8.10. International Legal Issues

Earlier, the relationship among city, state, and federal law enforcement was mentioned. Often, there are collaborative difficulties between law enforcement agencies at the various government levels. For example, county sheriffs may consider a crime to be in their jurisdiction and search and seize computers, only to have the FBI show up and claim jurisdiction, having to then argue about which agency has priority of possession over the evidence and the manner in which it was collected and handled. These issues get even more complicated when taken up to the international arena.

Criminal law is very well defined in the United States with regard to computer crimes. Internationally, however, there is very little law concerning computer intrusions. Laws concerning computer systems and electronic forms of data and property are quite different from country to country. In certain countries, computer data (information) is not considered property at all. (For more on international legal issues, see [int, oE, IAA, Lip02].)

In 1999, a study of available national legal codes concerning computer crimes in 50 countries around the world was performed by Ekaterina Drozdova, Marc Goodman, Jonathan Hopwood, and Xiaogang Wang. This study found that 70% of these countries had computer crime statutes,^[4] while 30% had few or no laws covering computer related crimes.^[5] It is worth noting that a nation's not having explicit statutes concerning computer crime does not mean that computer crime is legal there. The nation may use existing principles of law as applied to the new realm of computers instead. That has its strengths (well-established and understood laws) and its weaknesses (the analogy between the cyber and noncyber situations might be strained).

^[4] The countries with computer crime statutes were Australia, Austria, Bulgaria, Canada, Finland, France, Germany, Greece, India, Israel, Italy, Japan, Malaysia, Mexico, the Netherlands, Norway, the People's Republic of China, Portugal, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, the United Kingdom, and the United States.

^[5] The countries with few or no computer crime laws were Argentina, Brazil, Chile, Costa Rica, the Czech Republic, Denmark, El Salvador, Ecuador, Hungary, Iceland, Ireland, Jordan, Luxembourg, New Zealand, Oman, Panama, Peru, Poland, Saudi Arabia, Trinidad and Tobago, Tunisia, the United Arab Emirates, and Venezuela.

In November 2001, the Council of Europe released its final draft of the Convention on Cybercrime, [oE], which provides guidelines for members of the European Union in how to formulate harmonious laws regarding computer misuse. Chapter II, Section 1, states guidelines for formulating substantive criminal law as it pertains to several offenses. For our purposes, the critical elements are the unauthorized access of computers, data interference, system interference, and misuse of computing devices. These cover both phases of DDoS attacks. The Convention states that "each party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right."

The Convention on Cybercrime attempts to address some of the legal imbalance found in the Drozdova survey. It states, "Given the cross-border nature of information networks, a concerted international effort is needed to deal with such misuse." Chapter III defines the guidelines for international cooperation. Article 23 expresses the general tenor for the principles governing international cooperation:

The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense.

Remaining articles define principles of extradition and other principles requiring mutual assistance among nations.

Extradition is important in cases in which crimes are committed by a foreign-based individual, and the victim's government wishes to bring a suspect from another country before a court having proper jurisdiction. The case of Onel de Guzman, author of the "I Love You" computer virus, provides an example. Laws in the Philippines at the time de Guzman launched this virus did not consider computer data to be property, and the Philippines had no laws on their books covering computer intrusion or damage. The FBI quickly tracked the attack to deGuzman and had the cooperation of the Philippines federal police. However, when asked by the FBI to arrest de Guzman, courts in the Philippines could not help. Nothing could be done, despite the significant estimated worldwide damages, which ran into the millions of dollars.

In addition to needing a law under which to bring a criminal action, another requirement is that the act must be illegal under both jurisdictions in order for an extradition request to be honored. This is known as "dual criminality." In the de Guzman case, he could not be brought back to the United States to stand trial here because he did not break any existing Philippines law.

In order to obtain extradition of a suspect from another country to the United States, federal law enforcement agents in the United States must first draft charges and go through a process called "letters rogatory," which involves the Department of State's producing the letters and delivering them to the foreign nation's state representatives, who then in turn provide them to the foreign government's federal law enforcement agents, who then issue a warrant for the suspect's arrest, serve this warrant, and prepare to deliver the suspect to the United States federal law enforcement agents. Mutual Legal Assistance Treaties (MLATs) that are established in advance speed up this process greatly, as does having a Legal Attache (LEGAT) from the United States FBI or Secret Service already in the foreign country and working closely with their federal law enforcement agency. Of course, the foreign government may refuse to arrest or extradite the suspect, which can cause a delay or derail a case. Interpol is one international police organization that tries to bridge this gap of international jurisdictional issues [BN].

The outlined legal procedures are clearly expensive, heavyweight, and slow. Thus, one cannot rely on them to help much in stopping an ongoing DDoS attack of international origins. At best, they may allow eventual prosecution of the perpetrator.

There are also issues of national defense that can come up in cases of massive DDoS attacks against corporations or agencies that provide "critical infrastructures," such as banking, transportation, energy, telecommunications, etc. When does an attack on a business move from a criminal matter to a national security situation? Who is really attacking, and what damage do they intend to cause? While it may be clear that a direct attack on a military command-and-control network by a foreign entity that is clearly associated with a foreign military or intelligence agency could be interpreted as an act of war, it is not clear when or how a set of DDoS attacks on banks and airlines by an unknown entity would be interpreted as an act of war.