrastructures” is the biggest threat France would face over the next 15 years, which led to the
development of the Information Systems Defence and Security Strategy specifically focused on
the national defence capabilities and measures to be taken to strengthen cyber-defence.
The Law and the need for Warrants
The Penal Code of France (amended 2005) outlines the following crimes:67
Unauthorised Access to Automated Data Processing Systems – Article 323.
Violations of Personal Rights Resulting from Computer Files or Processes – Article 226.
Child pornography – Article 227.68
In 2011 France adopted a law that obliges ISPs and social networks to store personal data of the
internet users for a period of one year. The information includes “who people are, where and
when they go on the Internet, and what they are doing”69
.
Similar to the other European Member States, France is in compliance with the EU Directive on
Lawful Intercept,70
and has entered into a dispute with Skype over that company’s compliance.71
Republic of Finland Because of its inability to “respond to a large-scale cyber-attack against several vitally important
targets at the same time,”72
Finland saw a need to establish a cyber-security centre that will
improve this situation. The new Cyber Security Strategy that was adopted in early 2013 declares
that a Security Committee “will be set up to play an active role in the field of comprehensive
security [and] will act as a permanent cooperation body for contingency planning”.73
In 2012 Finland was assessed and ranked as being one of the top three countries that are most
resilient to cyber attacks, alongside with Israel and Sweden.74
The Defence Minister of Finland
67
Cybercrime Laws: France. http://www.cybercrimelaw.net/France.html 68
Chawki, M. (2005). Cybercrime in France: An overview. http://www.crime-research.org/articles/cybercrime-in-
france-overview/. 69
Manach, J.M. (2011). How France placed the internet of permanent surveillance. http://owni.eu/2011/03/18/how-
france-placed-the-internet-on-permanent-surveillance/ 70
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31996G1104:EN:HTML 71
http://www.infosecurity-magazine.com/view/31246/france-skype-go-ttette-over-lawful-intercept/ 72
Helsingin Sanomat, news report from 10/01/2012 – “Finland plans to set up national cyber security centre”:
http://www.hs.fi/english/article/Finland+plans+to+set+up+national+cyber+security+centre/1329104867405 73
Finland’s Cyber Security Strategy 2013. Available at http://www.yhteiskunnanturvallisuus.fi/. 74
Blitz, J. (2012). Israel, Finland and Sweden top for computer security. News report in Financial Times from
01/30/2012.
PRIVACY AND CYBER CRIME INSTITUTE
25
announced that the country aims “to become a global forerunner in cyber-security by 2016.”75
Following this statement, the country’s first cyber security strategy was prepared. Prior to this
document, the basic strategic goals and security measures of Finland in cyberspace were outlined
in Security Strategy for Society (2010). The new Cyber Security Strategy sets cyber security
guidelines and management approach, and stresses on the role of government and that the
cooperation with private sector is essential, because most of the Finnish critical infrastructure is
privately owned.
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
In the Criminal Code of Finland neither the term “cyber-crime” nor “cyber-attack” are used,
however there are “data and communications offences”. Payment card fraud and identity theft
are a separate criminal offence. Foreign organised crime groups specialising in payment card
fraud have been detected in Finland on a monthly basis since 2009 – either using stolen cards or
stealing data from payment cards.76
The new Cyber Security Strategy explains that a “cyber-attack can be used as a means of
political and economic pressure; in a serious crisis pressure can be exerted as an instrument of
influence alongside traditional means of military force,”77
and clearly states that securing
cyberspace against cyber-attacks is the responsibility of the military (Finnish Defence Forces),
whereas “the police are the competent authority for carrying out investigations related to cyber-
crime”.
Lukin (2012) suggested re-examining Finnish legislation to provide the country with an option to
engage in cyber-war – to use cyber attack in case of cyber conflict; some concerns where
expressed about the fact that current legislation doesn’t permit the usage of cyber attack against
other countries as part of national protection.78
Where is the Focus?
It is clear from the new Cyber Security Strategy that the Finnish government attributes a great
importance on securing the key businesses, crucial governmental institutions and critical
infrastructure providers from cyber-attacks that pose political or economic threat than on solving
cyber-crime or enforcing legislation.79
The main priority is to prepare for exceptional
75
Wallin, S. (2012). Finland aims to become a global forerunner in cyber-security by 2016.
http://www.europesworld.org/NewEnglish/Home_old/Article/tabid/191/ArticleType/ArticleView/ArticleID/21935/l
anguage/en-US/Default.aspx 76
Finnish Police, National Bureau of Investigation. (2013). Organised Crime in Finland.
https://www.poliisi.fi/poliisi/krp/home.nsf/pages/948D7C0222AFF54EC225779D003132C1?opendocument 77
Finland’s Cyber Security Strategy 2013. Available at http://www.yhteiskunnanturvallisuus.fi/. 78
Lukin, K. (2012). Requirements for Finland’s National Cyber Security Strategy. TUCS Technical Report No
1037, February 2012. Turku Centre for Computer Science. 79
Finland’s Cyber Security Strategy 2013. Available at http://www.yhteiskunnanturvallisuus.fi/.
PRIVACY AND CYBER CRIME INSTITUTE
26
circumstances such as a nation-wide cyber-crisis. The Cyber Security Strategy outlines the
responsibilities of current and to-be-established legislative authorities and emphasizes the co-
operation between different private and public sectors to secure cyberspace and prepare for
effective crisis management. However, the Cyber Security Strategy is not meant to establish laws
or set any legal framework; its purpose is to outline the national strategic vision. The Strategy
defines the key goals and guidelines, which are used in responding to the threats against the
cyber domain and ensure that the Strategy’s objectives are being met.80
The Government Resolution on National Information Security Strategy (2008) says that ‘by 2015
Finland will be the leading country in the world in terms of information security’ and defines the
following priorities:
Priority 1: Basic skills in the ubiquitous information society.
Priority 2: Information risk management and process reliability.
Priority 3: Competitiveness and international network cooperation.
There is a criticism among Finnish academics that Finland cannot develop uniform objectives in
IT security, because IT security leading is decentralized.81
Prior to the 2013 Strategy document
the only document comparable in scope was the 2008 Information Security Strategy, which
didn’t set an objective to protect national infrastructure from potential cyber-attacks or provide
any guidelines on how to respond to one or what authorities should be responsible for national
cyber security.
Finland doesn’t have methods developed that would be able to recognize large scale attacks
against critical infrastructure, which is probably why over the past year the focus of the
government shifted from combatting cybercrime to making an effort in planning how to protect
the country from cyber-attacks.
The Law and the need for Warrants
In Finland’s Criminal Code criminal offences committed to computers or using computer
technology are outlined as follows:
Chapter 34 – Endangerment
o Section 9a – Endangerment of data processing
o Section 9b – Possession of a data system offence device
Chapter 38 – Data and communications offences
o Aggravated message interception (imprisonment for at most three years)
o Aggravated interference with communications (imprisonment for at least four
months and at most four years)
80
Ministry of Defence of Finland – Press Release of 01/24/2013. 81
Lukin, K. (2012). Requirements for Finland’s National Cyber Security Strategy. TUCS Technical Report No
1037, February 2012. Turku Centre for Computer Science.
PRIVACY AND CYBER CRIME INSTITUTE
27
o Aggravated interference in a computer system (imprisonment for at least four
months and at most four years)
Chapter 49 – Violation of certain incorporeal rights.82
Online surveillance in Finland was increased shortly after the tragic Breivik shooting in Norway.
Police were ordered to actively monitor the Internet for evidence of extremist plots. Following an
earlier 2008 shooting in Finland a special program was launched in 2009 to put a so-called “blue
button” on any webpage – a sign that should alert authorities that a possible criminal behaviour
(or rather intention of such behaviour) has been detected on that page.
The relevant legislation is the Police Act (2005), the Act on the Processing of Personal Data by
the Border Guard (2005), the Customs Act (1994), and the Coercive Measures Act (2008).
According to the Act on the Processing of Personal Data by the Police, the Police may obtain and
record (in the special Data System for Police Matters) some personal data without a warrant in
the immediate course of an investigation, or in case of a missing or deceased person. There is no
mention of surveillance and access to communication data without a warrant if a person is not
suspected of a crime or there is no emergency/urgency or danger at stake.83
Police are entitled to receive from a telecommunications operator:
1) identification data on transmissions to a particular subscriber connection, with the consent of
the injured party and the possessor of the subscriber connection, necessary for the purpose of
investigating a violation of a restraining order or breach of domestic peace; and
2) identification data on messages transmitted from a particular mobile communications device,
with the consent of the subscriber or owner of the device, insofar as necessary for investigating a
crime where the mobile communications device or the subscriber connection used therein has
been unlawfully in the possession of another party.84
Norway The Budapest Convention on Cybercrime was ratified by Norway in 2006.
