ChapterPDF Available

Cybercrime in Asia: Trends and Challenges

Authors:

Abstract and Figures

The rapid growth in Internet use in Asia, including a tenfold or more increases in access in China, Indonesia and India since 2002 has also been accompanied by significant increases in cybercrime. The development of commercial-scale exploit toolkits and criminal networks that focus on monetization of malware have amplified the risks of cybercrime. The law-enforcement response in Asia is briefly reviewed in the context of the 2001 Council of Europe’s Cybercrime (Budapest) Convention. We describe the nature of cybercrime (including both ‘hate’ or content and ‘crime-ware’ such as botnets) and compare the laws and regulations in Asian states with the provisions of the Convention. The challenges faced in developing effective cross-national policing of cybercrime in Asia are also addressed as problems emerge around cloud computing, social media, wireless/smart phone applications and other innovations in digital technology.
Content may be subject to copyright.
1
Cybercrime in Asia: trends and challenges
Roderic Broadhurst* and Yao-chung Chang**, Australian National University
* Professor and Deputy Director, Australian Research Council, Centre for Excellence
in Security and Policing
** Phd, Assistant Professor, City University of Hong Kong
Draft 5.1.2012 – Asian Handbook of Criminology - words 8775
Abstract
The rapid growth in Internet use in Asia, including a tenfold or more increases in
access in China, Indonesia and India since 2002 has also been accompanied by
significant increases in cybercrime. The development of commercial-scale exploit
toolkits and criminal networks that focus on monetization of malware have amplified
the risks of cybercrime. The law-enforcement response in Asia is briefly reviewed in
the context of the 2001 Council of Europe’s Cybercrime (Budapest) Convention. We
describe the nature of cybercrime (including both ‘hate’ or content and ‘crime-ware’
such as botnets) and compare the laws and regulations in Asian states with the
provisions of the Convention. The challenges faced in developing effective
cross-national policing of cybercrime in Asia are also addressed as problems emerge
around cloud computing, social media, wireless/smart phone applications and other
innovations in digital technology.
Introduction
Information and communications technologies (ICT) are now part of everyday life
and this is illustrated by the rapid growth of the Internet and social networks in
cyberspace. Whether you are searching for travel information or buying concert
tickets, you can easily perform these functions at any time and in the convenience of
your own home or office. ICT has thus become an indispensable function of
commerce and government. With the help of computers and the Internet, businesses
2
are now able to provide immediate services to their customers at an unprecedented
level of efficiency.
However, the Internet has also become the proverbial “double-edged sword”. Along
with convenience comes the inconvenience of computer crime. The Internet was
originally built for research and its founding protocols were designed for in-built
redundancy, and openness. The rapid evolution of the computer networks that
comprise the Internet from a government and research focus to the e-commerce and
domestic arena has provided a gateway for offenders and deviant entrepreneurs:
The Internet was built for research, not commerce. Its protocols were open and
unsecured; it was not designed to hide. Data transmitted over this net could
easily be intercepted and stolen; confidential data could not easily be protected
(Lessig, 1999:39).
The costs of cybercrime are increasing in scale and gravity as the ‘industrialisation’ of
malicious software (or crime-ware) proliferates (Ollman 2008). For example, in 2009,
the United States Internet Crime Complaint Centre received 336,655 complaints
reporting a total in direct losses of USD$559.7 million (AFP, 2010). Given this is an
estimate based on complaints to just one Internet crime reporting service in one
country, the real costs of cybercrime world-wide are considerable. In short the rapid
expansion of e-commerce and the Internet has brought many benefits but also the
emergence of various forms of crime that exploit the strengths and weaknesses of
mass interconnectivity.
The speed, functionality, and accessibility that create the enormous benefits of
the computer age can, if not properly controlled, allow individuals and
organizations to easily eavesdrop on or interfere with computer operations from
remote locations for mischievous or malicious purposes, including fraud or
sabotage. (USA Government Accounting Office 2010: 3)
As most cybercrimes are transnational in character, inconsistency of laws and
regulations across country borders makes it especially difficult for countries to
cooperate when investigating cross-border cyber crimes. As Katyal (2003:180)
observed, many countries will find it increasingly difficult to enforce their national
laws against activities which are considered offensive or harmful to local taste or
culture. The harmonisation of cyber-laws and regulations and the building of
cooperation and comity among nations are vitally important countermeasures against
cybercrime. The fist step in that direction was the Convention on Cybercrime
3
proposed by the Council of Europe of 2001, which provided a common legal
framework on cybercrime.
Internet access and the digital divide in Asia
In March 2011, there were an estimated 2.95 billion Internet users in the world
(Miniwatts Marketing Group, 2011). Among all Internet users, 45% (about 943
million Internet users) are located in the Asia and Pacific (i.e. Asia and Oceania)
region. As can be seen in Table 1, the ‘digital divide’ is aptly shown by the immense
diversity between countries in levels of Internet participation. China has the most
Internet users in the Asia and Pacific region and indeed the world and now exceeds
the numbers on-line in North America. Indeed, almost half of the Internet users in the
Asia and Pacific region are located in China. India, now 100 million Internet users, is
second largest and, is followed by Japan, the Republic of Korea (South Korea) and the
Philippines. Countries like Japan, South Korea, Taiwan, Singapore, Australia and
New Zealand have over 70% of their total population on-line as internet users
whereas in developing countries like India, Pakistan, Sri Lanka, Bangladesh and
Nepal engage less than 10% of the population. The Philippines, Thailand, Vietnam
and to a lesser extent Indonesia have also achieved significant Internet penetration and
are also growing rapidly. Although China has by far the largest population of Internet
‘netizens’, this still comprises only 31.8% of the total population and these are mostly
urban users.
Compared with the proportion of Internet users in 2002, shown in Table 1 there has
been a significant increase in all countries in the Asia and Pacific region in the past
ten years. For example, only 3.5% of the Chinese population were Internet users in
2002, but this increased to 36.3% by 2011. There was also a significant increase in
other developing countries like Vietnam, the Philippines, Pakistan, and India.
Along with the rapid rise of Internet use, cybercrime has also become prevalent in this
region. However, of all the countries in the Asia and Pacific region only Japan1 has
signed the Council of Europe Convention on Cybercrime, but have not yet ratified it.
Only the USA among non-member States of the Council of Europe had ratified the
convention (as at January 1st 2007). The Convention is the only multi-lateral
instrument for the control of cybercrime and we discuss it further below. First we
begin with a short introduction to the problem of cybercrime in Asia and compare the
laws and regulations in Asian states with the provisions of the Convention. We also
1 South Africa was the only other non-European state to sign up to the convention.
4
consider the challenges faced in developing effective cross-national policing of
cybercrime in Asia.
5
Table 1 Number of Internet users in the Asia Pacific region 2011
Rank
Country
Number of Internet
users 2011
% population
2011
% population
2002*
1
China
485,000,000
36.3
3.5
2
India
100,000,000
8.4
0.7
3
Japan
99,182,000
78.4
48.0
4
Indonesia
39,600,000
16.1
1.8
5
Korea, South
39,440,000
80.9
52.7
6
Philippines
29,700,000
29.2
2.5
7
Vietnam
29,268,606
32.3
0.5
8
Pakistan
20,431,000
10.9
0.3
9
Thailand
18,310,000
27.4
5.7
10
Australia
17,033,826
78.3
46.0
11
Malaysia
16,902,600
58.8
24.4
12
Taiwan
16,147,000
70.0
49.8
13
Hong Kong
4,878,713
68.5
64.1
14
Singapore
3,658,400
77.2
55.6
15
New Zealand
3,600,000
83.9
N/A
16
Sri Lanka
1,776,900
8.3
0.8
17
Bangladesh
1,735,020
1.1
0.1
18
Nepal
1,072,900
3.7
0.2
19
Laos
527,400
8.1
0.2
20
Mongolia
350,000
11.2
1.6
Source: Internet World Stats, http://www.internetworldstats.com/stats.htm (accessed 6 September
2011); * Retrieved from Broadhurst (2006a)
6
Cybercrime and its impact in Asia
Given the expansion in Internet participation a drastic rise cybercrime and
information security problems have occurred in Japan, South Korea and greater China
since 2005, according to private information security companies. For example,
Symantec a provider of computer security software such as anti-virus tools, monitors
and quantifies malicious computer activity that occur on about 133 million computers
that use their services (Symantec 2011). This describes malicious computer activities
such as programs that are used to disrupt, damage or steal information from computer
systems. These so-called ‘malware’ or ‘crime-ware’ computer codes usually include
viruses, trojans, worms2 and botnets3 (IBM, 2009; Trend Micro, 2009; Wall, 2007).
Such crime-ware can also be purchased on-line from websites and underground
forums or ‘dark’ networks that include instructions on how to use such software. This
enables the wider use of ‘attack toolkits’ by non-technical actors, including criminal
groups and may account for the increased prevalence of cybercrime. Along with this
growth, the malware itself has evolved to adapt to countermeasures such as software
programs designed to prevent and detect intrusions. Malware has also been developed
to attack new devices such as smart phones and other digital devices (Symantec
2011).
