1. Introduction

2. Preparatory work

3. Having been appointed rapporteur by the Committee on Culture, Science, Education and Media on 4 December 2013, I participated in the European Dialogue on Internet Governance (EuroDIG) in Berlin on 12 and 13 June 2014. On 16 and 17 April 2015, I participated in the Global Conference on Cyber Space 2015, which was organised in The Hague and launched the Global Forum on Cyber Expertise on cybersecurity, cybercrime, data protection and e-governance.

3. Background

6. The 2013 Norton Report, observing a sample of 24 countries around the world, found the scale of consumer cybercrime to be above 1 million victims daily, with an estimated overall global cost of US$113 billion annually. These numbers are modest when compared to the McAfee Net Losses Study issued in June 2014. Here, the security software company evaluated the global cost of cybercrime to be US$400 billion per year, with a total of 800 million victims in 2013 alone. These figures have to be treated with caution, since the methods of calculation are unclear and reports on cybercrime are often influenced by private interests of security companies that benefit from them. Nevertheless, there is consensus that cybercrime is growing and becoming more profitable on a global scale. A growing national security concern is that cyberterrorist attacks become more prevalent and sophisticated, and that cyberterrorists make use of large-scale attacks to target critical services and infrastructure. To ascertain the regulatory issues related to this particular issue, it is necessary first to define cybercrime, cyberterrorism and the implications of large-scale attacks.

3.1. Cybercrime

7. The misuse of computer networks for illegal purposes has given rise to a particular criminal domain, generally referred to as cybercrime. Offences committed in cyberspace, however, can take various forms, as computers can be both target and means of criminal offences. Initial typologies on cybercrime identified three categories of offences:

• computers as instruments of an offence (computer-assisted crimes);
• computers as targets of malicious activity (computer-integrity crimes or cybercrime sensu stricto);
• computers as the environment for committing an offence (computer-related crimes).

3.2. Cyber terrorism

3.3. Large-scale attacks and botnets

13. The term botnet is the shorten version of “roBOT NETwork”, meaning a collection of machines (zombies) infected by a partially autonomous piece of software that can be controlled remotely (bot) by a botmaster, who manages the Command-and-Control server (C&C). Examples of unlawful use of botnets include click fraud, DDoS attacks, keylogging (intercepting keyboard strokes to capture personal or financial data), warez (unlawfully distributing copyrighted works) and spam.

14. But the traditional definition of botnet with infected machines controlled by a botmaster no longer reflects the stage of sophistication and complexity of modern botnets. A more contemporary definition of botnet is one of a network of bots or “advanced malicious software that often incorporate one or more forms of viruses, worms, Trojan horses and rootkits for propagation and hostile integration into a foreign system, providing the functionality of the compromised system to the attacker as they connect back to a central server or other infected machines”. While centralised botnets continue to be used, more and more botnets distribute communication protocols via decentralised structures, increasing their resilience by avoiding a single point of failure. Current forms of sophisticated botnets are structured via peer-to-peer networks (p2p botnets) where there is no single C&C controlling the activity, but infected systems performing dual zombie and C&C functions. Other creative forms of botnets have taken the form of Botclouds, in which attacks are launched via cloud services, turning cloud computing into attack vectors. If on the one hand cloud computing has brought several useful functionalities, they have also been largely fertile for botnet activities. Botclouds do not require attackers to spend much effort in spreading the bot: they can be set up on demand, on a large-scale and at low cost. Furthermore, they do not rely on owners’ activities: botclouds are permanently online and free from interruption.

15. The combination of botnet capabilities and large-scale attacks meets few technical obstacles. As noted by the United Nations Working Group on Countering the Use of the Internet for Terrorist Purposes, critical information infrastructures, such as the energy sector, water supply, telecommunication networks, public administration, transport, health care and banking, are attractive targets for powerful and widely harmful attacks. This threatening scenario calls for an efficient and proportionate framework for countering large-scale cyberattacks.

