Introduction
Cybercrime is a growing global problem. Despite intense efforts by law enforcement officers to stop it, cybercrime continues to spread. Brenner (2010) says that the growth of cybercrime partly stems from its extraterritorial nature. On the contrary, Wall (2007) argues that the growth of cybercrime mainly stems from the changing nature of such crimes.
The abuse of new technology has also led to the spread of this practice. Consequently, there have been rising numbers of cyber attacks in the United Kingdom (UK) and the United States (US). These countries have reported cyber crimes for many years and despite the increased attempts to curb their spread, they continue to increase. Loader (2012) reports that developed countries, which do not have an established internet connection also, report increased incidences of cyber crime.
The American government has taken cyber security with utmost importance. In fact, the US Homeland Security considers America as a thriving ground for cyber crimes. This is because America is not only a victim of such attacks, but also the source of most attacks (Schell 2004). The Anti-Phishing Working Group recently produced new statics that show the growth of cyber crimes within the past year (Chik 2012). Increased awareness of cyber crime in the UK and America has largely informed the rise in the number of cyber crime litigation in both countries. However, most of these litigations do not have a common legislative basis.
This paper explores the nature of cyber crime in the context of the law of defence (in the US and the UK). From this analysis, this paper highlights the legal underpinnings of UK and US laws on self-defence. A lot of emphasis is made to compare the application of the law of defence on cyber crime, viz-a-viz the application of the same laws in the “physical world.” In this regard, this paper explores the law of defence (as outlined by the UN), the right to bear arms, and the implications of these laws in the cyberspace.
UK and US Laws on Cyber Crime
America
Since federal and state governments govern American states, the process of formulating laws divides between the state and federal governments. Usually, state laws are more applicable to cyber crime, unless there is a special situation where there is a need for Federal intervention (Chik 2012). For example, when cyber crime threatens national security, Federal cyber laws may apply. Alternatively, when the prevention of cyber crime requires the uniform application of law, the Federal government may intervene in the formulation (or enforcement) of such laws. Therefore, because of the distributed functions of state and federal governments, both governments have contributed in the formulation and enforcement of cyber law.
Nonetheless, because of the political differences in America, every state formulates and enforces their laws. There is therefore no legal requirement for all American states to adopt uniform laws (Chik 2012).
UK
Specific legislations on cyber crime in Europe inform UK’s cyber laws. Indeed, there is a close relationship between Europe’s public policy on self-defence and UK’s legislations on the same. For example, the UK is subject to cyber crime legislations, as formulated by Council of Europe (CoE). Therefore, the provisions of self-defence laws (under the convention) are applicable in the UK, as they are applicable in other European countries (that are signatories to the convention). The close historical, geographic, and economic relation between UK and Europe inform the close interconnection between the UK and Europe’s cyber laws.
Nonetheless, the most common law governing cyber crime in the UK is the Computer Misuse Act of 1990 (Securelist 2012). The government has however updated this act with newer and stiffer penalties. The quest to update this law came from the inadequacies of existing laws to curb hacking activities within the UK. More so, this issue came into sharp focus when previously existing legislations failed to convict Stephen Gold and Robert Schifreen for gaining unauthorised access to a UK organisation, BT Prestel services. Because of the inadequacy of the law to convict the two suspects, the court acquitted them.
The Right of Defence
Normally, every country has a right to defend its people against any form of attack. However, technological advancements have introduced a new form of attack, which contravenes the conventional wisdom regarding the right to defend a country. The cyberspace is the platform where conventional rules of self-defence have been broken (Arsene 2012). However, as Moore (2010) observes, several countries still adopt a conventional approach to prevent cyber attacks. For example, the US uses the military to defend the country against cyber attacks. Arsene (2012) questions the justification for doing so, because there are many risks associated with adopting a military approach to defending a country against cyber attacks.
One risk is the overlap of self-defence and conventional space defence strategies. In other words, militarising cyber security may take a war-like approach, which should not be the case. Therefore, while conventional wisdom may approve the use of force in conventional space, the use of force as a right to self-defence may not work in the cyber world. Therefore, even though a cyber attack may manifest the same characteristics as a conventional attack, responding to such an attack with force may be unlawful (Arsene 2012).
People often compare the self-defence law to the English law. Researchers say this law is part of private defence because it allows for the use of illegal means to prevent an attack (or protect a country from harm) (Himma 2008). In Britain, this law stems from the common law and the criminal law act of 1967 (Samaha 2005). One common principle of self-defence rules focus on the use of reasonable force to prevent an attack. Therefore, from the nature of the law, self-defence is more of a justification as opposed to an excuse (Scheb 2011, p. 417).
Globally, the right of self-defence in cyber attacks is still an unresolved issue. Indeed, because of some complexities identified when comparing cyber attacks with conventional attacks, it is difficult for countries to exercise (blindly) their right to self-defence without considering the unique dynamics of cyber attacks (Committee on Deterring Cyber attacks 2010, p. 163).
The UK and the US share the same approach to cyber attacks. Both countries propose the use of force when cyber attacks result in death, injury, harm, or destruction of property. However, the US has been most vocal about this provision. In fact, there are loud calls in the US to treat cyber attacks like “ordinary” attacks if they cause death or property destruction. The US Defence Department claims that it will not hesitate to use force to defend itself against cyber attacks that can kill, destroy property, or harm its people.
The Right of Defence as Per the UN Law and Proportionality of Response
Article 2 (4) of the UN charter describes situations when countries can use force for self-defence (Ellen 2012). The clause discourages the use of force as a means to solve international conflicts, but it approves it when states need to defend themselves from external aggression. Article 51 of the UN charter stipulates this provision (Ellen 2012). Many people have interpreted the provisions of this charter to either support or oppose the use of force as a self-defence mechanism in cyberspace attacks (Jasper 2012). Here, the main dilemma centres on whether to use force, even when there is no armed attack (like in the cyberspace). Some analysts have approved the use of force in such situations, while others deny the use of force (Ellen 2012).
Because of the dilemma caused by the application of Article 51 (the use of force as a self-defence mechanism), the International Court of Justice has been forced to interpret the use of force as a self-defence mechanism. Milhorn (2007) explains the court’s ruling by demonstrating that the use of force as a self-defence mechanism only applies to situations where there is significant and the real threat of a country. The charter also stipulates that the use of force only apply to the specific country that wants to defend itself (Ellen 2012). Moreover, the article says that the intention to defend the country using force should show a high probability of success. Lastly, the charter says that the force applied should be proportional to the damage suffered from the attack (Schiller 2010).
All the above stipulations are difficult to apply in the cyberspace. In fact, some observers say it is impossible to apply the above provisions in cyber crime (Wyler 2005). Usually, the complication arises when determining any direct loss of life (or any loss of property) that meets the conditions of triggering article 51. Broadly, it is often difficult to find the evidence that would trigger the activation of article 51.
The complications brought by the nature of cyber crime also pose a challenge to the implementation of article 51 of the UN charter because some cyber crimes are difficult to trace to one country. Moreover, even if a state traces the source of the attack to one country, they may not know the individual who is directing the attack (Wyler 2005). For example, an attacker may infiltrate innocent servers and use them to direct the attacks, as a zombie. Furthermore, trying to trace such attackers may consume a lot of time. Estonia and Iran provide examples of the difficulty of tracing attackers because even though the countries experienced cyber attacks a few years back, they have still been unable to know the real identity of the attackers.
Lastly, the main issue affecting the use of force (as stipulated in article 51 of the UN charter) rests on the need to prove proportionality and necessity (Himma 2008, p. 410). Besides the time-consuming nature of knowing the identity of attackers, it is also difficult to prove that allowing a counter-attack may achieve the objective of preventing the attack. Similarly, it is difficult to limit the effects on intended targets if a defensive attack occurs. From the strict circumstances that the UN allows defensive attacks, it is difficult to meet the criterion for launching an armed attack in cyber crime (Carr 2011, p. 50). Therefore, even though cyber attacks may interfere with a country’s economic sphere, air space, maritime space, and territorial integrity, it is difficult to depend on article 51 of the UN charter to justify defensive attacks on cyber crimes.
Right to Bear Arms
In the UK, the right to bear arms is part of the English common law. Scholars, such as, Aristotle and Machiavelli have also recognised this right as part of a person’s right to self-defence. Similarly, the US constitution also acknowledges the right to bear arms as part of self-defence laws. The same protection replicates in several state constitutions. Still in the US, the government introduced the right to bear arms as a second amendment to the bill of rights. In the UK, the common law tradition acknowledges the right to bear arms (Wyler 2005).
Parliamentary supremacy in the UK has however imposed many regulations to the right to bear arms. For example, the prerogative to control the right to bear arms shifted from the monarch to parliament. Notably, the Pistol act of 1903 was the main legislative provision that regulated the right to bear arms (Wyler 2005). The right to bear arms covers several weapons that are offensive to the law. Knives and firearms are the main weapons considered offensive by the UK law.
