Estimates about the impact of cybercrime on national economies and worldwide vary significantly, but they all come down to the same conclusion: online predatory crimes are a significant threat to the global economy. The public sector, banks and financial institutions, providers of public utilities, media outlets, big corporations as well as small and medium enterprises and individual internet users are all targets of malicious cyber activities. As explained by Samantah Nicole van der Meulen, Senior Strategic Analyst at Europol, criminals use underground forums and criminal online marketplaces in the darknet for global trafficking of narcotics, to sell weapons, child pornography, pirated copyright and computer exploitation kits (software, that come with license schemes, update services and 24/7 support lines, so that even users with a very limited knowledge about computer science or hacking can use it). Moreover, as Corrado Giustozzi, member of the Permanent Stakeholders' Group at the European Union Agency for cybersecurity (ENISA) explains in his contribution for this Dossier, the darknet hosts a booming crime-as-a-service industry, where highly sophisticated technical skills can be monetized and criminal capabilities assembled leveraging huge economies of scale, thus increasing the overall level of the threat posed by cybercrime. There is also a widespread, growing and worrisome promiscuity between legal and illegal markets, where the former hires criminal services from the latter in order to acquire sensitive information and gain a competitive advantage in the real economy.
This threat landscape is not likely to end soon: the cost of cybercrime will instead most likely increase in the next years just like it did in the last decades, along with the development of more sophisticated attack capabilities and the digital transformation of our economies and societies, which will bring an expansion of the available “surface of attack”. The bridging of the digital divide at the global level, the development of Artificial Intelligence and of the Internet of Things will only intensify these trends.
In many cases, the victims of cybercrime are the ones to blame: “fool me once, shame on you; fool me twice, shame on me”, the proverb says. Cybercriminals often leverage well-known technical vulnerabilities, which basic cyber-hygiene would avoid, and profits from the naiveté we have online. Incidentally, this is also the reason why it is hard to acquire a comprehensive estimate of the impact of cybercrime worldwide: victims often fail to notify the breach to the competent authorities and to their clients, fearing a reputational loss (or monetary sanctions, when in place) after the confirmation that yes, the defenses were in fact not as solid as they should have been. However, it is also true that internet and computer crimes may be very sophisticated, and that they are particularly difficult to punish given the governance gap that characterize cyberspace: cybercrime repression requires international coordination in a context of ambiguity regarding the actors, the motivations and the ultimate scope of the attack. Since cybercrime groups operate across borders, states cannot fight them alone, and criminals often take advantage of the inherent struggle in attributing a cyber attack, in pursuing international investigations, and in bringing criminals to justice for a crime perpetrated in a foreign country.
The good news is that international cooperation to counter cybercrime is the one area where cyber diplomacy is actually producing good (although not sufficient) results. The Council of Europe’s Convention on Cybercrime of 2001 (the “Budapest Convention”), signed by more than 60 countries, is the first international treaty seeking to address Internet and computer crime by requiring the establishment of national point of contacts, the harmonization of national legislations, the alignment of investigative techniques and a stronger international cooperation. Notwithstanding all the efforts of the international community, the Convention stands today as the only multilateral treaty imposing obligations to states in the way they address malicious activities in cyberspace. Recognizing the importance of the Convention, we have invited Alexander Seger, Head of the Cybercrime Division of the Council of Europe, to give us an assessment of the most notable results achieved so far thanks to the agreement, and to illustrate a possible way forward to build on these accomplishments.
As explained in detail by our analyst Samuele Dominioni in his article, multilateral efforts to enhance international cooperation against transnational cybercrime go far beyond the Budapest Convention. On the one hand, this reflects the seriousness of cybercrime’s economic burden, for which states are expected, at the domestic level, to elaborate an adequate response, which of course entails international cooperation. On the other hand, if the international community reached such a high level of cooperation in this field this is also because cybercrime is considered primarily a matter of “public order” that needs to be dealt with a traditional “law enforcement” approach. In this sense, international cooperation does not restrain but actually reinforces national sovereignty: law enforcement and judicial international cooperation are the low hanging fruits of international cooperation in cybersecurity. At least on paper: examples of poor or non-existent international collaboration to track down transnational cyber criminals, and cases where states protected individuals suspected of serious internet and computer crimes against actual requests of extraditions, are more and more common.
