Infosec professionals looking at the ever-growing number of cyber attacks they face may think there’s nothing that can stop the flood of online threats.
However, without the Budapest Convention, which was born 20 years ago this month, it might be worse.
Officially known as the Council of Europe’s Convention on Cybercrime, it was the world’s first international agreement to fight online criminal activity.
Its anniversary is being celebrated on Tuesday with a European press conference discussing 20 years of action against cybercrime and an upcoming addition to the pact.
It will be followed by an international conference that starts November 16th to strengthen the fight against cybercrime. Participating countries will discuss the relationship between crime and cryptocurrencies, ransomware, detection of online child abuse materials and more.
“This treaty [the Convention] was really ahead of its time in thinking about this issue,” said Christopher Painter, former White House senior director for cyber policy and currently president of the Global Forum on Cyber Expertise.
“Even countries that have not signed the Budapest Convention, many have emulated its provisions to make sure they have strong substantive laws. So it’s had that effect. It’s increased international co-operation in this area. There have been a number of capacity-building projects in this area as well.
“I think it’s been a tremendous success in raising awareness” about cybercrime and getting legislatures to act, he said.
“Fighting cybercrime requires international co-operation, which is why the Budapest Convention is so important. It requires countries to have strong laws. It requires countries to have capabilities.
“We need to step up on enforcement efforts,” he admitted, “we need to step up the priorities of these cases, we need to step up in the amount of resources and personnel we devote to them.”
But, he added, “without the Convention we’d be in far worse shape. We wouldn’t have those laws, we wouldn’t even be able to go after those people [cybercrooks]. We need to be doing a better job doing it, but that doesn’t mean the instrument that enables you to do is in any way flawed. We need to do more.”
Painter noted that in 2000 — two years before the Convention was adopted — the Philippines had no cyber law to prosecute the author of the ILoveYou worm that infected over 10 million Windows computers.
Adopted on Nov. 8, 2001 by the Council of Europe, the Convention was opened for signatures in Budapest on November 23rd of that year and officially came into force on July 1, 2004.
Since then it has been signed and/or ratified by 66 nations. However, a number of significant countries have not signed, including Russia, China, Brazil and North Korea.
The Convention serves as a guideline for any country developing comprehensive national legislation against cybercrime, and as a framework for international co-operation between nations that recognize the Convention.
And it is about to be expanded. Last month the draft of a Second Protocol to be added to the Convention was approved. Its goal is to enhance co-operation and disclosure of electronic evidence for possible criminal prosecutions.
However, the Convention may face a serious challenge. In January, debate will start in the United Nations on a Russian-sponsored motion to create a UN cybersecurity treaty. Russia has long opposed the Budapest deal, arguing its provisions violate a nation’s sovereignty.
Whether an agreement on a UN treaty can be reached isn’t clear, said Painter. Nor is it clear if there is a consensus on what that treaty would look like. Many nations will try to ensure it is at least consistent with Budapest, he said.
“The Budapest Convention still may be the strongest articulation around” of international cybersecurity practices, he said, “even if you have a UN convention.”