While the right to bear arms may be a critical part of self-defence law, its applicability in the cyberspace is impractical. Indeed, the right to bear arms aim to protect a person from a physical assault (or harm). However, attacks in the cyber world are intangible. Similarly, as other situations described in this paper, it is difficult to know the attacker. Therefore, it is equally difficult to apply the right to bear arms as a means to protect a person from cyberspace attacks.
Case Studies
First Case Study
Cyber space security poses unique challenges to the application of self-defence laws. For example, when two people share organisational resources through open port access, it is difficult to establish the legal justification for using self-defence legal provisions if an attacker tries to infiltrate the cyber network. This situation is true when one party gives another party the authority to gain access to the organisation’s resources, and the second party responds to a security threat through the established connection. Technically, the second party would not be breaching the law because he responds to the attacker through an established connection.
In the above situation, it is difficult to establish the right legal framework for approaching the issue because the intention of the attacker is not established. If the second party knew the intention of the attacker, it would be easier to justify the action of the second party who acts in self-defence. This scenario elopes in the Computer misuse act, which seeks to establish the intention of the attacker (first) before any legal consequences are determined. Without knowing the intention of the attacker, it is difficult to establish that the law was broken.
An incident that occurred in the UK, in 2004, demonstrates the need to establish the intention of the attacker before castigating an attacker. Here, an organisation accused a teenager of destroying a server by sending millions of mails to the server (Ellen 2012). However, the court ruled that the defendant had not contravened the computer misuse act because his actions did not lead to any unauthorised changes to the information in the computers. The failure to prove the intention of the defendant proved to be the biggest weakness here. However, if the organisation could prove that the teenager changed the information in their servers, they would have established the intention of the attack and held the defendant liable for his actions. They however failed to do so.
The above case highlights the need to establish the intention of an attacker as he tries to gain access to the cyber network. With the absence of a determined intention from the attacker, it is difficult to justify a response to an enemy threat. Therefore, the existence of the intention to gain unauthorised access to a cyber attack does not provide sufficient ground to warrant a counter-attack. However, if the attacker went further and altered information on the servers, substantial grounds for a response would be sufficient to warrant a conviction.
Second Case Study
In a situation where an attacker declares that he is part of a wider network of global cyber commons, issues of self-defence also arise because if an attacker is part of the global cyber commons, he may install cookies into an organisation’s resources. Cookie installation poses significant threats to online privacy and security because an organisation’s resources could be availed to a third party, thereby compromising an organisation’s cyber safety. Indeed, through the installation of cookies, an attacker may easily access an organisation’s resources and use them to harm it. Bajaj (2012) says that the installation of cookies resembles the storage of an organisation’s resource in a central database where everyone can gain access to it. Moreover, an attacker may intercept an organisation’s traffic (through cookies sent on ordinary unencrypted Http sessions) and use the information acquired here to harm the organisation (Bajaj 2012). Therefore, even though an attacker may be part of the global cyber commons, he may pose significant threats to an organisation. These threats prompt organisations to defend themselves. Therefore, based on the severity and the possibility of such threats occurring, it is crucial for an organisation to defend itself from such risks. Stated differently, if a burglar enters a person’s house, the owner of the house has a right to defend himself.
However, the cyberspace (as part of the global cyber common) poses unique challenges to cyber security (and more specifically for issues of self-defence). Albeit an artificial one, Bajaj (2012) explains that the cyberspace is part of the global cyber commons. Therefore, like other national assets like the sea, oceans, land, and air, states need to protect the global cyber commons against any attack. However, unlike physical resources like land and oceans, the global cyber common does not have national borders. Therefore, except for a few strategies discussed in this report, it is very difficult to defend a country/organisation (completely) from attacks in the global cyber commons.
However, if an attacker declares that he is part of the global cyber commons and installs cookies in an organisation’s resource base, the law of self-defence applies because as a resource owner it is crucial to monitor the activities of every website visitor. Even though there may be significant flaws in comparing the cyberspace with the physical world, monitoring visitor activities on an organisation’s website resembles installing CCTV cameras to monitor shoppers’ activities in a supermarket. This is a critical safety measure of self-defence.
Nationally, states also protect their interest in the global commons because they understand the implications of the global cyber commons on national security and strategic interests (Bajaj 2012). This is especially more profound in the US. Therefore, protecting a nation’s interest in the cyber common network forms part of national defence. The same justifications, which countries use to protect their national interests in the cyber commons, outline the justification for the enforcement of self-defence laws to monitor visitors’ activities on an organisation’s website.
