(HLEG) Global Strategic Report

International Telecommunication Union

Place des Nations,

1211 Geneva,

Switzerland.

First printing 2008

Legal Notice

The information contained in this publication has been contributed by members of the High-Level Experts Group (HLEG) on the basis of information that is publicly available. Neither ITU nor any person acting on its behalf is responsible for any use that might be made of the information contained in this Report. ITU is not responsible for the content or the external websites referred to in this Report. The views expressed in this publication are those of the authors only and do not reflect in any way the official views of ITU or its membership or engage the ITU in any way.

Denominations and classifications employed in this publication do not imply any opinion on the part of the ITU concerning the legal or other status of any territory or any endorsement or acceptance of any boundary.

No part of this publication may be reproduced, except as authorized by written permission and provided that the source is acknowledged. Persons interested in quoting this publication should first seek permission from: [email protected]. Acknowledgements

Introduction Contributing authors: GCA Secretariat and all work area leaders.

Chapter 1: Strategic Report WA1 Main author & editor: Stein Schjolberg, Chief Judge, Moss District Court, Norway. Contributing authors: Dr. Marco Gercke, Senior Researcher University of Cologne, Germany: Section 1.6 (except 1.6.1.6. and 1.6.3.3.), Section 1.7 (except 1.7.8.), Section 1.10 (except 1.10.2) and co-author of Section 1.1. Scott Stein: Section 1.9 and Section 1.14. Gillian Murray, Focal Point for Cybercrime, UNODC: Section 1.3 (except 1.3.3). Marc Goodman, Senior Advisor to Interpol’s Steering Committee on Information Technology Crime: Section 1.8. Toomas Viira, Information Security Manager in Estonian Informatics Centre, Estonian Ministry of Economic Affairs and Communications, contributed to Section 1.6.1. Graham Butler, President and CEO, Bitek International Inc: Section 1.7.8. Tony Rutkowski, Vice-President for Regulatory Affairs and Standards at VeriSign, Inc: Section 1.12, Section 1.13 and Section 1.10.2.

Senior Legal Adviser Rajka Vlahovic of UNODC has made comments and updated Section 1.9. Section 1.2.4 was updated based on comments by Jinhyun Cho, senior researcher at the Rep. of Korea’s CERT/ CC and deputy convenor of APECTEL SPSG. Section 1.1.11 was updated based on comments by Yuan Xu, China. Section 1.8.9 was updated based on comments by Noboru Nakatani, Interpol. Jody Westby has provided us with valuable information and additional resources. We enjoyed clarifying discussions with Professor Ulrich Sieber.

Chapter 2: Strategic Report WA2 Contributing authors: Mr. Jaak Tepandi, Professor of Knowledge Based Systems, Institute of Informatics, Tallinn University of Technology, Estonia and Mr. Justin Rattner, Chief Technology Officer, Intel Corp.

Chapter 3: Strategic Report WA3 Contributing authors: Taieb Debbagh, General Secretary of the Ministry of Telecommunications and ICT of Morocco, Solange Ghernaouti Hélie, Professeure Présidente de la Commission Sociale at the University of Lausanne, Business & Economics.

Chapter 4: Strategic Report WA4 Contributing authors: Solange Ghernaouti Hélie, Professeure Présidente de la commission Sociale at the University of Lausanne, Business & Economics, & Ivar Tallo, Senior Programme Officer, UNITAR.

Chapter 5: Strategic Report WA5 Contributing authors: Mr. Shamsul Jafni Shafie, Director, Security, Trust and Governance Department, Content, Consumer and Network Security Division, Malaysian Communications and Multimedia Commission and Mr. Zane Cleophas, Chief Director, Border Control Operational Coordinating Committee (BCOCC), Department of Home Affairs of South Africa. Message from the Secretary - General Dr Hamadoun I. Touré

Building confidence and security in the use of Information and Communication Technologies (ICTs) is one of the most important, and most complex, challenges we face today. Promoting cybersecurity is a top priority, if we are to reap the full benefits of the digital revolution and the new and evolving communication technologies coming onto the market. At the same time, maintaining cybersecurity is a culture, spanning different disciplines, that needs to be built into our approach towards, and our adoption of, these new technologies.

This is why I am convinced that ITU, with its tradition as an international forum for cooperation and its important work in technical standards for security, has a vital contribution to make in promoting cybersecurity. ITU can draw on its expertise in standardization specifications and communications engineering, as well as its experience in direct technical assistance to members, to build a multi-disciplinary approach towards maintaining cybersecurity. ITU’s significant work in the security of IMT (3G) mobile telephony and Public Key Infrastructure, enabling digital signatures, are just a few examples of our work to ensure secure, reliable and user-friendly communications.

And yet, ITU must work alongside other key stakeholders in the field, if modern communication systems are to remain secure. And this is why the work of the High-Level Experts Group is highly significant. ITU’s Global Cybersecurity Agenda has benefited from the advice of a panel of key policy-makers and leading specialists from major private sector firms and academic institutions for debating the pivotal issues in cybersecurity and developing consensus on the way forward. By bringing together the major players, ITU sought to build their ownership and commitment to a cross-disciplinary consensus approach. These leading experts have freely given their time, knowledge and experience to establish a common understanding of the issues involved. I am convinced that their inspiring thought leadership and buy-in will benefit all, with recommendations on key steps forward for legislative frameworks, technical and procedural measures, organizational structures, capacity-building and international cooperation. The work of this High-Level Experts Group has ensured that the Global Cybersecurity Agenda will remain a key framework for international cooperation to promote cybersecurity going forward. I am deeply grateful to all members of the HLEG for their sincere efforts and commitment in advancing this key initiative of the ITU to promote cybsersecurity.

Dr Hamadoun I. Touré Secretary-General, ITU Message from His Excellency the President of Burkina Faso Patron of the Global Cybersecurity Agenda

Information and communication technologies (ICTs) play a decisive role in the development process. In order to take full advantage of all the opportunities, the time has therefore come to establish solid foundations more conducive to bringing about the desired economic growth. In Africa, and indeed worldwide, ever-increasing numbers of people are using ICTs and the services they enable. It is therefore both desirable and necessary to provide them with a safe and secure cyberenvironment. This is the main reason why I am pledging my personal support, and agreeing to serve as a patron, for the Global Cybersecurity Agenda, initiated by the International Telecommunication Union (ITU). Given the interdependencies that are created by information and communication technologies, I appeal to Member States to be unstinting in their commitment to ensuring the success of the Agenda as an appropriate framework for cooperation. Countries must focus their political responsibility and spare no effort on developing agreements that are sufficiently effective and flexible to stem cybercrime. It is in this spirit that Burkina Faso will make its contribution to ensuring full realization of the Global Cybersecurity Agenda in the interests of making the world a safer place. For my part, I will give all the necessary time and support to this undertaking, confident as I am of the backing of my African peers and the international community.

Blaise Compoare President of Burkina Faso Message from the President of Costa-Rica Patron of the Global Cybersecurity Agenda

Like any other technology, Information and Communication Technologies (ICTs) can be put to work for the greater good or for the greater evil. ICTs can be used to spread great knowledge, raise awareness and gain a university degree, but they can also be used to destroy someone’s reputation or create entrenched prejudice, by disseminating false and misleading information. ICTs can be used to the good for long-distance diagnosis and telemedicine in healthcare, but they also propagate dangerous computer viruses that can cause critical computer systems to crash and the loss of vital data. ICTs can allow business entrepreneurs to access new markets and sell goods abroad, but they also enable crooks to swindle trusting would-be customers out of millions of dollars. Like any other technology, ICTs offer bound- less opportunities that we are only just beginning to explore, but also various pitfalls and online dangers.

Information is a vital weapon in war, where it is vital in shaping public perceptions and the will, and ability, of the international community to take action. However, new forms of information warfare are evolving rapidly, breaking new ground in the flow and control of information during conflict. ‘Hacktivism’ is now a recognized form of information warfare, from defacements of commercial websites and the downing of competitors’ sites and systems to attacks on minorities’ cultural and religious presence online. The ability to attack other countries’ critical systems and communication capabilities in times of conflict is the new form of cyber-warfare and may ultimately prove far more damaging, and far more powerful, than a country’s military presence.

Such incidents are difficult to monitor, and even harder to respond to, given the international and borderless nature of the Internet and cyberspace - what are the rules and laws governing these new forms of attack? And who should define these rules? I have spent my life working for education and for peace, and I believe that the answers to these questions can only come through coordinated multilateral action.

The ITU has taken significant steps to address these challenges and has established an international framework for dialogue and coordination to promote cybersecurity, the ITU Global Cybersecurity Agenda. The ITU has assembled a panel of leading experts to advise the ITU Secretary-General on key trends in cybersecurity and cyberthreats online and how these threats can be countered. But cyberpeace cannot be achieved without the awareness and participation of all who venture online – who, by their everyday activities, cast a vote for a safe and secure information society. And this is why I invite you to join with me in supporting ITU’s key initiative to promote cybersecurity, the Global Cybersecurity Agenda, because peace and safety in the virtual world is becoming an ever more essential part of peace and safety in our everyday lives.

Dr. Oscar Arias Sánchez President of the Republic of Costa Rica, Nobel Peace Prize Laureate Message from the Chairman of the HLEG Stein Schjolberg

On 17 May 2007, the ITU Secretary-General launched the Global Cybersecurity Agenda (GCA) as ITU’s leading initiative to promote cybersecurity. To inform ITU’s work on this top priority, the Secretary-General benefited from the advice of the High-Level Experts Group (HLEG), an expert panel of over one hundred leading specialists, policy-makers and practitioners in the field. The Secretary-General sought the guidance of this Group of experts on key trends shaping confidence and security in the use of ICTs, as well as ways in which Member States and Members can respond to emerging challenges to cybersecurity. I was deeply honoured when the Secretary-General personally invited me to chair the work of this important Group. The HLEG held three official Meetings and two ad-hoc Meetings from October 5, 2007, until June 26, 2008. The Report of the Chairman of HLEG was delivered to the Secre- tary- General in August 2008. The HLEG Members acted in their personal capacity and at their own expense. I would like to extend my sincere thanks to the Work Area leaders, and the contributing authors, and all HLEG Members for their active participation and superlative contributions, which have helped make the collaborative efforts of the HLEG a success and have made this Global Strategic Report possible. The work of the HLEG has resulted in proposed recommendations and global strategies and for addressing the wide range of challenges relating to global cybersecurity, including cybercrime, on legal measures, technical and procedural measures, organizational structures, capacity building, and international cooperation. Most of the HLEG Members were in broad agreement on many recommendations, but it did not always prove possible to achieve full consensus on all aspects of the HLEG ´s work. But he HLEG Members were in full agreement that vital action is needed to promote cybersecurity and that ITU has an important role to play. I would like to thank ITU Secretary-General for giving me the opportunity to be the chairman of this illustrious Group and to contribute to the work of the important ITU initiative. I am proud to have been a part of this, and I am pleased to have been able to contribute to its important work and significant achievements. Finally, I wish extend my thanks to the Corporate Strategy Division, Alex Ntoko and his Staff, for their outstanding assistance that made it possible finishing the reports and recommendations as scheduled.

Stein Schjolberg Chief Judge at the Moss District Court, Norway Table of Contents

Chapter 1: Legal Measures 13

1.1. Introduction 14 1.2. Existing regional legislative measures 16 1.2.1. The Council of Europe and the Convention on Cybercrime 16 1.2.2. G8 Group of States 17 1.2.3. European Union 17 1.2.4. Asian Pacific Economic Cooperation (APEC) 18 1.2.5. Organization of American States (OAS) 19 1.2.6. The Commonwealth 19 1.2.7. Association of South East Asian Nations (ASEAN) 19 1.2.8. The Arab League 20 1.2.9. The African Union 20 1.2.10. The Organization for Economic Cooperation and Development (OECD) 20 1.2.11. Shanghai Cooperation Organization (SCO) 21 1.3. Existing United Nations International Provisions 22 1.3.1. The United Nations Convention against Transnational Organized Crime (TOC) 22 1.3.2. United Nations-system decisions, resolutions and recommendations 22 1.3.3. International Telecommunication Union (ITU) 23 1.4. Critical Information Infrastructure Protection (CIIP) 24 1.4.1. Principles for protecting critical information infrastructures 24 1.4.2. Cyberterrorism and terrorist use of the Internet 24 1.5. Definitions/Terminology 27 1.5.1. What is cybersecurity and cybercrime 27 1.5.2. Definitions 27 1.6. Substantive Criminal Law 29 1.6.1. Offences against the confidentiality, integrity and availability of data and computer systems 29 1.6.2. Content-related offences 34 1.6.3. Criminalisation of preparatory acts 38 1.6.4. Computer-related offences 42 1.7. Measures in Procedural Law 44 1.7.1. General principles 44 1.7.2. Expedited preservation of stored computer data 44 1.7.3. Expedited preservation and partial disclosure of traffic data 45 1.7.4. Production order 45 1.7.5. Search and seizure of stored computer data 46 1.7.6. Real-time collection of traffic data 47 1.7.7. Interception of content data 47 1.7.8. Voice over IP 48 1.7.9. Use of key loggers and other software tools 49 1.7.10. Data retention 49 1.7.11. Order to disclose key used for encryption 49 1.7.12. Jurisdiction 50 1.8. Law Enforcement and Investigation 51 1.8.1. The Move from Physical to Electronic Evidence 51 1.8.2. Encryption Challenges 51 1.8.3. Costs of High-Technology Crime Investigation 52 1.8.4. Counting Computer Crime—How Much Is There Anyway? 52 1.8.5. The Underreporting Problem 52 1.8.6. Patrolling cyberspace 53 1.8.7. International law enforcement cooperation 53 1.8.8. Law enforcement capacity building 53 1.8.9. 24/7 Points of contact “Interpol”/G8 54 1.8.10. Law enforcement needs assessment and emerging trends 54 1.9. Prosecution 55 1.9.1 Challenges in Prosecuting Cybercrime 55 1.9.2 Letter Rogatory 57 1.9.3 Multilateral Treaties on Crime 57 1.9.4 Bilateral Mutual Legal Assistance Treaties 58 1.10. Responsibility of Internet Providers 60 1.10.1. Introduction 60 1.10.2. Legal Measures for Trusted Service Provider Identity 61 1.11. Privacy and Human Rights 63 1.11.1. The Principles 63 1.11.2. Prosecution 63 1.11.3. Judicial Courts 63 1.12. Civil Matters: Contractual Service Agreements, Federations & other Civil Law measures 65 1.12.1. Cybersecurity obligations undertaken by the parties 65 1.12.2. Intentional harm 65 1.12.3. Civil remedies and damages 65 1.13. Civil Matters: Regulatory and Administrative Law 66 1.13.1. Critical Information Infrastructure protection; National Security/Emergency Preparedness/ Emergency Telecommunication Service Requirements 66 1.13.2. Assistance to Lawful Authority Requirements 67 1.13.3 Identifier Resource Management Requirements 67 1.13.4 Consumer-Related Requirements 68 1.13.5. Provider-Related Requirements 69 1.14. Civil Matters: Conflict of laws 71 1.15. References 73 Appendix 1: Inventory of relevant instruments 74 Chapter 2: Technical and Procedural Measures for Cybersecurity 75

2.1. Objective 76 2. 2. Definitions 76 2.3. Cybersecurity: Issues, Technologies & Solutions 77 2.3.1. The Growing Importance of Cybersecurity 77 2.3.2. Ongoing Efforts to Promote Cybersecurity and CIP 78 2.3.3. Means of Protection in Today’s Complex Environment 79 2.3.4. Servers, Clients, Diverse Networks 80 2.3.5. Diverse Environments and Levels of Protection 80 2.3.6. Nature of Attacks 81 2.3.7. Categories of Risk 82 2.3.8. Reasonable Use of Cryptography 84 2.3.9. Security and Privacy 84 2.3.10. Incident Response 85 2.3.11. Responsible Disclosure 86 2.3.12. Beyond Technologies: Assurance and Business Models 86 2.3.13. Common Criteria 87 2.3.14. A Lifecycle Approach to Security 87 2.4. Technical and Procedural Measures of Cybersecurity 88 2.4.1. Overview of Measures 88 2.4.2. Measures that enable protection 88 2.4.3. Measures that enable threat detection 88 2.4.4. Measures that enable thwarting cybercrime 88 2.4.5. Measures that enable business continuity 89 2.5 Conclusions 89 2.6. References 89 2.7. Appendices 90 2.7.1. Appendix 1. Survey of Cybersecurity Technical Forums 90 2.7.2. Appendix 2. Software development lifecycle 90

Chapter 3: Organizational Structures 91

3.1 Introduction 92 3.2. Organizational Structures and Policies for Cybersecurity 92 3.2.1. The Role of Benchmarking 93 3.2.2. National Roadmap for Governance in Cybersecurity 93 3.3. A Framework for Organizational Structures 94 3.3.1. National Cybersecurity Council (NCC) 95 3.3.2. National Cybersecurity Authority (NCA) 95 3.3.3. National CERT 96 3.4. Global framework for watch, warning and incident response 98 3.5. NCSec Referential 99 3.5.1. Building Referential 99 3.5.2. NCSec Referential 99 3.6. Conclusions 100

Chapter 4: Capacity-Building 102

4.1. Introduction 103 4.2. Capacity-building and awareness 103 4.3. Capacity-building and resources 105 4.4. Capacity-building at the global level 105 4.5. Capacity-building at the national level 106 4.6. Capacity-building at the end-user level 107 4.7. Capacity-building for an inclusive society 108 4.8. References 110

Chapter 5: International Cooperation for Cybersecurity 112

5.1. Introduction 113 5.2. The Need for International Cooperation 113 5.3. Current Models of International Cooperation 114 5.4. Areas for Potential International Coordination in Legal Efforts 118 5.5. International conventions and recommendations 119 5.6. Promoting a Global Culture of Cybersecurity 120 5.7. Strategies for integration and dialogue 122 5.8. Initiatives by the Private Sector/Industry/Academia/Government 122 5.9. Strategies for multi-stakeholder partnerships 124 5.10. International Public-Private Partnerships 124 5.11. Strategies for Information-Sharing – Cyber Drill Exercises 125 5.12. Conclusions 126

Annex 127

List of Acronyms & Abbreviations 141 CHAPTER 1 Legal Measures International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex the FightagainstCybercrime,CRi2008,Issue1,page7-13. gress.html (lastvisited:January2008); for evidence and investigation and extradition procedures). requests effective (e.g. procedures practical effective requires agencies enforcement law of cooperation investigations have the necessary instruments in place to carry out their investigations. Finally, the effective it is necessary to harmonize investigation instruments to ensure that all countries involved in international yecie investigations. cybercrime country in the world, so international cooperation of law enforcement agencies is essential for international 8 7 January 2008). 2005, page5–availableat: Prevention andControlofComputer-Related Crime,269–availableat 6 European arrestwarrantandthe surrenderproceduresbetweenMemberStates(2002/584/JHA). of internationalconventionsandtreaties.Oneexampleis ficulties thedualcriminalityprinciplecancausewithininternational investigationsarecurrentlyaddressedinanumber 5 documents/0817999825_1.pdf (lastvisited:January2008). Transnational DimensionofCyber Crimeand Terrorism, 2001, page1 January 2008);Sofaer/Goodman,CyberCrimeandSecurity – The Transnational Dimensionin Terrorism, 2001, page35 International ResponsestoCyberCrime,in 4 3 2 1 Net.”the are people billion 1.4 estimated an “oncurrently level,and global a on 290% of rateaverage annual an at expanded has Internet the 2008, toFrom 2000 time. our of frontiers greatlegal the of one Cyberspaceis urnl, h qeto o hw o drs te vlig hlegs oe b cbrrm ad other and cybercrime by posed discussed. actively challenges being is systems evolvinglegal to issues security the network and security address information to how of question the Currently, by provisions for enacted otherpurposes, covering onlyincidentally orperipherally. cybercrimes then be justly can convicted for their offenders explicit acts and not by existing and provisions stretched Perpetratorsin interpretation, or legislation. existing of interpretations vague and extensions on relying ethical standards in cyberspace, penal legislation must be enacted with and clarity specificity, rather than common sense of justice, and penal legislation have all been stretched to keep pace. order In to establish effective harmonization of laws. Based on the common principle of dual criminality, firstly requires a harmonization of substantive criminal law provisions to prevent safe havens. as areas oflaw notincluded intheConvention on Cybercrime. the Council of Europe’s Convention on Cybercrime, recognized by the WSIS as a regional initiative, complianceinternationalwith standards, introducesfollowing the standards legal defined the section by model further of creation the necessitate not ensure to differentorder In approaches. the between preventtoconflict strategiesdeveloped laws,are if should standard single a achieving of importance The intheglobalharmonizationprocess.participate to issues security network and informationsecurity other and cybercrime strategyon national fora need Cybercrime is truly borderless and, potentially, transnational. (national countries single have advantages anddisadvantages. by either solutions, individual geographicbygroupsfromregioncountriesapproaches)a or of (regional approaches approaches). Both and organizations; international through approaches international or solutions general - challenges these answer to which at levels distinct two January 2008). Crime and Terrorism, 2001,page7–availableat: Cyber CrimeandSecurity– The Transnational Dimensionin SeetheCouncil ofEuropeConventiononCybercrime, Regardingthedualcriminality principleininternationalinvestigationssee:UnitedNations Manualonthe Dualcriminalityexistsiftheoffence isacrimeunderboththerequestorandrequestingparty’s laws. The dif Regardingtheneedforinternationalcooperationinfight againstCybercrimesee:Putnam/Elliott, Regardingtheextentoftransnationalattacksinmostdamagingcybersee: Foranoverviewaboutthediscussionsee: ITU World ICT/Telecommunication IndicatorsDatabase.

Tunis Agenda fortheInformationSociety, available from www.itu.int/wsis/index.htm 1 The impact of the Internet on societies has been so fast and far-reaching, that codes of ethics, of codes thatfar-reaching, and fast so been has societies on Internet the of impact The et seq.–availableat: www.itu.int/osg/spu/cybersecurity/ presentations/session12_schjolberg.pdf (lastvisited: 4 nentoa ivsiain dpn o rlal mas f oprto and cooperation of means reliable on depend investigations International 1.1. Introduction 1.1. Introduction Schjolberg/Hubbard Sofaer/Goodman, The Transnational DimensionofCyberCrimeand http://media.hoover.org/documents/0817999825_35.pdf (lastvisited: http://media.hoover.org/documents/0817999825_1.pdf (lastvisited: Gercke, National,RegionalandInternationalLegal Approaches in Art. 2oftheEUFrameworkDecision13June2002on the , HarmonizingNationalLegal Sofaer/Goodman, The Transnational Dimensionof Cyber Art. 23– 7 The importance of harmonization reflects the 3 Offenders can, in general, target users in any et seq.–availableat: http://www.uncjin.org/Documents/EighthCon Art. 35. Approaches onCybercrime, http://media.hoover.org/ 5 effective cooperation l. Sofaer/Goodman, Sofaer/Goodman, The 6 Furthermore, 2 There are There 8 as well - - 14 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex (Paragraph 42). in the relevant parts of the Universal Declaration of Human Rights and the Geneva Declaration of Principles” counter spam, must protect and respect the provisions for privacy and freedom of expression as contained to and cybercrime fight security, to and stability Internet ensure to undertaken measures that affirm “We including, butnotlimited to, theCouncil ofEurope’s Convention onCybercrime”(Paragraph 40). 55/63 and 56/121 on “Combating the criminal misuse of information technologies” and regional initiatives investigationframeworks,existing noting prosecutioncybercrime, and of for example, Resolutions UNGA “We call upon governments in cooperation with other stakeholders to develop necessary legislation for the Information the for Agenda Tunis the by adopted Society. goals The Tunis Agenda (paragraphs the 40and42),reads asfollows: to adhere should HLEG the and GCA The threats cybersecurity among countries at allstagesofeconomic of development. understanding common a reach to cybersecurity in cooperation international for framework a on consensus seeking is ICTs”. ITU capacity, of this use In the in security and confidence leaders and governments designated ITU to facilitate the implementation world of WSIS, the WSIS At ICTs. Action of Line C5, use the in “Building security and confidence build to is Conference Plenipotentiary ITU 2006 the and (WSIS) Society Information the on Summit Worldthe following ITU, of role fundamental A 15 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex inherent inthe design ofsystems andnetworks, orlegitimate operating orcommercial practices. activities common and legitimate criminalize to intended not are definitions law.These domestic under authority or conduct not covered by established legal defenses, excuses, justifications or relevant principles curb without undertaken right’, committedto conduct be ‘without to must referring Offences steps threat. serious innovativethis take must governments and issues security network and other and security information cybercrime of prosecution the for necessary are cooperation and coordination International economic benefit. -for offences procuring of intent dishonest or fraudulent of to certain requirement the with fraud,computer-related to instance, apply only elements intentional specific left is Additional this interpretation. but national knowingly, toand/or willfully as understood be may Intention arise. to liability criminal for intentionally be committed must Offences defines. it offences the from misconduct insignificant or petty exclude technology- may States technologies. future and uses current both covers Cybercrimeand applies it that on so language, neutral Convention The crimes. tools such procedural prosecute the and establish investigate and to law, necessary criminal substantive on section the in described conducts the criminalize laws domestic their that ensure toConvention,agree countries the to acceding or ratifying By Convention consists offour chapters: cybercrime. It entered into force on 1 July 2004. By January 2008, twenty-one states had ratified the ratified Agenda for the Information Society, governments had recognized the Convention as a WSIS Tunis regional initiative. states the In Convention. twenty-one the ratified, 2008, yet not but January signed, had By states twenty-two 2004. while Convention, July 1 on force into entered It cybercrime. 10 9 Cybercrime on Convention Europe’s of Council 2001 The 1.2.1. The Council ofEurope’s Convention onCybercrime

4) Chapter IV on final provisions contains the final clauses, mainly in accordance with standard in accordance mainly final clauses, the contains provisions final on IV Chapter 4) international to relating principles general includes cooperation international on III Chapter 3) 2) Chapter II on measures to be taken at the national level includes sections on substantive service criminal law, data, computer systems, computer on definitions includes terms of use the on I Chapter 1) Seehttp://www.conventions.coe.int. for in certain articles. for incertain In accordance with Article 42, any State may declare that it avails itself of the reservations provided avails itself of the possibility of requiring additional elements, as provided for under certain articles. provisions in Council of Europe treaties. In accordance with 40, Article any State may declare that it a provision for a24/7network. regardingassistance provisional measures,regardingassistance mutual investigative powers, and mutual on provisions specific including use, on limitation and confidentiality to and agreements, procedures to requestspertaining for mutual assistance in the absence of applicable international contains chapter The information. spontaneous and assistance mutual extradition, cooperation, data. Provisions are dealtwith inaseparate onjurisdiction section. content of interception and data, traffic of collection searchand real-time data, order, computer stored production on of seizure also provisions includes section partial The data. and traffic preservation of expedited disclosure covering data, computer stored of preservation expedited on provision a is offences. There criminal to relating form electronic in evidence of collection the to and system, computer a of means by committed offences criminal other to and law, criminal procedural law includes common provisions that apply to the Convention’s on substantivearticles pornography, and offences related to infringements of copyright and relatedrights. The Computer- section on devices). to child related offences of are offences Content-related fraud. and misuse forgery include offences related and interference system interference, data interception, illegal access, illegal as (such systems and data computer of availability and confidentiality, integrity the procedural law and jurisdiction. The section on substantive criminal law identifies offences against providers andtraffic data; 1.2. Existingregional legislative measures Tunis Agenda fortheInformationSociety, available from www.itu.int/wsis/index.htm 9 was a historic milestone in the fight against fight the in milestone historic a was l. 10 The 16 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex necessity ofimprovingnecessity effective counter-measures. on discussions the further and issues security held network and security informationMinisters other and cybercrime and Affairs terrorism combating Home and Justice G8 the Meeting, Moscow 2006 their At “to ensure that law enforcement respond to cyber-threats andincidents”. serious agenciescanquickly goal,following the emphasized 2005 in Meeting G8 a from statement Another basis. broad a on it within coming into force, the states should take steps to encourage the adoption of the legal standards contained G8 Ministers issued a joint communiqué stating that, with the Council of Europe Convention of Cybercrime computer tocrime ensure that there were no combat “safeto havens”Principles Ten for anywhere criminals intheworld. adopted countries G8 the year, that in D.C. Washington in meeting 1.2.3. The European Union(EU) for terrorist purposes”. Internet the misusing of forms specific frameworks, legal national within criminalizing, towards work “to At the Meeting of the G8 Justice and Interior Ministers in Munich on 23-25 May 2007, Ministers also agreed Terrorism, includingthefollowing statement: Counter- on Declaration Summit a in culminated and Petersburg St. in held was 2006 in Summit G8 The 13 The G8 Group of States of Group G8 The 1.2.2. G8Group ofStates 12 11 issued thefollowing statement: an important next step forrepresented the EU in implementing which the general policy outlined by 2007, the Commission. Delegates November in Cybercrime on Meeting Expert EU an organized cybercrime”. Commission against The fight the on policy general a “Towardscalled theft, identity against legislation European regarding 2007 May in initiative an considered Commission EU the development, latest the In illegal system interference andillegal data interference. supplements the Convention on Cybercrime and includes on articles illegal access to information systems, Decision Framework Union European The2005. in force into entered which systems, information against The Council of the European Union adopted a proposal in 2003 for a Council Framework Decision on attacks

and therecruitment ofotherillegalactors”. apply all of that to prevent terrorists from using computer and Internet sites for hiring new terrorists will we and work, particular this for base legal international an need will we and criminality, cyber harmful computer programs. We will instruct our experts to generate unified approaches to fighting work against the selling of private data, counterfeit information and application of viruses and other telecommunication.of sphere the in includes That including acts, criminal possible preventtosuch We score. measures of set a thatdevise to necessary technologies.is Forhigh it of that,sphere this in acts terrorist on legislation of and terrorism IT prevent pieces will that countermeasures relevant effective improving of of necessity the discussed analysis comparative a as well as combating terrorism, in experience international accumulated sharing to related issues discussed also “We of terrorists;” to commit terrorist to acts, communicate andplanterrorist aswell acts, asrecruitment andtraining Effectively counteringcyberspace attempts to misuse for terrorist purposes, including incitement andimprovingImplementing the international legalframework oncounter-terrorism; terrorist threat, including: “We reaffirm our commitment to collaborative withour tointernational combat partners, the work,

At a meeting of the G8 Justice and Home Affairs Ministers inMinisters Affairs Home and Justice G8 the of meeting At Washington the a May 2004, 10-11 on D.C. Seewww.g7.utoronto.ca. Seewww.europa.int. G8Information Centre,Universityof Toronto, Canada,see 11 established the Subgroup of High-Tech Crime (the Leon Group) in 1997. At a At 1997. in Group) Leon (the High-Tech Crime of Subgroup the established 13 12 They issuedthefollowing statement: www.g7.utoronto.ca. 17 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex expertise inCSIRTsexpertise anddigital forensics. technical building legislation, on held also were Discussions members. ASEAN and APEC for model legal reference a as introduced was Cybercrime on Convention The cybercrime. and cybersecurity in building workshop on network security was held in Manila in 2007 to APEC-ASEANshare knowledge and experiences in joint capacity- A issues. recurring major are authorities enforcement law between and assistance frameworks mutual legal of consistency The OECD). and ITU ASEAN, (including organizations international other with conjunction in co-organized were workshops Some others. among security, products/services spam, wireless security, malware, exercise,cybersecurity botnets, hand-held mobile device security and ICT as diverse as topics on crime and cyberthreats emerginginformation”)combat of and misuse criminal the (“Combating 55/63 Resolution Assembly General UN implement to workshops many hosted has TELWG legal assistance arrangements”.mutual and procedural substantive, address frameworks policy and legal that ensuring by environment online the of use criminal and use malicious misuse, the by toposed threattaken “addressthe been have actions strategic perspective, legal the Fromsecurity. online promote to economies APEC in stakeholders all among cooperation close promote to areas item Online action seven Sustainable lists strategy and This 2005. in Secure Environment Trusted, A Ensure to Strategy APEC the adopted TELWGstrategy, the to Complementary policies. and laws assistance mutual comprehensivesubstantive,proceduraland their on report and develop to efforts the facilitate adopt, to economies APEC encouraged has It instrument. legal multilateral first the as Cybercrime on Convention the recognized and of cybercrime on importance framework the legal stressed a also has Strategy Cybersecurity APEC the of section development legal The oncybercrime. foris alsounderway APECeconomies to inlegalexpertise assistwithcapacity-building investigative cybercrime Prosecutorand units.Judge A Cybercrime Enforcement ProjectBuilding Capacity and needs in establishing comprehensive legal frameworks and developing effective law enforcement and these conferences, of follow-upsuccess the assistance on was on Building provided laws. tofocusing cybercrime individual comprehensive2005, economies of and to drafting address 2004 legislative their and 2003, specific capacity-building issues in Seoul and Hanoi, Bangkok, in experts of conferences consecutive under TELWG(SPSG) threeGroup sponsored Steering Prosperity and response Security the leaders, from In call this to protection. infrastructure critical and cybercrime on Ministers and leaders by set objectives address to work its continues WG) cybercrime. and cybersecurity TEL adoptedWG CybersecurityAPEC the Strategy to2002 in implement the (TEL Group Working Information and Telecommunications APEC’s 55/63 Resolution Assembly General (2000) andtheConvention onCybercrime. Nations United the including instruments, legal international with and Cybercrime on their Convention renewed the Ministers study endeavor the to to enact a comprehensive set economies of laws when relating to and cybersecurity all cybercrime that are 2005, consistent encourage and they that 2002 stating in commitment, Meetings Ministerial at cybercrime”. Similar made and were cybersecurity to statements relating laws of set comprehensive a enact to “Endeavour to: At a meeting in Mexico in 2002, the leaders of the Asianthe of Pacificleaders the At2002, Mexicoin in meeting a Economic Cooperation (APEC) 1.2.4. Asian Pacific Economic Cooperation (APEC) 14

to establishthecooperative linksuponwhichsuchsuccess isbuilt.” international cooperation. The conclusions of today’s and meeting represent regionalan important step by on the EU depends “Vico”the paedophile for Austria, in hunt global the Koala”and “Operationas incidents such abuse operations successful child Indeed action. concerted online for need the high-profile highlights UK, the and and Italy Germany, content illegal Spain, in Estonia, in theft attacks identity large-scale spanning Europe, across cybercrime of prevalence increasing “The Seewww.apectelwg.org. 14

committed 18 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex effective legal cooperation to fight transnationalcrime. for need the recognized that cybercrime on statement a issued Bangkok in 2004 in Meeting Ministerial A China Strategic Partnership for Peace andProsperity, withadeclaration that expressed theirjoint intent: The Association of South East Asian Nations (ASEAN) 1.2.7. Association EastAsian ofSouth Nations (ASEAN) terrorism andmoney-laundering. combat to laws address to 2007 October in held was Ministers Law Commonwealth of Officials Senior of Meeting further A countries. Commonwealth other with compatible legislation framework adapt to use to guidance. limit conflicting can as an The model lawexample of each common serves principles country the entitled law, The 2002. in Ministers Computer of and Computer ConferenceRelated Crimes Act, Commonwealthshares the same the framework as the to Convention on law Cybercrime model a present to In In an effort to harmonize computer-related criminal law in the Commonwealth countries, 1.2.6. The Commonwealth 18 17 16 15 States (OAS) Organization American the of in Americas Attorneysthe or of General Ministers Justiceor of TheMinisters 1.2.5. Organization States ofAmerican (OAS) and aresolution was adopted. The conclusions and recommendations of the Meeting were followed up atsession in a June plenary 2007 ofJustice ofMinisters (REMJA) Meeting inJune2006issuedthefollowingThe Sixth statement: 2005, whichculminated inthefollowing conference statement: December in conference OASorganizedMadrid a Spain, in Europeand of Council the cooperationwith In (REMJA) in Washington D.C. approved conclusions andrecommendations including: in 1999. 2004, In the Fifth of Meeting of Ministers Justice or or Ministers Attorneys General of the Americas

increased, rapid legalandotherforms andwell states ofcooperation, functioning ARFparticipating requires cyberspace of misuse terrorist and cyber-attacks against fight effective an that “Believing and enhancing cybersecurity, and preventing andcombating cybercrime.”maintaining of purposes for procedures response emergency and cooperative formulate “to Interpol, in order for theOAS States Member to take advantage ofprogress inthoseforums”. the Forum, Co-operation Economic Pacific Asia Organisation for the Economic Cooperation and Development Union, (OECD), the G-8, European the Commonwealth, and the Nations, United such cybercrime, the of as area the and in agencies of information and organizations international the exchange other for with cooperation mechanisms strengthen to continue efforts that Similarly, implementation.requiredmeasures forits other and legal accedingthereto,the to adopting to and give consideration to applying the principles of the Council of Europe’s Convention “…continueon Cybercrime to and strengthen cooperation with the Council of Europe so that the OAS Member States can and onbehalfofinternational cooperation”. in level domestic at cybercrime, Convention fight to tools and laws compatible this and effective of use make toto order Parties becoming of possibility the consider to States encourage “Strongly that to acceding of possibility the consider convention”. and Council (2001), the Cybercrime of on principles Convention the Europe’s implementing of of advisability the evaluate should States “Member A statement from theASEANRegional Forum (ARF) inJuly2006emphasized that: Seewww.aseansec.org. Seewww.thecommonwealth.org. SeeResolution (AG/RES.2266(XXXVII-o/07)). Seewww.oas.org/juridico/english/cyber.htm. 15 recommended the establishment of a group of governmental on experts cybercrime in Peru 16

18 agreed with China in 2003 to implement an ASEAN- 17 experts gathered 19 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 1.2.8. The Arab League made thefollowing statement: Korea of Republic the and Japan China, from Communiqué Joint A revised. and reviewed be to needed challenges and increasing scope of transnational crime, the ASEAN-China Memorandum of Understanding Novemberin 2007. Darussalam Brunei in China, togetherwith met, Theyagreed that,givenemerging the Ministers of ASEAN member countries with responsibility for cooperation in combating transnational crime 21 20 19 (OECD)Development and CooperationEconomic for Organisation The 1.2.10. The Organisation for Economic Cooperation andDevelopment (OECD) a Third inthenearfuture, Reading before itissigned into law. Bill passed its Second Reading in the Parliament of Botswana in December 2007, and is expected to go for cybercrime - Mauritius, South Africa and Zambia address have to legislation all with adoptedahead forged such and initiative cybercrime the legislation.taken have A countries African Cybercrime individual Some infrastructure inAfrica. ICT secure andreliable high-quality developmentpromotingatthe of aimed partnership multi-stakeholder global a launch to 2007,I October laws Africancybercrime region. in the Southern The in AfricaConnect Rwanda, Summit was held in Kigali, the to similar be should legislation started. their that has so efforts, processtheir coordinate to legislative trying are its states African and East Bill Misuse Computer a drafted has Uganda although Uganda), (including regionTanzania, Africa and KenyaEast the in slower been generally has legislation adopting cybercrime in Progress Africa, 2005. in laws South cybercrime Zimbabwe, harmonize to efforts Zambia, initiated Mozambique) (including and Malawi (SADC) Community Development African Southern The 1.2.9. The African Union legislation to address threats anddevelop appropriate incyberspace tools to combat cyber-attacks. Forensics was held in Doha in February 2008 and stressed the importance of reviewing national cybercrime An ITU Regional Workshop for Cybersecurity and Critical Infrastructure Protection (CIIP) and Cybersecurity the GCC countriesatreaty oncybercrime. draft includes (which (GCC) Council Cooperation Bahrain, Kuwait, Oman, Qatar, Gulf Saudi Arabia and the UAE) The ,recommended at a conference 2006. in June 2007 that February in its enacted Arabia with No.2, legislation, Saudi Law adopt to Cybercrime Pakistan,region the in as country first such the was legislation, UAE (UAE). Emirates cybercrime Arabic United adopted and have region the in countries Several critical informationcritical infrastructure protection are notbindingfor States. Member on Networks: TowardsSecurity.guidelines and Systemsof TheseCulture Information a of Security the on

and encourage theformulation ofsuchaframework”. space cyber of misuse terrorist, including criminal, addressing in collaboration and cooperationfor ARF countriesparticipating and organization acknowledge the of importance a national framework detection, Technologies’.Information of Misuse Criminal the prevention, ‘Combatingon 55/63 Resolution Assembly General the UN the in recommendations ten for the including party, are they which to recommendations/guidelines attacks of mitigation and reduction, and instruments relevant to referring international by and conditions cybercrime national implement their and with accordance so, in done laws yet cybersecurity and not have they if enact, to endeavor organizations and

Seewww.oecd.org. Seewww.africa-union.org. Seewww.arableagueonline.org. in persons”. fortrafficking- example, transnationalcrime: terrorismand other to stronglinkages its in cooperation 3 + ASEAN combating transnational strengthening crime focusing on on the views emerging challenges exchangeof cybercrime and to retreat a held “We 19 20 21 adopted new guidelines in 2002 in guidelines new adopted 20 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex The Shanghai Cooperation Organization (SCO) 1.2.11. The ShanghaiCooperation Organization (SCO) For oftheConvention, thepurposes “terrorism” isdefinedasincluding: Terrorism, Separatismstates andExtremism that memberstates are: June 2001 by the Declaration of Shanghai Cooperation Organization. The Shanghai Convention on Combating of 15 Kyrgyz on Republic the the Republic,Federation, TajikistanUzbekistan of Kazakhstan, Republic the and and informationthreats. security network growing address jointly to together work will members SCO security, information of field the in threats and challenges Facingnew security.information security”,to informationdevoted international is safeguard to plan action countries member document, “SCO the which among documents, important of series a signed China and of Uzbekistan Tajikistan,city Kyrgyzstan, capital Kazakhstan, the Russia, in meeting, 2007, the AugustAt Kyrgyz.16 on held was State of Heads SCO of Meeting Council Seventh The crime, computer for guidelines initiate to organization international first the was OECD The OECD Malware Workshop was heldinManila. APEC- an 2007 April In response. incidents governmental global promoting including discussed, were topics Several2005. in Seoul in held was Information of Security on workshop APEC-OECD joint A 2006. in report its on Workshop and Security Network Cybercrime and held in SystemsOslo, Norway, Information in 2003. on The Forum OECD Task Global Force OECD on Spam an was established in including 2004 and crime, delivered computer and cybersecurity of aspects different on workshops and meetings numerous held has OECD The 24 23 22 coordinated policy approach building trust and confidence. The OECD Working Party on Information and on Information hasdeveloped international guidelinesto promote cybersecurity. (WPISP) Privacy Party Working OECD The confidence. and trust building approach policy coordinated global a promotes and cybersecurity, on more focuses it Rather, such. as cybercrime on directly today work

this Convention (hereinafter referred to as “the Annex”) and as defined in this Treaty; this in defined as and Annex”) “the as to referred (hereinafter Convention this of their motives, cannot be justified under any circumstances, and that the perpetrators of such acts should beprosecuted acts underthelaw”. such of perpetrators the that and circumstances, any under justified be cannot motives, their of regardless Convention, this in defined as extremism, and separatism terrorism, that convinced “firmly

Seewww.sectsco.org. Seewww.oecd.org/sti/security-privacy. SeeComputer-related Criminality: “a. any act recognized as an offence in one of the treaties listed in the Annex to the in listed the treaties of one in offence an as recognized act any “a. b. intended…, otheracts aswell asto organize, plan,aidandabetsuchact”. Analysis ofLegal PoliticsintheOECD-Area (1986). 24 was established by the People’s Republic of China, the Russian 23

22 but it does not does it but

21 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex exhaustive list): relevantSome United Nations system decisions, resolutions andrecommendations include(inanon- 1.3.2. United Nations system decisions, resolutions andrecommendations orthegroupsthe crimes whocommit themhave someelement oftransnational involvement. either where groups criminal organized by committed crimes punishing and prosecuting investigating, b) ofjustice); 23 (criminalizationofobstruction group), 6 (criminalization of the laundering of the proceeds of crime); 8 (criminalization of corruption) and a) The Convention appliesto theprevention, investigation andprosecution of: Scope ofapplication provisions doprovide elements ofaconcept oforganized crime. For instance: Although theConvention doesnotprovide asingle, agreed definitionoforganized perse, crime its against fight the in instrument transnational organized more crime effectively. combat international and prevent main to cooperation international the promote to is seeks and crime, It organized transnational 2000. November 15 in 55/25 Resolution The 1.3.1. The United Nations Convention against Transnational Organized (TOC) Crime Offences established in accordance with Articles 5 (criminalization of participation in an organized crime (article 2 - see definition above). States’ Parties shall be able to rely on one another in another one on rely to able be shall States’ Parties above). definition see - 2 (article crime Serious • • • • • United Nations Convention against Transnational Organized Crime was adopted by General Assembly December 2005. 16 of 60/177 Resolution Assembly General by endorsed 16), Justice”and Criminal 15 (paragraphs The Bangkok Declaration on “Synergies and Responses: Strategic Alliances in Crime Prevention and 2002. Assembly 56/261of31January Resolution General by, noted and and to, annexed century” 2000 Twenty-first the of December Challenges the Meeting 4 Justice: and of Crime on Declaration Vienna 55/59 the of implementation the Resolution for action of Assembly of “Plan 36 paragraph General by endorsed 18), (paragraph The “Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-first century” and related crimes”. prevention, the in cooperation “International on investigation, prosecution 2004 and punishment of July fraud, the criminal 21 misuse crime and falsification of of identity 2004/26 identity-related Resolution ECOSOC and fraud economic of (E/2007/30 andE/2007/SR.45)”. punishment and prosecution prevention, investigation, the in cooperation “International on 2007 July 26 of E/2007/20 Resolution ECOSOC responses to combat sexual exploitation ofchildren” (notably, paragraphs 7&16). CCPCJ 2007on 16/2ofApril 2007Resolution “Effective prevention crime justice andcriminal • • • 1.3. ExistingUnited Nations International deprivation of liberty ofat leastfour years oramoredeprivation ofliberty penalty. serious constituting anoffence isdefinedas crime conduct Serious punishable byamaximum - offences committed inone State, buthaving substantial effectsinanother State. inmore thanoneState; activities criminal - offences committed inone State, butinvolving anorganized criminal group that engagesin or control takesplace inanother; - offences committed inone State, ofpreparation, planning, butasubstantial part direction - offences committed inmore thanone State; Transnational are crimes definedas: commit oneormore inorder crimes serious to obtainfinancialorothermaterial benefit. An organized group criminal isdefinedasthree ormoretogether persons to working Provisions 22 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex in theInformation Society. security enhance to strategiesproposing at aimed cooperation internationalglobal and dialogue for frameworka as by 2007 May in (GCA) Agenda Cybersecurity Global the launched General Secretary ITU The of information andcommunication technologies (ICTs)”. facilitatorforsole the C5: as Line lead Action the WSIS use take to the in security confidence and “Building Agenda for the Information Society. Under the Tunis Agenda for the Information Society,Tunisthe ITU and was CommitmentTunisthe entrusted Action; of Plan Geneva contained the Principles, of are Declaration Geneva Summit the in the of outputs The laws. and standards compatible development the including society, information global a of development the of with associated issues emerging the address to best Governments, fromand policy-makers experts around the world shared ideas and experiences about how the Information Society held (WSIS) with other partners in two phases, in Geneva in 2003 and Tunis in 2005. Held in conjunction with other tThepartners, ITU took the leading role in organizing the World Summit on 1.3.3. The International Telecommunication Union(ITU) guidelines onthismatter. substances over controlled pharmaceuticalthe Internet, preparations. particularly of The Board is also sales finalizing a set of illicit of spread the curb to 2005 for report annual its in recommendations published published also have meetings) HONLEA relevant conclusions and recommendations. regionalAdditionally, the International Narcotics and Control Board (INCB) East Middle and Near the in Matters Related and TrafficDrug Illicit on Sub-commission the (e.g., Drugs Narcotic on Commission the of bodies Subsidiary • • • • • the Internet”. via individuals tothe drugs on controlledlicit 2004/42 internationally ECOSOC of Resolution “Sale cooperation againsttheworld drugproblem”. on “International 2005 December 16 of 60/178 Resolution Assembly General the of 17 Paragraph licit drugs to individualsviatheInternet”.controlled internationally of “Sale the addresses on also 2004/42 Resolution 48/5 ECOSOC Internet. Resolution including the on 2000 March Drugs, 15 of 43/8 Resolution Drugs Narcotic crime”on drug-relatedCommission and commit Narcotic to Internet the of on use the prevent to order Commission in cooperation international “Strengthening the by resolutions Various of Commission Prevention onCrime misuse Justice. andCriminal criminal the of achievements the and work the combat alia, inter account, to into take to practice, and technologies information and policy law, national developing when States, on 2001 “CombatingDecember the criminal 19 misuse of informationof technologies”.56/121 and This2000 latter resolution December invites Member 4 of 55/63 Resolutions Assembly General the recommendations adopted by theEleventh Congress. Crime”. Paragraph 2 of General Assembly Resolution 60/177 invited Governments to implement all Computer-Related Combat to on CongressWorkshop“Measures hoc ad an of Recommendations 23 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex “cyberterrorism” usedto thisphenomenon. isoften describe Convention on the Prevention of Terrorism.of Prevention the on Convention Europe’sof Council the by supplemented 2005 in was treatytreaty. multilateralThe a as Terrorism”,1977 in of adopted was Suppression the on Convention European treaty,“The Europe of Council a Europe, In generally acceptable definition could beagreed upon. Criminal Court, Criminal the final United Nations diplomatic conference of plenipotentiaries on the establishment of anInternational yetnot agreeduniversal has a definition During upon for terrorism. society time,forglobal long but a acts such of prevention the in involved been have organizations International developed. were technologies Terrorismbeforelong conduct computercriminal communicationtonetwork describe used and been has to generate fear. Serious attacks against critical infrastructures could constitute acts of cyberterrorism, cyberterrorism, of acts constitutedepending ontheirimpact. could infrastructures critical against harm attacks sufficient Serious cause fear.or generate property to or persons to damage in result should attack An objectives. social or political specific of furtherance in people its or government a coerce or intimidate to information stored Cyberterrorism has been defined as unlawful attacks and threats of attack against computers, networks, and ofcrime. to understandthat thisisnotanewcategory important Panel 31 Cyberterrorism inthe21stCentury; Testimony beforetheUSSenate CommitteeontheJudiciary, 24February2004. 29 28 tional 26 25 principles 11 adopted Interior and Justice of Ministers G8 the 2003, In countries. of Group G8 the by developed been have (CIIP) Protection Infrastructure Information Critical for Principles 1.4.1. Principles for information protecting critical infrastructure represent a category of cybercrime and a criminal misuseofinformation andacriminal represent technologies. ofcybercrime acategory Terrorism andterrorism. comprises bothcybercrime incyberspace Terrorist attacks incyberspace terrorist offences are inthe described Convention asoffences that aim: of intent or purpose 1. The Appendix in contained treaties ten of list attached the in defined offences the 30 space (June2006). 27 crimelaw.net. 1.4.2. Cyberterrorism andterrorist useoftheInternet well strategies. asnational security critical protecting for information of infrastructuresociety’s as are a vital part and cyberterrorism, protection against cybercrime Principles principles. such implementing for need the demonstrated clearly 2007 infrastructure”.information critical of protection the April/May in and Estonia in coordinated Thecyber-attacks cybersecurity of culture global a the “creationof on 2004 in adopted principles UN the for basis the 1.4. CriticalInformation Infrastructure Protection

international organization.” an or country a of structures political,social constitutional,destroyfundamental or economicor the destabilize seriously or anyact fromperforming abstain or perform internationalorganizationto an or government a compel unduly or population a intimidate seriously to context or nature their “by

on Criminal

Final Act oftheUnitedNationsdiplomaticconferenceplenipotentiaries ontheestablishmentofanInterna See Terrorism, The Dorothy John See Source:

ASEAN www.g7.utoronto.c Council

Malcolm,

Court, 27

E. Stein serious crimes such as terrorism were discussed, but the conference regretted that no that regretted conference the but discussed, were terrorism as such crimes serious

Committee

Denning,

of Regional Rome

Schjolberg:

Deputy Europe

July

Professor, 31

on Forum

a Assistant Convention

17,

, Armed

see “Terrorism

1998

Statement also

Naval

Services, Attorney

(U.N.

