In 2018, we saw some interesting developments in how law enforcement addressed cybercrime; the FBI named Chinese nationals as part of the APT 10 group and charged suspects in Iran with perpetrating the SamSam Ransomware attacks. ActZero detects when incidents like these occur, responds to them, and enables our clients to recover from them – but we don’t always see whether the intelligence we provide enables law enforcement to remove the threat actors behind these attacks. We reached out to Eliott Behar, legal expert, former security counsel for Apple, and former Crown Attorney in Toronto for his unique perspective. Below, Eliott helps us understand the barriers to justice in cybersecurity incidents and the reasons for them. Note, this is a comprehensive dialog, so you’ll find it a little longer than our typical blog posts.
We’re seeing companies being held accountable across international borders on issues of privacy and proper handling of personally identifiable information. Why is it that laws like GDPR can function across borders, while those dealing with cybercriminals can’t?
We’re at an interesting moment now where business is increasingly multi-national, and huge quantities of information move seamlessly across borders, but the law remains essentially local and domestic. What we call “international law” is in practical terms built as a sort of patchwork overtop of our domestic legal systems. In some ways the GDPR functions across borders, but it really only governs companies that are established in the EU or who process the personal data of people in the EU. In this sense, it’s really just an EU law that has a major global impact, because so many businesses today are multinational and operate by default in a global marketplace.
The real challenge to investigating and prosecuting cybercrime isn’t the law itself – it’s clear enough in most countries that cybercrime is illegal – but our ability to enforce the law across borders. How do you investigate across borders when you don’t have jurisdiction to exercise any legal powers outside of your own country? In other words, how do you search servers, obtain bank records, interview witnesses, freeze assets, or visit locations? The ability to do these things across borders rests largely on agreements between countries, and frequently on the bureaucratic mechanisms that have been created to enable one country to request “Mutual Legal Assistance” from another. Not surprisingly, these tend to be rather slow, bureaucratic processes.
Similarly, if you want to arrest a cybercrime suspect and bring them to trial, you have to deal with the fact that one country doesn’t have the power to arrest a person in another country. There are mechanisms to get around this – in many cases you can extradite someone from one country to another to stand trial. But many countries don’t have extradition treaties in place with each other and, more broadly, not all countries see eye to eye on the question of bringing cybercriminals to justice (particularly when in some cases these attackers may have worked for the state itself).
There is progress being made, and law enforcement agencies have gotten much better at investigating global cybercriminals and bringing them to justice where the will, and the resources, are invested to do so. But it’s important to understand the limitations of the current system in order to move towards something better.
I don’t want to get too deep into the nature of extradition treaties, but could you explain at a high level why nations would not want to be part of one?
There are a number of reasons why countries may not enter into extradition treaties with each other – these can range from trust issues, to simple political indifference, to concerns about fair trials and human rights abuses. Canada doesn’t have an extradition treaty in place with China, for example; although China has long sought a treaty on the basis that it would help to combat international crime, the Canadian government has identified some very real concerns about abuses in the Chinese justice system, including the likelihood of biased trials, the torturing of suspects, and the use of the death penalty for non-violent crimes. It’s worth noting, however, that Canada does nonetheless send significant numbers of people back to China each year by simply deporting them – so there are other options that are often used when the political will is there.
Delivering someone up to face prosecution, jail, or even the death penalty in a foreign country can also trigger sensitivities and lead to controversy. And there are a number of countries that simply forbid extraditing their own citizens to stand trial.
How does this differ from the actions that law enforcement can take against ‘domestic’ cybercriminals?
Domestic law enforcement has the full ability to investigate and prosecute cybercriminals who commit crimes inside their borders, the same way they prosecute any other crime. These investigations and prosecutions, as with any murder investigation, or fraud case, for example, simply come down to the ability to gather evidence and prove the case in court. As long as police can find the suspect, they can arrest and potentially detain him to stand trial.
Where the perpetrator lives in another country, however – or where the crime is committed abroad – things quickly become much more complicated from a legal perspective. As I was explaining before, the police in one country don’t have the power to investigate a crime in another country – they aren’t permitted to gather evidence on the ground there, interview witnesses, execute search warrants, or freeze assets. So, in order to conduct investigations across national borders, countries normally rely on “Mutual Legal Assistance” requests. These are formal legal requests for one country to help another to take the investigative steps it needs. You can likely imagine how much slower, and more complicated, it can be to investigate a criminal case if many of your key investigative steps need to be communicated and approved through bureaucratic government channels. In the case of cybercrime, where criminals frequently (and intentionally) base themselves in different countries and often route their attacks through multiple jurisdictions, investigations can become extremely challenging.
