top of page
  • Ananya Joshi and Shreya Singhal

Cyber Warfare Unveiled: Navigating the Budapest and UN Conventions

This article is co-authored by Ananya Joshi, in her 3rd Semester in the B.A.LL.B.(Hons) course at RGNUL, Punjab, and Shreya Singhal, also in her 3rd Semester in the B.A.LL.B.(Hons) at RGNUL, Punjab.


Introduction

The contemporary geopolitical scenario has seen increased usage of cyberattacks, conducted through sophisticated and unorganised means, and adopted by both state and non-state actors, often not resulting in physical harm. Over the years, means of waging war have drastically evolved to include both direct military attacks against each other and interception of online data through cyberattacks. The recent upsurge of violence amidst the prolonged conflict between Israel and the Islamic Resistance Movement, popularly known as Hamas, in the Gaza Strip has been no stranger to cyber warfare. Numerous instances of targeted attacks on the defence, energy and telecommunication sectors of Israel by isolated hackers as well as by organisations such as ‘Anonymous’ and ‘KillNet’ have been reported and documented in recent years.

Due to the emerging nature and novel means of cyber warfare, there is little international jurisprudence on the same. The Council of Europe Convention on Cybercrime, (hereinafter, referred to as the “Budapest Convention”) signed in 2001, and the African Union Convention on Cyber Security and Personal Data Protection, adopted in 2014, are instrumental legislations on the topic, while the United Nations International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (hereinafter, referred to as the “U.N. Convention”) is currently underway.

Various provisions of the Budapest Convention, such as illegal access, illegal data interception, and data and system interference, have been discussed further. In addition, relevant provisions laid down in the Zero Draft of the U.N. Convention, which is yet to be enforced, have been examined.

Budapest Convention: A Novel Legislation on Cybercrime

The Council of Europe Convention on Cybercrime, or the Budapest Convention, signed in 2001, has laid down substantive and procedural provisions relating to various cyber offences. Currently, the Budapest Convention stands as the most prominent treaty on cybercrime and, with an aim to bring national laws in congruence with each other as well as to develop investigative procedures, has streamlined the identification and punishment procedures with regard to cybercrimes.

The Budapest Convention extensively provides for offences of data interception and interference. Article 2 of the Convention criminalises illegal access to a computer system; while Articles 4 and 5 deal with data interference and system interference respectively. A common method of such interference is through “denial-of-service” or DoS attacks. These are attacks on network systems with the intent of shutting them down. Such attacks, if distributed over a period of time or territory, are known as “distributed denial-of-service” or DDoS attacks.

For instance, major cyber operations in Gaza have been conducted by ‘Anonymous’, an online collective on “4chan” that served as a meeting point for anarchists, created in 2003. In 2012, the year that Israel intervened in Gaza through its Operation Pillar of Defense, Anonymous “declared cyber war on Israel's cyberspace”, resulting in a series of “distributed denial-of-service” or DDoS attacks against websites of the Israeli government, and to the personal accounts of senior public officials.

Such DDoS attacks attempted to access the computer systems of Israeli government officials, thus attracting the provisions of Article 2. Further, they damaged and altered the retrieved computer data, which caused hindrance to the functioning of the Israeli computer systems. However, illegal access under Article 2 is somewhat ambiguous and a broadly worded provision, making it difficult to differentiate between legitimate and illegitimate online traffic.

Among other crimes, the Budapest Convention has laid down substantive provisions with regard to computer-related fraud. Article 8 of the Convention provides that any input, alteration or suppression of computer data or any interference with a computer system resulting in loss of property with the fraudulent or dishonest intent of acquiring economic gain shall be penalised. For example, instances of such fraud have been reportedly committed by the Izz ad-Din al-Qassam Brigades, the military wing of Hamas (hereinafter referred to as the IQB), by the Cybercrime Programme Office of the Council of Europe. In 2019, the IQB requested donations in bitcoin to its funds, posting the same on its social media as well as its official websites. It assured donors that such donations would be entirely anonymous and untraceable, and would be used to further their cause, even providing videographic instructions on the method of donation via unique bitcoin addresses. The infrastructure, or cryptocurrency accounts being used for such donations, being as high in number as 150, were discovered and subsequently seized by the U.S. Department of Justice. While the provisions of Article 8 of the Convention are applicable here, it is important to note that cryptocurrency scams are a relatively novel phenomenon.