Symantec also provides general Asian-Pacific-Japan region (APJ) Internet security
reports that have ranked the impact on APJ countries from all kinds of malicious
activities; including denial of service attacks (DDoS), bot-net infections, phishing,
spam, and viruses. Their reports also indicate the origin of the attacks, such as the
source of spam and the top countries hosting phishing sites4. According to their 2010
APJ report, Symantec found that China ranked top in terms of malicious activities in
the region, followed by the South Korea, India, Taiwan and Japan (see also Symantec
2011). As to the origin of attacks targeting the APJ region, Symantec detected that
2 A worm is a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, can
travel without any help from a person. The danger with a worm is its ability to replicate itself.
3 A botnet is a network of individual computers infected with malware. These compromised computers
are also known as zombie computers. The zombies, part of a botnet under the control of the botnet
controller, can then be used as remote attack tools to facilitate the sending of spam, hosting of phishing
websites, distribution of malware, and mounting denial of service attacks. The most commonly used
are centralised and P2P modes – hence the focus on command and control servers for a botnet that may
comprise of thousands of zombies.
4 The Symantec “APJ Internet Security Threat Report” measured malicious activity that mainly
involved botnet infected computers, bot command-and-control servers, phishing Web sites hosts,
malicious code reports, spam zombies and Internet attack origins that took place or originated in each
country. Rankings were based on a calculation of the mean average of the proportion of these
malicious activities originating in each country (Symantec, 2007a, 2007b, 2008, 2011).
7
most attacks came from the USA, followed by China, South Korea and Japan
(Symantec, 2009). The overall impact of malicious activity placed the USA first, and
China as the next the most affected, but growing rapidly from 9% of such activity to
16% in 2010. Countries such as Brazil, India and South Korea account each for about
4% of such activity (Symantec 2011).
China also had the most botnet-infected computers detected in the APJ region for the
period 2006-2010 while Taiwan was ranked second, followed by South Korea and
India. Taipei was the city with the most botnet-infected computers in the region
(Symantec, 2007b, 2007d, 2008, 2009). A 2010 survey5 conducted by Norton (a
company owned by Symantec), an anti-virus provider, found that 83% of respondents
from China experienced some form of cybercrime, including a computer virus or
some form of crime-ware. This was much higher than the global average of 65%.
Except for Japan which has a lower victimisation rate (36%), other countries in the
Asia and Pacific region like Australia (65%), India (75%), and New Zealand (70%)
are all higher than the global average (Norton, 2010).
Malware like trojans and bot-net programs are spread through social engineering
techniques (Guenther 2001) i.e. methods of deception that create a false sense of trust,
to gain ‘access information’ for example a professional looking website mimicking a
brand or service or via spam and phishing emails. Criminal groups are engaged in
computer or network intrusions to obtain sensitive information such as identity and
password information. This in turn can be used to undertake large-scale financial
crime and social engineering may be the preferred method of obtaining access to such
data contained in digital devices/computers. The kinds of activities vary but
encompass online scams and malware such as spyware, phishing, rootkits6, and
bot-nets. Malware infiltrates a computer system and may include viruses, worms,
backdoors, keyloggers, and trojans.
In online scams, the internet is used to reach potential victims by sending unsolicited
messages pretending to originate from legitimate organisations in order to deceive
individuals or organisations into disclosing their financial and/or personal identity
information. Information obtained from ‘phishing’ facilitates crimes such as financial
fraud and identity theft. For example, a common form of phishing in China are lottery
scams delivered by email or instant messenger that links the recipient to a fake
5 The survey includes the United States, Australia, Brazil, Canada, China, France, German, India, Italy,
Japan, New Zealand, Spain, Sweden and the United Kingdom.
6 Rootkits are cloaking technologies usually employed by other malware programs to misuse
compromised systems by hiding files, registry keys and other operating system objects from diagnostic,
antivirus and security programs.
8
website (cited in KIC 2011). The spread of malware is easier when a hacker is attuned
to what is happening in a particular culture, and is aware of the current issues that
help make the deception more effective. For example some malware has been
designed to target operating systems or websites using only Chinese language and
often masked with appeals to patriotic sentiments (Symantec (2008).
Bot-nets are now widespread and targeted on financial opportunities. Bot-nets are the
main mechanism for the commercialisation and industrialisation of cybercrime.
Targets will include all kinds of digital devices (i.e. mobile phones, routers, switches
and backup devices) as well as desk-top computers. The increase connectivity of
digitized appliances linked to the Internet (e.g. vending machines, gas pumps, ATM’s)
and mobile phones to pay for such products will ensure they are attractive targets.
Mobile or smart phones also tend to be less well protected against intrusion than other
digital devices. Real-time programs such as Instant Messaging are likely to a major
risk as are social network sites where it seems many users assume safety and privacy
is inherent. A trend towards the development of semantic/human intelligence methods
rather than syntactic measures is noted because human based social engineering can
obtain information in many cases where technological methods fail (Chantler &
Broadhurst 2008).
Cybercrime in Asia as elsewhere may be caused by offenders or loose groups who are
hacking “for fun” or ego driven, but can include political or ideological motivation,
hatred, or simply to earn a profit. However the involvement of traditional criminal
groups or new criminal networks is likely to be associated with financial deception
and theft (Broadhurst and Choo 2011). However, when an attack occurs, it is often
unclear who is behind the attack, where it originates or their motive (Barboza, 2010).
For example, Sony, the Japanese electronics group, was hacked into in April 2011 and
the names, addresses, emails, birth dates, phone numbers and other information in
respect of 24.6 million PC game customers were stolen from its servers (Telegraph,
2011). Hackers could have earned a lot by on-selling this personal information to
‘carding’ groups (websites and users with a focus on credit card fraud) or others who
may use the stolen identity to de-fraud e-commerce enterprises. While Sony was
pursuing legal action against the hacker goups “GeoHot” and “Graf_Chokolo”, who
allegedly hacked into their system, Sony suffered additional cyber attacks which
included a distributed denial of service attack (DDoS): an attack which makes Web
sites or other network services unavailable to Internet users by flooding it with traffic
- from another hacking group “Anonymous” - an on-line activist and civil
disobedience network. Alhough “Anonymous” are allegedly involved in the revenge
9
DDoS attacks on Sony over Sony’s pursuit of “GeoHot” and “Graf_Chokolo”, also
alleged “Anonymous” hackers (Takahashi, 2011), others argue that given denials by
Anonymous that the motives were more likely profit driven cyber criminals (Poulsen
2011). Such cases represent cybercrime were both profit and ideological reasons may
be involved: the hackers saw Sony as profiteering from the Internet gaming industry.
Content Crime
Because of the political situations and the tensions between some countries in the
Asia, cases of cybercrime with a political purpose are common. These can be seen
between Taiwan and China, as well as between South and North Korea and Japan and
China, as well as Pakistan and India (Broadhurst 2006a). For example, Taiwan’s
Ministry of National Defence was hacked and the computers in the Minister’s Office
and the Secretary’s Office were infected with trojans and spyware in 2005 and in
2006 (Huang, 2006). The National Security Bureau in Taiwan claimed that a Chinese
cyber-army launched more than 3,100 attacks against Taiwanese Government systems
in 2008, and this did not include attacks against the private sector (Xu, 2009).
Similar occurrences can be seen between North and South Korea. For example,
government agencies, banks and businesses in South Korea have suffered serious
cyber attacks. The South Korean intelligence agency believes that these attacks were
not conducted by individuals but were prepared and staged by “certain organisations
or states” and that North Korea was the main suspect (Parry, 2009).
Since the risk of cybercrimes, regardless of motive or the role of organised crime, has
expanded via bot-nets how best to prevent cybercrime and to deter cyber criminals
has become a major policy question for states and international agencies. The
transnational nature of cybercrime basically requires that states enact laws to
harmonise definitions of criminality and enhance mutual cooperation across states.
The Council of Europe Convention on Cybercrime - Budapest Convention
A key problem in the prosecution of cybercrime is that all the elements of the offence
are rarely found in the same jurisdiction. Often the offender and the victim and even
the evidence are located in different jurisdiction thus requiring a high degree of
cooperation between the law enforcement agencies to investigate and prosecute
(Brenner 2006). The extent that Asia has been able to address the need for such
cooperation is addressed by describing the first international instrument and the role it
has played in developing cybercrime law in Asia.
10
The Council of Europe’s (CoE) 2001 Convention on Cybercrime, often referred to as
the Budapest Convention7 is currently the only multi-national agreement that
provides for the means to prosecute cybercriminals and represents an important
attempt to regulate cyberspace. In order to harmonise criminal law and procedures
across the states of Europe for the prosecution of cyber-criminals, the CoE8 drafted a
convention on cybercrime. The initiative can be traced back to 1989 when the CoE
published a set of recommendations on the need for substantive criminal law to
criminalise harmful conduct committed through computer networks. In 1997 the CoE
formed a Committee of Experts on Crime in Cyberspace to draft a convention to
facilitate States’ cooperation in investigating and prosecuting computer crimes and to
provide a solution to cybercrime problems through the adoption of an international
legal instrument (Council of Europe, 2001a, 2001b; ITU, 2009; Keyser, 2003; Weber,
2003). In November 2001, the Convention on Cybercrime was opened for signature
and it entered into force on 1 July 2004 after ratification by the required minimum
five member countries9.
