Joyce Hakmeh
Academy Fellow, International Security Department (2016-17)
By their very nature, cybercrime investigations require extensive cross-border coordination. The international legal framework needs to catch up with this reality.
A lock screen from the WannaCry ransomware attack. Photo: Getty Images.A lock screen from the WannaCry ransomware attack. Photo: Getty Images.

A few weeks ago, organizations in more than 150 countries were victims of an unprecedented cyberattack which used the ransomware Wannacry, disrupting thousands of businesses and public institutions around the world. The global scope of the attack meant that in order to identify and catch the culprits a complex international investigation is needed. However, the existing international legal framework for cooperation on cybercrime is a fragmented one, with no single governance architecture, which complicates investigations and risks leaving the perpetrators at large.

Normally, perpetrators seek refuge in countries that provide safe havens where there are no, or insufficient, cybercrime laws to implement an extradition request. And because the extradition treaties of many countries have a ‘double criminality’ requirement, it means that country A will only extradite a suspect to stand trial in country B for breaking its law when there is a similar law criminalizing that offence in the extraditing country. So if cybercrimes are not criminalized in certain countries, or if the relevant laws are not in harmony with the investigating states, perpetrators can roam free.

In addition, jurisdictional limitations can hamper one of the most challenging aspects of a cybercrime investigation – attribution. Every time a law enforcement agency needs to undertake a cross-border investigation, it has do so through official, and at times bureaucratic, legal channels to request assistance which makes investigations more complicated to navigate. Not only is this process lengthy and convoluted but it also jeopardizes the global evidence gathering process. This is due to the volatile and fragile nature of the electronic evidence which requires agility in its collection while protecting its integrity and maintaining the chain of custody.

These challenges can be met – public-private partnerships in particular can help use the flexibility of the private sector to overcome some of the jurisdictional challenges and provide access to evidence held by private industry. But a better international framework is still needed.

The Council of Europe Convention on Cybercrime (also known as the Budapest Convention) is at present the main international instrument on cybercrime. It aims to help its state parties harmonize their national laws, improve their investigative techniques and increase cooperation. In addition to most EU countries, the US, Japan, Australia, Canada and others have ratified the convention. Indeed, the EU’s law enforcement agency, Europol, and its Joint Cybercrime Action Taskforce, which also includes the FBI and the US secret service, have been cooperating together and have been playing an important role in the investigation of the latest attack. In addition, INTERPOL, through its National Central Bureaus in 190 countries, has been providing coordination efforts, primarily through supporting national police, facilitating information exchange and providing updates on investigations.

However, Russia, China, India and other big countries have refused to ratify the Budapest Convention, giving two main reasons: either because they have not participated in its drafting process or because it infringes on their sovereignty. Russia has traditionally had a far from straightforward cooperation relationship with EU states on cybercrime. and similarly, China has been less than keen on information and intelligence sharing with other countries.  For several years, Russia has been backing a proposal for a UN global treaty on cybercrime, a position reconfirmed recently again by the government and by Putin after the recent attack. However, this proposal has been blocked for years, mainly by EU states and the US, who argue that there is already a cybercrime international convention in place – the Budapest Convention.

Practically speaking, negotiating a new UN treaty on cybercrime will take years of intense diplomatic effort and fruitful results are not guaranteed. Even if it sees the light, implementing a new global treaty properly takes many years.  In contrast, the Budapest Convention has been in place for more than 15 years. It provides a global legal framework for cooperation and has proven to be reasonably effective in creating more synergies between its signatories. Its state parties have harmonized their domestic laws accordingly and non-state parties have been using it as a model for their cybercrime legislation.

Hence, dismissing it and starting from scratch seems like a wasted opportunity, especially given how difficult it is to achieve a global consensus on how to deal with cybercrime. But by the same token, imposing it on the rest of the countries as the global treaty on cybercrime, without addressing the concerns of the non-members, and without engaging with them in a structured dialogue, seems to be a non-starter too. It seems sensible that more diplomatic efforts should be exerted by the Secretariat of the Convention, and importantly by its state parties, to engage more countries in the Convention and make it truly international.

To comment on this article, please contact Chatham House Feedback