Multistakeholder approach to Internet governance: a collaborative effort combating illegal internet activities.

• Author: Fanno, Andrew G.

1. INTRODUCTION

   A three week long cyber attacking spree against Estonia began in April of 2007 and is considered the first cyber-attack against a state and subsequently entitled "Web War l." (1) As a result, Estonia suffered denial-of-service attacks on various government websites including the "Estonian president and its parliament, the country's government ministries, political parties, three of the country's six largest news organisations, and two of the biggest banks and firms specializing in communications." (2) These attacks left the heavily Internet based government of Estonia virtually crippled and in disarray. (3)

   Cyber-attacks pose catastrophic threats to multiplefacets of society including governments, private companies, organizations, and private individuals. (4) Continuous attacks occur daily and create enormous economic burdens. (5) Efforts are ongoing within the international community to formulate plans on how to best combat cybercrime. (6) The Council of Europe's Cybercrime Convention (Convention), instituted in an attempt to unite the international community, requires that participating countries establish criminal laws prohibiting certain Internet activities. (7) Alternatively, critics advocate that the Internet would be better served by implementing a multistakeholder approach to governance and protection. (8) A multistakeholder approach involves various organizations with disparate economic and social interests or representatives of civil society collaborating to combat cybercrime. (9) A major issue of contention within the international community is whether governments or multiple stakeholders should control the Internet. (10)

   This note will demonstrate the reality and severities of the threats posed by cyber-attacks, and examine both the governmental and multistakeholder approach to governing the Internet and the complications each method presents. (11) Part II of this note discusses the current regulations, treaties, conventions and laws governing the Internet. (12) Part III of this note focuses on the circumstantial events creating the current demand for Internet governance and the newest legal attempts to stifle the escalating effects of cybercrime. (13) Part IV of this note analyzes the current and alternative methods of governing the Internet. (14) Finally, Part V posits that the international community will benefit from a continued albeit strengthened multistakeholder approach to governance over the Internet. (15)

2. FACTS

   "Are we losing the battle against cybercrime?" (16) Governments, organizations and individuals continue to scramble to protect themselves against cybercrime. (17) The annual cost of cybercrime continues to rise. (18) Independently, governments struggle to combat cybercrime absent additional outside resources and assistance. (19) The Council of Europe's Convention on Cybercrime set out to establish a multistakeholder approach toward Internet governance to jointly combat cybercrime. (20)

   1. The Council of Europe's Convention on Cybercrime

      The Convention consists of four chapters. (21) Chapter I defines terms for the purposes of the Convention. (22) Chapter II sets forth the substantive and procedural law to be implemented at the domestic level. (23) Chapter III discusses the scope of international cooperation. (24) Finally, Chapter IV ends with final provisions. (25) In general, the Convention aspires to harmonize domestic substantive law in the area of cybercrime while establishing uniform domestic procedural law to facilitate the investigation and prosecution of computer related offenses through a fast and effective regime of international co-operation. (26) A critical examination of Chapters II and III will provide a background and illuminate the inadequacies of the Convention. (27)

      1. Convention Members Agree on Substantive Measures

         The substantive section of Chapter II of the Convention describes the criminalization of nine offenses grouped in four different categories. (28) Articles 2-6 aim to protect and preserve electronically stored computer information for the integrity of all types of data. (29) Articles 7-8 seek to extend criminalization for ordinary crimes frequently committed via computer systems, taking into consideration previously enacted domestic statutes addressing such violations when contemplating implementation of said Articles. (30) Title 3, encompassing Article 9, is the only human rights provision in the Convention that addresses the crime of child pornography. (31) Article 10, a main focal point at the Convention's inception, focuses on infringements of intellectual property. (32) Articles 11-13 define offenses of attempt, aiding and abetting, and corporate liability and provide the appropriate sanctions and measures each party should adopt. (33) All offenses, with the exception of intellectual property infringement, require unlawful intent for criminal liability to apply. (34) In addition, Articles 2-9 provide that the offense must be committed "without right." (35)