85
45,000 cyber-crimes were committed in Norway during 2012. The most targeted sectors in 2012
were military defence, oil and gas, energy, government and hi-tech industry. It’s been estimated
that Norwegian companies lost about NOK 20 billion (CAD $3.53 billion) because of cyber-
82
The information is from the Unofficial English translation of The Criminal Code of Finland. The Ministry of
Justice of Finland is using this translation and the document was retrieved from the Ministry’s website. Full text
available for download via link: http://www.finlex.fi/en/laki/kaannokset/1889/en18890039.pdf. 83
Ojala (2010) 84
Act on the Protection of Privacy in Electronic Communications (516/2004), page 26.
http://www.cyberlawdb.com/docs/finland/privacy.pdf 85
Council of Europe, Committee of Experts on Terrorism (CODEXTER): Norway.
http://www.coe.int/t/dlapil/codexter/Source/cyberterrorism/Norway.pdf
PRIVACY AND CYBER CRIME INSTITUTE
28
crimes. However, not all of the cyber-crimes are being reported, because companies are often
unaware of the attacks on their businesses.86
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
The terms “cyber-crime” and “cyber-attack” are not defined in Norwegian law or in Norway’s
National Strategy for Information Security (Nasjonal strategi for informasjonssikkerhet).
However, the term “computer crime” appears in the National Strategy for Information Security,
and “warfare against critical infrastructure” is discussed. The Strategy was adopted in 2012.
Where is the Focus?
The second chapter of the Strategy discusses the importance of ICT infrastructure and the
challenges in protecting ICT systems from breaches and unlawful use. One of the paragraphs
mentions that “warfare against critical infrastructure” is being developed in many countries, and
that it must be assumed that this warfare is sophisticated enough to pose a major threat to the
national critical infrastructure. It must be assumed that the attack will be directed against
information resources, including computer systems that control critical infrastructure and
industrial processes. While emphasizing that international cooperation on information security is
essential, it is also accentuated in the document that a country must safeguard its own national
interests in the ICT area.
To protect the country from cyber threat, the main recommendation in the Strategy for
Information Security is to continuously raise awareness among businesses and individuals that
such threat exists, and increase competence on how individuals and businesses can secure their
computer systems.
Other measures include continuing support for the Norwegian National Security Authority
(Nasjonal sikkerhetsmyndighet or NSM), which is a “cross-sectorial professional and
supervisory authority within the protective security services in Norway” that defines protective
security as actions that are aimed “to counter threats to the independence and security of the
realm and other vital national security interests, primarily espionage, sabotage or acts of
terrorism”.87
The NSM was established in 2003 and is responsible for the Security Act; Defence
Secrets Act; Defence Inventions Act; the certification of information systems and products
(SERTIT); coordinating role in preventative work and responses against IT security breaches
aimed at vital infrastructure in Norway (NorCERT); and, developing the Norwegian Computer
Network Defence (CND) strategy.
86
The Foreigner – Norwegian News in English, March 17, 2013: “Norway security officials warn of dramatic cyber
espionage increase”. http://theforeigner.no/pages/news/norway-security-officials-warn-of-dramatic-cyber-
espionage-increase/ 87
Norwegian National Security Authority (NSM). (2013). About NSM. https://www.nsm.stat.no/Engelsk-start-
side/About-NSM/
PRIVACY AND CYBER CRIME INSTITUTE
29
The Law and the need for Warrants
The Norwegian General Civil Penal Code (2005) does not define cyber or computer crimes and
the word “computer” does not even appear in the Code. Instead, the terms “electronic means”,
“technical devices” and “technical equipment or software” are used. Below are the sections from
the Civil Penal Code that can be interpreted as applying to cyber crime:
Chapter 13 – Felonies Against the General Order and Peace
o Section 145. Unlawfully obtaining data or software (fines and/or imprisonment
for up to 6 months)
o Section 145b. Making available to others someone else’s passwords or other data
that can provide access to a data system (fines and/or imprisonment for up to 6
months)
o Section 151b. Any person who by destroying, damaging, or putting out of action
any data collection or any installation for supplying power, broadcasting,
electronic communication, or transport causes comprehensive disturbance in the
public administration or in community life in general shall be liable to
imprisonment for a term not exceeding 10 years.88
Chapter 24 – Embezzlement, Theft, and Unlawful Use
o Section 262 creating, distributing, possessing, installing, or attempting these
actions with a decoding device for unauthorized access to a protected
[telecommunications] service.
Chapter 26 – Fraud, Breach of Trust and Corruption
o Section 270 – altering data or software or the result of automatic data-processing
(fines or imprisonment for up to 3 years)
A Bill was suggested as an amendment in 2009, introducing a passage on “Identity
Infringements”, and indicating that identity theft shall be punishable with a fine or imprisonment
for a term not exceeding 2 years.89
This Bill is not part of the Code yet.
According to the Criminal Procedure Act (1981), communications surveillance requires a court
order. If there is a great risk that the investigation will be impaired by delay, an order from the
prosecuting authority may take the place of a court order (Section 216 d).90
88
Note that some countries classify such offences as cyber-attacks. 89
Cybercrimelaw.net. (2013). Latest news on Cybercrime legislation from around the world:
http://www.cybercrimelaw.net/Cybercrimelaw.html 90
Council of Europe’s Committee of Experts on Terrorism (CODEXTER), 2007.
PRIVACY AND CYBER CRIME INSTITUTE
30
Russian Federation The authority in charge of solving cyber-crimes in Russia is Department “K” of the Ministry of
Internal Affairs of the Russian Federation (Russian: Ministerstvo Vnutrennikh Del or MVD). In
late 2012 MVD published their latest report with statistical data on crimes in high technologies
(covering the first half of the 2012).91
The data indicates that for that period 5696 cyber-crimes
were detected in Russia, up by almost 11% compared to the same period from 2011.92
The leading Russian computer security company Group-IB states two reasons for the rapid and
continuous increase in cyber crimes in Russia. First, the legislative system to combat cyber-
crimes is ineffective and the punishment for cyber-crimes in Russia is very mild: the sentences
for computer related crimes are either very short or suspended. Second, different hacker
organizations try to cooperate with each other to get higher profits and support their criminal
enterprises.
The most popular cyber-crimes in Russia are:
1) various online fraud activities (stealing funds from bank accounts, phishing, SMS text
messages scams, stealing payroll records using viruses, etc.),
2) spam distribution
3) DDoS-attacks.
Cyber-crime related to child pornography is a topic of special attention in Russia. In 2011 the
government launched a nationwide program “Sornyak”93
to combat with this particular type of
crime. The program is still ongoing; as a result of the investigations conducted within this
program, by September 2012 the authorities instituted 131 criminal proceedings on the basis of
material obtained in the course of the operation “Sornyak”. Based on the efforts of the “Sornyak”
program the international cooperation of 24 countries, including Russia, has been established to
fight child pornography. Canada is among the participating countries alongside with the US, UK,
Australia, Germany, Belgium, and Netherlands.94
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
91
Fontanka.ru: Technologies. (2012, September 18). В день Интернета МВД сообщает о росте
киберпреступлений (On the Internet Day MVD reported that the number of cyber crimes are increasing). Media
release, in Russian: http://www.fontanka.ru/2012/09/30/015/. 92
Открытые Системы, Новости (Open Systems Publications, News). (10/02/2012). МВД: Интернет-
мошенничество является одним из самых популярных киберпреступлений.
http://www.osp.ru/news/2012/1002/13015095/. 93
From the Russian “cорняк” – weed. 94
Fontanka.ru: Technologies. (2012, September 18). В день Интернета МВД сообщает о росте
киберпреступлений (On the Internet Day MVD reported that the number of cyber crimes are increasing). Media
release, in Russian: http://www.fontanka.ru/2012/09/30/015/.
PRIVACY AND CYBER CRIME INSTITUTE
31
Russian and Chinese authorities often use the term informationization in their strategic and
policy documents, which means “the intensive exploration and use of information resources for
social and economic development”.95
In Russia, the word “cyber” is generally used only in
media and academic publications. In the official policy documents the words “information” or
“informational” are most often used instead as in information security, informational resistance,
information space (instead of cyberspace), etc.
Even though the terms “cyber-crime” and “cyber-warfare” or “cyber-attack” do not appear in
any of the official public documents, the use of terms such as “information security”, “computer
information crime” or “computer crime”, and “informational resistance” (discussed below),
makes it clear that the government distinguishes between regular cybercrimes and cyber-warfare
(“information warfare”).96
Where is the Focus?
The Doctrine on Information Security of the Russian Federation (2000) is the main document
that outlines Russia’s national interests in the information area, which are:
1) Protection of the individual constitutional rights and freedoms related to obtaining and
use of information.
2) Raising awareness (international and within the country) about Russia’s information
policy.
3) Development of modern information technologies and information industry in the
country.
4) Protection of information resources from unauthorized access, ensuring the security of
information and telecommunication systems that are already deployed or just being set up
in Russia.97
It is clear that the main focus of this document is the digital disparity in Russia, or the
accessibility of ICT infrastructure.
In 2010 a new Military Doctrine was published in which great importance was assigned to
information security (securing the objects of informational infrastructure and strengthening
informational resistance).98
From this Doctrine it is clear that ensuring national cyber security is
the responsibility of the military. The Military Doctrine defines different types of the modern
military conflicts and states that information resistance is one of the characteristics of such
conflicts. It also explains that attacks on the objects of informational infrastructure are major
95
Levin, A. (2012). Securing Cyberspace: A Comparative Review of Strategies Worldwide. Available at
http://www.ryerson.ca/tedrogersschool/privacy/documents/Ryerson_cyber_crime_final_report.pdf 96
Information warfare is discussed in the Military Doctrine of the Russian Federation, 2010.
http://news.kremlin.ru/ref_notes/461 97
Doctrine on Information Security of the Russian Federation, 2000.
http://dehack.ru/zak_akt/npa_prezidentarf/doktrina_ib/?all 98
Military Doctrine of the Russian Federation, 2010. http://news.kremlin.ru/ref_notes/461
PRIVACY AND CYBER CRIME INSTITUTE
32
military threats to the country. According to the Doctrine, development of the information forces
and information resistance means is one of the tasks of the Russian armed forces, alongside with
the improvement of the information communication technologies across the country and in the
military, the creation of basic information management systems, and integrating these systems
with weapons control systems and automation and control networks.
In general, the emphasis put on information warfare in the Military Doctrine 2010 indicates that
the Government of the Russian Federation assigns greater focus to cyber-warfare than to cyber-
crimes. The Doctrine also informs that international cooperation is essential in the prevention of
“information war”, and that Russia is dedicated to establish international partnerships in order to
protect its information space.
The Law and the need for Warrants
The laws related to criminal offences in cyberspace are outlined in the Criminal Code (1996) and
in the Criminal-Procedural Code (2001). Chapter 28, “Computer Information Offences”, of the
Criminal Code includes:
Article 272. Illegal access to computer information.
Article 273. The creation, use and distribution of malicious software.
Article 274. Misuse of means of storage, processing or transmission of computer
information and telecommunications networks.
The internet has become a domestic political issue in Russia. In 2012 then-President Dmitry
Medvedev (now Prime Minister) suggested to create a special cyber-police force, for the
investigation of particularly technically complex crimes. This new authority is supposed to be
formed as a subdivision of the national police force and is intended to replace Department “K”,
but such an agency has not been formed yet.
The Minister of Internal Affairs, General Rashid Nurgaliyev, stated that one of the new areas of
priority for this new agency should be to combat extremism, and that MVD was developing a
legislative framework for the cyber-police to address issues of extremism on the internet.99
However, there are concerns over this initiative, voiced by human rights activists, that instead of
investigating hacker attacks and internet fraud the cyber-police will exceed its authority and
persecute ‘extremists’ who are the current government’s political opponents.100
99
According to the article in Moskovskie Novosti (Moscow News) published on February 10, 2012, by Kozlov V. –
“Authorities increase pressure on the internet”. URL: http://mn.ru/society/20120210/311282419.html. 100
By background information, ‘Police’ (or Politsiya – “полиция” in Russian) is the new law enforcement authority
in Russia; it was formed in 2011 to replace the ‘Militia’ (or Militsiya – Russian: “милиция”), which was the former
civilian police authority. One of the main objectives of the reform was to improve the public image of the law
enforcement authorities, and increase trust and confidence in the police.
PRIVACY AND CYBER CRIME INSTITUTE
33
China Recent reports by UK and US-based private information security companies and government
intelligence agencies suggest that China and Russia invest their resources in industrial espionage,
and that the risks of cyber-attacks from these two countries are very high. Law firms have been
identified as high-risk targets…101
Indeed, the international fear about the threat of cyber attacks
from People’s Republic of China is growing rapidly; meanwhile, however, China also has its
own internal concerns about protecting their cyberspace and fighting cyber crimes within the
country.
Cyber-crime v. Cyber-warfare
Does the Distinction Exist?
Chinese laws and policies do not provide a clear distinction between cyber-crime and cyber-
warfare, or clear definitions. Over the past few years, a heated discussion has been raised
between academics, private organizations and the public regarding the impact of cyber-warfare
in China. In 2009, the state journal People’s Tribune surveyed the public awareness of cyber-
warfare.102
According to the survey almost 60% of respondents believed the possibility of cyber-
warfare was very high.
Similar to Russia, China’s public policy documents use the terms “information” and
“information security” as well as “computer security.” The terms “cyber-crime” and “cyber-
attacks” are not used. Further, China’s public documents on information security and related
issues mostly date back to the 1990s and early 2000s.103
We have not been able to uncover more
recent public Chinese documents, although there have been 2011 cyber-crime amendments to the
Chinese Criminal Law, with more amendments forthcoming.104
The emphasis of the older
documents is on issues that can be classified as regular cyber-crime concerns, such as computer
viruses, as well as political concerns about ensuring the stability of the Chinese party system.105
Where is the Focus?
The Chinese government appears to pay more attention to cyber-crimes that involve damaging
the political stability and state unity rather than other cyber-criminal behaviours, such as online
101
MicroScope News, 06/07/2012. http://www.microscope.co.uk/news/2240158206/UK-legal-sector-ripe-for-cyber-
attack-warn-experts 102
People’s Tribune Journal. (2011, August 19). The survey regarding the public awareness of Cyber-warfare.
http://www.rmlt.com.cn/News/201108/201108191715587534.html. 103
No.33 Decree, Ministry of Public Security, Policy on Protecting Computer Information Network (1997; Chinese,
English translation on file); No. 63 Decree, Ministry of Public Security, Interim Policy on Financial Institutions’
Computer Information System Security (1998; Chinese, English translation on file) 104
Yong, PI New China Criminal Legislation in the Progress of Harmonization of Criminal Legislation against
Cybercrime (2011) 105
No. 51 Decree, Ministry of Public Security, Policy on Computer Virus (2000; Chinese, English translation on
file); Decision Regarding the Maintenance of Internet Security, Standing Committee of the National People’s
Congress (2000; Chinese, English translation on file)
PRIVACY AND CYBER CRIME INSTITUTE
34
fraud. We have not uncovered public documents that discuss cyber-warfare or cyber-attacks by
foreign interests.
The Law and the need for Warrants
Several Ministries regulate cyber-crime and cyber-security in China. Among them are the
Ministry of Information Industry, the Ministry of Public Security, responsible for internal
security, and the Ministry of State Security, which handles external security.
In 1999 China created the National Computer Network Emergency Response Technical
Team/Coordination Center of China (CNCERT/CC.) CNCERT/CC operates under the
administration of the Ministry of Information Industry and its main responsibilities include a
national cyber security monitoring center, operation center, assessment center, and media center,
and support for the government so it can meet relevant social and public responsibilities
regarding cyber security.
China’s Criminal Law was amended in 1997, 2000, 2009 and 2011 to refer to cyber-crimes.106
The main provisions are as follows:
Article 285a – Accessing [hacking] of computer systems in the areas of State affairs,
national defense or sophisticated science and technology
Article 285b – Obtaining of computer data and controlling of computer systems
Article 285c – Provision of programs or tools used to access or control computer systems
Article 286 – Sabotaging computer systems or data, that results in systems failure.