Dunn

in Postgraduate the

Doc.

on 28 and Cyberspace

General, In this Convention, a terrorist offence is defined as any of any as defined is offence terrorist a Convention, this In Prevention U.S.

cooperation (CIIP)

Mauer: A/CONF.183/10).

House 26

School,

International -

of Myth

Department in

Terrorism

Representatives,

fighting 30

USA: However, inusingsuchaterm, itis or

Reality?”

CIIP

Testimony cyber will

Justice:

enter Handbook

attack (2007),

May ed into force on 1June, 2007.

before

Virtual

2000. and

available

2006

terrorist

the

Threat, 25

, which also formed also which , Vol. 29 Special The term

from:

misuse I,

Real

page

Oversight

www.cyber

Terror:

of 358-360.

cyber

- - - 24 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex required to adopt as criminal offences certain preparatory conducts with the potential to lead to terrorist to lead to potential acts. the with are conducts Convention preparatory certain the offences to criminal as parties adopt 5-7), to required (Articles Terrorism of Prevention the on Convention the to According 1.4.2.2. Preparatory conducts criminal ofthenational informationa significant infrastructure. part disrupt or havepotentialcrashattacksto the Such cyberattacks. (DoS) Service coordinatedof in world Denial the over all from computers compromised of thousands of hundreds of networks from messages of millions with networks and systems computer flooding are attacks cyberterrorist common most Currently,the total. correct omitting by or temporary,partial is operation permanent, efficient their hindranceto the matterif or not does processing. It incorrectly data process or function to made or memory, without or at speeds, run slowerto made time, of periods extended or short for down closed be can systems navigation Computer systems. key networks, telecommunication networks, and systemsfortraffic, air and shipping water management systems, energy supplies, financial systems systemsother and government include targets Potential critical the consequencesserious to thesociety. of networks and with threat significant representa and damage massive systems cause can infrastructures information critical against computer of Attacks acts. functioning cyberterrorist of targets likely most the are government the or State a of infrastructure information of disruption or hindrance Serious 1.4.2.1. Terrorist incyberspace acts and networks are further blurring thedifferencescyberterrorism. blurring cybercrime and areand networks between further fear by effectsthat are ordisruptive, destructive withapolitical, religious orideological motivation. defined as attacks or a series of attacks on critical information infrastructures carried out by terrorists, instilling 32 agenda. ideological or social political, certain a to conform to population or to create fear by causing confusion and uncertainty in a population, with the goal of influencing a government of computers and telecommunications capabilities causing violence, destruction and/or disruption of services The USFederal perpetrated Bureau by acts ascriminal ofInvestigation theuse hasconsidered cyberterrorism 37 Treaties/Html/196.htm 36 Issues forCongress (November2007). 35 34 33 Technology, offence. criminal a is justified and necessary as offence terrorist a Presenting 5). committed” be (Article may offences such more or one that danger a causes offences, terrorist advocating directly not or public, “whether the to intended to be used for this purpose” (Article 7). The purpose must be to execute the terrorist offence or offence terrorist the execute to be contribute tomust it. The trainer must have or of knowledge purpose skills “know-how”The which is intended to be 7). used for the (Article purpose” this for used be to intended are provided skills the that knowing offence, terrorist a of commission the to contributing or out carrying of other weapons or noxious or hazardous substances, or in other specific methods or techniques, for theTraining the in provision the instruction as for of defined terrorism purpose is explosives, of use or firearms or “making person. The recruitment mustbeunlawful andintentional. for Recruitment 6). group” (Article the recruiterapproachsuccessfully the requiredthat is it but the Internet, the using out carried be mayterrorism or association the by offences terrorist more or ina one of the orparticipate commission to contributing of purpose the “to commit for group, or association are solicited an join to or offence, people terrorist a if of commission offence criminal a also is terrorism for Recruitment committed unlawfully andintentionally. These elements are also the targets of the attack. the of targets the also are elements These designed or intended to destroy or disrupt critical information infrastructure of vital importance to the society. motivation.intent terroristor systems with IT made of Terrorismbe use must the they includes cyberspace in These definitions have several common aspects: terrorist conducts are acts designed to spread public fear and

SeeArticles 5-7oftheConventionon thePreventionofTerrorism, availableat:http://conventions.coe.int/Treaty/en/

36 Public provocation to commit a terrorist offence is a criminal offence, if the distribution of a message of distribution the if offence, criminal a is offence terrorist a commit to provocation Public KeithLourdeau,Deputy Assistant Director, CyberDivision,USFederalBureauof Investigation(FBI): Terrorism,

37 See Clay See See Specific intent is required to incite the commission of a terrorist offence, while provocation must be

and

Explanatory also the

Wilson:

Homeland International

Kathryn

CRS

Report Kerr,

Security. Report

Handbook

Australia:

note

for

Testimony

98. Congress

Putting

Critical

before

–

cyberterrorism Botnets,

Information

the 34 Recent technological developments in computer systemscomputer in developmentstechnological Recent

Senate

Cybercrime,

Infrastructure

into Judiciary

context

and

Subcommittee,

Cyberterrorism:

(2003).

Protection 32 Cyberterrorism has also been also has Cyberterrorism

(CIIP)

Vulnerabilities

February

2006

35 Vol.

2004.

II,

and

page 33

Policy

14. 25

International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex In one of the first convictions in this category, a man was sentenced in København Byret (Copenhagen Byret København in sentenced District Court) was man a category, this in convictions first the of one In seriously disrupt IT systems or networks of vital importance to the society may constitute a criminal offence. Public provocation, recruitment or training for coordinated with cyber-attacks terrorist intent to destroy or not connected tonot connected any stated: specific terrorist butthe acts, court were acts His material. terrorist collecting by acts terrorist encouraged had He Code. Penal Danish the of carrying outoftheterrorist offence or carrying for contributing to it. 39 38

of thegroups to bestrengthened intheirintent to commit terrorist acts”. materialshis were forsuitable recruiting tomembers new groups,the forsuitable and members the intendedthat, thatspreadingthatdefendantincluding the and the to commitof terrorist knew acts “The defendant’s activity may be described as professional general advices to terrorist groups that are Seewww.domstol.dk/KobenhavnsByret See

Explanatory 39 in Denmark on 11 April 2007, to imprisonment for three years and six months for a violation

Report

note

122. 38 Training mustbeunlawful andintentional. 26 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Service providers areService defined by the Convention of 1(c)as: Cybercrime in Article provider 1.5.2.3. Service 1(b) includes: in Article At theCybercrime Convention inJune2007,itwas agreed Meeting that thedefinitionof computer data Computer data isdefined by the Convention of 1(b) as: Cybercrime in Article 1.5.2.2 Computer data system” 1(a)includes: in Article At aCybercrime Convention inMarch 2006,itwas Meeting agreed that thedefinitionofa “computer A computer system isdefined by the Convention on 1(a)as: Cybercrime in Article 1.5.2.1. Computer system Definitions 1.5.2. Other of misuse terrorist and acts preparatory of criminalization Internet. other and phishing spam, theft, identity Recent including categories, law. used commonly domestic further of in addition the definitions in result may extended developments technological exclude not does tha list, consensus minimum a is This in four different categories: ortheuseofcomputerthe particularity, theknowledge technology. emphasize must definition a so crimes, of categories all involvemay crimes computer that argued been has it Historically, cybercrime. or crime computer of definitions have so developed, has technology As 1.5.1.2. Cybercrime actions, approaches, and organization, as well asuser’s, management assets. risk guidelines, cyber-environment the protect to used policies, be can that technologies and assurance tools, practices, best training, of collection the is Cybersecurity 1.5.1.1. Cybersecurity cybercrime and cybersecurity of 1.5.1. Definitions i “Pin codes for usewere electronic computer data wheninputinto acomputer device”. system, includingaprogram suitableto causeacomputer afunction”. system to perform “Any representation of facts, information or concepts in a form suitable for processing in a computer also produce, process andtransmit data”. Similarly it was recognized that the personal digital assistants, with or without wireless functionality, attachments suchasphotographs, anddownloading documents. to produce, process and transmit data, such as accessing the Internet, sending emails, transmitting “Modern mobile telephones which are multifunctional and have among their functions the capacity program, automatic processing performs ofdata”. “Any device orgroup ofinterconnected orrelated devices, oneormore ofthat, pursuant to a (4) offences related to infringementsof copyright and relatedrights. (3) content-related offences; (2) computer-related offences; (1) offences againstthe confidentiality, andintegrity of computeravailability data and systems; Today, the Convention on Cybercrime cybercrimedefines in 2-10 onArticles substantive criminal law means ofacomputer system, and “Any public orprivate to that provides entity communicate theability to by users ofitsservice 1.5. Definitions/Terminology 27 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Traffic data isdefined bythe Convention of Article1das: Cybercrime in 1.5.2.4 Traffic data on the Convention by offer isunderdiscussion. adopted provider on services service new the cover would which of definition broader a for definition need Currently,the used. is Cybercrime the Chapter, this of purposes the For service”. communication’s origin, destination, route, time, date, size, duration,ofunderlying ortype by acomputer system inthechainofcommunication, indicating that the formed apart “Any computer data relating to acommunication by meansofacomputer system, generated ii service orusersofsuchservice”; service any that processes otherentity orstores computer data onbehalfofsuchcommunication 28 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex the access itself, butonlysubsequent offences. 46 tations/sg-opening-remarks-14-may-2007.pdf. integrity of computer systems. computer of integrity access with subsequent offences, or seek to limit the criminalization of the illegal access toserious access illegal the of criminalization the tolimit only. violations seek or offences, subsequent with access illegal confuse sometimes provisions enacted that shows level national the at access computer illegal of a single day using one computer. in systems computer of thousands attack can offender single a attacks,preinstalled and software of help in Art. 2,sentence2 In this context, one question that is intensively discussed is whether the act of illegal access should be should criminalized, access in addition illegal to subsequent of offences. act the whether is discussed intensively is that question one context, this In protection. of focus different a have them with dealing provisions legal the as espionage), data as (such tory Reportto the CouncilofEurope 52 Schjolberg 51 50 and uninhibitedmanner”. reflects theinterestsoforganisations andindividualstomanage,operatecontrol theirsystemsinanundisturbed 49 48 pages.cs.wisc.edu/~pb/botnets_final.pdf; http://www.cert.org/archive/pdf/Botnets.pdf; control. Formoredetails,see 47 Types, Methods, tion Meetingfor 45 EJIL 44 43 describe aconstructiveactivity. of asystem(softwareorhardware)thanitwasdesignedfor. 42 ITU-D. 41 int. 40 system computer a to access or unlawful access“hacking” to refers Illegal access1.6.1.1. Illegal 1.6.1. Offences againstthe confidentiality, andintegrity of data and availability computer systems related to hacking attacks is the availability of software tools designed to automate attacks. automate to designed tools software of availability the is attacks hacking to related harmful harmful intentions, or where data was obtained, modified or damaged. has perpetrator the where measures,or security by protected is systemaccessed the where cases in only Pentagon, Yahoo, Google, ebay and the Estonian and German Governments. the Airforce, US the NASA, include attacks hacking of Famoustargets phenomenon. mass a become has lea acs t cmue sses a peet optr prtr fo mngn, prtn and operating managing, manner. uninhibited from and undisturbed operators an in computer systems their prevent controlling can systems computer to access Illegal Legal solutions botnet related crimes. related rity_hacker_history;

2002,No5–page825etseq. 47 Art. 2 For an overview of the various legal approaches towards criminalising illegal access to computer systems, see Gercke: Botnetsisashorttermforgroupofcompromisedcomputers runningprogrammesthatareunderexternal Foranoverviewofthetoolsused,see RegardingthreatsfromCybercrimetoolkits,seeOpening RemarksbyITUSecretary-General,2ndFacilita Foranoverviewofvictimshackingattacks,see:http://en.wikipedia.org/wiki/Timeline_of_computer_secu Regardingrelatedcases,see IntheearlyyearsofIT Formoreinformation,seethetheforthcomingGuidetoUnderstandingCybercrime,bepublishedby Formoredetails,seetheConventiononCybercrime,ExplanatoryReportno16-106,www.conventions.coe. -s/hecanincrease thescaleofattack stillfurther. Sieber Explanatory ReporttotheCouncilofEurope ConventiononCybercrime, No.44:“Theneedforprotection , “TheLegalFramework”,available at:http://www.cybercrimelaw.net. Convention on Cybercrime enablesmember statestokeepthoseexisting limitationsthatarementioned , Informationstechnologieund Strafrechtsreform,Page49etseq. 43 WSIS Tools, andPrevention –availableat:http://www.212cafe.com/download/e-book/A.pdf. 51 The ConventiononCybercrime,MMR2004,Page729. Following the development of computer networks (especially the Internet), this crime crime this Internet), the (especially networks computer of development the Following Some countries criminalize mere access, while others limit criminalization to offences to criminalization limit others while access, mere criminalize countries Some Convention on Cybercrime Joyner/Lotrionte 1.6. Substantial Criminal Law 41 Action LineC5,availableat:http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presen Ianelli/Hackworth development,theterm“hacking”wasusedtodescribeattemptgetmoreout 49 It is vital to distinguish between illegal access and subsequent offences subsequent and access illegal between distinguish to vital is It Convention on Cybercrime, No.40. 46 , Information Sieber If the offender If has access to more computers – for example, through a Jones, “ , CouncilofEuropeOrganised CrimeReport2004,page65. Barford/Yegneswaran . Regardingthe possibilitytolimitcriminalization, seealso:Explana , “Botnetsasa Ealy BotNets: DetectionandMitigation”. Warfare asInternationalCoercion:ElementsofaLegalFramework, , A 50 NewEvolutioninHack Review of the various approaches to the criminalization Within thiscontext,the term“hacking”wasoftenusedto Vehicle forOnlineCrime”,2005,page3,availableat: , “AnInsideLookatBotnets”,availableat:http:// 52 48 Attacks: Other countries do not criminalize Protection aims to maintain the maintain to aims Protection 42 , one of the oldest computer- oldest the of one , 44 One of the main challenges A GeneralOverviewof 40 45 With the With - - - - 29 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex focus of perpetrators may have changed the that suggests transferreddata personal private of data thefts identity of number than rising Thethreats. these provisionsaddress information,to law criminal their valuable designed have countries of yield number a result, to a As networks. likely private within more was communications corporate of interceptions.Interceptionillegal for networks business on concentratedmainly perpetrators past, the In Legal solutions communication inorder to obtaininformation transferred. 54 jolberg, “CybercrimeLaw–survey, availableat:www.cybercrimelaw.net. radius of up to 100 meters. 100 to up of radius a within received be can point access the However, and computer points. the between exchanges access data the wireless in signals the through access Internet customers offer bars and restaurants hotels,

1.6.1.2. Illegal interception1.6.1.2. Illegal nology Law, 2003, 60 National Identification Systems,HarvardJournal ofLaw& www.privacyrights.org/ar/id_theft.htm (lastvisited:Nov. 2007); Givens the SSNistodaywidelyused foridentificationpurposes.Regardingoffences relatedtosocialsecurity numberssee: 59 reading/studies/IDTheftFIN.pdf; (lastvisited:Nov. 2007). Identity Theft – A discussionpaper, page21et.seqq.–availableat:https://www.prime-project.eu/community/further nov%2007.pdf; Foranapproachtodividebetweenfourphasessee: ing_economic_crime/3_Technical_cooperation/CYBER/567%20port%20id-d-identity%20theft%20paper%2022%20 Internet-related Identity Theft, 2007–availableat:http://www.coe.int/t/e/legal_affairs/legal_co-operation/combat pdf (lastvisited:Nov. 2007).Lee,Identity Theft ComplaintsDoublein‘02,New York Times, Jan.22,2003; Electronica, information onothersurveyssee available at:http://www.javelinstrategy.com/products/99DEBA/27/delivery.pdf (lastvisited:Nov. 2007).Forfurther 58 WLAN. 57 56 55 2006, 144. 53 Wireless technologies are enjoying greater popularity and have historically systems. provedin their vulnerable. points weak for search However, intercept. offenders to difficult and well-protected are (ISPs)Providers Service Internet or Providers Infrastructure Internet among processes transfer data Most the of the national level, integrity the at approaches inconsistent protecting Noting system. accessa to access illegal unauthorized criminalizing by on systems computer provision a includes Cybercrime on Convention The countries withoutlegislation to retain more liberal laws onillegalaccess: numbers,

or inrelation to acomputer system that to isconnected anothercomputer system. intent,dishonest other or datacomputer obtaining intentof the measures,with security infringing anyof a computerpart system without right. A mayParty require that the offence be committed by as establish to necessary be may law, domestic offences as its criminal under intentionally,committed when or whole access the the to measures other and legislative such adopt shall Party Each access 2–Illegal Article , Identity RegardingIdentity Theft, seeJavelinStrategy& Research2006IdentityFraudSurvey, ConsumerReport– The radiusdependsonthetransmittingpowerofwirelessaccesspoint.See:http://de.wikipedia.org/wiki/ Formoreinformation,seetheforthcomingGuidetoUnderstandingCybercrime,bepublishedbyITU-D.- Regardingthesystemofreservationsandrestrictions,see Foranoverviewofthevariouslegalapproachesincriminalisingillegalaccesstocomputersystems,see See: IntheUS,SSNwascreated tokeepanaccuraterecordofearnings.Contraryits original intentions, Kang 59 passwords andbankaccount information) are now ofgreater interest to offenders. Vol. 11, No.1,2006–availableat:http://www.lex-electronica.org/articles/v11-1/ chawki_abdel-wahab. Hopkins , “Wireless NetworkSecurity – Theft: HowItHappens,ItsImpact on Vol. II,No. 1;Page112. 53 the Convention offers the possibility of limitations that – at least, in most cases – enable , “Cybercrime Convention: 55 57 Offenders that are able to receive the wireless signal can try to intercept the to try can signal wireless the receive to able are that Offenders Chawki/Abdel Wahab 58 Yet anotherhurdleinfightingCybercrime”;page6etseqq. , and private data (including credit card numbers, social security A PositiveBeginning toaLongRoad Victims, andLegislativeSolutions,2000–availableat:http:// , Identity Technology, Theft inCyberspace:IssuesandSolutions,page9,Lex Sobel, The DemeaningofIdentityandpersonhoodin Gercke Mitchison/Wilikens/Breitenbach/Urry/Portesi Vol. 15,Nr. 2,2002,page350. , “TheConventiononCybercrime”,CRi, 54 Ahead”, Journal ofHigh 56 60 Nowadays,

Gercke, – Tech - Sch- - - 30 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 68 tations/sg-opening-remarks-14-may-2007.pdf. to information stored on a hard disk is covered by the Convention is of great interest. great of is Convention the by covered is disk hard a on stored information access to illegal whether of question The processes. transfer data intercepting by out carried are offences become a major cybercrime major a become example,For system. computer“phishing” the operatingrecently user has the often is security computer The Convention on Cybercrime provides various legal solutions for illegal access (Article 2) and illegal and 2) (Article only.interception3) (Article access illegal for solutions legal various provides Cybercrime on Convention The Legal solutions automate attacks inorder to access victims’ computer systems. to designed tools software of use make also can Offenders communication. electronic official seemingly a through institution) financial (e.g. business or person trustworthy a as masquerading by passwords) as 1.6.1.3. Data espionage The Internet is increasingly used to obtain trade secrets trade obtain to used increasingly is Internet The 66 Security. 64 63 D.,thepublished -D 62 61 on Cybercrime, No.51. 70 69 of datacommunication.Seethe ExplanatoryReporttotheCouncilofEuropeConvention onCybercrimeNo.51. tion Meetingfor The HumanFactorinPhishing–availableat:http://www.informatics.indiana.edu/markus/papers/aci.pdf; the to connected accessto Internet information from this offenders any Internet, the almost via is try can place the in world. system computer the If systems. computer in stored often is information Sensitive that already exists inmostlegalsystems. recording and/or tapping of illegal against protection conversations voice the of protection equates the with essentially transfers electronic provision This interception. unauthorized their criminalizing by transmissions non-public of integrity the protecting provision a includes Cybercrime on ConventionThe access to computer systems. computer to access protected computer systems and describes the manipulation of human beings with the intention of gaining The techniques used to access information vary. “Social engineering” is highly effective for attacks on well- ofremotepossibility access makesdata espionagehighlyinteresting. 67 2005, 606. espionage otherthantheinterception oftransfer processes. data of coverforms not CybercrimeConventiondoes on the of 3 Article that likely is it needed, is process 65 able at:http://www.ncix.gov/publications/reports/fecie_all/fecie_2003/fecie_2003.pdf. Article 8ofthe European ConventiononHumanRights.“ and recording oforaltelephone conversationsbetween persons.Therighttoprivacy ofcorrespondence isenshrinedin of dataespionage. lution in Art. 3totraditionalviolations oftheprivacycommunicationbeyondInternetthat donotcoveranyform

computer data. A Party may require that the offence be committed with dishonest intent, orin intent, dishonest with committed relation to acomputer system that to isconnected anothercomputer system. be offence the that require may Party A data. such computer carrying system computer a from emissions electromagnetic including system, computer a within or from to, data computer of transmissions non-public of means, technical by made right, as establish to without interception the intentionally, necessary committed when law, be domestic its may under offences as criminal measures other and legislative such adopt shall Party Each 3– Article Seetheinformationoffered byanti-phishingworking group–availableat:www.antiphishing.org; Formoreinformation,see Forthemodusoperandi,see Formoreinformation,seetheforthcomingGuidetoUnderstandingCybercrime,bepublishedbyITU- ExplanatoryReporttotheCouncilofEuropeConventiononCybercrimeNo.51. RegardingthreatsfromCybercrimetoolkits,seeOpening RemarksbyITUSecretary-General,2ndFacilita Onekeyindicationofthelimitation oftheapplicationisfactthatExplanatoryReport comparestheso See Annual ReporttoCongressonForeignEconomicCollection andIndustrialEspionage—2003,page1,avail The ExplanatoryReportpointsout,thattheprovisionintends tocriminaliseviolationsoftherightprivacy Gercke WSIS Illegal interceptionIllegal “The offencerepresents thesame violationoftheprivacycommunicationsastraditional tapping , “TheConventiononCybercrime”, MMR2004,page730. Action LineC5,availableat:http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presen 62 68 66 65 It is questionable whether Article 3 applies to other cases than those wherethose than cases other to applies 3 Article whether questionable is It and describes attempts to fraudulently acquire sensitive information (such information sensitive acquire fraudulently to attempts describes and Social engineering is usually very successful, because the weakest link in link weakest the because successful, very usually is engineering Social Mitnick/Simon/Wozniak Sieber , CouncilofEuropeOrganised CrimeReport2004,page102etseqq. 61

SeeExplanatory ReporttotheCouncilofEurope Convention , The 64 Art ofDeception:ControllingtheHumanElement , as the value of sensitive information and the and information sensitive of value the as , 70

69 Since a transfer a Since Gercke, CR Jakobsson, - - - 63 -

31 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Internet, often in attachments to emails or as files that users download from the Internet. download that users fromfiles attachmentsas in toor the emails often Internet, were distributed through storage devices such as floppy disks, today, most viruses are distributed over the 1.6.1.4. Data interference provisions theillegalaccess. criminalizing been given for access to the computer system, it is in general not possible to deal with such cases through first developed, computer viruses have threatened users who failed to install protection. proper install to failed who users have threatened viruses computer developed, first computer systems within the first 10 minutes of its distribution. its of minutes 10 first the within systems computer 75 pers/ent-whitepaper_internet_security_threat_report_xi_03_2007.en-us.pdf. of theusertoharmcomputersystem.See 74 73 72 provision wasused,becauseitissuitabletodemonstratethedogmaticstructureinabetterway. This provisionhasrecentlybeenmodifiedandnowevencriminalisesillegalaccesstodata. three yearsortoafine(2)Datawithinthemeaningofsubsection1areonlysuchasstoredtransmittedelectroni which arespeciallyprotectedagainstunauthorizedaccess,shallbeliabletoimprisonmentforatermnotexceeding (1) 71 attacks intheyear 2000alonewas estimated to amount to someUS$17billion. 80 79 technology/2693925.stm. 78 Theft andBeyond”,page21et seqq.-availableat:http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf. 77 antivirus/SciPapers/White/VB95/vb95.distrib.html. 76 further details,see:http://en.wikipedia.org/wiki/Computer_virus. Threat Report”, see Cashell/Jackson/Jickling/Webel Viruses”; “Computer virus. computer a is the interference data on of example depend common One all which administrations, and businesses users, integrity and availability of data. privateLack of access to data can result for in considerable (often financial) damage. vital are data Computer system. computer the on stored information obtain illegally to authorization the abused then and problem) computer a fix to ordered was s/he because (e.g., system computer a access offenders whereto authorized were cases relevantin especially provisionsis such of implementationThe PenalGerman Code. the of 202(a) § of version previous the is example An secrets. economic contain not do they if even data, (2) Other countries have adopted a broader approach and criminalized the act of obtaining storednot onlycovers data espionage, butotherways ofobtainingsecret information aswell.computer information is obtained - an example is secret 18 specific U.S.C.where only § espionage, data 1831, criminalize that and approach criminalize narrow economica follow espionage.countries Some (1) This provision datacriminalizing espionage. Thereby are two mainapproaches: measures technical through available is that protection the extend to decided have countries Some number of computer viruses has recently risen significantly. risen recently has viruses computer of number cally ormagneticallyinanyformnotdirectlyvisible. of infected computer systems. The computer worm SQL Slammer number the increased vastly and infection virus acceleratedmassively have distribution of methods new

Any personwhoobtainswithoutauthorization,forhimselforanother, datawhicharenotmeantforhimand A computervirusissoftwarethat abletoreplicateitselfandinfectacomputer, withoutthepermission Formoreinformation,seeoftheforthcomingGuidetoUnderstanding CybercrimetobepublishedbyITU-D. SeeinthiscontextforexamplerecentcasesHongKong. Section202a.DataEspionage: Oneofthefirstcomputerviruswascalled(c)Brainand createdbyBasitand http://en.wikipedia.org/wiki/SQL_slammer_%28computer_worm%29. SeeBBCNews,“Virus-like attackhitswebtraffic”, Regardingthevariousinstallation processes,see:“TheCrimewareLandscape:Malware, Phishing,Identity White/Kephart/Chess Cashell/Jackson/Jickling/Webel Adleman Viruses - Trends forJuly-December2006– available at:http://eval.symantec.com/mktginfo/enterprise/white_pa , “An Theory andExperiments”–availableat: 71 Abstract 73 , Computer Theory ofComputer , “TheEconomicImpactofCyber-Attacks”, page12; Symantec “InternetSecurity , “TheEconomic ImpactofCyber-Attacks”, page12. Viruses: Spafford A GlobalPerspective–available at:http://www.research.ibm.com/ , “TheInternet Viruses”. Regardingtheeconomic impact ofcomputerviruses, 25.01.2003,availableat:http://news.bbc.co.uk/2/hi/ http://all.net/books/virus/index.htm Worm Program: 76 While in the early days, computer viruses computer days, early the in While 79 78 74 The financial damage caused by virus by caused damage financial The was estimated to have infected 75,000

Ever since computer technology was technology computer since Ever An Analysis”, page3; 80 Amjad Farooq The previousversionofthe

72 Since permission has permission Since l. Cohen,“Computer 77 Theseefficient Alvi. For Cohen, 75 The - - 32 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex objects againstintentionalobjects damage. tangible by enjoyed those to similar protection with programmes computer and data computer provide against well-knowncompanies, includingCNN,ebay andAmazon. news, booking flights or downloading files. In 2000, within a short time,the reading several emails, DoS attacks checking wereit, launched accessing from users offendersprevent and handle,system computer the can down close system can computer the than requests more with system computer a targeting By Sundaram/Zamboni services. intotaking account attacks against critical infrastructures such as power supplies and telecommunication terrorism”scenarios “cyberpossible discussing currently are world the around Experts targets. only the 1.6.1.5. System interference the Internetas a toolforinfluencingforeign policy“,in csis.org/media/csis/pubs/020106_cyberterror_cybersecurity.pdf; csis.org/media/csis/pubs/050401_internetandterrorism.pdf; 88 Evidence FromtheStockMarket”, JournalofComputerSecurity, Campbell/Gordon/Loeb/Zhou 87 Offence?”, page4,availableat:http://www.projects.ncassr.org/hackback/ethics00.pdf. companies andthedatesofattacks,see: documents/0817999825_1.pdf. “The 86 tacks”, availableat:http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html; us-cert.gov/cas/tips/ST04-015.html; 85 rity, Announced InformationSecurityBreaches:EmpiricalEvidence FromtheStockMarket”,JournalofComputerSecu 84 83 82 cases whicharenotminor”. against InformationSystems: 81 Attacks like these can cause serious financial losses and affect even powerful systems. Legal Solutions operating smoothly, this can result in great financial loss for victims. from systems computer preventing in succeed offenders If accessibility. worldwide and availability hour businesses have incorporated Internet services into their production processes, to reap the benefits of 24- systems.Morecomputer against attacks to apply data computer against attacksover concerns same The interference. unauthorized Conventionthe 4, against dataCybercrime of on provisionintegrity Article a the protects thatincludes In Legal solutions of Service (DoS) attacks. A DoS attack makes computer resources unavailable to their intended users. intended their to unavailable resources computer makes attack DoS A attacks. (DoS) Service of computer dataonaninformationsystemispunishableasacriminaloffence whencommittedwithoutright,atleastfor ures toensurethattheintentionaldeletion,damaging,deterioration,alteration,suppressionorrenderinginaccessible of

(2) A Party may reserve the right to require that the conduct described in paragraph 1 result in result 1 paragraph in described conduct harm. serious the that require to right the reserve may Party A (2) deterioration, alteration orsuppression ofcomputer data withoutright. deletion, damaging, the intentionally, committed when law, domestic its under offences criminal as establish to necessary be may as measures other and legislative such adopt shall Party Each (1) 4– Article Vol. 11, page431-448. Transnational DimensionofCyber Crimeand RelatedtoCyberterrorismsee below:xxxand Regardingthepossiblefinancial consequencesoflackavailabilityInternetservices duetoattack,see: SeeSofaer/Goodman,“CyberCrimeandSecurity– Formoreinformation,see:US-CERT, “UnderstandingDenial-of-Service Rethepossiblefinancialconsequences,see: Formoreinformation,seeoftheforthcomingGuidetoUnderstandingCybercrimebepublishedbyITU-D. ExplanatoryReporttotheCouncilofEuropeConventiononCybercrimeNo.60. A 88 similarapproachto T poet ces f prtr ad sr t IT, h Cneto o Cbrrm icue a includes Cybercrime on Convention the ICTs, to users and operators of access protect To Data interference , “AnalysisofaDenialService , “TheEconomicCostofPublicly Article 4-Illegaldatainterference:“EachMemberStateshalltakethenecessarymeas 81 83 Art. 4ConventiononCybercrimeisfoundintheEUFrameworkDecision The attackstookplacebetween07.02.2000and09.02.2000. Forafulllistofattacked This provision aims to fill gaps existing in some national penal laws and to and laws penal national some in existing gaps fill to aims provision This Paxson 82 , “An Yurcik, “Information Warfare Survivability:IstheBestDefenseaGood Analysis ofUsingReflectors forDistributedDenial-of-Service Terrorism”, 2001,page14,availableat:http://media.hoover.org/ Attack on Campbell/Gordon/Loeb/Zhou Arquilla/Ronfeld Lewis Lewis The , “TheInternetand Announced InformationSecurity Breaches:Empirical TCP”. Denning, “Activism,hacktivism, andcyberterrorism: , “Cyber-terrorism andCybersecurity”; http://www. Vol. 11, page431-448. Transnational Dimension”,inSofaer/Goodman, t, Networks& Netwars: The Futureof Terror, 84 86 One example of such attacks is Denial Terrorism”, availableat:http://www. Attacks”, availableat:http://www. , “TheEconomicCostofPublicly Schuba/Krsul/Kuhn/Spafford/ 87 Businesses are not Attacks At - - - 85

33 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex attacks onthepublicandprivate information critical infrastructure ofaState. Estonia. organizationsISPsin news and as Estonia,were organized attacksThefromoutside targetedand coordinated massive 2007, May were websitescyber-attacks against launched government, the of banks, telecommunication companies, 18 to 27 April 27 From infrastructure. information critical contain that The potential threat of massive and coordinated attacks in cyberspace may focus on systems and networks 1.6.1.6. Attacks information againstcritical infrastructure (Aggravation orseparate offence) 1.6.2.1. ChildPornography 1.6.2. Content-related offences 91 several international legalinitiatives including: organizations have been engaged in the fight against online child pornography for some time, some for pornography child online against fight the in engaged been have organizations broadly is pornography child content, condemned and illegal offences constitutes related to what child pornography on are views widely recognizeddiffering aswidely criminal acts.to International contrast In html. 93 july-22-01-1-e.asp. 92 D.,the published- foreign countries”.Source: media companieslimitedthe commenting inmediaportalsandwhenitwasnotpossible toaccesswebpagesfrom company websites,e.g.DDoSagainstwebserversandcomment spamagainstmediaportals. There wereperiods for accessingInternetbankingservicesfromforeigncountries. Severalattackswerealsoundertakenagainstmedia Internet bankingserviceswereunavailableforonehourand thirtyminutes.Forseveraldays,restrictionswereapplied DDoS attacksagainsttwoofEstonia’s biggestbanksstarted.Forone ofthemtheattacklastedforalmosttwodaysand Cyber-attacks (mostlyDDoS)continuedalsoagainstgovernmentorganizations web servers.From10May2007, successful foraveryshorttime–lessthan5minutes-ofinterruptions inthedatacommunicationbackbonenetwork. data communicationnetworkbackboneroutersandattacks againstDNSservers.SomeoftheseDDoSattackswere attacks appeared.MostdangerouswereDDoSagainst someofthecriticalinfrastructurecomponents–against and Estoniannewsportals.InphaseII,muchmoresophisticated, massive(useoflarger botnets) andcoordinated lows: “InphaseI,mostoftheattackswererelativelysimple DoSattacksagainstgovernmentorganizations webservers 90 crime, No.65. being abletohavethemfunctionproperly. SeetheExplanatoryReporttoCouncilofEurope Conventionon Cyber 89 ism, Page221–249. reviews/93/60/7b15d8093cbebb505ecc3b4ef976.pdf. treatment of“cyberterror”indomesticlawindividualstates,2007,availableat:www.legislationline.org/upload/ law rorism: Immediate com/avcenter/reference/cyberterrorism.pdf; US-NationalResearchCouncil,“Information Technology forCounterter 111 etseqq.; et seqq;USDepartmentofState,“PatternGlobal ch8.pdf; Embar-Seddon Crime, andMilitancy, page239etseqq.,availableat:http://www.rand.org/pubs/monograph_reports/MR1382/MR1382. theintentional 5criminalizing provision ofthelawful hindering useofcomputer inArticle systems.

ihu rgt f h fntoig f cmue sse b iptig tasitn, damaging, transmitting, inputting, by system computer a deleting, deteriorating, altering orsuppressing computer of data. functioning hindering the serious the of right intentionally, when committed without law, as domestic establish its to necessary under be offences may criminal as measures other and legislative such adopt shall Party Each 5–System interferenceArticle - - the 2003 EU Council Framework Decision on combating the sexual exploitation of children and children of exploitation sexual the combating on Decision Framework Council EU 2003 the UNConvention ontheRightofChild, See,forexample,the“G8Communiqué”, GenoaSummit,2001,availableat:http://www.g8.gc.ca/genoa/ Formoreinformation,seeof theforthcomingGuidetoUnderstandingCybercrimebe publishedbyITU- The protected legal interest is the interest of operators as well as users of computer or communication systems Child Prostitution, andChildPornography the 1989 UN Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, The attacksagainstEstoniaweredescribedby Lake, 6Nightmares,2000,page33etseqq; Actions andFuturePossibilities”,2003,page11 etseqq.OSCE/ODIHR Commentsonlegislative , “Cyberterrorism, http:/ 91

/ meridian2006.org/downloads/newsletter_vol2_no1.pdf. Are We UnderSiege?”, A/RES/44/25 – availableat:http://www.hrweb.org/legal/child. Terrorism, 2000”,in:Prados, Sofaer, The Transnational Dimensionof Cybercrimeand Terror Toomas 93 Gordon ; Viira, fromtheEstonianInformatics Centerasfol , “Cyberterrorism”,availableat:http://www.symantec. American BehavioralScientist, America Confronts 90

Vol. 45page1033 Terrorism, 2002, 92 89 with

- - - - 34 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 100 able at:http://www.icmec.org/en_X1/pdf/ModelLegislationFINAL.pdf. 99 com/en_US/publications/NC144.pdf. ings FromtheNationalJuvenile Online 98 en_US/publications/NC144.pdf. ings FromtheNationalJuvenile Online 97 gov/mime/open.pdf?Item=1729. see: Wortley/Smallbone 96 CETS No:201,availableat:http://conventions.coe.int. 95 2004/68/JHA, availableat:http://eur-lex.europa.eu/LexUriServ/site/en/oj/2004/l_013/l_01320040120en00440048.pdf. 94 exploitation, sexual against children of protection the toregard with framework legal the harmonize improveand further to order In Legal solutions pornography. child exchange and communicate to offenders the by used is Internet The 21% had pictures depicting violence. depicting 21% hadpictures between 6-12 years on their computer their on years 6-12 between aged children of pictures had 80% computer; their on pictures 1,000 than more had possession their in of pornographyInternet-related child with people arrested behavior of 15% that shows pornographyoffenders child the into Research archives. picture and movies of exchange the supported has bandwidth pornography.

d. ande, and2,sub-paragraphs b. andc. sub-paragraphs 1, paragraphs part, in or whole apply,in to not right the reserve may Party Each 4) of age. may, AParty however, require whichshallbenotlessthan16years. alower age-limit, 3) For the purpose of paragraph 2 above, the term “minor” shall include all persons less than 18 years material that visuallydepicts: above,paragraphterm1 of Forthe (2) purpose the “childpornography” pornographic include shall following conduct: offencesas criminal underitsdomesticlaw, when committed intentionallyright, andwithout the shalladoptsuchlegislative(1) EachParty to andothermeasures establish asmay benecessary 9–Offences relatedArticle to childpornography

- ExplanatoryReport totheCouncilofEurope ConventiononCybercrime No.91. Formoreinformation, see“ChildPornography: ModelLegislation&Global Review”,2006,page2, avail See: See: CouncilofEuropeConventionontheProtectionChildren againstSexualExploitationand CouncilFrameworkDecisiononcombatingthesexualexploitation ofchildrenandchildpornography, and sexual abuse, amongothers. child pornography and the 2007 Council of Europe Convention on the protection of children against sexual exploitation c) realistic imagesrepresenting aminorengagedinsexually explicit conduct. tob) apersonappearing beaminorengagedinsexually explicit conduct; a) aminorengagedinsexually explicit conduct; storage computer-data a on or system computer a medium. in pornography child possessing e) d) procuring childpornography through acomputer system for oneselforfor anotherperson; ortransmittingc) distributing childpornography through acomputer system; computer a through b) offeringavailable childpornography ormaking through a computer system; distribution its of purpose the system; for pornography child producing a) Sieber Wolak/ Finkelhor/Mitchell Wolak/ Finkelhor/Mitchell , “CouncilofEuropeOrganised CrimeReport2004”, page135.Regardingthemeansofdistribution, , ChildPornographyontheInternet,page10et.seqq.-available at:http://www.cops.usdoj. 94 ; 100 h Cneto o Cbrrm icue a atce drsig child addressing article an includes Cybercrime on Convention the Victimization Study”,2005,page5–availableat:http://www.missingkids. Victimization Study”,2005,page5,availableat:http://www.missingkids.com/ , “Child-PornographyPossessors , “Child-PornographyPossessors 99 97 ; 19% had pictures of children younger than the age of 3 of age the than younger children of pictures had 19% ; 95 Arrested inInternet-RelatedCrimes: Find Arrested inInternet-RelatedCrimes:Find 96 An increase in increase An Abuse, 98 ; and ; - - - 35 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 103 raphy-statistics.html. pornography. provision criminalizing the distribution of pornographic material, except for the provision relating to child a contain not does Cybercrime on Convention minors). The as (such groups specific on focusing without thousand Egyptian pounds,oreitherpenalty. than sixmonths, andafinenotlessthanfive hundredthousandEgyptian pounds, andnotexceedingseven hundred cally processed picturesordrawingsthatare publiclyimmoral,shallbepunished withdetentionfora period notless Sec. 37: Whoever makes,imitates,obtains,orpossesses, for thepurposeofdistribution,publishing,ortrade,electroni bating CrimesofInformation” (Egypt): 106 rfm/2007/07/25667_918_en.pdf. ternet FreedomandRegulation intheOSCERegion”,page150,availableat:http://www.osce.org/publications/ 105 1. offers, givesormakesthemaccessibletoapersonundereighteenyearsofage;[…]. (1) Whoever, inrelationtopornographicwritings(Section11 subsection(3)): 184 DisseminationofPornographic 104 nography Statistics”,http://internet-filter-review.toptenreviews.com/internet-pornography-statistics.html. 102 D.,thepublished -D 101 time. any at Internet Recent researchInternet. has identified the as many over as 4.2 distributed million pornographic commercially websites that be may be to available content over the first the among was content Sexually-related pornography unavailable16.2.2. Making to minors access to this kind of material, the exchange of pornographic material among adults and limit criminalization to cases where minors seek Different countries criminalize erotic and pornographic material to differentextents. Some countries permit Legal solutions file-sharing systems file-sharing are useful. are

See OneexampleofthisapproachcanbefoundinSec.184German CriminalCode(Strafgesetzbuch):Section Formoreinformation,seeoftheforthcomingGuidetoUnderstanding CybercrimetobepublishedbyITU- Oneexampleisthe2006Draft Law, “RegulatingtheprotectionofElectronic DataandInformationCom About athirdofallfilesdownloadedinfile-sharingsystems containedpornography. Ropelato 105 Sieber Other countries criminalize any exchange of pornographic material even among adults, among even material pornographic of exchange any criminalize countries Other , “InternetPornographyStatistics”-http://internet-filter-review.toptenreviews.com/internet-pornog , “ProtectingMinorsontheInternet: 103 102 andchat-rooms. Besides websites, pornographic material can for example be distributed through distributed be example for can material pornographic websites, Besides 104 Writings: seeking to protect minors. For these countries, “adult verification systems” An ExamplefromGermany”,in“GoverningtheIn 101 Ropelato , “InternetPor - - 106 - - -

36 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 112 com.au/news/security/2006-the-year-we-were-spammed-a-lot/2006/12/18/1166290467781.htm1 available April 2007. smh.com.au/news/security/2006-the-year-we-were-spammed-a-lot/2006/12/18/1166290467781.htm http://www.smh. Korea (6.5percent). emails in2007were: theUS(19.6percent oftherecorded total); China(8.4percent); andtheRep. of email was sent in1978, for butfrequentlyadvertisements andservices, products alsomalicioussoftware. Since thefirstspam most common sendoutmillionsofemails oneisemailspam.Offenders to users, often containing organizations report thatorganizations asmany report as85-90percent ofallemailsare spam. 2007, No.6,page 12–availableonline:http://www.wipo.int/wipo_magazine/en/pdf/2007/wipo_pub_121_2007_06. 116 115 114 fies sanction,administrativeor criminal,undertheirlaw”. system shouldbehindered– partially ortotally, temporarily orpermanently–toreachthethresholdofharmthatjusti or otherwisesubjecttosanction. different approachtohindranceundertheirlaw, e.g.bymaking particular actsofinterferenceadministrativeoffences be criminalisedwherethecommunicationisintentionally and seriouslyhindered.Nevertheless,Partiesmayhavea in large quantitiesorwithahighfrequency(“spamming”). Intheopinionofdrafters,suchconductshouldonly email, for commercial or otherpurposes,maycause nuisance to itsrecipient, in particular when suchmessagesare sent 113 articles/2007/07/dirtydozjul07.html. Article in fies upto40%spamemails–seehttp://spam-filter-review.toptenreviews.com/spam-statistics.html. 2007 thatidentifiesupto75percentspamemail–seehttp://www.postini.com/stats/. See: http://www.maawg.org/about/FINAL_4Q2005_Metrics_Report.pdf 110 html. 109 at: http://www.itu.int/osg/spu/spam/legislation/Background_Paper_ITU_Bueti_Survey.pdf. 108 D.,thepublished -D 107 “Spam” theemissionofunsolicited describes bulkmessages. 1.6.2.3. Spam h Cneto o Cbrrm de nt xlcty rmnlz sa.Te rfes ugse ta the that suggested drafters communication. of intentionalhindering and serious to limited be should The acts these of criminalization spam. criminalize explicitly not does Cybercrime on Convention The Legal Solutions virtual currency to any real-world currency.real-worldany to currency virtual The revenues from those activities do not necessary need to remain virtual – it is possible to exchange the Online games are currently very popular. Registered users can create a 3D-character virtual 1.6.2.4. Onlinegames 18 U.S.C. §1037. is example one – approach different a followtherefore countries of number A prosecuted. be not could systems. Spam emails influencing the effectiveness of commerce, but not necessarily the computer system, spam to those cases where the spam emails have a serious influence on the processing power of computer unlawful interference with computer networks and systems only, which would limit the criminalization of Based on the legal approach of the Convention on Cybercrime, the fight against spam could be based on This approach does not focus on unsolicited emails, but on the effects on a computer system or network. currencies can support the development of an economy and businesses offering virtual objects for sale. character to move through a world,virtual communicate with other users or create objects. virtual Virtual 111 2007.pdf. able at:http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session2-sunner-C5-meeting-14-may-

Those objects rangefromclothesfortheavatars toentirevirtualbuildings. The charactersarecalledavatar. ExplanatoryReporttotheCouncilofEuropeConvention on CybercrimeNo.69:“Thesendingofunsolicited “2007SophosReportonSpam-relayingcountries”,available at:http://www.sophos.com/pressoffice/news/ Regardingthedevelopmentofspamemails,see: Foramoreprecisedefinition,see:ITUSurveyon Formoreinformation,seeoftheforthcomingGuidetoUnderstandingCybercrimebepublishedbyITU- The Messaging Tempelton See SecondLife –BrandPromotionandUnauthorised The SydneyMorningHerald,“2006: 107 , “ReactiontotheDECSpamof1978”,availableat:http://www.templetons.com/brad/spamreact. 112

Anti-Abuse 109 thetideofspamemailshasincreased dramatically. The textleavesittotheParties todeterminetheextentwhichfunctioningof Working Groupreportedin2005thatupto85percentofallemailswerespam. The yearwewerespammedalot”,16December2006; 116 Recent reports show that some games have been used to used been have games some that show reports Recent Sunner Anti-Spam legislationworldwide2005,page5,available Trademark Usein , “SecurityLandscapeUpdate2007”,page3,avail 108 Although variousscamsexist, the The providerpostinipublishedareportin Virtual 111 The Spam-Filter-Review identi The mainsources ofspam 110 Today, emailprovider Worlds,

WIPO magazine, 114 http://www. and use this - - 113 115 -

37 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex More sophisticated tools cost several thousand dollars 1.6.3.1. Misuse ofdevises 1.6.3.1. Misuse 1.6.3. Criminalization ofpreparatoryacts additioncopyright 4.In laws mayArticle beapplicableinsomecases. of information describing the object. These acts can in general be covered cybercrime-related classic by the legislation. on the Obtaining based Conventiona difficult, more virtual on is object objects Cybercrime,without virtual right obtaining in illegally generalof act requires the the of criminalization manipulation The childpornography). (as virtual enables the prosecution of users that animate 3D characters representing minors in a sexually-related way even 2(c) paragraph 9, Article 9. Cybercrime,Article Conventionon the coveredby example for is games online those in pornography child containing files of Exchange way. this covered be can offences most legal new a developing of instead provisions, worlds.framework legislation, for on Depending the in statusvirtual of their activities cybercrime-related existing of application the on focusing are states most Discussions on how to address criminal activities related to online games have only just started. Currently, Legal Solutions commit including crimes Types, Methods, 124 d03837.pdf. Sieber Internet PaymentSystem”,GAO 2003,page3,availableat:http://www.globalsecurity.org/security/library/report/gao/ resource/WebsenseSecurityLabs20042H_Report.pdf; “InformationSecurity-ComputerControls over Key 123 122 121 urges-real-life-treatment-for-virtual-cash/. life treatmentforvirtualcash”,14.05.2007,–availableat: http://secondlife.reuters.com/stories/2007/05/14/uk-panel- at: http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/05/13/nternet13.xml; 120 pdf. 2007, No.6,page13–availableonline:http://www.wipo.int/wipo_magazine/en/pdf/2007/wipo_pub_121_2007_06. 119 08.05.2007 –availableat:http://www.dw-world.de/dw/article/0,2144,2481582,00.html. co.uk/1/hi/technology/6638331.stm; DW-World News,Germanprosecutorpursue childpornographyinsecondlife, 118 04.01.2007, page19. 117 pdf. tools needed to commit complex offences are widely available overInternet the The tools. software a specialist from using committed out be can carried offences sophisticated be More café. can Internet public and access Internet and computer a than more nothing needs or fraud libel online as such offences Committing equipment. basic fairly only using committed be can Cybercrime accompanies extensive forward displacement of criminal liability – is limited only to the most serious serious most the to only limited is – liability criminal of displacement forward extensive accompanies usually which – criminalization offence”. this general, an In of the “attemptto addition in tools, these of production and preparation the criminalizing provisions some have systems law criminal national Most Legal solutions other computer systems at thepress ofabutton.