The CoE Convention is supported by the United Nations (UN) and because it also
included non-Council states it can be also regarded as an international, rather than
regional, treaty (Archick, 2006; Csonka, 2000; Keyser, 2003; Weber, 2003).
Resolution 56/121, of the UN General Assembly noted the work of international and
regional organisations in combating hi-technology crime, and stressed the importance
of the Convention on Cybercrime. The UN also invited Member States, when
developing national laws, policy and practices aimed at combating the criminal
misuse of information technologies, to take into account the work and ‘achievements’
of other international and regional agreements such as the Convention (United
Nations, 2002).
The CoE Convention on Cybercrime (hereafter the Convention) has four parts:
Chapter I defines the terms used; Chapter II the measures to be taken at the national
level, including substantive criminal law and procedural law; Chapter III establishes
the general principles of international cooperation and mutual assistance; and Chapter
7 Budapest was the city in which the Convention was opened for signature November 8, 2001.
8 The Council of Europe (CoE), founded in 1949, comprises 45 countries, including the members of
the European Union (a separate entity), as well as countries from Central and Eastern Europe.
Headquartered in Strasbourg, France, the CoE was formed as a vehicle for integration in Europe, and
its aims include agreements and common actions in economic, social, cultural, legal and administrative
matters.
9 Only after ratification by five States (including at least three from members of the CoE) will the
Convention enter into force. Albania, Croatia, Estonia, Hungry, and Lithuania were the first five
States to ratify the Convention.
11
IV includes miscellaneous matters such as accession to the Convention10.
In terms of substantive laws, the Convention lists four: (1) offences against the
confidentiality, integrity and availability of computer data and systems; such as illegal
access of a computer system; interception of non-public transmissions of computer
data to, from, or within a computer system; interference with computer data;
interference with computer systems, such as computer sabotage; and the misuse of
computer-related devices (e.g. ‘hacker tools’) (2) computer-related offences,
including the traditional offences of fraud and forgery when carried out through a
computer system (3) content-related offences, in order to control the use of computer
systems as vehicles for the sexual exploitation of children and acts of a racist or
xenophobic nature and (4) offences relating to infringement of copyright and related
rights.
The procedural part of the Convention aims to enable the prosecution of computer
crime by establishing common procedural rules and adapting traditional crime
fighting measures such as search and seizure, and it also creates new measures, such
as expedited preservation of data, As data in cyberspace is dynamic, other evidence
collection methods relevant to telecommunications (such as real-time collection of
traffic data and interception of content data) have also been adapted to permit the
collection of electronic data during the process of communication by police or service
providers. The real-time collection of traffic data and interception of content data are
the most intrusive powers in the Convention (Csonka, 2000). The definition of
‘computer system’ in the Convention does not restrict the manner in which the
devices or group of devices may be interconnected. These interception powers
therefore also apply to communications transmitted by means of any computer
system, which could include transmission of the communication through
telecommunication networks before it is received by another computer system.
The Convention also makes it clear that international cooperation is to be provided
among contracting states ‘to the widest extent possible’. This principle requires them
to provide extensive cooperation and to minimise impediments to the rapid flow of
information and evidence. The Convention also creates the legal basis for an
international computer crime assistance network; i.e. a network of national contact
points permanently available (the ‘24/7 network’). The network established by the
Convention is based on experience gained from the network created by the G8 and
co-ordinated by the US Department of Justice. Under the Convention, States are
obligated to designate a point of contact available 24 hours a day, seven days a week,
10 For more detail description and discussion of the Convention, please see Weber (2003), and
Broadhurst (2006b).
12
in order to ensure immediate assistance to investigations within the scope of the
Convention. The establishment of this network is one of the most important
provisions provided by the Convention to ensure States can respond effectively to the
law enforcement challenges posed by computer crime.
The convention (Article 6(1)(a)) also prohibits “…the production, sale, procurement
for use, import, distribution” of software programs with the purpose of committing
crime. The intention of this provision was to prevent the crimes potentially associated
with these tools by banning their creation and distribution. Use and possession are
also criminalized. However, if the purpose of the program was for a legitimate
purpose such as “authorised testing or protection of a computer system” then
possession of such ‘malware’ was not criminalised (Article 6(2)). An exemption
similar to the possession of certain pharmaceuticals by medical practitioners for
‘legitimate’ use, and exceptions for forensic and preventative use was also envisaged.
So legitimate industry professionals are not adversely affected but has proven a
difficult law to implement and each jurisdiction can determine what sorts of malware
might trigger unlawful use. Attempts have been made to control the use of these tools
in Germany (German Criminal Code Law 202c 2007), the UK, (Section 37, UK
Computer Misuse Act amendment effective 2008), Taiwan (Article 362, Criminal
Code) and to some extent China (Criminal Code 7th amendment in 2009 – Article 285)
and Japan (June 2011 Article 168-2 Japanese Criminal Code). In July 2011 a
European Union (EU) ministerial meeting proposed to make “hacking tools” illegal
but the definition of a “tool” has been questioned as well as the effectiveness of such a
prohibition. To date, there have been few prosecutions in jurisdictions with relevant
legislation and crime-ware is still readily available.
The continued proliferation of malware arises in part because some states continue to
be the ‘weakest links’ in the supposedly seamless cross-national security web
necessary to prevent cyber-crime. Indeed the involvement of the state or at least
quasi-state actors in the dissemination and use of crime-ware is a considerable
impediment to effective law enforcement. In some countries in Asia the absence of
appropriate laws and/or effective law enforcement enables their jurisdiction to provide
safe havens for cybercriminals.
Application of the Budapest Convention in Asia
To date the Convention has received 47 signatories and of those, 31 countries have
ratified it after signing. The rapid ascension of the convention reflects the importance
13
of the problem and the recognition that a multi-national approach will be needed.
Most of the signatory countries are Member States of the CoE with only four
non-member States (Canada, Japan, South Africa and the United States of America)
signing the Convention. The USA was the first non-member State to ratify the
Convention, however, the additional protocol to the convention which specifically
address hate crime was excluded on the constitutional grounds of the right to free
speech. The accession by the USA elevated the status of the Convention to an
international rather than a regional treaty.
As noted, most countries in Asia are not signatories of the Convention. Although the
convention is open to any non-member state wishing to join only Japan has signed the
treat while Australia is likely to accede in late 2011 as the relevant Bill is pending
parliamentary approval (The Parliament of the Commonwealth of Australia, 2011).
Nevertheless many Asian countries have looked to the Convention for guidance on
new laws.
Using the Convention as a benchmark, Microsoft (2007) investigated 14 countries11
in Asia to see whether their computer security laws aligned with the requirements of
the Convention. It shows that, in 2007, most countries in Asia could be classified as
having either favourable alignment or moderate alignment. Only India and Indonesia
were at that time classified as having a weak alignment. Since the Microsoft report
new laws against cybercrime have been introduced by PR China, India, Indonesia and
Japan. These changes make the laws in those countries more closely aligned to the
essential requirements of the Convention.
For example, amendments to the “Information Technology Act (IT Act), 2000” (India
IT Act 2000) were adopted by the Parliament of India and ratified on 5 February 2009.
The “Information Technology (Amendment) Act, 2008” (IT Act 2008) reflected
largely the requirements of the Convention (Council of Europe, 2009). Apart from
unauthorised access, introduction of viruses, damage, disruption and denial of access
in section 43 of the India IT Act 2000, the amendments also criminalised offences
such as: using computer codes or communication devices to disseminate false
information, dishonestly receiving or retaining any stolen computer resources or
communication devices, fraudulently or dishonestly making use of electronic
signature, password or other unique identification features of any other person (see
amendments to section 66 - 66A to 66F). Also amendments to section 67, enhanced
the punishment for publishing or transmitting obscene material in electronic form
from three years to five years and also impose fines from 100,000 to 500,000 Indian
11 The countries investigated include Australia, China, Hong Kong, India, Indonesia, Japan, Malaysia,
New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand and Vietnam.
14
Rupees (approximately USD2000-10,000) (Ministry of Law and Justice, 2009). In
addition ancillary offences in the draft Right to Privacy Bill now before the Indian
Parliament includes provisions against illegal interception (Venkatesan, 2011). These
amendments and new laws make India more aligned to the requirements of the
Convention.
The Indonesian government enacted Law No 11 of 2008 regarding Information and
Electronic Transactions. It passed substantive laws similar to the Convention,
including illegal access, illegal interception, data interference, misuse of devices,
computer-related fraud, and forgery (Noor, 2010). China and Japan also amended
their cybercrime laws, which aligned them more to the Convention. In China, the
offence of illegal access only applied to the access to computer systems used for state
affairs, at national defence facilities, and in the aid of sophisticated scientific work.
This was widely criticised as inadequate. Consequently, Amendment VII of the PRC
Criminal Law was promulgated in February 2009, corrected this deficiency and,
illegal access to a computer system in areas other than those previously proscribed
could be sanctioned (Article 285). The amendment also added sanctions for those who
provide a tool or process, which is solely used for illegal access and unlawful control
of a computer system in section 3 of Article 285 – in effect potentially criminalising
crime-ware.