There are, nonetheless, some great examples of law enforcement agencies building large cases across multiple borders and charging international suspects. But this takes a significant amount of effort, dedication, and patience. The result on a practical level is that even for large, capable and well-resourced law enforcement entities like the FBI, a decision has to be made about which cross-border cybercrime to pursue.
How much of a factor is ‘state sponsorship’ in our inability to hold cybercriminals accountable from a legal perspective?
This is a significant problem right now. As most people have come to realize, cybercrime isn’t just committed by individual criminals and criminal syndicates -- it’s also committed, facilitated and funded by certain national governments themselves. From a practical perspective, this can leave law enforcement with little recourse through standard legal channels. You may be able to identify your attacker and pinpoint their precise location based on your on-site investigation – but if that attacker is part of a Chinese military unit, for example -- then what? National governments use cyber-attacks more frequently than most people realize. The Chinese government is known to attack foreign corporations in order to conduct corporate espionage, supplying information to their own companies to give them a competitive advantage. We’ve started to see law enforcement agencies go after these types of attacks more aggressively and more publicly now. This past December, American prosecutors indicted two Chinese nationals linked to hacking attacks on dozens of companies (as well as NASA, the US Navy and the Defence Department), as part of a campaign intended to give Chinese companies a competitive advantage.
There’s little prospect that China will offer these men up for prosecution, but calling them out publicly is important. It may be that the only meaningful sanction for these attacks will come as a political response. As far as future attacks go – and we should expect more, from a range of states – the rest of the global community will need to be prepared to draw a line in the sand and meaningfully enforce it.
What actions can (company) victims of cyber-attacks take when it comes to reporting, if the attacker is in another country? Will a report to local law enforcement “make it” to the country where the hacker resides?
There’s definitely a lot to say about the best ways for companies to work with law enforcement. But generally speaking, your domestic law enforcement is the best place to start. That doesn’t necessarily mean that the case will ultimately be investigated and prosecuted where the attacker resides, but there are a range of considerations to think about. Cyber attacks are often part of a larger pattern, and law enforcement may have very helpful information about similar attacks on other companies – not just about the identity of the attackers but on their modus operandi, the data they’re most interested in, and what they’re likely to do with it. Local law enforcement can, and should, be a good partner to enable communications and investigations in other jurisdictions. But in cases where local law enforcement is not responsive, or is unwilling to run with a particular case or engage other partners, there are often other avenues to pursue.
Given the anonymity of one’s actions on the internet, coupled with the anonymity that cryptocurrencies afford, is the FBI’s strategy of targeting the people who enable the conversion of cryptocurrency to traditional currency the right way to get at cybercriminals?
I think we can look at these strategies along the lines of the ways law enforcement tackles any ecosystem of crime. You can try to detect and identify the perpetrators as they commit a particular crime – be that cybercrime, drug trafficking, human smuggling, etc – but you can also investigate the money, the financing, and the network and infrastructure behind that crime. A comprehensive law-enforcement strategy is smart – and is especially necessary when you’re dealing with criminal syndicates and large-scale enterprises. Of course, these investigations may in some cases become overbroad or overly aggressive, and that needs to be monitored. But cyber attacks are often part of a much broader ecosystem of crime, and the better these ecosystems can be understood, mapped, and taken apart, the more effective the policing of individual attacks will be.
How much of our problem with prosecuting cybercriminals is owing to their anonymity, rather than their inaccessibility?
It’s not uncommon for many cybercriminals to simply get away with it and remain anonymous, unfortunately, particularly where they keep their operations fairly small. But I think this anonymity is often related to the general challenges law enforcement faces in investigating and prosecuting them. If you don’t feel like the person or organization will ultimately be brought to justice anyway, you’re less likely to invest effort and resources into the investigation. Cybercrime investigations often come down to questions about resource allocation and the willingness to do the work of investigating and prosecuting.
We hope our you appreciate this understanding of the constraints and practical motivations of legal teams and law enforcement, just some of the many parties involved in protecting your business. We are grateful to Eliott for his insight, and hope that those reading are as optimistic as we are at the improvements in this area of combating cybercriminals. This exchange is part of ActZero Networks' “Protection Takes a Village” theme in 2019. If you want to detect and respond to the threats that warrant these legal considerations, talk to one of our experts today about our turnkey Managed Detection and Response Service.
Eliott Behar is a lawyer and consultant who works in the areas of security, data privacy and new technology. He served as Security Counsel for Apple, advising the company on issues at the intersection of global security and privacy and handling cybercrime, data breaches, internal investigations, and the theft of intellectual property. Prior to joining Apple, he spent ten years as a Crown Attorney in Toronto, prosecuting high-level trials and appeals and working in specialized units dealing with hate crimes, police violence, and international cooperation. From 2008-2010 he worked as a war crimes prosecutor for the United Nations, based in The Hague.