      2. Scope of Procedural Provisions

         Section 2 of Chapter 2 of the Convention sets forth the minimum procedural powers to be taken by member states. (36) This section encompasses a broad scope in that it applies to offenses defined in Section 1 and additionally, any offense committed by means of a computer or evidence which is in electronic form. (37) One of the two exceptions to the scope of the procedural powers is provided in Article 21 and relates to the interception of content data. (38) Article 16 details the procedures necessary to expedite preservation of stored computer data for the purpose of data retention. (39) Production orders, as articulated in Article 18, permit law enforcement authorities in states to not only require that residents turn over requested computer data, but also force service providers in certain areas to relinquish pertinent information on subscribers. (40) Article 19 expands the traditional procedures of search and seizure to adapt powers relevant for computer data. (41) Articles 20 and 21 relate to the real time collection and interception of traffic data. (42) Finally, Article 22 establishes the jurisdictional authority over the offenses enumerated in Articles 2-11 of the Convention. (43)

      3. International Cooperation

         Chapter III of the Convention begins with a general provision introduced in Article 23 that requires states to cooperate with each other "to the widest extent possible." (44) The treaty also extends international cooperation to all criminal offenses enumerated in the treaty as well as to the collection of any criminal evidence in electronic form. (45) However, this provision does not supersede provisions of preexisting international agreements on mutual legal assistance and extradition or domestic laws. (46) Articles 29 through 34 set forth mutual assistance mechanisms for specific instances. (47) The final article in this chapter, Article 35, attempts to establish a 24/7 network to facilitate communications between member states. (48)

   2. Private Industry

      In an attempt to ensure their own security, private organizations are contributing to further the cybercrime prevention agenda. (49) It is very difficult to stop cybercrime all together, but there are steps to effectively minimize the effect of an attack. (50) Companies can secure themselves with various tools that are designed to combat these specific threats. (51) Education is also essential in the process to combat cybercrime. (52) Organizations have not been powerless to attacks. (53) Organizational efforts have been paramount in the successful take down of some of the largest cybercrime syndicates. (54)

      A successful private industry takedown commenced in March 2010 when authorities took down Butterfly/Mariposa, resulting in the arrest of one developer and five associates. (55) The botnet affected more than 12 million PCs, half of which belonged to Fortune 1000 companies and over forty banks. (56) Several months later, in September of 2010, organizational task forces dismantled the Zeus/Zbot network, responsible for over USD3 million in transferred money from a combination of corporate and individual victims, with thirty-six transfers greater than USD860,000, and authorities charged eleven Eastern Europeans and seventy-three money mules worldwide with cybercrime violations. (57) In October 2010, an operation earning USD139,000 in spam rentals known as Bredolab was disrupted by The Dutch High Tech Crime Unit, resulting in the arrest of one Armenian man. (58) Despite making no arrests, in November of 2010 U.K. Internet Service Provider Coreix unplugged access to Koobface command servers and subsequently it was taken offline several times. (59) A collaborative effort between the Microsoft Digital Crime Unit and the U.S. government led to a takedown of the Kelihos botnet in September 2011, resulting in the prosecution of its operators and elimination of nearly 40,000 bots. (60)

3. History

   1. Scope of Cybercrime

      Unfortunately, the openness and anonymity of the Internet fosters widespread illicit activity on the Internet, referred to as cybercrime. (61) Cybercrime encompasses a broad range of crimes. (62) First there are crimes against computer systems. (63) The second category of cybercrime includes traditional crimes committed via computer networks. (64) The last type of cybercrime includes illegal content published electronically. (65)

      1. Crimes Against Computer Systems

         Cybercriminals target Governments, companies, and information technology infrastructures such as power plants and electrical grids, disabling the entities computer systems and leaving their victims offline. (66) Denial of service [DoS] attacks are a common approach perpetrators use to facilitate their crimes. (67) A distributed denial of service [DDos] attack is a more sophisticated version of a DoS attack. (68) DDoS attacks can now be executed through the complex means of what is referred to as botnets...