Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from government and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle-attack, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and crimes associated with them. 

Although we lack a uniform and a neat understanding and approach towards addressing cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into broad categories of “cyber-dependent” and “cyber-enabled” crimes. The cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is of cyber-enabled crimes that are traditional crimes whose scope, scale and severity is greatly impacted by the use of computers, computer networks and other devices. Examples include: cyber fraud, cyberterrorism, online child sexual abuse or exploitation material, among others. 

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussion around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide ranging proposals on inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. 

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why its regulations attract diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes. 

2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), The Council of Europe Convention on Cybercrime (Budapest Convention), League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/ E-crimes and Electronic Evidences that targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention. 

International legal instruments (identified above) address an extensive range of cybercrime and criminalised both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attack on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered include, offences related to child pornography, crimes that are racist or xenophobic in nature committed through computer systems. The third set of cyber-enabled crimes include offences against privacy, offences related to terrorism committed by means of information technology, and increasing punishment for traditional crimes when they are committed by means of information technology which are covered by a miniscule number of convention (such as League of Arab States Convention on Combating Information Technology Offences). 

3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. The cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what it constitutes due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly- worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, binding international criminal instruments such as the Ad-Hoc Committee’s work is not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals. 

4. Way Forward and Suggested Solutions 

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and lack of sufficient exceptions can be attributed as primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role, keeping citizens secure, and upholding the rule of law. In such a scenario where it is hard to build consensus in fractious issues as this, and urgency of action in respect of the threat faced by Member States, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address the cyber-enabled crimes though civil or non-legal instruments while keeping up the balance with international human rights and fundamental freedom. 

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes.