Untangling the web around cybercrime
One of the greatest challenges in dealing with cyber attacks is identifying the initiators or perpetrators.
The boom in global information and communication technologies (ICTs) has led not only to massively increased connectivity, but also to the unprecedented growth of criminality in this environment.
Whether targeting individuals, banks, businesses or institutions, attacks take place through various means. These include the spread of malware and so-called ‘distributed denial of service’ attacks, whereby an online service is made unavailable by overloading it with traffic from multiple sources.
Cybersecurity has never been more relevant, and Africa has kept up with ICT development. Mobile connectivity is also on the increase. At the beginning of this year, mobile penetration in sub-Saharan Africa was 39%.
In June last year, an average of 26.5% of people across the continent had access to the Internet, compared to a global average of 42.3%. These developments, coupled with the complex nature of cyber criminality, have rendered Africa vulnerable to cyber attacks.
One of the greatest challenges in dealing with cyber attacks is identifying the initiators or perpetrators of such crimes, or the ‘attribution’ of an attack to a company, computer, location or individual. Identifying the source of a cyber attack is the critical first step in dealing with an attack or perpetrator.
Cyber attacks are becoming more organised, frequent and extensive, incurring great damage to both state actors and non-state actors. According to a report released by security software company McAfee in June last year, cybercrime costs the global economy more than US$400 billion annually.
The Internet was developed primarily as a communication tool, and it is not always possible to trace back the originator or location of an attack. Attributing an attack is made even more difficult given that the Internet keeps evolving, as do the tools, techniques and strategies used by cyber criminals.
An attack may be launched in one state using the network of another via ‘proxies’. Attribution therefore requires sophisticated digital forensics capabilities. This includes being able to identify the originator’s email addresses, store logs and trace backs. These methods do not guarantee success, however.
Cyber attacks can also be the result of, or have an effect on, international relations. In 2007, Estonia became the target of a significant wave of cyber attacks that disabled the websites of, among others, government ministries (including the presidency), media organisations, banks and private companies. Sources in Estonia accused Russia of being behind the attacks, but Russia denied the claims.
Last year, the Sony Corporation was targeted in an attack attributed to North Korea over the upcoming release of The Interview, which depicted a plot to assassinate North Korean leader Kim Jong-un. Later evidence indicated other possible sources of this attack. These examples illustrate the challenges of attribution, how biases may feature in this process, and how evidence may change over time.
Given the absence of universal guidelines on attribution in cyberspace, the United Nations (UN) International Group of Governmental Experts on ICT created a platform aimed at regulating state action in this regard. This UN initiative is considered an important step towards identifying norms, rules and principles to guide behaviour and cooperation mechanisms in cyberspace.
The group’s work has prompted the recognition that international law, including the principles of the law of state responsibility – which govern when and how a state is held responsible for a breach of an international obligation and what the legal consequences of that violation are – should apply fully to state behaviour in cyberspace.
Africa has taken important steps towards promoting cybersecurity. In 2014, the African Union adopted the Convention on Cybersecurity and Personal Data Protection. At the sub-regional level, a range of instruments has been developed, including the Economic Community of West African States (ECOWAS) Directive 1/08/11 on Fighting Cyber Crime within ECOWAS, the Common Market for Eastern and Southern Africa Cybersecurity Draft Model Bill (2011) and the East African Community Legal Framework for Cyber Laws. There are also ongoing initiatives within the Economic Community of Central African States and the Southern African Development Community.
Many of these frameworks, however, do not provide clear guidelines relating to attribution. Furthermore, many of these instruments are not legally binding, nor have they been coordinated with one another in terms of legal provisions, penalties and international cooperation. These are areas for further development, which should be prioritised in the near future.
At the national level, a handful of African countries have laws on cybersecurity. These include Mauritius, South Africa, Botswana and Zambia. Others, such as Rwanda and Burundi, have specific provisions in their penal codes. However, considering the fast-changing nature of cybercrime, these laws should be reviewed regularly to ensure that they are up to date.
Given the complexities of attribution, the urgency to ensure the capacity to prevent and respond to cyber attacks is clear. A global framework that provides norms and rules for adequate regulation will contribute significantly to enabling attribution. However, this needs to be supported by measures to strengthen the capacity for investigating cyber attacks, including training, enhanced IT security measures, systems for information exchange, effective national laws and regulation, as well as public-private partnerships. Responses that go far beyond conventional intra-state cooperation and agreements are needed.
Jemima Kariri Njeri, Senior Researcher, Transnational Threats and International Crime Division, ISS Pretoria