The need for IT legislation at an International Level

Liviu Arsene

October 19, 2015

The need for IT legislation at an International Level

The internet is without boundaries, borders, and rules, making it a perfect freedom of speech tool. It removes the physical distance between us to allow sharing of ideas between like-minded people, or exchanges of ideas between those who may not agree.

Looking at the internet from this perspective can be both scary and amazingly fun, as it somewhat resembles the Wild West, where it’s every man for himself. The freedom we enjoy by using the internet does not come without cost, and sometimes we pay for it by giving up some (or all) of our privacy.

The inability of any legal authority to regulate internet-enabled activities has opened up a world of possibilities for what we nowadays call “cybercrime.” Although pretty vague and broad, the term has been defined by as an “illegal activity that uses a computer as its primary means of commission,” meaning that any action performed via a computer (or likewise device) that can be associated with some form of fraud falls under this definition.


Each Country has Legislation and Sanctions

Various acts criminalize and penalize a number of cyber activities, including everything from data espionage and child pornography to cyber bullying and violation of intellectual property rights.

A recent Cybercrimes Act 2015 proposal by the United Republic of Tanzania aims to provide the proper context for investigating and collecting evidence in persecuting individuals charged with cybercrime-related activities.

“The Bill proposes the enactment of a law which will make provisions for criminalizing offences related to computer systems and Information Communication Technologies; to provide for investigation, collection, and use of electronic evidence,” reads the bill.

The typical sentence proposed by the act is seven years in prison or 20 million shillings.

“A person who contravenes subsection (1) commits an offence and is liable on conviction to a fine of not less than twenty million shillings or three times the value of undue advantage received, whichever is greater, or to imprisonment for a term of not less than seven years or to both,” reads the Cybercrime Act.

The United Kingdom has its own Computer Misuse Act 1990, which has been amended this year in Part 2 of the Serious Crime Act 2015 to include a sentence of life in prison for crimes related to “serious damage” and “national security.”

“Where an offence under this section is committed as a result of an act causing or creating a significant risk of serious damage to human welfare [..], or serious damage to national security, a person guilty of the offence is liable, on conviction on indictment, to imprisonment for life, or to a fine, or to both,” reads the Serious Crime Act 2015.

The same bill extends the court’s jurisdiction outside the UK, and allows prosecution of UK citizens that have procured cyber-crime tools, even if they’re physically outside the country.

The United States has the Computer Fraud and Abuse Act which stipulates fines or prison terms for intentionally accessing a computer “without authorization or exceeding authorized access” with the purpose of causing fraud or data corruption or exfiltration.

During the Obama administration, a bill was proposed to compel companies that have suffered breaches to report the issue to its customers in less than 30 days since of the occurrence, if the breach concerned “sensitive personally identifiable information.”

“Any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual,” reads the Personal Data Notification & Protection Act.

Germany recently passed a bill ordering essential service providers to implement minimum security standards within two years or face fines of up to €100,000. The IT security law obliges companies and federal agencies to obtain Federal Office of Information Security (BSI) clearance and notify the BSI if they suspect cyber-attacks on their infrastructures.

“The aim of the law is to improve protection of IT security companies, enhance protection of citizens on the Internet, the strengthening of BSI and Bundeskriminalamt (BKA),” reads the IT Security Act. “The protection of IT systems, such critical infrastructures and of Infrastructure operations necessary is therefore of the utmost importance.”


Identifying culprits

What all these laws have in common is that they all specify various procedures for performing forensic analysis involving continuous cooperation of law enforcement and the private sector. Internet service providers are “encouraged” to record information about their customers that could be used for prosecution in court.

Other measures have been deemed more privacy intrusive, such as tapping into private user conversations without the need of a court order to do so.

The fine line between privacy and the gathering tools and information required to identify culprits blurs even more if legal frameworks take into account acts of terrorism and national security. Because these are considered acts that can affect a nation’s security, global cybersecurity laws need to take into consideration when it is necessary to apply the global framework and when to apply to state/national security laws.


A Comprehensive Response to Cybercrime

Although the abovementioned countries have their own regional laws that cover various cybersecurity aspects and sanctions, a comprehensive global response to cybercrime is still needed. Multinational cooperation has been achieved to some degree with the Budapest Convention on Cybercrime in 2001, when several European countries agreed on criminalizing various hacking activities and implement the legal procedures necessary within their laws.

The United States has also made some ratifications in 2006, becoming the 16th nation to agree with the stipulations in the Budapest Convention on Cybercrime.

However, creating a unanimously accepted legal framework that can be accepted globally might prove more difficult than expected. Although authorities do cooperate to some degree to investigating cybercrimes, discrepancies in how each country’s legal system defines cybercrime and unlawful legal activities mean criminal investigations can sometimes burdened or blocked by procedures and lack of legal reference.

International legislation would pose significant advantages, as it would empower law enforcement to pursue and prosecute criminals outside the nation where they committed the cybercrimes. However, this would require a global legal framework that would not only uniformly define cybercrimes, but also universally accept the same convictions and forensic procedures. 




Liviu Arsene

Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact in critical public and private business infrastructures. His passions revolve around innovative technologies and gadgets, focusing on their security applications and long-term strategic impact.

View all posts

You might also like