In 2009 Japan revised its Penal Code to further address problems of cybercrime
paving the way for ascension to the Convention. The revision made punishable the
creation or distribution of a computer virus, acquisition or storage of a virus, and
sending emails containing pornography images to random groups of people. The
amendments also strengthened investigative powers by permitting data to be seized or
copied from computer servers that are connected via online networks to a computer
seized for investigation. Authorities are also given the power to request Internet
service providers to retain communications logs, such as the names of email senders
and recipients, for up to 60 days (Kyodo, 2011).
From the discussion above, we can see that countries in Asia are not only amending
their laws to regulate offences against the confidentiality, integrity and availability of
computer data and systems, content offences are also a focus. Publishing or
transmitting obscene material (especially obscene material involving a child) is now
punishable in most Asian countries.
However, there is still little consensus on what constitutes content crime within the
very diverse Asian region. It has been observed that, in Asia, notions of obscenity and
pornography/erotica vary widely from country to country. For example, compared to
15
people in China, Taiwan and Hong Kong, the Japanese might have a higher tolerance
to erotic materials. Islamic countries have a much less tolerant approach to obscene
materials. Many have a have a ‘zero tolerance’ approach where any form of nudity is
recognized as being obscene (Broadhurst, 2006a).
Many countries (e.g. Australia, Italy, Norway, Sweden, Switzerland, United Kingdom,
China, Iran, Saudi Arabia, Burma, Vietnam, Singapore and Thailand) attempt to
exercise control over undesirable or illegal content by blacklisting websites. Although
there is near universal criminalisation of child pornography most Internet content
crime, including those designed to incite racial or religious vilification crime are not
criminalised. Some countries (e.g. China, Singapore, Pakistan) also filter social
networking sites, however it is also evident that many attempts at blocking or filtering
web access can be readily overcome (OpenNet Institute, 2010).
In summary laws against cybercrime in most countries in Asia are either favourably
or moderately aligned with the Convention. However, dilemmas still exists when it
comes to the interpretation of certain types of content crime, and it is likely that Asian
countries (like the USA) may only join the convention with exceptions to the
protocols on content crime.
The development of the Budapest Convention
Although the Convention is widely considered to be the first international convention
on cybercrime, and is accepted as such by the UN, some countries regard it as a
regional rather than international treaty. Harley (2010) argued that, although the
Convention is not strictly a regional agreement, it is also not a global convention as
there is only one non-Member state of the CoE (the USA) which has ratified the
Convention.
The degree of participation of countries in Asia region in the Convention is limited,
and many countries have yet to fully develop their cybercrime laws to the requisite
standard. For example, differences between Chinese laws and the Convention may be
the reason why China has not signed the Convention. Although recent amendments to
its criminal laws have made China’s legal responses to cybercrime more aligned to
those of the Convention, there still remains inconsistency between Chinese criminal
procedure law and the requirements of the Convention, especially in regard to search
and seizure for the collection and production of computer data.
16
Countries such as China, Russia and India were not involved in the development of
the Convention and have at times argued that a UN treaty or code would be more
appropriate. This seems to be reflected by a senior police officer from China who
stated (cited from Chang, 2010:186):
…the Council of Europe has been in contact with China, trying to
persuade China to amend its law to fit the requirements of the Convention.
However, China did not care much about this issue then. And, anyway,
when they were drafting the convention, they did not invite China to join
in the drafting. Now they want us to join, we are not interested.
In contrast the Taiwanese Government has expressed an interest in signing the
Convention on Cybercrime, but is hindered by its ambiguous political situation, where
it is not recognized by the Council of Europe as a country (Chang, 2010)
Given the limited degree of participation of countries in Asia in the Convention China
along with India, South Korea, and a number of other developing countries recently
initiated a proposal to create a new global cybercrime treaty. More than 50 per cent of
the world’s population, or an estimated 40 per cent of all Internet users, do not come
under the auspices of the CoE Convention.
The CoE’s cybercrime convention needs to be expanded or re-invented to capture the
phenomenal growth of the Internet especially in Asia. Previous attempts to develop a
UN convention on cybercrime may also need to be re-activated as circumstances have
changed considerably since the late 1990s when the CoE began the lengthy process of
creating the convention through diplomatic and expert dialogue. The absence of
effective regional mutual legal assistance and cooperation in criminal matters in
ASEAN and wider Asia (Gordon 2009), especially cybercrime (Thomas 2009) may
be addressed via another iteration of the convention engaging those parties not
originally at the table.
For some developing countries the 2002 Commonwealth Nations model law on
computer-related crime and international cooperation provides guidance especially
useful for those jurisdictions sharing a common legal history. Indeed it had been
estimated that over a thousand bilateral treaties between Commonwealth States are
required to ensure adequate mutual legal assistance (UN 2010).
Developing countries may be reluctant to sign on to the CoE convention because of
the high standards of procedural law and cooperation required. The depth of the
digital divide and the difficulties of creating consensus should not be over-estimated
17
in the context of a UN sponsored process. Fears among the advanced technological
states that a UN instrument might result in a ‘dumb’ down version of the CoE
convention will have to be addressed in order to re-activate a more widely accepted
treaty format (Masters, 2010). The reluctance of Brazil to sign on to the CoE
convention due to concerns about the criminalization of intellectual property (Harley
2010), however shows that agreement will not be possible on all issues. Traditions of
dual criminality in mutual legal assistance matters will remain a significant hurdle and
a hybrid or two-tiered universal or UN treaty in tandem with the CoE may emerge. A
global convention on cybercrime was given further impetus by the recent
recommendation of the Twelfth United Nations Congress on Crime Prevention and
Criminal Justice (UN, 2010: para 32). Given harmonisation of responses to
non-traditional security threats is relatively novel the CoE and Commonwealth
examples will be useful guides to a truly universal treaty.
Future Developments in Cybercrime Law
As the current Convention is based on the types of cybercrime that originated in the
late 1990s, a number of new problems and attack methods are not explicitly covered
by the Convention, and these will require attention in future iterations. These include
the following:
Bot-nets
The use of bot-nets is arguably the most significant development in cybercrime to
arise since the original signing of the Convention. Using large numbers of networked
infected-computers, botnet operators can launch highly damaging attacks, including
such serious crimes as DDoS attacks. It can also be used to send out massive numbers
of spam and phishing messages. It is estimated that 80% of phishing incidents are
related to bot-nets (Schjolberg & Ghernaouti-Helie, 2011). Large bot-nets with
hundreds of thousands of computers have been discovered, and these have been
employed for purposes of cyber-terrorism and cyber-warfare. Bot-nets may mimic in
some ways a form of cyber-organised crime (Chang, 2010).
Using bot-infected computers as springboards to launch cyber attacks, criminals can
avoid investigation or disturb investigation as the compromised computers are usually
located in different countries and there are still no guidelines for international
18
cooperation on investigation. Bot-nets are now available for lease or purchase and can
be obtained on line for a reasonable price. Criminals without a technology
background are able to launch cyber-attacks by using readily available malicious
toolkits or they hire hackers to do so. As bot-infected computers, sellers, and buyers
can potentially be located in difference countries, real time cooperation in criminal
investigation becomes essential.
Cloud computing
This relatively new configuration of data storage and access is a form of shared data
warehousing long used by generic service providers such as ‘gmail’ and ‘yahoo’ but
brings new concerns in relation to cyber-security. One problem may be access to or
retention of evidentiary data such as log or ISP address data, for law enforcement.
‘Cloud’ computing provides computation, software, data access, and storage services
often at cheaper costs allowing users to store their data at remote storage facilities
provided by service companies or to use software provided by those companies.
Users no longer need to physically store their data on their own computer or buy
software for themselves. While it may be convenient for users, cloud computing has
the potential to become a barrier to successful crime investigation (Schjolberg, 2010).
Anonymity and encryption
The relative anonymity with which people conduct themselves online can lend itself
to illicit activity. The use of freely available tools to mask IP addresses, locations and
identities makes the task of law enforcement more difficult, as does the use of
encryption programs to protect data from third party access (see Chu, Holt, & Ahn,
(2010). While these tools also have legitimate uses, their easy availability to cyber
criminals may need to be addressed in future iterations of cybercrime law. Indeed,
some countries already have specific law enforcement powers to compel the release of
encryption keys.
Social networking
A considerable amount of cybercrime – including online harassment, stalking and
child grooming – is made easier through the use of social networking sites such as
Myspace and Facebook. These services are ideal for facilitating social contact and
business relationships, but they also afford insufficient protection to unsophisticated
and vulnerable users such as children. Greater attention to the possibilities for law
enforcement monitoring of such sites, assisted by the private sector entities involved,
may be required in the interests of public safety. In turn, this may necessitate a
regulatory response that connects sex offenders and law enforcement databases in a
19
more systematic way. Counter-arguments based on privacy concerns usually ignore
the privacy and safety rights of victims of cybercrime.
