Chapter 4 : 4. Anti-cybercrime strategies
4.1 Cybercrime legislation as an integral part of a cybersecurity strategy
As pointed out previously, cybersecurity plays an important role in the ongoing development of information
technology, as well as Internet services. Making the Internet safer (and protecting Internet users) has become
integral to the development of new services as well as governmental policy.Cybersecurity strategies – for example,
the development of technical protection systems or the education of users to prevent them from becoming victims of
cybercrime – can help to reduce the risk of cybercrime. An anti-cybercrime strategy should be an integral element of
a cybersecurity strategy. The ITU Global Cybersecurity Agenda, as a global framework for dialogue and
international cooperation to coordinate the international response to the growing challenges to cybersecurity and to
enhance confidence and security in the information society, builds on existing work, initiatives and partnerships
with the objective of proposing global strategies to address these related challenges. All the required measures
highlighted in the five pillars of Global Cybersecurity Agenda are relevant to any cybersecurity strategy.
Furthermore, the ability to effectively fight against cybercrime requires measures to be undertaken within all of the
five pillars.
4.1.1 Implementation of existing strategies
One possibility is that anti-cybercrime strategies developed in industrialized countries could be introduced in
developing countries, offering advantages of reduced cost and time for development. The implementation of existing
strategies could enable developing countries to benefit from existing insights and experience.
Nevertheless, the implementation of an existing anti-cybercrime strategy poses a number of difficulties. Although
similar challenges confront both developing and developed countries, the optimal solutions that might be adopted
depend on the resources and capabilities of each country. Industrialized countries may be able to promote
cybersecurity in different and more flexible ways, e.g. by focusing on more cost- intensive technical protection
issues.
There are several other issues that need to be taken into account by developing countries adopting existing anticybercrime
strategies. They include compatibility of respective legal systems, the status of supporting initiatives
(e.g. education of the society), the extent of self-protection measures in place as well as the extent of private sector
support (e.g. through public-private partnerships).
4.1.2 Regional differences
Given the international nature of cybercrime, the harmonization of national laws and techniques is vital in the fight
against cybercrime. However, harmonization must take into account regional demand and capacity. The importance
of regional aspects in the implementation of anti-cybercrime strategies is underlined by the fact that many legal and
technical standards were agreed among industrialized countries and do not include various aspects important for
developing countries. Therefore, regional factors and differences need to be included within their implementation
elsewhere.
4.1.3 Relevance of cybercrime issues within the pillars of cybersecurity
The Global Cybersecurity Agenda has seven main strategic goals, built on five work areas: 1) Legal measures;
2)Technical and procedural measures; 3)Organizational structures; 4)Capacity building; and 5) International
Cybersecurity Agenda. Among these work areas, the “Legal measures” work areas focuses on how to address the
legislative challenges posed by criminal activities committed over ICT networks in an internationally compatible
manner.
4.2 A cybercrime policy as starting point
Developing legislation to criminalize certain conduct or introduce investigation instruments is a rather unusual
process for most countries. The regular procedure is first of all to introduce a policy. A policy is comparable to a
strategy that defines the different instruments used to address the issue. Unlike a more general cybercrime strategy
that may address various stakeholders, the role of policy is to define the government’s public response to a certain
issue. This response is not necessarily limited to legislation as governments have various instruments that can be
used to achieve policy goals. And even if the decision is made that there is a need to implement legislation, it does
not necessarily need to focus on criminal law but could also include legislation more focussed on crime prevention.
In this regard, developing a policy enables a government to comprehensively define the government response to a
problem. As the fight against cybercrime can never solely be limited to introducing legislation, but contains various
Cyber Crime
13
strategies with different measures, the policy can ensure that those different measures don’t cause conflicts.
Within different approaches to harmonize cybercrime legislation too little priority has been given to not only
integrating the legislation in the national legal framework but also including it into an existing policy, or developing
such policy for the first time. As a consequence some countries that merely introduced cybercrime legislation
without having developed an anti-cybercrime strategy as well as policies on the government level faced severe
difficulties. They were mainly a result of a lack of crime prevention measures as well as an overlapping between
different measures.
4.3 The role of regulators in fighting cybercrime
In decades gone by, the focus of solutions discussed to address cybercrime was on legislation. As already pointed
out in the chapter dealing with an anti-cybercrime strategy, however, the necessary components of a comprehensive
approach to address cybercrime are more complex. Recently, the spotlight has fallen on the role of regulators in the
fight of cybercrime.
4.3.1 From telecommunication regulation to ICT regulation
The role of regulators in the context of telecommunications is widely recognized. As Internet has eroded the old
models of the division of responsibilities between government and private sector, a transformation of the traditional
role of ICT regulators and a change in the focus of ICT regulation can be observed. Already today ICT regulatory
authorities find themselves involved in a range of activities linked to addressing cybercrime. This is especially
relevant for areas like content regulation, network safety and consumer protection, as users have become
vulnerable. The involvement of regulators is therefore the result of the fact that cybercrime undermines the
development of the ICT industry and related products and services.
