Possible directions of development of international legal institutions in the field of global cybersecurity

Gorelik Il'ya Borisovich Postgraduate student, Department of International Law, Diplomatic Academy of the Russian Foreign Ministry 119021, Russia, Moscow, Ostozhenka str., 53/2, p. 1 gorelik.ilya@yandex.ru Other publications by this author

In modern conditions of rapid development and dissemination of information and communication technologies, the problem of organizing international legal regulation of countering the criminal use of digital technologies is becoming particularly acute. The problem of cybercrime has been recognized for a long time and has been repeatedly reflected in international law-making activities.The analysis of modern activities for the development of international law in the field of countering cybercrime allows us to come to the conclusion that one of its foundations are the initiatives of many international organizations.

A striking example of this phenomenon can be called the activities of the Council of Europe, which developed the Convention on Computer Crimes of 2001. (Budapest Convention) ^[3]. Over the next two decades, the Council also developed two additional protocols to the Convention – the First Additional Protocol on Criminalizing Racist and Xenophobic Acts Committed using Computer Systems ^[11], and the Second Additional Protocol on Strengthening Cooperation and Disclosure of Electronic Evidence ^[15].

Within the framework of another regional international organization, the European Union, an active elaboration of international legal agreements in the field of personal data protection was also carried out ^{[10, p. 97]}. In particular, a system of international legal norms was created, among which are the General Regulation of the European Parliament and the Council of Europe No. 2016/679 on the protection of personal data of individuals in 2016 ^[13], Regulation of the European Parliament and the Council of Europe No. 1725/2018 of October 23, 2018 on the protection of individuals in the processing of personal data by institutions, bodies departments and agencies and on the free circulation of such data ^[14], as well as Directive of the European Parliament and of the European Council No. 680/2016 of April 27, 2016 on the protection of individuals when processing personal data by competent authorities in order to prevent, investigate, detect or prosecute criminal offenses or in the execution of criminal penalties ^[12].

Work on the creation of international legal acts in the field of cybersecurity was also carried out within the CIS. In particular, in 2001, an Agreement on cooperation of the CIS member states in combating Crimes in the field of computer Information was created ^[8], which later ceased to be effective due to the adoption of a new document in a similar area - the Agreement on Cooperation of the CIS member States in Combating Crimes in the Field of Information Technology in 2018. ^[9]

Similar work was carried out within the framework of other regional international organizations, such as the SCO, ASEAN, the African Union, the League of Arab States, etc. ^{[2, p. 33]}

Within the framework of the UN, work on the development of the legal framework for countering cybercrime was carried out on the basis of the activities of a specialized organization – the International Telecommunication Union, which developed a Global Cybersecurity Program in 2008 ^[1] and a Guide on Understanding Cybercrime for Developing Countries in 2009 ^[6]. Moreover, at the initiative of Russia, two specialized groups were created at the UN – an Open-ended Working Group (OEWG) and a Group of Governmental Experts (GGE). The main results of the activities of these groups were formalized in the form of resolutions of the UN General Assembly "Achievements in the field of information and telecommunications in the context of international security".

Thus, the activities of international organizations in the development of international legal mechanisms for ensuring cybersecurity seem to be the basis for the development of international law in this area. However, despite the significant contribution of the organizations mentioned earlier, one serious problem can be identified at the moment – the lack of a global legal framework for international legal counteraction to cybercrime.

According to the author, in the context of cybersecurity, it is especially important to form a global international legal system for ensuring information security and, in particular, combating cybercrime. This opinion is justified by the specific characteristics of cybercrime associated with the mechanics of the functioning of modern digital technologies. As you know, modern information and communication technologies (ICT) have the ability to quickly distribute data over long distances. Given the almost ubiquitous spread of ICT – in particular, the spread of Internet technologies - this leads to the fact that the international community, in fact, becomes one global information system. Due to the uneven technological development of some states and regions, this system is very branched and heterogeneous, but it still exists at the global level and covers all regions of the world. This circumstance leads to the fact that data exchange within the framework of ICT networks can be carried out everywhere and regardless of the specific jurisdiction.

