Unlocking the future of legal defence in cyberspace

 

 Joining Mr. Hickton in a panel discussion were esteemed representatives from Belgian law enforcement, Mrs. Catherine Van de Heyning, public prosecutor, and Mrs. Caroline Frère (FCCU), litigation lawyer Mr. Thomas Declerck (Allen & Overy (Belgium) LLP) and assistant professor and researcher Mrs. Laura Drechsler, fostering a unique cross-disciplinary exchange on the future of legal cyber defence strategies. The lively debate that ensued was expertly guided by moderators Mrs. Sofie Royer, Research expert at CITIP (KU Leuven) & Guest professor at UAntwerpen and ULiège and Mr. Renaud Vercaemst (Dedicated criminal lawyer at Livorno Law Firm).

 

What are the legal defences in cyberspace in the face of often invisible attacks? And what, therefore, is the framework for the future of legal defence? These inquiries were at the forefront of the event, delving into the pivotal realm of cyber law and its role in combatting cybercrime. In Belgium, corporate IT security audits reveal that 98% of companies report facing risks, 66% have suffered an attack in the last two years and, of these, 87% have suffered financial damage or loss of reputation due to cyberattacks. In fact, 28% of companies fear that their risk level could drive them into bankruptcy. All this has consequences for both public and private companies.

Mr. Pieter Timmermans, CEO of VBO FEB, set the stage with his introductory speech, touching upon these pressing issues. The subsequent keynote and a roundtable discussion explored the legal frontiers in combating cybercrime, fostering vital discourse and constructive dialogue.

 

An ever-growing range of threats

Risks and attacks increase every year. There are even fears that a massive cyberattack could trigger a major global crisis on a scale comparable to the COVID pandemic – and we are not prepared for such an attack, just as we were not prepared for a virus that spread worldwide, leading to devastating consequences.

Facts and figures 

• The United States is the target of 45.95% of cyberattacks worldwide. The United Kingdom, Canada, Germany and France make up the top 5.
• 77% of attacks originate from China, Russia, North Korea, Iran, and from countries in Africa.
• Damage caused by cybercrime is expected to hit $10 billion per year by 2025.

 

More connection and sophistication mean more risk

What makes the situation more challenging is that more and more objects are connected via the Internet of Things, meaning the risk of an exposure to attack multiplies.

Also on the rise is the number of criminals with new strategies and technologies – for example, AI now allows voice recordings and images to be generated to create fake videos.

“While the arrival of AI in all our activities increases the sophistication of cyberattacks, the real battle will begin in 2024.”  (Mr Pieter Timmermans, CEO, VBO FEB).

Criminals are using increasingly sophisticated tools and resources to achieve one of two main goals. Firstly, they are wanting to extort as much money as possible from individuals and companies through techniques such as phishing, ransomware and the theft of data that can be sold on the dark web. Alternatively, they are looking to attack the public sector to gain access to and destabilise democracies – for example, via national security information.

 

In response: prevention and a global approach  

In the event of such an attack affecting the internet and our systems, responsible governance in both private companies and public institutions means ensuring data integrity, service continuity and confidentiality.

Prevention remains the best defence, starting with the detection of vulnerabilities in systems. But it also means breaking down barriers: opening up a dialogue between public authorities and the business world is essential. After all, how can we respond to a massive attack without a global approach?

“In the face of major challenges and major threats, we need major responses.”, said Mr David Hickton, Founding Director, Institute for Cyber Law, Policy, and Security University of Pittsburgh.

Attacks – and the response to them – transcend not only the public/private divide, but also borders. In addition to public/private collaboration, given the scale of the threat, international collaboration is essential. All parties under threat (companies, organisations and nations) can better defend themselves by sharing as much information and as many effective cybersecurity strategies as possible.

 

The means to fight: institutions, laws, tools

In Belgium, we have the CCB (Centre for Cybersecurity Belgium), the national authority responsible for supervising, coordinating and implementing solutions. Each nation has their own institutions.

But, in addition to national initiatives, we need, at the very least, European cooperation, which could take the form of a cyber defence agency, and to strengthen the diplomatic dialogue on cybersecurity – in other words we need “cyber diplomacy”.

In addition, as Mr David Hickton pointed out, laws and countermeasures are flourishing in the USA and Europe, among others:

• CFAA – Computer Fraud and Abuse ACT
• Obama-Xi 2014 Agreement
• European Union Agency for Cybersecurity (ENISA)
• 2019 EU Cybersecurity Act
• 2020 EU Cybersecurity Strategy
• NIS (2016) and NIS2 (2023) directives

There are also international strategies designed to connect US and EU efforts, like the Annual United States-European Union 9th Cyber Dialogue, the EU-US Joint Cyber Safe Products Action Plan and the International Counter Ransomware Initiative (2023).

Is it enough? Not yet. In the future, it will be necessary to legislate for AI and Quantum because existing laws do not cover the use or consequences of these types of technologies. Above all, technologies evolve rapidly – and much faster than legislation. We need to anticipate, where possible, future technological developments and consequences so that an act identified as criminal today will also be criminal in the future.

 

Forms and challenges of cybercrime

We need to distinguish between cyber-enabled crime (using computer/computer technology to commit their criminal acts, which even small-time drug dealers do) and cyber-dependent crime like ransomware.