In most cases, the isolated hacker conducting sophisticated cyber robberies is only science fiction, as cybercrime is in fact a labor-intensive endeavor that requires a savvy combination of different technical skills. By and large, cybercrime is better understood as a transnational organized crime, against which international cooperation has been established long time ago. Transnational organized crime spreads corruption, drains tax revenues from the coffers of the state while forcing governments to dedicate resources to border control and law enforcement, and it poses a direct challenge to the authority of the state. At the international level, transnational organized crime empowers destabilizing non-state actors, imposes a financial burden to the world economy, and it corrodes international norms and stability. President Clinton, in his address to the United Nations General Assembly on its 50th anniversary, noted that the forces of international crime "jeopardize the global trend toward peace and freedom, undermine fragile democracies, sap the strength from developing countries and threaten our efforts to build a safer, more prosperous world." The UN Convention against Transnational Organized Crime of 2000 is a good example of the efforts of the international community to coordinate responses against this threat. The Budapest Convention and all other streams of international cooperation against cybercrime respond to the same logic.
But the cyberspace, we have seen, is the “domain of ambiguity”, and cybercrime’s damage is much larger than the loss of trust it causes among Internet users and the costs it imposes to the world economy, and requires an attention that goes beyond the law enforcement perspective. Cybercrime, as we will show in this fourth ISPI Dossier on cybersecurity, is in fact a phenomenon that directly attains national and international security on a scale that exceed in many ways traditional organized crime.
In the first place, cybercrime is an extraordinarily profitable and a relatively “safe” industry, with a sophisticated business model, as Giorgio Mosca, Director of Strategy and Technology in the Security and Information Systems Division of Leonardo, explains in his article. A massive amount of human and financial resources are therefore invested in the research and the development of new, more sophisticated hacking tools and technics, which in turn significantly contribute to the proliferation of the international cyber arm race. Thanks to their ability to innovate, in the mouse-cat race between criminals and public authorities, the former is able to run at least as fast as the latter. As Francesca Bosco and Michael Becker, of the United Nations Interregional Crime and Justice Research Institute (UNICRI) and University of Maryland, explain in their article, these sophisticated weapons in the cybercrime market are readily available to the best bidders, and therefore there is the concrete risk that, sooner or later, these weapons will be acquired by terrorists. In fact, the development of cyber weapons might directly or indirectly impact the functioning of national critical infrastructures even in the context of criminal campaigns, as the WannaCry ransomware campaign did, impairing UK health services.
Particularly troublesome is also the fact that, given the difficulty in ascertain authors, scope and motivation of online criminal campaigns, and considering the difficulty in restraining the attacks to specific target networks, states might perceive a criminal campaign as a state’s, or a state-sponsored attack to its critical infrastructures. This would of course entail the right to put in place countermeasures or even the use of force, with the risk of fueling an escalation in the cyber or in the conventional domain. Besides, states have a customary international law obligation not to allow malicious activities from ICT assets in their territory, and even if the state victim of an attack does not hold another State directly responsible for the cyber campaign, it could nonetheless expect cooperation in order to stop or mitigate the attack: this might lead to misunderstandings or worst to international crisis, in the case a state is not willing or able to comply to the victim’s demands.
Finally, as Alexander Klimburg explains in his excellent book The Darkening Web and in the article he wrote for this Dossier, the most serious threat that cybercrime poses to international security comes from the fact that states might want to use the attack capabilities developed by cybercrime in order to advance their goals in the international arena. Cybercrime develops hacking tools and technics that may directly advance states’ operational capabilities in the course of intelligence and military campaigns, or may be used to “cover” tailored computer network operations with much larger and “noisier” campaigns. Cybercrime also offers the unique advantage of providing the state with plausible deniability: in the domain of ambiguity, this is a priceless operational advantage. In this sense, cybercrime organizations represent a proxy and a multiplier of states’ cyber power. This explains why some state-actors allow a certain degree of freedom to the cyber underground involved in criminal activities, especially if it operates against foreign targets and it is available to play as a proxy in case of need. Paradoxically, a state’s power in the cyber global arena depends, in some ways, also on its implicit and voluntary tolerance to cybercriminals operating within its borders.
Since we will most likely have to live with cybercrime in the years to come, it would be useful to consider the threat it poses in a more comprehensive way than just as a law enforcement matter, putting at the center of the attention its impact on the stability of international relations. Transnational organized cybercrime is a very relevant actor of cyberspace: an understanding of how it affects international security is essential in order to mitigate the risk of future misunderstandings and escalations among States in the context of criminal online campaigns. If, at the strategic level, we are drifting toward a militarization of cyberspace, it is important to leverage all available political-diplomatic skills and tools in order to identify and impose an undisputed principle of states’ international responsibility, and a clear threshold of not-acceptable behavior in cyberspace. It is not only a question of law and order, but also a matter of war and peace.