This feature is a significant problem for the reason that each act of criminal use of ICT can simultaneously affect several jurisdictions at once, and even not located within the same region. However, given the differences in approaches to legal counteraction to cybercrime and the organization of investigations, joint activities of interested states are significantly hampered by the lack of unity of command. Moreover, if we consider the modern international community as a global information system, it is also necessary to take into account one of the basic principles of information security theory, according to which the level of protection of some information system is equal to the level of protection of the most unprotected element of such a system ^{[4, p. 238]}. When considering the international community in this way, the role of elements of the global information system is played by individual States and ICT complexes under their jurisdiction. This means that even if there are some regions within which legal measures to ensure information security are effectively implemented, the real level of their security will ultimately remain low due to the absence or ineffective implementation of similar legal measures in other regions. Thus, the problem of ensuring international cybersecurity (at least in the context of international law) will remain unresolved as long as there are States and regions in which effective legal mechanisms for countering cybercrime are not implemented. Such a result can be achieved only if appropriate international agreements are created regulating the cooperation of the parties and requiring the criminalization of typical criminal acts in the field of ICT. Moreover, given the global scale of the established information system, such international legal mechanisms should be created and implemented not within individual regions, but on a global scale.

In connection with this opinion, the question arises as to how exactly such activities should be organized. On the one hand, within the framework of the UN, work is already underway to create a global system for countering cybercrime, which, in particular, includes the activities of the SGE and the OEWG, as well as Russia's initiatives related to the development of draft universal conventions on combating cybercrime – the draft UN Convention on Cooperation in Countering Information Crime 2017. ^[7] and the draft UN Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes 2019. ^[5] On the other hand, such activities can be optimized in some way.

When considering possible ways to overcome this problem, you can rely on the experience of solving similar issues. One of these may be the problem of money laundering and terrorist financing (ML/FT). Despite the fundamental differences in the essence of the phenomena of ML/FT and cybercrime, according to the author, conceptually the problem of ML/FT has similarities with the problem of cybercrime. For example, known methods of money laundering often involve financial transactions involving the banking systems of many different states – and especially in this context, countries where anti-ML/FT (AML/CFT) measures are not effectively implemented are attractive to criminals. In addition, offshore zones are often used for ML/FT, on the territory of which conditions are implemented to preserve the anonymity of company owners or to accompany their activities with minimal reporting. Here we can draw an analogy with the use of digital technologies that ensure the anonymity of Internet users and encrypt their traffic (for example, VPN services). Or the use of the digital infrastructure of states in which information security measures have not been implemented effectively enough in order to commit cyber attacks or other illegal acts in the field of ICT from their territory.

In addition, financial transactions, the real purpose of which is the implementation of ML /FT, are often carried out using as many financial organizations as possible, transferring funds in complex and branched ways, regularly splitting and combining the transferred amounts. Such acts are carried out by criminals specifically in order to confuse law enforcement agencies and slow down the investigation of the facts of ML/FT. In this case, a suitable analogy from the field of cybersecurity may be the branching of Internet networks, which also make it much more difficult to find the original source of a criminal act and determine jurisdiction in the investigation of a crime. At the same time, the branching of the global financial system can be comparable to the branching of Internet networks.

In connection with the described features, it seems that the AML/CFT problem is conceptually similar in many respects to the problem of cybercrime. At the same time, it is important to note that, as in the case of national legal measures to combat cybercrime, national legal mechanisms in the field of economic security may also differ depending on the jurisdiction. Despite this, it was possible to implement an AML/CFT system at the international level, which presupposes active cooperation of States on this issue, as well as the development of unified legal measures within national jurisdictions. Namely, the Intergovernmental Commission on Financial Monitoring (also known as the Financial Action Task Force on Money Laundering or FATF) was established. The essence of the activity of this organization assumed the cooperation of the member states in order to develop measures to jointly counter ML/FT, as well as to optimize national legislation in order to increase the effectiveness of such activities. The basis for the implementation of such tasks were the recommendations developed by the FATF on the implementation by Member States of appropriate organizational and legal measures, compliance with which will increase the effectiveness of AML/CFT in each individual participating State and, thus, reduce the global threat of ML/CFT.