Just as we need to distinguish between what we might call “cyberwar” (to control or destabilise states) and economic cybercrimes aimed at extracting money through illegal means.

The perpetrators of cybercrime, whatever form it takes, should go to prison for the damage caused. A theft, whether committed via the internet or in a physical shop, remains a theft and should be punishable.

Even so, investigation and dismantling cybercrimes are made more complex by the schemes devised by criminals.

These include:

• military hacking, which involves stealing technological secrets or infiltrating or attacking communication systems. These practices are comparable to espionage, which has been around since long before the internet.
• theft of information on industrial technologies, including the theft of nuclear reactor plans, or research on emerging steel technologies.
• attacks that impact elections: this has been seen in the UK and the Czech Republic, as well as in the USA in 2016.
• fake news, which can be used to infiltrate the media to undermine faith in democracy.
• commercial crime aimed at extracting money.
• attacks on national security and critical infrastructures, such as telecommunications and hospitals.
• attacks on public services.

Furthermore, cybercriminals may work in conjunction with “classic” criminal gangs or with governments, for example Russia or China.

It is easy to understand why the USA is one of the countries most affected: it is attractive to cybercriminals because of its nuclear strength and its high R&D investment.

If we do not fight digital attacks, a Cyber 9/11 could be on the horizon because everything is connected: the chemical industry, telecoms, defence, healthcare, food, transport and much more.

One recent and real-world example of the damage cybercrime can cause is Russia’s war-time attacks on Ukraine’s mobile phone network, which was taken out by digital means.

 

What about privacy?

How do we respect people’s privacy, but at the same time control what people do? Private documents used to be written on paper. Today, digital documents and files can be considered private.

At the same time, legal authorities should be able to access digital documents and data, just as they would any other documents, for a criminal investigation.

Our panelists questioned encryption as a fundamental right for everyone in any circumstances. As judicial authorities must be able to have access to some data as part of investigations, there should be a balance between privacy and the means of investigation. And this kind of calculus needs to be transparent.

 

Proportionate responses to the threat

It is necessary to gather a lot of evidence to accuse someone of criminal activity.

However, it is a battle worth fighting. It is important for companies to be able to report threats to authorities on an international level.

This includes ransomware cases. According to the participants in the round table, as for whether to pay criminals who demand ransom, the best solution is to consult the authorities. As a rule, companies should not pay ransomware demands unless they absolutely need to. It is worth noting that refusing to pay out for attacks should reduce criminal activity because it will become less profitable. Additionally, paying does not guarantee that criminals will keep their word.

Even if a company chooses to pay, the attack should still be reported to the authorities so that they can investigate. Provide as much information as possible – the sooner the better – about this ransom demand or payment.

Companies should also share their experiences to help establish regulations, but often they choose not to admit publicly to having been the victim of a cyberattack.

It is crucial that companies and organisations that have been attacked tell not only the legal authorities, but also their contacts (customers, suppliers, etc). This allows the company’s business circle to be on guard and may also provide the attacked company and the authorities with additional information on what happened to the extorted data. In the aftermath of an attack, it is also possible to benefit from the help of cyber consultants.

It is worth noting that while we are seeing more and more attacks, cybercriminal networks are also being dismantled more often. Certainly, because there is no shortage of tools to fight or punish cybercriminals or non-cooperating countries. Mr. Hickton quoted the following US examples:

• -Criminal enforcement (DoJ)
• – Licensing
• – Debarment
• – Sanctions (Commerce/Treasury)
• – WTO (USTR)
• – Negotiations (state)

And to track down some high-level criminals, the FBI will go as far as offering substantial rewards.

 

Do too many laws kill business?

The question is whether the law stands in the way of economic progress. Companies must now consider a range of legislation, such as the GDPR, the Cloud and AI Acts , in the day-to-day business environment. However, given what is at stake – and the very real threat of cybercrime – this compliance appears to be a small price to pay.

According to the panelists, even if there are a lot of regulations, it does not kill the business. Behind every piece of legislation, there are issues to understand.

Again, the purpose is to find the right balance between overabundance of laws and entrepreneurial freedom. At the same time, the business (customers, suppliers…) demands more security. Laws are therefore a necessary evil.

Considering cyberattacks are a form of modern warfare, an appropriate response is required in the form of more collaboration, more coalitions, appropriate law enforcement, tougher sanctions and a significant increase in resources.

 

What about legal frontiers in the battle against cybercrime?

Faced with cybercrime that knows no borders, the authorities are fighting it without always having an appropriate and legal response that takes into account the borders and the right to sovereignty of each country.

Furthermore, in an era where companies become more powerful than governments, there is a way to enhance public-private cooperation. The fight against cybercrime requires, as our panellists recommend, a maximum co-construction between authorities and companies, in particular. Only if companies share their experiences openly better regulations will emerge.

Yet there remains reluctance on the part of the private sector to be transparent regarding the cyberattacks suffered but also to share their information with the public sector or the authorities.

 

In conclusion

What can we say at the end of this day of learning about the future of legal defence in cyberspace?

There is no shortage of legal avenues in the fight against cybercrime – the question is how best to navigate them?

Clearly, there is currently a lack of resources to effectively investigate and combat all threats and attacks.

There is also a challenge in terms of implementing effective prevention in a democracy so that individual rights, such as privacy, are also safeguarded.

• #cyberdiplomacy
• #cyberlaw