A universal harmonized cybercrime law
In order to fight transnational cybercrime, it is widely agreed that there is a need for
an international convention that has universal application. The EU and the USA
support the CoE’s Convention on Cybercrime and are encouraging more states to sign
and ratify it. They see a process of socialising the Convention as the best way forward
and are opposed to the distraction of a UN treaty and the watering down of its scope
by excluding intellectual property offences, among others (USA, ‘International
Strategy for Cybercrime’ White House, 2011: 9):
The development of norms for state conduct in cyberspace does not require a
reinvention of customary international law, nor does it render existing
international norms obsolete. Long-standing international norms guiding state
behavior—in times of peace and conflict—also apply in cyberspace
Despite the efforts of the USA and Europe the Convention has not reached a similar
level of acceptance in other regions and countries outside the European region.
A new global cybercrime treaty was discussed at the 12th United Nation Congress on
Crime Prevention and Criminal Justice in Salvador, Brazil (UN 2010) and a draft
treaty presented by Norwegian Judge Stein Schjolberg and Professor Solange
Ghernauti-Hélie from the University of Lausanne. This outlined measures similar to
the Convention but took into account the criminal innovations noted above, such as
phishing, bot-nets, spam, identity theft, and terrorism (Schjolberg, 2010). Compared
with the CoE’s Convention, the Draft replicated the procedural law of the convention
but deleted references to intellectual property offences in cyberspace. One of the key
norms and standards identified in the USA’s promotion of the rule of law in the
‘International Strategy for Cybercrime’ was the protection of intellectual property and
its elimination from a proposed UN cybercrime treaty illustrated the significant
differences that continue to undermine efforts to harmonise cybercrime laws. The
Draft also proposed additional criminal offences such as identity theft, mass
coordinated cyber-threats against critical infrastructure, terrorism and the most serious
cyber-attacks including the criminalisation of crime-ware and attack toolkits.
Schjolberg (2011) also proposed an international criminal court or tribunal for
cyberspace because not all countries are willing to cooperate or are able to cooperate
and an international criminal court or tribunal will be able to take action to investigate
and prosecute transnational cyber criminals.
20
Russia has also sought a UN convention against cybercrime and along with China has
urged the UN adopt a voluntary code. The Russian government has argued that the
current CoE’s Convention on Cybercrime is outdated, and did not address the problem
of how to control the use of the Internet in the spread of ideas or skills relating to
terrorism and cyber terrorism. Neither does the current Convention, according to this
critiques put any emphasis on problems such as identity theft and the emergence of
social networks and microblogs (Isakova, 2011). If USA policy is any guide to the
likelihood of significant changes in international approaches to cybercrime
developments that restrict legitimate access to the Internet rather than combat illegal
activities will be unwelcome (USA, ‘International Strategy for Cybercrime’ White
House, 2011: 19-20).
Conclusion
This paper briefly reviewed developments in cybercrime and the law-enforcement
response in Asia. We noted the rapid rise of cybercrime as a problem and the
relatively underdeveloped multi-lateral response to it. Although the Budapest
Convention established a good base to harmonise the differences in laws and
regulations against cybercrime between different countries, the Convention has not
been widely adopted by many Asian countries or indeed as yet other parts of the
world. While this may be attributable to inconsistencies with laws and regulations in
some countries, for others there is reluctance to sign on to what is seen as essentially a
European instrument. Even if laws are moderately or fully aligned with the
Convention, they may still not wish to sign the Convention. This problem is unlikely
to be solved in the near future, and may frustrate cross-national cooperation on
cybercrime investigation and prosecution. With the development of new technologies
such as cloud computing, ‘smart’ phones and social media, as well as the emergence
of bot-nets and the expansion of encryption, the Convention requires updating.
Creating a network for illegal purposes and selling or renting established bot-nets to
commit or facilitate criminal activities along with so-called “attack toolkits” (eg. ZeuS
and Spyware) should be more widely criminalized and may help reduce organized
crime in cyberspace. The widespread incidence of identity theft as a common
precursor offence requires a broad-based prevention effort (Morris 2008; White &
Fisher 2008). The problem of “hate” and “content” crime will remain complex and
more widespread via social networks and the under-net but with no prospect of a
universal approach although prone to over-lap with criminal activity and enterprise.
The potential for mitigation of transnational cybercrime ultimately lies in effective
21
public-private partnerships and effective international cooperation, albeit not
completely dependent on an international treaty (Wall 2007). Greater understanding
by government and commerce of the industrial scale of commercial cybercrime, and
the recognition of a sense of ‘shared fate’ in cyberspace, will quicken the
development of multilateral responses and the capability for transnational crime
control. Comity can be promoted if wealthy states and affected industries are prepared
to fully aid those states or agencies less capable of enacting and enforcing appropriate
laws. It can be argued, however, that a strict enforcement agenda is usually not
feasible because of the limited capacity of the state, especially public police agencies
whose resources are usually rationed (Broadhurst 2006b). A risk is that
over-regulation could stifle commercial and technological development in developing
countries and those sceptical of an interventionist approach also argue that the
marketplace may be able to provide more effective crime prevention measures
(Newman and Clarke 2003) and efficient solutions to the problems of
computer-related crime than the state.
22
References
AFP. (2010, 12 March 2010). Cybercrime surge pushes 2009 losses to 559 million
dollars. Retrieved 25 August 2011, from
http://www.france24.com/en/20100312-cybercrime-surge-pushes-2009-losses-559-mi
llion-dollars
Archick, K. (2006). Cybercrime: The Council of Europe Convention. Washington,
DC: The Library of Congress.
Barboza, D. (2010, 1 February ). Hacking for fun and profit in China's underworld.
The New York Times. Retrieved 2011, from
http://www.nytimes.com/2010/02/02/business/global/02hacker.html?pagewanted=all
Brenner S (2006). Cybercrime Jurisdiction. Crime, Law and Social Change, 46:
189-206.
Broadhurst, R. (2006a). Content cybercrimes: Criminality and censorship in Asia.
Indian Journal of Criminology, 34(1&2), 11-30.
Broadhurst, R. (2006b). Developments in the global law enforcement of cyber-crime.
Policing: An International Journal of Police Strategies and Management, 29(3),
408-433.
Broadhurst, R. and Kim Kwang Raymond, Choo, 2011. Cybercrime and on-line
safety in cyberspace. in Smith C., Zhang, S. & R. Barbaret [eds.]. International
Handbook of Criminology, Routledge: New York, pp 153-165.
Bullwinkel, J. G. (2005). International cooperation in combating cyber-crime in Asia:
Existing mechanisms and new approaches. In R. Broadhurst & P. Grabosky (Eds.),
Cyber-crime: The Challenge in Asia (pp. 269-302). Hong Kong: Hong Kong
University Press.
Chang, Y. C. (2010). Cybercrime Across the Taiwan Strait-- Regulatory Responses
and Crime Prevention. Unpublished PhD thesis, Australian National University,
Canberra.
Chantler A.N. & R. Broadhurst. (2008). Social Engineering and Crime Prevention in
Cyberspace’, paper presented to the Korean Institute of Criminology. October 30,
2008, Seoul.
Chang, Y. C. (2011). Cyber conflict Between Taiwan and China. Stratigic Insights,
10(1), 26-35.
23
Chu, B., Holt, T. J., & Ahn, G. J. (2010). Examining the creation, distribution, and
function of malware on-line. Washington D.C. National Institute of Justice, U. S.
Department of Justice.
Council of Europe. (2001a). Convention on Cybercrime. Retrieved 17 November
2009. from http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.
Council of Europe. (2001b). Convention on Cybercrime: Explanatory Report.
Retrieved 10 November 2009. from
http://conventions.coe.int/Treaty/en/Reports/Html/185.htm.
Council of Europe. (2009). Project on Cyebercrime-- Final Report. Strasbourg:
Council of Europe.
Council of Europe, (n.d.). Convention on Cybercrime CETS No. 185. Retrieved on 13,
September 2011, from
http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&C
L=ENG
Csonka, P. (2000). The draft Council of Europe Convention on Cybercrime: A
response to the challenge of crime in the age of the Internet? Computer Law &
Security Report, 16, 329-330.
Gordon, Sandy (2009). ‘Regionalism and Cross-Border Cooperation against Crime
and Terrorism in the Asia-Pacific’, Security Challenges, Vol. 5, No. 4, (Summer
2009), pp 75-102.
Guenther M. (2001). Social Engineering – Security Awareness Series’; Information
Warfare Site U.K. Online. Available
(http://www.iwar.org.uk/comsec/resources/sa-tools/Social-Engineering.pdf) (accessed
20 Dec 2006).
Harley, Brian, ‘A Global Convention on Cybercrime?’ Columbia Science and
Technology Law Review, Volume XI, 2010, March 23, 2010. Retrieved 20, July 2010
from http://www.stlr.org/2010/03/a-global-convention-on-cybercrime/
Huang, J. P. (2006, 15 May). Chinese Net-army again stormed the Ministry of
National Defence. AppleDaily. Retrieved 10 January 2011, from
http://tw.nextmedia.com/applenews/article/art_id/2609544/IssueID/20060515
IBM. (2009). IBM Internet Security Systems X- Force 2009 Mid-Year Trend and Risk
Report. Somers, NY: IBM Corporate.
Isakova, Y. (2011). Russia opts for university anti-cybercrime convention. Voice of
Russia. 20 July, Retrieved 7 September 2011 from
http://english.ruvr.ru/2011/07/20/53481702.html
ITU. (2009). ITU Toolkit for Cybercrime Legislation. Geneva: International
Telecommunication Union.
