
Posted: April 18th, 2024

Attribution and International Cooperation in Cyber Maritime Crime

1.1 Overview of Cyber Maritime Crime
Cyber-attacks on shipping are another concern given that it is the virtual information resources of a ship owner or operator that are potentially more lucrative to attack than the ship itself. In the case of a state attacking another state, acts of aggression or coercion in cyber maritime spaces are preferable due to the decreased likelihood of escalation to physical conflict and the ability to better mask the attacker’s identity. In an international environment, the motivations and varieties of cyber maritime crime are wide and diverse.
When comparing onshore to offshore information systems, the latter are even more susceptible to attacks since in many cases there is a lack of maritime domain awareness in the cyber context, meaning states are unable to identify the physical and virtual information resources relevant to their security and decision making. An example would be a case from 2016 where Iranian hackers gained access to the control system of a small dam 25km north of New York City. The group successfully infiltrated the system with the intention of releasing a significant volume of water but were unable to do so as the dam had been undergoing maintenance at the time. The case emphasized the vulnerability of critical infrastructure to cyber-attacks and potential consequences.
The movement of internet-dependent societal elements has led to an exponential increase in cybersecurity concerns. Cyber warfare is the manifestation of conflict in the digital realm between state, non-state, and private or public organizations. This can take many forms, including the theft of sensitive information or resources and attacks on IT infrastructures. Crimes using the medium of the sea, which have a nexus to cyberspace, may blur the lines between piracy and general criminality as outlined by the United Nations Convention on the Law of the Sea (UNCLOS). These can involve the use of computers and internet technology for illegal access to other people’s computers, storage of illegal information, identity theft, and the violation of privacy.
1.2 Importance of Attribution and International Cooperation
Attribution is essentially the process of tracing the origin of an attack. Establishing the identity of the attackers can be very difficult due to their capability to hide their true identity by showing fake information about their location. There are also cases when attacks are not state-sponsored and are conducted by interested parties such as political opposition groups. Knowing the origin of the attack is still very important in the context of preventing friction between two or more countries that are involved in the incident. Evidence of an attack can be misleading: the country under attack might accuse another while being unsure about the real perpetrator. RP Martin, in a study about mainframe security, predicts that “large-scale scuffles will break out more often between nations over who is attacking whom”. If an era in which cyber attacks are rampant is left unchecked, without clear evidence of the perpetrator, this might escalate into retaliation through similar attacks, thus creating a cyber war. High-profile attacks on US government systems in the past have been speculated to involve other countries, but since there was no solid evidence, the matter was left unsettled. This would contribute to power politics in a new dimension of warfare. It was believed that the US was behind the Stuxnet attacks on Iran due to the sophistication of the attack, but again there was no official accusation. These increasing conflicts of interest necessitate that cyber security be taken more seriously. A simple case where evidence of attacks causes tension is already troublesome, let alone an actual case of state-sponsored attack that is often veiled in great secrecy.
Maintaining security in the age of globalization has grown more complex. One example is what took place in Estonia during late April and early May of 2007, when the country encountered an external threat in the form of Distributed Denial of Service (DDoS) attacks. The origin of the attack was unclear. It was initiated as an internal attempt by a simple method to shift the location in a political conflict about war grave relocation between Estonia and Russia. But it wasn’t long before the attack “spilled” over Estonia’s cyber border, becoming a serious transnational issue. Due to this, the country, still in transition from the Soviet era, did not have adequate resources to deal with it. This event is an example of the relative ease with which one country can inflict harm upon another in cyberspace.
2. Challenges in Attributing Cyberattacks
One of the most frustrating difficulties in attributing a cyberattack is the ease with which an attacker can hide his or her identity, or even adopt a false one. This can be done in a number of ways, through use of proxy servers to hide the origin of an attack, through spoofed or stolen identities, or through a false flag operation in which the attacker adopts the identity of another organization or state in order to discredit or implicate it. There is often little opportunity to detect such false or hidden identities in technical data, and an incorrect attribution can have disastrous consequences. Collateral damage may result from a defensive response to an attack on a mistaken target, and there is significant potential for an attack on one state to be blamed on another, leading to escalation of hostilities between them. This situation, where it is extremely difficult to prove that an attribution is correct, and often impossible to do so beyond doubt, was summed up by General Nakasone, the head of US Cyber Command, who stated that “it all comes down to one word. It’s called accountability” (Nakashima and Harris, 2019). Given the technical realities of cyberspace, there will often be no way to achieve accountability for a cyber operation that has violated international law.
2.1 Technical Difficulties in Attribution
Attribution relies on sufficient evidence to identify the responsible party and ascribe guilt. However, in many instances, the only evidence is fragmentary and circumstantial. In a study on the Stuxnet worm, Clarke and Knake describe how intelligence is often conflicting, and in some cases, it is unclear whether the event was an attack or a system malfunction. This can lead to a situation where a victim state accuses another of cyberwarfare based on tenuous evidence, with the potential for serious consequences. An additional problem arises from the presence of privateer groups and state-sponsored hackers. The former will often launch attacks with the goal of financial gain and will cater services to the latter, with the line becoming increasingly blurry. Therefore, confirming whether an attack is state-sponsored or the actions of an independent group is pertinent to the attributive process, due to potential ramifications in diplomatic and retaliatory actions.
It is useful to compare the process of attributing a cyberattack to the investigation of a transnational crime, for example drug trafficking. In the latter, law enforcement agencies would identify the criminals, establish how the drugs were transported (or method of delivery), any intermediaries involved, and whether it was state-sponsored. This provides a framework for identifying those responsible for the cyberattack. However, the comparison begins to falter due to the technical complexities of cyberspace. Unlike the real world, the borderless nature of the internet and the ability to launch an attack from one country targeting infrastructure in another creates a situation where criminals can attack with impunity. This is further compounded by the fact that in many instances it is difficult to identify the location of the computer used to launch the attack, due to the use of technologies such as Tor routing and compromised systems.
2.2 Jurisdictional Challenges
The legality of acquiring and examining data is often further complicated by the owner of the data, who may also be an ally of the agency seeking to attribute an attack. A good example of this is the USA’s refusal to allow attribution evidence on Stuxnet to be released, despite it being common knowledge. This is further complicated by the way cyber attacks are executed. As demonstrated in the Estonian cyber campaign, attacks are often executed across several different servers located in different countries, and traffic will frequently be redirected numerous times. This makes evidence collection according to international law more complicated, and often forces an examination of the attackers’ whereabouts and identity rather than attribution of the attack itself.
The problems of attribution are compounded by the specific nature of cyber attacks and the jurisdictional limitations of international law. Attribution relies on the establishment of evidence, and an examination of the authors’ identity and characteristics. This requires an examination of specific data, and an analysis of it being distinct from the tactics used by the attributed authors. Cyber attacks destroy data and evidence, and often imitate the methods of other groups, making it very difficult to establish a firm base for an attribution decision. This in itself is a fundamental challenge, only made worse by the legal and political consequences of a false positive.
2.3 Attribution in State-Sponsored Attacks
In recent years, we have witnessed an alarming increase in the frequency and severity of state-sponsored cyberattacks. The attacks are often carried out through intermediaries or proxy groups, making it difficult to prove state involvement. The complexity of these attacks can surpass even the most sophisticated cybercriminals, as the attackers have the vast resources of a nation-state at their disposal. Attribution is obfuscated through the use of false-flag operations and the sophisticated manipulation of data that can mislead investigators into implicating innocent parties. When the attacks involve a domestic law enforcement or judicial agency in the target state, there may be attempts to disrupt the investigation through intimidation tactics or corrupt behavior. All of these factors contribute to an environment where there is limited deterrence against state-sponsored cyberattacks as the probability of being caught or facing serious consequences is very low. An offensive strategy, whereby states can deter attacks by threatening the use of offensive cyber capabilities and/or force against an attacker, will be largely ineffective against an adversary that believes it can achieve strategic gains through a low-risk cyber operation. Successful international cooperation in cybercrime investigations has the potential to mitigate this problem, so it is important to heed the previously mentioned difficulties involved in cooperation between law enforcement or judicial agencies and the likely strong opposition from an accused state.
3. Fostering International Cooperation for Investigations
The legal frameworks and treaties developed in this context are similar to those found generally in international law and establish provisions governing cooperation in specific cases and general measures to take against crime. They also codified some precedents from state practice and decisions in international tribunals. Many of these documents have been produced under the auspices of the United Nations, though there are also regional treaties. An example of a general treaty that has provisions for cooperation in criminal matters would be the UN Convention against Transnational Organized Crime, while an example of a more specific treaty can be found in the bilateral agreement between the United States and the European Union concerning personal data protection when transferred and processed for purposes of prevention, investigation, and prosecution of criminal offenses, resulting in the Data Protection Safe Harbour. Treaty content is reflected in two concepts: aut dedere aut judicare, where states must prosecute the offenders or extradite them to face justice in another state, and the principle of dual criminality, where conduct must be criminal in both states before it may be extraditable. These treaty provisions and others that foster cooperation act as a foundation upon which states can build their strategies for investigating and attributing responsibility to the cyber attacks and incidents mentioned in the previous section. A simple example can be taken from the United States Strategy to Combat Transnational Organized Crime, which aims to build, leverage, and sustain international partnerships to attack networks and instigators while providing for direct action against the specific incidents or attacks conducted by cyber criminals who often act as individuals. 
It is intended that the effect of international cooperation will lead to an increase in successful investigations and attributions of responsibility, perhaps showing itself in increasing numbers of arrests and successful prosecutions in one state of individuals who perpetrated acts in another. This was similarly observed in various contexts within the realm of maritime crime as discussed in the first section of this cyber-oriented essay.
3.1 Legal Frameworks and Treaties
Different legal frameworks and multilateral treaties have equipped countries with several legal bases for international cooperation, but as pointed out by Williams, they have rarely been used in practice as the principles of sovereignty have been deeply embedded in practice. If a cyber maritime case involves IT or a physical violation of another state’s infrastructure, it may constitute a use of force or an armed attack as described in Article 51 of the United Nations Charter. In the event of such a serious violation of state sovereignty, the victim or a third party may respond with a use of force in self-defense or collective self-defense. However, the threshold for an armed attack on cyber infrastructure is still a matter of debate, and a response in the form of an international armed conflict may, for example, be disproportionate to the violation it seeks to address. This is not an ideal scenario for dispute resolution in a cyber context, and it is preferable that there are other legal bases for cooperation and resolving cyber disputes without escalation. Cyber activities that do not reach the threshold of an armed attack are still subject to general international law, and it gives states a firm legal basis for cooperation. The Lotus case sets out the principle that “restrictions on the independence of states cannot be inferred from the mere fact that states wish to regulate a given field of activity,” but if there is an existing rule on the activity that is accepted by states, it becomes customary international law and creates legal obligations. Customary law and peremptory norms cover a wide range of conduct relevant to cyber maritime activity, such as hacking, data theft, and cyber-espionage, and it provides an acceptable legal basis for cooperation between states in order to prevent and resolve disputes on cyber issues.
3.2 Information Sharing Mechanisms
After discussing the legal frameworks and treaties, it is extremely important to understand the methods used to share information between countries and how effective they are. One very useful mechanism is the Mutual Legal Assistance Treaty (MLAT). An MLAT is defined as an agreement between two or more countries for the purpose of gathering and exchanging information in an effort to enforce public laws or criminal laws. It serves as a formal channel of communication between countries, through which they make requests and provide assistance in investigations and prosecutions. One specific example of the success of MLAT is between the United States and India. India provided all the substantial information on a suspect who was located in the United States and had accessed an Indian website to commit a cybercrime. The United States authorities apprehended the suspect, and India’s contribution was appreciated. This success serves as one example of the best cases of international cooperation through the use of MLAT. On the other hand, the process can be very slow, and the effectiveness of the assistance can vary greatly depending on the dedication of the provider of the information. This can be unfortunate, as there have been cases of requests being denied due to the fear of exposing intelligence on methods related to national security offences. All in all, MLAT provides the legal foundation for the formal exchange of information between countries and, despite its disadvantages, it is a crucial method in solving cybercrimes. Another formal method of sharing information is through joint investigations between two or more countries. Though they are lengthy and complex, and carry the risk of differing laws and statutes, they are seen as one of the most effective ways of identifying and locating cybercriminals and gathering the necessary evidence.
The European Union has developed its own formal information sharing network in the fight against cybercrime. This comes in the form of the European Union Cybercrime Taskforce. The ECTF is the platform for cooperation between Member States’ law enforcement agencies and EU bodies in the fight against cybercrime. It is staffed by liaison officers and experts seconded from EU and non-EU countries, and from a number of different organisations with different missions and mandates. These officers work together to share information and work on specific crime projects and in doing so, help to convert expertise and knowledge into new investigative leads. The ECTF has many working groups focused on specific types of cybercrime and holds regular meetings to share and analyse information pertinent to cybercrime investigations. This cooperative effort is observed to be efficient and effective and it has delivered concrete results. Though the success of the ECTF is focused in Europe, it serves as a good model of what can be achieved through formal networks of like-minded people and a mirror model could be applied at an international level.
3.3 Interpol and Other International Organizations
The Asia/Pacific Group on Money Laundering (APG) is a sub-regional organisation working under the umbrella of the Financial Action Task Force (FATF) in the global fight against money laundering and terrorist financing. The APG is an autonomous and collaborative international organisation consisting of 41 member jurisdictions within the Asia/Pacific region. The members of the APG have agreed to implement common AML/CFT standards to ensure that the socio-economic well-being of the people in the Asia/Pacific region is improved through a safer and more secure financial environment. This is to ensure the region will not be a safe haven for criminals. Such criminal elements have been noted for conducting cyber attacks to fund illegal activities or to use cyber extortion tactics to gain valuable assets. The APG’s work is beneficial to Interpol’s efforts in mitigating cyber maritime crime, given the types of criminal cyber acts it entails often result in money laundering and are coupled with the perpetrators’ need to transfer and use illicit funds.
Interpol’s various initiatives have had a significant and direct influence on the international policing of cybercrime. For example, it held a ‘Global Conference on Cyber Space’ with the UK government in 2011, aiming to identify new approaches to addressing evolving cyber threats and fostering cooperation.
Interpol is the world’s largest international police organisation, with 186 member countries. It acts as a secure point of contact for countries’ police forces, providing investigative and other policing support. Based on information provided by member countries, it assists in the identification and location of suspects, particularly those who have committed transnational crimes (including cybercrime). The process of country-issued ‘Red Notices’ can also be used at the national police level, in effectively seeking the location and arrest of an individual wanted by a member country (Interpol 2013b).
4. Prosecutions in Cyber Maritime Crime
The extent to which it will be practical for one state to investigate cybercrimes occurring on board a foreign vessel will depend on the willingness of the state in which the vessel is registered to provide assistance. Deakin and May have highlighted the potential dual criminality issues as any preserved data on the vessel could be subject to investigation by both the flag state and the state investigating an alleged offense against international law. This could lead to conflicting requests for evidence and perhaps simultaneous operations that may compromise the integrity of the possible prosecution. With regard to evidence collection and preservation, the issues mirror that of onshore cybercrime. However, the additional factor of dealing with evidence and suspects located in and around the world’s oceans will require an adaptation of existing principles and likely further collaboration between law enforcement agencies at an international level.
Under the current framework of customary international law, there are no specific conditions allowing states to exercise their jurisdiction over cybercrime in the high seas or foreign vessels. The application of existing principles is variable, and cybercrime presents issues that are not entirely consistent with traditional crimes. A UN resolution adopted in 2017 saw a step forward when the General Assembly urged states to ensure their domestic legislation allows for the prosecution of cybercrime, including when committed against ships. This will be an ongoing process that will require further international cooperation; it is not inconceivable that the future may see an international agreement as to when states exercise their jurisdiction over cyber maritime crime.
OutOfRange Prosecutions of Cybercrimes and the Rights of Sovereign States is an example of where the USA has attempted to prosecute those who have committed crimes on board foreign vessels. Favoring to protect its own interest, it states that Part 5 of the Federal Criminal Code applies extraterritorially to conduct outside the United States constituting an offense under this Code when the persons and the resulting harm are intended for the United States.
The lack of clear jurisdictional guidelines in cyber maritime offences and the transnational nature of the internet have led to confusion as to who has the authority to prosecute these offences. Firstly, a state must have jurisdiction over a crime before it can prosecute it. There are 4 ways in which a state can assert jurisdiction over a crime: territorial, nationality, passive personality, and protective principles. It is generally agreed between states that they do not have rights to jurisdiction over vessels in passage. Therefore, most crimes on board ships in international waters will fall under the nationality jurisdiction of the state in which the vessel is registered. Specific guidelines on when a state may try those who have committed an offence on board a foreign vessel are not clear. Traditional international law holds that a state may not exercise its authority in the territory of another state. Therefore, while it is generally easier to identify when a state has jurisdiction over crimes in its own territorial waters, the issue becomes clouded when it is called to do so.
4.1 Jurisdictional Issues in Prosecutions
In the case of MV Saiga, the vessel was arrested for discharging oil into the territorial sea of Guinea, and it was alleged that the vessel was seized by Nigerian militia and taken from the Nigerian exclusive economic zone to an area in international waters, and then to the Guinea territorial sea where the vessel discharged a significant quantity of oil. The case was seen as a test for the modern approach to piracy. It was held that an isolated incident of pollution could never constitute an act of piracy, as it was not an act of depredation and there was no specific mention that it was for private ends.
The current international legal concept of universal jurisdiction is primarily codified in the United Nations Convention on the Law of the Sea (UNCLOS). Article 105 of UNCLOS permits states to seize a pirate ship or aircraft on the high seas, or in any other place outside the jurisdiction of any state, that is an unwarranted act of aggression against another, providing that the acting state does not have to claim the pirates were stateless. But piracy does not necessarily have to involve acts of aggression. In fact, the definition of piracy under Article 101 consists of wrongful acts of violence, detention, or any act of depredation committed for private ends on the high seas against another ship or on a fixed platform, etc. Duration is irrelevant.
4.2 Evidence Collection and Preservation
Investigators and law enforcement officers are aware of the necessity of preserving evidence. Witmer suggests a four-part system of traditional evidence applied to cyber-attacks. This system consists of the evidence being (1) relevant, (2) material, (3) competent, and (4) admissible in court. Witmer also extends this by applying the Association of Chief Police Officers guidelines for the collection and preservation of computer-based evidence. It is necessary to obtain evidence showing that the data was altered intentionally, as this could distinguish between an act of sabotage and a mere system failure. A good way to do this is to capture volatile data. This is data which is stored in memory and lost when the computer is turned off or the plug is pulled out. Any alteration, processing, or deletion of data occurs in computer memory before it occurs on the data storage medium. Thus, to capture evidence of such an act, it is important to get a record of the system state, the data in the storage medium, and the data which is still in transit. Any evidence of cybercrime must be obtained in a manner that satisfies the requirements for admissibility in a court of law. In order for it to be considered admissible evidence, there must be an accurate audit trail which shows who has had control over the evidence and the time during which that control took place. This evidence needs to be presented in a clear and chronological way and be easily and accurately interpreted. This is important to verify its integrity and authenticity.
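The audit trail described above can be made tamper-evident by hashing each evidence item at acquisition and chaining the custody entries together. The Python below is an added example, not part of the original essay; the `CustodyLog` class, item identifiers, custodian names, timestamps and sample byte strings are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash_of(entry: dict) -> str:
    # Hash a canonical JSON form of every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only custody record; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def _append(self, ts, action, item_id, custodian, digest):
        entry = {
            "seq": len(self.entries),
            "ts": ts,  # assumption: ISO 8601 UTC strings, which sort as text
            "action": action,
            "item_id": item_id,
            "custodian": custodian,
            "evidence_sha256": digest,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash_of(entry)
        self.entries.append(entry)
        return entry

    def current(self, item_id):
        for e in reversed(self.entries):
            if e["item_id"] == item_id:
                return e
        return None

    def acquire(self, ts, item_id, data, custodian):
        if self.current(item_id) is not None:
            raise ValueError("item already acquired")
        return self._append(ts, "acquire", item_id, custodian, sha256_hex(data))

    def transfer(self, ts, item_id, releasing, receiving):
        last = self.current(item_id)
        if last is None or last["custodian"] != releasing:
            raise ValueError("releasing party does not hold the item")
        return self._append(ts, "transfer", item_id, receiving, last["evidence_sha256"])

    def verify_chain(self):
        """Return a list of problems; empty means the log is intact and ordered."""
        problems, prev_hash, prev_ts = [], GENESIS, ""
        for i, e in enumerate(self.entries):
            if e["entry_hash"] != entry_hash_of(e):
                problems.append(f"entry {i}: contents altered")
            if e["prev_hash"] != prev_hash:
                problems.append(f"entry {i}: chain link broken")
            if e["ts"] < prev_ts:
                problems.append(f"entry {i}: out of chronological order")
            prev_hash, prev_ts = e["entry_hash"], e["ts"]
        return problems

    def verify_item(self, item_id, data):
        # Re-hash the evidence and compare with the digest recorded at acquisition.
        last = self.current(item_id)
        return last is not None and last["evidence_sha256"] == sha256_hex(data)


def demo():
    # Constructed sample data standing in for real captures.
    memory_image = b"CONSTRUCTED-SAMPLE: RAM capture from bridge workstation"
    disk_image = b"CONSTRUCTED-SAMPLE: disk image from bridge workstation"
    log = CustodyLog()
    # Volatile data is acquired first, then the storage medium.
    log.acquire("2024-01-10T08:00:00Z", "MEM-001", memory_image, "Officer A")
    log.acquire("2024-01-10T08:40:00Z", "DSK-001", disk_image, "Officer A")
    log.transfer("2024-01-11T09:15:00Z", "MEM-001", "Officer A", "Lab Analyst B")
    intact = log.verify_chain()
    log.entries[2]["custodian"] = "Officer C"  # later edit to the custody record
    tampered = log.verify_chain()
    return intact, tampered, log.verify_item("DSK-001", disk_image)


if __name__ == "__main__":
    print(demo())
```

In practice the latest entry hash would also be recorded somewhere outside the log (for example, countersigned by the receiving party), since a chain held by a single party can be rebuilt from scratch.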
4.3 Collaboration between Law Enforcement Agencies
For the purposes of this essay, we will mainly be looking at the situation in the context of cyber maritime crime in the Asia Pacific region. Currently, the information on collaboration between cyber policing agencies in the Asia Pacific is very limited. This is reflective of the fact that transnational cyber crime is still a relatively new area and is also particularly difficult to police. That said, there are several means by which collaboration can take place, and seeing what has worked in other areas of policing can give an indication as to what might be effective in the cyber crime realm.
Cross-border policing has had a long history in the traditional law enforcement environment and has had many success stories in preventing and detecting crime. Agencies such as Interpol and the FBI have shown that sharing intelligence and joint operations can be very effective. The success of these agencies in the traditional law enforcement role has prompted some countries to consider how to best promote collaboration in the cyber policing realm.