Chinese regulations stipulate that ISPs must record data and provide them to the authorities upon
request.107
There are no clear provisions on real-time surveillance in the regulations.108
China has not joined any of the international treaties for cyber security, although it considers
itself as having standards equal or superior to the Budapest Convention standards. China has
long viewed to Council of Europe Treaty as “regional”, and has called, with Russia, for the UN
to play a leading role in the creation of an international governance framework for the internet
and its security.
106
Yong, PI New China Criminal Legislation in the Progress of Harmonization of Criminal Legislation against
Cybercrime (2011) 107
Yong, PI New China Criminal Legislation in the Progress of Harmonization of Criminal Legislation against
Cybercrime (2011) 108
Yong, PI New China Criminal Legislation in the Progress of Harmonization of Criminal Legislation against
Cybercrime (2011)
PRIVACY AND CYBER CRIME INSTITUTE
35
Summary The table below summarizes the findings from our review of the countries above.
# Country
Is there a clear distinction
between ‘cyber-crime’ &
‘cyber-attack’ in national
legal/strategic documents?
National focus
on combatting
cyber-crimes
National focus
on securing from
cyber-attacks
Compatibility
with Canadian
goals
1 Australia YES X Significant
2 New Zealand YES X Significant
3 UK YES X Significant
4 USA YES X Significant
5 Germany YES X Significant
6 France YES X Significant
7 Finland YES X Moderate
8 Norway YES X Moderate
9 Russia YES X Moderate
10 China NO X Minimal
Table 1. Do countries differentiate the terms “cyber-crime” and “cyber-attack” and does it affect their
cyberspace security approach: do they pose greater focus on combatting cyber crimes or on protecting
from cyber attacks?
Interestingly, we have observed that most often the terms “cyber-crime” or “computer crime” are
not defined, but only inferred in the laws of some countries. However, these terms, as well as the
more explicit definitions of “cyber-attack” as an act distinct and more serious than a cyber-crime,
can be found in the national strategic documents that usually serve as guidelines for government
and sometimes the private sector.
Based on the reviewed legal documents, governments are particularly concerned with such
cyber-crimes as financial fraud, child pornography and illegal access to computer data – every
country reviewed in this report has introduced penalties for these offences. All of the countries
covered in this report are currently drafting or discussing some changes in their legislation
against cyber-crime and developing new units or agencies to address the issue of cyber-attacks.
From the reviewed policies, strategic acts and agreements, we observed a striking correlation that
once a country’s government starts to differentiate cyber-attacks from cyber-crimes, the strategic
focus in cyber security approach shifts from simply detecting and combating criminal offences in
cyberspace locally to a more complex efforts including protecting the national infrastructure
from cyber attacks, either foreign or within the country. A related shift occurs from law
enforcement agencies to the military forces in many countries.
PRIVACY AND CYBER CRIME INSTITUTE
36
Cyber-organizations similar to NAV CANADA
Our research has not uncovered private sector, not-for-profit, cyber-organizations similar in
scope and mission to the Nav Canada air traffic mission; however, a number of countries have
established (New Zealand, USA, Netherlands, Korea, China) or are in the process of establishing
(Australia109
, Germany110
, Finland111
) National Cyber Security Centres as governmental
departments that co-ordinate cooperation between private and public sectors, assist in defending
against cyber threats and raise cyber threat awareness.
Further research and policy work must be conducted to determine the viability of the Nav
Canada concept to cyber-space.
Recommendations and applicability to the Canadian approach
Canada’s Cyber Security Strategy 2010 suggests the following definition of a cyber-attack:
“Cyber-attacks include the unintentional or unauthorized access, use, manipulation, interruption
or destruction (via electronic means) of electronic information and/or the electronic and
physical infrastructure used to process, communicate and/or store that information. The severity
of the cyber attack determines the appropriate level of response and/or mitigation measures: i.e.,
cyber security.”
According to the Canadian Strategy, cyber attacks are often inexpensive, effective, low-risk, and
require only basic skills from an attacker to cause significant damage. At the same time, the
document states that sophisticated cyber criminals are turning to skilled cyber attackers to
conduct identity theft and financial fraud via cyberspace. Meanwhile, most of the other countries
reviewed in this report classify the aforementioned offences as cyber crimes, whereas cyber
attacks are considered to be only actions directed against critical national infrastructure and not
against individuals or businesses that have no significant affect on a national security.
Nevertheless, even though it seems as if the Canadian Government calls any criminal offence in
cyberspace a “cyber-attack”, there is still a clear classification of the types of cyber-crimes such
as identity theft, money laundering and extortion, child sexual abuse, cyber espionage, and
“military activities”.
A centralized Integrated Cyber Crime Fusion Centre, established by the Royal Canadian
Mounted Police, is in charge of raising the ability of the Royal Canadian Mounted Police to
109
Media release from Australian Prime Minister, Julia Gillard, from 01/24/2013: http://www.pm.gov.au/press-
office/australian-cyber-security-centre 110
Cyber Security Strategy for Germany – February 2011. 111
Finland’s Cyber Security Strategy 2013.
PRIVACY AND CYBER CRIME INSTITUTE
37
respond, using a risk-based analysis approach, to requests from the Canadian Cyber Incident
Response Centre regarding cyber attacks against Government or Canada’s critical
infrastructure.112
There appears, as yet, to be no international cyber-equivalent to a Nav Canada
which Canada may look to emulate.
With the 2013 Canadian Government decision to abandon lawful access legislation the
comparative review of other countries and their approaches is largely moot.113
Conclusions
The risks of cyber threats have proliferated in recent years due to technological advances, the
increase in prospective gains from committing cyber-crime, and the lower likelihood of
enforcement of judicial sentences. It is close to impossible to fight cybercrime exclusively on a
national level, and the lack of inter-jurisdictional and international cooperation does not facilitate
governments in their objective of securing cyberspace. As critical national infrastructures are
upgraded and brought online they become more vulnerable and exposed to malicious attacks,
which is why securing the internet is becoming a key component of Canada’s and our partners’
national security and critical infrastructure strategy.
Not all the countries reviewed in this report have established their national strategic priorities in
cyberspace and made their vision and objectives transparent and publicly available. China is
notable for its obfuscation. Some of the reasons for this are inconsistencies in cyber crime
legislation, incoherence and confusion about the responsibilities of the government agencies in
their combat against cyber crime, unclear definition of cyber crime, undefined cyber threats and
risks, and the state of ICT infrastructure development in general.
Considering the hardship in detecting cyber-crime or estimating the damage of cyber-attacks,
some countries may still have some illusions about the extent of cyber risks and possible threat to
the national infrastructure, businesses and individuals. However, there has certainly been an
increased public perception of cyber-attacks as increasing in sophistication and scope, beginning
with the cyber-attacks against Estonia and Georgia in 2007 and 2008 respectively, and
continuing with the Flame and Stuxnet malware exposure in 2011 and 2012. This increased
public concern, coupled with public accounts of classified cyber-attacks on businesses and
corporations worldwide, has led Western governments to become more concerned with
cyberspace security and to increasingly militarize their cyber-responses.
Ten years ago the discussion about international cooperation in cyberspace meant establishing
laws and agreeing on common goals to protect cyberspace from the attacks of the “third parties”
112
Canada’s Cyber Security Strategy 2010. 113
http://www.cbc.ca/news/politics/story/2013/02/11/pol-rob-nicholson-criminal-code-changes.html
PRIVACY AND CYBER CRIME INSTITUTE
38
(terrorist groups, activists, or any other nation that is not a signatory to an agreement between
parties.) Now there is heated international discussion about the need to create a global cyber
treaty much like The Treaty on the Non-Proliferation of Nuclear Weapons that will prevent
cyber-powers from engaging in cyber-war and from developing technologies for cyber warfare,
or at the very least will lead to development of “cyber war rules of engagement.”114
114
Watts, S. (2011). Proposal for cyber war rules of engagement.
http://news.bbc.co.uk/2/hi/programmes/newsnight/9386445.stm
PRIVACY AND CYBER CRIME INSTITUTE
39
References
Agence France-Presse. (2011, July 25). Finland to boost web surveillance after Norway
attacks. The Raw Story. URL: http://www.rawstory.com/rs/2011/07/25/finland-to-boost-web-
surveillance-after-norway-attacks/. Last accessed 02/15/2013.
Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). / French Network
and Information Security Agency. (2011). Information systems defence and security: France’s
Strategy. February 2011. Available in pdf in English at http://www.enisa.europa.eu/media/news-
items/Information_system_security_France_strategy.pdf. Last accessed 02/20/2013.
Albertazzle, S. (2012, March 17). German high court delivers mixed verdict on lawful
access rules. Steptoe & Johnson LLP. URL:
http://www.lexology.com/library/detail.aspx?g=877074b0-c380-4fa6-bc57-9633f3312031. Last
accessed 02/19/2013.
Altapress.ru News (03/16/2013). Операция "Сорняк": управление "К" МВД будет
активно выявлять нарушителей в Рунете в сотрудничестве с зарубежными коллегами.
URL: http://altapress.ru/story/104154. Last accessed 03/18/2013.
Anonymous Proxy Servers Blog. (2012, December 19). Lawful access to user-related
telecommunication data in Germany. URL: http://anonymous-proxy-
servers.net/blog/index.php?/archives/361-Lawful-access-to-user-related-telecommunication-
data-in-Germany.html&user_language=en. Last accessed 02/19/2013.
APEC Secretariat. (2013). Security and Prosperity Steering Group. URL:
http://www.apec.org/Groups/SOM-Steering-Committee-on-Economic-and-Technical-
Cooperation/Working-
Groups/~/link.aspx?_id=9B069F4965064DBCA12D209BCA4E3234&_z=z. Last accessed on
03/17/2013.
Asia-Pacific Economic Cooperation website. (2013). http://www.apec.org/
Australia. Cybercrime Legislation Amendment Act 2012. No. 120, 2012. Available for
download at http://www.comlaw.gov.au/Details/C2012A00120.
Australian Crime Commission. (2011). Crime Profile Series – Cyber Crime.
Commonwealth of Australia April 2011. Australian Government. Attorney-General’s
Department. Australian Customs and Border Protection Service. URL:
http://www.crimecommission.gov.au/sites/default/files/files/cyber-crime.pdf. Last accessed on
01/27/2013.
Australian Federal Police, Commonwealth of Australia. (2012). Cybercrime: Computer
forensics. Crime prevention. High tech crime. Internet fraud and scams. Virtual Global
Taskforce. URL: http://www.afp.gov.au/policing/cybercrime.aspx. Last accessed on 02/22/2013.
Australian Federal Police. (2007). The fight against transnational cyber crime. Platypus
Magazine. Edition 96, September 2007. URL: http://www.afp.gov.au/~/media/afp/pdf/6/6-7-the-
fight-against.ashx. Last accessed on 12/29/2012.
Australian Government, Attorney-General’s Department. (2013). Cyber security. URL:
http://www.ag.gov.au/RightsAndProtections/CyberSecurity/Pages/default.aspx. Last accessed
02/22/2013.
PRIVACY AND CYBER CRIME INSTITUTE
40
Australian Government. (2009). Cyber security strategy. Available in pdf at
http://www.ag.gov.au/RightsAndProtections/CyberSecurity/Documents/AG%20Cyber%20Secur
ity%20Strategy%20-%20for%20website.pdf. Last accessed 02/22/2013.
BBC News – Wales. (2011, March 24). Cyber security summit signs UK-US university
deal. URL: http://www.bbc.co.uk/news/uk-wales-12854531. Last accessed on 02/21/2013.
BBC News. (2010, March 2). German court orders stored telecoms data deletion. URL:
http://news.bbc.co.uk/2/hi/europe/8545772.stm. Last accessed 02/19/2013.
Blitz, J. (2012). Israel, Finland and Sweden top for computer security. News report in
Financial Times from 01/30/2012. URL: http://www.ft.com/intl/cms/s/0/0e626614-4ab5-11e1-
a11e-00144feabdc0.html#axzz2LmTzV3No. Last accessed on 02/13/2013.
Bowe, R., Electronic Frontier Foundation. (2012, July 17). Australian Government Moves
to Expand Surveillance Powers. URL: https://www.eff.org/deeplinks/2012/07/australian-
government-moves-expand-surveillance-powers. Last accessed 02/20/2013.
Cabinet Office, UK. (2011, November). The UK Cyber Security Strategy: Protecting and
promoting the UK in a digital world. Available at
http://www.carlisle.army.mil/dime/documents/UK%20Cyber%20Security%20Strategy.pdf. Last
accessed on 03/13/2013.
CERT Australia. (2012). Cyber Crime & Security Survey Report 2012.
Chawki, M. (2005). Cybercrime in France: An Overview. Computer Crime Research
Center. URL: http://www.crime-research.org/articles/cybercrime-in-france-overview/. Last
accessed on 03/18/2013.
CNCERT/CC. (2013). Introduction of CNCERT/CC. URL:
http://www.cert.org.cn/publish/main/34/index.html. Last accessed on 03/19/2013.
Cohn, C. (2012). UK Mass Surveillance Bill: The Return of a Bad Idea. Electronic
Frontier Foundation. URL: https://www.eff.org/deeplinks/2012/06/uk-mass-surveillance-bill-
return-bad-idea. Last accessed on 03/14/2013.
Connely, C. (2012, September 6). How cyber crimes cost Australia $1.65bn as criminals
target smartphones and social networking. News Limited Network. URL:
http://www.news.com.au/technology/how-cyber-crimes-cost-australia-165bn-as-criminals-target-
smartphones-and-social-networking/story-e6frfro0-1226466425276. Last accessed on
01/18/2013.
Cookson, R. (12/11/2012). Business backs Clegg on data bill. URL:
http://www.ft.com/intl/cms/s/0/033ec642-438e-11e2-a48c-
00144feabdc0.html#axzz2OIdMqpDc. Last accessed on 03/21/2013.
Cookson, R. (2012). Business backs Clegg on data bill. Financial Times, December 11,
2012. URL: http://www.ft.com/intl/cms/s/0/033ec642-438e-11e2-a48c-
00144feabdc0.html#axzz2OIdMqpDc. Last accessed on 03/20/2013.
Copyright.ru. (2012, February 12). На смену Управлению «К» в Интернет идет
киберполиция. Cyberpolice will replace Department “K”. Press release. URL:
http://www.copyright.ru/news/main/2012/2/13/internet_policiya_prava/. Last accessed on
01/17/2013.
PRIVACY AND CYBER CRIME INSTITUTE
41
Council of Europe. (03/09/2009). Press release 186(2009): Germany ratifies Council of
Europe Cybercrime Convention. URL: https://wcd.coe.int/ViewDoc.jsp?id=1416299&Site=DC.
Last accessed on 03/17/2013.
Council of Europe. Committee of Experts On Terrorism (CODEXTER). (2007, October).
Cyberterrorism – The Use of the Internet for Terrorist Purposes. Norway. URL:
http://www.coe.int/t/dlapil/codexter/Source/cyberterrorism/Norway.pdf. Last accessed on
01/10/2013.
Council of Europe, Project on Cybercrime. (03/13/2007). Cybercrime legislation –
country profile. United States of America. URL: http://www.cyberlawdb.com/docs/usa/usa.pdf.
Last accessed on 01/17/2013.
CSIS – CICIR (2012, June 15). CSIS – CICIR Joint Statement. Available in pdf at
http://csis.org/files/attachments/120615_JointStatement_CICIR.pdf. Last accessed on
02/22/2013.
CybercrimeData AS. (2013). Cybercrime laws from around the world. Edited by Judge
Stein Schjolberg, Norway. URL: http://www.cybercrimelaw.net/Cybercrimelaws.html. Last
accessed on 01/19/2013.
Deloitte. (2010). Cyber Crime: A Clear and Present Danger: Combating the Fastest
Growing Cyber Security Threat. New York: Deloitte Development LLC.
Departementene. (2012). Nasjonal strategi for informasjonssikkerhet – National strategy
for information security (the document is in Norwegian). URL:
http://www.regjeringen.no/upload/FAD/Vedlegg/IKT-
politikk/Nasjonal_strategi_infosikkerhet.pdf. Last accessed on 01/26/2013.
Department of Defense, USA. (2011, July). Department of Defense Strategy for
Operating in Cyberspace. Available at http://www.defense.gov/news/d20110714cyber.pdf. Last
accessed on 03/04/2013.
Department of Justice of the United States. (1986) Electronic Communications Privacy
Act of 1986 (P.L. 99-508). All the documents, amendments and bills of the Act are available at
http://www.justice.gov/jmd/ls/legislative_histories/pl99-508/pl99-508.html. Last accessed
2/25/2013.
