Although the likelihood of a cyberterrorist attack is low because of the costs involved, that is not to say it is impossible.
As you will be aware, the Centre for the Protection of National Infrastructure[1] (‘CPNI’) defines cyberterrorism as one of three possible threats faced in the UK, and the UN believes a “global consensus”[2] is required when addressing terrorism online. In reality, this is based on the supposition that non-state actors will utilise other states to facilitate their activities, either through a lack of clear boundaries between a state’s cyberspace and/or by taking advantage of a particular state’s bias toward a group and its beliefs. Specifically, when identifying the international risk posed by terror networks, the CPNI recognises that it is important to maintain and develop relationships with both private and public entities abroad to work collectively to prevent such attacks[3].
When acting in the best interests of our client’s security, mitigation is key, and the CPNI urges businesses to remain aware of security risks, thereby reducing the risk. By mitigation we mean:
“Businesses can reduce the risk to themselves, their
employees and customers by remaining vigilant, being security minded and having
good security measures in place. A small investment in security measures helps
to protect businesses against crime and make the work of terrorists and hostile
foreign states more difficult.”
Legal cases emanating from the International Court of Justice (‘ICJ’) demonstrate that an obligation is placed on a state to react positively to a threat and/or make a fellow state aware of a threat originating[4] from within ‘their’ state/cyberspace[5]. This reinforces the CPNI’s position: we should all be aware of cybercrime and act proactively to prevent it and/or harden targets. When we become aware of online security issues, we are all obliged to make the relevant authorities directly aware or follow an employer’s internal reporting protocol. As roving security consultants, your ‘office’ is often ‘in the field’; however, your duties extend to you there (as you will be aware).
The UK advocates a proactive stance on cyberterrorism, effectively promoting our national obligation to the wider global community and, in particular, to “our allies”[6]. The ‘UK Cyber Security Strategy’[7], launched in 2011[8], is readily available online to assist our clients both practically and legally, and you can update your knowledge with the annual reports.
Some threats may first appear as a benign ‘glitch’: an attacker may hit our client’s systems with a vulnerability that is not intended to be discovered initially, but as work is done to rectify the glitch, a repetitive attack may be uncovered, thus demonstrating that both vigilance and reporting are critical.
There are arguments for and against an overarching international framework of governance for the Internet. In the absence of such a treaty, we should remain alive to the ‘Budapest Convention: The Convention on Cybercrime’ (‘the Convention’), as it reinforces the importance of fighting cybercrime for signatories. The Convention is effectively reconciled against the backdrop of:
“fundamental human rights as enshrined in the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms”[9].
The Convention:
- Applies internationally, where ratified*;
- Contains helpful instructions and guidance to assist with practical application by members and non-members alike.
*Those countries that have ratified the Convention can easily be found online.
In the absence of clear virtual boundaries in cyberspace[10], there is an argument for adopting limitations similar to those applied in the case of maritime law. Many of you will be directly familiar with the United Nations Convention on the Law of the Sea[11] (‘UNCLOS’). The idea is a simple one: conceptual boundaries in cyberspace, agreed by an overarching international organisation such as the UN; in effect, the notion of international zones depicting areas relating to territorial cyberspace. This would serve to identify whether a cyberterrorist act is committed[12] by a state or non-state actor and allow for prosecution to be based on the boundaries as agreed.
In contrast, however, there is an argument that, as cyberspace exists supranationally, existing legal frameworks cannot be utilised. Cyberspace has borders that are not tangible and cannot be crossed and, in addition, cyberspace is literally above and beyond current “physical geographic borders”[13].
The aforementioned Convention was launched by the European Community and has many non-member signatories and accessions; however, the Convention does not apply globally and is not binding on all states. When examining cyberterrorism and cultural variants[14], some states may be perceived as a ‘soft’ option for certain networks and enable them to use their soil as a base[15] to launch cyberterrorist attacks.
With this in mind, a UN treaty similar to UNCLOS could overcome these challenges, firstly by harmonising[16] and consolidating a plethora of existing national[17] and international laws and, secondly, by creating an almost ‘physical’ set of boundaries/zones, making individual states accountable for cyberterrorist attacks being developed on their soil.
By growing accountability, both governance and liability could be effectively apportioned and prosecution of the same made possible. The UK recognises the prevention of “safe havens”[18] on foreign soil as crucial in the fight against cyberterrorism. A treaty could establish governance and introduce a tribunal system, as in the UNCLOS tribunal[19], acting as a mediator in international disputes regarding cyberspace and in an advisory capacity[20]. The ultimate challenge to overcome is drafting a constitution for the activities of cyberspace that is applicable to all cultures and legal jurisdictions[21]. This is overcome by ensuring that the framework[22] is reconciled against the existing international human rights law[23].