• • • • • SeeSecondLife–BrandPromotionandUnauthorised SeeforexampleBBCNews,09.05.2007SecondLife‘child abuse’ SeeHeiseNews,15.11.2006, -availableat: http://www.heise.de/newsticker/meldung/81088; DIEZEIT, Foranoverview aboutthetoolsused,seeEaly, “A “Websense Security See: See Gambling inonlinecasinos; Gambling Fraud; withoutright; objects Obtaining virtual Copyright and Trademark violations; Exchange andpresentation ofchildpornography; Leapman Tamage, CriminalityontheInternet,2007, availableat:http://ssrn.com/abstract=996556. 120 Tools, andPrevention”,available at:http://www.212cafe.com/download/e-book/A.pdf. , CouncilofEurope “Organised Crime Report2004”,page143. , “SecondLifeworldmaybehavenforterrorists”,Sunday 122 117 Trends Report2004”,page11, availableat:http://www.websense.com/securitylabs/ : 121 119 NewEvolution inHack . 124

Trademark Usein Using these software tools, offenders can attack 118 claim,availableat:http://news.bbc. Telegraph, 14.05.2007, –available Virtual Attacks: Reuters, “UKpanelurges real- Worlds, , 123 A

often withoutcharge.often GeneralOverview of WIPO magazine, Treasury 38 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex but the basic elements are similar ways, different in out carried be can theft Identity numbers). security social or tax information, account 1.6.3.2. Identity theft 1.6.3.2. Identity Identity Identity theft is a serious and growing problem. victims’ numbers. socialsecurity using accounts new open or victims’accountsfrom transfers online make information, victims’ passport using services for register information, card credit with goods purchase can offenders data, personal got (for example, keyloggers distributed by spam emails and installed on victims’ computers). After they have availability ofcomputer 6: systems ordata inArticle and integrity confidentiality, the against offences committing of purposes the for misused be to data to access or devices certain regarding acts illegal Cybercrime specific for on offence Convention criminal independent the an established of drafters the initiatives, Europe of Council other account into Taking to offences. lessserious acts preparatory forhowever, criminalization legislation, the EU extend In to crimes.tendencies are there 130 theft.pdf; Insurance Corporation,2004, page4–availableat:http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_ 128 127 sions insomecountries”. November 1998onthelegalprotectionofservicesbasedon, orconsistingof,conditionalaccess)andrelevantprovi cess –ETSN°178)andtheEuropeanUnion(Directive98/84/EC oftheEuropeanParliamentandCouncil20 Council ofEurope(EuropeanConventiononthelegalprotection ofservicesbasedon,orconsistingof,conditionalac commission ofoffences under Articles 2–5.Inthisrespect theprovisionbuildsuponrecentdevelopmentsinside more effectively, thecriminallawshould prohibitspecificpotentiallydangerousactsatthesource,preceding 126 125 offenders enabling targets from information personal fraud as gathering such crimes of commit to act the describes theft Identity 129 nal/cybercrime/usamarch2001_3.htm. computer system. a of protection or testing authorized the for as such Convention, this of 5 through 2 Articles with paragraph 1 of this article is not for the purpose of committing an offence established in accordance sale, production, the where procurement forliability use, import, distribution or making otherwise available criminal or possession referred to imposing in as interpreted be not shall article This (2) eevto de nt ocr te ae dsrbto o ohrie aig vial o te items the of available making otherwise referred or to inparagraph 1(a)(ii) ofthisarticle. distribution sale, the concern not does reservation (3) offencescriminal underitsdomesticlaw, when committed intentionallyright: andwithout as establish to necessary be may as measures other and legislative such adopt shall Party Each (1) ofDevices 6–Misuse Article

Party may require by law that a number of such items be possessed before criminal liability liability attaches. criminal before possessed be items such of number a that law by require may Party Articles in established offences the of any committing of purpose the for used Formoreinformation, seeoftheforthcoming GuidetoUnderstandingCybercrime tobepublishedby ITU-D. SeeKoops,Leenes, Identity Regardingthevariousdefinitions, see:“PuttinganEndto Formoreinformation,seeof theforthcomingGuidetoUnderstandingCybercrimebe publishedbyITU-D. ExplanatoryReporttotheCouncilofEuropeConvention on CybercrimeNo.71:“To combatsuch dangers OneexampleistheEUFrameworkDecision Each Party may reserve the right not to apply paragraph 1 of this article, provided that the that provided article, this of 1 paragraph apply to not right the reserve may Party Each be it that intent with above, ii or i a) paragraphs in to referred item an of possession the (b) of: (a) the production, sale, procurement for use, import, distribution or otherwise making available Hoar , „“Identity in Articles 2through 5;and in Articles with intent that it be used for the purpose of committing any of the offences established a computer system iscapableofbeingaccessed, (ii) a computer password, access code, or similar data by which the whole or any of part 2through 5; Articles the for above primarily the with accordance in adapted established offences the of or any committing of purpose designed program, computer a including device, a (i) 127 125 Theft: The CrimeoftheNewMillennium”, 2001,availableat:http://www.usdoj.gov/crimi 128 129 Theft, “Identity Fraudand/orIdentity-related Crime”,DUD2006,553et seqq. (for example, credit card information, passport or ID numbers, bank numbers, ID or passport information, card credit example, (for - offenders first gather personal information using malicious software 130 ABl. EGNr. L Recent figures show that, in the first half of 2004, 3 % of 126 Account-Hijacking Identity 149,2.6.2001. Theft”, FederalDeposit 2 through 5. A 5. through 2 - - - 39 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex in all EU Member States. Member EU all in criminalized been yet not has theft identity that statedrecently Union European the of Commission The Legal solutions bad experiences. customers’ publicize to wish not do often institutions financial while crimes, such report not may victims shortly commence consultations to assess whether such legislation is appropriate. is legislation such whether assess to consultations commence shortly States” Member all in will criminalized it that announcedtheft and were identity served, better be would 134 able at:https://www.prime-project.eu/community/furtherreading/studies/IDTheftFIN.pdf. US households fell victim to identity theft. identity to fellvictim households US No.3, 2007. reading/studies/IDTheftFIN.pdf; “Legislative “Identity 137 criminal/cybercrime/usamarch2001_3.htm. 136 Regions towardsageneralpolicy onthefightagainstcybercrime,COM(2007)267. 135 Regions towardsageneralpolicyonthefightagainstcybercrime, COM(2007)267. 133 www.idtheft.gov/reports/StrategicPlan.pdf. 132 131 fraud. computer as such acts criminal further of perpetration preparationand the in used often is theft Identify Cybercrime doesnotcontain theft. aprovision ofidentity allaspects criminalizing oe cs eg, optr ru) Nvrhls, oe onre hv ciiaie iett tet s a as theft identity criminalized have offence, countries individual specific some Nevertheless, fraud). computer (e.g., acts some normally considerednormally asillegalaccess to computer systems andillegallyobtaininginformation. is estimatedIt that at least 75% of phishing incidents are out carried through botnets. accessIndividual is botnets. of use the through out carried be may phishing of information.type financial This and personal victim’sthe to and computer the to access subsequent perpetrator the allows computer,that their onto 2. Phishing may also be achieved by deceiving the victim into unwittingly downloading malicious software asaviolation ofspecialanti-spam conduct legislations.also beacriminal may it spamming, through out carried is phishing When services. or goods money, obtain fraudulently be then may victim The websites. company to used real be with will phisher later that the “updated”provide information, to to financial lured and personal links live and logo a with Center, Billing the appears be what to to victim the take may email the in link A cancelled. be would account the respond, not does center”consumer the “billing or if that “accountwarnings department”.contain often may text The are accurately copied, possibly the making conduct criminal as forgery. Emails may appear to be from the graphics and text website information, identification and logos Company legal. be to appear to order in The email or websites are designed to impersonate well-known institutions, often using spam techniques agencies. government or company insurance banks, by maintained websites legitimate the to identical from a legitimateoriginate organization or company.to pretending Victims may be messages, lured to counterfeit or email fake websites that look false of transmission the on based is method phishing One 1. usernames, passwords, personalorfinancialinformation). The mainmethodsinclude: In cyberspace, phishing is one of the main methods of illegally obtaining sensitive information (including 1.6.3.3. Phishing andotherpreparatoryacts § 1028A. offences. Approaches to the later criminalization of identity out theft can be foundcarry to in 18 on U.S.C. § 1028go and 18 U.S.C. if they offenders, identifying in difficulties avoid could theft) (identity act initial that follow it. Offenders can use the identities thus obtained to hide their own identity. Prosecution of the dollars.

136 132 Foranoverviewofidentitytheft legislationinEurope,see: SeeHoar, “Identity CommunicationfromtheCommission totheEuropeanParliament,Counciland Committeeofthe CommunicationfromtheCommissiontoEuropeanParliament, theCouncilandCommitteeof See: USBureauofJusticeStatistics,2004,availableathttp://www.ojp.usdoj.gov/bjs/pub/pdf/it04.pdf. Even is not criminalized in all countries, theft if identity law enforcement agencies can prosecute Theft – The President’s Identity Losses may be not only financial, but may also include damage to reputations. Mitchison/Wilikens/Breitenbach/Urry/Poresi, A discussionpaper”, page23et.seqq.,available at:https://www.prime-project.eu/community/further 134 Theft, 137 The Commission expressed its view “that EU law enforcement cooperation enforcement law EU “that view its expressed Commission The since it is often easier to prove the crime of identity theft than the crimes crimes the than theft identity of crime the prove to easier often is it since Theft The CrimeoftheNewMillennium, 2001”,availableat:http://www.usdoj.gov/ Task Force, “CombatingIdentity Approaches 131 Identity theft fraud causes losses in the region of billions of billions regionof the in losses causes fraud theft Identity To Identity “Identity Mitchison/Wilikens/Breitenbach/Urry/Portesi Theft – Theft: Theft”, 2007,Page11, availableat:http:// An Overview”, CIPPIC A discussionpaper”,2004,page5,avail 135 The Conventionon The 133 Working Paper In reality, many , - - 40 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex any other information, to identify a specific individual. This section applies to both online and manual and online cases.crime both to applies section This individual. specific a identify to information, other any “Means of identification” is defined as any name or number that may be used, alone or in conjunction with 1998 andamendedin2004,states: in adopted was fraudulent (a)(7) § 1028 involving information. identification of conducts use unlawful the or of documents identification categories eight of criminalizes example an section as This used provisions. be could legal 1028 potential § U.S.C. 18 theft, identity to related are acts preparatory Where offence” to includeallcategories ofintentional preparatoryacts. Another alternative could betheexpansion ofthetraditional concept of “attempting to commit an separate offences thepreparatoryacts criminal inthemselvesMaking may beachieved as follows: crimes. computer other or data Chapter 23§2onpreparation for includes: crime to access illegal obtaining of purpose the for created solely programs was directed not only at crimes,ordinary but also at problems with computer viruses and other computer the penal code. It was especially emphasized that the introduction of a specific on article preparatory acts Sweden, wasIn on preparatory adoptedacts an in article 2001, in with conjunction other amendments in the making of example following offence: acriminal an acts as used be may crime preparatory on 22) (Section China of Code Penal The of categories cybercrime, orotherseparate solutions, may alsobeneeded. new certain only or cybercrime, only acts or offences, criminal preparatory of categories on all focusingto regard provisionswith separate independent establishing and covered, be not may cybercrime of categories Other (1)(ii). 6 Article in involvingoffencesdataaccess only or 2-5, Articles the in established of any committing of purpose the for used be to program computer a including device, a on Cybercrime’s Article 6. However, interpretation may be limited to preparatory acts of offences involving 4. The criminalization of preparatory acts in computer systems and networks is covered by the Convention information isillegallyobtainedaccess codes. othercases, In itmay notbecovered by codes. criminal the if especially offence, criminal a be may It information. of sale the in engage openly perpetrators the cases, such In services. and goods credit, money, obtain to used be and forum web closed a a or through website parties to third be provided could information financial or personal stolen of trafficking criminals. The other to information obtained illegally the transfer or sell purchase, also may Perpetrators 3. provided (b) ofthissection.” insubsection a violation ofFederal law, orthat constitutes afelony underany applicable, shallbepunishedas intent to commit, orto that with,any constitutes aidorabet, orinconnection unlawful activity possesses, oruses, withoutlawful authority, ameans ofidentification ofanotherpersonwiththe “Whoever, transfers, (7)knowingly (c)ofthissection inacircumstance insubsection described offences.” whencommitted intentionally,or network, to criminal shallbepunishedasapreparatoryact asatooldata for primarily ofcommitting offence thepurpose acriminal ina computer system available ofcomputer making possession,sale, production, orotherwise distribution “The involvement“Other withanything that isespeciallysuitableto beusedasatool inacrime.” preparation oftools to commit“The orcreation acrime; ofconditions to commit acrime” 41 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex forgery of tangible documents to fill gaps in criminal law that might not apply to electronically stored electronically to apply data. not might that law criminal in gaps fill to documents tangible of forgery traditional the to offence parallel a creates Cybercrime on Convention the data, electronic of reliability and security the protecting By documents. tangible of forgery the criminalize systems law criminal Most Legal solutions means for theiruse–for example, by legislation recognizing digital signatures. legal by supported is documents digital by documents classic of substitution prosecutions.The in often more used are and role important more ever an play documents digitalHowever, documents. tangible were documents legal most because rare, been have forgery computer-related involving prosecutions the advice and disclose information enabling offenders to make online transfers etc. transfers online make to offenders follow enabling victims information Many information. disclose sensitive and certain advice verify the and/or disclose to recipient asks email The the target. by used institutions financial legitimate from communications like look that emails out send offenders at: http://www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf. Consumer Fraud andIdentity Theft ComplaintData,January– December 2006,Federal Trade Commission, available 145 ITU-D. 144 transactions, whichrelieson the authenticityofinformationcontainedindata,issubject toadeception.” unauthorised creatingoraltering storeddatasothattheyacquireadifferent evidentiary valueinthecourseoflegal serious consequencesastraditional actsofforgery ifathirdpartyistherebymisled.Computer-related forgery involves does notapplytoelectronicallystoreddata.Manipulations ofsuchdatawithevidentiaryvaluemayhavethesame traditional forgery, whichrequiresvisualreadabilityofstatements,ordeclarations embodiedinadocumentandwhich is tocreateaparalleloffence totheforgery oftangibledocuments.Itaimsatfillinggapsincriminallawrelatedto 143 Attacks. 142 see Section1.6.2.3. that areinvolvedinspamalsophishingscams, astheyhaveaccesstospamdatabases.Regardingspam, 141 papers/NISR-WP-Phishing.pdf. sea ofInternetusers. 140 usdoj.gov/opa/report_on_phishing.pdf. and Emergency PreparednessCanadaandthe harvard.edu/~rachna/papers/why_phishing_works.pdf; “ReportonPhishing”, 139 D.,thepublished -D 138 Internet, the over crimes popular most the of one is Computer-relatedfraud emails includes emails “phishing” of falsification The email. manipulating or institution reliable a from originate to seems that document a creating by example, for - documents digital of manipulation the describes forgery Computer-related 1.6.4.1. Computer-related forgery 1.6.4. Computer-related offences 1.6.4.2. Computer-related fraud mann defraud, orsimilardishonestintent, before attaches. liability criminal whether ornotthedata readable isdirectly andintelligible. may AParty require anintent to intent that itbeconsidered uponfor oracted asifitwere legalpurposes authentic, regardless input, alteration, deletion,or suppression ofcomputer data, resulting ininauthentic data withthe offencescriminal underitsdomesticlaw, when committed intentionallyright, andwithout the shalladoptsuchlegislativeEach Party to andothermeasures establishas asmay benecessary 7–Computer-relatedArticle forgery

, “ThePhishingGuideUnderstanding&Preventing 143

Formoreinformation,aboutphishingscamssee “Phishing”scamsshowanumberofsimilaritiestospamemails. Itislikelythatthoseorganised crimegroups Regardingphishing,see Formoreinformation,seeoftheforthcomingGuidetoUnderstandingCybercrimebepublishedbyITU- In2006,theUS Federal Trade Commission receivednearly205,000 Internet-related fraudcomplaints. See Formoreinformation,seetheof theforthcomingGuidetoUnderstandingCybercrime bepublishedby The term“phishing”originallydescribedtheuseofemailsto“phish”forpasswordsandfinancialdatafroma Explanatory ReporttotheCouncilofEurope ConventiononCybercrime No81:“Thepurposeofthisarticle 141 The emailsare designed ina way that itisdifficult fortargets toidentify themasfakeemails. The useof“ph”linkedtopopularhackernamingconventions.See 139 , which seeks to make targets disclose personal/secret information. personal/secret disclose targets make to seeks which , Dhamija/Tygar/Hearst 144 138 Attorney GeneraloftheUnitedStates,2006,availableat:http://www. , “WhyPhishing The PhishingGuideUnderstanding&Preventing Attacks”, availableat:http://www.nextgenss.com/ Works”, availableat:http://people.seas. A ReporttotheMinisterofPublicSafety 145 Gercke, CR,2005,606;Oll- as it uses automation and automation uses it as 142 Previously, 140 Often, Often, 42 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Kaufmann Reich Fee FraudScamsin-countryandacrossborders,Cybercrime &Security, IF-1,page1.Formoreinformation,see: 148 net. 150 years orafine. false factsexist orbydistortingsuppressing truefacts,shallbepunished withimprisonmentfornot morethanfive of another, byprovoking oraffirmingamistakebypretendingthat (1) Section 263Fraud The provisiondoesnottherefore coverthemajorityofcomputer-related fraudcases: 149 response”, “ComputerLaw&SecurityReport”, http://www.aic.gov.au/publications/tandi/ti121.pdf; small sumofmoneyinthehopereceivingamuchlarger sumafterwards.Formoreinformation, see: 147 2006, Federal Trade Commission, availableat:http://www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf. amounts paidbetween0-25USDollarsSeeConsumerFraud andIdentity Theft ComplaintData,January–December 146 person. a of law falsity the criminal on national based are traditional provisions where especially difficult, be can cases Internet-related to provisions existing of application However, the offences. fraud criminalizing provisions contain laws national Most Legal solutions acts. small of number a from profits large make to offenders enables Automation criminals’identities. mask to tools software investigating such crimes. The most common fraud scams include Online Auction Fraud Auction Online include scams fraud common most Thecrimes. investigatingsuch and reporting in energy and time invest to likely a less limit.With are‘small’ certain victims a loss, below Fee Fraud. related fraud: processing which seeks to effect an illegal transfer of property by providing an Article regarding computer- provisions criminal addressing fraud donotcover computer traditional systems, anupdate ofthenational law isnecessary. If offender. the of act an to responds that system computer a fact in is it Whoever, with the intentofobtainingforhimselforathirdpersonanunlawful materialbenefit,damagestheassets for anotherperson. or oneself for benefit economic an right, without procuring, of intent dishonest or fraudulent with right,the without and to anotherpersonby: causing ofalossproperty intentionally when committed law, as domestic establish its to under necessary be offences may criminal as measures other and legislative such adopt shall Party Each 8–Computer-relatedArticle fraud

The Convention on Cybercrime seeks to criminalize any undue manipulation in the course of data of course the in manipulation undue any criminalize to seeks Cybercrime on Convention The , Advance FeeFraudScamsin-countryandacrossborders,Cybercrime&Security, IF-1,page1;Smith/Holmes/ ExplanatoryReport totheCouncilofEurope ConventiononCybercrime No86. OneexampleofthisisSection 263oftheGermanPenalCodethatrequiresfalsity aperson(mistake). The termauctionfrauddescribesfraudulentactivitiesinvolvingelectronicplatforms overtheInter In2006,nearly50%ofallfraudcomplaintsreportedtotheUSFederal b) any ofacomputer interference system, withthefunctioning a) any input, alteration, deletionorsuppression ofcomputer data; The term“advancefeefraud”describesoffences inwhichoffenders seektoconvince targets toadvancea , Nigerian 148 150

Advance FeeFraud,“Trends &IssuesinCrimeandCriminalJustice”,No.121,availableat: 146 One strategy used by offenders is to ensure that each victim’s financial loss is loss victim’sfinancial each that ensure to is offenders by used strategy One Volume 21,Issue3,237. Oriola, “AdvancefeefraudontheInternet:Nigeria’s regulatory 149 In many cases of fraud committed over the Internet, Internet, the over committed fraud of cases many In Trade Commissionwererelatedto 147 Reich and Advance and , Advance - 43 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Cybercrime, No. 160. implementation ofthepreservationmeasures inparticularcases.Seethe Explanatory ReporttotheConvention on order therecipient oftheordertopreserve data,asquickactionbythis personcanresultinthemore expeditious 154 User Data,DUD2002,577et seq. Cybercrime No.155.Regarding theidentificationofsuspectsbyIP-basedinvestigations, see: regarding thesepastcommunications isrequired”,See:ExplanatoryReporttotheCouncil ofEuropeConventionon of theperpetrators.Inorderto tracethesecommunicationssoastodeterminetheirsource ordestination,trafficdata 153 ITU-D. 152 www.conventions.coe.int. 151 oftraffic analysis the data, often requires cybercrimes have committed who offenders of identification The ofstored1.7.2. Expedited preservation computer data the rights, responsibilities andlegitimate interests ofthird parties. upon section this in procedures described powersand the of impact the consider also should State Each incorporated, be should proportionality of wherebypowernaturethe tothe procedure circumstances or and offence. the of proportional be should principle The rights. human international on instruments including required, are safeguards minimum and standards common Some liberties. and rights human of protection adequate the providefortorequire States 15 Article in procedurallaw on section the in for and preserving prosecution. The establishment, implementation and application of the collecting,powers and procedures provided for procedures and investigation cross-border efficient enable and to established be should powers, evidence electronic presenting procedural for rules on provisions Common on (Convention offences Cybercrime, 14). Article criminal of forms all to relating evidence electronic of collection the to apply also are proceduresoffences criminal other forprosecutioncommitted using computersystems, of the should and necessary and powers Such cybercrime. of infrastructure prosecution and information investigation against the for conduct essential is criminal of prosecution the for laws procedural Adopting 1.7.1. Generalprinciples gnis o ec qiky o vi eetoi eiec big eee drn lnty investigations. lengthy during deleted being evidence enforcement electronic law avoid enables to data quickly react computer to of agencies preservation expedited The data. certain of deletion the preventtoproviders service order can enforcementlawagencies legislation, preservation data on Based do not fail, simply because traffic data was deleted during the lengthy and complex investigation process. (the preservation data is approach One “quickfreezeprocedure”) prosecutions cybercrime thatensure to Law enforcement outinvestigations rapidly. agenciesneedto ableto very carry prove even may possible it to identifydata, offenderstraffic thatrelevant have usedthe publicto Internet terminalsaccess thathave do notagencies requireenforcement anlaw identification. as long As them. Such regulation 16oftheConvention canbefound inArticle onCybercrime: an order to besubsequently renewed. ninety days, to enable the competent authorities to seek its disclosure. A Party may of provide maximum for a such to up necessary, as long as time of period a for data computer that of integrity the such adopt legislative and other measures as may to be oblige necessary that person shall to preserve and maintain Party the control, or person’s possession the in data computer stored specified preserve to person a to order an of means by above 1 paragraph to effect gives Party a Where 2. loss ormodification. system,in specified computer to vulnerable ofparticularly a is data of computer the that believe means to grounds are by preservation there where particular been stored expeditious has the that data, obtain traffic including similarly data, computer or order to its enable to authorities necessary be competent may as measures other and legislative such adopt shall Party Each 1. of stored 16–Expedited preservation computerArticle data

153 especially the IP addresses used by offenders, which can help law enforcement agencies to trace to enforcement agencies law help can which offenders, by used addresses IP the especially However, itisrecommendedthatStatesconsiderthe establishmentofpowersandprocedurestoactually “Determiningthesourceordestinationofthesepastcommunications canassistinidentifyingtheidentity Formoreinformation,seetheoftheforthcomingGuideto UnderstandingCybercrimetobepublishedby Formoredetails,seethe 1.7. Measures inProcedural Law Convention onCybercrime 152 , ExplanatoryReportno.128-144,and149-239,see Gercke 151 , Preservationof 154

44 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 157 tion onCybercrime,No.167. cation inminor cases”. some flexibility inrelationtotheapplication ofthemeasure,forinstance, inmanyStatesordertoexclude itsappli order todisclose suchinformationhasbeen issued byjudicialauthorities. The proportionalityprinciple alsoprovides Parties maywishtolimitthe disclosure ofthisdataforlawenforcementpurposestosituations whereaproduction require thataproductionorder beissuedonlybyjudicialauthoritiesinordertoable to obtaincertaintypesofdata. required. Ontheotherhand,in somesituationsaPartymightrequire,orbemandatedby humanrightssafeguardsto a Partymightpermitlawenforcement agentstoissuesuchanorderwhereinothersituations acourtordercouldbe service providers.Forexample, withrespecttosometypesofdata,suchaspubliclyavailable subscriberinformation, submission ofparticulartypescomputerdataorsubscriber informationheldbyparticularcategoriesofpersonsor A paragraph 2ofthearticle,dependingondomesticlaw of eachParty, mayexcludeprivilegeddataorinformation. 158 D.,thepublished -D parts needstobeexaminedinorderidentifythesourceordestination”.SeeExplanatoryReportConven mine theactualsourceordestinationofcommunication.Eachpossessesonepartpuzzle,andeachthese 156 ITU-D. 155 for thedisclosure ofdata, authorities to react faster. The protection of the rights of suspects can be maintained by requiring an order is that itispossibleto specifydifferent conditions for theobligations to apply. This enablethe competent Convention.the of 18 Article in Theadvantageseparate of data disclose dataand obligations to preserve regulated is transfer to obligation data. The the transfer to providers commit not does but data, relevant the of deletion the prevent to agencies enforcement to law authorizes data only relevant provision the The authorities. transfer the to providers oblige not does Cybercrime on Convention the of 16 Article 1.7.4. Production order might notbeableto trace offenders, where more thanoneprovider isinvolved. necessary to identify the communication path. Without such disclosure,partial law enforcement agencies informationthe disclose toinvolved,providers haveobligation been the with service of number a where renounces trace a clear classification, to as it paths includes an obligation communication to ensure identify the preservation of to traffic dataoffenders, 17 enables authorities to order Article disclosure the access Articleexpedited of17 traffic partial data. in cases immediate need agencies enforcement law Where disclosure oftraffic data andpartial 1.7.3. Expedited preservation See theExplanatoryReporttoConventiononCybercrime requirements forthehandoutofdatatolawenforcementagencies couldbeadjustedinrelationtocategoriesofdata. in anumberofways.Oneexampletheirapproachisthe productionorder(Art.18). The drafters suggestedthatthe action fromlawenforcementagenciesontheonehandand theimportanceofensuringsafeguardsonotherhand Partymaywishtoprescribedifferent terms,different competentauthoritiesanddifferent safeguardsconcerningthe 1. Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such 16, Article under preserved be legislative to: andothermeasures asmay to benecessary is that data traffic of respect in adopt, shall Party Each 1. disclosure oftraffic data andpartial 17–Expedited preservation Article 4. The powers andprocedures 14and 15. to referred Articles shallbesubject to inthisarticle of suchprocedures for oftimeprovided theperiod for by itsdomesticlaw. the oblige to custodian necessary or be other may person as who measures is other to and preserve legislativethe such computer adopt data toshall keep Party confidentialEach the3. undertaking 2. The powers andprocedures 14and 15. to referred Articles shallbesubject to inthisarticle competent to authorities order: its empower to necessary be may as measures other and legislative such adopt shall Party Each 1. 18–Production orderArticle

The draftersofthe Formoreinformation,seeoftheforthcomingGuidetoUnderstanding CybercrimetobepublishedbyITU- “Often,however, nosingleserviceproviderpossessesenoughofthecrucialtrafficdatatobeabledeter Formoreinformation,seethetheforthcomingGuidetoUnderstandingCybercrimebepublishedby providers andthepath through whichthecommunication was transmitted. by that authority, of a sufficient amount of traffic data toenable Partythe to identify service the b. ensure the expeditious disclosure to the Party’s competent authority, or a person designated providersone ormore were service involved inthetransmission ofthat communication; and whether of regardless available is data traffic of preservation expeditious such that ensure a. a. a person in its territory to submit specified computer data in that person’s possession or possession person’s that in data computer specified submit to territory its in person a a. 157 Convention onCybercrime triedtoresolveproblemsrelatedtheneedofimmediate 158 which is among other aspects regulated in Article 18oftheConvention: regulated whichisamongotheraspects inArticle No.174:“Theconditionsandsafeguardsreferredtoin 155 156 - - - 45 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex procedural laws contain provisions that enable law enforcement agencies to search and seize objects seize and search to agencies enforcement law enable that provisions contain laws procedural 1.7.5. Search andseizure ofstored computer data 162 establish anequivalent powerrelatingtostored data”. objects, otherthan bysecuringthedatamedium uponwhichitisstored. and thereforecannot besecuredonbehalfof criminalinvestigationsand proceedings inaparallelmanner astangible et seqq.;Rhoden Searches andSeizuresofComputers andComputerData,HarvardJournalofLaw& Combating Cybercrime,123etseq.Formoreinformation on Computer-related SearchandSeizure,see: 160 D.,thepublished - 159 by some countries, search and seizure procedures remain a key investigative tool. of use implemented been the already have and discussion under are offenders or identify to forensicsoftware remote data content of collection real-time the as such instruments investigation new Although but drafters of the Convention on Cybercrime included a provision dealing with search and seizure, as seizure, national laws donotcover often data-relatedand search andseizure procedures. search with dealing provision a included Cybercrime on Convention the of drafters but 161 tion ofprivacytofruitthe poisonous treeandbeyond, American JournalofCriminalLaw, 2002,107etseq. optr ytm r esrs ple t poet h cmue dt teen o rvd, s is as in provide,to paragraphs 1and2. referred measures to the of therein undertaking data the enable computer to information, the necessary the protect reasonable, to applied measures or the system of functioning computer the about knowledge has who empower person to any order necessary to be authorities may competent as its measures other and legislative such adopt shall Party Each 4. 1 or2. These measures shallincludethepower to: competent authorities to seize or similarly secure computer data accessed according to paragraphs its empower to necessary be may as measures other and legislative such adopt shall Party Each 3. other system. the to accessing similar or search the extend expeditiously to able be shall authorities the system, territory,its in lawfullyit datais of suchaccessible and from availableor systemtoinitial the part or computer another in stored is sought data the that believe pursuant to grounds have it, and 1.a, paragraph of to part or system computer specific a access similarly or search authorities its where that ensure to necessary be may as measures other and legislative such adopt shall Party Each 2. competent to authorities search access: orsimilarly its empower to necessary be may as measures other and legislative such adopt shall Party Each 1. 19–Search andseizure ofstoredArticle computer data of its services otherthantraffic or contentof itsservices data and bywhichcanbeestablished: in the form of computer data or any other form that is held 3. Forby the purpose a of this service article, the provider,term “subscriber relating information”to subscribers means any information contained 2. The powers andprocedures 14and 15. to referred Articles shallbesubject to inthisarticle

“However, inanumberofjurisdictionsstoredcomputer datapersewillnotbeconsideredasatangibleobject SeetheExplanatoryReportto the A detailedoverviewoftheelements ofsearchproceduresisprovidedbythe ABA International Guideto Formoreinformation,seeoftheforthcomingGuidetoUnderstanding CybercrimetobepublishedbyITU- b. a service provider offering its services in the territory of the Party to submit subscriber submit to Party the of territory the in provider’sinformation relating inthat service to suchservices possessionorcontrol. services its offering provider service a b. control, whichisstored inacomputer system oracomputer-data storage medium;and d. render inaccessible orremove thosecomputer data intheaccessed computer system. storage c. maintain theintegrity oftherelevant stored computer data; computer-data a or it of b. makeandretain acopy ofthosecomputer data; part or system computer a medium; secure similarly or seize a. b. acomputer-data storage mediuminwhichcomputer data may bestored initsterritory. a. acomputerofitand systemdata stored orpart therein; and on the basis of the service agreementon thebasisofservice orarrangement. availablecommunicationequipment, of accessinstallation the of site the informationon c.anyother other and telephone arrangement; address, geographic or agreement service the of or basis the on available information, payment postal and billing number, identity, subscriber’s the b. the and thereto taken provisions ofservice; period technical the used, service communication of type the a. , Challengingsearchesandseizures ofcomputersathomeorintheoffice:Fromareasonable expecta Convention onCybercrime, No.184. Explanatory Report totheConventionon 159 The aimof Article 19ofthis Conventionisto Technology, 1994, 162 160 Most national criminal Cybercrime, No.184. Vol. 8,page75 Winick , 161 - , 46 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex data isregulated 20oftheConvention: by Article the IP address of and the can server then determine its physical location. The real-time of collection traffic identify to able are agencies enforcement law services, Internet of use the during generated data traffic the Bymonitoring offenders. identify help also can data traffic exchanged, files of nature the analyze to ITU-D. 167 Data, DUD2002, 577etseq. investigations seeaswell: ABA InternationalGuide toCombatingCybercrime,page125; intrusive sinceassuchitdoesn’t revealthecontentofcommunicationwhich isregardedtobemoresensitive”.See: computer datamighttherefore beinsufficient.Moreover, the collectionofthisdataisregardedinprincipletobeless dence oftheoffence. needed totracethesourceofacommunicationasstarting pointforcollectingfurtherevidenceoraspartoftheevi 166 Voice%20over%20IP-%20Forensic%20Computing%20Implications.pdf. available at:http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Simon%20Slay%20-%20 www.itaa.org/news/docs/CALEAVOIPreport.pdf; Simon/Slay, plications of 165 opbp/OPBP%20Intercept%20Evidence%20Report.pdf. York) andIsrael,seetheLegalOpiniononInterceptCommunication, 2006,availableat:http://www.law.ox.ac.uk/ 164 ITU-D. 163 exchanged. Article 21 of the Convention gives them the possibility to intercept content data to record data agencies already know the communication partner, but have no information about the type of information whereenforcementlawcases in interceptto important exchangedatabe processes can opportunity The 1.7.7. Interception ofcontent data countries. many in investigations crime capital in used instrument an is Telephone surveillance oftraffic collection data 1.7.6. Real-time Explanatory ReporttotheConvention onCybercrime comparable to an exchange of emails than to a classic PSTN phonecall. moreor VoIP.is IP as Voiceview,overa VoIPcall such of Protocols(IP), point technicalInternet Froma on based technology over carried is communications voice of to amount growing limited a - not file-transfers and is emails data of exchange The conversations. phone classic the replaces data of exchange the role in the investigationrolethe in cybercrime. of further evidencebeforeitisdeleted ortoidentifyasuspect. The ordinaryprocedure forthecollectionanddisclosureof ervation. Consequently, itsrapiddisclosure may benecessarytodiscernthecommunication’s routeinordertocollect 4. The powers andprocedures 14and 15. to referred Articles shallbesubject to inthisarticle any information relating to it. and article this anypower provided in execution of the for of fact the confidential keep providerto 3. Each Party shall adopt such legislative and other measures as may be necessary to oblige a service that on means territory. technical of application the through territory, its in transmitted communications to be ensurenecessary the real-time or collection recording of traffic data associated with specified may as measures other and legislative adopt instead may it 1.a, paragraph in toreferred measures the adopt cannot system, legal domestic its of principles established the to due Party, a Where 2. competent to: authorities its empower to necessary be may as measures other and legislative such adopt shall Party Each 1. oftraffic collection data 20–Real-time Article

Formoreinformation, seetheforthcoming Guide toUnderstandingCybercrime Guidetobepublished by “Incaseofaninvestigationacriminaloffence committedinrelationtoacomputersystem, trafficdatais Regardingtheinterceptionof RegardingthelegislationonlegalinterceptioninGreatBritain,Canada,South Africa, UnitedStates(New Formoreinformation,seetheforthcomingGuidetoUnderstandingCybercrimeGuidetobepublishedby b. provider, compel aservice withinitsexisting technical capability: and Party, that of territory the on means technical of application the through record or collect a. Applying theCommunications transmitted by meansofacomputer system. territory in its communications specified with associated real-time, recording in or data, collection traffic of, the in authorities competent the assist and co-operate to ii. or Party; i. to collect or record through the application of technical means on the territory of that Traffic datamightlastonlyephemerally, whichmakesitnecessary toorderitsexpeditiouspres 167 VoIP 166 Assistance toLawEnforcement toassistlawenforcementagencies,see 163 Whileaccess tocontentdata lawenforcementenables agencies , No.29.Regardingtheimportance oftrafficdatainCybercrime Voice overIP:ForensicComputing Implications,2006, Act to 165 Traffic data now plays a growing Voice overIP Bellovin andothers Gercke –availableathttp:// , PreservationofUser , SecurityIm 164 Today, - - -

47 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex ments/about-cse/museum.pdf. History ofCryptography, 2006; The Scienceof Secrecyfrom is theuseofencryptiontechnology. Regarding thefunctioningofencryptionprocedures,see: 168 operators. countries, bypassing regulators and licensed operators, effectively these diverting revenues from licensed difficult to regulate . Further, unlicensed VoIP operators are piping millions of dollars of VoIP into regulated making technically VoIP recognize circuit-switched network, cannot providers its in VoIPtraffic backbone toa subscribe zeroVoIPnear atworldcost. Incumbent the anywhere to in calls phone providermake and of favorVoIP.now in can connection services telephonybroadbandvoice a traditional Anyonewith with The ever-greater capability of VoIP solutions suggests that, in the not too distant future, users will dispense Voice over Internet Protocol (“VoIP”) is increasingly gaining ground in the market for voice communications. 1.7.8. Voice over IP(VoIP) communication andanalyze itscontent. surveillance. Although surveillance may be allowed by the courts, encryption means law enforcement cannot monitor law VoIP callsinthesame way theycanin thecircuit-switched world. means encryption courts, the by allowed be may surveillance Although surveillance. enforcement law where authorities can track VoIP it calls, moreis making datadifficultEven encryption for law enforcement trace. to conduct and track to enforcements law for islawful difficult is issue that communications secure safety of form public a as VoIP to flock Another criminals as capabilities, cut surveillance costs. enforcement’s law to and intercept, access emergencyservice offer not VoIP concerned. may is VoIPproviders where safety public ensure to concerns face also regulators and Governments the of operation efficient and and otherissues,market includingbillingand interconnection issues. smooth the ensure to practices pro-competitive as such issues, other 3) trace,to track, intercept andinterpret over communications used for any activity criminal network. 2) public safety - the toability guarantee 24/7 access to and services, lawemergency enforcements ability infrastructure, and 1) revenue collection - taxes, fees and rates are needed to maintain and grow a sustainable communications regulation canbecategorized into several general areas: of human voice is concerned. The challenges arising from unregulated VoIP are far-reaching. The need for transmission the where especially sent, is it which by mechanism the than rather sent, being information of type the consider must legislatures systems, regulatory new designing In up. keep cannot regulation systems,voicetelephonyIP migratesand to naturally data as transmittedincreasingly voice) is (including which the data is carried, rather than the type of information being sent. 4. The powers andprocedures 14and 15. to referred Articles shallbesubject to inthisarticle any information relating to it. and article this in power provided any for of execution the of fact the confidential keep providerto 3. Each Party shall adopt such legislative and other measures as may be necessary to oblige a service specified on through theapplicationcommunications oftechnical meansonthat initsterritory territory. data content of recording or measures collection real-time other the ensure and to legislative necessary adopt adopt be may instead cannot as may system, it legal 1.a, domestic paragraph in its to of referred principles measures the established the to due Party, a Where 2. to: offences rangeserious of determined be to law, domestic by empowerto its competent authorities a to relation in necessary, be may as measures other and legislative such adopt shall Party Each 1. 21–Interception ofcontentArticle data

Onepossibilitytopreventlaw enforcementagenciestoanalysethecontentexchanged between twosuspects b. provider, compel aservice withinitsexisting technical capability: and Party, that of territory the on means technical of application the through record or collect a.

Voice regulations have previously been drafted according to the underlying technology over technology underlying the to according drafted been previously have regulations Voice means ofacomputer system. by transmitted territory its in communications specified of real-time, in data, content of,recording or collection the in authorities competent the assist and co-operate to ii. Party, or i. to collect or record through the application of technical means on the territory of that Ancient Egypt toQuantumCryptography, 2006; An Overviewof theHistoryofCryptology, availableat:http://www.cse-cst.gc.ca/docu 168

D’Agapeyen, CodesandCiphers – A

The danger is that as information Singh; The CodeBook: - 48 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex to address this challenge is the production order - the obligation to disclose the key used to encrypt encrypt to used key the disclose to Denver.in Meeting G8 1997 the data.at discussed wasinstrument an obligation such implementationTheof the - order production the is challenge this address to the question of whether such instruments are necessary is being intensely debated. intensely being is necessary are instruments such whether of question the Currently,information.suspects’for access search to and enforcementremotelyagencies computerslaw enable secretly.tools Theseused be can suspects’that computerson stored data computer to access to them allow that tools need agencies enforcementlawinvestigations, ongoing of detection Tothe avoid 171 http://www.news.com/8301-10784_3-9769886-7.html. example for a national implementation is Section 69 of India’s Information Technology Act 2000. 178 internationally inimplementingsuchpolicies. 177 176 D.,thepublished -D 175 Law Journal,2005,page365 et.seqq. Data RetentionandHumanRights: ing theconcernsrelatedtoaviolationofEuropeanConvention onHumanRightssee: http://www.edri.org/docs/retentionletterformeps.pdf; CMBA,PositiononDataretention:GILC,Oppositionto data re 174 or ofpubliccommunicationsnetworksandamendingDirective 2002/58/EC. data generatedorprocessedinconnectionwiththeprovision ofpubliclyavailableelectroniccommunicationsservices 173 polaris.gseis.ucla.edu/blanchette/papers/is.pdf. Blanchette/Johnson The CompatibilityofBlanket 172 For moreinformation,seetheCybercrimeGuidepublishedbyITU-D. articleId=9034459; Computerworld Security, availableat:http://www.computerworld.com/action/article.do?command=viewArticleBasic& computer andperformsearchprocedures,see: 170 D.,thepublished -D 169 have not do authorities access to investigativethe key that was used tothe files,encrypt could decryption takeand decades. product a such use suspects If access. unauthorized against Various software products are available that enable users to protect files, as well as data transfer processes 1.7.11. Order to disclosekeyusedfor encryption time. of period a certain for data traffic retain to ISPs the forces retention data for obligation An 1.7.9. Usetools ofkeyloggersandothersoftware the tools theyneedto protect thepublicfrom activity. criminal governments and the VoIP need toindustry work together to ensure that law enforcement agencies have Clearly, event. the after weeks potentialy them, decrypt finally they when arrests, make to transmissions intercepted using to limited are agencies enforcementlaw Instead, attacks.prevent or communications Without being able to require VoIP operators to decrypt, law enforcement agencies cannot monitor terrorist tention continuestogrow–availableat:http://www.vibe.at/aktionen/200205/data_retention_30may2002.pdf; Regard is deleted. An example of such an approach is the EU Directive on Data Retention. Data on Directive EU the is approach an such of example An deleted. is it before data traffic to access obtain to approach one is obligation retention data a of implementation criticism fromcriticism humanrightsorganizations. intense some in resulted has Directive the by covered are communications Internet about information 1.7.10. Data retention of theIPaddress usedby offenders. out remote search procedures, the recording of VoIP services, the logging of keystrokes, the identification for “remote forensic software” and its possible functions are discussed. Among them are functions to carry

Lawfulgovernment accesstopreventandinvestigate actsofterrorismand tofindamechanismcooperate Schneier, Formoreinformation,seethe forthcomingGuidetoUnderstandingCybercrimebepublished byITU- Seeforexample:BriefingtheMembersofEuropean ParliamentonDataRetention–availableat: Directive2006/24/ECoftheEuropeanParliamentand the Councilof15March2006onretention Foranintroductiontodataretention,see: Formoreinformation,seetheforthcomingGuidetoUnderstandingCybercrimebepublishedbyITU-D. Regarding the plans of German law enforcement agencies to develop a software to remotely access a suspects Formoreinformation,seetheforthcomingGuidetoUnderstandingCybercrimebepublishedbyITU- An examplecan befoundinSec.69oftheIndian Information Applied Cryptography, Page185. , Dataretentionandthepanopticsociety: Broache, Germanywantstosicspywareonterrorsuspects,31.08.2007,CNetNews–availableat: 171 Traffic DataRetentionwiththeECHR, EuropeanLawJournal,2005,page365etseq; The CompatibilityofBlanket Blau 174 , DebateragesoverGermangovernmentspywareplan,05.09.2007, Breyer 175 169 ,

Telecommunications DataRetentionandHumanRights: The socialbenefitsofforgetfulness –availableat: http:// Traffic DataRetentionwiththeECHR,European Technology Act 2000:“Directions ofCon Breyer, Telecommunications 176 One legal approach 173 170 The fact that key that fact The Various concepts Various 178 Another 177 172 One The - - - 49 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex and businesses –availableat:http://www.fipr.org/rip/RIPcountermeasures.htm; Technically inept:ineffective againstcriminalswhile underminingtheprivacy, safetyandsecurity of honestcitizens 179 Technology information”. Formoreinformation aboutIndia’s Information any agencywhichhasbeendirected undersub-section(1),extendallfacilitiesandtechnical assistancetodecryptthe any computerresource.(2) The subscriberorany personin-charge ofthecomputerresourceshall,whencalleduponby be recordedinwriting,byorder, directanyagency oftheGovernmenttointerceptanyinformationtransmittedthrough foreign Stalesorpublicorderforpreventingincitement tothecommissionofanycognizableoffence, forreasonsto expedient sotodointheinterestofsovereigntyorintegrity ofIndia,thesecurityState,friendlyrelationswith troller toasubscriberextendfacilitiesdecryptinformation. (1) IftheControllerissatisfiedthatitnecessaryor 2000. Act Powers Investigatory UK the of 49 Section is obligation such for example Cybercrime). Conventionon the of 22 (Article prosecution for jurisdiction appropriate most the determining to view a with consult appropriate,where shall,involved States the cybercrime, alleged an over jurisdiction claims State one than more When extradition. for request a after nationality, persons the of basis the on solely where alleged offenders are present in its and territory the State does not extradite them to another State, to apply only in specific cases or conditions in the jurisdictionrules. States theoffenceis should be able prosecute cases, or if or apply to not reservation a enter may it wasStates committed State. any of jurisdiction territorial the where outside committed law, criminal under punishable is offence its of the one if by or nationals, State, the of laws the under registered aircraft an board on State, that of flag the flying a ship board on territory, its on committed are offences where offences, cybercrime over established be should law. criminal provisionsJurisdiction in jurisdictional include tomeasures adopt Stateshould Each 1.7.12. Jurisdiction technology.challenge ofencryption many in countries raises self-incrimination doubts as to against whether such regulationprotection could becomestrong a model The solution investigation.to address the the support actively to need suspects authorities, competent the to investigation the leaving of Instead self-incrimination. against suspect a of relating to this approach is that the obligation could result in a potential conflict with the fundamentalright technology/7102180.stm; ABA International GuidetoCombatingCybercrime, page32. law, BBC News,20.11.2007 –availableat:http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/

Forgeneralinformationonthe Act, see: Act 2000,availableunder:http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan002090.pdf Brown/Gladman Technology , The RegulationofInvestigatory PowersBill- Act 2000,seeDuggal,India’s Information Ward, Campaigners hit bydecryption 179 A general concern general A 50 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex encryption—either by legally compelling suspects to reveal their passwords, or by conducting a livedatareveal toa passwords, their conducting by suspects compelling or legally by encryption—either by-pass to have police encrypted, increasingly is rest at data Since files. encrypted containing evidence problemsencryption in the future. Already, many police by agencies have had afflicted to seize and increasingly analyze electronic be will enforcement law that suggest developments These software systems. operating and security units processing computercentral drives, hard in in technology trends encryption include to Recent beginning are now manufacturers alone. hardware and Software police often. more encryption by use also solvedwill public the be that suggest cannot encryption of problem The the avalanche offenders. ofcriminal be must Officers trained to preservation. follow the digital and equivalent of a collection “blood trail”evidence if they in wish to be able changes to investigate and fundamental prosecute these with deal must Cyber-criminals seek to cover up their electronic tracks to preventpurposes. arrest and prosecution. illicit Police agencies for used be also can encryption However, encryption. using for reasons legitimate have individuals and businesses other and institutions banking government, military, Theroute. unintended) networks between sender and recipient to prevent them being copied or viewed along their intended (or Encryption is used legitimately to encode email and computer files on their journey over multiple computer password. the without contents encrypted deciphering of chance minute a only is there that advanced so become havetechniques encryption digitalyears, few past the In password. a without decoded be cannot it that to access. difficult or unavailable be may is Encryption based on mathematical means algorithms that police convert digital information into a fordifferent programmesformat so important evidence encryption electronic computer-based incriminating that sophisticated widely-available of introduction The Challenges 1.8.2. Encryption assets isenormous. asten dollars.to transport Thus, thepotential for and lossofhugeamounts ofcashandother thetheft assets are assets weighs withoutmass. ofelectronic nomore Abilliondollars-worth andisjustaseasy stolenof electronically money(orothergoods)isgreatly facilitated that digitized by thefact moneyand no easytask-digital evidence ismuchharder to locate andtrace. andstorage transportation, The theft, while commercialcybercrimes, may firms fear thelossofcustomers’ confidence. Locating theevidence is thematterreluctant to tohow –individualsmay report theauthorities orto notknow whomto report may have noideathat hiscomputer fileshave beenstolen. Even iftheintrusion isnoted, may be victims steps remain thesame, butthemethodsandmeansofproceeding are notsoclear. Firstly, thevictim computer system, steal computer thestolen filesand items.copy ortransport The basicinvestigative course, canbe committedOf thesamecrime “virtually” withacomputer. The thiefcanbreak into a stolen. Any physical evidence are analyzed andcarefully documented for useintheprosecution. been has what determine to attempt and entry, of method a entry, of point a for look who police alerts the determine evidence, physical locate identity of the perpetrators, and arrest them. In the victim, case of a traditional burglary, the almost victim alwaysthe identify - same the remain steps investigative The where muchoftheevidence andstored iselectronic in “data trails”? leave some form of “real-world” tangible evidence. How then do these professionals respond to a situation usually which thefts, car and homicides burglaries, as such crimes, low-tech traditional handling to used are different from traditional forms of investigation in several key ways. Police officers and prosecutors are issues security network and security information other and cybercrimes investigationof the Policingand 1.8.1. The Move from Physical to Evidence Electronic its and associated technologies, have greatly complicated Internet law enforcement today.the of advent The technologies. these by created opportunities new exploit and adapt to quick been have offenders criminal contrast, persons. In police. to challenges and new pose ICTs in developments property against crimes of rapid crime, of forms investigationtraditional combating in success some the enjoy organizations enforcement law While with tasked are police world, the Around 1.8. Law Enforcement andInvestigation 51 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex of unreported criminal activity hasbeencalledthe activity criminal of unreported “dark figure” by criminologists. offenses, however, are significantly underreported, as in the case of sexual assault and rape. This incidence homicide, armed robbery, car theft and assaults tend to example, for be - accurately activity reported criminal for to approximations good the provide police.can statistics crime Other speaking, criminal Generally 1.8.5. ProblemThe Underreporting are extremelydifficult toobtain. unit as a “criminal threat”. Since there are no agreed overall definitions or classifications, accurate statistics an Internet fraud scam as a fraud case and an online stalking case might be counted by an agency’s assault For as the crime of department, “sexual exploitation of a minor”. a police A police department’s economic crimes unit might include within classified and unit abuse child units the by maintained be different may data arrest pornography child online by example, separately kept be may statistics crime Computer reporting. of cybercrime toextentstatisticsdue different reliable the about cybercrime definitions, sources varied uncertainty and few are presently,there and offenses these of number the record accurately to difficult is it Cybercrime), on Europe’s Convention of Council the in (e.g., emerged have definitions agreed few a Although crime. cybercrime over time, there has to be agreement on consistent be definitions of what constitutes a computer to in trends monitor However,to resourcesoperandi. criminals’ modus and trends new limited spot to statistics criminal allowing use by enforcement law in role analyststrends. Crime crime of analysis and benchmarking on based urgentneeds, most the toallocated important very a play statistics Crime 1.8.4. Counting Cybercrime —How Is Much There? legal mutual and rogatory letters assistance treaties, financialburden eachofwhichcanaddaheavy even treaties,for alarge investigative branch. extradition include can involved issues legal The France. in Paris and India in Bangalore in officials police between e.g., – Departments Policeinternational between coordination significant and expensive needing borders, across and world the around stretch can which investigations, cybercrime for problems poses also victims and perpetrators between distance physical updated. The constantly be also must equipment this training, with As evidence. digital of examinations forensic conduct to needed is software and hardware computer specialist expensive Furthermore, task. easy no is which training, ongoing undergo and uptodate kept be must officers change,technological of pace the Given investigators. highly-trained need they as expensive, are investigations crime High-tech 1.8.3. Costs ofHigh-Technology Investigation Crime to datathanthepolice. interception—often requiring higherlegalauthority seizure of a computer system. The latter is more complex and, under the laws of many countries, amounts 180 computer crime incidents in an efficient, timely, and confidential manner.handle to police the of capacity the about doubts to due reported be not may crimes Computer police. Worse still, many victims who understand that a crime has taken place may deliberately not report it to the constituteagainst theirnetworks acrime. the report and forward come recognizeattacks to thatnot may corporatemanagers administratorsand network individuals,Many crime. loss a suffered have who victims convincing is hurdle major Another data. of loss or intrusion computer a suffer they when unaware remain organizations and individuals of an of distribution global the and networks, organization’s computer informational assets mean that computer of crime is difficultvery to detect. The vast majority capacity storage and size Sophisticated the place. taken technologies, even has offense an that unaware are crime computer of victims the Often, Recent evidence suggests that computer crime may be the most under-reported form of criminal behavior. 181 ter-related Crime. that a bank’s computers and accounts have been compromised could drive thousands of customers to its money. This or is data especially of true theft in to the victim banking fallen and have financial who sectors, customers wherecompensate to reputation forced is if profits, everything.their Rumours or reputation their to damage fear may corporations Large foolish. look to wish not may or report to small too is loss

CollierandSpaul, p.310. InternationalReview ofCriminalPolicy-United NationsManualonthe PreventionandControlofCompu 181 Individuals may feel that their 180 - 52 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex conducts research on particular aspects of cyber-criminality and prepares reports for law enforcement law for reports prepares and cyber-criminality of aspects particular on research conducts forum for discussion expert on the latest emerging threats in cyberspace. In addition, each working party a and training provides and exports regional together brings groups these of Each East. Middle the and Africa America, Pacific, Latin Europe,Asia-South in including world, the around parties working expert of organizationsthreats. emergingcybercrime to respondto world the aroundTo enforcementnumber a established has date, Interpol law of capacity investigative the improve to diligently worked has Interpol 1.8.8. Law enforcement capacity-building computer units. crime exist worldwide andreflect regional parties expertise. These working in the field of ITC through‘working parties’, which consist of the heads or experienced members of national than ‘re-inventingwheel’,the members its of expertise the harnessed has Secretariat General Interpol the Rather 1990. since (ITC) InformationTechnology Crime combating in involved actively been has Interpol instant information access andhelpfacilitate to investigations. important criminal DNA profiles, lost or stolen travel documents, stolen cars and etc.works of art, These resources give police fingerprints, persons, wanted terrorists, suspected on information containing databases to access direct Using I-24/7, National Central Bureaus (NCBs) can search and cross-check data in a matter of seconds, with unrelated information can be linked to help create a pattern and solve transnational criminal investigations. I-24/7 has fundamentally changed the way law enforcement authorities work together. Pieces of seemingly organizations involvedcriminal areand As criminals typically activities. criminal and activities, multiple in in all 186 member countries and provides them with the means of sharing crucial information and on criminals securely information exchange to police rapidly. world’s The the organization’s enable I-24/7 global police communications to system connects law is enforcement officials functions core Interpol’s of One provide assistance matters. ininternational cybercrime to world the around from officials police unite tohave worked - G8 the Policeand Criminal Organization) low a International (the given Interpol notably - organizations international only Several all. at discussed is not is or priority cybercrime regions, other in criminality, computer discuss to 1990s early the since involvingcomputer networks. Whilepolice regions theofficials of world fromhave certain meeting been andlegal fora of anumber of instruments, enabling police forces to work establishment with their counterparts around the world on criminal offenses the by significantly boosted been has cooperation Their cybercrime. against fight the in effectively more cooperating now are world the around services Police 1.8.7. Internationallaw enforcement cooperation police officer.is anactual same offense, might waste dozens of hours engaging with each other, with neitherknowing that the other the each Internet.investigating the apart, on offenders world a sex child officers, half police Two policing when children as pose mayinvestigators police grownexample, Foraway. world a half (unintentionally) criminal locating and offenders.Sometimes, their response undercover police personnel in one have jurisdiction encountered their colleagues coordinating evidence, in gathering difficulties into run however take comfort from the fact that there is no “global Internet police”” force. Law enforcement personnel have This approach has both advantages and disadvantages. Many and civil human libertarians rights activists –these organizations have allstakedouttheirperceived incyberspace. territory security) national censorship, protection, child tax, (including authorities government other to services, police national From agencies. government and enforcement law of manner is all ‘patrolled’ byInternet defined responsibilities. For theInternet, however, no single law enforcement prevails jurisdiction and the clearly and resources allocated with districts, into territory geographic their up carve to forces police for common is It under-policed. remains Internet the areas, and precincts districts, police traditional Unlike 1.8.6. Patrolling cyberspace theincidents tothem to police report personnel. government other with closely work to have organizations, personnel the private sector enforcement and public to law increase their progress,awareness of cybercrime, make as well as to encourage order In competitors. 53 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex justice system, the public at-large, the private sector and non-governmental organizations to ensure a comprehensiveensure approach to resolving thisproblem. to organizations non-governmental and sector private the at-large, criminal public the of the elements system, other justice with closely work police that critical is It gain. illegal and personal their for technologies networked and ICTs exploit to the efforts constant of their in parts criminals with most up keep in to world police for impossible virtually is it technology, of nature ever-changing the Given cross-border whenconducting investigations.particularly police, to problem major a poses legislation of lack code.This criminal national the in delineated clearly not are cybercrimes world, the of parts many in yet law, of violations investigate to authority have only police example, For cyber-offenses. of investigation and against fight the in system justice criminal the of part one only constitute agencies police addition, In needed. all are equipment and awareness public local and regional studies have been undertaken. From these regional studies,However, many cybercrime. additional against training, fight funding, global their in effective more be to need agencies police what Toexactly determine toorder completed in been enforcementlawhas assessmentdate,global needs no 1.8.10. Law enforcement needsassessment andemerging trends attacks onbanksintheUnited States, Germany andMexico. the United States. The network has also been used on several occasions to avert hacking attacks, including records Internet disclosureof and in preservation the byfacilitating murdererUnitedKingdom a the of in and other crimes in a number of countries. For example, the G8 network was used to secure the conviction Both the G8 and the Interpol networks have been successfully used in many instances to investigate threats Bureaus withtheindication oftheunitto beinformed ineachrceiving country. Central National appropriate the through forwarded be will Points.Messages ReferenceCentral National as designated have Points Contact 121 Tocompiled.date, been has crime computer-related for (NCRPs) channels reaches the specialized police units as fast as possible, a list of National Central Reference Points Interpol appropriate the through exchanged international information in the systemthat ensure To message investigations. cybercrime I-24/7 the use to to countries member police encourages Interpol allow and to system I-24/7 as known system the to connected communications are world.countries Today,the member throughout securelyInterpol communicate all police global a developed has Interpol personal. The andtheConvention G8network onCybercrime are network now being consolidated. of theConvention onCybercrime, mustprovide a24/7reference parties point withequippedandtrained receive to week, a days information 7 and/or requests hours, for cooperation all in cases at involving available electronic evidence. are According contacts to Article 35 These network. 50 this about today,joined have and countries G8 the beyond countries include to intended always was network This networks. which network a - countries between supplements, contacts but does expedite not to replace, mechanism traditional methods new of a assistance created in cases G8 involving the telecommunication 1997, In andtheG8haveInterpol suchnetworks. and countries other in authorities with network request immediate assistance in computer-related investigations to and evidence collection. Currently, both countries enable to established been have points contact 24/7 end, investigations.Tothis cybercrime rapid a for need the with up keep cannot rogatory) letters and treaties assistance legal mutual as (such evidence cross-border obtaining for methods legal need to rapidly and securely with each other in international cybercrime investigations. traditional Often, police effective, be Toquickly. disappear can evidence i.e., time-sensitive are investigations Cybercrime 1.8.9. 24/7Points ofcontact “Interpol”/G8 phone forensics mobile andlive data forensics, to nameafew. investigations, Internet intrusions, computer from ranging topics, different many on personnel 54 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex olcin procedures. collection evidence electronic and crimes of types covernew that laws substantive new adopt to need states Many evidence required for prosecution. laws for electronic the collect to procedural needed also are technical crimes Similarly, traditional and offences. cybercrime investigating and of detecting types new these covering laws substantive need crime Prosecutors offline. traditional website company’s a a knock to have computer a uses not offender an when does e.g., – that equivalent conduct unlawful covering laws cybercrime substantive need committed using computers may already be covered by traditional law. Sometimes, however, thefts prosecutors use bank e.g., - The offences. legislation new online need not of may commitcrimes ‘old’ forms totraditional of ‘new’technologies new including jurisdictions, own their in cybercrime prosecute and investigate to tools legal appropriate for need the is enforcement agencies law facing challenge first The located abroad. ofsuspects 4) extradition evidence abroad;3) collecting and 2) understandingtechnical evidence; 1) theimplementation ofrelevant substantive andprocedural legislation; cybercrime including(amongothers): acts, criminal Prosecutors todaycybercriminals face numerousresponsible to hold challengesintheirefforts for their basis. national or regional, local, a on handled jurisdictions, territorial on based traditionally are prosecution and investigation criminal However, transnational. is itself, Cybercrime, Internet borderlessworld. the the like in anywhere located be to cybercriminal a permits committed are cybercrimes which over medium the that is cybercrime of prosecution the in face states challenges main the of One 1.9.1 ChallengesinProsecuting Cybercrime bercrime.pdf. www.itu.int/osg/spu/cybersecurity//docs/Background_Paper_Harmonizing_National_and_Legal_Approaches_on_Cy 185 Murdoch UniversityElectronic JournalofLaw, 184 (February 14,2001). 183 (February 14,2001). 182 and cooperation between states isessential. coordination effective cybercrime, transnational against effective be to enforcement networks. and systems computer of infrastructure the against attacks of prosecution and investigation the in vital fulfilled, the global prosecution ofcybercrimes may become more efficient. Such an approach is especially is provisionscountries. acrossProvidinglegal criminality of dual harmonization the ensureto steps taken other of efforts enforcement law countries. International the organizations (including the thwarting G8 Group, while OAS, APEC country, and the one Council of Europe) in have unpunished go can offenders as aythorities, enforcement law from cybercriminals shield may law in discrepancies Such unlikely. is crime the solve to cooperation not, do others and cybercrime criminalizing laws has state offenses. one Where substantive of definition their harmonize states that cybercrime against battle global the in vital also is It states interested laws 1.6). inadoptingcybercrime (seetheSubstantive inSection Law section for models as serve can engage inreal-time that provisions cybercrime procedural to and substantive key contains Cybercrime place in laws the procedural have tracing of online communications even or obtain stored evidenceelectronic of use.Internet The Convention of or offenders these charge criminal to substantive a offense have not may state A lists). customer as (such data valuable steal and computer the and cybercrimes of evidenceelectronic collection to - for example, where offenders gain unauthorized access to a company’sapply that measures procedural and laws cybercrime substantive numerous a Another challenge facing prosecutors is gaining the technical knowledge to understand the crimes and crimes the understand to knowledge technical the gaining is prosecutors facing challenge Another

Schjolberg, Hubbard,Harmonizing NationalLegal SeeBrenner, Cybercrime InvestigationandProsecution: See,e.g.CouncilofEurope, Draft ExplanatoryMemorandumtotheConvention on Cybercrime,n.6 See,e.g.CouncilofEurope,DraftExplanatoryMemorandum totheDraftConventiononCybercrime,n.6 185

184 s icse i dti i te usatv Lw eto (eto 16, hr are there 1.6), (Section section Law Substantive the in detail in discussed As 183 1.9. Prosecution Vol. 8,Number2(June2001). Approaches to Cybercrime,ITU(2005),located athttp:// The RoleofPenalandProcedural, Comment2, 182 For law For - 55 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex responsible person or persons. or person responsible Law Enforcement and Investigation, solving cybercrime needs immediate action to locate and identify the the on 1.8 Section in prosecutor’sdiscussed the proceduralAsrequirements in foradmission jurisdiction. the meets waythat a in and abroadrapidlyevidence of collection the prosecutorsis facing issue Another for prosecutors andjudges. may be helpful for ITU to work with other organizations to develop and deliver quality technology training It training. technology cybercrime offer hat organizations and governmentsprosecutors.Several to new how Internet Protocol (IP) addresses are assigned. The technical evidence and nature of cybercrime may be criminal prosecution, prosecutors may have to explain to a judge or technicaljury evidence – for example, so it is not thatsurprising they may not be comfortable with technical evidence. nature of the evidence. Most prosecutors need a lengthy and intense training as part of their legal training, and RelatedMatters, locatedathttp://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title9/15mcrm.htm. 189 gov/criminal/cybercrime/swartzTestimony061704.htm. Foreign RelationsCommittee onMultilateralLawEnforcement 188 http://www.usdoj.gov/criminal/cybercrime/unlawful.htm. 187 http://www.usdoj.gov/criminal/cybercrime/unlawful.htm. capabilities. enforcement facessignificantneedsintheareasofresources, trainingandtheneedfornewinvestigativetools 186 of traffic data. traffic of that measures enact to countries disclosurefor partial and storedcomputerdata of enforcementpreservation expeditedlaw obtain permit to important is it evidence, electronic of nature fleeting the to Due and obtaintheevidence quickly, 1.7.10on Data Retention. asdiscussedinSection assistance legal mutual on rules international with comply must prosecutors enforcementand law when sufficient a for data the retainperiod of time so providerslaw enforcement can accessservice the data, beforethat it is destroyed.vital This to identify is is especially challenging it points, data pass-through traffic or or routes suspects, data electronic obtaining on based often are prosecutions cybercrime Since provide to sufficient standard information canslow that meetstheevidentiary down the Failureprocess considerably. state. requesting the by imposed requirements evidentiary the meet to information sufficient provide to have prosecutors abroad, from evidence for request a making When executed. be can request their so required, information and procedure appropriate the about assistance legal mutual for Authority Central the with consult should state another from evidence obtain to Prosecutorswishing take time-sometimesmonths oreven years, whichcanderail aninvestigation. can evidence obtaining for methods rogatory.These letter a or convention multilateral Assistancea (MLAT),LegalTreaty Mutual a through proceeding, criminal a in used be can evidence the that in way evidencea such the obtain to assistance The legal concerning 2703(f). law § international U.S.C. with 18 comply law must U.S. prosecutors to pursuant provider service they the evidence, to such request want preservation U.S. a the send outside must prosecutors If days. 90 customers their of address IP the to process requirements.process and evidentiary of number a with extradition, abroad. for request a filing locatedinvolves usually extradition of suspects process The countries. of between exist prosecution treaties extradition where the even challenging, is especially be can cybercrime Extradition of prosecution the in challenge Another to andobtainstored preserve computer andtraffic data. laws have effectively, must states cybercrimes prosecuteinvestigate and to able be to Forstatesdeleted. Meeting either of these requirements ,may be difficult for cybercrime, as many states lack substantive lack states cybercrime many laws, as so cybercrime, the for principle difficult of dual be criminality ,may may requirements not these be of fulfilled.either Where Meeting a state does have substantive treaty.extradition (2) The second approach is that extradition is permitted for a list of crimes contained in, or attached to the by more thanoneyear ofimprisonment. charged with criminal conduct, if both states have criminalized the conduct and the crimes are punishable (1) The first approach is based on the doctrine of dual criminality–extradition is only permitted for persons extraditable:

SeeU.S.Department ofJustice,UnitedStates SeetheStatementofBruceSwartz, Deputy A According toareportbytheU.S.President’s ReportofthePresident’s A ReportofthePresident’s 188 Electronic evidence may move through a number of states and can be easily altered or altered easily be can and states of number a through move may evidence Electronic 189 Extradition treaties take one of two approaches for the types of crimes that are that crimes of types the for approaches two of one take treaties Extradition 187 Working Groupon UnlawfulConductontheInternet,March2000,locatedat For example, in the U.S., service providers must keep records relating records keep must providers service U.S., the in example, For Working GrouponUnlawfulConducttheInternet,March2000,locatedat Assistant Working GrouponUnlawfulConduct,itisrecognizedthatlaw Attorney’s Manual, Attorney GeneralCriminalDivision, beforetheSenate Treaties, July13,2004,locatedathttp://www.usdoj. Title 9-15.000,International Extradition 186 the During course of a 56 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Letters rogatory are usually transmitted via diplomatic channels, a time-consuming process. time-consuming a channels, diplomatic via transmitted usually are rogatory Letters treaties. (MLAT) Matters Criminal in Assistance Legal Mutual or Convention Evidence Hague the as such The execution of a request for judicial assistance by the foreign court is based on comity between nations, of testimony or documentary or other evidence or effect service ofprocess. orotherevidenceof testimony oreffectservice ordocumentary to state authorities”one and judicial appropriatein compulsion state,requesting“the court another a in from assistance obtaining of method assistance for request formal a is rogatory letter customary A treaty. a of absence the in states, other from evidence the rogatory, letters including laws, assistance legal mutual domestic by governed is assistance legal international states, two between place in agreements International legalassistancebe requested can and provided through several means. Where there areno 1.9.2 Letter Rogatory are chargedextraditing vitalinthesuccessful suspects investigation andprosecution ofcybercrime. and date specific a at address Protocol time. Internet The mechanisms in place for obtaining evidence outside a law enforcement and jurisdiction an agency assigned was who of evidence obtain to agencies requireinvestigating often and suspects, sophisticated by points pass-through proxiesor multiple of use the by complicated also are investigations Cybercrime prosecutors’ jurisdiction. the outside located are enforcement law charges to for unlawful conduct that challenges may not have an real offline equivalent.Often, the presents evidence and/or suspects cybercriminals file totools legal need and evidence electronic Prosecutors world.collect toaroundthe need authorities of prosecution global the summary, In 2oftheFrameworkArticle are Decision met. in conditions other criminality,the providingthatdual of absence the grantedin be can surrender which Framework EU the Europeanthe on ArrestDecision and Warrant,citescomputer-relatedwhich offences 32 of list the in crime for extradition, for basis a as (UNTOC) Convention Crime Organized UN Transnational the of use of the basis include possibilities the Other on Cybercrime. on mainly Convention but the and basis, penalties), list applicable a on operate not does of (which Council Extradition 1957 on the Conventionincluding Europerequests, extradition for basis a as treaties.used extradition most be also in can treaties Multilateral be covered may technology new involving offenses traditional However, developed. before time cybercrime long treatiesa givenmany surprising,statesenteredextradition that not intothe is offenses. This new the cover to treaties extradition its of all updated have not may it laws, cybercrime http://www.oas.org/juridico/MLA/en/can/en_can_prost.en.htm 192 foia_reading_room/usam/title9/crm00275.htm. 191 (1998). 190 Article 3UNTOC). Article in out (set group criminal organized an involving and nature in transnational being Convention, the by proceedings”investigations,judicial prosecutions,in offences covered assistance specific of to relation in measure the“widest another one afford to required are Parties State UNTOC, 18 Article with accordance In assistance. using legal mutual for consider basis a as can (UNTOC) Crime on TransnationalConventionOrganized UN prosecutors the nature, in transnational are cybercrimes many that Given others. than There are a growing number of multilateral conventions calling for cooperation in combating certain certain combating in cooperation crimes. for calling conventions multilateral of number growing a are There 1.9.3 Multilateral Treaties onCrime are sent backto therequesting judge, againusuallythrough diplomatic channels. results the denied), been has execution (or executed been has request the once and process consuming manner in which evidence the is taken evidence, or preserved, of the privileges that authentication witnesses may the invoke). After as this time- such matters (on state requesting the of that from different very be may state requested the of state.law the requested because process, the the to of uncertainty of law level another the add can with This compliance strict in so done is executeit executed, to is obligation it no if under and request, is the judge by The acceptedexecution. for is judge a request to the transmitted is If it state, other policy. the public state’s requested the with inconsistent be would sought diplomatic corps is generally considered free to refuse to act on a letter rogatory, if they feel the assistance

192 SeeProst,Senior Counsel,Director, International U.S.DepartmentofJustice, Epstein&Snyder, InternationalLitigation: Many of these include mutual legal assistance components, more extensive in some conventions Attorneys Manual, A GuidetoJurisdiction,Practice &Strategy, 2 Assistance group, DepartmentofJustice,Canada, locatedat Title 9, availableathttp://www.usdoj.gov/usao/eousa/ l (1994). 190

nd . Sec.10.09 191 Also, the Also, 57 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Although MLATs and multilateral conventions are different instruments, there are a number ofkey anumber are there instruments, components different common to both: are conventions multilateral and MLATs Although This broad languagehasenabledMLATs to adaptover timeinaway otherarrangements donot. state.requested the of law the under prohibited not assistance of form other anyMLAT allow A also may to and warrants, search due observe process. Generally,issue the remedies offered byto the treaties are only availableevidence, in criminal matters.tangible other and documents of production the require to witnesses, tosummon the power include treaties These Office). General’s Prosecutor or Office General’s Justice,Attorneyof Ministry a (usually assistance legal formutual requestsexecution of and transmission procedures. their facilitate and regularizeto MLAT and two A countries between assistance judicial improvetoeffectiveness of seeks the and seizures; and searches conducting cooperation; orproceedsrepatriating of ofcrime. stolen property purposes documents; for serving custody reports; in police persons including transferring records, government of copies obtaining testimony; or statements taking and witnesses questioning information; financial other and records bank acquiring in with criminal investigations to the other state. Typically, a MLAT entitles the requesting state to: assistance A MLATprosecution. placesobligationan unambiguous stateon each toprovide specific or assistanceforms in connection investigation criminal of a purpose to relating the evidence of for gathering countries, the in two assistance between providing agreement an is (MLAT) Treaty Assistance Legal Mutual A 1.9.4 Bilateral Legal Mutual Assistance Treaties appropriate instrument. an ratified and signed has sought be to is assistance statefromwhich the whether and soughtassistance basis for mutual legal assistance, prosecutors have to consider the nature of the offence, the nature of the appropriate most the selecting In Matters. Criminal in Assistance Mutual on Convention 2000 EU the as in such assistance instruments Union mutual European relevant foralso are There basis parties. contracting between wide matters criminal a as serve Matters Criminal in Assistance Mutual on protocols and with contain offences defined under the conventions relevant Convention. Additionally, these the Council of Europe Both 1959 Convention Cybercrime. on provisions obliging Convention the contracting parties to and provide mutual legal Laundering assistance to one Money another in connection on Convention Europe’sof Council the as conventions, such assistance mutual and crime regional various also are There examples ofconventions providing abasisfor mutuallegalassistance). as merely cited are conventions (these Substances Psychotropic and Drugs Narcotic in Trafficking Illicit Convention UN the include Againstoffences convention Terrorist their Financing, to the relation UN Conventionin Against assistance Terroristlegal mutual Bombing, forthe 1988 basis UN Conventiona Against be included under “serious crime” as defined in UNTOC.Other examples of UN conventions which provide Although cybercrime offences are not specified inArticle 3, depending on their nature, such offences may Agreements, located at 193 tion matters,located at 194 (3) Most MLATs forbid the requesting state from using information or evidence supplied under the MLAT (2) The grounds upon which assistance can be denied should also be specified. Typical grounds for refusal (1) Firstly, the scope of the obligation to provide assistance has to be specified, including the requirement

it should be noted that this has recently been qualified in UN instruments where the material is thematerial where UN instruments in qualified been recently has this that noted be should it for any investigation other than that for which the information or evidence was requested (although organized andcorruption have crime sought to limititsapplication. on instruments UN recent and assistance denying for basis a as serve not may criminality dual that stateMLATs today most Further, assistance. legal mutual international to predictability and clarity MLATsdenied, be conventionscan bring multilateralrequests and which on grounds the specifying By policy). public basic or security national (e.g. violated be would state requested essential the the of interestswhere permitted also are requests of Denial state. requested the to of systemcontrary legal be the or constitution the violate would request the if or law, criminal ordinary the under allow the denial of requests that may constitute a political offence or a military offence not recognized for assistance to beprovided atstageoftheinvestigation. theearliest SeeU.S.Department ofState,BureauConsular OECDPreliminarydraftissues paperonFrameworksforExtraditionandMutualLegal http://www.oecd.org/dataoecd/28/11/39200781.pd http://travel.state.gov/law/info/judicial/judicial_690.htm Each state designates a competent central authority responsible for the for responsible authority central competent a designates state Each 193 Affairs, Mutual Legal f (2006). l. Assistance (MLAT) andOther Assistance inCorrup 194

- 58 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Asia CrimePrevention Foundation(ACPF) Lecture, 2000,whichcanbe found athttp://travel.state.gov/law/info/judi 195 f gemns n lc, rsctr my ae o ok o rdtoa cie ad a i odr o purse to order in law and crimes traditional thesetypes cases. cybercrime to have look not to have do may prosecutors place, states in Where agreements globe. of the around to effectively order more in develop, cybercrime to prosecute agreements bilateral can and multilateral for need growing a is there summary, In cial/judicial_690.html. (5) Most MLATs and the most recent UN instruments on organized crime and corruption make provisions prompt and requests of transmission forAuthority, Centralresponsible a designate must state Each (4)

against Corruption obligesState Parties to return assetsto therequesting state. sharing of confiscated assets between the State circumstances,In certain Parties. the UN Convention also provideconventions the corruption) and UN for trafficking, crime the organized welldrug as on requestedstate.MLATsthe Many proceedsin located are crime which in cases forcooperationin (as execution requests from theotherparty. proper purposes. extradition in specialty of rule matters,reassurehelps and requestedthe stateinformation forthatthe providesonly it used be will the to similar is provision of kind This accused). the to exculpatory Harris,Mutual Legal Assistance Treaties: Necessity, MeritsandProblems Arising intheNegotiation Process, 195

- 59 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex liability for third parties on the other hand. other the on parties third for liability criminal of risks the limiting and involvinghand investigationsof providersone in need on the balancing orities: promotingthecontinuedgrowthanddevelopment of electroniccommerceandprotectingintellectualproperty from third parties. safe harbor regime, the DMCA excluded the liability of providers of certain services for copyright violations a creating By 1998. from (DMCA) Act Copyright Millennium Digital the on based (b), and 517(a) §§ U.S.C. the responsibility of Internet service providers needs to be limited. be to needs providers service Internet of responsibility the whether questions to leading providers.crimes, However,preventthese to ability haveno providersmay service of a number of providers.of number a of service the requires email simple a of transmission the that means Internet the of architecture Thealone. acted Committing a cybercrime automatically involves a number of people and businesses, even where offenders 1.10.1. Introduction of Legislation and PublicPolicy, pdf; Elkin-Koren nology Journal, under theDigitalMillennium Copyright - availableat:http://www.richmond.edu/jolt/v8i2/article1.html; er’s LiabilityforCopyrightInfringement-HowtoClear theMistyIndianPerspective,8RICH.J.L.& 200 rights.” function oftheUSDMCA States Courtof 199 available athttp://www.law.nyu.edu/journals/legislation/articles/current_issue/NYL102.pdf. Service ProvidersforPeer-to-Peer 197 D.,published - 196 198 tecture.html. Internet Architecture andInstitutions,2003–availableat:http://cyber.law.harvard.edu/digitaldemocracy/internetarchi tion/articles/current_issue/NYL102.pdf. ers, see:Black (b) System Caching that material inthecourse ofsuchtransmitting, routing, orproviding connections, if— or operated by provider, orfor theservice orby reason oftheintermediate andtransient storage of provider’s the of reason transmitting, routing, by or providing copyright connections for, of material through infringement a system foror network relief,controlled equitable other or (j), injunctive subsection for in provided as except or,relief, monetary for liable be not shall provider service A (a) Transitory Digital Communications Network relating§ 512. Limitations onliability to material online

1.10. Responsibility of Internet1.10. Responsibility Providers RegardingtheDMCA InthedecisionRecordingIndustry Association Of America v. CharterCommunications,Inc.theUnited Foranintroductionintothediscussion,see: Regardingthenetworkarchitectureandconsequenceswithregardtoinvolvementofserviceprovid Formoreinformation,seetheforthcomingGuidetoUnderstandingCybercrimebepublishedbyITU- provided in subsection (j), forprovided injunctive or in other (j), subsection equitable relief, for infringement of copyright (1) Limitation on liability.— A service provider shall not be liable for monetary relief, or, except as its of modification without network or system content. the through transmitted is material the (5) period forthan isreasonably thetransmission, routing, necessary orprovision and ofconnections; longer a for recipients anticipated such to accessible ordinarily manner a in network or system the on maintained is copy such no recipients,anticipatedand than anyoneother to accessible ordinarily manner a in network or system the on intermediatemaintained is storage transientsuch or of course the in provider service the by made material the of copy no (4) response to therequest ofanotherperson; automatic an as except material the of recipients the select not does provider service the (3) an through out automatic technical provider; process ofthematerial by withoutselection theservice carried is storage or connections, of provision routing, transmission, the (2) provider; the service than other person a of direction the at or by initiated was material the of transmission the (1) , Internet Appeals fortheeighthcircuitdescribed(byreferringtoHouse ReportNo.105-551(II)at23(1998))the Vol. 10,2005,page101etseqq.–availableat:http://www.smu.edu/csr/articles/2005/Fall/SMC103. , Making 200 Architecture: Technology bypointingoutthebalance.Inopinionofcourt DMCA impactontheliabilityofInternet ServiceProvider, see: Volume 9, 2005,page15etseq-available athttp://www.law.nyu.edu/journals/legisla Traffic, JournalofLegislationand Public Policy, 197 An IntroductiontoIP Visible: LiabilityofInternet ServiceProvidersfor Peer-to-Peer Cybercrime cannot be committed without the involvement Cybercrimethe committed without be service cannot of Act andtheCommunications Decency 199 An example of a legislative approach can be found in 17 in found be can approach legislative a of example An Elkin-Koren Protocols,2000; Manekshaw , Making , LiabilityofISPs:Immunity from Liability Technology Zuckerman/McLaughlin, Introductionto 198 Act, ComputerLawReviewand There are different approaches to approaches different are There Volume 9,2005,page15 et.seqq.- Visible: LiabilityofInternet Unni has“twoimportantpri , InternetServiceProvid Traffic, Journal TECH. 13,2001 196 Tech ------60 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 230(c) that Act: isbasedontheCommunications Decency Another example for alimitation providers oftheresponsibility ofInternet canbefound in47U.S.C. § 203 E-Commerce Directive. E-Commerce EU the is providers service Internet of liability the regulate to approach legislative a of example Another regard to specialgroups ofproviders andspecialareaswith oflaw. liability on focus common the share 230(c)) § U.S.C. 47 well as 517(a) § U.S.C. (17 approaches Both 202 folder/pappas.7.15.03.pdf. International LawandPolicy, To E-CommerceRegulation:Jurisdiction, ElectronicContracts,Signatures Ecommerce Regulations(including theEUE-CommerceDirective)see:Pappas,Comparative U.S.&EU commerce’) OfficialJournalL of informationsocietyservices, inparticularelectroniccommerce,theInternalMarket (‘Directiveonelectronic 201 A growing number of government agencies and credentialindustry vendors already require some form of today.of thesecapabilitiessubstantially contributed to challengesto themodern cybersecurity it was implementedonly partially network-basedcapabilities and wereimportant query lacking. The lack activity, this in governments engaged Although certificates. digital public of issuance the with combined registries, name hierarchical authoritative, establishing in role modest a playing governments on relied the ITU-T and ISO, together with regional and national standardsindustry bodies, in the 1980s. These tools Tools for Service Provider Identity and trust for open ICT internetworking environments were developed by provider trustmodels. service diminished theuseandfeasibility oflegacy that 1990s storm”the the “perfect of until decades, many for well worked regimes information.These of both relied on “strong” regulatory regimes based on licensing and reporting, combined The with the legacy publication service provider identity and trust models for public telecommunication and radio infrastructures 1.10.2. Legal Measures for Trusted Provider Service Identity of certain providers,of certain liability the limit provisionsthat graduatedresponsibility.of of number principle a containsDirective The as well as the work of law enforcementagencies. law of work the as well as e-commerce, of development the for framework legal a provide to standards legal develop to decided (c) Protection for “Good Samaritan” andscreening ofoffensive blocking material § 230. Protection for andscreening private ofoffensive blocking material

subparagraph (A), inparagraph iftheconditions setforth (2)are met. in described person the from material the to access request (B), subparagraph in described as transmitted is material the after who, network or system the of users to available material the (C) the storage is carried out through an automatic technical process for the purpose of making the at (A) subparagraph in ofthatdirection otherperson;and described person the than other person the a through to (A) network subparagraph or in system described person the from transmitted is material the (B) (A) thematerial ismadeavailableprovider; onlineby apersonotherthantheservice network or system a on material of controlled oroperated by provider orfor inacasewhich— theservice storage temporary and intermediate the of reason by See Directive2000/31/ECoftheEuropeanParliamentand the Councilof8June2000oncertainlegalaspects technical access meansto restrict to material inparagraph described (1). (B) any action taken to enable or make available to information content providers or others the whetherornotsuchmaterial objectionable, isconstitutionally protected; or or otherwise obscene,providerconsiderstobe user or lewd, lascivious, filthy, excessively violent, harassing, (A) any action voluntarily taken in good faith to restrict access to or No provider oruserofaninteractive shallbeheld liableonaccount computer of— service availability of material that the (2) Civil liability or publisher the as treated be speaker ofany information shall provided by another information content provider. service computer interactive an of user or provider No (1) Treatment ofpublisherorspeaker Art. 12– Lindholm/Maennel Art. 15EUE-Commerce Directive. 203 linkedto thedifferent operated categories ofservices by the provider. 201 Based on the international nature of the Internet, the drafters of the Directive the of drafters the Internet, the of nature international the on Based Vol 31,2003,pae325etseqq.–availableat:http://www.law.du.edu/ilj/online_issues_ 178,17/07/2000P. 0001 –0016.ForacomparativelawanalysisoftheUSandEU , CRi2000,65. 202 The regulation regarding the liability is based on the on based is liability the regardingregulation The And Taxation, DenverJournalof Approaches 61 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex ) aneac o te eust tcncl aaiiis i acrac wt te plcbe ITU-T applicable the with accordance in capabilities, technical requisite the Recommendations. of maintenance 2) and Authorities domesticallyandinternationally; Registration designated with registration provider service for requirement legal a of implementation 1) consist of: ofthemost some Identity Provider Service for Trusted measures legal steps The represent cybersecurity. enhance these to measures of significant implementation The context. transaction any in Identifier would then be available for anyone to look resources”up that their “identityusing the of Service Provider’sevidence network-based globally unique with Service Provider them notify and Authorities Registration with register would providers where Identity,Provider Trustedglobal Service universal, for means based infrastructure- an introduce to industry with working are bodies intergovernmental and Governmental environment. services ICT and infrastructure constantly-evolving today’s highly-distributed, in assessments trust enable could that differ widely, few registration schemes are compatible and none facilitate automatic instantaneous lookups government described in part in the various legal measures sections above. However, and registrationconsumers,providers, service schemes other of needs the meet toProviders Service all nearly forregistration 62 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 208 1.11.3. JudicialCourts of torture, oruseofevidence stemming from threats ortorture, mustnever beaccepted. control and based on principles recognized by international Human Conventions.Rights Threats of or use judicial under law of rule the on founded be must fight crime. The serious against fight regular the than other terrorism, against war no is there that emphasized especially conference The cooperation. border stated that acts of terrorism may take place anywhere in the world, so responses must be global with cross- this fight. Success can only be achieved by cooperation and by the exchange of information.against terrorism Theand pointed conferenceout that all authorities and institutions of a society have a vital role to playfight in the fight in coordination and the cooperation of and importance the stressed conferenceterrorism crime.The this against of challenges the discussed states thirty from Prosecutors General or Generals The Ninth Annual Eurojustice Conference Eurojustice Annual Ninth The 1.11.2. Prosecution most are protections procedural where categories provides necessary. and rights individual on safeguards for requirements the addresses Cybercrime on Convention the of 15 Article investigation. an of duration scope or in necessary or reasonable is which that to information personal of access the limit to is method second investigations.A of oversight independent or informationindividual’s intopersonal intrusions of that preserve these rights. One means to ensure proper procedural safeguards is to require judicial review In conducting cybercrime investigations, states must ensure that the procedural elements include measures Declaration ofHumanRights. Universal the of 19 Article in out set as impart frontiers, of regardless and media any throughreceive ideas and informationseek, to and interference without opinions hold to freedom the exercise to person the Protection of Human Rights and Fundamental Freedoms. These documentsthe right support of every International Covenant on the Civil and (UDHR), Political Rights Rights (ICCPR), and Human the 1950 on Council Declaration of Europe Universal Convention the for in enshrined are rights individual fundamental how These cyberspace. regarding - debates many statesof center the of at is development interests two and these balance growthgovernments the for principles important both are freedom and Security 1.11.1. The Principles advisory body. 209 207 206 ITU, Geneva(2005). 205 coe.int. 204 European Judges(CCJD) hasin2006adopted thefollowing principles: context shouldalsoapplyto of cyber-terrorism allcategories ofcybercrime. The Consultative Council of incyberspace. conducts criminal The role ofjudgesinprotecting theruleoflaw andhumanrightsinthe ofJusticeThe isthemain legalguarantee national Court onpromoting thenational ruleoflaw on evidence obtainedillegally. other refuse to able be and treatment degrading or inhuman through or torture under obtained evidence reject society, of interests the of protection the for necessary strictly those to limited are individual’s rightto afairtrial. the law, to and beproportionate theaimsofademocratic society. benecessary by determined be must measures these poses, it danger exceptional the of because rights certain