Det kongelige justis- og politidepartement – Ministry of Justice and the Police, Norway.
(2006). The General Civil Penal Code (Straffeloven 1902), Act of 22 May 1902 No. 10 with
subsequent amendments, the latest made by Act of 21 December 2005 No. 131. Available for
download: http://www.ub.uio.no/ujur/ulovdata/lov-19020522-010-eng.pdf. Last accessed
1/21/2013.
Deutsche Welle. (2011, July 26). More online surveillance needed, officials in Europe
say. URL: http://www.dw.de/more-online-surveillance-needed-officials-in-europe-say/a-
15267792. Last accessed 02/22/2013.
Dorling, P. (2012, August 10). Roxon puts web surveillance plans on ice. The Sydney
Morning Herald, Technology News. URL: http://www.smh.com.au/technology/technology-
news/roxon-puts-web-surveillance-plans-on-ice-20120809-23x9l.html. Last accessed
02/15/2013.
PRIVACY AND CYBER CRIME INSTITUTE
42
EastWest Institute. (2011, April). Global Cyber Deterrence: Views from China, the U.S.,
Russia, India, and Norway. Edited by Andrew Nagorski. URL:
http://www.ewi.info/system/files/CyberDeterrenceWeb.pdf. Last accessed on 03/21/2013.
EastWest Institute. (02/23/2011). Fighting Spam to Build Trust. URL:
http://www.maawg.org/system/files/China-U.S.%20Bilateral%20Against%20Spam-
Rauscher,%20Zhou-2.pdf. Last accessed on 03/21/2013.
Electronic Communications, 2003, No. 2426. The Privacy and Electronic
Communications (EC Directive) Regulations 2003. URL:
http://www.legislation.gov.uk/uksi/2003/2426/pdfs/uksi_20032426_en.pdf. Last accessed on
03/20/2013.
Elizabeth II. (2000). Regulation of Investigatory Powers Act 2000. Available at Global
Cyber Law Database: http://www.cyberlawdb.com/docs/uk/ripa.pdf. Last accessed on
02/15/2013.
Elizabeth II. (2006). Police and Justice Act 2006. Available at Global Cyber Law
Database: http://www.cyberlawdb.com/docs/uk/police.pdf. Last accessed on 03/20/2013.
Emm, D. (2009). Cybercrime and the law: a review of UK computer crime legislation.
URL:
http://www.securelist.com/en/analysis/204792064/Cybercrime_and_the_law_a_review_of_UK_
computer_crime_legislation. Last accessed on 03/11/2013.
Emspak, J. (2012). 10 Reasons to Fear a 'Cyber Pearl Harbor'. Tech News Daily,
November 28, 2012. URL: http://www.technewsdaily.com/15636-10-reasons-to-fear-a-cyber-
pearl-harbor.html. Last accessed on 03/17/2013.
Falconer, J. (2012, August 22). Australian government passes controversial cybercrime
data retention bill. URL: http://thenextweb.com/au/2012/08/22/australian-government-passes-
controversial-cybercrime-data-retention-bill. Last accessed on 01/19/2013.
FBI.gov, Stories. (2008). Cyber Solidarity: Five Nations, One Mission. URL:
http://www.fbi.gov/news/stories/2008/march/cybergroup_031708. Last accessed on 02/11/2013.
Federal Ministry of Justice, Germany. (2009). German Criminal Code. URL:
http://www.gesetze-im-internet.de/englisch_stgb/index.html. Last accessed on 01/19/2013.
Federal Ministry of the Interior, Germany. (2011). Cyber Security Strategy for Germany.
URL:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/CyberSecurity/Cyber_Se
curity_Strategy_for_Germany.pdf?__blob=publicationFile. Last accessed on 01/19/2013.
FindLaw Australia. (2013). Cybercrime. URL:
http://www.findlaw.com.au/articles/4177/cybercrime.aspx. Last accessed 02/20/2013.
Finnish Police, National Bureau of Investigation. (2013). Organised Crime in Finland.
URL:
https://www.poliisi.fi/poliisi/krp/home.nsf/pages/948D7C0222AFF54EC225779D003132C1?op
endocument. Last accessed on 03/17/2013.
Fontanka.ru: Technologies. (2012, September 18). В день Интернета МВД сообщает
о росте киберпреступлений (On the Internet Day MVD reported that the number of cyber
PRIVACY AND CYBER CRIME INSTITUTE
43
crimes are increasing). Media release. URL: http://www.fontanka.ru/2012/09/30/015/. Last
accessed 01/18/2013.
French Penal Code 2005. English translation by Professor John R Spencer, QC (honoris
causa).
Gabriel, D. (2012). U.S.-Canada Integrated Cybersecurity Agenda. Be Your Own Leader
Blog post. URL: http://beyourownleader.blogspot.ca/2012/11/us-canada-integrated-
cybersecurity_7564.html. Last accessed on 02/20/2013.
Garrett-Walker, H. (2012). New police search and surveillance law in force. The New
Zealand Herald. URL:
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10837641. Last accessed
02/20/2013.
GCHQ. (2013). About GCHQ. URL:
http://www.gchq.gov.uk/AboutUs/Pages/index.aspx. Last accessed on 03/18/2013.
Government of Canada, Canada’s Economic Action Plan. (2013). Beyond the Border.
URL: http://actionplan.gc.ca/en/content/beyond-border. Last accessed on 02/20/2013.
Government of Canada. (2010). Canada’s Cyber Security Strategy: For a Stronger and
More Prosperous Canada. Her Majesty the Queen in Right of Canada. URL:
http://www.publicsafety.gc.ca/prg/ns/cybr-scrty/_fl/ccss-scc-eng.pdf. Last accessed 02/19/2013.
Greene, B. (2012, October 7). There’s nothing virtual about cyber attacks. CNN Opinion.
URL: http://www.cnn.com/2012/10/07/opinion/greene-cyber-real/index.html. Last accessed
11/29/2012.
Gregory, M. (2012). Cybercrime bill makes it through – but what does that mean for
you? URL: http://theconversation.edu.au/cybercrime-bill-makes-it-through-but-what-does-that-
mean-for-you-8953. Last accessed 02/20/2013.
Group-IB. (2013). Cyber Crimes Investigations company Group-IB. Official website.
http://group-ib.ru/
Helsingin Sanomat – International edition. (2012, January 20). Finland plans to set up
national cyber security centre. URL:
http://www.hs.fi/english/article/Finland+plans+to+set+up+national+cyber+security+centre/1329
104867405. Last accessed on 01/25/2013.
HMA Blog. (03/15/2013). News Roundup: UK toughens up on cyber crime, China offers
hacking cooperation and Facebook users sacrificing privacy. URL:
http://blog.hidemyass.com/2013/03/15/news-roundup-uk-toughens-up-on-cyber-crime-china-
offers-hacking-cooperation-and-facebook-users-sacrificing-privacy/. Last accessed on
03/18/2013.
Homeland Security. (2011, November). Blueprint for a Secure Cyber Future. The
Cybersecurity Strategy for the Homeland Security Enterprise. URL:
http://www.dhs.gov/xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf. Last accessed
on 03/01/2013.
Homeland Security. (2013). National Cyber Security Division. URL:
http://www.dhs.gov/national-cyber-security-division. Last accessed on 01/18/2013.
PRIVACY AND CYBER CRIME INSTITUTE
44
Kovacs, E. (2013, February 19). UK Prime Minister to Sign Cybersecurity Agreement
with India. Softpedia News, Security Blog. URL: http://news.softpedia.com/news/UK-Prime-
Minister-to-Sign-Cybersecurity-Agreement-With-India-330712.shtml. Last accessed on
02/21/2013.
Kozlov, V. (2012, February 10). Authorities increase pressure on the internet.
Moskovskie Novosti (Moscow News). URL: http://mn.ru/society/20120210/311282419.html.
Last accessed on 01/19/2013.
Kuchler, H. (03/14/2013). UK launches unit to tackle cyber crime. Financial Times –
Politics and Policy. URL: http://www.ft.com/intl/cms/s/0/86c9631a-8c9e-11e2-8ee0-
00144feabdc0.html. Last accessed on 03/18/2013.
Le May, R. (2012, August 2). From agencies and News Limited publications: Privacy
fears as surveillance law reviewed. The Australian. URL:
http://www.theaustralian.com.au/news/breaking-news/privacy-fears-as-surveillance-law-
reviewed/story-fn3dxiwe-1226423605766. Last accessed 02/11/2013.