3.4. The international regulatory landscape

4. Legislative approaches

4.1. Substantive law

4.1.1. Scale as an aggravating circumstance of a cybercrime

23. EU Directive 2013/40/EU on attacks against information systems could serve as an example of the approximation of criminal law by establishing higher penalties for aggravating circumstances. With respect to the earlier Framework Decision 2005/222/JHA on attacks against information systems, the Directive established higher penalties in general, providing for aggravating circumstances in particular for the offences of illegal system interference and illegal data interference. According to Article 9.3 of the directive, illegal system or data interference should have a maximum penalty of at least three years’ imprisonment if the crime was committed using a botnet. Article 9.4 of the directive stipulates that maximum penalties for illegal system or data interference have to be at least five years’ imprisonment if they were committed within a criminal organisation, if they cause serious damage or if they are committed against computers belonging to a critical infrastructure.

24. These new provisions in Directive 2013/40/EU are a good example of supranational initiatives against large-scale attacks. Nevertheless, limiting the aggravating circumstance only to illegal system inference and illegal data interference implies that not all botnet-enabled cybercrimes face an increased penalty. For instance, in a keylogging scheme the bots listen to victims’ activities looking for particular pieces of personal data, such as passwords and bank account information. Keylogging surveillance gains access to data but does not necessarily amount to system or data interference and is arguably out of the scope of the aggravating circumstances of Articles 9.3 and 9.4 of Directive 2013/40/EU. Nevertheless, through their automated nature, also the use of botnets to commit illegal access or illegal interception constitutes cybercrime on a large scale, and this type of crime could also be considered a large-scale attack on information systems. Since botnets can be used for many different purposes and stages of criminal offences, one could consider stipulating botnet use for large-scale attacks as an aggravating circumstance, incurring a higher penalty, more generally than only in relation to illegal system or data interference.

4.1.2. Serious consequences as an aggravating circumstance of a cybercrime

27. Another argument should also be taken into account in the approach to stipulating “serious damage” as an aggravating circumstance. The Internet of Things is coming closer to being a reality: a world in which not only computers and smartphones, but also a variety of things are connected to the Internet: domestic appliances such as a fridge, washing machine, television, and the thermostat, as well as cars and devices monitoring, for example environmental conditions, infrastructural operations or industrial applications. Most of these devices will not be part of the basic catalogues of critical infrastructure, but attacks on these devices can cause serious malfunctioning and therewith serious damage, not only to the device itself, but also to its environment and the people therein (think of malware infecting a smart car that allows a perpetrator to remotely take over control of the car navigation). In addition, although we are nowhere near an “Internet of people” as yet, humans are also becoming more wired, with smart devices monitoring body functions and with various human implants, ranging from pacemakers and cochlear implants to bionic limbs connected to the nervous system and brain implants. These implants make also humans vulnerable to cyberattacks, and although these would not (necessarily) be large-scale attacks, they can definitely cause serious damage. And since remote attacks on things in people’s near environment as well as on humans themselves could seem particularly frightening to many people, they might become primary instruments for cyberterrorists once the Internet of Things and human implants become more common. Although the attacks are in principle sufficiently criminalised under Convention No. 185, as this gives a comprehensive conceptual list of possible types of attacks on information systems, the one-size-fits-all approach in Articles 2-6 of Convention No. 185 may not do justice to the variety of attacks in a world where everything is connected, and where attacks significantly differ in character from traditional attacks on old-fashioned computers. Providing for aggravating circumstances for cybercrimes causing serious damages could be one fruitful way of responding to new threats posed by cyberattacks, be they large-scale attacks, attacks on critical infrastructure or attacks on vulnerable cyber-connected things or people.