Article 32(b) of the Budapest Convention provides that a party may “access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.” In essence, the aforesaid provision enables a member state to investigate extraterritorially, in another state, without permission or notification. The provision has attracted criticism in recent years.

Further, in the Explanatory Report on the Convention, the provision was debated at length, but it was concluded that a comprehensive framework on the procedure of providing unilateral access would not be possible at the time. In addition to this, in a Guidance Note on Article 32 published by the Council of Europe, cross-border access to data was clarified to mean unilateral access without mutual assistance. Article 32(b) has been heavily criticised by member states, most notably by Russia, on the grounds of alleged violation of the security and sovereignty of member states.

Thus, a reservation or restriction to the provision is desirable, and it is apparent that the Budapest Convention does not address several contemporary concerns relating to cybersecurity.

 

U.N. Convention: A Blueprint for a Safe Cyberspace

The U.N. Convention is an initiative to deal with the growing concerns related to cybercrime and online warfare. In the backdrop of the recent upsurge of unrest in the Gaza Strip, it becomes pertinent to ensure safety in the cyber realm. After months of negotiation and deliberation over the issue of cybersecurity, the UN released its “Zero Draft” in June 2023, to be discussed in August of the same year. In the event of adoption by the UN General Assembly, the convention will become the first binding instrument of the U.N. on issues related to cybercrime. 

The proposed “Zero Draft” aims to prevent and combat cybercrime through international cooperation for the benefit of developing countries, as explicitly mentioned in Article 1 of the Convention, which lays down the purpose of the Convention. However, the draft does not lay down the ways by which the developing states will be made technologically efficient to deal with any form of cyberattack, leading to asymmetries in the cyber capacities of various states. 

Article 4 of the U.N. Convention aims to protect the sovereignty and territorial integrity of each state. Friction between Israel and Palestine has threatened the sovereignty and territorial integrity of both states. Article 7 of the U.N. Convention deals with such illegal interception, which is done with dishonest intention. However, the same becomes a point of contention among various states as the Article does not answer what is the necessary level of data access that should have been fulfilled to make one liable. There has been a divergence in the codification by different nations wherein some penalize the interception of every data while others penalize the interception of data protected by law.

In such cases, aggravating and mitigating factors should be considered while determining the liability of the offender. In 2020, Hamas employed means of illegal interception to access the confidential data of Israeli soldiers, which can be considered an aggravating factor of cybercrime. There was an interference with the cell phones of the soldiers, which is a key domain of the state; and the same can also be considered a gross violation of Article 5 of the U.N. Convention which ensures respect for human rights, especially the right to human dignity and privacy.

Moreover, all existing legislations are to be respected by the treaty, and, hence, Article 17 of the Convention, which enforces the applicability of all international conventions and protocols, ensures that other conventions like the Budapest Convention are duly followed. However, there have been two-fold concerns over the same, firstly, that till date the Budapest Convention has been signed by just 68 states, thereby, excluding all the other nations from being liable under the statute; and, secondly, that, in order to implement the cybercrime treaties, jurisdiction has to be well- defined and established, as it is pertinent to check the liability of inter-territorial offenders.

In addition, Article 18 of the U.N. Convention also lays down the liability of the legal person who would be responsible for any criminal act, and the same should be subjected to effective, proportionate, and dissuasive criminal or non-criminal sanctions, including monetary sanctions. If made applicable, it is possible to impose such sanctions on the cyber militants of Hamas and Israel, the implementation of which will be ensured by Article 59 of the U.N. Convention.

 

Conclusion

As exemplified by numerous cyberattacks conducted by state and non-state actors over the past few decades, it is apparent that there is a need for more stringent mechanisms to combat the evolving and complex means of cyber warfare.

A regulatory framework for addressing cybercrime exists in the form of the Budapest Convention, including provisions such as Article 2 which provides for illegal access; Article 8 which provides for computer-related frauds; and Article 32(b) that allows transborder access to data. However, the Convention leaves much to be addressed due to novel and complex means of cyber warfare having evolved since 2001, when it was first signed. The United Nations Convention, if thoroughly negotiated and signed, will serve as a comprehensive and authoritative legislation on the topic.

It is imperative that states cooperate on a global level in order to give effect to the existing provisions of the Budapest Convention. Cooperation between states on issues relating to cybersecurity is expected to increase with the implementation of the U.N. Convention, which, once properly deliberated upon and negotiated, is expected to pave the way forward for a more secure cyberspace.

74 views0 comments

Comments


bottom of page