24
Katyal, N. K. (2003). Digital architecture as crime control. Yale Law Journal, 112(8),
2261-2289.
Keyser, M. (2003). The Council of Europe Convention on Cybercrime. Journal of
Transnational Law and Policy, 12(2), 287-326.
Korean Institute of Criminology (2011). Newsletter:Virtual Forum Against
Cybercrme. August, 2011 visited at www.vfac.org
Kyodo. (2011, 17 June). Domestic cybercrime bill passed. Japan Times. Retrieved 6
September 2011, from http://search.japantimes.co.jp/cgi-bin/nn20110617x3.html
Lessig, L. (1999). Code and Other Laws of Cyberspace. NY: Basic Books.
Masters, G. (2010, 23 April). Global cybercrime treaty rejected. SC Magazine.
Retrieved 21 September 2010, from
http://www.scmagazineus.com/global-cybercrime-treaty-rejected-at-un/article/16863/
Microsoft. (2007). Asia Pacific Legislative Analysis: Current and Pending Online
Safety and Cybercrime Laws. Retrieved 11 July, 2011, from
http://www.itu.int/ITU-D/cyb/cybersecurity/docs/microsoft_asia_pacific_legislative_a
nalysis.pdf
Miniwatts Marketing Group. (2011). Internet World Stats. Retrieved 25 August,
2011, from http://www.internetworldstats.com/stats.htm
Newman, G. and R. Clarke. (2003) Superhighway Robbery: Preventing E-commerce
Crime. Devon: Willan Publishing.
Noor, M. (2010). Cyber Legislation of Indonesia. Paper presented at the Octopus
Interface Conference-- Cooperation against Cybercrime. Retrieved 11 July 2011, from
http://unpan1.un.org/intradoc/groups/public/documents/UNGC/UNPAN040467.pdf
Norton. (2010). Norton Cybercrime Report: The Human Impact. Retrieved 25 July,
2011, from http://us.norton.com/theme.jsp?themeid=cybercrime_report
Ollman, Gunter. (2008). The evolution of commercial malware development kits and
colour-by-numbers custom malware. Computer Fraud & Security, 9, 4-7.
OpenNet, 2010 'OpenNet Institute 2009 Survey', accessed July 5, 2010,
http://opennet.net/research/regions/asia).
Parry, R. L. (2009, 9 July 2009). North Korea 'launches massive cyber attack on
Seoul'. The Times. Retrieved 26 July 2011, from
http://www.timesonline.co.uk/tol/news/world/asia/article6667440.ece
Poulsen, K. 2011, ‘PlayStation Network Hack: Who Did It?’ Wired News, April 27,
2011, accessed September 28, 20011,
http://www.wired.com/threatlevel/2011/04/playstation_hack/
Schjolberg, S. (2010). A Cyberspace Treaty - a United Nations Convention or
25
Protocol on Cybersecurity and Cybercrime (A/CONF.213/IE/7). Retrieved 11 March
2011. from http://www.cybercrimelaw.net/documents/UN_12th_Crime_Congress.pdf.
Schjolberg, S. (2011). An International Criminal Court or Tribunal for Cyberspace
(ICTC). New York: EastWest Institute.
Schjolberg, S., & Ghernaouti-Helie, S. (2011). A Global Treaty on Cybersecurity and
Cybercrime (Second edition), Available from
http://www.cybercrimelaw.net/documents/A_Global_Treaty_on_Cybersecurity_and_
Cybercrime,_Second_edition_2011.pdf
Symantec. (2007a). Symantec APJ Internet Security Threat Report XI: Trend for July-
December 06. CA: Symantec Corporation.
Symantec. (2007b). Symantec APJ Internet Security Threat Report XII: Trend for
January- June 07. CA: Symantec Corporation.
Symantec. (2008). Symantec APJ Internet Security Threat Report XIII: Trend for July
- December 2007. Cupertino, CA: Symantec Corporation.
Symantec. (2009). Symantec APJ Internet Security Threat Report XIII: Trend for
2008. Cupertino, CA: Symantec Corporation.
Symantec. (2010a). Symantec Report on Attack Kits and Malicious Websites. CA:
Symantec Corporation
Symantec. (2010). Symantec Internet Security Threat Report. Regional Data Sheet -
Asia Pacific/Japan April 2010,CA: Symantec Corporation.
Symantec. (2011). Symantec Internet Security Threat Report. Vol 16, April 2011,CA:
Symantec Corporation.
Takahashi, D. (2011). Hacktivist group Anonymous launches "payback" cyber attack
on Sony. Retrieved 25 July, 2011, from
http://venturebeat.com/2011/04/03/hacktivist-group-anonymous-launches-payback-cy
ber-attack-on-sony/
Telegraph. (2011, 3 May). Sony says 25m more users hit in second cyber attack. The
Telegraph. Retrieved 25 July 2011, from
http://www.telegraph.co.uk/technology/sony/8489147/Sony-says-25m-more-users-hit
-in-second-cyber-attack.html
Thomas, N. (2009) ‘Cyber Security in East Asia: Governing Anarchy’, Asian Security
5, 1-23.
The Parliament of the Commonwealth of Australia. (2011). Report 116 Treaties
tabled on 24 and 25 November 2010, 9 February and 1 March 2011. Canberra: The
Parliament of the Commonwealth of Australia.
Trend Micro. (2009). Trend Micro 2008 Annual Threat Roundup and 2009 Forecast.
26
Cupertino, CA: Trend Micro Inc.
United Nations. (2002). Resolution Adopted by the General Assembly on Combating
the Criminal Misuse of Information Technologies (A/RES/56/121). Retrieved 25
Spetember 2009. from
http://daccessdds.un.org/doc/UNDOC/GEN/N01/482/04/PDF/N0148204.pdf?OpenEl
ement.
United Nations, 2010, ‘Recent developments in the use of science and technology by
offenders and by competent authorities in fighting crime, including the case of
cybercrime’, working paper A/CONF.213/9, UN 12th Congress on Crime Prevention
and Criminal Justice, Salvador, Brazil, 12-19 April 2010 22 January 2010
(accessed July 6, 2010)
http://www.unodc.org/documents/crime-congress/12th-Crime-Congress/Documents/A
_CONF.213_9/V1050382e.pdf
United States General Accounting Office 2010, ‘Cybersecurity: Key Challenges Need
to Be Addressed to Improve Research and Development’, June 2010:
http://www.gao.gov/new.items/d10466.pdf (accessed July 5, 2010:)
United States of America 2011 ‘International strategy for cyberspace: Prosperity,
Security, and Openness in a Networked World’, May 2011, White House; accessed
September 26, www.whitehouse.org
Venkatesan, J. (2011, 7 June). Bill on 'right to privacy' in monsoon session: Moily. the
Hindu. Retrieved 11 July 2011, from
http://www.thehindu.com/news/national/article2082643.ece
Wall D. (2007) Policing Cybercrimes: Situating the Public Police in Networks of
Security within Cyberspace’, Police Practice and Research: An International Journal,
8:2, 183-205.
White M and Fisher C. (2008). Assessing our Knowledge of Identity Theft: The
Challenges to Effective Prevention and Control Efforts. Criminal Justice Policy
Review, 19:1, 3-24.
Weber, A. M. (2003). The Council of Europe's Convention on Cybercrime. Berkeley
Technology Law Journal, 18, 425-446.
Xu, S. C. (2009, 24 March). Over 3,100 cyber attacks towards Taiwanese
Government System were originated by Chinese cyber army. Liberty Times. Retrieved
21 September 2010, from
http://www.libertytimes.com.tw/2009/new/mar/24/today-fo2.htm
... Since the dawn of the digital age, the insecurities of cyberspace have become increasingly apparent. Moreover, the resources and capacities of states to patrol cyberspace are arguably even more constrained than those available in the terrestrial world (Holt and Bossler 2016; Broadhurst and Chang, 2012). It is agreed that governmental agencies of social control are neither omnipresent nor omnipotent, and this has created a demand for supplementary policing and security services. ...
... The feasibility of such a response tends to be inversely proportional to the skill of the offending attacker. Whether feasible or not, such a response is illegal in most jurisdictions and falls in the prohibition on intrusion of computers listed in the Council of Europe Convention on Cybercrime (Broadhurst and Chang, 2012) . For this reason, counter-hackers may be disinclined to publicize their exploits. ...
Article
Full-text available
Given the limited resources and capabilities of states to maintain cyber security, a variety of co-production efforts have been made by individuals, or by collectives of varying degrees of organization and coordination. This article identifies different forms of citizen coproduction of cyber security and notes the risk of unintended consequences. Safeguards and principles are proposed in order to facilitate constructive citizen/netizen co-production of cyber security. Although co-production of security can contribute to social control, only those activities within the bounds of the law should be encouraged. Activities of private citizens/netizens that test the limits of legality should be closely circumscribed.
... Existing cybercrime statistics are mostly published by commercial information security companies and organisations, like Symantec, AV-test, and Trend Micro, using malicious computer activity statistics to quantify cybercrime and information security problems. They record malicious computer activities initiated by malicious software (malware) such as viruses, Trojans, worms and bots (Broadhurst and Chang, 2012;IBM, 2009;Trend Micro, 2009). As ASEAN countries are not their main clients, it is rare for commercial companies to report on malicious activities in all ASEAN countries. ...
