Information Security and Cybercrime
Article · June 2009
Authors include Ian Brown and Christopher Marsden. Publication record: https://www.researchgate.net/publication/228226770


Information security and cybercrime
Ian Brown, Lilian Edwards and Chris Marsden1

Introduction
Information systems are increasingly important to the efficient operation of government,
corporations and society in general. With that importance has come an increasing risk of
information security breaches, compounded by systems’ networked nature. That makes
effective information security a public policy issue of far broader impact than technical
information technology (IT) policy.
Network and Information Security (NIS) policy making and investment have evolved
rapidly, especially since 1999. This evolution has been punctuated at certain points where
the necessity of adequate or mature NIS policy has been sharply emphasised by
vulnerability to attack or shocks:
• The ‘Millennium Bug’ or Y2K programme of 1997-9, which led to a complete
inventory of computing inside large organisations, often for the first time since
the deployment of the enterprise Personal Computer (PC) in the mid-1980s;
• Denial of Service (DoS) attacks, beginning in 2001 against Yahoo! and eBay;
• Business continuity planning in the wake of the attacks of September 11th 2001;
• Corporate responses to the increasing financial returns for attackers (for example
the growth of ‘phishing’ and the 2004-5 cyber-extortion cases against gambling
websites);
• The continued tendency towards government action to directly confront
cybercrime, ‘cyber-terrorism’ and ‘cyberwar’, as for instance with the US 2009
appointment of a ‘cybersecurity czar’ (sic).
Legislation, policy, government spending and corporate response in the field of
information security have been examined by for instance the Organisation for Economic
Cooperation and Development (OECD)2 and the European Commission, which has
identified three key risks for Internet security:
1. Attackers are increasingly motivated by profit rather than the technical interest
that drove earlier “hackers” – with growing interest from organised crime and a
sophisticated underground economy in stolen information and hacking tools
2. Mobile devices and networks present a significant new threat landscape, where
security is so far less developed than on the personal computer
3. Ubiquitous computing will move computation and networking into the fabric of
buildings and everyday things (e.g. through RFID and sensor networks),
presenting new vulnerabilities.3

1 Respectively, Senior Research Fellow, Oxford Internet Institute; Professor of Internet Law, University of
Sheffield; Senior Lecturer in Law, University of Essex.
2 See OECD (2005) The Promotion Of A Culture Of Security For Information Systems And Networks In
OECD Countries DSTI/ICCP/REG(2005)1/FINAL of 16 December 2005 at
http://www.oecd.org/dataoecd/16/27/35884541.pdf

Malware, botnets and other tools for crime


The production of malicious software or “malware” used to attack systems and defraud
individuals has soared in recent years. In 2008 security software firm Symantec identified
1,656,227 distinct new malicious programs, an increase of 165% since 2007.4 This
growth has resulted from increasing opportunities for fraud, the vulnerability of online
services to attacks by “botnets” made up of huge numbers of compromised PCs, and an
underground economy driven by interest from organised crime.
The authors of this software, those using it to control networks of compromised
computers and acquire and sell on sensitive information, and their targets are located
around the globe. The Honeynet Project found in 2006/2007 that Brazil had the highest
number of observed “bots” or compromised machines, followed by China, Malaysia,
Taiwan, Korea and Mexico. The controlling servers were located principally in the
United States, followed by China, Korea, Germany and the Netherlands.5
However, the distributed criminal networks that have grown up around these tools often
include participants close to victims where they can (for example) more easily transfer
funds. As the UK Police Central e-Crime Unit’s Sgt. Bob Burls has commented: "It's a
myth that hackers are 15-year olds in darkened rooms and similarly that all
cybercriminals are overseas. As with drugs, you have major traffickers but also street
dealers. Wherever there is criminality there are criminal hierarchies, there will also be
local pockets of criminality."6

Conduits for attacks

Software: operating systems, browsers and other applications


Viruses, Trojan horses and other types of malware typically exploit weaknesses in
installed software to gain control of an Internet-connected machine and access data
entered by and available to users.
This code spreads mainly through e-mail attachments, websites and by directly
connecting to vulnerable machines. IT security company ScanSafe found in June 2008
that the number of legitimate websites being compromised and used to infect visitors’
machines accounted for 66% of all malware blocked,7 but distribution channels vary in
significance as vulnerable software is patched, security software is updated and new
weaknesses are found. Just one recent attack on Microsoft Internet Information Services
web servers hit around half a million websites.8

3 Communication on a strategy for a Secure Information Society – “Dialogue, partnership and
empowerment” COM(2006) 251
4 Symantec (2009) Global Internet Security Threat Report: trends for 2008, vol. XIV, available at
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
5 J. Zhuge, T. Holz, X. Han, J. Guo, & W. Zou (2007): Characterizing the IRC-based botnet phenomenon.
Informatik Tech. Report TR-2007-010. Available at http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf
6 I. Brown and L. Edwards (2008) McAfee Virtual Criminology Report, available at
http://resources.mcafee.com/content/NAMcAfeeCriminologyReport
Software companies are in a constant arms race with hackers to fix vulnerabilities before
they are exploited. Microsoft for example claimed to have disinfected more than 526,000
PCs in the Storm botnet in the last quarter of 2007, but accepts that Storm botnet
controllers are "probably out there still making money with some other botnet."9
The frequency with which security problems continue to be discovered in widely used
operating system and application software makes it extremely difficult for any adequate
level of Internet security to be achieved. Microsoft and other large software companies
have made many improvements in their security development processes, but the software
market does not seem to be driving the use of well-understood but little deployed security
engineering techniques – such as dramatic decreases in complexity of the security core of
operating systems and much more careful isolation of the potentially malicious code
present in Web pages and e-mails. Until software companies are properly incentivised to
make a step-change in the quality of their products, law enforcement agencies will be
unlikely to have the resources to deal with the resulting flood of e-crime.
The use of open source software10 is not a security panacea. While many programmers
may be examining source code for flaws, not all open source projects have the resources
available to patch vulnerabilities in a timely way once discovered. Attackers are also
more easily able to find flaws given the availability of source code.11

Networks
Botnets, networks of computers compromised by malicious software, are one of the key
vectors for online attacks and criminality. During 2008 Symantec identified 9,437,536
distinct machines in such networks. The largest networks contain hundreds of thousands
of machines and are capable of flooding the Internet with more than 100 billion spam
messages per day.12 These networks are also used to launch Distributed Denial of Service
(DDoS) attacks, where thousands of compromised machines send traffic to a target
machine, overwhelming it and sometimes its network connectivity.
We have continued to see DDoS attacks conducted against companies and governments,
some as part of nationalist political campaigns. The FBI/Computer Security Institute
2007 report estimated that up to 10,000 DDoS attacks occur each day worldwide,
with the hourly cost of these attacks reckoned at between $90,000 for a sales catalogue
company and $6.45m for a retail brokerage. Attackers commonly extort money from
targets by threatening attacks when they would be most costly – at gambling sites just
before a major sports event.

7 Scansafe (2009) Annual Global Threat Report 2008, available at
http://www.scansafe.com/resources/global_threat_reports2
8 Gregg Keizer (2008) Huge Web hack attack infects 500,000 pages, Computerworld, 25 April
9 Gregg Keizer (2008) Microsoft: We took out Storm botnet, Computerworld, 22 April
10 See further discussion in Guadamuz, Chapter X
11 Ross Anderson (2002) Security in Open versus Closed Systems – The Dance of Boltzmann, Coase and
Moore, Open Source Software Economics, Toulouse
12 Joe Stewart (2008) Top Spam Botnets Exposed, SecureWorks, available at
http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets
Presentation sharing site SlideShare was hit in April 2008 in apparent reprisal against
users’ presentations on corruption in China.13 Several tools were released early in 2008 to
enable attacks by disgruntled Chinese computer users against CNN in retaliation for their
coverage of issues in Tibet.14 During the conflict between Russia and Georgia, DDoS
attacks were observed against government and media sites in both countries.15 Attacks
were also observed at the end of 2007 between Russian and Ukrainian groups, and
against Russian political activist Gary Kasparov.16 We have even seen attacks on the
Church of Scientology by the "Anonymous" activist group.17

Payment services
Payment services are the route that almost all cybercriminals use to transfer fraudulent
gains. These include traditional bank transfers and direct debits; money services such as
Western Union; and new payment systems like PayPal. Financial regulation has not kept
up with innovations in payments systems, which makes the old policing mantra "follow
the money" decreasingly effective in the cybercrime era.
London's Metropolitan Police have identified four key types of fraud facilitated by
payment services:
1. Online auction site frauds: money is transferred in payment for goods that are
never delivered, sometimes to fake escrow sites that do not provide the service
claimed of holding payments until delivery.
2. 419/advance fee frauds: Victims receive e-mails promising money in return for
helping a fraudster transfer money, upon the payment of a "small" fee that will
later be repaid. Once entrapped, victims have been persuaded to pay large fees
that are never reimbursed.
3. Lottery fraud: E-mail and letters are sent to victims claiming they have won a
lottery. Winnings can be claimed upon payment of a fee – sometimes substantial.
Victims, often elderly, are commonly further persuaded using telephone calls.
4. Criminal cashback: goods plus fees to a "shipping agent" are paid for using a
stolen bank draft or cheque. Once the seller has transferred these fees back to the
"shipping agent", they commonly find the issuing bank recovers the draft or
cheque, having been duped out of both the goods and the "shipping fees".18

13 Mark Hendrickson (2008) SlideShare Slammed with DDOS Attacks from China, TechCrunch, 23 April
14 Jose Nazario (2008) NetBot Attackers Anti-CNN Tool, Arbor Networks Security, 23 April
15 Jose Nazario (2008) Georgia DDoS Attacks – A Quick Summary of Observations, Arbor Networks
Security, 12 August
16 Jose Nazario (2007) Political DDoS? Ukraine, Kasparov, Arbor Networks Security, 13 December
17 Jose Nazario (2008) Church of Scientology DDoS Statistics, Arbor Networks Security, 25 January
Dupes ('mules') are commonly used as a middle-man to transfer money from victim to
fraudster. Recruited as an "international sales representative", "shipping manager" or
other fake job, they are asked by fraudsters to receive "payments" that they then transfer
internationally after deducting a small "commission." When apprehended by police, the
money has long since vanished through a payment system and cannot be retrieved – often
leaving both the mule and victim out of pocket.
A key concern of law enforcement agencies is services that do not allow payments that
are the proceeds of crime to be recovered. In a report19 for the US Federal Reserve, Ross
Anderson concluded:
"Online fraudsters use a variety of nonbank payment services to launder the
proceeds of crime. People had assumed that traceability was the key. However,
investigation reveals that revocability is more important. Fraudulent payments
within the banking system can be pursued and recovered with a reasonable
probability of success; but once stolen funds are used to buy transferable financial
assets such as eGold, recovery becomes much harder. This suggests that much of
the benefit that could be obtained from regulating nonbanks more closely can be
got by greater transparency about counterparty risks… The current [Financial
Action Task Force] rules impose unnecessary burdens, particularly on the poor,
while not doing enough to facilitate rapid recovery of stolen assets."
Impersonation (‘identity fraud’) is the other main route by which cybercriminals have
committed fraud. By gaining access to the passwords required to log in to online banking
services, fraudsters are able to directly withdraw funds from target accounts, or undertake
more sophisticated fraud such as “pump and dump” stock scams. By accessing
information such as individuals’ account details, dates of birth, social security and
passport numbers and addresses, fraudsters are able to gain access to funds in existing
accounts and new loan and credit facilities.
The US Federal Trade Commission in 2007 received 221,226 Internet-related fraud
complaints totalling $525,743,643.20 Javelin Strategy and Research have predicted that
identity fraud will decline between 2007 and 2013, but individual victims' costs will rise
from $860 to $1,271 due to growing sophistication in criminal fraud techniques that use
elaborate social engineering schemes and multiple channels to evade detection for longer
periods of time.21

18 Metropolitan Police Service (2008) Money transfer fraud, available at
http://www.met.police.uk/fraudalert/money_transfer.htm
19 Ross Anderson (2007) Closing the Phishing Hole – Fraud, Risk and Nonbanks, US Federal Reserve.
Available at http://www.cl.cam.ac.uk/~rja14/Papers/nonbanks.pdf
20 Federal Trade Commission (2008) Consumer Fraud and Identity Theft Complaint Data January –
December 2007 p.10
21 Javelin Strategy and Research (2008) Consumer Identity Fraud Report.

Legal responses

UK Law: Computer Misuse Act 1990 amendments


Existing UK law specifically tailored to deal with computer crime is largely to be found
in the Computer Misuse Act of 1990 (CMA). As one of the earliest legislative attempts
to deal with computer crime, it was self-evidently not drafted for the Internet era. As a
result, although the Act deals fairly effectively with hacking and dissemination of viruses,
doubts have arisen as to whether the CMA adequately covers DoS.22
Two obvious routes existed within the CMA as originally drafted, which might be
explored by those seeking to criminalize DoS. The first was section 1, originally
designed to punish hacking, which prohibits “unauthorised” access to “any program or
data”. The other was section 3, designed to counteract the spreading of viruses, which
originally prohibited any “unauthorised modification of the contents of any computer”
which was intended “to impair the operation of any computer.” While s 3 was generally
seen as most appropriate to the offence, there was doubt as to whether an actual
“modification” was made since a server which is brought down by a DoS attack suffers
only temporary damage with usually no loss or corruption of data after the attack.
In 2004, Members of Parliament in the All-Party Internet Group (APIG) began a review
of the CMA, on the basis that this legislation was created before the emergence of the
Internet and therefore required updating. The Act was seen to focus too much on
standalone computers, and not enough on computer networks. In addition, some of the
definitions used in the 1990 Act needed updating. The final report outlined several
recommendations to the government for changes to the CMA. In March 2005, APIG
called for amendments to the CMA to address the threat from denial-of-service attacks.
An updated version of the CMA could be of greater benefit if it combined security
regulations relevant for standalone and network situations.
The Police and Justice Bill of 2005 thus amended section 3 by replacing the word
“modification” with “act”, which word is undefined save for including “a series of acts.”
In addition, section 3(2) of the CMA, as amended, specifies that the intent necessary to
commit the crime exists whether the intention is to produce temporary or permanent
impairment, or hindering or prevention of access to a computer, program or data.
Meanwhile DoS had finally arrived at the courts. In the unsatisfactory first UK
prosecution for DoS, R v Caffey,23 the charge was “unauthorised modification” under s 3
of the CMA, but there was no opportunity for argument as to its applicability as the case
fell on a dubious “Trojan virus” defense.24 The second reported prosecution was of
greater significance. In R v Lennon,25 a teenage hacker was accused of sending five
million emails to cause a DoS attack against his former employer. At first instance, the
judge refused to find there was an offence under section 3, not because of any doubts
about the applicability of the word “modification” but because
“In this case, the individual emails caused to be sent each caused a modification
which was in each case an ‘authorised’ modification. Although they were sent in
bulk resulting in the overwhelming of the server, the effect on the server is not a
modification addressed by [the Act].”
In other words, the judge accepted the argument that an unsecured website impliedly
authorises the sending of emails to itself. DoS was merely different in volume but not in
essential character to the sending of email in the ordinary way.

22 See APIG report (discussed below) at 5 (regarding hacking and viruses); at 59-75 at 11-12 (discussing the
efficacy of the CMA in prosecutions of DoS and DDOS attacks).
23 (Southwark Crown Court Oct. 17, 2003) (unreported).
24 The accused claimed that although his server had indeed launched the DoS attack, this had only been
because it had been taken over as a “zombie” by malicious code. Forensic experts however failed to find any
evidence of such code. Remarkably however, the court still accepted the defense and acquitted.
25 Unreported, Wimbledon Magistrate’s Court, December 2005.
On appeal, perhaps unsurprisingly, the decision was reversed.26 The Queen's Bench held
that:
“the owner of a computer which is able to receive emails is ordinarily to be taken as
consenting to the sending of emails to the computer. His consent is to be implied
from his conduct in relation to the computer. Some analogy can be drawn with
consent by a householder to members of the public to walk up the path to his door
when they have a legitimate reason for doing so, and also with the use of a private
letter box. But that implied consent given by a computer owner is not without limit.
The point can be illustrated by the same analogies. The householder does not
consent to a burglar coming up his path. Nor does he consent to having his letter box
choked with rubbish. …It is enough to say that it plainly does not cover emails
which are not sent for the purpose of communication with the owner, but are sent for
the purpose of interrupting the proper operation and use of his system.”
Note that although the appeal court thus solved the particular problem of DoS, the
question of how “authorised” was to be interpreted was never raised in the CMA
amendments. Thus the CMA still leaves unresolved the scope of the standing
implied consent given by web servers to receive email and page requests. If five
million emails sent to a server are outside the bounds of implied consent, surely
millions or even thousands of spam emails face the same challenge? Does any
reasonable user impliedly consent to the receipt of even one spam email? It seems
possible therefore that in future spammers might also find themselves charged
effectively with DoS under s 3 – a result neither the judiciary nor the reformers
probably intended.
On other problems with the CMA as originally drafted, the maximum penalty for
some offences has also been increased to ten years. The bill doubles the maximum
jail sentence for hacking into computer systems from five years to ten years, a
provision that will classify hacking as a more serious offence and make it easier to
extradite computer crime suspects from overseas. Furthermore a new s 3A contains
provisions to ban the development, ownership and distribution of hacker tools. Some
industry commentators considered the language used to be worryingly ambiguous,
possibly criminalising the use and sale of crucial security tools such as anti-DoS
intrusion detection software. In particular s 3A provides that it is an offence to
“supply or offer to supply [such a tool], believing that it is likely to be used to
commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]”.
Security experts have questioned how they could fail to believe that it is likely the security
tools they create will be abused by hackers and cyber-criminals, given the prevalence of
the black market economy. The Crown Prosecution Service has however issued
guidance on s 3A which seeks to reassure the security community.27

26 DPP v Lennon [2006] EWHC 1201 (Admin).

European law
The European Union (EU) is the world’s largest free trade area, and all twenty-seven
Member States must implement European law. Failing implementation, European law
can in certain circumstances take direct effect despite the lack of national law. Therefore
much over-arching NIS legislation and policy takes place at European level.

Table 1: Summary of national legislation and European law implementing NIS28

Columns: Jurisdiction; Privacy Law; Electronic Privacy Law29; Electronic Commerce Law; Cyber Crime Law30

European Union
Privacy Law: Data Protection Directive 95/46 of 24 November 1995
Electronic Privacy Law: Directive 2002/58/EC (repeals Directive 97/66/EC of 15 December 1997); Data Retention Directive of 21 February 2006
Electronic Commerce Law: Electronic Signatures: Directive 99/93 of 13 December 1999; Electronic Commerce: Directive 2000/31 of 8 June 2000
Cyber Crime Law: Framework Decisions and Communications31; 2001 Council of Europe Convention on Cybercrime is harder law

United Kingdom
Privacy Law: Data Protection Act 1998
Electronic Privacy Law: Regulation of Investigatory Powers Act 2000; Data Retention Regulations 2007 (No. 2199)32 and 2009 (No. 859)33
Electronic Commerce Law: Electronic Communications Act 2000; Electronic Signature Regulations 2002; E-Commerce Regulations 2003
Cyber Crime Law: Computer Misuse Act 1990

Germany
Privacy Law: Federal Data Protection Law (BDSG) last amended 2001; G-10 law applies to communications secrecy
Electronic Privacy Law: Information and Communication Services Act 1997; Telecommunications Act 2004 (Telekommunikationsgesetz-TKG) last amended 14/03/2005
Electronic Commerce Law: Digital Signature Law 2001
Cyber Crime Law: Penal Code Sections 202a: Data Espionage; 303a: Alteration of Data; 303b: Computer Sabotage

France
Privacy Law: Information Technology and Liberty Act (Loi Informatique et Libertés) 1978
Electronic Privacy Law: Law 2004-801 of 6 August 2004 relating to the Protection of Data Subjects as Regards the Processing of Personal Data
Electronic Commerce Law: E-Signature Law: Decree No. 2001-272, 30 March 2001 in accordance with article 1316-4 in the civil code related to electronic signatures; Law n°2004-575 of 21 June 2004 of Confidence in the Digital Economy
Cyber Crime Law: Godfrain Act 1988; Penal Code Chapter 3, Articles 323-1 through 323-4: Attacks on Systems for Automated Data Processing

27 Although with mixed success – see Richard Clayton’s response at
http://www.lightbluetouchpaper.org/2007/12/31/hacking-tool-guidance-finally-appears/
28 For a recent survey, see Mitrakas, Andreas (2006) Information security and law in Europe: Risks checked?
15:1 Information Communications Technology Law March at 33-53; also ITU (2008) Global Cybersecurity
Agenda High Level Expert Group, Global Strategic Report, at http://www.cybersecurity-gateway.org/pdf/global_strategic_report.pdf
29 A useful source of e-banking legislation in English is http://rechtsinformatik.jura.uni-sb.de/cbl/cbl-statutes.php
30 All countries in the Table have signed the Council of Europe Cyber Crime Convention
31 See particularly Communication on cyber-crime, COM (2007) 267 and Peers, S. (2009) Strengthening Security
and Fundamental Freedoms on the Internet: An EU Policy on the Fight Against Cyber Crime, Report for the
European Parliament, Policy Department C: Citizens' Rights and Constitutional Affairs, PE408.335 at
http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/study_internet_security_freedoms_/Study_Internet_Security_Freedoms_en.pdf

There has been harmonisation among countries based on both common European
legislation and cooperation in for instance police and Computer Emergency Response
Team (CERT) activities. The extent to which this harmonisation resulted in convergence
of national policies depended critically on:
• Whether national political responses to specific NIS problems34 produced strong
national legal and policy differences; and
• Whether pan-European policy preceded national response.

32 http://www.opsi.gov.uk/si/si2007/uksi_20072199_en_1
33 http://www.opsi.gov.uk/si/si2009/uksi_20090859_en_1
34 Including data protection failures and prevalence of viruses and other computer crimes

National responses to cybercrime date from the period around 1990 and also show
significant legislative and policing developments that pre-date the European response
(ENISA, the European Network and Information Security Agency, was only founded in
2004).35 In criminal law, pre-existing national legislation combined with a European
cooperative police force (Europol) led to harmonisation rather than convergence. In all
these cases, European legislation came after national legislative and institutional
arrangements, and national lawmakers had substantial initial room for independent policy
formation. In telecoms legislation, an area of longstanding European convergence, the
Data Retention Directive of 2006 signalled a greater convergence between national
regimes. The very late establishment of ENISA as the central NIS coordination
mechanism indicated a desire by Member States to maintain existing national
institutional arrangements in their current form. From 2010, Europol formally becomes
an agency of the European Union.36
The European Council Framework Decision on Attacks against Information Systems37
was adopted on 24 February 2005. Its objective is ‘to improve cooperation between
judicial and other competent authorities, through approximating rules on criminal law in
the Member States in the area of attacks against information systems’. The Framework
Decision indicates that attacks against information and computer systems are a tangible
and dangerous threat that requires an effective response. The Framework Decision and
the Cybercrime Convention have synchronised definitions of the relevant offences.

Council of Europe Convention on Cybercrime


One of the main international legislative instruments relevant to both global and
European regulation of cybercrime and security is the Council of Europe Convention on
Cybercrime. The final text of this was agreed on 23 November 2001 and it entered into
force on 1 July 2004.38 A further Protocol on racist and xenophobic acts in cyberspace
was signed on 28 January 2003 and entered into force on 1 March 2006.39 The
Convention is open for signature by both Council of Europe Member States (EU Member
States plus fifteen other countries) and those non-Member States that participated in its
drafting (including the United States). It is also open for accession by other non-Member
States.

35 Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the
European Network and Information Security Agency, OJ L 77, 13.3.2004
36 See IP/08/610 (2008) Europol to become EU agency in 2010, Brussels, 18 April 2008 at
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/610
37 Council Framework Decision 2005/222/JHA on attacks against information systems.
38 Due to its article 36, which contains the conditions for entry into force. It specifies that the Convention
should first be ratified by five States, including three Member States of the Council of Europe. The Convention
would then enter into force on the first day of the month following the expiration of a three month period after
the fifth ratification. This condition was fulfilled with Lithuania’s ratification on 18 March 2004, triggering the
entry into force on 1 July 2004.
39 Additional Protocol to the Convention on cybercrime, concerning the criminalisation of acts of a racist and
xenophobic nature committed through computer systems CETS No. 189 at
http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm

The Convention is regarded as one of the most comprehensive documents on cyber-crime
available. Substantively, it focuses on efforts to outline common definitions for crimes
relating to computers and also measures to encourage international co-operation. It is the
only international agreement that covers all relevant aspects of cybercrime policing
(substantive criminal law, procedural law, and international cooperation). Since much
cybercrime is by its nature cross-jurisdictional, the most valuable contribution of the
Convention is to harmonise definitions of offences across states so that extradition and
co-operative policing are made much easier. Although the Convention is applicable only
to state governments and not to the private actors who de facto control many important
parts of the Internet infrastructure, guidelines for law enforcement by service providers
were issued in April 2008.40
How effective is the Cybercrime Convention? Some argue that the number of nations
who have signed up is not impressive.41 27 EC nations have joined to date but only 12
have ratified, six years on, leaving 15 to go. Outside the EU, the Convention is seen as
Western dominated, both in development and at the current time. Of the few non-EU
nations that have acceded, only the US and Ukraine have ratified. On the other hand the
Convention is often held up as a model law, even for countries unwilling to accede
because the treaty is seen as too Western, or too demanding of resources. Marco Gercke,
University of Cologne, a UN and CC cybercrime expert, states that "the impact of the
Convention is going beyond the number of countries that formally signed it. At least a
couple of dozen countries have used the Convention while updating their legislation to
bring themselves in line with international standards.”42
The key question for the success of the Cybercrime Convention is perhaps whether it can
entice into membership those countries known to harbour the ringleaders of organised
cybercrime – such as many countries in the former Soviet Union bloc – as well as those
that suffer the brunt of cyber attacks – the USA and Western Europe. Even where
developing world and Eastern European countries have the political will to take a stance
against cybercrime, it is often difficult to justify allocating resources for it, when the
beneficiaries will be not that state’s own citizens but those of other countries. Despite
this the ongoing success of the Cybercrime Convention can be seen at a micro as well as
macro level. Many countries are in the process of harmonising their law to meet
Cybercrime Convention standards whether or not they plan to join, e.g. many Latin
American countries. In other regions such as the Arab states, there may be a preference
to put together their own regional instruments rather than accede – but in most cases
these are very similar to the Convention. It is thus arguably a very successful instrument
for international harmonisation.

40 See http://www.coe.int/t/DG1/LEGALCOOPERATION/ECONOMICCRIME/cybercrime/cy_activity_Interface2008/567_prov‐d‐guidelines_provisional2_3April2008_en.pdf
41 See R. Anderson et al, Security Economics and European policy, Proceedings of the Workshop on Economics
and Information Security, 2008, at http://weis2008.econinfosec.org/papers/MooreSecurity.pdf
42 Private conversation with Edwards during the research for the McAfee Virtual Criminology Report 2008,
supra.
The Council of Europe, which sponsors the treaty, also provides training in how to operate
against cybercrime and use the Convention, for both judiciary and police, as well as
assisting regions to move towards accession or developing their own instruments: see e.g.
workshops held in 2007/2008 for the West Africa and Caribbean regions, as well as
programmes for the training of judges, e.g. by Cybex in Spain.
The Convention, despite having only been in force since 2004, is already showing signs
of a need for updating. Specific problem areas such as phishing, identity theft and crime
in “virtual worlds” – e.g. fraud on virtual banks – are not covered as nominate crimes,
though they may be subsumed beneath broader categories, such as phishing beneath
online forgery and fraud (arts 7 and 8). New investigation instruments like key-loggers
(“Magic Lantern”) and identification instruments (“CIPAV”) are already in use in
countries like the US but not mentioned in the Convention either as permissible or not.
Renegotiating the treaty would likely be a Herculean task, so future additions are likely to
be made by ways of optional protocols, as with the existing example relating to hate
speech.
Will the Cybercrime Convention ever develop into a standing cyber crime police force,
much as NATO has developed a standing capacity to combat hostilities in its region? It is
clear that national police forces, whether standard operations or specially trained
“cybercops”, struggle to make any meaningful impact on cybercrime when so much of it
is directed from countries outside their jurisdictional competence. One-time co-operative
international policing operations have had some striking successes, notably in relation to
international paedophile rings, but these are very expensive, and extremely difficult and
time-consuming to mount. An argument for a standing international cyber security force
clearly exists, particularly as Interpol seems to have little or no profile in the field of
cybercrime. The political will (and funding) for such a force seem at the moment
however to be absent, and as noted at the start of this chapter, we seem instead to be
entering a phase of distinctly national cyber-security initiatives43 as states realise the full
potential impact of a cyber-infrastructure attack.
Specific legal problem areas
Phishing
Phishing is the use of social engineering and hacking techniques to gain information such
as financial or other personal data. Profit is usually achieved for “phishermen” by sending
emails which by some means or other extract login and password details from recipients
which can then be used to gain access to bank and similar accounts. Phishing is a fast-
rising crime and has accelerated in particular since the current recession began. Figures
released in October 2008 in the UK by APACS, the UK clearing banks association,44
showed that from January to June 2008 phishing attacks rose by 186% on the same
period in 2007. In total there were more than 20,682 phishing incidents during that six
month period compared to 7,224 the previous year. Similarly the FTC issued a special
phishing warning for the USA, also in October 2008.45

43 See e.g. the announcement of the UK’s first national Cyber Security Strategy launched in June 2009, reported at
http://news.bbc.co.uk/1/hi/uk_politics/8118348.stm. For the US equivalent, see infra n 73.
44 See http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm .
There are two key reasons why phishing is a particularly fast-growing threat at the current
time. First, as credit facilities become restricted and subject to detailed checking,
procuring personal data to open new accounts and acquire new credit cards loses appeal,
while using phishing data to clean out existing accounts becomes more attractive.
Secondly, the recession has brought with it vast confusion and loss of trust in the
consumer sector.46 As the confusion around financial bust and merger (perhaps) clears,
phishing is likely to diversify into public sector websites (e.g. TV and motor licensing
sites) with deleterious consequences for public confidence in e-government;47 and into
phishing of virtual currencies from virtual worlds48 – where law enforcement will have,
one suspects, not the first idea of where to start.49
In the previous and following sections we discuss what role (if any) law can play in
preventing the kind of cyber insecurity that engenders phishing. A key issue for the law,
however, is how to regulate the losses of users in this sphere, and in particular whether banks
should be obliged to reimburse customers for phishing losses. It is a common myth in the
UK that banks are required to reimburse phishing losses where bank accounts are drained
by phishers. It seems that most consumers draw an analogy with the well known rights in
respect of misuse of credit card details under the Consumer Credit Act (CCA) ss 83 and
84. In fact, UK law here is unclear and antiquated.50 The CCA provides only that banks
issuing credit cards must reimburse cardholders where the card data is fraudulently
misused by a third party. In relation to debit fraud, remedies are purely conferred by the
voluntary Banking Code, and there have been disputes in the past even over
“conventional” misuse of debit card details, e.g., re "phantom" cashline/ATM
withdrawals where banks have refused to reimburse, claiming the customer is at fault or
lying.
Thus the commonest case of phishing, where a chequing or savings account is drained, is
not covered by hard law since no consumer credit arrangement is involved. Instead, the
matter appears to be covered only by banking practice as laid down in the Banking Code,
not in hard law. Historically, as Bohm et al have pointed out,51 under the Bills of
Exchange Act 1882, a bank that honoured a forged cheque was bound to repay the amount
debited to the customer’s account. By analogy, a bank which allowed a phisherman to
withdraw the contents of an account using “forged” credentials should surely be equally
liable. Yet the latest edition of the Banking Code makes customers liable for unauthorised
online banking transactions unless they have taken “reasonable care” – defined as the use
of “up-to-date anti-virus and spyware software and a personal firewall” and that
customers keep passwords and PINs secret.52 In practice to date banks have usually paid
up, but it may be questioned whether financial cutbacks combined with a rise in claims will
not put pressure on this gentleman’s agreement.

45 See http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt089.shtm .
46 BBC News 10 October 2008 “Bank turmoil fuels phishing boom”, at
http://news.bbc.co.uk/1/hi/technology/7663055.stm .
47 See http://blogscript.blogspot.com/search/label/phishing .
48 See ENISA Report “Virtual Worlds, Real Money”, November 2008, at
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_security_privacy_virtualworlds.pdf .
49 See amusing fictional account in Stross C Halting State (2007).
50 See N Bohm, I Brown and B Gladman ‘Electronic Commerce: Who Carries the Risk of
Fraud?’ 2000 (3) JILT at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/ ; Anderson R
“Closing the Phishing Hole – Fraud, Risk and Nonbanks”, available
at http://www.kansascityfed.org/econres/PSR/PSRConferences/2007/pdf/Anderson.pdf .
51 Supra.
In other countries, a mishmash of legal and para-legal remedies has emerged, with little
harmonisation across borders. For example,
• in the US, claims by customers that they have suffered loss due to card fraud of
some kind are repaid under EFTA, the Electronic Fund Transfer Act, subject only
to the customer reporting the fraud properly. Fault on the part of the consumer is
not a relevant consideration.
• In Canada, losses are usually indemnified by banks but only according to
voluntary banking codes. Furthermore fault removes customer rights, and in
Canada, “fault” on the part of the customer to exclude bank liability has reportedly been
defined very widely, e.g. if shoulder skimming has occurred this might be “fault”,
as might dropping a card on the floor revealing data, or having a PIN stuck to the back of
the card.53
• In Costa Rica, the customer is left to carry the losses of bank frauds and ID fraud
on their own.54

This lack of harmonisation is a problem given the increasing ability of consumers to bank
outside their home jurisdictions, especially using Internet banks. In the event of consumer
losses due to phishing, difficult issues may arise both of identifying the relevant legal
system and the legal remedies available. It also indicates, though, the rise of a culture
where consumers are presumed at fault if losses occur due to phishing, and have to prove
their innocence to get their money back. This seems disturbing, given that it is the banks,
not the consumers, who are in the best place both to identify and warn against phishing
entreaties, and to improve banking security, thereby safeguarding consumers against
foolhardy decisions – e.g. by implementing two factor authentication for consumer
withdrawals. Accordingly, as discussed below, the House of Lords Report on Personal
Internet Security recommended in 2007 and again in 2008 that banks should be
presumptively held liable for phishing losses as a matter of law.55

52 British Bankers’ Association, The Banking Code, March 2008 s12.9. Available at
http://www.bankingcode.org.uk/pdfdocs/PERSONAL_CODE_2008.PDF.
53 Personal conversation by Edwards with Mary Kirwan, Canadian security expert, while conducting
research for the McAfee Virtual Criminology Report 2008, supra.
54 With thanks to Andres Guadamuz for this information.

Buying zero day exploits


Exploits or “zero day exploits” are software vulnerabilities that allow a particular piece of
software to be hacked or in some way compromised. They are, basically, “bugs”, which
arise inevitably in the creation of software as it goes through its development life cycle.
Exploits which compromise widely used programmes such as Internet Explorer, Word,
Excel, Linux kernel programs, etc can be extremely valuable. They can be used to cripple
a commercial competitor or to open “back doors” in programmes allowing theft of
personal data e.g. bank account details. They can even in theory inflict significant
damage on the infrastructure of a nation state. They can also be used indirectly to
blackmail the vendor of the affected software.
The market for exploits is cloaked in secrecy but some details have emerged in the last
few years:
• “White” or legitimate market: Two main agencies exist which openly buy
exploits at market prices, using contracts and non-disclosure agreements (NDAs):
Tipping Point56 and iDefense;57 other players include Snosoft58 and a number
of small firms whose business model is to employ in-house vulnerability
researchers.
• Occasional examples also exist of security researchers attempting to sell exploits
on the open market by “bug auctions”. In 2005, a researcher “fearwall”
discovered a bug in Microsoft Excel that could have caused potentially enormous
damage, and after first contacting Microsoft, went public by putting it up for sale
on eBay. Bids reached $1,200 before the auction was pulled under pressure from
the vendor. “Fearwall” claimed he had really been seeking not money, but
publicity to pressurise Microsoft into patching the vulnerability.
• “Grey” market: sales of exploits to government agencies. This market is a “white
hat” market but little is known about it. It is rumoured the US National Security
Agency59 has purchased exploits, and that various government agencies employ
vulnerability experts to hunt for exploits as full time staff or on freelance
contracts.

• “Black” market: sales to criminals and corporations engaged in industrial sabotage
or espionage. Again revenue can then be gained directly by closing down a
system, or indirectly by attempts to blackmail a vendor by threatening release of
an exploit, resulting in bad PR and possible loss of market share. This market is
almost impenetrably difficult to research. However one known example occurred
in January 2006 when a Microsoft WMF exploit was sold by auction for $4,000⁶⁰
– allegedly to more than one “black hat” buyer. Investigations showed the exploit
was later used by at least one buyer to capture machines to spread “pump and
dump” spam.

55 House of Lords Science and Technology Committee, Personal Internet Security, HL 165-I, 5th Report of
Session 2006-07 - Volume I: Report.
56 http://www.tippingpoint.com/ .
57 http://labs.idefense.com/ .
58 See http://snosoft.blogspot.com/2007/01/exploit-acquisition-program.html for an example of their terms
of purchase of exploits.
59 See C. Miller (2007) The legitimate vulnerability market, Proceedings of Workshop for Economics of
Information Security, available at http://weis2007.econinfosec.org/papers/29.pdf and Sutton M and Nagle
F “Emerging economic models for vulnerability research”, Proceedings of Workshop for Economics of
Information Security, 2006, available at http://weis2006.econinfosec.org/docs/17.pdf .

Legal issues around exploit sales
It might be surprising that there can be a white market in exploits at all. Discovered
exploits in their nature are primarily intended to impede or cripple software and, by
extension, to hurt users and vendors who make money from that product. Arguably their
sale should be illegal, or at least controlled, as the sale of weapons or dangerous goods
like dynamite, poisons or hand-guns are in most European countries. On the other hand it
can be argued that exploits are, rather like encryption, a “dual use” good. While their
primary purpose is to cause damage, they can also be used by security experts to provide
an early warning service of possible vulnerabilities (this is the business model of the likes
of iDefense), and studied to build safer, less vulnerable software.
From a legal perspective it is not at all clear what is being “bought” and “sold” in the
exploit market. A vulnerability is not a tangible object like a gun, so the first obvious
argument would be that it is a piece of intellectual property (IP), and this seems
anecdotally to be what some buyers and sellers claim. However the only appropriate IP
regime of protection would probably be copyright, and this analysis leads to severe
problems. The programme code that the exploit relies on, and will often incorporate, will
be the copyright of the vendor not the creator of the exploit – and the vendor will
certainly not have licensed his code to the zero day exploiter to use (or abuse) in this way.
Furthermore, sometimes what is sold may not be code as such, but merely a particular
word or an idea – knowledge about how or when a vulnerability operates – in which
case IP will not be appropriate, although trade secrets may be.
In fact, what is bought and sold mainly appears to be silence. Agreements in the exploit
market are notoriously hard to broker because if the exploit seller demonstrates that the
exploit works to the buyer, then he will often have given away the value of what was on
sale: even more so if he hands his code over to the buyers to test. As with all ideas, once
it has been explained, what is left to sell? The market thus appears to rely mainly on
non-disclosure agreements rather than transfer of property per se. Since sales will
normally be made under conditions of anonymity, there is also the problem of multiple
sales. An exploit might be traded under three different names to three different markets.
As a result the exploit market is de facto limited to a small group of experts who know
and trust each other, with open auction sites partly filling the gap.

60
Cited in Miller, supra.
Finally, there remains a strong argument that an exploit market should not be valid in any
form. Vendors tend to argue that any exploits that exist should “belong” to them and thus
in law not be saleable either back to them, or worse still, to someone else. “It’s my code
and my mistake” said one unnamed programmer for a major software vendor. “Shouldn’t
I be entitled to fix it? If Shakespeare had made a spelling mistake in one of his plays
wouldn’t he expect just to be told about it, not to have to pay for it before he could fix
it?”61
Some security experts and economists argue however that a “white market” should be
allowed:
• In a professionalised world of organised cybercrime, security experts, just like
cyber criminals, increasingly work for financial reward not just glory.
Discovering an exploit is hard work and researchers should be paid for it, since
their work is for the public good.
• If a white market for vulnerabilities does not exist, researchers will sell to the
black market, probably for greater reward.
• Discovering vulnerabilities should be encouraged as otherwise software remains
insecure, adding to the instability of critical infrastructure and the growth of the
zombie bot population. An exploit market increases potential scrutiny.
Many commentators still however feel uneasy about this covert “arms trade”, with a
strong argument made that encouraging the discovery of software vulnerabilities simply
encourages illegal activity and produces insecurity (of both software and the market).62
Both the current major players on the white market respond that they engage in
“responsible disclosure” – that is, they disclose the vulnerability to the software vendor
after they have made it available to their own customers. The vulnerability is thus
eventually fixed (“patched”). They also claim to facilitate the procurement of exploit
information by having a larger range of sources than any one company normally would.
For example, iDefense reported in 2007 having a pool of about 400 contributors of
vulnerability information over the last four years.63 Given an inevitable time gap between
when a vulnerability has been found and when the vendor can patch it, the “white
market” business model is to provide advance disclosure to their own paying clientele
who are thus protected before patching is implemented. The fault if any can then be said
to lie with vendors for not patching sooner and more effectively.
Vendors, however, including major players such as Google and Microsoft, take the view
that best practice is to disclose software vulnerabilities straight to them so they can be
patched as fast as possible, and discourage an exploit market. Some vendors have been
known to offer bounty programmes for amateur “bug spotting” while discouraging the
“professional” approach.64 Some support mandatory vulnerability disclosure. While
delayed disclosure of bugs in traditional software products such as Word or Excel may be
workable, and prevent collapse of confidence in a product, in relation to web services,
immediate disclosure to the service provider so the vulnerability can be patched is
regarded as vital, since silence leads to further infections being spread to multiple users.65
A distributed non-commercial scheme in which all Internet users work voluntarily
together to search and disclose exploits may also be a future model; a preliminary basis
for such already exists in the StopBadWare list of infected websites, which appears as
warnings against lists of Google search results.66

61 Conversation quoted during personal interviews by Edwards with a spokesman for iDefense for McAfee
Virtual Criminology Report 2007, supra.
62 Kannan and Telang (2005) Markets for Vulnerabilities? Think again, Management Science, 51 (5).
63 As above.

Future legal directions


In August 2007 the House of Lords Science and Technology Committee published the
results of their year-long inquiry into Personal Internet Security.67 Their investigation was
particularly concerned with the nature and scale of the security threat to individuals; how
these threats could best be tackled; what types of governance and regulation would be
most appropriate in this area; and how well the government is responding to cybercrime.
A wide range of individuals and organisations gave evidence to the inquiry, including
academic lawyers and computer scientists, trade bodies such as the British Computer
Society and Association of Payment and Clearing Services, Internet Service Providers,
law enforcement agencies and children’s charities.
The committee made recommendations in a number of areas, with the main aim being to
better align the security incentives of organisations, ISPs and users. They found that end
users rarely have the time or technical background to shoulder the responsibility pushed
onto them by the government for securing their own online activities. Financial services
institutions, ISPs and software vendors in particular are in a better position to manage
some security risks.68 The best way to encourage them to do this would be to carefully
reallocate to them some of the liability for fraudulent payments, traffic from infected
machines and insecure software.
Banks have been encouraging customers to switch to online services (which are much
cheaper to provide than branches and staff) while at the same time attempting to shift risk
for fraudulent transactions onto those same customers, as discussed above. Given the
continuing arms race between virus authors and anti-virus software companies, and the
ingenuity of those harvesting passwords from infected PCs and phishing sites, it will be
difficult for the average user to assess the risk and veracity of a transaction. Banks have
been slow to develop and deploy the type of hardware authentication tokens69 that would
protect users, because the costs of their failure to do so fall partly on their customers.
Banks are also in a better position than their customers to profile and analyse transactions
for suspicious events. The Lords therefore recommended that banks be encouraged to
take more responsibility for their customers’ security by holding them liable for
electronic fraud losses. They also suggested that banks and other businesses should be
required to notify customers when security breaches occur, giving them advice on
practical steps to reduce the resulting risks.70

64 E.g. Netscape’s Mozilla Foundation (http://www.mozilla.org/security/bug-bounty.html).
65 See Day O, Palmen B and Greenstadt R (2008) Reinterpreting the Disclosure Debate for Web Infection,
Proceedings of the Workshop for Economics and Information Security, at
http://weis2008.econinfosec.org/papers/Greenstadt.pdf
66 Project run by Harvard and Oxford Universities plus others in collaboration with Google: see
http://stopbadware.org/
67 Supra n 54.
68 This argument was first made in N. Bohm, I. Brown and B. Gladman, supra n 49.
The committee similarly found that ISPs are in a better position than their customers to
protect against certain types of attack. In particular, they are able to monitor outgoing
traffic for and receive reports of spam, worm infections or Denial of Service attacks.
Once such traffic has been detected, ISPs are able to limit infected machines’ network
access to sites that will allow them to download the latest software patches and antivirus
signatures and hence remove the infection. The Lords recommend that the E-Commerce
Directive’s Article 12 “mere conduit” defence71 be removed once ISPs have detected or
been notified of such traffic, making them liable for damage done to third parties unless
they take preventative measures within a limited time period.
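The detect-then-quarantine sequence the committee describes, as an added illustration that is not code from the chapter or from any ISP: outbound flow records are examined for the three patterns named above (spam, worm scanning, Denial of Service), and each flagged subscriber is given a "walled garden" rule set that permits only patch and anti-virus update hosts. All flow records, thresholds, addresses and host names are constructed assumptions.

```python
"""Added example (not from the chapter or any ISP): detecting likely-infected
subscriber machines from outbound flow records, then building a "walled
garden" policy that leaves them access only to patch and anti-virus hosts.
Every flow record, threshold, address and host name below is a constructed
assumption for illustration."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One outbound flow: (subscriber_ip, dst_ip, dst_port, tcp_flags).
# "S" = SYN only (attempt, no handshake completed); "SA" = completed handshake.
Flow = Tuple[str, str, int, str]

# Constructed allow-list of update hosts a quarantined machine may still reach.
PATCH_ALLOW_LIST = ["updates.example-os.net", "av-signatures.example.net",
                    "help.example-isp.net"]


def make_sample_flows() -> List[Flow]:
    """Constructed traffic for four subscribers: one clean, three infected."""
    flows: List[Flow] = []
    # 10.0.0.2 is clean: a few HTTPS sessions and one mail submission via the ISP relay.
    for i in range(5):
        flows.append(("10.0.0.2", f"203.0.113.{i + 1}", 443, "SA"))
    flows.append(("10.0.0.2", "198.51.100.25", 25, "SA"))
    # 10.0.0.5 is a spam bot: direct-to-MX deliveries to many distinct mail servers.
    for i in range(30):
        flows.append(("10.0.0.5", f"192.0.2.{i + 1}", 25, "SA"))
    # 10.0.0.7 is worm-infected: SYN-only probes of port 445 across many hosts.
    for i in range(60):
        flows.append(("10.0.0.7", f"198.51.100.{i + 100}", 445, "S"))
    # 10.0.0.9 is taking part in a DoS: hundreds of SYNs aimed at one victim.
    for _ in range(250):
        flows.append(("10.0.0.9", "203.0.113.200", 80, "S"))
    return flows


def classify_hosts(flows: Iterable[Flow],
                   smtp_dest_threshold: int = 20,
                   scan_dest_threshold: int = 50,
                   flood_threshold: int = 200) -> Dict[str, Set[str]]:
    """Return {subscriber_ip: set of reasons} for hosts whose outbound traffic
    matches a spam, scanning/worm or flooding pattern. Thresholds are constructed."""
    smtp_dests: Dict[str, Set[str]] = defaultdict(set)
    syn_only_dests: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    per_dest_flows: Dict[Tuple[str, str], int] = defaultdict(int)
    for src, dst, port, flags in flows:
        if port == 25:
            smtp_dests[src].add(dst)
        if flags == "S":
            syn_only_dests[(src, port)].add(dst)
        per_dest_flows[(src, dst)] += 1

    findings: Dict[str, Set[str]] = defaultdict(set)
    # Spam: a consumer machine has no reason to talk to dozens of distinct mail servers.
    for src, dests in smtp_dests.items():
        if len(dests) > smtp_dest_threshold:
            findings[src].add("spam")
    # Scanning: many half-open attempts on one port across many different hosts.
    for (src, port), dests in syn_only_dests.items():
        if len(dests) > scan_dest_threshold:
            findings[src].add(f"scan:{port}")
    # Flooding: an unusual number of flows aimed at a single destination.
    for (src, dst), count in per_dest_flows.items():
        if count > flood_threshold:
            findings[src].add(f"flood:{dst}")
    return dict(findings)


def walled_garden_rules(host: str, allow_hosts: Optional[List[str]] = None) -> List[str]:
    """Ordered filter rules for one quarantined subscriber: permit only the
    update hosts, then drop everything else (constructed rule syntax)."""
    names = PATCH_ALLOW_LIST if allow_hosts is None else allow_hosts
    rules = [f"allow from {host} to {name} port 80,443" for name in names]
    rules.append(f"deny from {host} to any")
    return rules


def plan_quarantine(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Combine detection and response: rule sets for every flagged subscriber."""
    return {host: walled_garden_rules(host) for host in sorted(classify_hosts(flows))}


if __name__ == "__main__":
    for host, reasons in sorted(classify_hosts(make_sample_flows()).items()):
        print(host, sorted(reasons))
    for host, rules in plan_quarantine(make_sample_flows()).items():
        print(host, "->", rules[0], "...", rules[-1])
```

The clean subscriber (10.0.0.2) is never flagged, because each rule keys on a pattern no ordinary home machine produces: many distinct mail servers, many half-open probes on one port, or hundreds of flows at a single target. Keeping the rule set ordered with a final deny is what gives the quarantined machine exactly the patch-site access the committee envisages and nothing else.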
Finally, the committee noted that software companies have historically paid limited
attention to the security of their products and that “radical and rapid change” is needed.
This is partly due to their ability to dump liability onto customers using restrictive
licensing agreements that would be held void in many other markets (and partly due to
the preference seemingly shown by consumers for flashy new features over security and
stability in software). The committee therefore recommended that in the short term,
liability waivers should be ignored when vendors have been negligent. In the long term, a
framework for vendor liability and consumer protection should be developed. More
specifically, the committee suggested that users should receive better security advice
when first setting up new software; that patches should automatically be downloaded
when machines first go online; and that default security settings should be set as high as
practicable to give users time to understand risks and tradeoffs of reducing those settings.
These recommendations broke new ground in the debate on Internet security in the UK.
While they were almost completely rejected in the government’s initial response to the
report,72 they have continued to generate discussion and further activity by the Lords
Science and Technology Committee. They were also echoed in a recent cybersecurity
review carried out by the US government, which further recommended attention to
indemnification, tax incentives, and new regulatory requirements and compliance
mechanisms.73 While cybersecurity remains an enormous global problem, it does seem
that some consensus on a holistic strategy to combat it, taking into account law, business
practice and technology or “code”, is finally beginning to emerge.

69 See for example details of Barclays Bank’s new PINsentry device at
https://www.barclays.co.uk/pinsentry/.
70 Mandatory security breach disclosure is likely to be passed as part of the reform of the Privacy and Electronic
Communications Directive 2002 in 2009, but only for the telecommunications industries and not for the likes of
banks. See further, Edwards, Chapter DP1 at PP xx.
71 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal
aspects of information society services, in particular electronic commerce, in the Internal Market, OJ L 178,
17.7.2000, p. 1–16.
72 The Government reply to the Fifth Report from the House of Lords Science and Technology Committee
Session 2006-07 HL Paper 165, Cm 7234.
73 United States Government (2009) Cyberspace Policy Review: Assuring a Trusted and Resilient
Information and Communications Infrastructure, available at
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