4.2. Procedural law

4.2.1. Implementation of the procedural provisions of Convention No. 185

29. Convention No. 185 has a fairly comprehensive catalogue of investigation powers that member States should enable through their legislation. The conceptually most important powers – production order (Article 18), search and seizure (Article 19) and investigation of telecommunications (Articles 20-21) – are included, alongside important, low-threshold, ancillary powers for expedited preservation of data that are vulnerable to loss (Articles 17). Generally speaking, the convention’s Parties have implemented in national law the substantive legal provisions of Convention No. 185 more systematically and comprehensively than the procedural provisions. For example, the power to conduct a network search regulated in Article 19.2 – an extension of a search in situ to search computer data remotely stored in the searching authority’s territory that are lawfully accessible from the premises being searched – is explicitly regulated in the laws of, for example, Germany (Article 110.3 German Code of Criminal Procedure), the Netherlands (Article 125.j Dutch Code of Criminal Procedure) and the United Kingdom (Article 20 Police and Criminal Evidence Act 1984), but no equivalent explicit provision can be found in the laws of, for example, Bulgaria, Croatia, Italy or Slovenia. Interestingly, the Philippines, which is not a party to Convention No. 185 but has used it as a model law, has implemented Articles 19.1, 19.3 and 19.4 of the Convention almost verbatim in Section 15 of its Cybercrime Prevention Act, but has not transposed Article 19.2). We think it would be useful to have a comprehensive survey of the implementation of Section 2 (Procedural law) in Parties’ national laws, in order to identify whether the implementation of Convention No. 185 indeed shows significant gaps and deficiencies, and if so, to analyse the reasons underlying this insufficient implementation.

4.2.2. Streamlining mutual assistance

31. It could be considered whether stronger legal measures might help; for instance, introducing maximum response times for responding to mutual assistance requests. But the obstacles in expeditious mutual assistance procedures are presumably more organisational in nature, and policy measures to stimulate investing in resources to handle mutual assistance requests, raising awareness of the importance for the overall fight against cybercrime of expeditiously meeting such requests, and perhaps giving clear guidelines on how national authorities can set priorities, given limited resources, in dealing with such requests, might be better suited than legislative obligations that will remain a dead letter without adequate resources or mindsets with practitioners who would have to fulfil these obligations. Given that the challenge of adequate mutual legal assistance has been recognised for a long time but that procedures, as far as we are aware, are still insufficiently speedy, further research could be undertaken to understand the particular reasons underlying the problem and to come up with innovative ways to address it.

4.2.3. Cross-border access to data

5. Non-legal measures

5.1. Capacity building

36. The Council of Europe has supported several law-enforcement training and capacity-building activities in the field of cybercrime. From 2006 to 2011, the Global Cybercrime Project (Phase 1) reached several countries worldwide, carrying out more than 110 activities aimed at strengthening criminal justice and improving implementation and co-operation at the level of Convention No. 185. Capacity-building programmes offer law enforcement and other relevant stakeholders the chance to improve their knowledge and upgrade their techniques, by coming into contact with other experts and bringing together officials from different jurisdictions. Large-scale cyberattacks are not the usual type of cybercrime and require law enforcement to be well-trained and equipped to deal with organised or politically motivated criminals and modern malware dissemination techniques. This also implies an increased need for co-operation, as the very characteristics of large-scale attacks will almost always result in cross-border infections. The relevance of capacity building for advancing cybercrime capabilities and resilience has been part of the cybersecurity agenda of many countries and is now part of the programme of the Cyber Security Strategy of the European Union.

37. Nevertheless, we could not identify specific training programmes targeting cyberterrorism or large-scale attacks at the Council of Europe level, which shows the need to foster dedicated training in this area. Due to the particular risks surrounding this potential threat and the scale of its consequences, capacity-building activities on large-scale cyberattacks are of utmost importance. There is potential room for the Council of Europe, in light of its tradition and history of advancing the rule of law, to launch a specific programme on large-scale cyberattacks and the use of botnets, with emphasis on the protection of critical infrastructure, Internet of Things and cloud computing, and include the issue in related sessions and workshops in cybercrime and counter-terrorism initiatives.

5.2. Public–Private Partnerships

38. Public–private partnerships (PPP) against cybercrime are growing as they bring together different stakeholders from the public and private sectors, pooling information and expertise about threats and enabling better strategies against cybercrime. The private sector cannot be left out in the fight against cybercrime since companies involved in the Internet infrastructure and various Internet services are in the best position to, for instance, identify the launch of a DDoS attack or recognise malicious use of their infrastructure. In addition, IT security companies with their long-standing expertise are the most capable actors to further analyse data about infections and better understand the characteristics of threats, and they could incentivise research and development of improved security tools against vulnerabilities. All in all, an efficient framework targeting large-scale cyberattacks requires the existence of a solid and highly knowledgeable multi-stakeholder collaborative network. While we are not aware of any specific PPPs against large-scale cyberattacks, there are various examples of PPPs against cybercrime as well as against terrorism, including dedicated PPPs against botnets.

6. Tilting the perspective

7. Conclusion

Council of Europe

1. The Council of Europe Convention on Cybercrime (ETS No. 185), widely known as the “Cybercrime Convention” (hereinafter “Convention No. 185”), presented four categories of cybercrime offences, namely: 1) offences against the confidentiality, integrity and availability of computer data and systems; 2) computer-related offences; 3) content-related offences, namely child pornography (supplemented by the Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems, ETS No. 189); and 4) offences related to infringements of copyright and related rights. As clarified by the explanatory report to Convention No. 185, the substantive law provisions are aimed at harmonising domestic laws by establishing minimum common standards on cybercrime. Member States and other Parties to the convention were given discretion to build upon these minimum standards and expand the range in national cybercrime law. In fact, Convention No. 185 has been used as a model law, with several signatories opting for a broader and more comprehensive domestic approach to cybercrime, as can be seen, for instance, in the criminal codes of Germany, Switzerland and the United States.

2. Furthermore, the Council of Europe Convention on the Prevention of Terrorism (CETS No. 196) (hereinafter “Convention No. 196”) adopted a broad regulatory scope without providing a specific definition of the term terrorism. As a consequence, this definition must be found in the instruments listed in the Appendix to the treaty. Nevertheless, even the instruments listed in the Appendix fail to provide a comprehensive and internationally accepted definition of terrorism, which has been mostly left at State discretion at domestic level.

3. The Council of Europe has identified cyberterrorism and use of the Internet for terrorist purposes as priority focus areas. In fact, they have been included in the agenda of the Committee of Experts on Terrorism (CODEXTER) since 2006. The Council of Europe expert report on “Cyberterrorism – the use of the Internet for terrorist purposes” highlighted three potential uses of information systems by terrorists, in line with the typology used in Convention No. 185: a) online attacks targeting critical infrastructures and human life; b) dissemination of terrorist-related content (presentation of terrorist views, propaganda and threats, recruitment and training, fundraising and financing); and c) other logistical uses of information systems by terrorists (online communication and target analysis). As noted, a terrorist cyberoffence may be difficult to recognise as such, since this conduct will almost inevitably also constitute a cybercrime offence under Convention No. 185, with the implications discussed above.

4. The achievements of the Council of Europe and Conventions Nos. 185 and 196 in shaping the response to cybercrime and terrorism are undeniable. However, since the launch of Conventions Nos. 185 and 196, crybercrime has evolved significantly. New forms of crime have appeared and old forms have become more elaborate. In that light, the question arises whether criminal activities such as botnets and large-scale cyberattacks are currently sufficiently covered by Convention No. 185. Additionally, criminal procedural law issues impose severe obstacles on the investigation and prosecution of these offences, particularly in the context of cross-border networks. Also, no specific provision on the protection of critical infrastructures can be found in the Council of Europe regulatory framework on terrorism or cybercrime.

European Union

5. The 2004 European Union Communication on Critical Infrastructure Protection (CIP) in the fight against terrorism demonstrated regional concerns on the potential terrorist use of information systems against critical infrastructures. The Communication refers to how cyber and physical attacks can be combined to interrupt the functioning of critical infrastructure, with substantial damage to society. As highlighted by the Communication, EU member States’ critical infrastructures are increasingly dependent on information systems and on each other. This technological dependency has made critical infrastructure more vulnerable to interference, disruption and destruction, and infrastructure interdependency has raised concerns of cascade failures. The EU Counter-Terrorism Strategy has listed the development of a common approach to detect and tackle problem behaviour, in particular the misuse of the Internet, as key priority in the prevention of terrorism. The Communication on CIP in the fight against terrorism resulted in the European Programme for Critical Infrastructure Protection (EPCIP) in 2006, ultimately leading to the adoption of Directive 2008/114/EC, which made countering terrorist threats a priority.