Schjolberg, Stein: See Schjolberg, Stein: Schjolberg andHubbard: HarmonizingNationalLegal Formoredetails,seetheConventiononCybercrime,Explanatory Reportno145-148,seewww.conventions. rights individual of restrictions that ensure investigations, of stages all at should, courts The Terrorism cases should not be referred to special courts or heard under conditions that infringe While terrorism creates a special situation justifying temporary and specific measures that limit Adopted November 11, 2006 bytheConsultativeCouncil ofEuropeanJudges(CCJE), aCouncilofEurope www.eurojustice.org. 1.11. Privacy andHumanRights 206 205 208 Terrorism inCyberspace– MythorReality?Seewww.cybercrimelaw.net. Terrorism inCyberspace-MythorReality? Seewww.cybercrimelaw.net. 207 was held in Oslo on 27-29 September 2006, when Attorney when 2006, September 27-29 on Oslo in held was Approaches onCybercrime– 209 A presentationatthe 204 63 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex measures. to obligation the and acts terrorist safeguard human against rights, in people particular through protect effective access to to judicial obligation review of the the administrative between struck be ofterrorism andtherightsofthosecharged ofacts withtherelevantand victims offences. are orotherinhumandegrading to torture notsubjected treatment. not involve appearance before established according to the law, and make sure that those detained do or duration in unlimited secret, are that measure detention any unlawful declare should judges While states may take administrative measures to prevent acts of terrorism, a balance must balance a terrorism, of acts prevent to measures administrative take may states While witnesses the protect to need the between struck is balance a that ensure also must Judges and supervision, judicial to subject be and law by for provided be must measures Detention 64 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Civil remedies can take the form of orders and assessment of damages resulting from cybersecurity cybersecurity from resulting damages of assessment and orders negligence. of form the take can remedies Civil 1.12.3. Civil remedies anddamages harm. intentional is there where property, or person another to harm in results that negligence by cybersecurity caused party a against damages seek to adopted be could that approach one be could actions Civil 1.12.2. Intentional harm security for analysis forensic subsequent and purposes, includingcorrectiveinvestigatory measures orevidentiary andthwarting. availability; data real-time auditing; and retention data constraints; resource and routing Management; Identity signaling); to respect with (especially VPNs and encryption testing; and maintenance integrity, network/application resiliency; infrastructure to respect with standards applicable as such obligations, include parties by undertaken obligations Cybersecurity by theparties 1.12.1. Cybersecurity obligations undertaken (or indeed, obligations) ofreasonable ordamageoccurs. where care loss, andtheallocation ofrisk, injury standards establishes that law of body important an is Negligence privacy. of invasion or or business other property, persons, against acts intentional defamation, infringements, property intellectual liability, product eHealth), IdM (in malpractice medical injury, personal include wrongs civil Such wrong). civil a as (i.e., law tort and negligence using risk Businesses these with deal in advance. may They customers. and partners, suppliers, parties for consequences employees, their by the misconduct or omissions, failures, cybersecurity define for risk allocate and or assess typically limit and obligations, of default damages anticipate and often agreements Contractual cybersecurity. protect to measures legal also important are compensation) for orders judicial (e.g., remedies civil and end-users and suppliers, equipment Alongside the regulatory and administrative measures detailed in Section 7, agreements among providers, Agreements, Federations andotherCivil Law 1.12. Civil Matters: Contractual Service measures 65 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex diverse security and network management capabilities to protect public safety capabilities and obtain and capabilities safety public protect to capabilities management network communication and security diverse private on substantially depend officials safety and public communications, these of set-up public the During 999). or 112, 911 on as such identifiers routing well-known depend using (often assistance emergency often for call to infrastructure Citizens calls/messages: emergency Citizen 1.13.1.6. Public Safety capabilities capabilities. providers. National authorities may impose requirements to constrain and security network management foreign by maintained resources ICT national of vulnerabilities potential the about arise often Concerns provisioning1.13.1.5. Security-related constraint service capabilities requirements for thesecure restoration ofthedestroyed capabilities. network reporting and architectures,practices impose can authorities local or restored.National subsequently be to need may and disrupted or damaged be can systems management identity disaster, major a During restoration majordisasters1.13.1.4. Service after regulatory and accesspersons to obtainsecure to andresources. priority networks Legal these Service. instituted Telecommunications has designatedallow ITU-T to Emergency requirepractices and architecturesproviders, institutemandate that existprovisions The the use. public as massive internationally or infrastructure requirements the to damage to due capacity During major emergencies or disasters, public communication infrastructures may experience diminished access1.13.1.3. Priority majoremergencies during capabilities in nature to andmay international besubject multilateral orbilateral treaty provisions oragreements. to respond to, analyze, and report the incident forensics. Increasingly, these requirements are international regulatory, criminal, or industry normative requirements and practices may be invoked which of are variety designed a networks, SCADA or public harms deliberately or accidentally that occurs use network When capabilities response1.13.1.2. Incident andreporting networks. to the of operation efficient and smooth the attached disrupts that behavior damaging criminalize and networks devices the control and networks their protect to providers require that provisions regulatory and legal many are systems. There health and finance, utilities, transportation, government, for services and infrastructures public critical supporting networks and systems (SCADA) Acquisition Data & Control communications infrastructure available and protect it from harm. public make to ITU’saim instruments,and regimes,These treaty legal telecommunications regional or National objectives also apply to Supervisory 1.13.1.1. Public communications andSCADA infrastructure protection capabilities Preparedness/ Security/Emergency National protection; Infrastructure Emergency Telecommunication Requirements Service Information Critical 1.13.1. “capability generic of capabilities. ICT security sufficient globalpublic imposition The testing. requirements” (type-acceptance) increasinglycompetitiveproduceessential,is highlymaynot marketplaces asadequate or homologation and requirements technical detailed of specification from away trend general a in resulted has ICTs of evolution rapid The protection authorities, homelandsecurity, law enforcement, andnational defense andsecurity. as legislative, executive, and judicial end-users. bodies. They or also include specialized government software network agencies, consumer and on equipment of imposed Relevant governmental authorities include international, regional, national, suppliers and local jurisdictions, as well requirements or providers, operational service and and operators infrastructure-based infrastructure of government by form enacted the requirements in are measures authorities legal cybersecurity important most the Among Law 1.13. Civil Matters: Regulatory and Administrative 66 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex geographic requirements where theidentifier hasageographic orcallingarea). context withina country (e.g., users of classes certain to identifiers of allocation requirementsthe concerning regulatory and legal These requirements can help ensure the integrity of Identity Management systems. They may also include identifier resolver support, and accurate attribute data associated with end-user and terminal equipment). authentication, (including requirements Management Identity of range broad a impose may Authorities 1.13.3.2 Administrative capabilities support resource identifier for provisions legal management providing for theallocation oftheseidentifiers. statutory enact countries most level, national and regional the At authorities. sector private or governmental local to responsibilities allocate may and level national or capabilities. Governmental agencies are then in turn responsible for resource management at the regional query-response server-based include increasingly and organizations, international of bureaus the within domain name all-encompassing ICT systems like OIDs). These resources are maintained at the global level to identifiers, device to identifiers, provider network public to numbers, telecommunication/telephone resourcessecurity,ICT, as such object, radiocommunicationsand network, identifiers (ranging from E.164 as significant communication network Identity Providers. These provisions include critical public identifier A range of global treaties and other intergovernmental agreements have established governmental entities 1.13.3.1 Trusted identifier/numberingallocation andassignment capabilities 1.13.3 IdentifierResource ManagementRequirements is provided therightto remain anonymous inthecourse ofsettingupacommunication. other persons subject to harm, shoulf their true identity become known). This may also occur when a party or witnesses or personnel investigatory as (such users specific and authorities of information identity the Governments may impose capability requirements on all public communication infrastructures to protect 1.13.2.4 Anonymity capabilities orfalseidentity analyzing evidence. for vital often is timestamps certified even or accurate of application custody The tampering. of of prevention chain and a in confidence maintaining to critical government often is above, management Identity described prosecution. for capabilities data evidence retained of analysis the for capabilities management and identity need may operators network interception and officials lawful the to addition In 1.13.2.3 Cybercrime forensics capabilities private may networks alsoneedsuchcapabilitiesinresponding to attacks ontheirnetworks. or in other cases a general “data retention” requirement is imposed. Public network asoperators or (known owners “preservation”), behavior of or party specific a to limited be may requirement the cases, some In service providers to extract and store signaling information for criminal forensics or national and operatorssecurity infrastructure private needs. and public all on requirements capability impose may Governments data1.13.2.2 Retained capabilities maynetworks alsoneed such capabilitiesinresponding to attacks ontheirnetworks. parties or for described behavior for national security needs. Public network operators or owners of private to monitor, capture and share specific communications or signaling information associated with identified providers service privateoperatorsand and requirements public on capability Governmentsimpose may 1.13.2.1 Lawful Interception capabilities 1.13.2. Assistance to Lawful Requirements Authority exist, often requirements designed to notify andmonitor thesituation inemergencies. service Emergency disasters. impending or emergencies of citizens notify to Authority emergency alert messages. Governments often depend on public communication infrastructure responders.to assistemergency designed exist often requirements service Emergency automatically. callers of location and identity the 67 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex a host of other legal and regulatory requirements, including consumer privacy requirements.addition, In requirements,privacy consumer regulatory including and legal other of host a with odds at often and costly both is However,anonymity rights. achieving those of enhancement an as their true identity. Anonymity is also linked with rights to free expression and, in some jurisdictions, viewed Another aspect of privacy includes the ability of customers to engage in communications without disclosing 1.13.4.3 User anonymity capabilities information identity subscriber to including namelyusageinformation. refers which (CPNI)– Information Network Proprietary Customer as described is right USA),this the (notably jurisdictions some systems.attribute identity In implementedas their of identity information. use prevent They or are controlreflected into criminalend-users orof civil cause ability ofthe action, andinvolve regulatorycapabilities mandatesPPII that are jurisdictions, many In 1.13.4.2 Protection ofPersonallyInformation Identifiable (PPII)capabilities There are at leastfivetypes of requirements regulatory that may seek to prevent unwanted intrusions: 1.13.4.1 Preventing unwanted intrusion capabilities mandates. andregulatory causes ofaction, ICT Among thisconcept otheraspects, canencompass: of end-users to has different legal meanings among jurisdictions, harm with significant implications reflected criminalin or civil prevent to however,- seek important especially be termmay the Privacy services. and capabilities infrastructure “privacy” typically requirements cybersecurity Consumer-related 1.13.4 Consumer-Related Requirements and discovery ofglobal support the and proofing accessibility for queries. identity Ref. ITU-T Rec. identity draft X.idmreq. especially – interoperability and trust capabilities for Management Identity global of sets related maintain to has authority the registration jurisdictions, assignor many In etc). names, domain astelephone TCP/IP (OIDs), Identifiers (such Object addresses, identifiers IP differect numbers, assign Providers Identity serviceand services, ICT and network providing of course the In 10. chapter in discussed is of Provider Identity Trusted importance Service The Provider Identifiers) Service capabilities(otherthan ofIdentifier1.13.3.3 Management assignments andtrusted query (5) Preventing Cyberpredators: Cyberpredation is a form of targeted intrusion usually by an anonymous an by usually intrusion targeted of form a PreventingCyberpredators:Cyberpredationis (5) (4) Preventing Cyberstalking: Cyberstalking is a form of targeted intrusion by an anonymous - party often stolen on based (often messaging unwanted consumer large-scale is SPAM SPAM: of Prevention (3) identifier party calling a of attributes authoritative the whereby service a is CallerID(2) TrustedCallerID: indicate that flags attribute or lists identifier to pertain requirements DoNotCall Opt-Out: DoNotCall; (1) 3) the ability to remain3) theability anonymous orpseudonymous to others. to protect2) theability personallyidentifiable information; and to control1) theability orprevent unwanted intrusions indifferent contexts; jurisdictions, the age of the respective parties can make it a serious criminal offense. criminal canmakeitaserious theageofrespectivejurisdictions, parties many In activity. sexual illicit in engaging or encouraging of purposes the for minor a against adult threaten, orharass any personat thecallednumberorwhoreceives thecommunications”. annoy,abuse, to intent with and identity disclosing without ensues, communication or conversation not or whether Internet, the or device telecommunications a utilize or call telephone toa “make act against single people or women - with the intent to intimidate. some it jurisdictions, is In a prohibited analysis techniques. signature other or reputational and lists, black lists, white servers, messaging the of authentication to liable messages unwanted Preventionpenalties). criminal SPAM of or of civil including capabilities support IdM requiresarrayof an sender the renders attributes identity and addresses consumers’ offenseit isacriminal to deliberately alter theauthoritative CallerID identifier attributes. enhanced be may through the use of It distinctive ringtones or automated call communication. diversion capabilities. In some jurisdictions, the regarding choice call.CallerID informed the an with make to customers conjunction in allows use CallerID to obliged are some solicitors In non-profit party). jurisdictions, calling the to identifier the assigned that provider Identity the to query real-time a set-up(‘authoritative’call the of part as usually - areprovidedand obtained party tocalled the means ofcommunications,that kinds consumers e.g. donotwant certain calls. salesandmarketing 68 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex regulations addressing fraudulent theft. abuse andidentity and laws various are Thereconsumers. as well as businesses for relevant and important is theft Identity and minimize fraud in the use of their network resources and services, as well as theft of their own identity. Operators of networks ICT and providers of depend services on basic capabilities cybersecurity to prevent 1.13.5.3 Preventing capabilities andminimizingfraudtheft and identity practices,govern industry and regulations laws, Various interoperabilitynetwork androaming. dynamics. time constrained introduces and as well as the growing numbers of service providers and network operators, complicates roaming security automatic and manual (i.e., as temporary classified ad usually are hoc agreements Theseroaming. agreements). while resources The network of unbundling use of and to network access layersallow and elements, to operators network among exist agreements (federation) multilateral and bilateral multiple are There 1.13.5.2 Secure roaming capabilities governing practices, and standards interoperability.network industry with combined regulations, and laws diverse various are interoperability. network significant for also requirementsareproviders. Thereperformance among Time-limited availability and correlation, their identifiers, provider userand network-centric object, multiple current are trusted, There for addresses. needs to traffic route and exchange to able be must that etc.) global network of distributed, autonomous infrastructures at different layers (physical, transport, network, Network interoperability: Public (and most private) ICT network and service providers collectively manage a practices, that govern interoperability. network and standards industry with bandwidth. combined exist,regulationsroutesor availableVarious and laws regime.Different levelsbilling of accountingand granularityaccounting and tollof charges mayform exist -some typically onon the basis ofbased calls, packets,is providers among infrastructure of availability and use the for Compensation world. the around often providers, other by resources provider’s network a of use substantial and availability the on based is interoperability Network compensation: Intercarrier management,1.13.5.1 Network intercarrier interoperability compensation, andsecurity capabilities 1.13.5. Provider-Related Requirements disabled andalsorequire providers infrastructureto andservice prevent abuse. the of needs cybersecurity or the account physical into take other requirements these cases, and many In sight, disabilities. mental hearing, with users accommodate to providers require jurisdictions Most capabilities assistance security 1.13.4.6 Disability has notbeenrevoked. Suchcapabilitiesare basicrequirements for maintaining cybersecurity. credential a that verification automatic as such practices, IdM industry and alreadyimproved national in resulted has need This requirement. consumer a as important more becomes information identity false repudiate or credentials revoke to Providers Identity and users of ability the grown, has theft identity As 1.13.4.5 Identifier revocation/repudiation capabilities IdM measures by providers. additional mandating and crime serious “pretexting”making a provisions cybercrime and cybersecurity the person whose identity has been stolen. The prevention of identity theft is the aim of many broad-based warrants arrest for outstanding leaving record or criminal police, creatinga identification to providefalse debts,up imposterscan credentials.torunning false addition toprovidewith or thief the In victim, the of name the in services and merchandise, credit, obtain to used then is information Providers.The Identity another person. These crimes may use “pretexting,” i.e., pretending to be the victim in communication with Identity theft is a crime where an imposter obtains key pieces of personal information in order1.13.4.4 Prevention capabilities theft ofidentity to impersonate providers fullanonymity capabilitiesfor from consumers. supporting dissuaded have proceedings, criminal in culpability potential as well as litigation, civil in investigations 69 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex of sensitive information. security- network Various confidentiality. storage and communication of use, the govern practices normative forms and standards regulation, laws,related diverse or privacy, secrets, trade trading), security (especially processes of integritysecrets, government including reasons, of variety wide a forsensitive or privileged as information designate to powers or rights recognized have individuals and Organizations 1.13.5.5 Protection orsensitive ofprivileged information andprocesses property,intellectual includingtheirassociated usagerightsandmeansofcompensation. and assets these of distribution the control to seeks management rights Digital trademarks. and patent other bodies of work in which authors and recordings and audio and publishers films, images,have materials, written vestedare assets ownershipdigital of rights classes largest arising the of under One copyright, 1.13.5.4 DigitalManagement Rights 70 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex ovnin, ietvs n rgltos a wl a truh h dvlpet f uoen ii Code. Civil European of of development development Significant developed instruments andefforts the bytheEUinthis area include: through the as though well law as regulations, international and private directives harmonize conventions, to seeks (EU) Union European The commercial arbitration. International of Court London the Arbitration. or Arbitrationof ICCthe of Theinternationalin Court International sourcemajor a is expertise of (AAA) Association Arbitration American the (ICC), Commerce of Typically, bodies. Chamber International significant the as such organizations private by developed several arbitration of rules the following are there Arbitration, Commercial international International arbitration may either be of “ad hoc” area pursuant to the UNCITRAL the Arbitration rules or “institutional” In 213 parties asthegoverning law ininternationalparties contracts. rules ofcommercial contract law derived from anumberoflegal systems usedby andisoften private alsocreatedIt Principles theUNIDROIT ofInternationalCommercial Contracts, whichrepresent general hasalsodeveloped UNIDROIT several Conventions,of Private Law (UNIDROIT). including: Unification the for Institute International the is area this in organization international significant Another child abduction. The Conventions developed by theHagueConference include: and adoption inter-country rules, jurisdiction rules, law of choice including topics addresses which Law, organizations involved in private international law, including the Hague Conference on Privatebody of conventions, International state laws, and other documents and instruments. There are number of international law”. In essence, private international law regulates private relationships across state borders based upon a a involving“foreign” transaction called international “privateelement,a governing or lawsuit a resolving Conflict of laws is referred to as the branch of international law that determines which state’s laws apply in 210 Organizing Arbitral Proceedings. on Notes UNCITRAL recent the and Rules Arbitration UNCITRAL Enactment, to Guides with Services and Construction Goods, of Procurement the on Law Model UNCITRAL the including guides, legal and laws UNCITRAL has also promoted the harmonization of international trade law through the creation of model also has It law. international private harmonizing developed several conventions onprivate international impacting law,in including: active is and 1966 in Assembly General UN the of resolution a by established was (UNCITRAL) TradeLawInternational for Commission Nations United The 211 212 h Hge ofrne lo anan a it f eta Atoiis eintd ne a ubr of number a under designated Authorities Central of list a conventions. maintains also Conference Hague The

• • • • • • • • • • • • • Formoreinformation aboutUNCITRAL,see Formoreinformation abouttheEU’s efforts inprivateinternationallaw, see Formoreinformation aboutUNIDROIT, see Formoreinformationabout the HagueConference,seehttp://www. Judgments inCivil andCommercial Matters; The BrusselsConvention andtheLugano Convention andtheEnforcement onJurisdiction of Matters Specific to Aircraft Equipment. The Cape Town Protocol ontheConvention onInternationalInterests Equipment inMobile on The Cape Town Convention onInternationalInterests Equipment; inMobile and The Convention UNIDROIT Cultural Objects; Exported onStolen orIllegally The Convention onInternationalFinancial Leasing; The Convention Adoption. ofIntercountry onProtection inRespect ofChildren andCo-operation The Convention and or ofInternationalChildAbduction; ontheCivil Aspects Civil in Documents Extrajudicial The Convention onthe Taking ofEvidence Abroad inCivil orCommercial Matters; and Judicial of Abroad Commercial Matters; Service the on Convention The The Convention Abolishing theRequirement ofLegislation for Foreign Public Documents; Awards. The 1958 “New York” Convention ontheRecognition andEnforcement ofForeign Arbitral The Convention ontheLimitation Period and ofGoods; intheInternationalSale The United Nations Convention onContracts for ofGoods; theInternational Sale 210

1.14. Civil Matters: Conflict oflaws 211 www.unidroit.inf www.uncitral.or 212

g. o. hcch.net www.europa.e 213 u. 71 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex section, alsoseethefollowing:section, For amore extensive discussionofprivate international law, inadditionto the websites cited inthis The Organisation pour l‘Harmonisation en Afrique du Droit des Affaires unificationDroit des legal du Afrique(OHADA) en l‘Harmonisation started OrganisationThepour 216 215 vateintlaw_interamericanconferences.ht number of practitioners, corporate counsel, scholars and government attorneys provide advice to the to ofState inthis areaadvice CommitteeSecretary through anAdvisory onPrivate InternationalLaw. provide attorneys government and scholars counsel, corporate practitioners, of A number law. international private development the in efforts US coordinating for responsibility the has Law, International Private for Adviser Legal Assistant the of Office Department, State the States, United the In Relating to GeneralCommercial Law. 1993. October in Mauritius in signed was Africa - in OHADA treaty Law first Business The of Harmonization the on Treaty countries.OHADA sixteen of states of head the cooperationof the with 1992 October in Africa processin 214 law. Significant Conventions developed by this group include: in the Law commercial International and law law,family procedural law, and enforcementapplicable upon Private touching instruments of codification and harmonization the Western hemisphere. Since 1975, in this organization has held six conferences and has adopted a number of role major This States. a American plays of group Organization the under organized Law, International Private on Conferences Specialized Inter-American the is law international private in active organization international Another

• • • • • • • • http://en.wikipedia.org/wiki/International_la http://www.law.pitt.edu/library/international/privatela http://www.state.gov/s/l/index.cfm?id=3452; http://www.oas.org/dil/private_international_law.htm; http://www.asil.org/resource/pil1.htm#Research%20Guides; and Invoices. Inter-American Convention ofLaws onConflict concerning BillsofExchange, Notes Promissory Inter-American Convention ofLaws onConflict concerning theMinors;and Adoption of Inter-American Convention ofLaws onConflicts concerning Commercial Companies; Inter-American Convention onGeneralRulesofPrivate InternationalLaw; Principles ofEuropean Contract Law. Commission onEuropean and Contract Law; Study Group onaEuropean Civil Code; Convention ontheLaw Applicable to Contractual ObligationsConvention); (Rome Formoreinformation, see Formoreinformation onOHADA,see Formoreinformationabout the Inter-American SpecializedConferences,see In addition to treaty-making,In OHADA is also creating such as uniformthe Uniform acts Act www.state.gov/s/l/c3452.ht m. 215

http://www.ohada.or w . m. w ; and g. 214 http://www.oas.org/dil/pri 216

72 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex Westby, Program, JodyR.(ed.): to Roadmap anEnterprise Security BarAssociation American (2005) Westby, JodyR.(ed.): InternationalGuideto Cyber Security, BarAssociation American (2004) Westby, JodyR.(ed):InternationalGuideto Privacy, BarAssociation American (2004) Westby, JodyR.(ed.): InternationalGuideto Combating Cybercrime, BarAssociation American (2003) Westby, downloads JodyR.:Electronic ofthefollowing publications are offered free to anyone in Additional resources: Wilson, Botnets, Cybercrime, Clay: andCyberterrorism: Vulnerabilities andPolicy Issuesfor Congress, CRS Viira, Toomas: Meridian, Vol.2 2008) No 1(January Cyber- andGoodman: Sofaer andSecurity Crime The Transnational DimensionofCyber and Crime Sieber, Cybercrime Ulrich: inGermany. andJurisdiction The Present Situation andtheNeedfor New Use for oftheInternet Sieber andBrunst:Cyberterrorism andOther Terrorist Purposes – Threat Analysis Sieber, Council Ulrich: ofEurope (2004) Organized Report Crime Schjolberg, Stein: decisions–www.globalcourts.co GlobalSupreme Court m Schjolberg, Stein: GlobalLegal Framework –www.cybercrimelaw.ne t Schjolberg, Stein: Terrorism inCyberspace (2007) orReality? –Myth Schjolberg andHubbard: National Harmonizing Legal Approaches onCybercrime (2005) Gercke, Marco: Preservation ofUser Data, DUD(2002) Gercke, Marco: Internet-related Identity (2007) Theft Gercke, Marco: The Convention onCybercrime, MMR(2004) against Cybercrime, 2008 CRi Gercke, Marco: National, Regional andInternational Approaches intheFight

Jody Westby at [email protected] developing countries. To obtainlinksto downloads, information sendanemailwithfullcontact to for USCongressReport (November 2007) (2008) Security Solutions, (2006) and Evaluation ofInternationalConventions (2007) 1.15. References www.cybercrimelaw.net 73 International cooperation Capacity Building Organizational Technical and Procedural for Cybersecurity Structures Measures for Cybersecurity Legal Measures

Annex 1. United Nations Office on Drugs and Crime 1. UnitedonDrugsand Nations Office 2. Council ofEurope 5. Asia Pacific Economic Cooperation (APEC) 4. European Union 3. G8Group ofStates 7. The Commonwealth 6. Organization States of American 8. Association Asian ofSouth Nations (ASEAN) 9. Organization ofEconomic Cooperation (OECD) 10. The Arab League 11. The African Union www.unodc.or www.conventions.coe.in www.apectelwg.or www.ec.europa.eu www.europa.eu www.g7.utoronto.ca www.thecommonwealth.or www.oas.org/juridico/english/cyber.htm www.aseansec.or www.oecd.or www.arableagueonline.or www.africa-union.or g Inventory ofrelevantInventory instruments g g g g t g g Appendix 1: 74 CHAPTER 2 Technical and Procedural Measures for Cybersecurity Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex Figure 2.1:Framework for national infrastructure protection distinguishes framework This 2.1). • (Figure perspective national • a other and from between: cybersecurity protection challenges specific the infrastructure consider these to critical which and from addressing policy-makers torelevant are that issues security network and framework security information cybersecurity on helpful a work provides ITU-D’s (CIP) situations. general against beyond assets user’s This definition, in its attempt and for completeness, is necessarily broad and may be difficult to apply organization attainment the the of ensures confidentiality”. non-repudiation); and authenticity include properties may (which Cybersecurity integrity availability; following: the of more security or one include environment. properties security the The environment. cyber the cyber in risks of security relevant the in maintenance transmitted of totality the and and information computing systems, environment connected stored cyber the include telecommunications and/or assets protect services, user’s to and used applications, be users, Organization can devices, assets. that user’s and technologies and organization and assurance training, practices, actions, approaches, best management risk guidelines, policies, tools, of collection “the ITU-T as: Recommendation X.1205definescybersecurity Constitution 2.2. its under activity ITU of scope the account into taking 2006Finaland Plenipotentiary 130. Resolution Acts support in technologies, ICTs of use the in supporting security and and infrastructures critical confidence people, assets, and resources its including building cyber-ecosystem, the of measures procedural and technical The objective of this chapter is to advise the on ITU potential Secretary-General forITU support 2.1. Critical Information Infrastructure Protection (CIIP): focuses on specific IT risks to deter or or deter to risks IT specific on focuses (CIIP): Protection Infrastructure mitigate attacks andpromote resiliency. Information Critical mitigate attacks andpromote resiliency. Critical Infrastructure Protection (CIP): Identifying, assessing, and managing risks to deter or Definitions Objective 76 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex Although new technologies for protecting networks, devices, and applications are being being of are diversity and nature applications ubiquitous and the by driven devices, computing quickly, more multinational networks, even today’s communications andcomputing technologies. dynamic in growing are protecting vulnerabilities and environments threats for pace, ever-faster an at technologies developed new Although • • • • including: through concerns, regulate or privacy and security numerous create they but growth, economic boost help can trends of These intercept use to the hard or are key USB a transfers unexpected in of combined carrying being ways to produce newinformation, which itselfisvulnerable. (by kinds also is Data These protocols. information or of policies player). communications-oriented media location amount raw the physical portable the a increasing also change is can devices of devices information proliferation the and – of data being transferred, privacy downloaded,technologies processed, stored and exchanged. For wireless example, local portable on based of applicability and aredevices,portable technologieswhich and manynew of in explosion an Therebeen has the creating involving processed is transactions, issues and commercial borders, other everyday laws.security of across and part as businesses, internationally many jurisdictional by flows localities information multiple in economy, global today’s In different in located be may and exponentially. rules multi- of of emergence sets and growingis services and data devicesdigital to access user services, data and communications different network of to portability growing the adhere With environments. devices regulatory and networks protection. of These levels varying with devices and networks diverse traversing flows, data through global in involved are and processes accessible paper-based are older displaced and have processes and assets digitized Digital become processes and a variety of networked artifacts devices, the risks of posed by cyberthreats continue to grow in importance.number increasing an As 2.3.1. Additional information canbefound inrelated sources, brochure. includingtheGCA provides Thisof current Section a issues summary in cybersecurity, technologies and solutions. 2.3. information on recommendations practice best System.Management provides series SecurityThis Information overall an of context the within controls,3). and risks management, security Chapter laboratories in 3.6 evaluation Section for and (see IEC the and ISO products, the by jointly published standards, security their information comprises series of 27000- ISO/IEC The claims. the meet actually attributes they whether determine to products security the test to the about claims make or and/ implement to vendors for requirements, security their specify to users system computer forframework a provides It security. computer for standard international an is 15408) ISO/IEC CC,Criteria, Common (or Information EvaluationTechnologyfor Criteria Security Common The How can the ITU help create a favorable environment for continued growth of the Internet Internet the of growth continued owners for environment infrastructure favorable a critical and create economy by encouraging continuing investment andnew businessdevelopment? help ITU governments the of can How flexibility regulatory the advocating without and operators? restrict approaches, may common that promote to regimes do ITU the can What infrastructure protection?critical identifiedmanagementbe promotedand practices How risk and successfulcan for security economy? How can an acceptable level of security be established to build consumer trust in the digital One aspect not depicted in Figure 2.1 is specific applications of software assurance. Product Product assurance. software of applications specific is 2.1 Figure in depicted not aspect One n ae re t te raet xet osbe fo itninl n unintentional and vulnerabilities and unintentional and intentional intentional from free are from services software, and protocols, possible) hardware possible, as extent far intended as as greatest that, ensures function assurance the System vulnerabilities. services (to and free hardware are software, that and ensuring on focuses assurance functions. malevolent The Growing Importance of Cybersecurity Cybersecurity of Importance Growing The Cybersecurity: Issues, Technologies &Solutions 77 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex • • features • defining the of one is • Security built mobility. is NGN generalized etc). studiesare developingof NGN.SG13NGNsecurity architectures network that providewith for: IETF, technologies in CableLabs, and/or mobile and ATIS, fixed occurring over networks services work converged of NGN variety rich 3GPP/CommonIMS, a regional offering (IP), TISPAN, for Protocol Internet ETSI forum on as global (such the as bodies serves and other Next for (NGN) standards on Networks initiative large-scale a Generation leading is 13 Group Study ITU-T example, For 1 which procedures, and processes and flexible efficient as needs goal measures this security make Realizing to and can beadapted to anincreasingly dynamicthreat environment. possible. as processes and cost-effective technology improved on levels, acceptable based to risks reduce to is goal toultimate equate however.The not elimination, risk does whilstcomplete Resiliency attacks. infrastructure, withstand to critical ability the and and resiliency government increasing also management across risk functions is to improve ICT-supported A objective key for is impossible. practices which security phones, technical or perfect smart or as Absolute such (read devices, intelligent or printers next-generation other target to now can may to beconnected theInternet. printers and devices networked software from targeting modifiable) spread can now worms are and Attackers viruses malware, services. attacks, targeted Today’sstealthy targeted. and never continuallypreviously were providersthat systems, applications CI and products, vendors their while attacks, strengthen of types new funding into money and of sums researching substantial investing are Criminals profitable. highly now is Cybercrime networks interconnected of theICTs we now dependonisahighlycomplex challenge. multiple area, trusted has boosted efficiency, flexibility the and innovation. However, of an promoting the security and zone.trusted the of outside and resiliencyinside authorized outside perimeters within traditionalThisdisappearance of devices be may users and of classes virtual) numerous and devices security, of levels different inside with sometimes operation in (and often are perimeters computing both mobile Many network and used the protect. to be however, Now, can perimeters difficult more network. and network trusted a fuzzier of becoming protect are integrity the to preserve to sufficient enterprise was it Formerly, they cannot be resolved through standards alone. alone. standards through resolved be efforts, cannot standardization from they benefit environment issues CIP an excellent and provide cybersecurity Although structure cooperation. for collaborative and recommendations non-binding ITU’s • • • • • • • providers) notedissues inthefollowing, list: non-exhaustive IdM of range broad A (IdM). being addressed, including assertion and areassurance of end-users entity identities (e.g.management and user,governments device, providers, service network/service identity telecommunication is to concern ITU-T of in development major Another 2.3.2. ITU is currentlyout vital carrying workand CIP in in cybersecurity both the ITU-D and ITU-T. security solutionsthat applyoversecurity multipleadministrative domains; mechanisms; security end-to-end technologies; for ofmultiplenetworking co-existence support andend-userresourcemaximal network protection; security (e.g. confidence of transactions, protection from identity theft) and protection of of protection and theft) identity from protection transactions, of NGN infrastructure, resources andapplications) andend-userinformation; (services confidence (e.g. security controlprivacy/user ofpersonalinformation; services; governmentelectronic (e-government) services; internationalandpriority public safety services, emergency /sign-off; ease ofuseandsinglesign-on secure provisioning devices; ofnetwork IdM common using applications) and multipleapplications includinginter-networkinfrastructure communications; to support services NGN (e.g. services subscriber of support - seehttp://www.crime-research.org/news/07.04.2006/1928 secure identity management – for example, in security solutions (e.g. content/service/ ewr/emnl rtcin fr PV ht r cs-fetv ad ae acceptable have and usability, ofservice, quality ontheperformance, andscalability.impact cost-effective are that IPTV for protection) network/terminal Ongoing Efforts to Promote Efforts Ongoing Cybersecurity andCIP 1 / 78 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex 2 risks the on literature substantial a X.805 Recommendation ITU-T communications, is end-to-end providing systems For mechanisms There elements different the the protection email). and environments Within (e.g., computing remedies today’s inherent available (for example, the notion modern of Layered Defense is common of within the of industry). contain security components protection. various of their with associated diversity applications means enhance and common to different use have designed environment, and complexity all networks computing extreme a and vulnerabilities of the of devices applications, by types (OS), different Source characterized Open is environment. computing cyber-ecosystem The education and awareness campaigns to explain new tactics and teach IT users how to address address to how users IT teach otherand and cybersecurity to tactics threats new address issues. security information and network security to miscreants begin to explain and possible to is it critically, more software campaigns security awareness Malicious and education systems. to tactics shifted rapidly technological have embrace information “social and engineering” data modern as a tokey foundation method for evading a access many of defense strategies. unauthorized With gain regular provide use to wishing can making above) those those as for (such educationprocedures and training adequate and without complete is solution no cybersecurity, improved for solutions Audit) and technological Whilst Authorization (Authentication, AAA for policies and otherindispensableactivities. consistent plans, remediation sound measurements and provisioning, use of proven secure architectures, reliable incident reporting, users and personnel.and services, Successful approaches include best forpractices operations, applications, clients, servers, to infrastructure) critical (including infrastructure and networks diverse from devices ranging techniques, and of components of set comprehensive a cover to mobility technologies, need remediation but and the detection to makes limited while not are measures users) cybersecurity Effective protection, of of millions need by in operations elements (accessed of the systems all diversity of the containing confidential information makesthemtargets for attack. analyze Further, to thousands and models. what impossible it networks exclusionary distinguish multiple through to spanning achieved ways be can feasible what with limits problem computationally The devices. require cannot now be resolved without they networked constant input from users. The balance that of mobile of usability and security methods) is highly models needs to be excluded from what is legitimate.of similar Thisis increasingly distinction blurred, and often and models growth control exclusionary the of access given use tools, exclusionary detection effective, widespread less The intrusion now is firewalls, insufficient. example, are (for data protection and safer a computers building for networks, protection of of methods rest current security, methods greater at ensuring in data success considerable of Despite Innovative security adoption. the growing and applications rapidly control, and access enjoys computing environment and (suchastrusted computing) are beingadopted by themassmarket. systems stricter visible and more operating becoming is management are identity patched tools more through considerably,widespread advanced regularly has accounts anti-spyware of security and The and problems. security many secure solve help anti-virus to approaches design privacy-conscious and more security- using developed, firewalls, been have protect to whilst Personal management standard become have attacks. pervasive, measures configuration various software strong devices, and client against For access rest, tools. at data monitoring anti-virus stored or for control, encryption 24-hour as such technologies, protection separation, generic support physical servers, For used, protecting theintegrity andconfidentiality ofdata intransit. enforced increasingly is and audited. Secure protocolsnetworking control comprising authentication and trafficare encryption Access increasing. is detection extrusion as such safeguards further of use the tools, prevention or detection intrusion and firewalls by protected typically arecommon. have becomemanynetworks organizational Whileand users, of categories all for Over time, tools and mechanisms to protect networks, servers and clients have been introduced confidentiality, Data Non-repudiation, Communication security, eight data integrity, Availability, Authentication, Privacy). and control, Management), (Access Control, dimensions (End-user, security planes security three Infrastructure), Services, (Applications, layers security three on based model reference systematic and comprehensive 2.3.3. ITU-T Means of Protection in Today’s Complex Environment Environment Complex Today’s in Protection of Means Recommendation X.805(2003),Securityarchitecture forsystemsprovidingend-to-end communications. 2 provides a provides 79 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex Figure 2.2:Client Protection versus andNetwork Server Protection Consistent and needsurgent protection ofthesedevices attention. isstillinitsinfancy essential.is security where finance), or healthcare (e.g. environments professional sensitive in they can compromise entire organizational networks. Ultra-mobile devices are increasingly used business operations and are often used to networks transfer or several day-to-daystoreand in involved sensitive increasingly are information. phones) If smart lost and PDAs or as servers (such stolen,devices affecting Ultra-mobile to breach compared a of protected equivalent lightly are the PCs be may However, (FigurePC 2.2below). a servers. at aimed business-critical breach A sources. multiple capacity, modern PCs are repositories of highly confidential information, aggregating data from clients.directed at networked Withgreater computing power unlimited storage practically and noware attacks many consequently and information, sensitive of amounts huge store can PCs the lastdecade. older from overchanged devices). ultra-mobilehas situationand This PCs client as (such elements certain legacy a as components, fromaway located were certain points access important to and information sensitive protection. where technology, applied of is level protection same lighter the cases, enjoy some environment In communications a of components all Not security: future approaches to end-to-end successfulof development the in account into taken be also must security in trends key Other (trusted) organizational from networks isdisappearing. publicnetworks protectedseparating perimeter a of notion The clear-cut. so not is picture the reality, In hold. and they are allowed to perform only the functions permitted networks,for and systemsthe protected types access of can accounts applications that and theyusers authorized only theory, In 2.3.5. 2.3.4. 3. 2. 1. For example, encryption is a fundamental component of effective security for information, It is difficult to guard against the misuse of legitimate and common security technologies. xenlzto o scrt cmoet: ay raiain hv bit extensive built have organizations Many components: security of Externalization enforcement should not regulate the technology itself or it could potentially chill chill potentially could it or itself technology the regulate innovation. not should enforcement theft, etc.) is vital in establishing trust in individuals’ use of technology. However,identity lawhacking, against (e.g. laws of enforcement Effective purposes. bad or good either for used be can encryption technology, any with As data. personal including mechanisms define to vital is it all, for out growth inlegitimate applications. carry security to and innovationused impeding enhance be without technologies, security to may of uses illegal VPN) reduce order that and In encryption activities. data as illegal (such technologies Legitimate standards self- Open (or review basedonashared framework)certification muchgreater.certification a of value the makes self-certification: implementation of on diversity interoperability,but of levels reliance higher ensure to systems security increasing in used commonly and are standards open of Use of emergence the of infrastructures.organizational consequence security another is functions security of Centralization and sometimeshardware applications isnow widespread. and systems identity management systems). Using such safeguards detection to enable security in software intrusion firewalls, PKIs, (including infrastructures security Servers, Clients, Diverse Networks Networks Diverse Clients, Servers, Diverse Environments andLevels ofProtection

80 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex sophistication of cyber-attacks has continued to grow. Although the sophistication of attacks attacks of sophistication the Although to attacker grow. an to by needed knowledge continued the technologies, has protection available of the ahead grows connected, cyber-attacks globally of and diverse more sophistication become has environment international computing an the at Whilst encryption to approaches shared privacy, encryption Since and published. been security not level important. are very have of ciphers if foundation a difficult, is is interoperability and guaranteed becannot cipher untested an of robustness the since systems, of security theand interoperability both hinder can This encryption. in especially strong, still are approaches local IEEE) However, in areas networks key recognizedstandards.commonly by supported are approaches different commoncountries, in differently in treated and security organizational national for issue an for standards been always has cybersecurity new Although encryption of node standards. of emergence and rest importance recent at vital the the data and for underlines technology, encryption a in of (e.g., some technologies, maturity security of the of of indicator level development good a the is Standardization recently. to until overlooked paid been have components been has attention much While offer country same the vastly different in levels ofassurance intheircomputing environments. institutions education higher example, consumers For comparable. are for not protections of often levels organizations, similar environment among and geography, same safer the within a Even such so produce to access, for need public The devices same However, the symbolic. use often geographies. isnowusing theInternet crucial. and increasingly is different interact across frequently separation spread networks environments enterprise and computing and networks Thereare significant differences organizationalbetween consumerand levelsthe security in of not impregnable) to environments isfrequently where security overlooked. (butacceptable environments,from rangingcomputing global of differentsegments in widely varyrequirements Security anywhere. virtually from application and networks accessing users and geographies,of many traversing many flows data where with global, is environment Today’scomputing machines, client of protection of levels general thediscuss featuresthe security ofowners andend-users. are stilloptionalanddependontheexpertise to across defined be premature cannot is It and function board. their on As depending varies servers of Protection implementation. commercial for ready yet not and all andtonetworks NGNcontinues to beapriority.to applicable solutions immature security defining integrated, increasingly still becomes traffic are network approaches security security earlier define to Wi-Fi in models as in the approach standard networks development same cycle. the However, use in WiMAX) technologicalthe case as different Subsequent of sensor (such point. networks, developmentsfor access example, with the and devices access elements, acquired between confidentiality gradually and these 802.11x) integrity data protected (IEEE that inside encryption) Wi-Fitraffic and authentication example, as (such Forfeatures computing security homogeneity protection. modern no of a levels of often varying elements is offering the there among assurance of environment, levels different to addition In 2.3.6. Nature of Attacks Attacks of Nature 81 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity classifies threats to data communication systems, basedonthefollowing categories: Basic Reference Model– Part2:Security Architecture”. Figure ofAttacks 2.3:Sophistication versus Attackers’ Knowledge cause significant damage. proliferation tools makes it possible for hacking of easy-to-use even inexperienced attackers to commit a successful security breach continues to decrease, as illustrated in Figure 2.3 below. The 3 Annex trends technology consider to helpful is it complex, so is within a environment simplified framework. Several threat categorizations have been developed. computing ITU-T X.800 today’s Since environment an create to reduced be to need in breaches innovation and security for breaches are lessprofitablewhere for cybersecurity perpetrators. proliferation drives incentives economy Economic criminal This threats. theft. data and botnets code, exploit frommoney of sums substantial make can hackers that means cybercrime of monetization The computing. and firmware to andclient-side networks applications needto work together to ensurefrom trustworthy spanning areas in technologists security issue; trust end-user the on solve can provider technology directly focus to Security solutions now need multiple layers of security to protect need the overall platform. No single now issues developers security developed be technology risks. inmind, againstsecurity to weighingwith security andusability agility need from stack that the in means components All assurance. detached of levels expansion acceptable be providing down This to OS. and up the on used moving now mainly that are focus vectors longer no attack First, Attackers evident. also are the stack. There is attacks in trends key Other Source: 2.3.7. threats categorizing for framework Simplified A 2.4: Figure link to tool good a provide that incidents security of categories six defined has CERT US 5. 4. 3. 2. 1. www.cert.or ITU-T Destruction ofinformation and/orotherresources;Destruction the major risk categories in cybersecurity andoutlineavailable remedies: categoriesthe majorrisk incybersecurity describeto used be can categorization issues.This technology to incidents security Interruption ofservices. Interruption Disclosure ofinformation; and removalTheft, orlossofinformation and/or otherresources; Corruption ormodification ofinformation; Categories ofRisk

Recommendation increased targeting of firmware, as well as targeting of the application layer. g X.800 (1991), “ Information Processing Systems – Open Systems Interconnection – Interconnection Systems Open – Systems Processing Information 3

82 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex malicious code are starting to use malicious code customized for the environment where it it where environment the for customized code malicious use to systems starting anti-spyware using are and hackers Unfortunately, code anti-virus code. malicious updated generic malicious by infection Regularly against protect help applications. can the or OS commercial affects or or infects institutions This category includes malicious code, when malicious code (a agencies, bot, a Trojan, a virus, or spyware) government Code 3–Malicious 3) Category only encompassing companies, rights. which donotenjoy privacy information root 2) unclear 1) exchanging servers routing query-response The information; is actual or It roots. the include: at not is and however not systems of particular layers lower dorequirements in Privacy infrastructures. the support at DNS within exist requirements privacy which system mainly exist is name today needs OID namespace ITU Security DNS The IETF namespaces. the because important those significant of inhelpingpromote cybersecurity.important is This cybersecurity DNS. the to attend IETF to needs ITU the and are, the namespaces own ITU-T the but to ITU’sremit, the within not addition in system, nameITU-T’sown the notably, including systems, name all encompass DNS for needs Security considerably.with DoS associated risks the reduce can attacks DoS in use and access unauthorized against clients of to recognize and block infected machines relaying repeated requests. Protection and hardening adaptedbe also Configurationscan servers). DNS Systemsor Name applications Domain (including systems and to requests repeated stop networks that configurations of use providers service if reduced, or stopped be functioning normal the canattacks when Such requests. generated automatically with flooded are they because attacks, impeded is DoS describes As category This norm. the now Attacks (DoS) ofService 2-Denial 2) Category is control access user with stronger combined storage ofcredentials, islikelyto improve security inotherareas aswell. is interactions), authentication identity management government/citizen and multi-factor device authentication and technologies are When combined with online protected (including banking applications situation. certain For positive. the more even are results improve the authentication, help can and (multi- systems, to strong access auditing passwords, with associated dynamic artifacts of and/or storage protected stronger authentication, factor) individual 1), an (Category where access unauthorized access For unauthorized with associated events to gains access to networks, that applications,he/sheisnotauthorized to use. orservices dedicated is category This 1. Category 1 – Unauthorized access access Unauthorized – 1 Category ITU-T Study Group 17 Question 7 outlines a categorization scheme for the analysis of of analysis the for scheme categorization a outlines 7 Question 17 Group Study ITU-T the sixth): to mitigate damage arising from incidents in the first five categories (and potentially, availableare categories.Technological solutions six on based risks, security various Other Incident Other Management (TD2989 basis) X.ismf Framework X.sim Information Security Information . Mang Incident Security : Governance Vulnerability Handling Incident Handling Practical Implementation Methodologies Implementation Practical Announcement Incident Mang Handling Alert . Maintenance Mang Management from NSMF (TD 2988) (TD NSMF from on Based the proposals Incident . * * * * * BCP Compliant Event Systems Security OtherManagements Mang Assets Management Assets Methodology . Organizational Policy Controls Security Access Policy Mang . Operational Asset Asset Security Assets Risk Management Risk Mang Personnel Physical & RiskProfiles& Baseline X.rmg . Risk Risk Mang . 83 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex era of interconnected and interoperable networks, information transmitted in basic functions functions basic in transmitted today’s In information account. into networks, concerns privacy interoperable and taking without interconnected of impossible is era systems secure Building peer- As encryption robust, through hardware, mitigated to technologies. be can networks reviewedciphers and and internationally security risks inter-operable cryptographypublic encryption standards. security software Some from evolve. move also encryption-based must for technologies need applications the as security and of well as digital components of pervasive stored, amount and the is multiplied massively transferred has data encryption technologies new of deployment mass arrangements, The travel making to accounts omnipresent. bank accessing software assets, critical and from traffic off-the-shelf network protecting to content commercial premium and email accessing in From pervasive is above. described technologies security the of many driving component vital a is Cryptography technologies encryption programs).email browsers(e.g.,and webapplications software common particularly products, of use The if remediation, theITU-T SG17framework provides ausefulframeworksixth, for analysis. risk the potentially, and Although the remedies listed above categories represent an five incomplete attack. list an of first measures be needed the to for in effective proven is incidents incident from an arising to investigation damage further potential needing incidents unconfirmed to determine dedicated whether they are is malicious in nature. category Technologicalas solutions last for are available The to mitigatecomputers protection host to perimeter applied Unconfirmed Incidents 6–Other 6) Category on be to solely needs relying defense. approach of of layer protection Instead another as well, perimeter Internet. same the the to open networks, is everything and servers for personal firewalls and patches,anti-virus systems) can access up-to-date full Internet services. Networks (including are porous, security mitigation acceptable risk of levels minimal with complying additional systems providing topology network and clients. For consumer client systems, platform vendors and internal ISPs must ensure that use only edge can intrusion ports, and Organizations environments. systems protect help can masking monitoring and auditing firewall system constant systems, effective detection events, such For protocols. and ports, open where access), attempted and and probes (scans, unauthorized attackhackers try to collect and of exploit measures information on and category identify computers, services, largest the control is interfaces category This user administrative better only (e.g. 5–Unauthorized Access5) Category andExploitation but systems of usage architecture), can improper system Technology 4. from consistent application ofpreventive processes andprocedures canfullymitigate thisrisk. Category risks under security-conscious mitigate incidents and use partly improper to used combating for be vital are auditing and This category describes cases where users violate acceptable usage policies. 4-ImproperUse ofSystems4) Category Training, monitoring, in useful rebooted be patch’ cannot easily, orincaseswhere nopatch exists yet. that to servers especially or ‘hard patch, in a is deploying before vital testing which extensive is need servers This behavior, vulnerabilities. application known and protocol attacks. application zero-day correct new combating enforcing in powerful very are HIPS integrated.as Technologies being such also are features control application and software’. security ‘endpoint protection. better provide can point to solutions for anti-virus, anti-spyware and distribution evolvepersonal firewalls are now being integrated to as into packets) continues software serving security outgoing End-point Systems and code. incoming best malicious with both of (along customized from monitoring solutions channels for maliciouscode needto beidentified and removeddamage from thenetwork. and security reduce auditing hardware the New significantly as such configurations. in practices changes unauthorized to sensitiveare that systemshardware as such needed, are approaches new result, a Asoperates. 2.3.8. 2.3.9. Reasonable Use ofCryptography Security and Privacy Privacy and Security

