Infosec professionals looking at the ever-growing number of cyber attacks they face may think there’s nothing that can stop the flood of online threats.
However, without the Budapest Convention, which was born 20 years ago this month, it might be worse.
Officially known as the Council of Europe’s Convention on Cybercrime, it was the world’s first international agreement to fight online criminal activity.
Its anniversary is being celebrated on Tuesday with a European press conference discussing 20 years of action against cybercrime and an upcoming addition to the pact.
“The Convention has had a global impact,” the Council said in a news release issued at that press conference. “It has helped strengthen and harmonize countries’ legislation on cybercrime, enhance the effectiveness of international co-operation in investigating and prosecuting crimes committed via the Internet, and to foster partnerships between the public and private sectors.”
The Council of Europe will also celebrate the anniversary at its annual international conference to strengthen the fight against cybercrime, which starts November 16th. Participating countries will discuss the relationship between crime and cryptocurrencies, ransomware, detection of online child abuse materials and more.
“This treaty [the Convention] was really ahead of its time in thinking about this issue,” said Christopher Painter, former White House senior director for cyber policy and currently president of the Global Forum on Cyber Expertise.
“Even countries that have not signed the Budapest Convention, many have emulated its provisions to make sure they have strong substantive laws. So it’s had that effect. It’s increased international co-operation in this area. There have been a number of capacity-building projects in this area as well.
“I think it’s been a tremendous success in raising awareness” about cybercrime and getting legislatures to act, he said.
“Fighting cybercrime requires international co-operation, which is why the Budapest Convention is so important. It requires countries to have strong laws. It requires countries to have capabilities.
“We need to step up on enforcement efforts,” he admitted, “we need to step up the priorities of these cases, we need to step up in the amount of resources and personnel we devote to them.”
But, he added, “without the Convention we’d be in far worse shape. We wouldn’t have those laws, we wouldn’t even be able to go after those people [cybercrooks]. We need to be doing a better job doing it, but that doesn’t mean the instrument that enables you to do it is in any way flawed. We need to do more.”
One of the key assets Convention members get access to is a 24/7 network of contacts in countries where nations can ask for help, particularly in getting internet service providers to hold onto data for prosecution or investigation.
On its website about the Budapest Convention, the Council of Europe noted that an unnamed small, poor country said it couldn’t negotiate all the bilateral agreements it would need to obtain electronic data rapidly from every country from which it might need assistance. However, once it acceded to the Convention, dozens of partner countries were instantly bound to provide assistance. This prospect of immediate connections to possible assistance was a crucial factor in this country’s decision to seek accession.
The network is important. For example, the Council of Europe notes, between January and September 2019 the U.K. reported 77 preservation requests from 18 parties to the Convention. During that period the U.K. made 169 outgoing preservation requests to 27 parties.
Painter noted that in 2000 — two years before the Convention was adopted — the Philippines had no cyber law to prosecute the author of the ILoveYou worm that infected over 10 million Windows computers.
Adopted on Nov. 8, 2001 by the Council of Europe, the Convention was opened for signatures in Budapest on November 23rd of that year and officially came into force on July 1, 2004.
Since then it has been signed and/or ratified by 66 nations. However, a number of significant countries have not signed, including Russia, China, Brazil and North Korea.
The Convention serves as a guideline for any country developing comprehensive national legislation against cybercrime, and as a framework for international co-operation between nations that recognize the Convention.
And it is about to be expanded. Last month, the draft of a Second Protocol to be added to the Convention was approved. Its goal is to enhance co-operation and disclosure of electronic evidence for possible criminal prosecutions. It provides for direct co-operation with service providers and entities providing domain name registration services to obtain the disclosure of information for identifying suspects; expedited forms of co-operation for the disclosure of subscriber information and traffic data; expedited co-operation and disclosure in emergencies; additional mutual assistance tools; and data protection and other rule-of-law safeguards.
It is expected to be officially added to the Convention on November 17th.
However, the Convention may face a serious challenge. In January, debate will start in the United Nations on a Russian-sponsored motion to create a UN cybersecurity treaty. Russia has long opposed the Budapest deal, arguing its provisions violate a nation’s sovereignty.
Whether an agreement on a UN treaty can be reached isn’t clear, said Painter. Nor is it clear if there is a consensus on what that treaty would look like. Many nations will try to ensure it is at least consistent with Budapest, he said.
“The Budapest Convention still may be the strongest articulation around” of international cybersecurity practices, he said, “even if you have a UN convention.”