Legislationonline.org (2013). Criminal Codes. Online legislative database. URL:
http://www.legislationline.org/documents/section/criminal-codes. Last accessed on 01/27/2013.
Levin, A. (2012). Securing Cyberspace: A Comparative Review of Strategies Worldwide.
Available at
http://www.ryerson.ca/tedrogersschool/privacy/documents/Ryerson_cyber_crime_final_report.p
df. Last accessed on 03/22/2013.
Liang, B., & Lu, H. (2010, February). Internet Development, Censorship, and Cyber
Crimes in China. Journal of Contemporary Criminal Justice, pp. 103-120.
Liikenne- ja viestintäministeriö. (2008). Valtioneuvoston periaatepäätös kansalliseksi
tietoturvastrategiaksi. Government Resolution on National Information Security Strategy. URL:
http://www.lvm.fi/c/document_library/get_file?folderId=57092&name=DLFE-
5405.pdf&title=Valtioneuvoston%20periaatep%C3%A4%C3%A4t%C3%B6s%20kansalliseksi
%20tietoturvastrategiaksi%20%28su/ru/eng%20LVM62/2008%29. Last accessed 02/24/2013.
Lukin, K. (2012). Requirements for Finland’s National Cyber Security Strategy. TUCS
Technical Report No 1037, February 2012. Turku Centre for Computer Science.
Magistrats Européens Pour la Démocratie et les Libertés. News. (2012, December 12).
On the draft legislation of the Federal Republic of Germany on amending the
Telecommunication Act and the provisions on providing telecommunication customers data.
URL: http://medelnet.org/index.php?option=com_content&view=article&id=194%3Aon-the-
draft-legislation-of-the-federal-republic-of-germany-on-amending-the-telecommunication-act-
and-the-provisions-on-providing-telecommunication-customers-
data&catid=57%3Aeurope&Itemid=179&lang=en. Last accessed 02/19/2013.
Manach, J.M. (2011). How France placed the internet of permanent surveillance. URL:
http://owni.eu/2011/03/18/how-france-placed-the-internet-on-permanent-surveillance/. Last
accessed on 03/18/2013.
MicroScope News (06/07/2012). UK legal sector ripe for cyber-attack, warn experts.
URL: http://www.microscope.co.uk/news/2240158206/UK-legal-sector-ripe-for-cyber-attack-
warn-experts. Last accessed on 03/18/2013.
PRIVACY AND CYBER CRIME INSTITUTE
45
Ministry of Defence. (2009). Presentation “National Cybersecurity Strategy. With the
reference to the Cyber Security Strategy of the United Kingdom of June 2009.
Ministry of Justice, Finland. (2008). The Criminal Code of Finland. Unofficial translation
into English. URL: http://www.finlex.fi/en/laki/kaannokset/1889/en18890039.pdf. Last accessed
on 01/20/2013.
Ministry of the Interior, Finland. (2003). Act on the Processing of Personal Data by the
Police (761/2003). Unofficial English translation available at
http://www.cyberlawdb.com/docs/finland/data-police.pdf. Last accessed on 03/18/2013.
Ministry of the Interior, Finland. (2009). Act on the Protection of Privacy in Electronic
Communications (516/2004; amendments up to 125/2009 included). Unofficial English
translation available at http://www.cyberlawdb.com/docs/finland/privacy.pdf. Last accessed on
03/20/2013.
NATO Cooperative Cyber Defence Centre of Excellence. (2013). National Strategies and
Policies. URL: http://www.ccdcoe.org/328.html. Last accessed on 01/28/2013.
Nazer, D. (2012, August 28). Australia moves to massively expand Internet surveillance.
The Center for Internet and Society. Stanford Law School. URL:
http://cyberlaw.stanford.edu/blog/2012/08/australia-moves-massively-expand-internet-
surveillance. Last accessed 02/19/2013.
NCC Group. (2012). Origin of Hacks. Report on the 3rd
quarter of 2012. URL:
http://www.nccgroup.com/media/169256/origin_of_hacks_q3_2012.pdf. Last accessed on
01/18/2013.
New Zealand Government. (2011). New Zealand’s Cyber Security Strategy of June 7th
,
2011. URL: http://www.dpmc.govt.nz/sites/all/files/publications/nz-cyber-security-strategy-june-
2011_0.pdf. Last accessed on 01/20/2013.
New Zealand Ministry of Foreign Affairs and Trade. (2012). Annual Report 30 June
2012. URL: http://www.mfat.govt.nz/Media-and-publications/Publications/Annual-report/0-
outcome-contributions.php. Last accessed 02/19/2013.
Norwegian National Security Authority (NSM). (2013). About NSM. URL:
https://www.nsm.stat.no/Engelsk-start-side/About-NSM/. Last accessed 02/19/2013.
OAS: Inter-American Cooperation Portal on Cyber-Crime. (2011). URL:
http://www.oas.org/juridico/english/cyber_security.htm. Last accessed 03/18/2013.
OECD (2006). OECD Studies in Risk Management: Norway. Information Security. URL:
http://www.oecd.org/norway/36100106.pdf. Last accessed on 02/25/2013.
Ojala, J. (2010). Tekninen seuranta poliisin salaisena pakkakeinona. Master Thesis,
Program in Security Management. Laurea- ammattikorkeakoulu (Laurea University of Applied
Sciences), Leppävaara. Available at https://publications.theseus.fi/handle/10024/23252.
Retrieved 02/25/2013.
ONE News, TVNZ.co.nz. (2012, September 30). New police surveillance law takes force.
URL: http://tvnz.co.nz/national-news/new-police-surveillance-law-takes-force-5108670. Last
accessed 02/20/2013.
PRIVACY AND CYBER CRIME INSTITUTE
46
ONE News, TVNZ.co.nz. (2013, January 15). UK, NZ to work together on cyber security.
http://tvnz.co.nz/politics-news/uk-nz-work-together-cyber-security-5318736. Last accessed
01/16/2013.
Open Systems Publications. (2012, October 2). МВД: Интернет-мошенничество
является одним из самых популярных киберпреступлений (MVD: Internet fraud is the most
popular crime). URL: http://www.osp.ru/news/2012/1002/13015095/. Last accessed on
01/20/2013.
Organization of American States, Department of Legal Cooperation. (2011). A
Comprehensive Inter-American Cybersecurity Strategy. URL:
http://www.oas.org/juridico/english/cyb_pry_strategy.pdf. Last accessed on 01/28/2013.
Packham, B. (2013). Julia Gillard announces cyber security centre, warning a long fight
lies ahead. The Australian, National Affairs. http://www.theaustralian.com.au/national-
affairs/defence/julia-gillard-announces-cyber-security-centre-warning-a-long-fight-lies-
ahead/story-e6frg8yo-1226559907481. Last accessed on 01/24/2013.
Parliament of Australia, Bills and Legislation. (2013). Cybercrime Legislation
Amendment Bill 2011. URL:
http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?b
Id=r4575. Last accessed 02/11/2013.
Parliament of Australia, House of Representatives Committees, Joint Select Committee
on Cyber-Safety (2013). URL:
http://www.aph.gov.au/Parliamentary_Business/Committees/House_of_Representatives_Commi
ttees?url=jscc/index.htm. Last accessed on 03/18/2013.
Parliamentary Counsel Office: New Zealand Legislation. (2012). Crimes Act 1961.
Reprint as at 1 October 2012. Available as HTML and pdf at:
http://www.legislation.govt.nz/act/public/1961/0043/latest/DLM327382.html. Last accessed on
01/20/2013.
People’s Tribune Journal. (2011, August 19). The survey regarding the public awareness
of Cyber-warfare. People’s Tribune Journal website. URL:
http://www.rmlt.com.cn/News/201108/201108191715587534.html. Last accessed on
02/24/2013.
Pi, Y. (2011). Research Report of Chinese Criminal Legislation for Cyber Crime.
Criminal Law Review, 204-263.
Présidence de la République. (2008). The French White Paper on defence and national
security. Available at http://www.ambafrance-
ca.org/IMG/pdf/Livre_blanc_Press_kit_english_version.pdf. Last accessed on 02/22/2013.
President of the Russian Federation. (09/09/2000). Doctrine on Information Security of
the Russian Federation. Доктрина информационной безопасности Российской Федерации
(утверждена Президентом РФ 9.09.2000г. №Пр-1895). Available in Russian at
http://dehack.ru/zak_akt/npa_prezidentarf/doktrina_ib/?all. Last accessed 03/20/2013.
President of the Russian Federation. (02/10/2010). Military Doctrine of the Russian
Federation, 2010. Военная доктрина Российской Федерации. URL:
http://news.kremlin.ru/ref_notes/461. Last accessed on 03/21/2013.
PRIVACY AND CYBER CRIME INSTITUTE
47
Protect Us, But Respect US! Petition. URL:
http://www.getup.org.au/campaigns/privacy/protect-us-but-respect-us-widget/protect-us-but-
respect-us. Last accessed on 02/22/2013.
Public Safety Canada. (2011). Cybersecurity Action Plan Between Public Safety Canada
and the Department of Homeland Security. Available at
http://www.publicsafety.gc.ca/prg/ns/cybr-scrty/_fl/ctn-pln-eng.pdf. Last accessed on
02/20/2013.
PublicService.co.uk News Report. (2013, February 19). Cameron to sign UK-India cyber
security deal. URL: http://www.publicservice.co.uk/news_story.asp?id=22187. Last accessed on
02/21/2013.
Puolustusninisteriö (Ministry of Defence – Finland). (2013, January 24). Press release:
Finland’s Cyber Security Strategy is adopted. URL:
http://www.defmin.fi/en/topical/press_releases/finland_s_cyber_security_strategy_is_adopted.53
70.news. Last accessed on 01/24/2013.
RT TV (Question More). (2012, December 3). Australian surveillance ‘out of control’:
20% increase in 1 year. News Article. URL: http://rt.com/news/australia-surveillance-phone-
internet-145/. Last accessed 02/15/2013.
Secretariat of the Security and Defence Committee. (2013, December 24). Finland’s
Cyber security Strategy. Government Resolution.
Security Lab News. (2011, September 15). Соглашение США и Австралии о
совместной защите будет распространяться на киберпространство. URL:
http://www.securitylab.ru/news/407290.php. Last accessed on 02/22/2013.
Smyth, S.M. (2012, January 30). Economic Impact of Cyber Threats and Attacks. Version
2.0. Simon Fraser University.
Sovetunion.ru Internet Review. (2012, May 3). Crime news: Russia as a stronghold of
cyber crime. URL: http://sovetunion.ru/kriminal/rossiya-kak-oplot-kiberprestupnosti. Last
accessed on 02/24/2013.
TAdviser.ru. (2012, June 6). Киберпреступность (Cybercrime). URL:
http://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%
D0%9A%D0%B8%D0%B1%D0%B5%D1%80%D0%BF%D1%80%D0%B5%D1%81%D1%8
2%D1%83%D0%BF%D0%BD%D0%BE%D1%81%D1%82%D1%8C. Last accessed on
01/18/2013.
Tech Liberty NZ. (2009). Search and Surveillance Act Threatens Privacy. URL:
http://techliberty.org.nz/search-and-surveillance-act-threatens-privacy. Last accessed
02/13/2013.
Tech Liberty NZ. (2010). Surveillance: current law. URL:
http://techliberty.org.nz/surveillance-current-law/. Last accessed 02/13/2013.
The Australian – National Affairs. (2012). Australian governments increase internet
surveillance. URL: http://www.theaustralian.com.au/national-affairs/australian-governments-
increase-internet-surveillance/story-fn59niix-1226516541141. Last accessed 02/15/2013.
The Hin Jilia Gillard MP, Prime Minister of Australia. Press Office. (2013, September 9).
Joint Statement by Prime Ministers Key and Gillard: February 2013. URL:
PRIVACY AND CYBER CRIME INSTITUTE
48
http://www.pm.gov.au/press-office/joint-statement-prime-ministers-key-and-gillard-february-
2013. Last accessed 02/12/2013.
The Hin Jilia Gillard MP, Prime Minister of Australia. Press Office. (2013, January 24).
Australian Cyber Security Centre. URL: http://www.pm.gov.au/press-office/australian-cyber-
security-centre. Last accessed 02/12/2013.
The Hon Brendan O'Connor MP, Minister for Home Affairs and Justice. (2011, July 29).
A national protocol for investigating cyber crime. Media Release. URL:
http://parlinfo.aph.gov.au/parlInfo/download/media/pressrel/985452/upload_binary/985452.pdf;f
ileType=application/pdf#search=%22cyber%20crime%22. Last accessed on 01/18/2013.
The Hon Nicola Roxon MP, Attorney-General. Minister for Emergency Management,
Australia. (2012, August 22). New Laws in the Fight Against Cyber Crime. Media Release. URL:
http://parlinfo.aph.gov.au/parlInfo/download/media/pressrel/1867175/upload_binary/1867175.pd
f;fileType=application%2Fpdf#search=%22cyber%20crime%22. Last accessed on 01/18/2013.
The Parliament of New Zealand. (2012). Search and Surveillance Act 2012. Reprint from
1st October 2012. Full text available at
http://www.legislation.govt.nz/act/public/2012/0024/latest/DLM2136536.html. Last accessed on
02/21/2013.
The Parliament of the Commonwealth of Australia. House of Representatives. (2010-
2011). Cybercrime Legislation Amendment Bill 2011. Available online at
http://www.comlaw.gov.au/Details/C2011B00116. Last accessed on 03/17/2013.
The Parliamentary Office of Science and Technology. (2011). POSTnote No 389, 2011 –
Cyber Security in the UK. Available for download from http://www.parliament.uk/mps-lords-
and-offices/offices/bicameral/post/publications/postnotes/. Retrieved on 01/18/2013.
Ueland, A. (03/04/2013). Norway security officials warn of dramatic cyber espionage
increase. The Foreigner – Norwegian News in English. URL:
http://theforeigner.no/pages/news/norway-security-officials-warn-of-dramatic-cyber-espionage-
increase/. Last accessed on 03/18/2013.
United Kingdom, Computer Misuse Act 1990. Global Cyber Law Database.
http://www.cyberlawdb.com/docs/uk/cma.pdf. Last accessed on 03/20/2013.
Vashopros.ru: Interview with Konstantin Machabeli. (2012, February 23). News:
Interview with Major-General of the police Konstantin Machabeli. URL:
http://vashopros.ru/se/itnews/?s=551&o=1&i=art. Last accessed on 01/23/2013.
Virtual Global Taskforce Official Website. (2013).
http://www.virtualglobaltaskforce.com/
Wallin, S. (2012). News: Finland aims to become a global forerunner in cyber-security
by 2016. URL:
http://www.europesworld.org/NewEnglish/Home_old/Article/tabid/191/ArticleType/ArticleView
/ArticleID/21935/language/en-US/Default.aspx. Last accessed on 01/25/2013.
Watts, S. (2011). Proposal for cyber war rules of engagement. BBC News. URL:
http://news.bbc.co.uk/2/hi/programmes/newsnight/9386445.stm. Last accessed on 02/15/2013.
WCIT2012: Signatories of the Final Acts: 89. (2012). URL: http://www.itu.int/osg/wcit-
12/highlights/signatories.html. Last accessed on 01/19/2013.
PRIVACY AND CYBER CRIME INSTITUTE
49
Wilson, C. (2005). Computer Attack and Cyberterrorism: Vulnerabilities and Policy
Issues for Congress. Congressional Research Service Report for Congress. The Navy
Department Library, Order Code RL32114. URL:
http://www.history.navy.mil/library/online/computerattack.htm. Last accessed 01/15/2013.
Владивостокский центр исследования организованной преступности (Vladivostok
Organized Crime Research Center). (2012, February 10). В МВД России состоялось
расширенное заседание Коллегии, на котором были подведены итоги деятельности в
2011 году и обсуждены задачи на ближайшую перспективу. URL:
http://www.crime.vl.ru/index.php?p=3845&more=1&c=1&tb=1&pb=1. Last accessed on
01/18/2013.
Открытые Системы, Новости (Open Systems Publications, News). (10/02/2012). МВД:
Интернет-мошенничество является одним из самых популярных киберпреступлений.
Issue No 10, 2012. URL: http://www.osp.ru/news/2012/1002/13015095/. Last accessed on
02/25/2013.
PRIVACY AND CYBER CRIME INSTITUTE
50
Appendix 1. Eleven countries covered in this report (including Canada) on the
world map.