In conclusion, the fact that a number of non-member states signed up to the European Convention on cybercrime would suggest that there is a requirement for such a global UN treaty. Thus a pragmatic approach is recommended for policymakers: both to pressurise the legislatures at international organisations and to heed the inferences to be drawn from the ratification of the European Convention on cybercrime.
Those of you also working in this arena may be in the privileged position of speaking directly to the powers that be and potentially lobbying for some advancement on this security concern. Should further legal advice be required, please contact me directly at WHS Legal Consulting Ltd.
[1] Centre for the Protection of National Infrastructure. (2010). Protecting Against Terrorism (3rd ed). England: Crown Copyright. Retrieved: http://www.cpni.gov.uk/threats/terrorism/
[2] United Nations Security Council. (2015). Implementation of Security Council Resolution 2178 (2014) by States affected by foreign terrorist fighters. (S/2015/683). Retrieved: http://www.un.org/en/sc/ctc/docs/2015/N1527297_EN.pdf
[3] Centre for the Protection of National Infrastructure. (2010). Who We Work With. England: Crown Copyright. Retrieved: http://www.cpni.gov.uk/about/Who-we-work-with/
[4] This would also include data clouds being located within a jurisdiction; see relevant case law (made available on request).
[5] Corfu Channel (United Kingdom of Great Britain and Northern Ireland v. Albania) [1949] (Summary) 1949/3 Judgment of 15 Dec 1949.
[6] Ibid.
[7] Cabinet Office. (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010. London: Crown copyright. Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
[8] Following the NATO summit, Lisbon 2010 at para: 40 of the Declaration of the North Atlantic Treaty Organisation (NATO). (2010). Lisbon Summit Declaration. Lisbon: Public Diplomacy Division. Retrieved: http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2010_11/2010_11_11DE1DB9B73C4F9BBFB52B2C94722EAC_PR_CP_2010_0155_ENG-Summit_LISBON.pdf
[9] Budapest Convention: The Convention on Cybercrime 2001 [CETS No. 185]; see Preamble.
[10] The “borderless and anonymous nature of the internet” prevents attributable liability; see: Cabinet Office. (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010. London: Crown copyright. Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
[11] United Nations Convention on the Law of the Sea 1982 [Office of Legal Affairs, UN]. Retrieved: http://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf
[12] Op. cit. 9 at Section 3, Art 22 ‘Jurisdiction’.
[13] K. M. Rogers, The Internet and the Law. (2011; Palgrave Macmillan: Basingstoke).
[14] On the importance of remaining respectful of cultural differences, see Cabinet Office. (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010. London: Crown copyright. Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
[15] This is due to different jurisdictions possessing varying thresholds for interception by authorities; see United Nations Security Council. (2015). Implementation of Security Council Resolution 2178 (2014) by States affected by foreign terrorist fighters. (S/2015/683). Retrieved: http://www.un.org/en/sc/ctc/docs/2015/N1527297_EN.pdf
[16] ‘An integral and challenging component of any national Cybersecurity strategy is the adoption of regionally and internationally harmonized, appropriate legislations against the misuse of ICTs for criminal or other mischievous purposes’, found on International Telecommunication Union. (2016). Legal Measures: Legislation. Retrieved: http://www.itu.int/en/ITU-D/Cybersecurity/Pages/Legal-Measures.aspx
[17] There are a number of statutes in the UK overarching the conduct of individuals when online; see: The Computer Misuse Act 1990; Serious Crime Act 2015 and Serious Crime Act 2007.
[18] Op. cit. 14.
[19] Statute of the International Tribunal for the Law of the Sea at Section 1, Art 1 onwards of Annex VI of the United Nations Convention on the Law of the Sea 1982 [Office of Legal Affairs, UN]. Retrieved: http://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf
[20] In particular, the Seabed Disputes Chamber acts in an advisory capacity; see Section 5, Arts 186 – 191 of United Nations Convention on the Law of the Sea 1982 [Office of Legal Affairs, UN]. Retrieved: http://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf
[21] The UN believe that any “global commons” be regulated in a united manner and that includes “global communications”; found: United Nations. (2016). Global Issues: International Law. Retrieved: http://www.un.org/en/globalissues/internationallaw/
[22] Cabinet Office. (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010. London: Crown copyright. Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf