Yesterday, there were two relevant workshops, one on “Legal Aspects of Internet Governance: International Cooperation on Cybersecurity” and “Cybercrime Common Standards and Joint actions”. Some of the relevant points that were subject of discussion were:
There is no need to create additional legal frameworks but to use the existing ones like the Council of Europe Convention on Cybercrime (Budpaest Convention)
There is terminology confusion when using the terms “Cyberwarfare”, “Cybersecurity” and “Cybercrime”. Vint Cerf warned the audience that we should be very careful when using term “war” because that involves a very sensitive decision among governments.
The frameworks on Cybersecurity vary significantly in different regions of the world. A speaker mentioned that issue is not entirely dealt with in the European Union and there are a number of issues that need to be addressed like for instance creating a cybersecurity coordinator and develop a strategy on fighting cybercrime.
A number of speakers referred to the Budapest Convention as the only existing treaty to fight cybercrime in different fronts (substantial and procedural law, international cooperation, technical measures and 24x& points of contacts). And although many countries have signed and ratified this treaty, there are yet a number of countries in different parts of the world that have not fully implemented legal frameworks on cybercrime.
Other aspect that was constantly mentioned in both workshops is that there in no actual need to create another international treaty on cybercrime taking into account the intense discussions that took place during the Twelfth United Nations Congress on Crime Prevention and Criminal Justice in Salvador, Brazil, last April
Instead, international organization and government countries in conjuction with the private sector should launch a global capacity building program in order to provide least developed countries with the adequate tools, training and cooperation to counter cybercrime in a more efficient fashion.
Early detection and prevention are important elements to combat cybercrime and to avoid possible liability issues arising from criminal investigations.
There is the need for more partnerships between industry, governments, the technical community and civil society to fight cybercrime effectively.
Human rights should not be ignored, there is the need to protect privacy and the confidentiality of information in criminal investigation carried out by law enforcement authorities and avoiding ISP surveillance on the data that is subject to investigations.
There is consensus that the Budapest Convention provides in general a good legal framework for countries to follow, however there is the urgent need to revise some of the provisions of the convention like Articles 32 (a) (b) particularly with regards to criminal investigations and the obtaining of digital evidence of data that resides in third countries in the cloud computing environment; the protection of privacy and the information exchanged between ISP’s and law enforcement authorities taking into account existing privacy international standards like the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data ; jurisdictional conflicts arising from the application of criminal laws to cybercrime having effects in more than two countries.
Finally, there is the need to use the Budapest Convention in combination with other instruments to implement laws, policies and strategies and providing capacity building to combat cybercrime at the international and national level and asses progress on a regular basis instead of spending the next 10 years in discussing whether a new international treaty or international oversight body is needed.