The new duties and responsibilities of the ICT regulator in combating cybercrime can be seen as part of the wider
countries, ICT regulators have already explored the possibility of transferring the scope of regulatory duties from
competition and authorization issues within the telecom industry to broader consumer protection, industry
development,cybersafety, participation in cybercrime policy- making and implementation, which includes the wider
use of ICTs and as a consequence cybercrime- related issues. While some new reg
ulatory authorities have been
created with mandates and responsibilities that include cybercrime, older established ICT regulators have extended
their existing tasks to include various activities aimed at tackling cyber-related threats. However, the extent and
limitations of such involvement are still under discussion.
4.3.2 Models for extension of regulator responsibility
There are two different models for establishing the mandate of regulators in combating cybercrime, namely:
extensively interpreting the existing mandate, or creating new mandates.
Two traditional areas of involvement of regulators are consumer protection and network safety. With the shift from
telecommunication services to Internet-related services, the focus of consumer protection has changed. In addition
to the traditional threats, the impact of Spam, malicious software and botnets need to be taken into consideration.
One example of extending a mandate comes from the Dutch Independent Post and Telecommunication Authority
(OPTA). The mandate of the regulator includes Spam
prohibition and preventing the dissemination of malware. During the debate on the mandate of OPTA, the
organization expressed the view that a bridge should be built between cybersecurity as a traditional field of activity
and cybercrime in order to effectively address both issues. If cybercrime is seen as a failure of cybersecurity, the
mandate of regulators is consequently automatically expanded.
The possibility of extending the regulator’s mandate to include cybercrime issues also depends on the institutional
design of the regulator, and whether it is a multisector regulator (like utility commissions), a sector-specific telecom
regulator or a converged regulator. While every model of institutional design has its advantages and disadvantages
from the perspective of ICT industry regulation, the type of institutional design should be taken into account when
assessing how and in what areas the ICT regulator should be involved. Converged regulators, with responsibility for
media and content as well as ICT services, generally face a challenge in terms of complexity of workloads. However,
their comprehensive mandate can constitute an advantage in dealing with content-related issues, such as child
pornography or other illegal or harmful content. In a converged environment where traditional telecommunication
regulators may struggle to resolve certain issues, such as consolidation between media content and
telecommunication service providers, the converged regulator appears to be in a better position to address contentnetwork
issues. Furthermore, the converged regulator can help to avoid inconsistency and uncertainty of regulation
and unequal regulatory intervention in respect of the different content delivered over various platforms.
Nevertheless, the discussion of the advantages of a converged regulator should not undermine the importance of
the activities of single-sector regulators. While, for instance, up to the end of 2009 the European Union had only
Cyber Crime
14
four converged ICT regulators, many more were involved in addressing cybercrime.
When thinking of extending the interpretation of existing mandates, account must be taken of the capacity of the
regulator and the need to avoid overlap with the mandates of other organizations. Such potential conflicts can be
solved more easily if new mandates are clearly defined.
The second approach is the creation of new mandates. In view of the potential for conflicts, countries such as
Malaysia have decided to redefine mandates to avoid confusion and overlap. The Malaysian Communications and
Multimedia Commission (MCMC), as a converged regulator, has established a special department dealing with
information security and network reliability, the integrity of communications and critical communication
infrastructure.A similar approach can be observed in South Korea, where in 2008 the Korea Communications
Commission (KCC) was created by consolidating the former Ministry of Information and Communication and the
Korean Broadcasting Commission. Among other duties, KCC is responsible for the protection of Internet users from
harmful or illegal content.
Cyber Crime
15
References
1) Clarke/Sandberg/Wiley/Hong, Freenet: a distributed anonymous information storage and retrieval system, 2001;
Chothia/Chatzikokolakis, A Survey of Anonymous Peer-to-Peer File-Sharing, available at: www.spinellis.gr/pubs/jrnl/
2004-ACMCS-p2p/html/AS04.pdf; Han/Liu/Xiao/Xiao, A Mutual Anonymous Peer- to-Peer Protocol Design, 2005.
2) Autronic v. Switzerland, Application No. 12726/87, Judgement of 22 May 1990, para. 47. Summary available at:
https://sim.law.uu.nl/sim/caselaw/Hof.nsf/
2422ec00f1ace923c1256681002b47f1/cd1bcbf61104580ec1256640004c1d0 b? OpenDocument.
3) The Internet Systems Consortium identified 490 million Domains (not webpages). See the Internet Domain
Survey, July 2007, available at: www.isc.org/index.pl?/ ops/ds/reports/2007-07/; The Internet monitoring company
Netcraft reported in August 2007 a total of nearly 130 million websites at: https://news.netcraft.com/
archives/2007/08/06/august_2007_web_server_survey.html.
4) Gordon/Ford, On the Definition and Classification of Cybercrime, Journal in Computer Virology, Vol. 2, No. 1,
2006, page 13-20; Chawki, Cybercrime in France: An Overview, 2005, available at: www.crimeresearch.
org/articles/cybercrime-in- france-overview; Gordon/Hosmer/Siedsma/Rebovich,
5) Assessing Technology, Methods, and Information for Committing and Combating Cyber Crime, 2003, available
at: www.ncjrs.gov/pdffiles1/nij/grants/198421.pdf.
6) Kabay, A Brief History of Computer Crime: An Introduction for Students, 2008, page 23, available at:
www.mekabay.com/overviews/history.pdf.
7) CRS Report for Congress on the Economic Impact of Cyber-Attacks, April 2004, page 10, available at:
www.cisco.com/warp/public/779/govtaffairs/images/ CRS_Cyber_Attacks.pdf