Increasing co-operation against cyberterrorism and other large-scale attacks on the Internet
Meeting of the PACE Committee on Culture, Science, Education and Media (The Hague, 11-12 March 2015) - Agenda point 7
First let me thank the PACE Committee on Culture, Science, Education and Media for looking at the problem of cyberterrorism and other large-scale attacks against critical information infrastructure.
Over the last two years we have seen a very worrying increase in cyberattacks. As technology evolves, law enforcement agencies frequently find themselves playing catch-up. Victims often have low expectations of the justice they’ll receive. And these crimes don’t just undermine the Rule of Law, they undermine our democratic freedoms too. The European Court of Human Rights has affirmed – in the case of Yildirim v Turkey in 2013 – that the Internet has become the principal means of freedom of information, which applies not only to the content of information but also to the means of its dissemination. Attacks which shut down computers or distort content are a direct affront to freedom of information, just as hacking into personal data harms the right to privacy too.
We need to stop talking about cyberspace as if it is somehow different from the real world. Internet and social networks are public spaces – like streets, parks, theatres or shopping malls. The same Human Rights – and responsibilities – should apply there and the Rule of Law must be upheld.
In order to do this, criminal justice authorities need additional tools, and my strong view is that international cooperation is key. The internet is borderless and States will be far more effective at catching cyber criminals and terrorists if they are operating under the same legal framework.
However, you’ll know that such solutions can be notoriously difficult to negotiate. A big part of the problem is confusion, in the political debate, between covert surveillance by national security services on the one hand, and measures used in criminal investigations – also known as special investigation techniques – on the other. Criminal investigations require access to specified data for specific cases. Bulk interception of data for national security purposes is a very different story, and there are serious concerns regarding democratic oversight of this activity. I call on PACE to make this distinction. We need more effective criminal justice; we need stronger safeguards when it comes to surveillance by the security services. What we don’t need is ongoing confusion between the two.
Given the difficulties around negotiating new international solutions, we should also make sure we are making the best possible use of the legal instruments and other tools which already exist. These include in particular the Council of Europe’s Conventions on the Prevention of Terrorism (ETS 196) and on Cybercrime (ETS 185). Together, they provide a comprehensive international response to the terrorist use of the Internet. I trust that PACE will agree that these instruments represent a unique acquis of the Council of Europe. The Budapest Convention in particular has a worldwide vocation.
I know that there are a number of specific issues under consideration by the Committee on Culture, Science, Education and Media, so I’d like to take those in turn.
Let me clarify first that the Budapest Convention does cover Distributed Denial of Service and other types of large-scale attacks against computer systems. This was clearly demonstrated by the Cybercrime Convention Committee (T-CY) in its Guidance Notes on “botnets”, “DDoS attacks”, and “critical information infrastructure attacks” in 2013. In these Guidance Notes, the Committee encourages Parties to consider aggravating circumstances as well as the impact of attacks when establishing sanctions and measures. In 2015/2016 they will assess how Parties implement Article 13 of the Budapest Convention on sanctions and measures.
You are rightly concerned about the effectiveness of mutual legal assistance when it comes to cybercrime and electronic evidence. Indeed, it is essential that national procedures are streamlined so that replies to requests are provided more efficiently. I would like to draw your attention to a set of recommendations adopted by the Cybercrime Convention Committee in December 2014. Most of them can be addressed at the domestic level, for example by allocating more resources and better trained staff responsible for judicial cooperation. Some of these recommendations would require a new Protocol to the Budapest Convention. For example: a light, perhaps even automated regime for requests for subscriber information; or the possibility of international production orders for electronic evidence.
Sometimes mutual legal assistance isn’t possible, such as when the origin of an attack or the location of data is not known to criminal justice authorities. The Cybercrime Convention Committee has therefore looked for three years into the question of transborder access to data. In December 2014, the Committee issued a Guidance Note to provide more clarity on the existing provision of the Budapest Convention, namely Article 32. At the same time, going further, for example by developing a Protocol to the Budapest Convention on transborder access to data, has proven difficult in the context of reports on mass surveillance by national security services. However, the Committee decided that giving up on the rule of law in cyberspace is not an option. A new working group, the Cloud Evidence Group, has now been established to identify solutions for criminal justice access to data on cloud servers. The results of this Group would also feed into a Protocol to the Budapest Convention. We need the political support of PACE when it comes to the negotiation of a Protocol.
The sharing of information between public bodies and private firms also needs to be improved. This includes the sharing of threat and incident data, which is crucial to prevent, mitigate and control large-scale attacks on ICT and cybercrime. However, this will be difficult so long as the data protection frameworks at the level of the European Union and the Council of Europe are not completed. PACE should therefore take a strong stance and support completion of these frameworks.
Our states have also signed up to a framework of inter-state cooperation to protect and promote the universality and integrity of the Internet. This framework extends to information sharing, consultation and mutual assistance in identifying and responding to disruptions to, and interferences with, the infrastructure of the Internet. PACE delegations are encouraged to promote this framework at domestic levels.
Finally, a word on capacity building, which is a major component of the Council of Europe’s approach to cybercrime. A Cybercrime Programme Office of the Council of Europe (C-PROC) was established in Romania and became operational in April 2014. The sole purpose of this office is to support capacity building programmes. Since then, more than 60 activities have been implemented not only in Europe but also in Africa, Asia/Pacific, the Caribbean and Latin America. Support covered the strengthening of legislation, but also the training of law enforcement, prosecutors and judges, the establishment of high-tech crime units and many other measures. Should resources become available, specific programmes on large-scale attacks could also be launched.
Overall, it would seem that the concerns raised by the PACE Committee on Culture, Science, Education and Media are similar to the concerns of the Cybercrime Convention Committee. And as you can see, your concerns are being addressed within the framework of the Budapest Convention and its Committee. The work ahead, in particular the negotiation of an additional Protocol, will not be an easy task. Strong political support by PACE will be needed if we want to achieve a breakthrough and strengthen the rule of law in cyberspace.