Written by Giulia Raona (Bocconi University) and Cecilia Pelosi (University of Milan).
We would like to offer special thanks to Prof. Przemyslaw Roguski from Jagiellonian University, Kraków for his valuable advice.
“Computers are incredibly fast, accurate, and stupid. Human beings are incredibly slow, inaccurate, and brilliant. Together they are powerful beyond imagination.” (Albert Einstein)
A discussion about the current state of cybercrime cannot prescind from mention of the security in cyberspace. A link can certainly be drawn between cybercrime and cybersecurity in terms of functionality: the former is instrumental in guaranteeing the integrity of the latter, which is not without its challenges. In particular, issues surrounding this relationship and those that come from trying to define the essential components of cybercrime occur first and foremost on the conceptual plane. A universally agreed upon concept of cybersecurity has not yet been established at supranational level, allowing for diversified approaches in local jurisdictions as a result. By way of example, international organizations such as ISO/IEC may define cybersecurity as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”, whereas the Directive on Security of Network and Information Systems (hereinafter, NIS Directive) defines it as the “ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems”. Lack of consensus on the meaning of cybersecurity leads to the consequential absence of a constant definition of cybercrime. Even proposed interpretations of cybercrime fail to reach global approval and can sometimes be so vast that the objective and subjective elements of the illicit conduct appear murky. The EU Commission has offered its own concept of cybercrime, defining it as a criminal act that is committed online by use of electronic communications networks and information systems.
Although agreement can be found in broad sectors of criminalization of illicit conducts in cyberspace, a more detailed analysis in national laws indicates the presence of significantly different outlooks. At least in part, this is attributed to the fact that efforts made by countries to face the phenomenon of cyber attacks have been relatively recent due to the ever-changing nature of digital technologies and the slow law-making process at supranational level. Although most States envisage offenses integrated through illegal access to computer systems, they differ depending on the object of the attack (system, information, or data), and on whether the application of a criminal sanction requires both access and specific intent or if mere access can suffice. In regards to intent, some jurisdictions demand it be intentional whereas others allow reckless intent to justify the penalty. Certain countries pursue the development of provisions specific to cybercrime, others choose a more cost-effective technique allowing laws on fraud or theft, originally elaborated for the physical sphere, to extend to cyberspace and consequentially to cybercrime. Of course, mention should be made about the dangers of pursuing security too vehemently. Such is the case with the Chinese Alipay Health Code, technically implemented to track citizens in order to monitor developments in the pandemic, which denies privacy in the name of national security. This overview suggests that not only are differences between national laws present, but that they may also be crucial and deeply problematic. Stark incompatibilities between jurisdictions in cyber criminal policy appear to clash with the need to respond to crimes that are borderless by nature and therefore frequently require international cooperation. In turn, this raises inevitable concerns in terms of effectiveness in cybercrime prosecution. If legislations are too dissimilar it may be improbable, if not impossible, to find dual-criminality patterns. This aspect of internationality, and the difficulties that come with it, only intensify in a time where States are dealing with a pandemic threat that creates major dependency on computer systems and, inevitably, a fertile ground for misuse of technology.
Despite fragmentation, some harmony exists in clusters at international and European level. Uniformity regarding the application of international law to cyberspace is rooted in the GGE 2015 Report which confirms the employment of established international principles even in the world of cyberspace, outlines norms of responsible behavior and lays the foundation for confidence-building measures in pursuit of security and stability (so-called “cybernorms”). As they are volontary and non-binding, cybernorms do not aim to exclude or limit State action in repressing ICT-related crimes via national legislation if compatible with international law; they set standards of behavior that must be respected even when dealing with crimes perpetrated in cyberspace. Conversely, cyberlaw provides legal obligations that draw the line between “legal” and “criminal” even in criminal matters. However, despite the separation between the two, cybernorms and cyberlaw complement each other. The former may prove fruitful in diminishing the problems that arise from differences in national legislations and the shortcomings of international cyberlaw, as it creates consensus that binding international norms will be called to formalize. Considering the intrinsically voluntary nature of international law, whereby States may unilaterally decide to participate in the elaboration of treaties or access pre-existing ones, binding agreements on a large scale may be hard to reach. States may be drawn to respecting convenient non-binding cybernorms and, should the rule reach a robust enough level of voluntary adherence, in time this could determine the creation of obligatory international cyberlaw. Proof of this is the Convention on Cybercrime of the Council of Europe (hereinafter, Budapest Convention), first and only binding instrument of international cyberlaw on the matter of crimes committed through the Internet and other computer networks that pursues a common criminal policy for the protection of society against cybercrime.