... Drafted by the Council of Europe, the Budapest Convention aims to expedite collaboration among states in cybercime investigation and prosecution. It also aims to facilitate the states' adoption of adequate international legal instruments against cybercrime (Broadhurst and Chang, 2012; Council of Europe, 2001a, 2001b). It was opened for signature for both member states and non-member states of the Council of Europe in November 2001 and entered into force on 1 July 2004 after it was ratified by five member countries of the Council of Europe. ...
Chapter
Full-text available
This chapter examines the trends in and challenges of cybercrime in the Association of Southeast Asian Nation (ASEAN) region. Although the ASEAN region is an emerging cybercrime market, there is limited research on cybercrime in ASEAN. What are the trends in and challenges of cybercrime in ASEAN? Is the current Council of Europe’s Convention on Cybercrime appropriate for ASEAN? What are the challenges faced by ASEAN countries when collaborating internationally against cybercrime? This chapter aims to answer these questions and to consider whether the strategies developed in the global north are relevant to ASEAN. This chapter will provide an overview of cybercrime trends in ASEAN, assess current measures adopted by ASEAN countries in combatting cybercrime, and make policy recommendations to strengthen those measures.
... The world has well and truly entered the field of technology and its digital age, where this technology that has covered all stages and endings and forms of life is constantly presented and our main purpose is the positive use of this technology, contrary technology has facilitated our daily lives, but it has also given contributions and solutions to resist terrorist activities and electronic crimes. Specifically, this occurs as a result of technological advancements all around the world [3], [4]. According to information security experts, many crimes are committed over the Internet. ...
Research
Full-text available
WhatsApp application is considered the largest messaging application around the world and an important source of information, they just incorporated a new technique that operates on end-to-end encryption, which presents a significant problem for forensic investigators and analysts. This study describes how to recover the encryption key from WhatsApp to decrypt WhatsApp databases and retrieve important artifacts displayed and saved in the Android system without rooting the device. As a means of presenting and analyzing artifacts taken from the most recent version of WhatsApp to signs of fresh and important evidence and artifacts to assist investigators and forensic analysts in the investigation. As a result, various techniques, devices, and software may now be utilized for WhatsApp digital forensics. The findings of this study showed a variety of artifacts in the internal memory unit utilized by the Android system for the WhatsApp application, which might aid digital forensic examiners in their examination of WhatsApp on the Android system without the need to root the device.
... Moreover, the 2003 optional protocol has had fewer ratifications (28) than its parent convention, with Senegal as the only non-European state party. In part, this is because some states (most notably the US) see the optional protocol as incompatible with the right to freedom of expression (Broadhurst & Chang, 2013). ...
Technical Report
Full-text available
At present a sophisticated large-scale cyber terrorist attack with a kinetic element appears to be unlikely. However, this may change in the next five years because of the rapidly developing capacity of many nation states (including proxy actors) to undertake offensive measures in the cyber domain. The vulnerability of technology-dependent societies, when combined with the proliferation of new versions of malware and other sophisticated cyber capabilities, significantly increases the risk posed by opportunistic or motivated offenders. An increasing risk is that sophisticated weaponised software may enter the ‘wild’ and into the criminal underworld where it could be appropriated by capable violent extremists. A serious cyber terrorist kinetic event is therefore currently unlikely, but high volume/low value or impact events are on the rise. The risk of a cyber terrorism attack should therefore not be understated as an emerging threat. This review of cyber-terrorism outlines the main trends and challenges presented by the convergence of the exceptional reach, speed and scale of the Internet and the political ambitions of violent extremists. Each chapter provides a brief summary of a key aspect of the cyber terror phenomenon, an analysis of emerging trends or perspectives, and other relevant information or examples identified during the research. At the end of each chapter a brief annotated bibliography is included to assist future research and give readers more information about the sources used. The report has drawn on a broad range of sources including government documents, web/blog posts, academic articles, information security websites and online news articles about cyber terrorism. The final chapter concludes with a discussion on the likelihood of a cyber terrorist attack.
... Key members include European nations and the United States. Nevertheless, most countries in Latin America, the Middle East and Asia-Pacific, including Brazil, Russia, China and India, are not signatories to the Budapest Convention because they were not involved in the drafting or, as is the case with less-affluent countries, they lag behind in developing domestic cybercrime laws to the requisite standards (Broadhurst and Chang 2013). This reduces the effectiveness of the convention as it applies to less than half of the world's internet users and, as Archick (2006) argued, most of the 'problem countries' are not actively involved in the convention. ...
Chapter
Full-text available
The challenge of discouraging undesirable conduct in cyberspace is, in many respects, similar to the management of misconduct ‘on the ground’. In terrestrial space, most social control is informal. Cultures— whether they are cultures of indigenous peoples or of the modern university—have their social norms, to which most of their members adhere. Minor transgressions tend to elicit expressions of disapproval, while more serious misconduct may be met with ridicule, ostracism, some form of ‘payback’ or expulsion from the group or organisation. With the rise of the modern state, formal institutions of social control have evolved to provide rules of behaviour, forums for the resolution of disputes between citizens and institutions for policing, prosecution, adjudication and punishment of the most serious transgressions. However, it is now generally accepted that governmental agencies of social control are neither omnipresent nor omnipotent, thus creating a demand for supplementary policing and security services. ese state institutions are accompanied by a variety of non-state bodies that ‘coproduce’ security. Such entities vary widely in size and role, from large private security agencies and the manufacturers and distributors of technologies such as closed-circuit television (CCTV), to the good friend who keeps an eye on her neighbour’s house at vacation time. is wider notion of policing terrestrial space has been nicely articulated by scholars such as Bayley and Shearing (1996) and Dupont (2006) (see also Brewer, Chapter 26, this volume). Cyberspace di ers only slightly from terrestrial space in its response to antisocial behaviour. Most of us who use digital technology do the right thing not because we fear the long arm of the law in response to misconduct, but, rather, because we have internalised the norms that prevail in our culture (on compliance generally, see Parker and Nielsen, Chapter 13, this volume). Most of us take reasonable precautions to safeguard things of value that might exist in digital form. Nevertheless, because there are deviant subcultures whose members do not comply with wider social norms, and nonchalant citizens who are careless with their digital possessions, there is a need for formal institutions of social control in cyberspace. So, too, is there a need for the coproduction of cybersecurity. One characteristic of cyber-deviance that di ers signi cantly from terrestrial misconduct is that cross-national activity is much more common. Very early on in the digital age it was said that ‘cyberspace knows no borders’. e nature of digital technology is such that one may target a device or system physically located on the other side of the world just as easily as one in one’s own hometown. A successful response to transnational cybercrime thus requires a degree of cooperation between states—cooperation that may not be automatically forthcoming. e governance of cyberspace is no less a pluralistic endeavour than is the governance of physical territory. is chapter will provide an overview of regulatory and quasi-regulatory institutions that currently exist to help secure cyberspace. In addition to state agencies, we will discuss a constellation of other actors and institutions, some of which cooperate closely with state authorities and others that function quite independently. ese range from large commercial multinationals such as Microsoft, Google and Symantec; other non-governmental entities such as computer emergency response teams (CERTs); groups like Spamhaus and the Anti-Phishing Working Group; and hybrid entities such as the Virtual Global Task Force and End Child Prostitution, Child Pornography and Tra cking of Children for Sexual Purposes (ECPAT), both of which target online child sexual abuse. In addition, there are independent, ‘freelance’ groups such as Cyber Angels, which exist to promote cybersafety, and ad hoc, transitory collectives that engage in independent patrolling and investigation of cyberspace. Other groups, such as Anonymous, and whistleblowers such as Edward Snowden, challenge apparent cyberspace illegality with sometimes questionable methods of their own. Anonymous attacked sites related to child pornography in 2011 (Operation Darknet) and Edward Snowden’s disclosures revealed questionable practices by the US National Security Agency. e next section of this chapter will brie y review some of the more important published works on the social regulation of digital technology. We will then discuss, in order, state, private and hybrid regulatory orderings. e chapter will conclude with some observations on regulatory orderings in cyberspace, through the lens of regulatory pluralism.
... As mentioned earlier, some reports claim that the volume of spam is in decline because spammers have shifted their focus toward more Advanced Persistent Threats (APT) such as spear phishing. A common way to convince recipients of spam e-mails to act on these e-mails is the use of " social engineering " techniques that deceive the recipients into believing that the email is legitimate (Broadhurst & Chang, 2013). Cybercriminals favour social engineering tactics to persuade their victims to click on a malicious URL or download malware because it is easier than trying to insert malware remotely, such as Trojans (Hong, 2012) (Abraham & Chengalur-Smith, 2010) . ...