Different organisations have adopted different strategies for defending themselves against attacks from the global commons. One such strategy is the installation of filters to enforce censorship. However, none of these strategies provide absolute protection to an organisation because the protocols for gaining access to organisational resources are accessible from anywhere in the world. Therefore, different servers and networks can access company resources from different locations around the world. Broadly, the laws for defending an organisation/country against cyber attacks are still unrefined, but it is crucial to say, different countries and organisations continue to pursue the same strategy they would use when defending themselves against physical attacks.
Conclusion
Self-defence laws aim to protect people and organisations from injury, or harm. However, the changing technological nature of the environment has brought new challenges to the applicability of these laws. Often, the law has played catch up to cyberspace attacks and even developed countries are still grappling with the challenge of enforcing self-defence laws without contravening other laws. This paper demonstrates that the provision for the enforcement of self-defence laws pose unique challenges to the enforcement of the same laws in the cyber world. Therefore, albeit cyber attacks may bear the same characteristics of an armed attack, it is difficult for organisations to evoke self-defence laws, even as outlined by article 51 of the UN charter. Some of the unique challenges posed to the enforcement of self-defence laws in the cyber world include proportionality issues, the trans-national nature of cyber attacks, and the difficulty experienced in identifying the attacker.
Besides the above challenges, it is similarly difficult to invoke self-defence laws (at least in the conventional way) in cyber attacks because cyber attacks (often) do not lead to the direct loss of life. Therefore, there is a significant mismatch between the use of armed attacks (as a self-defence mechanism) because it is difficult to satisfy the conditions for approving armed attacks in the cyberspace.
This paper also highlights significant differences and similarities in the applicability of defence laws in the UK and the US. By the nature of their geography and distribution, both countries are subject to larger legislative provisions in cyber laws. For example, the UK is a signatory to European laws on cyber attacks, while cyber defence laws that the Federal government formulates also bind American states. Even though cyber defence laws continue to evolve in these countries, the English common law is the basis of their enforcement. In America, the bill of rights also plays a critical role in the enforcement of these laws. Nonetheless, throughout the analyses in this paper, there is a clear trend towards the militarisation of self-defence laws in cyberspace (especially in the US) (Greenwald 2012, p. 2). Analysts should treat this trend with a lot of caution because the militarisation of self-defence laws in the cyber world may fail to achieve the same objectives they would achieve in the “real” world. It is therefore pertinent for international and local laws to encompass the unique dynamics of cyberspace attacks. The introduction of a new set of laws to accommodate these dynamics may be a good start for many countries to address the unique challenges of the cyber world.
References
Arsene, L 2012, U.S. to Apply Self-Defense Rule if Cyber Attacks Turn Hostile. Web.
Bajaj, K 2012, Cyberspace as Global Commons. Web.
Brenner, S 2010, Cybercrime: Criminal Threats from Cyberspace, ABC-CLIO, New York.
Carr, J 2011, Inside Cyber Warfare: Mapping the Cyber Underworld, O’Reilly Media, Inc., New York.
Chik, W 2012, Challenges to Criminal Law Making in the New Global Information Society: A Critical Comparative Study of the Adequacies of Computer-Related Criminal Legislation in the United States, the United Kingdom and Singapore. Web.
Committee on Deterring Cyber attacks 2010, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy, National Academies Press, New York.
Ellen, M 2012, ‘Cyber Security without Cyber War’, J Conflict Security Law, vol. 17 no. 2, pp. 187-209.
Greenwald, G 2012, Various matters: cyberwar, last gasps, and hate speech. Web.
Himma, K 2008, The Handbook of Information and Computer Ethics, John Wiley & Sons, London.
Jasper, S 2012, Conflict and Cooperation in the Global Commons: A Comprehensive Approach for International Security, Georgetown University Press, Georgetown.
Loader, B 2012, Cybercrime: Security and Surveillance in the Information Age, Routledge, London.
Milhorn, T 2007, Cybercrime: How to Avoid Becoming a Victim, Universal-Publishers, New York.
Samaha, J 2005, Criminal Justice, Cengage Learning, London.
Securelist 2012, Cybercrime and the law: a review of UK computer crime legislation. Web.
Scheb, J 2011, Criminal Law, Cengage Learning, London.
Schell, B 2004, Cybercrime: A Reference Handbook, ABC-CLIO, New York.
Schiller, J 2010, Cyber Attacks & Protection, CreateSpace, New York.
Wall, D 2007, Cybercrime: The Transformation of Crime in the Information Age, Polity, New York.
Wyler, N 2005, Aggressive Network Self-Defense, Elsevier, Massachussets.