The need for a uniform approach in combating criminal cyber attacks feels particularly urgent in a time like the present, where reliance on information and communication technology is at an all-time high and technology is state-of-the-art. On the one hand, this has brought about huge advantages, such as the chance to replace archives full of printed out documents with digital and online databases, improving efficiency in the workplace, guaranteeing timely communication and removing issues due to physical distance. On the other hand, it has also serious side effects. Alongside a technological evolution society has witnessed developments within the realm of unlawful conducts: information theft, pedophilia and fraud to mention a few. Harmful acts committed through digital means have multiplied quickly, forcing legal systems to address these new behaviors in order to shield interests worthy of protection: first and foremost the right to privacy. This trend has become more and more evident in the past several weeks, during which the pandemic has forced billions of people to adopt a more reclusive way of life and making the dependance between individual and technology even stronger: in the form of necessity for those attempting to maintain a relatively normal professional and social life, and in the form of expedient for those who seek to commit low cost-high risk crimes. Focusing the attention on the defining characteristics of digital technologies, one is able to identify two elements that are absolutely essential to allow the flow of information: firstly, the separation between information and its material storage; secondly, the presence of a data transmission network (i.e. Internet). Illicit actives are no longer rooted in an easily definable location which would otherwise allow for immediate, unilateral action by local authorities. Now more than ever is it imperative to create a comprehensive framework at international and, in our case, European levels to circumvent the problem.
When looking at the most commonly committed offenses, it is evident that the means by which cybercrimes are perpetrated require such a different criminal profile and expertise to what is traditional that the conventional paradigm of crime is not adequate to describe them: it must be updated. In other terms, by radically modifying the vehicle through which the crime is committed (from a personal to an impersonal approach), the negative value of the illicit conduct appears at first glance to be reduced because the offender fails to engage in any physically violent behavior. In reality, in the majority of cases he is endowed with enviable organizational and planning skills that saturate his conduct with even more negative value.
As previously mentioned, legal systems are extremely free in developing personalized notions of cybercrime. Adopting the working definition proposed by the EU Commission, they can be narrowed to criminal acts committed by use of electronic communications networks and information systems, including malicious softwares (so-called malwares) that are some of the most commonly used strategies through which cyber attacks are committed (examples include trojans, file infectors, bot and worms). A recent malware, more specifically a ransomware, is Popcorn Time which operates by encrypting and blocking the computer system and rendering its stored data unreachable. Regardless of the program used, it is important to point out that all of the unlawful conducts that realize most types of cybercrime seem to be characterised by fraud. This fraudulent element will then manifest through more specific, and occasionally more conventional, crimes such as illegal access to information systems, illegal online information leakage, intellectual property crimes, crimes against property and terrorism (so-called cyberterrorism).
Again, the immateriality and borderless nature of cybercrime make it so that it is extremely challenging to prosecute: the perpetrator could physically act in one country but the act could pass through a terminal located abroad, raising issues of competence. Keeping in mind that national legislations are seldom consistent and dual-criminality can be extremely challenging to achieve, establishing the exact location where the crime was committed becomes paramount. Case law on this issue exists in the Eurozone. The Italian Supreme Court (Cass. pen. sez. un. 26/03/2015, n.17325) has expressed its opinion on the matter through an analysis of the constituent elements of illegal access to information systems. It defined the locus commessi delicti as the location in which, by means of a computer or other device used for automatic data processing, and by performing the authentication procedure, the user surpasses the security measures affixed by the proprietor in order to regulate access and protect the database stored in the central system; this criteria further applies scenarios in which the user exceeds the limits of authorized access. In general, for countries part of the European cluster, efforts have been made to implement the spirit of the Budapest Convention, most notably through the NIS Directive. Amongst other aims, this key piece of EU-wide cybersecurity legislation requires competent national authorities to identify businesses qualifiable as “Operators of Essential Services” that are required to implement risk-management schemes and incident reporting measures which should theoretically allow authorities a better response time to identify and react to cybercrimes. This framework appears particularly relevant in light of a pandemic occurring in a technology-driven world, where vulnerability to attacks may prove fatal for businesses and individuals.