In this regard, it seems that at the global level, the solution to the problem of comprehensive cybersecurity can be implemented in a similar way. Taking into account the conceptual similarities between ML/FT and cybercrime described above, one of the possible ways to increase the level of global cybersecurity may be the creation of a specialized international organization in the field of information security, the principle of which will duplicate the organizational structure of the FATF.

The basis for the activities of such an organization – as in the case of the FATF – could be made up of recommendations developed by member States. Among these may be, for example, recommendations on the introduction into national legal systems of provisions imposing restrictions on the use of technologies that mask Internet traffic. Other such recommendations may be provisions recommending participating States to create specialized organizations within their jurisdictions that carry out a continuous analysis of national trends in current cybercrime problems, on the basis of which new legal measures will be developed in the future. Also, an important recommendation provision is the criminalization of a number of typical topical types of cybercrime. At the same time, it seems advisable to regularly review the list of recommendations in order to update it in accordance with newly emerging digital threats.

In addition, it is advisable to include in such an international organization a constantly functioning expert analytical center that collects information from participating States on national cybersecurity problems. The result of the work of such a center may be proposals for improving and updating existing international legal mechanisms in connection with the emergence of new threats in the field of ICT. Since digital technologies are constantly evolving, and their structure is becoming more complex, the work of such a unit is particularly important in order to maintain effective and adequate international legal regulation of countering cyber threats. At the same time, according to the author, it is important to carry out the work of such a unit on the basis of a permanent dialogue not only between the participating states, but also on the basis of a dialogue between specialists in the field of jurisprudence and specialists in the field of information technology. It seems that such an organization principle will allow developing legal measures that best meet modern trends in the development of digital technologies. In addition, such an approach can help bring together specialists of various disciplinary fields in the context of understanding the problem of legal regulation of information technologies. In the future, this will contribute to raising standards for the development of secure digital technologies on the one hand and the development of adequate legal norms on the other.

Another effective mechanism that can be implemented within the framework of such an international organization may be a regular expert assessment of the level of cybersecurity within the national jurisdictions of the member States (by analogy with the system of mutual assessments of national AML/CFT systems in the FATF). For such activities, a separate working group may be established in the organization, engaged in the implementation of such assessments, regularly conducting audits in randomly selected Member States, as well as compiling a safety rating among the member parties.

At the same time, it is especially important to build all the activities of the proposed organization on the basis of the basic principles of international law. In particular, it is necessary to emphasize separately the requirement for participating States to respect the sovereignty of other members. The provision on the need to respect the sovereignty of member States and respect for it should be separately enshrined in the statute of an international organization regulating its activities.

Thus, it seems that the creation of an international organization with such a working structure can significantly stimulate the formation and further development of an international legal system for countering cybercrime. At the same time, according to the author, it is especially important that the activities of such an organization extend far beyond specific regions and potentially cover as many states as possible. In this regard, it would be advisable to ensure the work of the organization within the framework of the UN. It is also important to provide special conditions for the membership of developing countries and to provide them with all possible assistance in the implementation of the organizational and legal measures being developed.

On the one hand, the author is aware of the exceptional complexity in creating a global international legal system of information security. Differences in national approaches to legal regulation and levels of technological development, as well as political contradictions, can slow down the process of forming a global legal system of cybersecurity. In this regard, it seems more likely in the near future to create international legal regional centers for countering cybercrime, formed on the basis of many regional organizations. On the one hand, such a direction of development can become an effective solution to the problem of international cybercrime, which will simplify the processes of interstate investigations, as well as bring together national legislation within individual regions. However, taking into account the global scale of the existing information system, it still seems necessary to provide an optimal basis for the development of a common international legal system that is not limited to individual regions.

At the same time, the creation of a specialized international organization seems to be one of the most promising directions in solving this issue. The history of the development of international law clearly demonstrates that the creation of various specialized international organizations – such as the International Maritime Organization, the International Civil Aviation Organization, the International Telecommunication Union, etc. – significantly contribute to the optimization of the development of international legal regulation in specific areas of life. Within the framework of such organizations, States jointly analyze common problems, develop international treaties that take into account the positions of interested parties, and contribute to the convergence of national regulatory approaches. In this regard, given the global scale of the spread of digital technologies and the multidirectional nature of the threats associated with it, it seems particularly relevant to create a similar organization in the field of global cybersecurity.