Host Intrusion Prevention (HIPS) technology, data leakage prevention prevention leakage data technology, (HIPS) Prevention Intrusion Host HIPS can also provide virtual patches to shield to patches virtual provide also can HIPS

environments - for example, where critical critical where example, for - environments o example, For 84 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex Incident response capability must perform three essential functions: response mustperform Incident capability serve to formed be government agencies, vendors and/orcommercial enterprises. can CSIRTs responsibility. Teams or constituency Response their within incidents Emergency security computer prevent and Computer them a resolveor to try to (CSIRTs) incidents Teams security computer to respond (CERTs) Response Incident Security must preparation this Computer alike to Key enterprises malicious. or and unintentional Governments whether incident responseis theestablishment ofemergency capability.cyber-attack. emergencies, a from inevitable for resulting prepare damage serious of risk The growing sophistication of attacks, combined with new, easy–to-use hacking tools, raises the cannot economy digital the in trust users’ privacy, secure prioritizing building Without be preserved. User awareness solutions. ofsuccessful andeducation security are allvitalparts select in options. actively and release consistently its control privacy-friendly used to information of be owners the should allowing environments, solutions technology Privacy-conscious to berelatively unprotected. PDAs)and phones treasurecontinue area devicesbut (e.g.,data, also trove smart important of are often unprotected, but frequently used to store confidential or sensitive data. mobileOther drives)(e.g.,devicesflash devices.Such storage mobile highly proliferationand inexpensive of theis security network and privacy developmentstrongforimplicationsuser key with Another users’ the with designed be must inmind. services privacy monitoring and analysis, processing, Data basis. can severely compromise users’ privacy and needs to be protected and used on a “need to know” 2.3.10. 3. 2. 1. There are several highly successful joint forums for CSIRTs/CERTs. CSIRTs should join join should CSIRTs CSIRTs/CERTs. for forums joint successful highly several are There together work to enterprises and vendors government, needs response incident Effective Technology sector. public and private the both affect cyber-incidents Large-scale strongly is CSIRT/CERT national a of establishment the impact, maximum For ul tutd eainhp wt cnttet, o h ta cn sals effective establish can team the so constituents, with relationships trusted Build communicate securely and confidentially with their constituency and with other other with and constituency their with to capability confidentially the and have they CSIRTs’ securely that for ensure standards communicate different should are handlers There Incident initiatives. interactions. regional or global existing to disruption or damage minimum services. critical with quickly, recover response to incident Systematic constituents cyber-attacks. enables from recover and mitigate assess, to benefit may strategies. response utilities revising regularly and and channels, communication of testing response, firms and Large play. the to to threats organization. specific All entities should cooperate in the to preparation role of incident monitoringrespond can that CSIRT/CERT internal important specialized a an from have also vendors can CSIRT/CERT capacity. national The events. physical and also disseminate threat informationcyber and best practices to improve incident response both for response coordinateneed can CSIRTs/CERTsemergency capabilities, entities national a and With regional government CSIRT/CERT. of national other structure the responsibilities and clear of and organization vendors, roles and authority its the understand Enterprises, a to CSIRT/CERT, defined. national dependent, a clearly be and creating within should When sectors and vital. is interconnected organizations more country different for a become coordination and contact of point central infrastructures As recommended. recovery. to the throughoutdetection constituents from assist otherattack, to with CSIRT/CERT cooperation the (in enable capabilities that responseorganizations) constituents to incident exercise and information Develop warning cyber-threat and rapidly; disseminate to vendors with Work vulnerabilities; andattacks analyze and monitor,identifyto partners its with working for processes Incident Response 85 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex 4 infrastructure protection. are critical software in important being and as well hardwareas vulnerabilities, addressing systems,for vital is computer secure) as certified which by process the (or assurance available. Security applications and systems existing of range wide evaluation, the party support to third adopted be to should should self-certification from ranging approaches, certification of and variety A situations. mechanisms assurance and complex be is developed, where appropriate. No environment certification scheme is perfect and computing applicable to Today’s all security of cooperation The learning. and listening and mutual disclosed addressed isvitalfor producing responsibly high-quality, comprehensive patches. in are vulnerabilities security that engaging ensure to and community security treatingthe channels, respect, communication with open maintaining by researchers this accomplish help can vendors on them, demands responsible disclosure of vulnerabilities by researchers. security Technologydepend that customers the and cyber-ecosystems, or environments computing of Protection canprovidecommunity effective mitigation andresolutions ofthethreat quickly. security the and researchersvendors, multiple between cooperation rapid only cases, those In There are exceptions to full disclosure and responsible disclosure, Vendors such as broad zero-day code. attacks. surrounding in coverage andquality. rapidly vulnerabilities securityvery of terms in costs significantare there releaseddisclosure) full of favor in argument key a be (often may resolve updates while areSo, not rapidly. details them vulnerability exploit does once can that hackers or published, knowing to, have they because ineffective shortcuts can these is take only fix websites) a or that lists risk mailing the boost can Shortcuts process. development public the in made be may on shortcuts rapidly,updates (e.g. details updates that customers can use to guard against the reported vulnerability. However, vulnerability to release of raise customer anxiety. Such can reports forceneeds vendors to put out rushed solutions and security disclosure the meet full to However, vendors allows researchers security by disclosure theof customers by creating themosteffective patches, withminimumside-effects. of investigation Responsible the during found issues vulnerability. additional all address should patches security Completeway. predictable consistent, a in delivered are patches that essential is it concerns, The application of security patches to both home and enterprise systems is vital. Given customer well-tested patches that addresses thevulnerabilities inquestion. produce to chance the vendors gives professionals This attacks. malicious to customers exposing not while Security produced,be can patch quality highest the that ensures vendors product to vulnerabilities of vulnerabilities. notice advance Giving overnight. patches security produce to possible security not is it technologies, discover who products, before people publicly disclosing the theirin vulnerabilities of vulnerability.address to opportunity Givenan them give and the vendors notify to rapid duty a have evolution in mass-deployed cooperation the on manner.fixestimely wheredistributenecessary, a and in customersto risks depend often They Technology vendors investigate reports of security vulnerabilities in their products, analyze the disclosure, responsible in lies investigation andremediation ofvulnerabilities. leadership true vulnerabilities; and flaws contains technology Technologysafety.customer of researchersgoal common sharethe Every security vendorsand

There areseparate guidelinesforusers,operators, manufacturersandregulatory authoritiesincyberspace. 2.3.12. 2.3.11. • • • Well-known challengesto incident response include: corrective measures. and detection Incident diagnosis may not proceed to the stages next of analysis and The broader telecom world hasnoequivalent to FIRST; systemsDetection-response may notbewell-knownorwidespread orlackcapacity; CSIRTs. Responsible DisclosureResponsible Assurance and Business Models Models Business and Assurance 4

86 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex 5 Different methodologies exist, but they all share some common elements. In February 2007, February In the elements. common some share all they but exist, methodologies Different alike.vendors and firms governments, for security improve can approach lifecycle a Adopting Since • Customers • Customers • Customers • CC canhelpcustomers decisions: makeinformed security can helpcustomers buildmore secure ITsystems. CCthe embracedhave that vendorssecurity, effective providing to contribute can that factors in their implementation of evaluated products. Although CC certification is one of many Thedifferent CC program provides customers with substantial information that can enable higher security be may that flaws any address discovered. to processes with product, the supports vendor the that and documentedas performs product the that assurance security of levelgreater a provide does it vulnerabilities, security of free is product a that guarantee not does certification CC Although apply to consistent,customers stringentandindependently verified evaluation requirements to theirITpurchases.allows and assurance quality of product’s levels a specified provides that certification CC confidence of level higher a specifies etc.) certification andeffectively. correctly willbeperformed functions andsecurity EAL cards, antivirus, higher A smart firewalls, systems,firewalls, products. operating other for routers, developed been systems, have profiles operating Protection as (such as products of are(IEC) evaluated against the security functional and assurance requirements of classes protection profiles. Commission CC, the Under Electrotechnical International and (ISO) ISO/IEC InternationalStandard 15408. Standardization for International the by as Organization recognized are known and evaluations CC recognize process, that body nations international of an by composed evaluation maintained and defined are CC security The a CC). or Criteria toCommon design referredthe to as (commonly Evaluation forces Security Technology Information joined for Criteria Common nations the of group a products, IT for market the in globalization and technologies of sophistication growing the to response In including incident response and sustained engineering. Another model that can be used is theis used be can that model engineering.Another sustained and responseincident including are in phases seven highlighted The development. software secure of elements key the identifying paper a organization established by experts to share best practices about secure development, released technical knowledge, become state-of-the-art for allsystems, devices, andapplications. technical knowledge, become state-of-the-art make security environment transparent and painless to secure all users, including those that do not thata have technologies reasonably specializedwhen happen only can Thisdevices. maintaining connected for their for configurations and be responsible will businesses and organizations owners where insurance, control,their beyond home incidents for compensated are or and events some for responsible car held are to Similar devices. and networks for security of levels minimum ensuring on premium a place will models business mature,technologies Internet As interconnected increasingly an in and, hasbeensuggested that theymayIt impedegovernment access to thelatest technologies. countries of number limited world,a CC by membership may need to adopted be expanded. been CC has been only criticized as has being systemslow certification and CC costly.the However,agreement. CC the to signatories are who governments byacceptedare approvedlabs in evaluatedProducts recognition. mutual on based areCC The operations. local of needs security the meet that products choose to use can companies multinational testing labs. to judgetherelativeconsumers canusethesereports ofcompeting ITproducts. security products,evaluated of features security the on report to bodies certification requireCC the theyrequire;the level ofsecurity 2.3.14. 2.3.13. sfwr Asrne ou fr xelne n oe (www.SAFECode.org Code in Excellence for Forum Assurance Ssoftware

www.SAFECode.org

the Common Criteria Criteria Common A Lifecycle Approach to Security Security to Approach Lifecycle A

CC can can can n otie lfcce rm ocp truh o maintenance, to through concept from lifecycle a outline and 2 Appendix

compare decide depend

international more

their on

CC easily specific

evaluations,

standard, whether requirements

products because it

provides against

they meet

are common the their

CC’s performed security standards

set

requirements. by

) standards 5 , a non-profit non-profit a ,

to independent determine

that As

87 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex 6 include,Measures cybercrime butare that canhelpthwart notlimited to: measures for threatImportant include, detection butare to: notrestricted thefollowingMeasures that enableprotection shouldobserve principles: and coordinated initiative security orprogram that includes, butisnotrestricted, to: Technical and procedural measures for cybersecurity are best addressed as part of a comprehensive illustrate the scope of potential solutions. An exhaustive overview of measures can be found in in found be can measures of overview exhaustive An solutions. standardsthe cybersecurity-related 2.6(References). andframeworks listedpotential inSection of toscope cybersecurity the for measures procedural illustrate and technical key summarizes briefly section This 2.4. (PDCA) modeladopted inISO9001(QMS)Plan-Do-Check-Act andISO14001 (EMS). • • • management, technical andoperational controls forcompliance. security necessary the and policies promote that programs security information comprehensive Establishing integrity oravailability ofaresource. confidentiality,the compromise to attempt that actions detect – tools detection Intrusion investigation. Forensic analysis – reveals current or potential threats and provides the basis for subsequent 2.4.4. 2.4.3. 2.4.2. 2.4.1.

• • • • • • • • • discusssomeofthesemeasuresThe following ingreater sub-sections detail. • • • • • • • • • • • An exampleof thisis: Technical andProcedural Measures ofCybersecurity orc vleaiiis icvrd hog frni aayi, ae o rtie or retained on real-time data. based analysis, forensic through discovered vulnerabilities correct to principles above the of any adjust to available be should mechanisms Corrective time. real- in available be should data granular and accurate - availability data Real-time of availability the available. and management denied be to Data retention andauditingcanhelpensure that are data onnetwork-based actions identity access enable with orapplicationnetwork resources forconstraints communication orsignaling to becontrolled. including resource and levels, Routing models assurance identity known common federation interoperability capabilities. their with through of process) especially maintenance assurances or known attributes, object, trust and to and planes; organization, common protocols for access to identifiers ability those (person, trusted credentials; proper the identity entities credentials, provides by IdM – assertions and management identity Digital for data at restEncryption –secure andtrusted information should bemaintained. their maintained. ascertain that beshould testing paths transport network trusted and secure – (eg VPN) Transportsecurity and maintenance including integrity. expected, applications as and perform devices, terminal shouldapplications and devices terminal networks, – integrity Network/application infrastructure, network – underallintentionalshould beableto function andunintentional threats. infrastructure Resilient collaboration. Industry and activities; Standards-making Cybersecurity-related standards andframeworks; Data protection; Continuity andrecovery; Communications; security; hardware and Device Software; Personnel; Organization; Infrastructure; Measures that enableprotection Measures that thwart cybercrime cybercrime thwart that Measures Measures that enablethreat detection Overview of Measures Measures of Overview http://www.itsc.org.sg/pdf/2ndmtg/Contributions.pd f. 6

88 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex This isbasedonthefollowing Strategic references: Report of openness, interoperability andnon-discrimination. organizations with a view to ensuring that new standards are developed in accordance with the principles organizations, the standardization other ITU by could developed act are as that standards a to facilitator regard With in cybersecurity. forpromoting standards collaboration and between different standardization They build upon workthe important that has been done by the ITU on the development of best practices for establishingnational CSIRTs andfor effectively authorities.communicating with the CSIRT state of the art in incident response on regional basis, and (3) collaborate on the development of materials join the existing global and regional conferences and forums, in order to for build capacity improving the CSIRTsto for possibilities support and promote (2) worldwide, discipline a as response incident advance to necessary - sources of capabilitiesworldwide. enhance cybersecurity ecosystem institutional publicly-available a including – information related “centreexcellence”of cybersecurity- telecommunications/ICT timely of distribution forand collection the and foster adoption of enhanced security procedures and technical measures. couldIt become the global 2.6. as companies and possible. countries in many facilitator as to a frameworks as and rolestandards ITU’sthese on out opening focus and book suggesting this to 1 Annex in presented unnecessary proposals HLEG’s avoid ICTs. To duplication, of use the in security and confidence building with associated material activities exhaustive present on which exist, standards and frameworks of number A field. complex in a problems such all solve can framework or initiative single no – cybersecurity for bullet”“silverno is There 2.5. Measures that promote businesscontinuity include, butare to: notrestricted • • • • • • • • • • • • 2.4.5. devices anddata. Redundant facilities provide components, devices anddata to ensur Systemsdataand response. Handling/Emergency Incident with potential disasters. rec and Contingency Protection usingclassification to choosesecur Legal Measures (Chapter 1) and other law enforcement, that may be pursued as a result of of result a as pursued be may that enforcement, law other and 1) investigatory measures. (Chapter Measures Legal conjunction in resources, enable or deny to used be can that with routing andresource- constraints ordigital management.lists identity measures settings maintaining Blacklist/Whitelist and establishing for measuresInvestigatory that canbeusedto create reputation sanctions. measures including or configurations for computer systems. management, Configuration Protective mechanismsinedgedetection. Common tools suchasfirewalls orprotective topology. network point. a goodstarting Risk evaluation and risk management – detailing the status of system security at any time is is time any at security system of status the detailing – management risk and evaluation Risk Proposals for strategies draft in the field of technical measures are presented in Annex 1 to this book. ITU could collaborate with organizations, vendors, and other appropriate subject matter experts to (1) • • • References In terms of ITU’s role, Conclusions

T- wr i Suy ru 1, see: index.asp 17, Group Study in work ITU-T with f cybersecurity-framework.pd collaboration in ITU-T ITU-D by Question 22/1, see: at: developed available index.html Roadmap, NISSG, and Standards ENISA Security ICT ITU-T Measures that enable businesscontinuity ). back-uprestorationand providing- measures backup for systems, critical overy planning to develop foresight on how an organization will deal will organization an how on foresight develop to planning overy ITU can work with existing external centers of expertise to identify, promote additional levels of assurance for critical systems, components, http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft- . e recovery following anincident. http://www.itu.int/ITU-T/studygroups/com17/ict/ http://www.itu.int/ITU-T/studygroups/com17/ ity protection measures;ity 89 Technical and Procedural International cooperation for Capacity Building Legal Measures Cybersecurity Measures for Cybersecurity Annex throughout all aspects of production. Best practices for coding ensure that all programmers programmers all that ensure standards coding and for practices practices coding Best effective implementation ofstandards. consistent production. use of to manner.similar ensuretoa trainedProgrammers in be should functions similar implement will aspects all implementers actual into needs throughout coding specification and design the Effective translate code. programmers where is phase This Programming: each of specification systematic be produced to coincide withfinalrelease oftheproduct. requires todocumentation of drafts near-final enable should design detailed - functionality product of programming Efficient in requirement for a resources software application. This phase is more than an explicit, Documentation: detailed description and management and Design testing programming, subsequent affects the development process. this as reliability, of degree functionality, including provided, be to availability, functions maintainability and the interoperability. measurable,The specify requirements phase into and should shall…”explicitly define product product a “theas requirements of these phrase to tend aspect Developers requirements. testable conceptual and observable the translates phase This Requirements: the ITinfrastructure. Product development managersassembleateam to develop aproduct. software, how users thewill of interact aim with the the product, define and to how is it lifecycle will development relate software to every other of products phase withininitial The Concept: development3.7.2. Appendix 2.Software lifecycle Global 3.7.1. Appendix 1:Survey ofCybersecurity Technical Forums 3.7. Appendices com17/tel-security.html • itu.int/publ/T-HDB-SEC.03-2006/en • com17/tel-security.html • Telecommunication Security” available at: http://www.itu.int/ITU-T/studygroups/com17/cat005.doc • com17/tel-security.html • “Security Guidance for“Security ITU-T Recommendations”, available at: ITU-T Manual, Security “ at available definitions” security approved ITU-T of “Extract to related Recommendations ITU-T approved of “Catalogue a including Compendium Security ITU-T T- La Suy ru o Tlcmuiain euiy at Security Telecommunication on Group Study Lead ITU-T • • • • • • • • • • • • include technical forumsOther dealingwithcybersecurity • • • • Regional • • • IT Information Sharing andAnalysisIT Information Sharing Center (IT-SAC). IT Association (ITAA) ofAmerica network and systems AssuranceSoftware Forum for Excellence inCode (ww.SAFECode.org). information of certification security.and evaluating testing, on Standards IT BaselineProtection Manual, COBIT, amongothers. FCC Alliance for Telecommunications Solutions Industry W3C Engineering Task Force IEEE International Electrotechnical Commission International Corporation for Assigned NamesandNumbers regional organizationsOther ENISA European Telecommunication Standards Institute European Commission globalorganizations Other International Organization for Standardization International Telecommunication Union . . . Security in Security Telecommunications andInformation Technolog y http://www.itu.int/ITU-T/studygroups/ http://www.itu.int/ITU-T/studygroups/ http://www.itu.int/ITU-T/studygroups/

” at: http://www. 90 CHAPTER 3 Organizational Structures International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex four mainstages(Figure 3.1): has approach This infrastructure. information reliable and resilient maintain and cybersecurity promote and availability ofdigital information andinformation systems. integrity good confidentiality, the provide protect to Systems which Management Security standards, Information on security guidance practice main information the of account family 27000 into ISO/IEC take the should in countries recommendations that proposes It coordination. international promote to response incident and warning watch, of role the examines and cybercrime for structures organizational awareness,protection andinpromoting cybersecurity tools andpractices. firewalls and regular virus updates and checking for security alerts. Civildevelop society playsto aneed vitalchain”. roleUsers in“security larger consumer far correct and ethical behaviour online in order to protect their safety and their values,a including investing in of part are they that understand citizens helping in latest and knowledge exchanging research for findings. essential articles publish and conferences host and cooperation encrypt confidential data toexchange and onlineused transactions). algorithms They often engage security in industry-academia-government key many developed have researchers academic (e.g. technologies (Chapter 2);andcooperating withlaw enforcement authorities. lead in developing cost-effective security technologies; adopting vital measures to mitigate vulnerabilities of the utility sector in many countries, the private sector often operates critical infrastructure. It can take the privatization Following solutions. technical innovative develops and researches and cyber-incidents with intheuseofICTs.in buildingconfidence andsecurity ultimately are They role leadership awareness.a take can and jurisdictions public their within order and law of maintenance and the for responsible standards issues, regulatory and legal policy, in consumers alone cannot secure cyberspace. Governments balance the interests of public sector, business and citizens/ sector private or public the as stakeholders, different of role the account into take countries that vital is it cybersecurity, for strategy national their designing In initiatives. existing and new between coordination cross-border ensure to response incident and warning watch, of role the and cybercrime combating for collaboration withallrelevant partners. builds on existing national, regional and international initiatives to avoid duplication of work and encourage progressITU-T,in society.in or done work activities, ITU existingunites GCA The ITU-D.and ITU-R GCA The information the in security and confidence building to seeking cooperation international for framework and pitfalls”. On 17 May 2007, the ITU launched the Global Cybersecurity Agenda (GCA) as an international where all participants of the global information society can reap the benefits of ICTs and avoid the dangers addressed withastrategy unitingkeystakeholdersinaframework ofinternational cooperation. be only can issues security network and security information and cybersecurity to challenges global The informationsociety.global inclusive, and an secure building in pillars main the of ICTsone of as use the in 3.2. Organizational StructuresandPolicies for Cybersecurity 3.1. Introduction The World Summit on the Information Society (WSIS) acknowledged the role of confidence and security This chapter proposes an approach to the development of effective organizational structures to structures organizational effective of development the to approach an proposes chapter This Takingintodifferentaccountroles of creationeffective the the of chapter stakeholders,considers this play to role key a have also organizations non-profit and Finally,associations groups,trade consumer and understanding new on based solutions develop and cybersecurity in research fund Universities The private sector also has a vital role to play, as it has developed substantial know-how in how to deal This chapter on Organizational Structures considers the creation of effective organizational structures nations all for society information high-trust and to secure “createseeks a Secretary-General ITU The 92 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex n plc fr yescrt, dniyn ky tkhles n pooig clue f cybersecurity. of culture a promoting and stakeholders Governments have amajorleadershiprole key to play in: identifying cybersecurity, for policy and Protection canshare ofInformation Infrastructures withothers. bestpractices the for Plans National successful developed already have that Countries strategy. cybersecurity national their developing in countries help can countries other of society.experience information The the of pillar such have integrated cybersecurity into their national ICT strategy, prioritizing cybersecurity as an essential developed policies to meet their national objectives and commitment to national security. Some countries and expertise. It is difficult for developing countries to match the capacity of developed countries, due to lack of resources structures. such establish tohaveyet countries structures other cyber-attacks, tocoordinatingforresponses needed organizational the place in put have and response, incident and systems warning and watch and agencies nationalcentre. established have countries many Whilecross-disciplinary a have or councils advisory established have others while groups, committees working launched up permanent have set others cybersecurity, have address to countries - some greatly differ experiences strategy cybersecurity maintain resilient andreliable information infrastructure andaimto: including benchmarking. developing countries. A internationalnational strategy for countries, Security and many of by Network priority top and a regionalInformation as recognized Systemsis cybersecurity should promote throughto policy a of development issues,The security network and security information 3.2.2. National Roadmap for Governance inCybersecurity 3.2.1. The RoleofBenchmarking 4. 3. 2. 1. • • • The development of a nationalframework policy is a topin developingpriority high-level governance Countriesdeveloproadmapcan afor governancestrategynational cybersecurity,a byin establishing A benchmarking exercise of different countries’ national strategies forcybersecurity reveals that national key challenges, their and circumstances specific their analyze and research first should Countries Figure 3.1:An Approach to Organizational Structuresfor Cybersecurity Many developed countries have already established a strategy for national cybersecurity and have and cybersecurity national for strategy a established already have countries developed Many cybersecurity. Encouraging private sector involvement and in partnership government-led initiatives to promote aclearcommitment to cybersecurity,Making whichispublic and transparent; federal ornational),defined withclearly roles and responsibilities; and regional (local, government of levels all at cybersecurity for responsibility clear Establishing Ensure thesafety ofcitizens; Minimize damageandrecoveryMinimize timesfrom cyber-attacks. Prevent infrastructures; againstcritical cyber-attacks Protect thematerial assetsofcitizens, and intellectual organizations andtheState; 93 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex be designed. (NCC). Depending on the size and needs of the country, several alternative organizational structures could Council Cybersecurity National facilitatea establish to and wish may Countries cooperation. international policy and regional cybersecurity national a support to established be entity organizational point focal specific central or a that recommended is it country, each For resources. and functions roles, allocated development of and each ICT country. has toEach country define its own relevant structures, with specific These structures need to be adapted with regards to the availability of resources, private/public partnerships rtcl nrsrcue Fgr 32. he kns f raiainl tutrs r pooe t promote to proposed are structures organizational of issues: security andotherinformationnetwork andaddress cybercrime security cybersecurity kinds Three 3.2). (Figure infrastructure critical to facilitate the establishment of organizational entities that could help promote and cybersecurity protect citizens.its organizational frameworkof an safetypropose as wellfollowingdevelopment,The as sections 3.3. AFramework for Organizational Structures differentcybercrime types of(Chapter One). address they that ensure to updated be to need may laws and law in grounded properly is it that ensure to framework, legal national the with linked be should strategyincidents. nationalfrom Therecovery and and users)shouldbeaware oftheirroles incontributing to theprevention of, preparation for, response to, sector, private nation’s citizens the the authorities, (government welfare.Different stakeholders economic issues at thenational level, security information andnetwork whichcould security include: in promotingandexperience. cybersecurity, asitmakesuseofprivate expertise sector effective is cooperation sector public and Privatesectors. private and public the between also sector,and of seek needs also should the It protection. account infrastructure information into take must framework policy national The cybersecurity. for • • • • • • • These organizational structures may already exist in some countries, sometimes under other names. other under sometimes countries, some in exist already may structures organizational These 3. 2. 1. It is duty of the state to protect the national digital heritage, critical infrastructures and sustain economic A national strategy to promote cybersecurity issue is vital for national security, citizens’ safety and safety citizens’security, national for vital is issue cybersecurity promote to strategy national A other and challenges FrameworkaddressingNational a on built be should governanceCybersecurity A National CERT and/orCSIRTsA National CERT A National Cybersecurity (NCA); Authority and A National Cybersecurity Council (NCC); Cybersecurity programme control, evaluation, validation andoptimization. policy; Effectivecybersecurity implementation ofthenational information (reporting, management, justicesharing, andpolice collaboration); alerts incident-handling and breaches security ICT addressing for Procedures Developing aculture for cybersecurity; Involvement ofallstakeholders; Legal foundations for laws transposing security into andonlineenvironments; networked National strategy andpolicy; . to foster information-sharing within the public the within information-sharing foster to national critical critical national 94 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex functions (such ascompliance evaluation) verification,functions risk auditsandsecurity could beoffered NCA. by other addition, In interference. avoid to independence of degree a have must NCA the implementation, its and policy of definition the guaranteebetween separationtoorder Council. CybersecurityIn National cybersecurity goals. The NCA would facilitate the measures identified in the national policy defined by the structures, (orequivalent includingthenational institution). CERT government authority and integrated with existing structures. The NCC could rely on other organizational measures, in: of cybersecurity adoption and coordination for structure leader national a be should NCCCouncil. This Security National National the as to existing an of referredcomponent a or entity (separate) specific a (NCC). Councilis be Cybersecurity NCCcould The point focal this Chapter, this of purposes the For sector. private the with efforts. Different countries will choose different models, and all models should involvepartnership aclose 3.3.2. National Cybersecurity Authority (NCA) 3.3.1. National Cybersecurity Council (NCC) • • • • • • • • Figure 3.2:Aframework for organizational structures In In some cases, it may also be effective to set up a National Cybersecurity Authority (NCA) to implement In order to ensure the implementation of the national strategy, the NCC should be linked to top-level cybersecurity its coordinate and formalize to entity an establish should governments National practices relatedpractices to digital identities, amongothers. good and management and systems identity digital of development and actions coordinating systemsmonitoring governmental andinfrastructures; ICT collaborating withregional orinternational agencies(suchasEuropol orInterpol); bureau, security policeservice, forces, High-Tech Unit, Crime secret service, intelligence as such agencies or services governmental several with collaborating identifying stakeholdersandpublic-private issues; relationships to address cybersecurity at thenational level; actions coordinating cybersecurity initiatives; forsetting priorities national cybersecurity policies; cybersecurity defining national 95 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex ones andthisnumberisgrowing rapidly allthetime. 250 “official”least at security.areToday, there network and computer improve help to information other offer may and threats and vulnerabilities concerning alerts publishes also It attacks. of victims to services an organization that monitors computer and network security to provide and coordinate incident response and maximize returns on investments in IT infrastructure. A Computer Emergency Response Team is (CERT) institutions, governmental agencies or at the national level - can help protect countries’ information assets providers. or services infrastructures, ICT of certification or accreditation the and cybersecurity to relating standards security of the ICT infrastructure and for services. guidelines The NCA and could also goals contribute to establish the application to of international industry with work could NCA The plans. emergency their test having theterm “CERT” intheirtitle isworththeeffort ofapplyingforpermission touseit. tend as teams who have teams abroad, Software 2 ITU’s website,whichprovidesacomprehensiveoverviewofthedevelopmentCERTs/CSIRTs. Morel, 1 3.3.3. National Computer Response Emergency Team (CERT) resulting damage. tools deployment andtraining, dealwiththehandlingofincidents andmitigating whilereactive services Proactive seekto prevent services incidents mainlythrough awareness, information-sharing, security Fundamental appearinboldfont. ismadebetween reactive andproactive services Adistinction services. (asdefinedinthe services ofCSIRT an overview “Handbook for CSIRTs” published by theCERT/CC). threats.national coordination security ofresponsesCSIRTs to ICT deliver many Figure services. 3.3gives which represents agovernment’s information infrastructure protection, orinsomecases, apoint for • • • • • • • • • • a generic The formation of dedicated information security teams within different organizations - firms, academic industry help to exercises organize help and activities operational its all in NCC assist will NCA The A national CERT or Computer Security & Incident Response Response &Incident orComputerA national CERT Security Team (CSIRT) Figure 3.3: The provided mainservices by CERTs/CSIRTs to coordination Incident responseonsite coordination Incident response Incident responsesupport Incident analysis Vulnerability response Vulnerability response Vulnerability analysis Vulnerability Handling Incident Handling Alerts and Warnings ® ENISA Reactive Services that David be which

The Engineering This older wish term terms Mundie Section were not and to and use

applied CERT also larger have Institute & draws the called Adam

tried acronym than and for substantially (SEI). the CSIRT to average, CERTs Tagart, find use CERT • • • • • • • As

of semantic are . Carnegie SEI but Assessments Security Audits or Technology Watch Information Dissemination Security-Related Services Intrusion Detection Tools Development ofSecurity Maintenance ofSecurity Configuration and Announcements concerns the Proactive Services

used on must term that then “Computer synonymously. differences first is “CERT” sought Mellon over mainly apply IT and

Security University, security was due to between was SEI resolved “CERT” to the awarded for Incident grew, the fact Pittsburgh, permission. • • • • • • Management • • • by two was similar that the a Response Certification Education/Training Awareness Building Security Consulting Disaster Recovery Business Continuityand coordination Artifact response Artifact response Product Evaluationor Risk Analysis Artifact analysis names, Security Quality Artifact Handling the 1 trademark term these name teams published The “CSIRT”. where centres Teams: 2 given question were isanorganization for there by have the established to An People ITU the are term of grown Overview” what original none and “CERT”. often to in to available - many a the use call group size by U.S. “CERT” Security security CERTs Benoit where at from and the 96 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex These CERT/ CSIRT resources CSIRT These CERT/ include: steps and attacks toward remediation. potential of awareness raise to necessary is organizations, international and regional academia, sector, private the with and government of levels all at Collaboration requirements. legal and of consideration requires management funding, human incident resources, training, technological capability, government and private Effective sector relationships, capabilities. response incident and warning watch, of establishment the through cyber-incidents to responding preparations and management about detection, level,for, the national the at cybersecurity addressing for activities key on reports researchdetailed developed has ITU-D (WARPs). Points Reporting and Advice Warning, and CSIRTs CERTs, about less effective. far is it but develop, to easier be might strategy one-size-fits-all a - audiences specific to tailored should be also campaigns Awareness audits. risk through security information evaluate to firms requiring laws have countries Some workshops. and brochures training, administrators, system and users IT general at solutions. security Awarenessof ICT campaigns could make use of websites seminars and directedportals, a reach could of the population throughlarge with ISPs part a combination of advertisements, partnering and providers campaigns Outreach initiatives. private and public national planned or existing together link to established be should system alert as and information-sharing multilingual alerts, A practices. communication good and as well cyber-risks dedicated cyber-threats, overon list) information distribution email free portals, web and e-security (e.g., up-to-date channels provide also would point focal This countries donotyet have aCERT/CSIRT, theycould beencouraged to establishone. 3 In early 2007, CERT/CC published a list of some 40 CERTs recognized as having “national” responsibilities. CSIRTsof ability totestthe fromdifferent contingencies.countries to cooperatively large-scale respond to simulating large-scale attacks on critical sectors. APCERT also organizes a drill every year along similar lines, has US-CERT infrastructures. critical exercisesinternational(e.g. organizedmajor US “Cyberstorm”,protect toCanada), Zealand,involvingand Australia,New is US-CERT of mission main the example, For attacks. as possible. these changes, it evenmaking more essential that different CSIRTsof find ways to shareabreast as much information keep to need CSIRTs and relentlessly evolving is environment cyberthreat The needed. when provide timely information about the latest relevant threats and to provide assistance in incident response to able be should Incident they that CERTsis forshareall that Forum function key One the Response Teamsand (FIRST). Security of members are they fact the to status their owe Many widely. vary all structure and size activity, constituents, fulfill services, to mandate, Their situation. established their are on depending and functions, organizations specific private to belong CSIRTs Most responsibility. national with • • • • • • • • • CSIRTs dramatically vary in they the provideservices and the constituents they serve. Some are CSIRTs The CERTs often also undertake “watch, warning, incident response and recovery” for ICT-related incidents. National CSIRTs almost always assume responsibilities for readiness and response to large-scale large-scale to response and readiness for responsibilities assume always almost CSIRTs National Action ListforAction Response Developing Incident aComputer Security Team (CSIRT Handbook for Response Incident Computer Security Teams (CSIRTs State ofthePractice Response Incident ofComputer Security Team Staffing IncidentResponse Your ComputerSecurity Team Skills – WhatAreNeeded Basic Organizational for Response Models Incident Computer Security Teams Creating Response Incident aComputer Security Team: AProcess for Starte Getting Defining Incident ManagementIncident Defining Processes for CSIRTs: A in Work Progres “NationalComputer SecurityIncidentsResponse Incident Management Capability Metrics Metrics Capability Management Incident Version 0. Steps for Creating National CSIRT T-’ IT plctos n Cbreuiy iiin website Division Cybersecurity and Applications ICT ITU-D’s (pdf) s (pdf) Teams”, publishedbySEI/CERT, 2007. (pdf) 1 (pdf) rvds wat o information of wealth a provides (pdf) |html s (pdf) (pdf) ) (pdf) (pdf) s (pdf) (pdf) |html (pdf) ) d ? 3 If 97 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex among CSIRTsamong (an European the GovernmentAPCERT CERTsinclude and CEENet NORDUnet, group (EGC), cooperation promoting bodies and forums regional Other response. incident in expertise sector private ensure that watch, warning and incident response capabilities are effective and efficient, by capitalizing on difficult to access. in otherwise sharing a body of knowledge canPrivate also help and public partnerships 200 some to grown now has membership members from five continents. its Many members are now so private companies, FIRST, attracted by the of opportunity joined have companies private within working teams Many response. incident in cooperation active promotes It worldwide. CSIRTs for point meeting a regulatory collaboration, cross-border of andoperational/technicalrestrictions issues. nature complex the of awareness increase to Response APCERT) Emergency Team, Computer Asia-Pacific the or CERT/CC FIRST, (e.g., conferences and communities internationalresponseincidentin remaintoensureaccessible.they participate that also can Stakeholders availablecouldmade be networks these of assistanceoperationalbetween incidenthandlers. directory A success of any framework extending their coverage. The success of any WWN depends on trust and mutual as welljurisdictions, as at the regional and international level. of theseThe groups efforts are critical to the potential mitigating orcross-border and damage incaseoflarge-scale cyber-incidents. crises managing for essential are Cross- effective.. information-sharing be for to cooperate mechanisms to border need CSIRTs them. with deal to best how and cyberthreats new in collaborationCERTsmakes between irreplaceable.and vital CSIRTs developmentsabreastof tokeep need Cooperation”, describes “International 5 international Chapter cooperation andaglobalframework for cybersecurity. levels. international and regional the at coordination improve help to and initiatives, existing and new between coordination cross-border ensure to needed also is framework global ICTs. A in security and confidence build to cooperate to enforcement authorities and incident warning, effective prosecution and law watch, enforcement. Principles of mutual assistance and national partnership are vital for law Effective for cybercrimes to relating evidence of cyberspace. collection and investigationfor essential are capabilities response of misuses addressing in collaboration from ITU’s website,whichprovides acomprehensiveoverview ofthedevelopmentCERTs/CSIRTs. Benoit 4 framework3.4. Global for watch, warning andincident response assistance andsecurity-related training. information resources Other include: their customers with a variety of other security services, including alerts and warnings, advisories, technical provide often CERTsCSIRTsresponse,nowadaysalso and incident as such services, reactive to addition In • • • • • • • • • ay onre akolde h iprac o a itrainl rmwr fr oprto and cooperation for framework international an of importance the acknowledge countries Many The “Forum of Incident Response and Security Teams” (FIRST) was established in 1990 and provides and 1990 in established was Teams” Security (FIRST) and Response Incident of The “Forum national and sectors firms, within - exist currently (WWN) Networks Warn and Watch of number A The cyberthreat environment evolves very rapidly and is very complex and difficult to understand. This Morel, handling tools). CERT/CC Virtual Training Environment (VTE CSIRT Service CSIRT Security vulnerabilities andfixeSecurity Training resource for incident response teams organized by TERENA’s andfundedby TF-CSIRT GOVCERT.n CPN Clearing HouseforClearing Handling Incident Tools resource (CHIHT) the European Commission

CSIRT FrequentlyCSIRT Asked Question ENIS Some , United Kingdom: I, United Kingdom: CSIRT Step-by-StepA: CSIRT guid e David material Mundie l , inaBoxThe CSIRT Netherlands: s in this & Section Adam The WARP Toolbo Tagart, is drawn s , 2006 s Carnegie from “Computer x Mellon ). University, Security Incident Pittsburgh, s (includesalistingofincident Response published Teams: by 4 ITU An Overview” and available by 98 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex country’s informationmanagement architecture: security requirements.countries respond to specifycybersecurity This referential issplitinto five domains: industry-specific of publication and development the versions. ISO27002-2005covers: to applied be may ininter- It build confidence activities”. help to organizational and practices management security effective and standards security a formal by assessment. risk identified Thestandardintended also is to provide developmentguidancethe on of requirements “organizationalspecific the address to intended are standard the in listed controls initiating, for principles general and implementing, maintaining, “guidelinesand improving information security management establishes within an organization”. standard The This programme. cybersecurity 3.5.2. NCSec Referential3.5.2. NCSec 3.5.1. BuildingReferential 3.5. offshoot ofthe Asian Pacific Economic Cooperation orAPEC). It also It proposes 34 control objectives comprising a generic requirementsfunctional specification for a help can Referential) (NCSec standard cybersecurity national the 27002-2005, ISO/IEC on Based national a in for organizationalstructures used and adapted be standardscould family 27000 ISO The

NCSEC REFERENTIAL Assessment Risk and • 2.4 Encourage development orCSIRT; CERT ofsectoral cyber- national from recover and to respond detect, for, prepare to CERT national a Establish 2.3 Specifichighlevel2.2 Define stakeholders; Authorityfor cybersecurity coordination among 2.1 Identify National Cybersecurity Council for coordination between stakeholders; Organizational2. NCSec Structures 1.9 Assess periodically,priorities. anddefine efforts thecurrent state ofcybersecurity 1.8 Ensure that alawful framework issettledandregularly levelled; mechanisms that1.7 Define canbeused activities; to coordinatecybersecurity the development1.6 Identifyofanational policy strategy for cybersecurity; 1.5 Identify elements ofgovernment withinterest incybersecurity; 1.4 Identify leadinstitutionsfor eachelement ofthenational framework; 1.3 Identify aleadinstitutionfor developing anational strategy; 1.2 Promulgate andendorseaNational Cybersecurity Strategy; 1.1 Persuade national leadersinthegovernment ofthe needfor national cybersecurity; Strategy1. NCSec andPolicies 5. 4. 3. 2. 1. Compliance. • and BusinessContinuity; • management; Incident Information Security • Information Systems Acquisition, Development, Maintenance; • Access Control; • Communications andOperations Management; • Physical Security; • HumanResources Security; • Asset Management; • Organization ofInformation Security; • Policy; Security • Structure; • incidents; StrategyNCSec andPolicies; Cybersecurity Awareness Activities. National Coordination; Implementation; NCSec OrganizationalNCSec Structures; Treatment; 99 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex to beundertaken. measures have security cost-effective and simple efficient, time, same the Atonline.behavioursafe adopt to end-users empower to sufficient However,not people. is older alone and awarenesschildren including to educateundertaken and train all the actors of the information society, from decision-makers to citizens, be should campaigns AwarenessICTs. of misuses and incidents international and national to respond to willbenefitallstakeholders. andbroad participation on dialogue, partnership approach,stakeholder secureprivatecannot or alone public the as Ancyberspace. sector approach based cybersecurity multi- initiatives.a different existing adopt the and account should haveof stakeholders take Countries to promote to strategies National structures. organizational and institutions national sound on built be must cybersecurity promote to cooperation international effective, be Tocyber-threats. and 3.6. Conclusions Cybersecurity is a global issue, needing a global approach to mitigate the growing ICT-related risks risks ICT-related growing the mitigate to approach global a needing issue, global a is Cybersecurity Specific actions are needed at the national level to build cybersecurity capacity in order to be able be to order in capacity cybersecurity build to level national the at needed are actions Specific 5.8 Develop awarenessandavailable risks solutions. ofcyber regime existing andupdate privacy 5.7 Review itto theonlineenvironment; 5.6 Enhance Scienceand Technology andResearch andDevelopment (R&D) activities. (S&T) the participants—businesses, all that so programawarenesscomprehensivenational Promotea 5.5 individual and children of needs the to attention special with society civil to outreach Support 5.4 5.3 Encourage thedevelopment inbusinessenterprises; ofaculture ofsecurity awareness security 5.2 Implement programs andinitiatives for usersofsystems andnetworks. planfor government-operated acybersecurity systems;5.1 Implement 5. Cybersecurity Awareness Activities incident for sector private and government between arrangements cooperative Establish 4.6 4.5 Encourage cooperation amonggroups from interdependent industries; 4.4 Identify training requirements andhow to achieve them; 4.3 Identify international expert counterparts and foster international efforts to address cybersecurity 4.2 Establish mechanisms for cooperation among government, private sector entities, university and 4.1 Identify cooperative arrangements for andamongallparticipants; 4. National Coordination technical and policy 3.6 Establish of an integrated risk management process sharing for identifying and prioritizing protective efforts for responsibilities cybersecurity with institutions Identify and sector 3.5 private government, within policy-makers and experts appropriate the Identify 3.4 responsibility national with team response incident security computer for a identify mechanisms or Establish 3.3 and efforts national 3.2 Identify mechanismsfor coordination amongtheleadinstitutionandotherparticipants; ongoing coordinating for institution lead Identify 3.1 Implementation3. NCSec consultation, facilitate to university and industry government, within contact of points Establish 2.5 general workforce, andthegeneral ofcyberspace; population—secure theirown parts users. management. issues, includinginformation andassistance sharing efforts; OrganizationsNon-Governmental (NGOs)at thenational level. Informationregarding Critical Infrastructures. cybersecurity, particularly information andtheprevention, preparation, response, andrecovery from anincident. university; (N-CERT); coordination; cooperation andinformation exchange withnational CERT. 100 International cooperation for Capacity Building Organizational Technical & Procedural Legal Measures Cybersecurity Structures Measures for Cybersecurity Annex Tagart, Carnegie to buildaninclusive andsecure information society. experts by leading and be developed can strategies innovative effective which from framework interdisciplinary an efficient developed has ITU ICTs. of use the in security and confidence building to challenges 3.7. References “Computer Security Incident Response Teams: An Overview” by Benoit Morel, David Mundie & Adam & Mundie David Morel, Benoit by Overview”Teams: Response An Incident Security “Computer global with deal to framework unique a established has ITU Agenda, Cybersecurity Global its With NCSEC Referential andthe Mellon University, Mellon Pittsburgh. ISO27000familystandards 101 CHAPTER 4 Capacity Building Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex rately. framework isrepresented Acapacity-building for promoting schematically cybersecurity inFigure 4.1. Awareness-raising andtheavailability ofresources are issues that needto cross-cutting bedealtwithsepa at thenational level.rity andinstant communications meanthatconnectivity countries have to to initiate promote actions cybersecu haslongbeenconsideredcurity asatechnical field, belonging to specialized agencies. global Furthermore, nation states. However, iscomplex, tofor capacity-building promote several cybersecurity reasons. Cyberse ing United Nations development programmes andthe World cybersecurity, themainagents In are the Bank. Considerable for outincapacity-building work hasbeencarried development by variousinstitutions, includ 4.2. Capacity-building andawareness improve to national promote capacity cybersecurity. both thenational andinternational perspective, andhow interms to ofthemainactors, theirmainactivities collective isonlypossiblethrough action. voluntary security This chapter considers from capacity-building There to imposelaws isonlylimited authority ontheborderless environment soimproving oftheInternet, isuneven to andcountries address mustbuildcapacity theseissues.cybersecurity doers isuniversal, even for countries withlow access Internet rates. However, countries’ to promote capacity themtoers andbring justice, albeitintheonlineworld. The needtoandprosecute deter cybercrime wrong- to behavior ofcorrect reality ofcyberspace,butitisalsobasedonnorms pursuewrong-do andthecapacity bersecurity. Cybersecurityandacceptable needsthedevelopment userbehavior inthe new ofacyber-culture issues. However, resources are unequallydistributed andcountries needto resources prioritize cy to support to international regimes. regulatory Sovereign states alsocommand the resources neededto address these istheprerogativeIt ofsovereign states to create legalregimes andto governing sign up theirjurisdictions of Cybersecurity andtheOECD’s ofInformation Systems Guidelinesfor theSecurity andNetworks. Useful guidesinthisarea are theUNGeneralAssembly 57/239ontheCreation Resolution ofaGlobalCulture the possibilitiesofnewcommunications mediumwillbeautomatically followed, expands. asthe Internet that adopted thebenign thatusersoftheInternet codes intheirexcitement community early ofconduct over of behavior that users follow voluntarily. However, has to Onecannothope benurtured. such acyber-culture The isthedevelopment bestguarantee ofareliable withestablishednorms for cyber-culture, cybersecurity economy fails to grow to itsfullpotential. and countries could face growing challenges, astheireconomies are eithernegatively ortheonline impacted cannot pay safely for andsecurely. goodsandservices rises, As consumer thescaleofcybercrime trustsuffers bercrime onasmallerscale–for example, whengoodsare ordered online, butnotdelivered, orwhenpeople that almostsucceeded inshuttingdown inEstonia theInternet inApril-May 2007to everyday incidents ofcy cybercrime potentialrange from damage.Incidentscyber-attacks of ofusersto thehighly-publicized inflict greater to transfer capacity more data thanever before. As usageandbandwidthhave sotoo risen, hasthe communicationModern systems are characterized by growing digital content, generalized anda mobility 4.1. Introduction 103 ------Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex Figure 4.1:Capacity-building general framework widespread campaigns to publicity reach asmany Undertake people aspossible; whenrequired; Establish public-private partnerships, • • for between countries,Mechanisms awareness-raising asdoneedsandmethods. vary certainly The lead of cybersecurity issues, policy-makers and other stakeholders in cybersecurity could: andother stakeholdersincybersecurity issues, policy-makers of cybersecurity ofasustainableframeworkhelp ensure for thefunctioning international cooperation. To raise awareness Awareness-raising for andto of establishingcapacity national governments isavitalpart incybersecurity agenda. onto thedomesticpolicy cybersecurity level to advance at thepolicy-making specialists and create expertise tion between security thenecessary frameworks andtechnical solutions. Suchtraining workshops shouldpromote theexchange ofinforma Training programmes policy, shouldbemadeavailable organizational inestablishingcybersecurity educate keydecision-makersingovernment. neededtoillustration promote ofpublicity for cybersecurity. the kind Awareness campaigns shouldalso inthe news. Foring cybersecurity example, theawareness created by Y2K campaign could beagood become championsfor thecause. This isbestaccomplished by educating decision-makersandby keep For awareness campaigns to beeffective, itisvitalthat decision-makers are fullyinformed, inorder to that were already inuseby thegovernment. awareness campaign, dedicated website usingPublic andprojects anddigital IDcards, KeyInfrastructure they establishedtheambitiousgoalofbecoming nation themostcyber-secure by 2009,and launchedan telecommunication operators) decidedthat asafer would Internet benefittheirbusiness.In 2006, directly The private canalsotaketheinitiative. sector Estonia, theprivate (e.g., In sector and thefinancialsector online behavior lessonsinto Many countries schoolcurricula. have already donethis. infact roles.have important For governments, includesincorporating safe buildingaculture ofcybersecurity ing role takenby isoften non-governmental organizations, butgovernment andtheprivate also sector W N R A A E E S S