Cybercrimes not only involve the personal sphere of individuals as they also affect the business component of society. On the basis of its immateriality, the offense must be perpetrated in a virtual space, not requiring the criminal to engage in any outward physical action unlike traditional violations, thereby facilitating the commission of the crime for those who have the knowledge and intention to do so. In a time where freedom of movement is limited and a considerable percentage of the population finds itself confined to the home, the field of action of cybercriminals is maximized. The month of February marked the end of regular risk management for businesses, particularly for those the bigger, most relevant economic players that fall in the “OES” category. Not only must they respect the obligations that derive from European legislation, but they are required to make further efforts to make their own cybersecurity iron-clad. With the advent of the smart-working era it is no longer sufficient to adopt generic protection softwares for computers in the workplace: it is increasingly important to extend safer protections to home computers because they will experience a surge in activity, for both professional and private use. Of course, with home-bound work comes an increase in seemingly harmless but secretly dangerous videoconferences: this is referred to as Zoom Booming, which has facilitated unauthorized appraisal of information via third-party intrusion in private communications. Furthermore, now that archives have been condensed in digital databases, the risk of information loss and leakage is exponentially higher. For instance, one could imagine the risks of digital information storage for a law firm: dozens of dossiers full of confidential data, paperwork, records and pleadings exposed for the taking by criminals who do not have legitimate access to it. Hypotheticals aside, the risks that come from a higher exposure to cyberattacks are tangible and they occur at an alarming rate. A notable episode is the one that occurred on March 13th where the hospital of Brno, second largest city of the Czech Republic, fell victim to a cyberattack that temporarily hindered essential activities, amongst which were urgent care operations. The Czech Republic is one amongst many: France, the United States and others have suffered at the hands of attacks aimed at their primary social services, particularly hospitals and the healthcare system as a whole. The growing ease in committing cybercrime, compounded with the current state of emergency could prove disastrous for countries, regardless of socio-economic stance. Overall, in order to minimize this ongoing threat, businesses should be aware of the risks that seem to be an unavoidable consequence of smart-working, and be mindful in taking all necessary precautions to control them. On the one hand, this entails adopting or renewing up-to-date policies for regulating remote access to information and communication systems, including authentication systems, control of who enters and exists documents stored in the cloud etc. On the other hand, proper user training must be implemented considering that, alongside State and business compliance with international, European and national obligations, individual responsibility is at the forefront of effective prevention.
Amore, S., Stanca, V., Staro, S. (2006). I crimini informatici. Dottrina, giurisprudenza ed aspetti tecnici delle investigazioni, Halley.
Bartolomucci S., Pandemia cybercrime: prevenzione del rischio di estorsione da sequestro informatico e gestione emergenziale compliant col d.lgs 231/2001 e il regolamento privacy u.e. n. 679/2016, in Rivista231, 01/2018, Retrieved from this link
Battaglia S. (2014). Criminalità informatica al tempo di internet: rapporti tra phishing e riciclaggio, Retrieved from this link
Coco, A., & Dias, T. (2020, March 24). Part I-II-III: Due Diligence and COVID-19: States’ Duties to Prevent and Halt the Coronavirus Outbreak. Retrieved May 24, 2020, from this link
Council of Europe, Convention on Cybercrime, 23 November 2001, available at this link [accessed 24 May 2020]
Delfini F., Finocchiaro G. (2014), Diritto dell’informatica, UTET, Torino.
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
Di Resta F. (03/2020). Come cambierà la nostra società democratica nell’era COVID-19: evitare i modelli asiatici di geolocalizzazione dei ‘cellulari’ per proteggere i nostri dati personali, Diritto24, Retrieved from BancaDati24, http://bd24.ilsole24ore.com
European Crime Prevention Network. Cybercrime: A theoretical overview of the growing digital threat (Publication). Retrieved February, 2016, from this link
Giannantonio, E., (2001). L’oggetto giuridico dei reati informatici, in Cass. pen., fasc.7-8, page. 2029
ISO/IEC 27032 — Information technology — Security techniques — Guidelines for cybersecurity (2012, July). Retrieved from this link
Mačák, K., Gisel, L., & Rodenhäuser, T. (2020, March 30). Cyber Attacks against Hospitals and the COVID-19 Pandemic: How Strong are International Law Protections? Retrieved May 24, 2020, from this link
Mozur, P., Zhong, R., & Krolik, A. (2020, March 1). In Coronavirus Fight, China Gives Citizens a Color Code, With Red Flags. New York Times. Retrieved from this link
Roguski, P. (2020, May 15). A Health Check on International Law ” directions blog. Retrieved May 24, 2020, from this link
United Nations Office on Drugs and Crime (2013), Comprehensive Study on Cybercrime, Vienna, February 2013. Retrieved from this link
Cass., Sez. Un., sent. 26 marzo 2015 (dep. 24 aprile 2015) n. 17325, Pres. Santacroce, Rel. Squassoni. Retrieved from this link