6. More recently the Cyber Security Strategy of the European Union published in 2013 highlighted the need to improve tools and instruments to fight cyberterrorist activities. Following the efforts to strengthen cybersecurity in the European Union, a proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union (hereinafter “NIS Directive”) was launched, and shortly after the Directive 2013/40/EU on attacks against information systems was adopted. Moreover, the cybersecurity regulatory framework of the European Union has given mandate to Europol and particularly its European Cybercrime Centre (EC3) as well as to the European Union Agency for Network and Information Security (ENISA) to act on improving prevention, resilience and response to cybercrime. In December 2013, Europol and the Federal Bureau of Investigation (FBI) of the United States partnered with industry and national law-enforcement agencies in a consortium that led to the disruption of the ZeroAccess botnet, estimated to have infected 2 million systems around the world.

7. The original text of the proposed NIS Directive promotes an enhanced framework in case incidents against information systems are linked to cyberespionage or State-sponsored attacks, or if they have national security implications. In this scenario, early warning mechanisms will allow national security and defence authorities to timely inform relevant stakeholders about the threat so as to enable risk and crisis management and appropriate responses. Furthermore, the Directive 2013/40/EU on attacks against information systems (the so-called Botnet Directive) introduced the concept of large-scale attacks, criminalising the unlawful use of bots and increasing sanctions for specific offences committed through botnets. Directive 2013/40/EU used double criteria to classify large-scale attacks based on size and impact on the targeted system. Under Directive 2013/40/EU a large-scale attack is thus either an attack conveyed by several devices or one that causes substantial economic damage. In both cases, a specific minimum number of devices or minimum amount of economic loss has not been established, leaving the legal text open for interpretation in concrete cases. In short, Directive 2013/40/EU is an innovative instrument in the fight against large-scale attacks for enabling adequate sanctioning against powerful large-scale cyberattacks.

8. In addition, the EU Convention of 29 May 2000 on Mutual Assistance in Criminal Matters between Member States of the European Union provides a legal basis for law-enforcement co-operation across borders within the European Union.

International Criminal Police Organisation (INTERPOL)

9. The International Criminal Police Organisation is the world’s largest police organisation, with 190 members around the globe, actively working against cybercrime and terrorism. INTERPOL and the United Nations have a long history of co-operation in law enforcement and many international instruments enacted by the latter encourage member States to seek collaboration with INTERPOL to ensure the rule of law. INTERPOL’s role in combating cybercrime focuses on harmonisation, capacity building and operational and forensic support. Here the INTERPOL High-Tech Crime Unit acts through global and regional cybercrime expert group meetings and training workshops, co-operating with law enforcement, industry and academia, and assisting members in cases of attacks and requests for co-operation. In the area of terrorism, INTERPOL collects, stores, analyses and exchanges data about potential terrorist activities with member countries and other international organisations.

10. While INTERPOL is not a forum for creating binding international legislation on crime, in 2005 the organisation enacted Resolution AG-2005-RES-10, urging member States to, inter alia, introduce national contact points within law-enforcement agencies to facilitate the rapid exchange of information, to take part in international investigations, and to increase the exchange of information about international terrorist networks and their enabling methodologies, including information on the use of the Internet to support criminal activity.

North Atlantic Treaty Organisation (NATO)

11. The North Atlantic Treaty Organisation (is an international military organisation that has been actively involved in countering terrorism and in the areas of cyberdefence and cyberwarfare. NATO’s Strategic Concepts target cyberterrorism and the protection of critical infrastructure and demonstrate the organisation’s efforts in furthering prevention, detection and defence against cyberattacks and international terrorism. To this end, NATO offers workshops and capacity training on cyberterrorism for member States. In 2013, NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) published the Tallinn Manual on the International Law Applicable to Cyber Warfare. The Tallinn Manual revisits the existing international humanitarian law to define its particular application to conflicts in cyberspace; it is today the most solid guide in cyberwarfare and a good example of how organisations can improve the rule of law without necessarily engaging into creating new legislation.