Chapter
Cybercrime involves unlawful activities done by the individual in cyberspace using the internet. It is cyberbullying, financial theft, code-hack, cryptojacking, hacking, etc. The main difference between cybercrime and cyberattack is that cybercrime victims are humans. The crime associated with the latter is that of a computer network, hardware or software. Cyberattack activities include ransomware, viruses, worms, SQL injection, DDoS attacks, and government and corporate are potential targets. Cyber security provides a specialised approach to the protection of computer systems from cybercrimes and cyberattacks. As of now, no cyber defence is 100% safe. What is considered safe today may not be secure tomorrow. Blockchain enables a new way of recording transactions or any other digital interaction within the network with security, transparency, integrity, confidentiality, availability, and traceability. This chapter explains in detail about cyber risks and how blockchain can be used to avoid risks in financial and insurance frauds.
Chapter
This chapter provides an understating of the phenomenon of cybercrime, its evolution, and typology. Further it also sheds light on the economic lens of cybercrime. It explores the phenomenon of cyber economic crime in the Indian context and elaborates on the concept of cyber economic crime, its nature, extent, victims, accused characteristics, and typology.
Chapter
This chapter elucidates the conceptual framework of cyber economic crime envisaged. It throws light on the concept of cyber economic crime from a criminological perspective in the Indian context. Various criminological studies on cyber economic crime in the Indian context, the response of the criminal justice system to it and the legal regime, along with its efficacy is also reviewed. It attempts to explore theories of crime and how cyber economic crime is evolving in criminology. The cyber economic crime phenomenon is explored from a translational criminological approach. This chapter also discusses the theoretical framework of cyber economic crime which explains the concept and phenomenon and response of criminal justice system. It maps the technology–crime relationship in relation to cybercrime. The methodological and analytical framework to study the efficacy of the system are also explained in this chapter.
Chapter
Full-text available
The continued rapid growth of the Internet and the emergence of the Internet of Things (IoT) have resulted in the increased sophistication of malicious software or crime-ware tools and the refinement of deceptive methods to conduct computer attacks and intrusions. Cyber attacks via spam emails (unsolicited bulk messages) remain one of the major vectors for the dissemination of malware and many predicate forms of cybercrime. Monitoring spam as potential cybercrime can help prevention by observing changes in attack methods including the type of malicious code and the presence of criminal networks. In this paper, we describe the nature and trends in spam borne malware. This paper outlines some of the issues and problems in respect to the spam in cybercrime and gives examples of known cases and offers insight to tackle spam problems.
Article
Full-text available
Cybercrime is essentially a transnational crime with a ‘modus operandi’ that exploits inter-state differences in the capacity to respond to such crime, and appears in the same company as such powerful global concerns as civil war, genocide and poverty (United Nations 2004). This transnational character provides cybercriminals, especially organized crime (OC), with the agility to avoid counter-measures even when implemented by capable actors (Brenner 2002, 2006; Council of Europe 2004). Although some have questioned the existence of organized criminal activities in cyberspace, several studies have noted the potential and actual synergy between organized crime and cyberspace in recent years. This paper outlines some of the issues and problems in respect to the role of OC in cybercrime.
Thesis
This thesis contributes to our understanding of the nature and extent of cybercrime in and between Republic of China (Taiwan) and People's Republic of China (China). Guided by Routine Activity Theory, it explores the viability of regulatory responses to cybercrime. It seeks to assist cybercrime prevention across the Taiwan Strait. Through secondary data analysis and qualitative interviews, the thesis finds a high volume of malicious computer activity in Taiwan and China. Language and culture both play an important role in facilitating these malicious activities. Of all these activities, the establishment of the bot-net is identified as the most serious. Because of the structured character of bot-nets and the damage they cause, cybercrime facilitated through bot-nets can be defined as cyber-organised crime. This is the case even though it does not fit the definition of organised crime found in the United Nations Convention Against Transnational Organised Crime, which requires that there must be . three or more people involved in the crime. Regarding legal responses, the thesis compares the legal responses of Taiwan and China with responses recommended by the Council of Europe's Convention on Cybercrime. Although neither Taiwan nor China is a signatory to the Convention (each has different reasons for not signing), the thesis finds that their responses to cybercrime are quite similar. Indeed, dual-criminality is not a concern between Taiwan and China. However, the lack of sufficient law enforcement officers capable of investigating, prosecuting and sentencing poses a significant challenge in both states. One solution might be to consider thoroughly the advantages and disadvantages of allowing investigators to use Trojan horses and spyware as new effective tools to investigate cybercrime. The research finds that current legal responses to cybercrime between Taiwan and China have achieved little. Although dual-criminality is not a concern, obstacles imposed by the special political situation mean that there is a lack of official cooperation between the two governments. Third party cooperation and informal police-to-police relationships can play some role in the absence of official cooperation. However, the utility of these is still limited by the political situation. Therefore, the thesis argues that, currently, there is no capable guardian existing between Taiwan and China to help combat cybercrime across the Taiwan Strait. This thesis argues that there is an urgent need to establish a feasible pre-warning system, and to make potential targets less vulnerable. A voluntary reporting approach is identified, using positive incentives and praise to encourage victims to report information security incidents affecting them. Information security companies can be used as gatekeepers to help victims to report malicious computer incidents. The potential of pluralist regulatory pyramid of supports and sanctions to guard against cybercrime is explored. Most importantly, this research argues that the public image of victims of information insecurity needs to change from negative to positive. The media should be encouraged to report more on the positive side of the victims who have disclosed incidents affecting them.
Book
Cybercrime is a worldwide problem of rapidly increasing magnitude and, of the countries in the Asia Pacific region, Taiwan and China are suffering most. This timely book discusses the extent and nature of cybercrime in and between Taiwan and China, focussing especially on the prevalence of botnets (collections of computers that have been compromised and used for malicious purposes). The book uses routine activity theory to analyse Chinese and Taiwanese legal responses to cybercrime, and reviews mutual assistance between the two countries as well as discussing third party cooperation. To prevent the spread of cybercrime, the book argues the case for a ‘wiki’ approach to cybercrime and a feasible pre-warning system. Learning from lessons in infectious disease prevention and from aviation safety reporting, Cybercrime in the Greater China Region proposes a feasible information security incident reporting and response system. Academics, government agency workers, policymakers and those in the information security or legal compliance divisions in public and private sectors will find much to interest them in this timely study.
Chapter
The explosive growth in information technology during the last decade has precipitated unprecedented economic and social changes. Our virtually unlimited electronic access to information and telecommunication services has profoundly and irrevocably changed the way we live and the way we think. So too have technological advances dramatically altered the manner in which criminals carry out their activities. Information technologies not only have created an additional platform for launching traditional crimes but also have paved the way for new and pernicious forms of criminality, including cyberterrorism - a threat made all the more real by the tragic events of 11 September 2001. One of the most disturbing aspects of these developments is that cyber-criminals are not confined by national boundaries but rather, with a few keystrokes or the simple click of a mouse, can perpetrate acts with devastating global implications - and can eliminate crucial evidence with the same degree of ease. Crimes committed today rarely touch only a single jurisdiction and, indeed, even relatively unsophisticated forms of cyber-crime commonly resonate on multiple continents. © 2005 by Hong Kong University Press, HKU. All rights reserved.
Article
Thirty-three countries–including the United States–have signed the Council of Europe's Convention on Cybercrime of November 2001. The Convention seeks to better combat cybercrime by harmonizing national laws, improving investigative abilities, and boosting international cooperation. Supporters argue that the Convention will enhance deterrence, while critics counter it will have little effect without participation by countries in which cybercriminals operate freely. Others warn it will endanger privacy and civil liberties. This report will be updated as events warrant. Future questions may be directed to Paul Gallis.
Article
CHANGSHA, China — With a few quick keystrokes, a computer hacker who goes by the code name Majia calls up a screen displaying his latest victims. "Here's a list of the people who've been infected with my Trojan horse," he says, working from a dingy apartment on the outskirts of this city in central China. "They don't even know what's happened." As he explains it, an online "trapdoor" he created just over a week ago has already lured 2,000 people from China and overseas — people who clicked on something they should not have, inadvertently spreading a virus that allows him to take control of their computers and steal bank account passwords. Majia, a soft-spoken college graduate in his early 20s, is a cyberthief. He operates secretly and illegally, as part of a community of hackers who exploit flaws in computer software to break into Web sites, steal valuable data and sell it for a profit. Internet security experts say China has legions of hackers just like Majia, and that they are behind an escalating number of global attacks to steal credit card numbers, commit corporate espionage and even wage online warfare on other nations, which in some cases have been traced back to China. Three weeks ago, Google blamed hackers that it connected to China for a series of sophisticated attacks that led to the theft of the company's valuable source code. Google also said hackers had infiltrated the private Gmail accounts of human rights activists, suggesting the effort might have been more than just mischief. In addition to independent criminals like Majia, computer security specialists say there are so-called patriotic hackers who focus their attacks on political targets. Then there are the intelligence-oriented hackers inside the People's Liberation Army, as well as more shadowy groups that are believed to work with the state government. Indeed, in China — as in parts of Eastern Europe and Russia — computer hacking has become something of a national sport, and a lucrative one. There are hacker conferences, hacker training academies and magazines with names like Hacker X Files and Hacker Defense, which offer tips on how to break into computers or build a Trojan horse, step by step.
Article
Peter Csonka reviews the proposed Council of Europe Draft Convention on Cyber-crime which is currently going through its stages towards implementation.