International End user Regional N ational

O C R U R E E S S

- - - 104 Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex Council ofEurope, whichinitiated thecreation oftheConvention onCybercrime. inthisarea Another becomes was pioneerworking aregional moresecurity important. organization, the Non-governmental organizations. on theirmainagendawillgrow,The numberoforganizations that cybersecurity willprioritize ascyber and Business actors; • International organizations; • • There thework including: oftheGCA, are that cansupport anumberofglobalactors LineC5. WSIS Action intheuseofICTs”.ConfidenceSecurity and astheframeworkThe ITUlaunchedtheGCA for its in work assoleFacilitator/Moderator (WSIS) mation withresponsibility Society for LineC5, WSIS Action “Building is theGlobalCybersecurity Agenda oftheITU. The ITUwas entrusted by the World SummitoftheInfor hasfewAs cyberspace boundaries, one example ofamajorinitiative at thegloballevel buildingcapacity 4.4. Capacity-building at thegloballevel seminate collective know-how require long-term commitment from donors. threatsAt atimewhenactual are constantly evolving, thefinancial resources needed to buildanddis Countries’ promotion varies, willingness according to spendoncybersecurity to perceived threat levels. nation network. resource centers, regional centers could bebuiltupandintegrated into coordi theoverall cybersecurity andaglobalfacilitatorof knowledge overall efforts for asaferIn addition Internet.to general global forprovide theentire international world. cybersecurity role asarepository ITUcanplay animportant by launchingtheGlobalCybersecuritycurity Agenda (GCA). At thesametime, nosingleorganization can asignificant leadinginitiativeThe ITUhasundertaken ininternational cooperation cyberse to promote cultures between countries). tional cooperationcountry’s isinevery interest (despite inevitabledifferences inthepoliticalandlegal andwell-resourcedeven themostpowerful alone, countries cannotsafeguard sointerna cybersecurity requires resources.Building andmaintaining cybersecurity Given theborderless nature oftheInternet, 4.3. Capacity-building andresources associations, shouldcontinue to besupported. example, by bothprivate organizations, ENISA).Ongoingefforts andpublicsector as well asnon-profit Several significant initiatives alreadyawarenesscybersecurity exist andpromoteto raise training (for Train andeducate oftheinformation allactors society. awareness Security programmes could be tailored to targeted audiences (children, theelderly, large orSMEs, firms etc.). Empower end-usersto adoptsafe behavior onlineto beresponsible cyber-citizens; • national, regional, Support international cooperation (Chapter 5); • Put inplace organizational (Chapter structures 3); • Promote measures theadoptionoftechnical andprocedural(Chapter 2); cybersecurity • • Develop aneffective legalframework enforceable at thenational level andcompatible at the international level (to answer theneedsidentified in AreaWork 1inChapter 1); • useofNGOs, Make institutions, banks, ISPs, libraries, localtrade organizations, cen community • Countries to: shouldalsobuildcapacity organizations to getthemessageacross aboutsafe online. cyber-behaviour ters, computer stores, colleges community andadulteducation programmes, schoolsandparent-teacher ------105 Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex criminals. The illicitprofitscybercrime have possiblethrough to be minimized offensesto makecriminal with greaterjunction international cooperation (Chapter 5),can helpraise thelevel perceived of risks by measures (covered in Chapter 1), aswell asmore effective organizational structures (Chapter 3),in con procedural measures (Chapter more difficult 2) canhelpmakecybercrime toachieve. legal Effective and increasing have criminals thelevel ofeffort to make to perpetrateImproved acrime. technical and A globalstrategy canbeenhanced by to Increasingthelevel promote of perceived cybersecurity risks and maketheprosecution ofoffenses enforceable andeffective (seeChapter 1). Awareness campaigns and strong laws canhelpraise perceived therisks againstcybercrime by criminals grammes shouldbetailored to different audiences (e.g. youth andolderpeople, professionals etc.). Awareness programmes to canhelpbuildnational promote capacity cybersecurity. Eucational pro and management procedures. measures management Reactive includecrisis andrecovery actions. andpreventivedamage causedby pro-active Both cybercriminals. rely onsecure actions andreliable ICTs sis inorder to understandtheissuesat stakeand to design preventive avoiding actions andlimitingthe functions Figure cybersecurity 4.2:Generic canbeclassifiedinto and measures pro-active reactive tions ofsecurity (Figure 4.2). (including theirmotivation, andinteractions). As inter-linkages withCSIRTs (Chapter func 3),thegeneric shouldtakeintoCapacity-building to account promote therole cybersecurity ofdifferent stakeholders cycle. isintegratedthat security at thebeginning ofinformation technologies’ infrastructure development life untrained Chapter users(See 2).Partnerships between thepublicandprivate shouldhelpensure sectors and comprehensive mechanismsshouldbereadily understood andsecurity andconfigured easily by include simple, yet measures flexibleandmechanisms. security shouldbe Products well-documented and services. The publicandprivate should work together sectors to ensure that andservices products andcontent withITservice providers workto inpartnership improverity oftheirproducts thesecurity reliable andsafe behavior withregards to theuseofICTs. isessential that stakeholdersincybersecu It technologies should belessvulnerable (seeChapter 2).Cybersecurity alsoinvolves thedevelopment of Cybersecurity includestopics related andthemisuseofICTs, to cybercrime butitalsorequires that any chain. security needsofSMEsandindividuals,approaches aspeople are mustalsomeetthesecurity theweakest linkin tion ofmeasures to reduce andprotect theITresources risk oflarge organizations. However, security organizations approaches and individuals. are limited Security often to management risk andtheadop issues, includinggovernmental security andnetwork institutions,security large andsmallfirms, andother devices, isconcerned andotherinformation by tools cybercrime orservices Everyone dealingwithICT for thesafety ofcitizens,and services firm competitiveness andstate sovereignty. canbepromotednation steps state, to by information protect critical taking infrastructure cybersecurity erates withintheframework ofnation states, canbepursuedandpunished. sowrong-doers Within each ontheglobalagenda.Law enforcement isvitaltoNational capacity-building promote cybersecurity op 4.5. Capacity-building at thenational level Pro-active measures includeintelligence to promote gathering, andanaly cybersecurity data collection ------106 Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex governments, asvitalcomponents ofanawareness-raising strategy to promote cybersecurity. organizations andtheprivate sector. Incentives shouldbeprovided initiatives for cybersafety by national by allagents,these tendencies effort needsconcerted especially by governments, non-governmental aremerce, diversifying andotherapplications, andgrowing cyberthreats banking rapidly. To counter the threats, aswellworld. asbenefits, As more ofthevirtual societiesmove to embrace electronic com strata andage groups are to applications learning usedifferentandare thus exposed to ICT networked The rapid expansion of theuserbasedoesnotoriginate solelywiththeyounger generation. All social usage know-how. thisrespect,initiativeshavior on.In early suchasthecomputer driver’s license could helpwithsoftware ments, especiallyby WEB2.0 socialsoftware, andwhilesocietiesreadjust, itisvital to teach safe online be andonline identity.personal privacy Current existing regulations are outdated by technological develop to abouttheuse ofICTs. learn particular, In end-usersneedto beeducated between aboutboundaries andsafe behaviourcybersafety onlineshould beincludedinbasiccomputer courses, whenpeoplestart awarenessMinimum and ‘safety’ requirements are neededat theend-userlevel. The of basicprinciples 4.6. Capacity-building at theend-userlevel Technological orlegalsolutions cannotfullycompensate for design ormanagement errors. security, to ofICT realizeremain at aninclusive theheart information offullyaware society consumers. is onlyasstrong whichaffects asitsweakestoverall link, cybersecurity. levelsIndividuals should ofglobal ment -thedigital divideshouldnotbeexacerbated divide. by asecurity The chain international security develop needsneedto infrastructure. beaddressed at Security thesametimeasICT ofICT the roll-out Cybersecurity force isadriving for theeconomic development ofregions andmustbeincorporated into Figure 4.3Cybersecurity capacity-building technical, legalandorganizationalmentary measures andeffective international cooperation. thatbuilding measures require are actions pro-active agoodunderstandingofICT-related comple risks; Achieving thesegoals would helpcreate adigital environment that ismore difficult Capacity- to attack. the numberofpotential targets andtheirinterconnectivity. ecuted. Effective measures capacity-building (Figure 4.3)canalsohelp reduce vulnerabilities and reduce raise levels takenby ofbeingidentified, ofrisk includingrisks cybercriminals, located, pursuedandpros less profitable visathelevelrequired Effective ofskill canhelp andthelevel capacity-building risk. of ------107 Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex government, industry and civil society on security training andinitiatives. onsecurity andcivilsociety government, industry planshouldalso addressThe training security ofusers ofgovernment systems andcollaboration among incident management, includingresponse, watch, warningand recovery, aswell asinformation-sharing. sure progress andto identify areas where improvement isneeded. The planshouldincludeprovisions for and implementation. Periodically, boththe plananditsimplementation shouldbereassessed to mea plan.Preparationsecurity planshouldaddress management, risk design ofthissecurity aswell as security The initialstep to secure government-operated systems isthedevelopment andimplementation ofa planfor government-operated acybersecurity systems.4.7.2.1. Implement 4.7.2. Specific Steps to Promote a Culture of Cybersecurity of regional fora to facilitate interactions andexchanges. infostering4. Internationalcooperation aculture isextremelyimportant ofsecurity, alongwiththerole practices, andtheuseofinternational collaboration standards. amongparticipants policies. Awareness-raising ofbest alongwiththe sharing andeducation initiatives important, are very rity. countries Some are establishingahigh-level governance for structure theimplementation ofnational andmulti-stakeholderapproach to3. Countries promoting shouldadoptamultidisciplinary cybersecu individuals. E-government plays akeyrole infostering thediffusionofaculture ofsecurity. beyond extends publicadministration,e-government activities to theprivate and sector of eficial impact prevention,should alsoincluderisk management risk anduserawareness. The OECDfound that theben information systems shouldbeaddressed andnetworks notonlyfrom atechnological perspective, but internal operations, aswell asto provide to theprivate andcitizens. better sector services of The security to improve applications andservices national administrations their shouldimplement e-government ment andprotection ofnationalinformation applications critical andservices, infrastructures. As aresult, 2. According to anOECDstudy, thekeydrivers for at aculture thenational level of security are e-govern privacy, spamandmalware. government andprivate systems, future improvements insecurity, andothersignificant issues, including outreach to theprivate sector, andindividuals. civilsociety This element alsocovers training ofusers the operation anduseofinformation infrastructures (includinggovernment operated systems), butalso 1. The promotion ofanational addresses culture notonlytherole ofsecurity ofgovernment insecuring 4.7.1. Creation ofanational Culture ofSecurity framework efforts. for organizing national cybersecurity participants”. Promoting isanintegral anational cultureelement ofthemanagement ofcybersecurity ofother theefforts andinsupporting take aleadershiprole inbringing aboutaculture ofcybersecurity appropriate issuesandtakeaction to theirroles to protect networks.cybersecurity Government must whodevelop,participants own, provide, anduseinformation manage, mustunderstand networks service becoming more andmore widespread, across andthat connections national borders are increasing, all computers are becoming ever more that powerful, technologies are converging, that theuseofICTs is tensive management framework efforts: for organizing national cybersecurity “Considering that personal ITU Study Group Q.22/1 for onbestpractices offers anational an approachex to Report cybersecurity 4.7. Capacity-building for aninclusive society - - - - - 108 Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex websites canbeauseful mechanismto promote anational awareness programme, enabling government will alsobuildtrustwiththe private sector.security Cybersecurity isashared responsibility. Portals and abilities. Government coordination ofnational outreach and awareness to enableaculture activities of personnel andadoptwidely-acceptedfor personnelwillhelp certifications reduce security thesevulner tem administratorsto train plan.Promoting aweak efforts isoften spotinanenterprise security industry of theinfrastructure itself.even apart iftheyare For notactually example, awareness thesecurity ofsys tors, chiefinformation officers or corporate boards. Thesevulnerabilities canjeopardize the infrastructure, of users–whethertheseare system administrators, technology developers, procurement officials, audi Many information awareness system onthepart vulnerabilities exist becauseofalackcybersecurity 4.7.2.5. Promote acomprehensive national awareness programme mestic information infrastructures. and training users, from learn others’ successes andinnovations andwork to improve ofdo thesecurity Government andtheprivate canshare sector thelessonstheyhave plans indeveloping learned security material for teachers;port providing children withonlinetools; anddeveloping and games. textbooks such initiatives include:training courses for parents providing to risks; inform themaboutsecurity sup used variesfrom websites, games, andonlinetools, to postcards, anddiplomas. textbooks Examplesof students eitherthrough school, orbyofguidance distribution material. thedirect material The support ties to promote informationto abroad security audience. initiatives Most aimto educate children and and measures that shouldbetakento counter countries them.Some organize specificevents, withactivi governmentsSome have cooperated withtheprivate to raise sector citizens’ awareness ofcyber-threats outreach to civilsociety 4.7.2.4. Support secure proactive systems steps towards ortaking enhancingcybersecurity. orotherincentivestool; and offering financialassistance andtaxsupport for of fostering the production ing SMEsandotherspecificstakeholders;provision oftraining; provision ofanonlineself-assessment and online(e.g. manuals, booklets, handbooks, modelpoliciesandconcepts); settingupwebsites target cation andtraining initiatives. information Examplesofsuchinitiatives available include:making off-line associations collaboration orgovernment-industry canhelp administrations design andimplement edu ment initiatives have beendirected at awareness-raising for SMEs. Government dialoguewith business Developing canbeachieved inprivate aculturefirms inseveral sector ofsecurity ways.Many govern 4.7.2.3. Encourage thedevelopment infirms ofaculture ofsecurity industry, educational institutions, homecomputer users, andgeneral public). (3) communications, communications withbothinternal andexternal (e.g. othergovernment agencies, across(2) coordination thegovernment; activities and andcollaboration oncybersecurity awareness;government andacademiato raise cybersecurity (1) stakeholderoutreach andengagement to buildandmaintain trusted relationships between industry, Three components needto functional beconsidered, indeveloping anawareness programme: initiatives,information andpromoteissues. aboutcybersecurity collaboration oncybersecurity professionalsamong thepublicandkeystakeholders, maintain relationships to share withcybersecurity awarenesscybersecurity An effective programme national awarenesscybersecurity should promote awareness4.7.2.2. Security programmes andinitiatives for usersofsystems andnetworks ------109 Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex Protection and of Privacy Transborder Flows ofP and in obviating unnecessary restrictions to tr restrictions and inobviating unnecessary personal information. settingoutcore By pr one form ofinternational consensus ongen by variouscountries, andby international orga governments, businessandconsumer represen • U.S. NISTsite: csrc.nist.gov/ and csrc.nist.gov/fasp/ andcsrc.nist.gov/ispab/ • U.S. site: www.us-cert.gov/ CERT • • U.S. Federal Acquisition Regulation(FAR), 1,2,7,11,and39.www.acqnet.gov/FAR/ parts news/releases/2003/12/20031217-5.html • U.S. HSPD-7, final.pdf • State• Multi andAnalysis Information Sharing Center: Page: Main www.msisac.org/ Final. A Culture for Information Systems ofSecurity inOECDCountries andNetworks (DSTI/ICCP/REG(2005)1/ Declaration ontheProtection• OECDMinisterial (1998) onGlobal Networks ofPrivacy [2002] www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html • OECD • UNGARES57/239Annexes aandb. www.un.org/Depts/dhl/resguide/r57.htm 4.8.1. Government systems (4.2.7.1,4.2.7.2,4.2.7.7) andnetworks 4.8. References (e.g., regulations) andpersonnel(i.e., guidelinesormandatory components. voluntary bestpractices) together to develop andimplement measures that incorporate technological (i.e., standards), process Addressing t 4.7.2.8. Develop awareness ofcyber-threats andavailable solutions. regime andupdate itto theonlineenvironment. T existing privacy 4.7.2.7 Review to engagestuden may beopportunities as addressing difficult technicalchallenges. berthreats ofinforthe security To theexten 4.7.2.6. Enhance Scienceand Technology andResearch andDevelopment (R&D) activities. (S&T) ofcyberspace. that willprotect theirportions agencies, businesses, andindividualconsumers to obtainrelevant outmeasures information andcarry The [U.S.] National Strategy to Secure Cyberspace: www.whitehouse.gov/pcipb/ The U.S. Federal of2002(FISMA) Act Management Informationcsrc.nist.gov/policies/FISMA- Security “Guidelines ofInformation Systems for theSecurity andNetworks: , countries features canhelpshapethedevelopment withsecurity ofproducts built-in, aswell t that government supports R&D activities, some of its efforts shouldbedirected towards someofitsefforts R&Dactivities, t that government supports echnical issuesrequires that governments, businesses, andindividual userswork civilsociety “Critical Identification, Infrastructure Prioritization andProtection” mation infrastructures. Throughcy theidentificationto mitigate ofR&Dpriorities ts in cybersecurity initiatives. ts incybersecurity inciples, theseguidelinesplay amajorrole inassisting Where inanacademicinstitution,there R&Disconducted er al guidance concerning andmanagement of thecollection ansborder data flows, bothonlineandoff-line. niza ta ersonal Data ,adopted on23September1980,represent tives in their efforts to protect privacy andpersonaldata, tivesto protect privacy intheirefforts his review should consider privacy mechanismsadoptedhis review shouldconsider privacy tions, suchastheOECD. The OECDGuidelinesonthe Towards aCulture ofSecurity” www.whitehouse.gov/ The Promotion of -

110 Organizational Technical and Procedural International cooperation for Legal Measures Cybersecurity Capacity Building Structures Measures for Cybersecurity Annex • Canada: www.psepc-sppcc.gc.ca • NewZealand: www.netsafe.org.nz U.S. inthisarea. efforts org/COMNET/STI/IccpSecu.nsf?OpenDatabase). The U.S. response provides acomprehensive of overview ICCP/REG(2004)4/Final) andtheU.S. response to thequestionnaire (whichisfound at webdomino1.oecd. also: • See • OECD’s www.oecd-antispam.org Anti-Spam toolkit, • U.S. CERT: www.us-cert.gov/nav/nt01/ • OnGuard Online:onguardonline.gov/index.html • Stay Safe Online:www.staysafeonline.info/ • U.S. President’s Information • U.S. Federal Plan for R&D:www.nitrd.gov/pubs/csia/FederalPlan_CSIA_RnD.pdf • U.S. DHSR&DPlan: www.dhs.gov/xres/programs • U.S. DHS/Industry • U.S. CERT: www.us-cert.gov/ • National Cyber Partnership: www.cyberpartnership.org Security 4.8.2. Businessandprivate organizations sector (4.7.2.3,4..5,.7) 4.8.3. Individuals andcivilsociet 4.8.3. Individuals ties: www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf The OECDquestionnaire onimplementation ofaCulture (whichis found at DSTI/ ofSecurity “Cyber Storm” Technology Committee onCyber research Advisory report Security priori y (4.7.2.4,4..6,.7) exercises: www.dhs.gov/xnews/releases/pr_1158340980371.shtm - 111 CHAPTER 5 International Cooperation for Cybersecurity International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex with substantial economic andtechnological resources. Cyber-criminals are increasingly developing new Cyber-criminals are nolongerplayful hackers, butare now well-organized inprofitable conglomerates botnets allgive causefor concern. presence– theoverwhelming ofspam,thesophistication ofphishingsites andthespread ofimplanted threats are growing incyberspace rapidly. The rate at which newvirusesemerge upto –often 20aday must guardals andsoftware againstmany differenttypes ofvulnerabilities. As vulnerabilities increase, sider. profession Further, security needfindonlyonevulnerability to exploit, whileICT cyber-criminals andduelegalprocedure boundaries jurisdictional –niceties thatneednotconmust observe criminals sion ofrapidly renewable arsenalsofattack weapons, that canpotentially Authorities causeglobalharm. Cyber-attacks are independent oftimeandplace. Cyber-defense ishard are -criminals now inposses (Figureits impact 2.3inChapter 2). tions. Further, itiseasyto how learn to commit needsfew acybercrime,whichoften resources relative to orresourcesexpertise to address theissue. Cybercrimes are notalways illegalinsome jurisdic clearly to coordinate,inability dueto legalreasons technical donothave orbecauseauthorities thenecessary The casefor international cooperation iseven stronger, takeadvantage whencriminals ofcountries’ in theworld andmasktheiridentity. jurisdiction”, investigation making andlaw enforcement difficult.act Perpetratorsfrom can any location The borderless nature enablesmalicious individualsandgroups oftheInternet to exploit of “loopholes usingacomputermit acrime inanothercountry, ornetwork withoutever oforigin. leaving country Cyberspace is ortheInternet “borderless” innature. and canbelocatedcom Offenders inone country The needfor isevident, international dueto thenature itself. cooperation ofcyberspace incybersecurity 5.2. common platforms to promote cybersecurity. givesin cybersecurity. It examples ofhow different organizations are interacting and collaborating on ITU-D. This chapterto develop discussesefforts andenhance frameworks for international cooperation plays aleadingrole incybersecurity,by incapacity-building withthework currently beingundertaken thatprinciples have infrastructure. benefited governments ITUalso dependent andindustries uponICT ITU hasplayed aleadingrole inthisarea andprovides aplatform for countries to agree oncommon these vehicles for international dialogueissometimeslacking. Countries musttakeadvantage ofthesevehicles for international cooperation. However, awareness of be international inter-governmental; regional inter-governmental orPrivate andPublic Partnerships andstimulate dialoguebetween stakeholders.cyber-threats, Suchvehicles enhance cybersecurity can There are anumberofvehicles for international cooperation that have beenestablishedto respond to respond andquickly. to cyber-threats swiftly andbeableto cooperate to inamannerthat protect cybersecurity allowsown jurisdiction countries to issuesinatimelymanner.security They mustensure that there organized exist structures withintheir threats isvitalthat countries andotherinformationnetwork canrespondIt to security cybersecurity must view, anddealwithinformation prioritize security. interconnectivity withitnewpossibilitiesfor brings inhow digital we disruption,requiring asea-change are now interconnected, andexchanging peopleandobjects, linking information innewways. Global mation society. Countries, economies, government have systems, andfirms come but to dependonICT nowInternet transcend borders, negating frontiers andreducing distance, andcreating aglobalinfor Today’s everyone. connect Computing networks capabilities, telecommunications globalICT andthe 5.1. The Needfor InternationalCooperation Introduction ------113 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex The global nature of thelegal, technical andorganizational can only challenges related to cybersecurity on bilateral andmultilateral platforms. currently noglobalgovernance system to control spam.,where international cooperative isbased action countries develop watch andwarningnetworks, with real-time ofthethreat sharing information. There is one ofanumberregional initiatives (Chapter 1).Internationalcooperation canalsowork well, where launched theITUGlobalCybersecurity Agenda. The Council ofEurope’s Convention onCybercrime is Frameworks for international cooperation have beenputinplace by anumberoforganizations. ITUhas (includingpolicies,structures roadmaps andstrategies) isvital. exchange ofinformation andbestpractices, training andresearch. Capacity-building inorganizational of thenation-state. Countries shouldtakeaproactive role ininternational initiatives, especiallyinthe through justice andpolice systems. Cybercrime isaphenomenonwitheffects farbeyond theborders nature andtheorganization necessitate ofcyber-attacks ofcriminals international cooperation actions efficient. International cooperation keeping islagging behindandhasdifficulty pace. The cross-border are constantlyWhile activities onlinecriminal evolving, are structures criminal better organized andmore 5.3.2. Internationalcooperation Operationscan UnionandNetwork Groups (NOG). Statesof American (OAS), theAssociation EastAsian ofSouth Nations (ASEAN), theArab League, theAfri the Council ofEurope, theG8Group ofStates, Asian Pacific Economic Cooperation Organization (APEC), At theregional level,initiatives for have important example, beenundertaken, by theEuropean Union, national strategies incorporating international cooperation. such asinformation-sharing, networks. warning, Countries early needto monitoring andalert establish withorganizationsternational cooperation from othercountries shouldbebasedonpartnership inareas issueshaveAs security cyber-threats andotherinformationnetwork become borderless, security in asinspirationbest practice to othercounties. the establishment ofinternationally secure andthedevelopment ofasafe environment. They canshare asaliaison.Developed societiesare to act well-positionedlish acentral to contribute point-of-contact to regions shouldwork withneighbours, withregional initiatives opento shouldestab others. Eachcountry A coordinated approach includestheexchange ofinformation andbestpractices. Countries from specific sufficiently developed. cyber-attacks, mutualassistance proven hasoften ineffective andnew cooperation are structures not yet al operational cooperation remains amajorchallengeinthearea ofcybersecurity. When confronted with are confined to national borders.Sovereign ininternational states discussions. shouldparticipate Region canbeeffective, toDue theglobalnature ifefforts ofinformation oncybersecurity networks, nopolicy 5.3.1. Regional cooperation givesThis section examples ofmodelsinternational cooperation at work. 5.3. ing damage. cantake advantage ofthepotentialother groups ofthesetoolsfor andsoftware intent caus oncyberwar be driven by more sinister motives is easyto for imagine how orstates politicalgain.It cyber-terrorists or attack software, whichsoonfindits way ontoBeyond theblackmarket. profits, these groups may also Current ofInternationalCooperation Models - - - - - 114 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex organized more crime effectively. organized crime, andseeks to promote international cooperation to prevent andcombat transnational tion 55/25,of15November isthemaininternational instrument inthefight 2000.It against transnational The UNConvention against Transnational Organized was Crime adopted by General Assembly resolu 5.3.3.2.Existing UNInternational Provisions new treaty. theConventionimplement existing instruments, inparticular onCybercrime, rather thandeveloping a whether aseparate instrument was neededfor andconcluded cyber-terrorism that countries shouldfully xenophobic propaganda viacomputer offence. acriminal networks In 2007-2008, the CoE reviewed The Convention hasbeensupplemented by anAdditional Protocol publication ofracist and making tion. and prosecution ofsuchoffences.It seeks to set upafastandeffective regime of international coopera cybercrime, providing for procedural thedomesticcriminal law for powers theinvestigation necessary cooperation”. The Convention seeksto substantive harmonize thecriminal law elements ofoffences and againstcybercrime,interof society alia,by adoptingappropriate legislation andfostering international is mainobjective Its “to pursue, asamatter ofpriority, aimedat theprotection acommon policy criminal procedures suchasthesearch ofcomputer andinterception networks (seeChapter 1). related fraud, childpornography andviolations security. ofnetwork alsocontains ofpowers aseries It and that entered withinfringementsofcopyright, into force computer- dealsinparticular on1July2004.It monizing national laws, improving investigative techniques andimproving cooperation amongnations, er networks. The Convention onCybercrime isaregional to initiative by address har cybercrime seeking addressing theneedfor committed newsubstantive conduct through laws comput certain criminalizing andothercomputer-relatedhacking since crimes 1989,whenitpublishedastudyandrecommendations The Council ofEurope (CoE) to address hasbeenworking growing concerns over thethreats posedby 5.3.3.1.Convention onCybercrime 5.3.3. FIRST(Forum andSecurity Response ofIncident Engineering Internet • The InternationalElectrotechnical Commission (IEC); • InternationalOrganization for Standardization (ISO); • Corporation Internet for Assigned NamesandNumbers(ICANN); • UNInterregional andJustice Crime Research (UNICRI); Institute • UNOrganizations Problems onDrugandCrime (UNODC) • The Organisation for Economic Cooperation andDevelopment (OECD); • /Europol; Interpol • International • United Nations GeneralAssembly; • • tant initiatives by: have beenundertaken holders andexisting initiatives inaframework ofinternational cooperation. At international level, impor be properly addressed through astrategy that takesinto account therole played by allrelevant stake Legal Measures Telecommunication Union(ITU); Task Force; Teams). ------115 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex recommendations adopted by theEleventh Congress. Recommendations by anAd-hoc Congress Justice.Criminal Para. 2ofGeneral Assembly 60/177invites Resolution Governments to implement all Crime”, of theEleventh UNCongress 2005 aspart heldinBangkok on22April Prevention on Crime and • Paras. 15and16ofBangkok Declaration on Prevention Justice”, andCriminal endorsedby 60/177of16December 2005. GAResolution • of the Twenty-first century” annexed 2002. Generalto Resolution 56/261of31January Assembly Para. 18ofthe forof action theimplementation ofthe Vienna Declaration andJustice: theChallenges onCrime Meeting first century”, endorsed GeneralDecemberby Resolution 55/59 of4 2000and Assembly Para. 36of “Plans • ECOSOC 2004/26 of21July2004on Resolution related crimes”. investigation, prosecution andpunishment offraud, and misuseandfalsification thecriminal ofidentity • ECOSOC E/2007/20 of26July2007on Resolution E/2007/SR.45). investigation, prosecution andpunishment ofeconomic fraud andidentity-related crime” (E/2007/30and • CCPCJ 2007 16/2ofApril 2007Resolution • on arange ofareas andcybercrime: related to cybersecurity There are many decisions, resolutions andrecommendations emanating from theUnited Nations system 5.3.3.3.United Nations system decisions, resolutions andrecommendations some element oftransnational involvement”. committed by organized groups criminal where orthegroups either thecrimes whocommit themhave “States Parties shallbeableto rely ononeanotherininvestigating, prosecuting andpunishingcrimes 2(asdefinedabove). Italsostates: justice); crimes, and otherserious asdefinedin Article of 23(criminalizationofobstruction 8(criminalization ofcorruption); Article proceeds Article ofcrime); inanorganized ofthe 6(criminalizationofthelaundering group); crime nalization ofparticipation Article The Convention appliesto theprevention, investigation andprosecution 5(crimi ofoffences in: Articles constituting anoffence conduct crime: Serious punishablewithamaximumdeprivation ofliberty of at leastfour sanction. years orastricter An offence committed inoneState, butwithsubstantial effectsinanotherState. • • An offence committed inoneState, butitinvolves anorganized group criminal that engagesin inmore thanoneState; activities criminal • An offence committed inoneState, ofpreparation, planning, butsubstantial part or direction control takesplace inanother; An offence committed inmore thanoneState; • Transnational crime: • • Organized group: criminal • do provide elements ofaclearconcept oforganized crime. For instance: Although theConvention doesnotprovide asingle, agreed definitionoforganized crime, itsprovisions sponses to combat sexual exploitation ofchildren” (especiallyparas 7, 16). ous crimes inorderous crimes to obtainfinancialorothermaterial benefit. Declaration andJustice:theChallengesof onCrime Meeting “Vienna Three together ormore to personsworking commit oneormore seri “Effective prevention crime justice andcriminal re Workshop on “Synergies Strategic andResponses: Alliances inCrime “International cooperation intheprevention, “International cooperation intheprevention, “Measures to Combat Computer-Related Twenty- - - - 116 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex lack oftechnical resources. cies are notwell-prepared to meettheseemerging challenges, eitherthrough lackofunderstanding or and Itorganizedcrime. gaged indrugtrafficking concluded that most front-line law enforcement agen UNODC hasalsoreviewed measures to counteract newtrends intheuseoftechnology by groups en ments andconcerned industries.recent During meetingsofHeadsNational Drug Law Enforcement, The InternationalNarcotics from Control govern withexperts actively Board (INCB)hasbeenworking other agencies. to terminate suchsalesthrough greater coordination between thejudicial, police, postal, customs and offer, ofinternationally saleanddistribution controlled licitdrugs.3Member States candevelop policies UNODC encourages States Member to takemeasures to prevent for themisuseof the Internet theillegal and oflicitdrugs andpeople(human aretrafficking) engagedintheonlinetrafficking cybercriminals this publication isnow asa reference. inneedofrevision, itdoesserve Organized conglomerates of onthePreventionUNODC publisheditsManual andControl ofComputer-related in1994. Crime While cybercrime to UNODCefforts combat 5.3.3.5.Other cooperation to prevent, investigate andprosecute high-technology andcomputer-related crime. national measures andinternational cooperation andwelcomed to enhance againstcybercrime efforts tegic Alliances Prevention inCrime Justice”, andCriminal develop States calledonMember to further The outcome oftheeleventh UNCongress, theBangkokDeclaration on “Synergies andresponses: Stra workshop. The Congress andbackground report paperoftheworkshop are bothavailable from UNODC. Congress inBangkok, Thailand, 2005focused inApril onissuesofcomputer-related inaspecial crime Congress onthePrevention andthe ofCrime Treatment inHavana, ofOffenders Cuba. The most recent computer misuse. 1990,theUNadopted aresolution In oncomputer legislation crime at the8thU.N. CongressesUN Crime have also considered thetechnical enforcement issuesandcriminal associated with 5.3.3.4.United Nations Congresses Crime collaborationrity andto promote aculture ofcybersecurity. ation ofaglobalculture ofcybersecurity”, whichinvite States Member to takenote ofongoingcybersecu 2004on 2003and58/199of30January GeneralAssembly 57/239of31January Resolutions • The InternationalNarcotics Control Board (INCB)publishedrecommendations in2005to the curb INCB isalsofinalizingasetofguidelinesonthis. spread ofillicitsalescontrolled pharmaceutical preparations, substances, particularly over theInternet. • Various conclusions bodiesoftheCommission andrecommendations onNarcotic ofsubsidiary and regional HONLEAmeetings). Drug Drugs (e.g., onIllicit theSub-Commission Traffic Related MiddleEast and Matters intheNearand • ECOSOC 2004/42on Resolution Internet”. Commission onNarcotic 43/8of15March DrugsResolution 2000onInternet. • • Para. 17ofGeneralAssembly resolution 60/178of16December 2005on • Commission onNarcotic 48/5on DrugsResolution order to prevent to theuseofInternet commit drug-related crime”. • Justice.and Criminal ogies, to takeinto account, inter alia,thework andachievements oftheCommission Prevention onCrime GeneralAssembly 55/63of4December 2000and56/121of19December Resolutions 2001on when developing national law, to andpractice combat misuseofinformation thecriminal policy technol “Combating misuseofinformation thecriminal technologies”. The latter resolution invites States, Member • tion againsttheworld drugproblem”. ofinternationally“Sale controlled licitdrugsto individualsviathe “Strengthening international cooperation in “International coopera “Cre ------117 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex Jurisdiction. oftraffic data timecollection andinterception Real ofcontent data; and • Search andseizure ofstored computer data; • Production order; • • Powers ofexpedited disclo ofstored preservation data andexpedited andpartial preservation • offences. Suchprocedures include: mitted over computer systems, evidence ofelectronic andshouldapplyto ofallcriminal thecollection However, thesepowers andprocedures are alsovitalfor theprosecution offences ofother criminal com against ITinfrastructure isessential for theinvestigation across andprosecution borders. ofcybercrime Adopting appropriate procedural laws, powers andprocedures for theprosecution offences ofcriminal 5.4.2.1.General principles 5.4.2. vices, computer-related andcomputer-related forgery; fraud. access,could criminalize Illegal illegalinterception, data interference, system interference, misuseofde substantive offences. Onthebasis ofkey regional andinternational harmonizationefforts, countries To combat globalcybercrime,countries mustestablishsomedegree inthedefinitionof ofconsistency 5.4.1. 5.4. the adoptionofappropriate legislation. Stateskok Declaration,fraud document whichcalledonMember andidentity encourage to tackle identity-relatedcurb Group Meetings. crime, withtwo Expert These initiatives are inlinewiththeBang onbeststrategies dialogueamong 2007/20, UNODCcontinuesexperts to to promote itsefforts further the Commission, ECOSOC adopted 2004/26.Furthermore, Resolution andinlinewithECOSOC Resolution arecrimes committed andcomputer-related usingtheInternet technology. At therecommendation of (identity-related misuseandfalsificationing onthecriminal ofidentity whichis crime), relevant when Commission Prevention onCrime Justice. andCriminal Among otherareas, theCommission iswork combat misuseofinformation thecriminal technologies, to takeinto account, inter alia,thework ofthe formation technologies” invites States, Member whendeveloping national law, to andpractice policy General Assembly 56/121of19December 2001on Resolution “Combating misuseofin thecriminal appropriate legal, administrative andtechnical responses. More information aboutthemethodsusedby traffickers onlinewillhelp to recruittheirvictims formulate potentialfriend victims. The ofyoung risks peoplefallinginto traffickers’ nets have risensubstantially. bureaux) canbeusedasploys to target potential chat Internet websites victims. are usedto often be using onlinedating, employment andrecruitment agencies(e.g. agenciesandmarriage modelorartist withgovernments,partnerships NGOs, industry, mediaetc. Traffickers can online now recruittheirvictims 2007,UNODClaunchedaGlobalInitiative toIn Fight Human Trafficking to raise awareness andbuild include representatives from G8countries, law enforcement andacademics. andtraining experts a focus oneffective law enforcement andjudicial cooperation. Although a regional initiative, experts provide training courses andtechnical advice ontheprevention andinvestigation ofcybercrime,with a digital platform for law enforcement, judicialofficialsandacademics from developing Itwill countries. UNODC hasdeveloped a ForumVirtual againstCybercrime withtheKorean as ofCriminology Institute sure oftraffic data; Procedural Law Substantive Law Criminal Areas for Potential InternationalCoordination inLegal Efforts ------118 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex 5.5.1. security, the andsponsoring WSIS. networks, establishingadialogueonnumberofproblematic issues, including spamandinformation to build efforts consensus onanumberof topics, including settingstandards onproviding security for dence andtrustintheuseofICTs. Various UNbodies are engagedinsignificant research and negotiation The UNhaslongbeenengagedinwork onglobalissues andisinvolved inmany building confi efforts 5.5. Identify newstandards work that ITU-T Study Groups andotherStandards Development Organi Complete astandards gapanalysis; and • IdentifyIdMframework generic components; • Perform requirements analysis basedonusercasescenarios; • • tion ofaperson. The Focus Group aimsto: Management onIdentity such asasubscriber, adevice, oraprovider”, whichisnot, however, intended to indicate positive valida framework. The term ‘IdM’ isunderstood as “management by providers oftrusted attributes ofanentity, Management. onIdentity tion ofexperts The Focus Group may related analyze otheraspects to sucha meeting, to facilitate thedevelopment framework Management Identity ofageneric withtheparticipa ITU’s Focus Group was Management establishedby onIdentity Study Group 17at its6-15December 2006 seamless nomadicroaming between services. IdM solutionsoffers benefits, suchasincreased ofspamand trust byusersofonlineservices, reduction Interoperability between existing andotheronlineservices. vitalin e-commerce customers andservices, andfraud. theft Further,tity IdMisoneofthekeyenablerssimplifiedandsecure interactions between ofpersonalinformation.used, AglobalIdMsolutioncould whilemaintaining privacy helpdiminishiden IdM offers of thepossibility reducing theneed for multipleusernamesandpasswords for eachservice (IdM) Management 5.4.2.3.Identity crimes.of electronic vention onCybercrime provides a scheme for mutuallegalassistance casesofinvestigation inelectronic on,investigatorsEarly realized theneedto andprocedures establishcontacts inothercountries. The Con between States more rapidly thaninvestigators canfollow usingtraditional investigative techniques. id growth andtheincrease ofnetworks speedsallow to inconnection criminals transfer theiroperations LegalMutual Assistance isvitalfor investigations international cybercrime orcivilinvestigations. The rap Legal5.4.2.2.Mutual Assistance Agreements munication Standardization Advisory Group (TSAG). munication Standardization Group (TSAG). Advisory representatives from recognized SDOsandforums. IdMexternal progress willreport JCA-IdM to Telecom by TSAG includerepresentatives inDecember Members 2007.JCA-IdM from ITUStudy Groups andinvited The establishment oftheJoint Coordination was approved for (JCA-IdM) Management Activity Identity entity’s attributes. provider orIdP)that islegallyresponsible for maintaining identifiers, credentials andsomeorallofthe trust between entities; ofanentity’s andthediscovery information identity (e.g., authoritative identity information;identity identities recognizing representing partial entities inaspecific context; establishing IdM isacomplex technology that includes:establishing, modifying, suspending, archiving orterminating of secure information management ofidentity (e.g., credentials, identifiers, attributes, and reputations). context and doesnotindicate positive validation management (IdM)istheprocess ofaperson.Identity For ITU-T by represents anentity purposes, asserted theidentity inaspecific theuniquenessofthat entity zations (SDOs)shouldundertake. General Assembly Resolutions International conventions andrecommendations ------119 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex 5.6.1. 5.6. Promoting aGlobalCulture ofCybersecurity Terrorism. University inCalifornia, whichresulted inaProposal for an InternationalConvention onCybercrime and Conference onInternationalCooperation to Combat Cybercrime and Terrorism, organized by Stanford mendations for thedevelopment ofcomputer legislation. crime Another example istheDecember 1999 include theUniversity of Wurzburg Conference in1992,whichintroduced andrecom 29national reports Academic conferences have alsoprovided ideasthat have later appeared innational legislation. Examples 5.5.3. has approved over onehundred Recommendations onsecurity. technical languagesandotherissuesrelated oftelecommunication toaspects systems. thesoftware It ies onsecurity, theapplication ofopensystem anddirectory), communications (includingnetworking ance and thecoordination ofsecurity-related work across allITU-T Study Groups. isresponsible for It stud Study Group 17istheLead Study Group onCommunications guid System andhandlessecurity Security Framework thiswithguidelinesonprotection againstcyberattacks. extends security,end network enablingoperators to pinpoint andaddress vulnerabilities. network ITU’s Security architecturethe security for systems communications providingthat canprovide end-to-end end-to- tion keys for digital signatures, transactions. ITU’s emailande-commerce X.805Recommendation defines betweenX.509 areweb-browsers andagreeing connections widelyusedinsecuring andservers encryp cates anddesigning applications related to Public (PKI). KeyInfrastructure The elements definedwithin for authentication electronic over publicnetworks. X.509isthedefinitive reference for public-key certifi standards inusetoday security Recommendation isX.509,anITU-developed One ofthemostimportant ments. for telecommunicationstication, security emergency andtelecommunicationrequire security network eavesdropping, theft, from identity attacks, for network ordenial ofservice, authen theft tele-biometrics and countermeasures to mitigate risks. ITU’s covers work onsecurity abroad insecurity range ofactivities requirements,security guidelinesfor security protocol authors, guidance onhow to identify cyberthreats bodiesinstandardsof themostactive development andharmonization.ITUhasdeveloped overview andhelpprovideproducts businesseswithasystematic approach to information security. ITUisone Standards intechnologies, helpguarantee andsecurity establishedlevels systems ofperformance and 5.5.2. 58/199of23December 2003on Resolution Protection Information of Critical Infrastructures”. 57/239of20December 2002on Resolution • • 55/63of4December 2000and56/121of19December Resolutions 2001on ofInformation Misuse Criminal Technology”. • 53/70of4December 1998,54/49of1December Resolutions 1999,55/28of20November 2000, ments intheField ofInformation and Telecommunications intheContext ofInternationalSecurity”. 56/19 of29November 2001,57/53of22November 2002and58/32of18December 2003on “Develop • passed anumberofresolutions. Relevantinclude: UNGAResolutions The First, Secondand Third Committees issuesand oftheGeneralAssembly have examined cybersecurity Different Perspectives Educational andResearch Bodies ITU Standards and Working Groups “Creation ofaGlobalCulture ofCybersecurity andthe “Creation ofaGlobalCulture ofCybersecurity”. “Combating the ------120 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex How to identify valuable assetsandrelated risks; mission,management andconditions practices ofsuccess; Security • Assessments ofvulnerabilities andthreats; • • ment, inparticular: Executive manage security managersofany organization (includingSMEs)shouldunderstand basicICT 5.6.4. Organizational dimensions the international level anddevelop measurescybercrime toat aninternational fight level. need tocyberlaws beableto definealegalframework enforceable of at national level and compatible at and ofinternational collaboration Law inorder enforcement to dealwithglobalcyberthreats. authorities ing international regulation. Combating requires cybercrime aunderstandingofcomputer-related crime computer investigation andforensic methodologies andtools andhow to interpret and implement exist technologies musttakeaccountuse ofICT legalrequirements at thenational andinternational levels; Taking into account theneedsofjustice andpolice professionals, thelegalframework relating to themis How to develop strategic improvements security. inICT 5.6.3. Legal dimensions How to create, environment; maintain anddevelop and trustinICT • The role ofrelevant stakeholdersandtherelationship between theprivate andpublicsectors; • Needsfor protection at national, regional andinternational levels; • ICT-related threats, andeconomic issues; crime privacy • • The linksbetween socialandeconomic issuesinaconnect development andsecurity withcrime • should takeaccount of: issuesare governmental, andcybercrime Since andnational security, cybersecurity issues, governments 5.6.2 Political dimensions Figure 5.1:From aglobalculture to aspecificculture intheinformationfor actors security political, legal, organizational, technical andsocialdimensionsofcybersecurity. An international approach shouldunite many (asshown actors inFigure 5.1)belonging to thedifferent makers; professionals andlaw enforcement officials. for end-users(includingchildren); technologies, orcontent service professionals andproviders; policy- mation society. shouldbedeveloped An appropriate through aglobalframework culture ofcybersecurity musttakeintoA globalapproach account to promoting allthedifferent cybersecurity intheinfor actors ed society withinterrelateded society infrastructures;