Organisation for Economic Co-operation and Development (OECD)

12. The Organisation for Economic Co-operation and Development is not particularly involved in countering crime and terrorism, but is mostly involved in the area of economic growth, social development and environmental challenges. Nevertheless, the OECD acts as an observer in the Cybercrime Convention Committee (T-CY) of the Council of Europe and has joined efforts in the field of cybersecurity. It has launched Guidelines for the Security of Information Systems and Networks. In 2012, the OECD published “Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy”. In this document, the organisation features the use of the Internet for terrorist purposes, as an example of how sources, motivations, nature, organisation and sophistication of threats are quickly evolving.

United Nations

13. Key resolutions enacted by the United Nations Security Council have brought States’ attention to cyberterrorist threats (Resolutions 1373/2001 and 1566/2004). In particular, Resolution 1624/2005 condemned use of the Internet for terrorism justification and glorification, calling on States to prohibit by law and prevent incitement to commit a terrorist act or acts. Other United Nations instruments stressing the need for improved measures against cyberterrorism include Security Council Resolution 1963/2010 and the Secretary General’s 2006 report to the General Assembly entitled “Uniting against terrorism: recommendations for a global counter-terrorism strategy”. The report specifically emphasises the need to ensure promotion of the rule of law, respect for human rights and effective criminal justice systems.

14. The United Nations has also joined efforts in forming a co-operative network between its agencies and other important international organisations and international actors. The Counter-Terrorism Implementation Task Force (CTITF) co-ordination framework harmonises United Nations efforts on the fight against terrorism, supporting the implementation of the UN Global Counter-Terrorism Strategy, adopted by the United Nations General Assembly in September 2006 (A/RES/60/288). Acknowledging the threat posed by terrorist use of the Internet (Section II, paragraph 12 of the Strategy), States pledged: “To work with the United Nations with due regard to confidentiality, respecting human rights and in compliance with other obligations under international law, to explore ways and means to: (a) Coordinate efforts at the international and regional levels to counter terrorism in all its forms and manifestations on the Internet; (b) Use the Internet as a tool for countering the spread of terrorism, while recognizing that States may require assistance in this regard.” As described, the Strategy acknowledged the dual role of the Internet as both a means of spreading terrorist manifestations as well as for countering its dissemination.

15. The CTITF created eight working groups, focused on the main counter-terrorism areas, which included setting up a Working Group on Countering the Use of the Internet for Terrorist Purposes. The mandate of this particular Working Group includes identifying and bringing together stakeholders and partners on the issue of abuse of the Internet for terrorist purposes, such as through radicalisation, recruitment, training, operational planning, fundraising and other means. In 2011, the Working Group published an overview of the challenges, best practices and recommendations on legal and technical aspects. In this particular report, the Working Group found botnets a special reason for concern. In the opinion of the Working Group, botnets can be used to commit powerful attacks, such as the one launched against Estonia in 2007. The Working Group considered that several procedural law issues had hampered the investigation of the Estonian case. This was due to a lack of effective instruments that could enable the quick collection of evidence and to the limitation of procedural instruments to specific communications. This hampered the analysis of the botnet communications, as they are not necessarily established between the infected device and the command-and-control centre. The final recommendations and conclusions of the report were:

• Importance of ensuring protection of fundamental rights – States’ responsibility to respect and protect human rights, and in this particular context the right to privacy, may not be overridden by the need for public safety and national security. Rather a balance between the counter-measures and techniques against cyberterrorism and the right to privacy must be ensured;
• Key role of public–private partnerships (PPPs) – as telecommunications infrastructures and information systems are manufactured, owned or distributed by the private sector, and given private-sector expertise in fighting cyberthreats, creating networks of co-operation between public authorities and business is of utmost relevance. PPPs have the potential to bring together expertise from different sectors and share critical information about cybercrime to improve prevention, resilience and disinfection of information systems;
• Multi-pronged approach – as legal and technical measures have limited effectiveness in themselves, a holistic approach to tackling cyberterrorism in all its sources must include awareness programmes to educate citizens and discredit terrorist organisations.

16. As described above, counter-terrorism efforts led by the United Nations are managed at the level of the CTITF. Nevertheless, other UN agencies have played an important role in strengthening policy on cyberterrorism-related issues. The United Nations Offices on Drugs and Crime (UNODC) and the International Telecommunication Union (ITU) participate in the CTITF and are active contributors to policy and high-level discussions on issues related to cybersecurity and cybercrime.