Responding internationally

International cybercrime — attacks on mission-critical government or private

computers from across national boundaries — is an increasing threat. Can

governments respond?

Self-protection through strong secur-ity tools and practices remains

the principal defense. Ultimately, however, governments must address the

investigation of cybercrimes and the prosecution of criminals. Most countries

recognize the need to update their laws to fight crimes committed in cyberspace.

But countries today mostly are in the same boat that the Philippines was

in after the "love bug" struck in May — they have no effective legal tools

to prosecute cybercriminals. As with many issues, it often takes a crisis

to precipitate action. In June, the Philippines outlawed most computer crimes

as part of a comprehensive e-commerce statute.

To prosecute crimes across national borders, an act must be a crime

in both jurisdictions. Thus, though local legal traditions must be respected,

nations must define cybercrimes similarly. One approach to encourage such

harmony is to develop a model law that can be adapted to local conditions.

Such an effort is underway in the Council of Europe (COE).

The COE, Europe's oldest political organization, has created model laws

and treaties covering human rights, education and the environment. Its Draft

Convention on Cyber Crime was crafted by law enforcement officials from

Europe, the United States and Japan.

The convention will address a range of cybercrimes, including illegal

access, illegal interception, data interference, system interference, computer-related

forgery, computer-related fraud, and the aiding and abetting of these crimes.

It also tackles investigational matters related to jurisdiction, extradition,

the interception of communications, and the production and preservation

of data. And it sets minimum standards for penalties.

As with most cybersecurity initiatives, the COE's framework is controversial.

The computer industry argues that it had little meaningful input in the

draft convention. The COE accepts comments on its draft, then releases a

revision. The latest version is at www.coe.int.

Industry believes requiring service providers to monitor communications

and provide assistance to investigators would be burdensome and costly.

It also objects to a provision criminalizing the use of hacking programs,

which may have been designed for legitimate security testing purposes.

The Global Internet Liberty Campaign (www.gilc.org) has joined the opposition,

objecting to a lack of procedural safeguards and due process to protect

individuals' rights. It believes ensuing national laws might place restrictions

on privacy, anonymity and encryption.

The council wants to finish its work by the end of the year, after which

member nations and others could sign on to the convention and implement

the provisions in their own laws. In the meantime, government and industry

should engage the COE process at all levels to ensure a workable outcome.

McConnell, former chief of information policy and technology at the Office

of Management and Budget, is president of McConnell International LLC (www.

mcconnellinternational.com).