- - - - - 121 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex forcement rapidly. membersinclude ISPs, Its sites, onlineauction financial institutions, law enforcement andlaw enforcement,tion between industry data socritical to fight phishingcanbe provided to law en those responsible for andphishing. crimes electronic DPN establishesasingle, unifiedlineof communica and caseinformation, DPNfocuses law onassistingcriminal enforcement inidentifying andprosecuting groups haveWhile otherindustry focused onidentifying phishingwebsites bestpractices andsharing financial information, credit card numbersand codes. sites (usuallythrough forged or “spoofed” themto inputtheir personal data, including spammail)asking Phishing onlinethreat isaharmful theft. thattity involves peopleto directing falseandmisleadingweb leaders withlaw enforcement to combat “phishing,” andincreasing adestructive form offraud and iden Digital PhishNet (DPN)was establishedin2004asacollaborative enforcement bodyto unite industry 5.8.1. Digital Phishnet 5.8. Initiatives by thePrivate Sector/Industry/Academia/Government 2008 inHyderabad, India. course. To date, theIGFhasheldtwo meetings, withthe Third oftheIGFscheduledfor Meeting December foster thesustainability, robustness, security, anddevelopment stability andfacilitate oftheInternet dis issuesrelatedSociety. aimsto discusspublicpolicy to keyelementsgovernance It ofInternet inorder to in July2006. The mandate oftheIGFissetoutinParagraph 72ofthe Tunis Agenda for theInformation governance.Internet The establishment oftheIGFwas formally announced by theUNSecretary-General The Governance Internet Forum (IGF) is a multi-stakeholder forum dialogue on issues forrelating policy to Governance5.7.1. Internet Forum 5.7. Strategies for integration anddialogue resources; andbecybersecurity-aware. offence, etc…) understandhow andtheirimpact; toadoptsafe behavior online for thesecure useofICT Citizens shouldunderstandthreats for end-users(virus, usurpation,fraud, spam,identity swindle, privacy dimensions 5.6.6. Social transparent, auditableandthird party-controllable. technologies infrastructure. shouldbecost-effective, tools Security to user-friendly, protectsecurity ICT professionals reduce thevulnerabilities ofdigital environment anddefine, design andimplement efficient nical vulnerabilities andmisuse, aswell security asICT-related andcyberattacks. ICT risks, cyberthreats Concerning tech professionals thetechnological dimensionofcybersecurity, mustunderstandICT ICT 5.6.5. Technological dimensions rate withlaw enforcement andtechnical professionals. be ableto produce process effective security andmaster ICT-related costs and collabo risks andsecurity Executive managersneedto create theappropriate organizational andprocedures structures inorder to Howincomplex to anddynamicenvironments. managesecurity How to organize missionandto control, security evaluate, auditandestimate cost; • Howpolicy; to definesecurity • • ------122 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex Centre: Global Response IMPACT response willestablish anemergency centre andEarly • Research &Development: Certification, IMPACT Security ofglobalbest willdevelop achecklist auditsand o andinternational maypractices security conduct benchmarks. It • Training Development: IMPACT &Skills specialized willconduct training, seminarsetc. for the closing potential vulnerabilities. benefit ofmembergovernments to share‘best practices’ infrastructure, identifying and inprotecting ICT • functions: to to enhance respond theglobalcapacity to experts willhave cyber-threats. It fourers andcybersecurity academia againstgrowing willdrive cyber-threats. collaboration It amonggovernments, lead industry As anot-for-profit organization, IMPACT seeks to from rally efforts governments,private the and sector initiative establishedto respond againstEstonian websites). to (suchasthecyber-attacks cyber-terrorism tional Multilateral Partnership Against Cyber Terrorism (‘IMPACT’). IMPACT isamajorglobalpublic-private establish theworld’s firsttrulyinternational collaborativecyber-terrorismInterna –the institutionagainst To combat theGovernment cyber-terrorism, ofMalaysia announced inMay 2006that Malaysia would 5.8.3. Collaborate andpromote information-sharing aboutcompliance frameworks andregulatory to intheemerging andcomputerstrengthen security world. data privacy outITandsecurity-related R&Donissuesrelated Carry to cyberthreats. • • Promote innational computer capacity-building response/readiness emergency teams and among them; andinfrastructure, andinformation-sharing andcollaboration incident response teams (CERT andCSIRT) frameworks andsecurity; for Develop policy privacy • andinfrastructure; practices cyber-best Develop state-of-the-art • Promote by bestpractices tools, sharing cyber-defense procedures andpolicies; • Promote informationawareness security by professionals users, security andproviders; • • Create aninternational collaborative framework involving keygovernment, academic, andprivate to address to risks theglobalinformation partners sector infrastructure; • Promote to andinfrastructure,citizens inthedeveloping ITcapability connectivity andInternet world, consistent bestpractices, concerns; andsensitive withsecurity to privacy • The Center willseekto: groups. board andworking intheadvisory participate government andprivate entities, andconference, training, andexercise revenues. Sponsorsare invited to corporate sponsorship,include GMUsupport, government andfoundation funding, contracts with public andprivate entities toto identify buildonexisting and fund efforts requirements. Funding sources University (GMU),George Mason Washington DC,USA. The Center with willpromote partnership active One oftherecent initiatives from academiaistheproposal to establishanInternationalCyber Center in 5.8.2. InternationalCyber Center and several Electronic Task Forces). Federal USPostal byService, theFBI,Secret Service, (including participation Inspection Trade Commission panies to onjoint embark R&Dwith governments inspecificareas. International Multilateral Partnership against Terrorism (IMPACT) encourage membercom Warning - - - 123 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex Building onrecent in organizations efforts such asthe Asia-Pacific Economic Cooperation (APEC), EU, ITU, Global cooperation andPPPs are vitalfor spamenforcement, asrecognized by various international fora. 5.10.1. 5.10. InternationalPublic-Private Partnerships (PPPs( resolutions oftheOAS GeneralAssembly. The OAS asthe GeneralSecretariat serves Technical Secretariat to pursuant thisGroup to the ofExperts, To consider thepreparation ofinter-American legalinstruments andmodellegislation for protection ofinformation, procedural prevention. andcrime aspects strengthening cooperation hemispheric incombating cybercrime,considering standards for privacy, the To follow upimplementation oftherecommendations adopted by REMJA-III; and • • reconvened withthemandate: identify mechanisms ofcooperation intheInter-American system to combat cybercrime. The Fourth ofREMJArecommended Meeting that onCyber-Crime theGroup be ofGovernmental Experts identify national andinternational entities and withrelevant expertise; • diagnose national legislation, regarding policiesandpractices suchactivity; • • diagnose of committing anoffense; • mended theEstablishment ofanintergovernmental group oncybercrime,withthemandate expert to: ofJusticeorAttorneys March 1999,theMinisters or In (REMJA) GeneraloftheAmericas recom 5.9.2. Organization States ofAmerican (OAS) tion security. tion security, theSCO approved Plan theAction intheSCO framework international onensuring informa cooperation andcrime. Given onissuessuchassecurity thegrowing ofinternational informa importance ment withtheCollective Security Treaty Organization (CSTO), inthe Tajik capital, Dushanbe, to broaden Kyrgyzstan, of China,Russia,Kazakhstan, Tajikistan 2007,itsigned anagree October In andUzbekistan. The SCO isanintergovernmental organization whichwas mutual-security founded in2001by theleaders 5.9.1. The ShanghaiCooperation Organization (SCO) 5.9.1. InternationalInter-Governmental 5.9. area”. The newCyber Defense centre willbeformally openedin2009. of theCyber Defense Center. The centre willhelpNATO “defy andsuccessfully counter thethreats inthis Defense ministers pressed for aNATO 2007,whichledto thecreation inOctober policy cyber-defense somefinancialsystems off-line forseveralknocking hours, prompting Estonia toask forhelp from NATO. da for thepastyear, following againstEstonia inMay 2007. thecyber-attacks The attacks succeeded in Defense Center ofExcellence willoperate outof Tallinn, Estonia. Cyber-warfare hasbeenonNATO’s agen NATO plansto setupadefence centre to researchcyber warfare. andhelpfight The Cooperative Cyber Atlantic 5.8.4. North Treaty Organization (NATO) Centre for Policy, Framework Regulatory &InternationalCooperation: national laws cyberthreats. to tackle as Interpol, EU, ITUetc., IMPACT willcontribute to thedevelopment ofnewpoliciesandharmonization • System providing protection across pro-active theglobe. London Plan Action Strategies for multi-stakeholderpartnerships criminal activity targeting computers and information, or using such Working withpartners computers as the means - - - - - 124 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex organizations to prepare Examine thecapabilities ofparticipating for, protect from, andrespond • Cyber Storm IIsought to: ships that are theexercise during critical situations. cyber-response andinactual Exercise planningandexecution strengthens cross-sector, inter-governmental andinternational relation cedures, tools andorganizational responses coordinated to amulti-sector attack onglobalinfrastructure. As theDepartment’ssectors). biennialNational Cyber Exercise, Cyber Storm IIexamines processes, pro (includingchemical, infrastructure sectors oncritical IT,cyber-attack communications andtransportation Cyber Storm exercise, II,acomprehensive coordinated cybersecurity whichsimulated alarge-scale ofHomelandSecurity’s March National 2008.theDepartment Cyber-SecurityIn Division(NCSD) hosted 5.11. Strategies for information-sharing -Cyber exercises Drill ticipation, ascooperation to national law issubject andinternational obligations. does notconstitute oracommitment legallybindingobligations amongparticipants, to continuing par The London Plan Action themutualinterestinfight reflects againstillegalspamand ofparticipants 4) Work with Agencies to develop efficient and effective ways to frame information requests. casesofspamandnewmeanscooperatinging spamcasesby reporting withagencies. 3) Participate theregular conference callsfor ofassistinglaw thepurpose enforcement agenciesinbring (e.g.,lar sectors ISPs, registrars, etc.) onspamenforcement. working 2) Work with otherprivate representatives sector to establisharesource listsofindividualswithinparticu 1) Designate spamenforcement withineachorganization; contacts Participating private representatives sector intend to develop PPPs againstspamandto: theinvolvement7) Encouraging andsupporting ofLDCsinspamenforcement cooperation. 6) Completing theOECDQuestionnaire oncross border Enforcement ofAnti-Spam Laws. when requesting5) Prioritizing to international casesbasedonharm victims assistance. Agencies inbringing spamcases.the private cansupport sector 4) Encouraging dialoguebetween Agencies andprivate representatives sector to promote ways inwhich 3) Taking inregular conference part to discusscases; callswith otherparticipants Plan.this Action for contact to coordinating designatewithin thesamecountry aprimary enforcement cooperation under to achieve withintheircountry efficient and ity effective enforcement, and towork withother Agencies 2) Encouraging communication andcoordination between agencieswithspamenforcement author enforcement; for1) Designating further apoint withintheiragency ofcontact competence, to develop better international spamenforcement cooperation, by: Participating government andpublicagenciesintend to usetheirbestefforts,in areasrespective of representatives,sector to expandofentities thenetwork engagedinspamenforcement cooperation. by interested PlanTthe Action isalsoopento participation governments, publicagenciesandprivate tions agenciesandconsumer protection agencieswere present, includingprivate representatives. sector forcement. Arange ofspamenforcement agencies, includingdata protection agencies, telecommunica for enforcing laws concerning spammetinLondon to discussinternational cooperation inspamlaw en 2004,governmentfightOctober againstspam.On11 andpublicagenciesfrom 27 countries responsible developed theLondonwork (ICPEN),participants Plan Action to promote international cooperation inthe the OECDandSpam Task Force andtheInternationalConsumer Protection Enforcement Net ------125 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity

Annex Area five are presented in Annex 1 to thisbook. andadvocatingharmonizing international cooperation. The recommendations from arising HLEG Work work outsideITU,ing cybersecurity and(2)involving for general activities themonitoring, coordination, (1) theenhancement ofthefocal point withinITUto incollaboration managediverse activities withexist The HLEG Work Area five hasdeveloped strategic proposals inthedomainsof: Secretary-General, for ITU cybersecurity.collaboration inthefieldof examples ofpromising channelsandinitiatives andindevelopment underway to promote international vital. Strong andeffective framework for international collaboration isneededandthischapter has given national cooperation. The international scope oftheseissuesmakesinternational dialogueandaction issuesandconsidered security information andnetwork how thesecanbeaddressed security by inter This chapter hasprovided andother ofsomethekeychallengesposedby cybercrime anoverview 5.12. Conclusions pendencies ofglobalcommunication networks. companies fromintheexercise thefour participated infrastructure sectors critical to simulate theinterde Centers, Coordinating Sector Councils andGovernment Coordinating Councils. 40private Over sector of Justice). was Private coordinated participation sector through andAnalysis theInformation Sharing inCyber ofDefenselevel andDepartment agenciesparticipated Storm II(includingtheDepartment and othernational governments (includingAustralia, Canada, Eleven NewZealand, cabinet- andthe UK). specific vulnerabilities.Participants in Cyber Storm IIincludedtheprivate sector, as well as federal, state built thescenario to accommodate oftheorganizationsbutnot theobjectives participating, andsectors over an18month planningprocess whichCyber during Storm IIplannersinteracted regularly. Planners agenda usingsophisticated attack vectors to createincident. alarge-scale The scenario was developed cise websites from exercise control simulating attack by persistent,adversaries withtheir fictitious own inthe facility Washington DCarea. Players received “injects” phone, fax,inperson,andexer viae-mail, infrastructure sectors.critical The control center ofHomelandSecurity was located at aDepartment Cyber asacatalyst Storm IIacted for assessingcommunications, across coordination andpartnerships Examinemeansandprocesses through whichto share sensitive information across boundaries interests.and sectors, ornational withoutcompromising security proprietary • Validate information-sharing relationships andcommunications paths for anddis thecollection • Exercise strategic coordination andinteragency decision-making ofincident response(s) inaccor • cyber toattacks; thepotential effectsof semination of cyber incident situational awareness,semination ofcyber response andrecovery information; dance with national policy andprocedures;dance withnational policy ------126 ANNEX International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex as areference orasa guideline, andthe Convention onCybercrime was designed inaway sothat itcould 1.5. A few memberswishedto delete thisproposal. onprocedural 14-22inthesection law.Articles and to establishtheprocedural to investigate tools necessary andprosecute in asdescribed suchcrimes 1.4. member wishedto delete thephrase “may want to” inproposal 1.3. recognizing oftext delete proposal 1.3,despitetheConvention theinsertion asaregional initiative. One vention inparagraph 40ofthe WSIS Tunis Agenda for theInformation Society. memberswishedto Some tive belonging to thosecountries whichare signatories, consistent withthestatus accorded to theCon thatwished totheConvention acknowledge isanexample oflegalmeasures realized asaregional initia one memberstated that theConvention could notbeproposed asthe onlysolutionfor allstates and mention oftheConvention onCybercrime, althoughtheyrecognized itasanavailable reference, whilst it contains, inaccordance withtheirown legalsystem members preferred andpractice. Other omitting or asareference for developing theirinternal legislation, by implementing thestandards andprinciples islation. Onemembersuggested that countries could, ormay want to, usetheConvention asaguideline, couldtries beencouraged to joinandratify theConvention anddraw theirrelevant onitindrafting leg With regard to theCouncil ofEurope’s Convention onCybercrime, somememberssuggested that coun itcontains,principles inaccordance withtheirown legalsystem andpractice. a guideline, orasareference for developing theirinternal legislation, by implementing thestandards and ceding to theConvention ofCybercrime. countries should, ormay Other want to, usetheConvention as realized asaregional initiative, countries shouldcomplete itsratification, ofac or consider thepossibility 1.3. initiatives including, butnotlimited to, theCouncil ofEurope’s Convention onCybercrime. 55/63 and56/121on “Combating misuseofinformation thecriminal technologies” andregional relevant investigation andprosecution ofcybercrime, notingexisting frameworks: for example, UNGAResolutions 1.2. 1.1. Proposals: 1) Proposals were madeinthefollowing areas: role to play.full agreement andITUhasaimportant isneededto promote that vitalaction cybersecurity forclear direction ITU’s future work particular, inthedomainofcybersecurity. In were HLEGMembers in wereproposal, inbroad agreement nevertheless mostoftheHLEGexperts onmany proposals that seta ofdifferenta variety perspectives. Although HLEGmembers didnotachieve full consensus inevery Cybersecurity isacomplex issuewithfar-reaching consequences requiring closeexamination from legislative measures. issuesthat are security globallyapplicableandinteroperablenetwork withexisting national andregional andotherinformation legislationment asguidelinesoncybercrime security ofmodelcybercrime Cybercrime legislation shouldbedesigned usingexisting international andregional frameworks 2-9inthesubstantive to law implement criminal at section, leastArticles important isvery It “Considering theCouncil ofEurope’s Convention onCybercrime asanexample oflegalmeasures Governments should cooperate legislation withotherstakeholdersto develop for necessary the ITU isaleadingorganization oftheUNsystem andcould elaborate strategies for thedevelop Legal Measures ------128 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex 1.8. 1.7. One memberwishedto delete thisproposal. appropriate approach to cover suchoffences. related legislation, mostoffences shouldbe covered countries should consider an otherwise, this way; worlds.veloping anewlegalframeworkonthestatus Depending ofcybercrime- forinvirtual activities Currently, moststates seemto focus theapplication onextending ofexisting provisions, instead ofde 1.6. and thenormative statement asto what itmight beableto achieve. few othermemberswishedto delete referring ofthedesign thetext oftheConvention to thehistory One memberwishedto deletecybercrime thefirstphraselegislation onhow shouldbedeveloped. A able to address developments. modern be adapted to technological developments, andlaws usingtheConvention asaguidelineshouldbe industry and ICT community”, andICT industry whilstanotherwishedto makemore general reference to “all relevant par presents initialchallenges for law enforcement. reference Onemember supported to “government, to VoIP withmore general recognizing text that theintroduction ofabroad range ofnewtechnologies Two memberswished to delete this proposal. memberswishedto Some replace thespecific references compensation instituted by legalsystemsmonetary occurs. whenharm to develop agreements,sary aswell asprovide civilremedies intheform ofjudicialorders foror action obligations incivilmatters.sures Acoordinated oncybersecurity isneces approach between allparties shouldbeunderscoredresponsibilities andresponsible in thedevelopment partnership oflegalmea orsupplythe equipment andsoftware,infrastructures andservices, orend-users. The concept ofshared andoperational requirementsinfrastructure-based imposedonthosewhoprovide and operate network tion shouldbegiven to requirements by enacted government that onthe authorities beardirectly 1.9.a Given theresponsibility ofgovernment inprotecting theirconsumers, authorities specialatten activity. work together to ensure that law enforcement hasthetools itneedsto protect thepublicfrom criminal that law enforcement,is important government, the consider community waysVoIP to andICT industry For example, VoIP andothernewtechnologies may beachallengefor law enforcement inthefuture. It 1.9. whilst anothermemberwishedto remove thisterm. Two memberswishedto delete thisproposal. One memberconsidered that theterm “data espionage” isambiguous, andshouldbedefinedproperly, ing madeavailable to minors. the Convention. A few memberswishedto delete thefirstsentence referring in to theneed for supplementing Articles infrastructure. attempted andmassive acts, andcoordinated againsttheoperation information cyber-attacks ofcritical prior to criminalizationofpreparatoryacts cially considertheft, againstspam,identity legislation efforts Countries shouldconsider how to address data espionageandsteps to prevent pornography be intheConventionSupplementing Articles may however benecessary. Countries shouldespe Discussions abouthow related to address activities criminal to onlinegameshave justbegun. The introduction ofnewtechnologies always presents aninitialchallengefor law enforcement. ------129 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex General consensus was achieved. the problem. andnon-governmental organizationssector to ensure themostcomprehensive approach to addressing justicecriminal system, andotherinternational Interpol organizations, thepublicat large, theprivate gains. With thisinmind, that itiscritical police work closelywithgovernment andotherelements ofthe world to intheirconstant keepupwithcriminals to exploit efforts technology for personalandillegal 1.12. One memberwishedto delete thelastsentence. for defenseimportant againstit. Cybercrime hasbeenstudiedwithrelation to terrorist andhasbeenfound misuseoftheInternet to be 7ontraining for addition,theConventionterrorism, terrorism In andArticle are especiallyimportant. on 5onpublicprovocationand practice. Article to commit aterrorist offence, 6on recruitment Article for by implementing thestandards itcontains, andprinciples inaccordance withtheirown legalsystem may want to, usetheConvention asaguideline, orasareference for developing theirinternal legislation, their ratification ofthe Convention onthe Prevention of Other countries should,Terrorism or of2005. 1.11. 1.10. needed”. in1.9(a). oftheadditional text Onememberproposed thespecificinsertion ties” [who] “should work together to ensure that law enforcement hasthetools, resources andtraining 1.14. 1.13. ing suchprocedural legislation”. intofully examined, account taking ofprivacy, expectations risks, etc., security whenconsidering adopt investigations. Development ofabalanced andreasonable data retention requirement shouldbecare implementation approach ofadata preservation hasproven to beakeyresource to law enforcement in Two memberswishedto delete thisproposal. Another memberproposed thealternative text: “the procedural legislation. ting access to traffic data before they are deleted, and countriesshouldcarefully consideradoptingsuch consistent withtheir obligations under international human rightslaw. Preventive measures, investiga cedural elements includemeasures andhumanrights, thefundamental that rightsto preserve privacy reference mentioned, 25with35. withthereplacement to theArticles ofArticle One memberwishedto delete thelastsentence, whileseveral othermemberswishedto the extend tional cooperation cases. incybercrime challenge.serious The Convention onCybercrime 23-25address basicrequirements Articles for interna andrequirecrime innovation by international organizations andgovernments, inorder to meetthis located abroad. Thus, international coordination andcooperation inprosecuting are cyber necessary standing thetechnical evidence evidence; abroad; 3)collecting and4)beingableto extradite suspects cases.crime These challengesinclude:1)implementation ofrelevant legislation; 2)under cybercrime Given theever-changing nature ofICTs, itis challenging for law enforcement ofthe inmostparts thefightInternet against and In terrorist misuseofthe related ICTs, countries should complete The implementation ofadata retention approach isoneapproach to avoid thedifficultiesofget In conducting cybercrime investigation cybercrime conducting andprosecution,In countries shouldensure that theirpro There are several challengesfacingprosecutors today inorder to successfully prosecute cyber ------130 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex municating with the CSIRT authorities.municating withtheCSIRT (3) collaborate inthedevelopment ofmaterials for establishingnational CSIRTs andfor effectively com and incident response onaregionalforums, basis; inorder for to buildcapacity improving state-of-the-art possibilitiesfor(2) promote CSIRTs andsupport to jointheexisting global andregional conferences and (1) advance incident response asadisciplineworldwide; to: 2.3. ITUshouldcollaborate with organizations, vendors, andother appropriate matter experts subject for reference, whilstanothermemberexpressed thischange. itsoppositionto making One memberpreferred to refer to ITUbeing “a” globalcentre ofreference rather than “the” globalcentre licly available institutionalecosystem capabilitiesworldwide. ofsources –to enhance cybersecurity information cybersecurity-related –includingapub oftimelytelecommunications/ICT and distribution 2.2. ITUshouldtakesteps to facilitate itbecoming theglobal “centre ofexcellence” for thecollection procedurestion ofenhanced security andtechnical measures. ITU, to theITUshouldwork centers identify, withexisting external ofexpertise promote andfoster adop 2.1. With regards work to outsideof enhance collaboration to opportunities withexisting cybersecurity Proposals: 2.) Technical andProcedural Measures tions insquare brackets refining thescope ofthestakeholdersinvolved. members includedreference to ITU’s mandate asFacilitator for LineC5andproposedWSIS Action inser ofITUremainingcountries, opento collaboration. theimportance whilstanotherunderlined Several member emphasized that ITUconferences shouldbeopeninitsmembership, especiallyto developing members wishedto remove thisproposal –one membervoiced itsstrong oppositionto this. One theproposal ofaglobalconferenceMany memberssupported to promote cybersecurity, whilstother Asian Nations (ASEAN), NATO andtheShanghaiCooperation Organization (SCO). Cooperation andDevelopment (OECD), The Commonwealth, European Union,Association East ofSouth cific Economic Cooperation (APEC), The Arab League, The Union,African The Organization for Economic G8Group ofStates, (UNODC), Crime Council ofEurope, Organization States ofAmerican (OAS), Asia Pa ticipating organizations include, butare notlimited to: INTERPOL,UnitedonDrugsand Nations Office andrelevantand international private organizations organizations oncybersecurity incybercrime.Par Members, intheuseofICTsbuilding confidence ofITU of andsecurity regional withtheparticipation 1.15. General consensus was achieved. tion, prosecution mustbebasedontheruleoflaw, andtrial andbeunderjudicialcontrol. ing and maintaining comprehensive cybersecurity programmes.ing andmaintaining comprehensive cybersecurity and CIIP, aswell asto establishregional workshops that help identify andshare techniques for establish to identify andpromoteefforts bestpractices related to national frameworks cybersecurity for managing 2.4. The ITU, asthesoleFacilitator for LineC5,shouldorganizeWSIS Action aglobalconference on ITUshouldestablishalong-term commitment to develop andrefine Study Group 22 1/Question ------131 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex 2.9. 2.8. approach inITU-Tin thesecurity Recommendation X.805. issuesrelatedrity to applications withalackofattention to issuesrelated andinfrastructures to services One memberagreed withproposal 2.7,butwishedto draw attention to tooverstate thetendency secu tion ofinformation systems security. andnetwork mendations (developed by ITU-T SG17),andotherdocuments aboutsecurity, evaluating andcertifica inderInformationstechnik),Sicherheit theCOBIT (from ITGovernance ,ITU-T Institute) X-series Recom techniques, onsecurity theITBaselineProtectionand technical reports (from Manual Bundesamt für mote procedural measures. The frameworks to beinvestigated includeISO/IECJTC 1/SC27standards standards andframeworksand otherrelevant security that canbeleveraged bodies, to oftheICT pro 2.7. interoperability andnon-discrimination. a viewto that ensuring newstandards are developed in accordance ofopenness, withtheprinciples asafacilitator inpromotingact collaboration between different standardization organizations with 2.6. 2.5. 2.11. own versions orstandards. and promotion ofexisting standards andframeworks (ortheircombinations), instead ofelaborating its dards andframeworks. As there are many usefulmaterials, theITUproposal might concern application There was noconsensus on proposals 2.10&2.11,proposing that ITUcould explore possibilitiesfor a institutions), aswell asprivate organizations sector that are vitalfrom theCIIPperspective. that theseapplication environments are organizations in bothpublicsector (includinggovernmental ments where whichhave ITproducts a Common earned are It is Criteriaexpected certificate advised. networking, social networking, anti-virus socialnetworking, software,networking, andothers. ment management (including archiving), communications, network instant messaging, peer-to-peer hardware systems, firmware systems, operating systems, office systems,software, e-mail docu- browsers, evaluation framework. security The systems to beinvestigated for Common Criteria evaluation include standards andframeworks that canbecomponents ofaglobally-accepted Common Criteria for ICT analysis, (incooperation andselection withITU-T, ISO, security IEC,andotherrelevant bodies)ofICT for ITapplications andsystems (hardware, firmware HLEGcalled andsoftware), for theinvestigation, framework to andaccreditation forcriteria ensure security Commonminimumsecurity Criteria for ICT 2.10. With regards for to general activities technical measures, to establishagloballyaccepted evaluation developed (althoughthat may ultimately happen,dependingonthetopic andwork inITU-T &ITU-D). ‘models’ in2.9,rather than ‘recommendations’, soitdoesnotimplythat anITU ‘recommendation’ willbe One memberwishedto delete proposals 2.8and2.9.Another memberproposed thedevelopment of tional environments where theprocedural measures proposed by ITUshouldbeused. development andstandards ofbestpractices for cybersecurity. field of thattechnical measureswork hasbeendone by theITUon mustbuildupontheimportant es for improvingmanagement andrisk processes, security any initiatives orrecommendations inthe ITUshoulddevelop modelrecommendations that canassistgovernments specifyingorganiza ITUshoulddevelop proposals stan for security procedural measures ICT basedontheselected calledfor investigation,HLEG experts analysis, incooperation andselection, withITU-T, ISO, IEC, With regard to standards that are developed by otherstandardization organizations, ITUcould With regards for to general activities procedural measures, to promote more efficient approach HLEG calledfor thedevelopment ofmodelrecommendations specifyingapplication environ ------132 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex management capabilitiesthat includediscoverable andsecure identifier resolver services”. infrastructure, aswell to providecation/ICT astheability othertrusted andinteroperable globalidentity and suggested alternative wording of: “Initiate areview ofthecurrent architecture ofthetelecommuni system. Onemembersuggested oftheDNSserver that referencesfunctioning to DNSshouldbedeleted define the responsibilities and relationships between institutionalarrangements, especiallyinvolving the DNS onthebasisthat itisoutsideITU’s mandate to review thecurrent architecture orto oftheInternet A few wishedto memberswishedto delete delete reference proposal 2.14.Onememberinparticular to withrelationticularly to theITUOIDDNS. management capabilitiesthatidentity includediscoverable andsecure identifier resolver par services, system, aswell totioning oftheDNSserver provide astheability othertrusted andinteroperable global and relationships between theinstitutions, required to guarantee continuity ofastableandsecure func infrastructure, anddefinetheinstitutionalarrangements, includingtheInternet, andthe responsibilities 2.14. SG-13,and SG17. Global Standards Initiative (IdM-GSI), hasoccurredManagement amongtheITU-T through community Management theIdentity security andinterrelationshipsaspects withother Work Areas. particular, In significant onIdentity work security 2.13. players andtechnical bodies”.of globalindustry relevant work oftherelevant ITU-T SGs. The focus shouldcontinue to engageabroad, large cross section ofspam;NGNs,SG 13and17intechnical related aspects ofIP-based aspects technology, andother One memberproposed alternative wording of attention“particular shouldbepaidto thework ofITU–T players andtechnical bodies. ofindustry cross-section global information infrastructure, protocol Internet andNGNs-that hasengagedabroad, aspects large paid to investigating results ofSG13-ITU-T’s largest standards andmostactive bodythat addresses the ITUmay examine therole ofISPs spamandotherissues. Particular attention inblocking should be examined anddiscussed.collaborationtelecommunications In withprivate might befurther industry, vider (SPID) initiative, DNSSEC,orsystemic andeconomic incentives for security protection ofglobal ofpubliccommunicationto enhanceandISPs networks thesecurity -for example, Trusted Pro Service 2.12. systems (hardware, firmware &software)”. Two memberswished to delete proposals 2.10&2.11. andaccreditation criteria minimalsecurity similar initiatives schemesfor toITapplications and support “Encourage inthe countries to participate “Common Criteria” recognition agreement andotherrelevant tions –may notyieldpositive results. Another memberproposed alternative wording for proposal 2.10: to applyCommon Criteriatant, requirements trying to ICTs –today organiza usedlargely by military signatories andeven fewer have labs. certification ofmutual While itsprinciples recognition are impor Criteria isalimited agreement between governments, withonlyasmallnumberofITUmemberstates as accreditation Onememberstated Security framework. globally-accepted itsviewthat theCommon ICT 2.16. operators andgovernments to proactively ofemerging managetherisks technologies. other membersuggested that collaboration owner in analysis withSMEscould enableITUto helpICT role, ifany, oftheITU-T SGsinconsidering newtechnologies andinfrastructures (for example…)”. An One membersuggested alternative wording for proposal 2.15: “Emerging technologies: examine the applications critical or ambient intelligencemobile devices andRFIDinsecurity environments). implementation ofnewtechnologies andinfrastructures (for example, emerging from risks massuseof 2.15. HLEG memberscalledfor areview ofthecurrent architecture ofthetelecommunication/ICT Digital management (DIM):HLEGmemberscalledfor identity theinvestigation oftechnical calledfor HLEGMembers Internet: theinvestigation ofways to collaborate withprivate industry Management system and personal certifications: HLEG memberscalled and systemManagement for the selection andpersonalcertifications: Emerging technologies: HLEGmemberscalledfor consideration to begiven to related risks to ------133 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex very important, especiallythe important, very WSIS multi-stakeholder approach. One membersuggested that there shouldbegreater mention ofcivilsociety. The role is ofcivilsociety in WSIS outcomes. ofmulti-stakeholdercooperation, withinthespirit development asoutlined ineachcountry level ofICT specific needsofintocountries, account taking resource availability, andthe public-private partnerships, 3.4. initiativescoordination at thenational, ofcybersecurity regional andinternational levels; 3.3. issuesin aglobalperspective; security andnetwork tion security national, regional andinternational strategiesincidents andotherinformacybersecurity to fight against 3.2. and promotion ofnational policiesincybersecurity. 3.1. Proposals: 3) Organizational Structures procurement, themfor andnotselect others. mechanisms istheuser’s processes selection for theirown decision-UNagenciesshouldonlyundertake based onsupplierdeclarations ofcompliance. ofsystemsThe andcertification/compliance selection compliance mechanisms for potential users. This operate markets memberbelieved thatwell many ICT information management systems, onsecurity management systems andidentity andcertification/ One memberwishedto delete proposal 2.16.Another memberunderstood proposal 2.16to refer to information certifications. security improvement ofinformationmanagement schemes, system security as certification well aspersonal 3.6. tional cooperation. needsandshouldpromote assistanceaddress through itsnational cybersecurity regional andinterna 3.5. 4) Capacity Building 4) Capacity issuebeingaddressed.cybersecurity structures, dependingonthespecific issue(givensecurity thedefinition adopted by ITU-T SG17)andmay require different organizational One membersuggested that theproposals shouldtakeinto account that thebroadness ofthecyber lishing appropriate organizational programmes. andcapacity-building structures asoutlinedinthework ofITU-Tteristics ofcybersecurity countries inestab SG17,ITUshouldsupport ITU shouldassistcountries insettinguporganizational aimedat structures responding to the ITU shouldassistgovernments inputtingplace policies andstrategies aimedat improving the ITU shouldprovide assistance to developing andleastdeveloped countries intheelaboration of ITU shouldprovide assistance to developing andleastdeveloped countries intheelaboration Taking into account thebroad andthecharac nature ofissuesto beaddressed incybersecurity toITU shouldencourage develop eachcountry itsown strategy andorganizational to structures - - - - - 134 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex 4.2. 4.1. Proposals: needs bearing in mind local factors; putinplace organizational inmindlocalfactors; needs bearing aspresented structures in WA 3”. ingraduated response,coordination to organizational building incybersecurity; andcapacity structures global perspective, includinganimprovement innational, regional andinternational level governments national, regional andstrategiesincidents ina and internationalcybersecurity policy to fight against One memberproposed alternative of: text ITUmembersindevelopment andpromotion“Support of andhelpingto putinplacemind localfactors); organizational aspresented structures in Work Area 3. encouraging agraduated response to in organizationalbuildingneeds(bearing andcapacity structures including improving national, regional andinternational governments coordination incybersecurity; international policiesandstrategiesincidents withinaglobalperspective,cybersecurity to fight against 4.3. the work ofinternational bodiesliketheITUwhocould play arole shouldbehighlighted. legislative measures inorder to answer theneedsidentified in WA1”. Another membersuggested that islation asaguidelinethat isgloballyapplicableandinteroperable withexisting national andregional effective legalframework inelaboration ofstrategies cybercrimefor thedevelopment leg ofamodel investigationticipation andsolutionsdevelopment incybersecurity develop andputtheminto action, One memberproposed alternative of: text “ITU’s leadrole incoordinating robust, multi-stakeholderpar measures, inorder to answer theneedsidentified in AreaWork 1. guidelines that are globallyapplicableandinteroperable withexisting national andregional legislative frameworks intheelaboration ofstrategies for thedevelopment legislation as ofmodelcybercrime investigationrity andsolutionsdevelopment developing andputtingtheminto effective action, legal as specified by WA 2”. (4) measures addressing specific technical topics; (3) general technical measures; and (2) general procedural measures; outside theITU; (1) becoming theglobal ‘centre ofexcellence’ work through collaboration withexisting cybersecurity measures throughcedural four cybersecurity strategic in: proposals for theSecretary-General One memberproposed alternative of: text “Promote oftechnical andpro theadoptionandsupport as specified by AreaWork 2. (4) measures addressing specific technical topic, (3) general technical measures; and (2) general procedural measures; outside theITU; (1) becoming theglobal ‘centre ofexcellence’ work through collaboration withexisting cybersecurity sures in: ITU should promote the adoption and support of technical and procedural cybersecurity mea oftechnical andproceduralITU shouldpromote theadoptionandsupport cybersecurity ITU shouldhave aleadrole incoordinating incybersecu robust, multi-stakeholderparticipation ITU should support ITUmembersinthedevelopment andpromotionITU shouldsupport ofnational, regional and - - - - - 135 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex To promote culture, asecurity behaviour andtools, To integrate into infrastructure, security • • 4.9. to helpbuildaglobalculture ofcybersecurity”. ofcybersecurity aspects soitsuggested theglobalframework, alternative text: port “Continue to develop inall humancapacity One memberwas concerned abouthow proposal 4.8relates to sup to –needactions capacity-building global culture ofcybersecurity. 4.8. 4.7. end-users’ andto takesteps to support andservices products measures; cybersecurity 4.6. 4.5. defined by WA 5”. inacoordinatedactivities national, mannerinorder regional, to support international cooperation as One memberproposed alternative of: text “Create afocal point withintheITUto managethediverse national,manner inorder regional, to support international cooperation asdefined by AreaWork 5; 4.4. 5.1. Proposals: 5) InternationalCooperation 4.11. and parents-teacher messageacross. organizations to getthecybersecurity centres,community computer stores, colleges community andadulteducation programmes, schools 4.10. To fight againstcybercrime. • ment, address thecompletion newissuesthat after ofthework arise ofthe HLEG. focalThis structural tation oftheHLEGrecommendations theirapproval after environ and, given thedynamismof theICT theHLEGhas completedcontinuity identify intheITUafter priorities, follow itswork, uponimplemen ner inorder to ensure successful execution oftheITUmandate. The focal to point would ensure serve sible cyber-citizens. ITU shouldpromote whenrequired theestablishment ofpublic-private inorder: partnerships to helpbuilda ITU shouldcontinue ofcybersecurity to develop inallaspects humancapacity ITU shouldtrain andeducate at several levels oftheinformation alltheactors society; to oftheir increase thesecurity andservices ITU shouldencourageproducts providers ofICT ITU shouldassistinempowering end-usersto adoptasafe behaviour inorder to become respon ITU shouldcreate afocal point withintheITUto inacoordinated managethediverse activities ITU shouldcreate afocal point withinITUto inacoordinated managethediverse activities man ITU shouldpromote awareness campaigns through initiatives for greater publicity. ITU shouldmakefulluseofNGOs, institutions, banks, ISPs, libraries, localtrade organizations, - - - - - 136 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex means “to preside over”. They donot mean “coordinate” or “manage” or “harmonize.” All of these words the ITUisasa facilitator ormoderator Line C5. ofAction “Facilitate” meansto “make easier.” “Moderate” inthesedocuments.forth This member noted that the WSIS outcome documents state that therole of The onlyHLEGproposals that thefocal point can implement are thosewithintheITU’s mandate asset One memberstated that ITU’s mandate is defined by its Constitution and Convention and by WSISC5. mandate. member believed that theITUneedsto have more inthisarea flexibility andshouldnotbelimited to its ist. One membersuggested that afocal point already exists inITU-D, whichcould beenhanced. Another member agreed withtheproposal to create anITUfocal point, butsuggested that onemight already ex comms) implementation, have emergency focal points. areasation –othercross-cutting (WSIS Another Another memberexpressed appreciation that theircomments onafocal point were takeninto consider coherencefor policy andcoordination to avoid duplication ofefforts. resources andcoordination between different bodiesontheir respective resources. Onemembercalled shouldbemadebetween ITUmanagingclearer itsresources, distinction bodiesmanaging their external Two themanagement membersqueried ofwhich&whoseresources andactivities. They suggested a oftheproposed organization.function initiate astudy to isrecommended definemore preciselyIt that theSecretary-General the and form resource asanexpert Act for assistingstakeholdersintheresolution ofinternational issuesthat might relating arise to cybersecurity. • Work towards ofstakeholdersinthevariousfields international harmonizationoftheactivities cybersecurity. • To facilitate thecoordination oftheITU’s work inthisfieldwithotherorganizations to avoid amongst thevariousindividualinitiatives. and,duplication ofeffort to thepossible,extent to assistinidentifying andachieving compatible goals • To work onongoingbasisto withtheglobalcommunity engagetheexisting international re • To theextenttheyare withintheITU’s mandate, to implement any HLEGrecommendations that are approved by Council, withoutduplicating thework ofotherorganizations inthisarea. • accordance In withtheITU’s • To andpromote ininternational support forums theITU’s inthedevelopment activities oftechni • To andmakethis compile information oninitiatives inthefieldofcybersecurity andactivities information available to allstakeholders • ible unifiedstrategies andsolutions. ofthestructural focal point The functions would include: tions inthecontext ofinternational security” ofDecember 5,2007,and, asappropriate, develop compat tions GeneralAssembly 62/17 Resolution “Developments inthefieldofinformation and telecommunica issues, ,includingtheexisting multiplethreats to informationinaccordance security withtheUnited Na regional andnational inbuildingacommon structures understandingoftherelevant international point would work onanongoingbasisto withtheglobalcommunity engagetheexisting international providing information aboutnational (i.e., bestpractices ITU-Dactivities). ing assistance to developing countries to protect theirIP-based networks, through buildingand capacity cal standards to(i.e., ofnetworks increase ITU-T thesecurity andtheITU’s activities) inprovid activities cybersecurity anddeveloping unifiedstrategiescybersecurity andsolutions. gional and national inbuildingacommon structures understandingoftheinternational issuesinvolving and maintaining awebsite. developing andpublishinginformation, collecting multi-stakeholderandpublic/private partnerships, asinformationsuch activities exchange, creation ofbestpractices, ofknowledge, sharing assistance in areas inwhichtheITUdoesnothave through expertise, nizations incybersecurity whohave expertise WSIS C5mandate, andpromote thework to ofotherorga support ------137 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex ality forality better utilization of resources andresults, Generalexplore itisrecommended that theSecretary tivities, initiatives fieldalongwith thepotenti ofdifferent andprojects cybersecurity stakeholders inthe groupings”. “Having considered theefficienciesthat could beachieved by coordinating the ac various whileaddressing theissuesofindependence andsovereignty satisfactorily bersecurity ofnations and mended that the ITUshouldstrongly consider astrategy relating to theseactivities to harmonies cy would result indiluting theaffectofproposed strategies to an unacceptable extent. Thus itis recom the maximumextentpossible, ifthepotential benefitsare lackofharmonization to bederived.In fact dural &technical work areas, itisevident that these measures needto beharmonized across borders to - c) Harmonizing “Based ontherecommendations legalandproce oftheotherwork areas particularly especially incapacity-building, cannotbestressed more. initiatives towards a common programme. The beneficial effects of coordination on the other work areas, them asproposed above. At thehighestlevel, ITUcould coordinate actively anddrive theindividual stakeholdersaware ofallorganizations thatactivities andmaking have of amandate oncybersecurity of otherorganizations andtheavailability ofresources. At thelowest level, itcould besimplytracking would andcould exercise, that role, thewillingness to ofITUto obtaintheconsent undertake theability avoid duplications. This could bedoneat different scalesdependingontheof extent control that ITU are available, ITUshouldtaketheleadincoordinating thework ofvariousorganizations inorder to tosubscribe theinitiative, othersmay feel more encouraged to joinin.” thepoliticalwillandresources If recommended basis. thatonavoluntary theinitiative bestarted When massofstakeholders acritical an initiative positively, especiallythosewho may perceive thisasadilutionoftheirsovereignty, itis through agreements ormemoranda ofunderstanding. Given that allstakeholdersmay notreceive such explore ofcreating thepossibility for anetwork coordinating initiatives suchactivities, andprojects, potentiality for better utilization ofresources andresults, itisrecommended that theSecretary-General initiativesous activities, fieldalongwiththe ofdifferent andprojects cybersecurity stakeholdersinthe b) Coordination - “Having considered theefficienciesthat couldbeachieved by coordinating the vari as thesework areas rely to alarge extentonmultilateral coordination onspecificinitiatives. and enablethemto coordinate addition,that willhelpimmenselytheotherwork In areas theiractivities. their cooperation thisinformation ismostdesirable. available Making to stakeholderswillencourage require theconsent oftheorganizations whoseprojects/initiatives that are beingmonitored though eration. This doesnotrequire inthe doesnoteven of much effort form speaking resources andstrictly tions (international, national, private andthird asmeansofandaprelude sector) to promoting coop should bemonitoring thedifferent initiatives by organiza andprojects various cybersecurity related to sources withinITUandtherelationships ITUhasbuiltwithgroupings ofstakeholders”. At aminimum,ITU recommended thatmeasure. thismechanismutilizes isfurther equallythecurrently available It re and to disseminatecybersecurity suchinformation aswidelypossible,in thefieldof asanimmediate amechanismtowithin theITUstructure gather information andinitiatives aboutthevariousprojects rent role theITUplays andtheresources create at itsdisposal, itissuggested that theSecretary-General through theirown initiative, onanoptimumcost for in benefitbasis,to consideration andtaking thecur - a) Monitoring order“In to improve thepotentiality for different stakeholders to achieve better synergies advocating international cooperation: 5.2. The second proposal involves for general activities themonitoring, coordination, and harmonizing which closelyfollow thecontours oftheITU’s mandate, oralternatively, deleted. alongthelinesofmember’ssubstantially re-written proposed terms ofreference for thefocal point, aswritten andneedsto believed isout-of-scope be beyond that thissection It thescope ofitsexpertise. C5. This membersuggested that ITUshouldnotgetinvolved issuesthat are inresolving cybersecurity stated itsviewthat It “harmonization” impliesoversight/direction andexceeds themandate of WSIS nation’ impliesoversight/ ofITUfor andisoutsidetheauthority reasons direction expressed before. inmanysome areas ofcybersecurity,others. ithasnoexpertise This memberstated itsviewthat “coordi notauthorized towhich itisclearly do. isalsoinappropriate, in It becausealthoughtheITUhasexpertise imply that theITUisplacingitselfinanoversight/ directive role to withrespect otherorganizations, ------138 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex its suggestionsrespected and mostly complied with”. facilitating role for WSIS”. Another memberwished to delete from 5.2.(d) voice“Its isheard andfollowed, after “mandate from States”, Member “and consistent withitsConstitution and Convention andwith the at theend of5.2.(d): One memberwishedto insert “and withintheareas ofexpertise” andwishedto add bullet pointaltogether. onHarmonizing tional aspirations oftheITUare constrained by itsmandate. Another memberalsowishedto delete the e.g.of expertise, incident response activities. This memberdrew attention that theorganiza to thefact to legalsystems beharmonizing aroundexpertise theworld, or for that matter any area outsideitsfield One memberwishedto delete thebulletpointbecause theITUdoesnothave onHarmonizing the to would joinin.Harmonizing theITUinto bring areas that are notwithinitsmandate”. basis. toWhen mass ofstakeholderssubscribe theinitiative, acritical othersmay feel more encouraged nisms that are mutuallyagreeable. isrecommended onavoluntary It that theinitiative beundertaken is inclusive andopenfor facilitating initiatives suchactivities, andprojects, through ofmecha avariety results, explore ofcreating itisrecommended thepossibility that anetwork that theSecretary-General fieldalongwiththepotentiality for better utilization of stakeholders inthecybersecurity resources and ficiencies that could beachieved by facilitating initiatives theactivities, various of different andprojects The samememberwishedto replace bulletpoint 5.2.(b) with “Facilitating -Having considered theef them asproposed above”, becauseitrepeats the “Monitoring” above. section stakeholdersaware ofallorganizations thatactivities andmaking have of amandate oncybersecurity One memberwishedto delete from 5.2.(b) thesentence “At thelowest level, itcould besimplytracking initiative positively, especiallythosewhomay perceive thisasadilutionoftheirsovereignty”. delete from 5.2.(b) “memoranda ofunderstanding. Given that allstakeholdersmay notreceive suchan that are beingmonitored thoughtheircooperation ismostdesirable”. The samememberalsowishedto doesnoteven speaking, and, require strictly theconsent oftheorganizations whoseprojects/initiatives One memberwishedto delete from 5.2.(a) doesnotrequire“this inthe of mucheffort form resources coordination and, to someextent, monitoring isnotinaccordance withITU’s role. One memberagreed onharmonizationandinternational cooperation, withthesub-points butfelt that international relations. on thelevel ofresources available, thescaleofownership theITUwishesto exercise andtherealities of tional fora oreven level. to community country Again, themagnitude ofthework inthisarena depends role inadvocacy. at theprimary variouslevels Advocacyfrom could beundertaken internaundertakes mostly complied with. Thus, inorder tothat aboutaculture ITU bring ofcybersecurity, itisimportant ideally placed to play therole ofadvocate. voice Its isheard andfollowed, itssuggestionsrespected and ternational relationships”. ITU, withitsmandate from States Member anditspositionintheUNsystem, is commensurate withresources underthecurrent at itsdisposalandisdeemedpracticable context ofin at adegree andonascaleinkeepingwithitsorganizational oncybersecurity aspirations,in advocacy a trusted source theworld over, ofknowledge theleadrole itisrecommended that theITUundertake d) Advocacy - “As andawareness knowledge andastheITUis plays akeyrole cybersecurity inensuring to theinitiative, othersmay feel more encouraged to joinin”. basis.mended thatonavoluntary theinitiative bestarted When massofstakeholderssubscribe acritical initiative positively, especiallythosewhomay perceive thisasadilutionoftheirsovereignty, itisrecom agreements ormemorandum ofunderstanding. Given that allstakeholdersmay notreceive suchan ofcreatingthe possibility for anetwork coordinating initiatives suchactivities, andprojects, through ------139 International cooperation Capacity Building Organizational Technical and Procedural Legal Measures for Cybersecurity Structures Measures for Cybersecurity Annex catalyze focus towards Line”. achieving thegoalsofC5Action the LineimplementationWSIS C5Action meetings. Collaborating to convene asenior-level summitwill issues. cybersecurity The proposed Summitshouldbeaday andahalfsummitimmediately preceding ISACA, ISC2,IMPACT, andotherkeyorganizations ICANN to convene ayearly summitthat focuses onkey OECD, Forum Response ofIncident AssuranceTeams Software Forum for Excellence (FIRST), inCode, tive, incooperation including withleaders ofthekeyorganizations andconjunction for cybersecurity One memberwishedto addtheproposal: should establishacollaborative initia Secretary-General “The initiativescapacity-building andprogrammes focused onthedeveloping countries”. relatedthe many bodies, othercybersecurity withacontinuing focus ontheleadershipofITU-Din especially involving intheITUsectors, combined themany withresources experts from allBureaux and One memberproposed alternative of: text activities, shouldinitiate necessary ITUSecretary-General “the proven effective. to bevery plans, andalsorepresentnational cybersecurity a “bottom-up’ approach. This bottom-up approach has the experience membersthat ofcountries have andsector already developed andare implementing developed inQ22. by StatesMembers Member andSector These have bestpractices beendistilledfrom needs andnotby aplan.Similarly, intheITU-D, thework program hasbeenfollowing thebestpractices ple, intheITU-T, work isdriven by company contributions whichare basedonmarketplace and industry ment. The work intheITU-T andITU-Dhasuntil now beenbasedona “bottom-up” approach. For exam ITU could result ina “top-down” planfor cybersecurity, whichITU-T to andITU-Dwillbeexpected imple One memberexpressed concern that theSecretariat becoming inthe thefocal point for cybersecurity anduseofthesecapabilities.ability – especiallyITU’s own forums inthe T, –to advance DandRSectors andexpand thedevelopment, avail 5.3.2 To encourage greater attention, involvement, andresources devoted to globalcollaborative forums capabilitiesworldwide;tional ecosystem and to ofsources enhance cybersecurity -necessary information cybersecurity-related –includingapubliclyavailabletimely telecommunications/ICT institu 5.3.1 To facilitate theITUbecoming theglobal “centre ofexcellence” for of anddistribution thecollection the many bodies: othercybersecurity-related in theITUsectors, combined withresources withinthe GeneralSecretariat andtheBureau Directors and 5.3. especiallyinvolving activities, shouldinitiate necessary themanyThe experts ITUSecretary-General - - - - - 140 List of Acronyms and Abbreviations

APCERT Asia Pacific Computer Emergency Response Team CERT-CC Computer Emergency Response Team Coordination Center CI Critical Infrastructure CII Critical Information Infrastructure CIIP Critical Information Infrastructure Protection COE Council of Europe CSIRT Computer Security Incident Response Team EU European Union FIRST Forum of Incident Response Security Teams G8 Group of Eight (Nations) ICANN Internet Corporation for Assigned Names and Numbers ICT Information and Communication Technologies IEC the International Electrotechnical Commission ISAC Information Sharing and Analysis Centers ISMS Information Security Management System ISO International Organization for Standardization ITU International Telecommunication Union NCA National Cybersecurity Authority NCC National Cybersecurity Council NCSec National Cybersecurity OECD Organisation for Economic Co-operation and Development PDCA Plan, Do, Check, Act R&D Research and Development UNICRI United Nations Interregional Crime and Justice Research Institute UNIDIR United Nations Institute for Disarmament Research UNITAR United Nations Institute for Training and Research UNODC United Nations Organizations on Drug and Crime Problems SCADA Supervisory Control And Data Acquisition WARP Warning, Advice and Reporting Point WWN Watch and Warning Networks