Not since the misplaced fear of an apocalyptic Y2K bug has cyber security commanded so much attention worldwide. Firms and governments have been scrambling to make the Internet safer the wake of major data breaches at companies like Target, eBay, and JPMorgan, which potentially exposed tens of millions of customers to identity theft. Firms have contracted private cyber security providers to prevent intrusions, while national governments have enacted a range of measures from encouraging the reporting of corporate hacks to providing support for computer users infected with malware. While strengthening defenses is important, better policing of cyber criminals is severely needed. Currently, cyber criminals are rarely caught: in 2010, for instance, the FBI reported that despite preparing 1,420 criminal cases against online identity theft, it had only six convictions. Much of the problem lies in the cross-national nature of cyber crime. Catching cyber criminals often requires cooperation between several law enforcement agencies, but so far a limited international legal framework has hampered their efforts.

Cyber crime is an international problem. Intrusions that occur at American retailers like Target, where criminals steal payment card information of customers from companies for financial gain, are overwhelmingly attributed to Eastern European criminal organizations.[1] This international origin holds true for other kinds of cyber crime, though different regions predominate for different crimes; East Asia, for instance, is the leader in cyber-espionage.[2] This complicates combating cyber crime for law enforcement agencies, because the crime often spans beyond their national jurisdictions.

Consequently, cyber law enforcement relies on cooperation from agencies in different countries. The supranational components of this system are agencies like the International Criminal Police Organization (Interpol), and the European Cybercrime Centre (EC3), which serve to facilitate cooperation between national law enforcement agencies. Such organizations have no agents empowered to make arrests. Instead, they act as liaisons, bridging linguistic and cultural boundaries impeding successful cooperation. Some successes with international partnerships demonstrate the potential functionality of the current system; however, this approach faces several challenges.

First, the system breaks down when the countries involved are not on good terms. For instance, the EC3 has struggled to get assistance from Russian cyber authorities, particularly after the imposition of sanctions related to Ukraine.[3] Secondly, Interpol is severely underfunded with its mere $75 million budget ensuring that its assistance capabilities are extremely limited.[4] Another challenge is the disharmony between the laws of different countries. Because many cyber crimes are relatively new, several nations have yet to adequately legislate against them, making it difficult for law enforcement agencies to cooperate with one another. According to Former Interpol chief Ron Noble, this lack of local legal framework to facilitate international cybercrime investigations forces police to be “creative” and work around legal hurdles. [5]

However, the faults of the collaborative approach suggest a need for a more cohesive global system. A singular success on this front was the 2001 Budapest Convention on Cyber Crime. The Convention mandated that its members create robust cyber crime laws and enforcement procedures, as well as establish a 24/7 international cyber crime helpline. By making all its signatories enact similar cyber crime laws, law enforcement agencies in each country had similar legal authority to tackle the issue. Unfortunately, the benefits of this agreement were limited since it only extended to 44 ratified parties. Attempts to reach a global agreement modeled on the Budapest Convention failed at the UN in 2010. Russia chafed at provisions in the Budapest Convention which allowed the law enforcement agencies of one nation to access servers in another under certain conditions.[6][7] These concerns about sovereignty pose a serious challenge to any agreement.

Beyond sovereignty considerations, the implementation of a common legal code can be hindered by the differing legal structures of governments. National laws may conflict with those required by the convention. For instance, the US is not a party to an additional Protocol on Cyber Crime adopted by the Budapest Convention in 2006, which criminalized online dissemination xenophobic or racist material, due to concerns of conflict with the First Amendment to the US Constitution. Such concerns, compounded by the eccentricities of hundreds of countries, make a global agreement on the scale of the Budapest Convention unlikely.

Although instituting a global regime would difficult, there is room to improve on the current collaborative system. A more modest global proposal, with general guidelines for legal harmonization and flexible jurisdiction rules seems feasible. Shaming countries into action could also be effective: Interpol regularly publishes audits on national legislation and police infrastructure, which point out areas for countries to work on. Beyond updating law, practical improvements are consistently being made. One of Interpol’s main cyber security goals is capacity building: providing training and support for domestic police forces lacking cyber crime expertise.[8] Public-private partnerships have also accentuated crime-fighting efforts in recent years: Interpol has partnered with Trend Micro and Kapersky, two of the largest Internet security companies.[9]

Currently, the risks of cyber crime are too low, and the rewards too high. Stronger defenses may help keep data safe, but they do not prevent criminals from trying to get past them. In order to prevent cyber crime, it is imperative that criminals that feel they cannot attack without impunity. Law enforcement needs a stronger international framework with which to punish criminals and deter others.

[1] 2014 Data Breach Investigations Report. Verizon. Web. 25 Apr. 2015. pg 16

[2] Verizon. pg 40

[3] Brewster, Tom. “Trouble with Russia, Trouble with the Law: Inside Europe’s Digital Crime Unit.” TheGuardian.com. Guardian News and Media Limited, 15 Apr. 2014. Web. 25 Apr. 2015.

[4] “The Global Regime for Transnational Crime.” Cfr.org. Council on Foreign Relations, 25 June 2013. Web. 25 Apr. 2015. <http://www.cfr.org/transnational-crime/global-regime-transnational-crime/p28656>.656

[5] Goldstein, Matthew, and Nicole Perlroth. “Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase.” The New York Times. The New York Times, 15 Mar. 2015. Web. 25 Apr. 2015. <http://www.nytimes.com/2015/03/16/business/dealbook/authorities-closing-in-on-hackers-who-stole-data-from-jpmorgan-chase.html>.

[6] Ballard, Mark. “UN Rejects International Cybercrime Treaty.” ComputerWeekly.com. Tech Target, 20 Apr. 2010com. Web. 25 Apr. 2015. <http://www.computerweekly.com/news/1280092617/UN-rejects-international-cybercrime-treaty>.

[7] Ballard, Mark. “UN Rejects International Cybercrime Treaty.” ComputerWeekly.com. Tech Target, 20 Apr. 2010com. Web. 25 Apr. 2015. <http://www.computerweekly.com/news/1280092617/UN-rejects-international-cybercrime-treaty>.

[8]“Cybercrime.” Interpol.int. Interpol, n.d. Web. 25 Apr. 2015. <http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime>.

[9] Jowitt, Tom. “Interpol Opens Cyber-Crime Base, Partners With Kaspersky, Trend Micro.” EWeek.com. Quintsreet Enterprise, 02 Oct. 2014. Web. 25 Apr. 2015. <http://www.eweek.com/security/interpol-opens-cyber-crime-base-partners-with-kaspersky-trend-micro.html>.