The never-ending conflict between right and wrong in cyberspace
Anas Abed Alhameed Alqudah, LL.M
Technology Legal Counsel at Qudah Law Firm LLP | Ex-Director at CENT Financial Solutions LLC | Advisory Board Member at MedTech & Lab Society | Board Member at Qudah Consulting Labs Group
“3v32y7h1n9 15 h4ck4813”
The above expression may seem an unreadable, meaningless wizard's spell at first sight, but its hidden meaning runs far deeper. It embodies the wise quote "Everything is Hackable" written in Leet, or so-called 1337, a special ciphered parlance whereby hackers communicate in the underworld of the internet. The mere existence of this neatly devised language suffices to unleash researchers' imagination about the unprecedented degree of sophistication and interconnectedness that the future of the cyber domain has in store, especially in light of the 4th industrial revolution and the 6th generation of telecommunication.
This article throws light on the never-ending conflict between right (security) and wrong (crime) in cyberspace. It unveils contemporary answers to a number of oft-deliberated questions, starting with a clarification of the several hallmarks of this pair, followed by a close inspection of the interaction between major areas of law and cyberspace. Finally, since we should all shoulder part of the burden, the article moots a multidisciplinary approach to overcome the practical hurdles that ensue from the misuse of digital technology.
(1) The Crux of Cybersecurity and Cybercrime:
(A) Cybersecurity
At the outset, it deserves a remark that there are two main doctrines in defining cybersecurity. The narrow doctrine merely concerns the strategies devised for tackling hacking crimes committed via or against internet-connected systems, whereas the broad doctrine has a more capacious scope: it stretches to encompass the entirety of the technological, legal, educational, societal, financial and political tactics and tools crafted for entrenching all components of the cyber domain. These components should receive multidimensional protection that covers, at a minimum, the tangible and intangible infrastructure that interconnects information and communication technology (ICT) systems, data and users.
Such tactics and tools must be effective enough to immunise ICT against illegitimate onslaughts, whether emanating from physical activities or digital ones (i.e., cyberbullying and hacking), so as to warrant a reliable and safe digital environment for stakeholders. It therefore becomes salient that the second doctrine is more compatible with the interests that stakeholders strive for. As will be seen shortly, the aforementioned components are inextricably connected; policy makers therefore cannot dismiss the severity of non-hacking activities that undermine confidence in cyberspace. This may be one reason why the UK adopted the broad doctrine in its 2016-21 National Cyber Security Strategy. Nevertheless, it is not the only reason. The rationale behind the unprecedented global attention that cybersecurity has garnered can be deduced if we contemplate its necessity for the 4th industrial revolution, on whose cusp the globe is standing. Given that automation is the core of this revolution, robust cybersecurity measures represent an indispensable line of defence that preserves the confidentiality of personal data. Only thereby can businesses persuade their clients and preserve the demand for digital services. Otherwise, cyberspace will become a paradise for spies, the public may lose confidence in it, and aggregate demand may then abruptly decline. A vivid example that still lingers in our minds is the digital exodus from WhatsApp to other messaging apps. That one-way movement was triggered by recently announced amendments to its data privacy terms, which left users anxious about the privacy of their data. This shows how important cybersecurity is on the clients-businesses side. On the other side, nations are compelled to consistently upgrade their cybersecurity measures to strengthen their national security against external malicious threats. These threats, for the most part, take aim at sensitive concealed data to satisfy the attackers' political or military agenda.
The bitter truth lies in the huge gap between nations' capacities. Some third-world countries cannot afford the cutting-edge technology needed to outperform the hacking toolkits available in developed countries, which may render them impotent to thwart transboundary advanced cyberattacks. This gap can be remedied through international co-operation that provides technological aid to developing countries.
At different scales, stakeholders should install the following two widely accepted categories of technical measures in tandem to reach optimal security:
(I) Proactive Measures:
- Preventative Controls: algorithms that preclude unauthorised intruders, e.g., data encryption keeps data unreadable to humans in case of illegitimate access.
- Deterrent Controls: tools that prolong the process of accessing data so as to make it an unattractive target, e.g., two-factor authentication.
- Deflection: redirects attacks to fake programming scripts instead of real ones, e.g., honeypots: traps with unexploitable glitches.
(II) Reactive Measures:
- Detection Controls: algorithms that swiftly notify the server's administrator of any suspicious network traffic.
- Logging solutions: tools devoted to saving prespecified data as evidence, such as executed programmes, uploaded files, recognised devices and IP addresses.
- Mitigation Controls: tools designed to reduce the attack's impact, e.g., offline data backups.
In practice, ideal protection might become elusive in contexts where these measures are considered objectionable because they run counter to the convenience that a large proportion of customers expects. Some businesses therefore prefer to deploy medium-strength security so as not to deter their customers. This is, however, a technologically immature practice, as it puts the system at risk.
(B) Cybercrime
Since there is no unanimity on a meticulous definition of cybercrime, the article directly presents a synthesised, contemporary and slightly different explanation of the cybercrime concept. Basically, a behaviour qualifies as a cybercrime when it satisfies a tripartite test whose components must all be present. This test comprises (A) actus reus, (B) mens rea and (C) causality.
Concerning component (A), it refers to digital versions of conventional offences. Put differently, it denotes illegitimate conduct committed via or against ICT systems, irrespective of whether they are internet-connected. Hacking activities, criminalised under the Computer Misuse Act 1990, epitomise a widespread cybercrime in which a hacktivist can either use technology (SQL injection, bypass, XSS injection and so forth) or resort to social engineering ("psychological manipulation") to gain unauthorised access to other networked e-systems. Furthermore, hacking includes Denial of Service (DoS) attacks that bring a system down by flooding it with immeasurable volumes of connection requests. Cybercrime further extends to cover cyberbullying, cyber sexual harassment, cyber-deception and others. Regardless of the nature of the conduct, it always bears several traits besides its presumed illegitimacy. It can be an international activity, as its impact can transcend boundaries, and therein lies an unavoidable hurdle: cyber criminals oftentimes flee from justice, since long distances and anonymity take their toll on the smoothness of investigations. Thereupon, obtaining conclusive evidence that proves beyond any reasonable doubt that a specific conduct is attributable to a suspect is close to impossible in practice. Lastly, the conduct must be intentional to be punishable. Otherwise, if an innocent user inadvertently trespassed onto a website's admin panel, the user would not be punished for this act.
In respect of component (B), it boils down to two categories. The first concerns the corollaries that immediately ensue from an e-crime, whose legal weight varies depending on the crime type. "Result crimes" are conditioned upon the occurrence of a prohibited result, e.g., DoS attacks carry punishment only when the targeted system ceases to work (the result). In contrast, a mere illegitimate act suffices to give rise to "conduct crimes", e.g., crimes relating to obtaining access to secret data do not require further harm to occur, such as altering data. The second category concerns ulterior motives, the so-called criminal intent. Although laws oftentimes do not stipulate a specific incentive, empirical studies indicate that criminals strive for, among other things: (A) reaping financial gains by stealing the particulars of Visa cards or cryptocurrencies, or intruding on the trade secrets of market competitors; (B) applying an external political or military agenda by breaking into sensitive data that a country heavily relies on for the sake of its national security, or by manipulating electronic election results; (C) dispelling depression caused by the societal pressure surrounding the attacker, which surged during the Covid-19 lockdowns due to the exponential growth of unemployment rates. Some criminals feel content when they manage to hack a system, even if aimlessly.
Apropos of component (C), it refers to the ability to adduce admissible, conclusive evidence that substantiates the connection between components (A) and (B), meaning that component (A) was a proximate or cause-in-fact cause of component (B). The reactive measures mentioned earlier (e.g., logging solutions) are suited to serve as a valid foundation upon which an attorney can establish a case against suspects. Finally, it is noteworthy that there is a long-disputed case in which criminal liability for a cybercrime might exceptionally not arise due to a legal vacuum. This case arises when a deep-learning algorithm yields an inaccurate, autonomously made decision that violates criminal law. For example, assuming that such an algorithm deleted a company's database without being instructed by a human, the criminal part of the case is likely to be closed without conviction, since the autonomy severed the causality between the human act and the subsequent harm.
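As an added illustration (not the author's, and not code from the article) of how the detection and logging controls listed above feed the causality component: the script below flags a source IP that floods connection requests and hash-chains the raw log lines so that the evidence offered to an attorney can be shown to be unaltered. The log lines, thresholds and IP addresses are constructed for the example.

```python
# Added example (not from the article): a detection control plus a logging
# control over constructed log lines. Flags any source IP opening threshold+
# connections within a window (crude request-flood signal) and hash-chains
# the raw lines so later alteration of the evidence record is detectable.
import hashlib
from collections import defaultdict, deque

# Constructed sample log: "<unix_ts> <src_ip> <action>" (documentation IPs)
SAMPLE_LOG = """\
1700000000 203.0.113.5 connect
1700000001 198.51.100.7 connect
1700000001 203.0.113.5 connect
1700000002 203.0.113.5 connect
1700000002 203.0.113.5 connect
1700000003 203.0.113.5 connect
1700000010 198.51.100.7 connect
""".splitlines()
GENESIS = "0" * 64  # previous-digest value for the first chained entry

def detect_floods(lines, threshold=5, window=10):
    """Return {ip: first_alert_ts} for IPs with >= threshold connects in any window-second span."""
    recent = defaultdict(deque)  # sliding window of timestamps per source IP
    alerts = {}
    for line in lines:
        ts, ip, action = line.split()
        ts = int(ts)
        if action != "connect":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:  # one alert per IP
            alerts[ip] = ts
    return alerts

def build_evidence_chain(lines):
    """Hash-chain each raw line: every entry commits to the previous digest."""
    chain, prev = [], GENESIS
    for line in lines:
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append({"line": line, "prev": prev, "sha256": digest})
        prev = digest
    return chain

def verify_chain(chain):
    """Recompute the chain; an edited, dropped or reordered line breaks it."""
    prev = GENESIS
    for entry in chain:
        expected = hashlib.sha256((prev + entry["line"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["sha256"] != expected:
            return False
        prev = entry["sha256"]
    return True
```

The chain only proves integrity after collection; it says nothing about who generated the traffic, which is exactly the attribution gap the article describes.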
(2) The Legal Ramifications of Mis/use of Digital Technology
(A) Some of the Most Affected Law Areas
The distinctive peculiarity of personal data protection laws and the unparalleled position they occupy dictate that they be analysed first. This analysis shows the reciprocal relationship between the two: (A) how law may, alas, increase cybercrime and (B) how law attempts to abate it. The availability of ready-to-run hacking tools has recently encouraged cybercrime until it turned into an uncontainable, rampant, terminal illness. An official survey indicates that upwards of 47% of UK-based businesses reported experiencing frequent data breaches during 2020. This unprecedented growth ensued from two simultaneous factors. The first is the unstable mental situation associated with the Covid-19 lockdowns; hackers then sought satisfaction by performing such acts. Nevertheless, only the second reason matters in this context, as it is ascribed to a demerit of cookie laws. Businesses exert considerable effort to provide personalised, quick services tailored to their clients. This technique often attracts more clients, so the company can expand its wealth inflow. Technically, a personalisation algorithm can only perform its task if it gleans predetermined data from users' cookies (under this law). However, hackers can easily inject espionage Java code into personalisation algorithms to transfer a copy of the received cookies, which can then be deciphered to gain access to the victims' devices. Data controllers will then be held liable for these "cookie injection attacks" and will be compelled to compensate data subjects. Even this unforeseen financial burden would be no less pernicious than the harm that blackens the controllers' market reputation if they operate in the computer security sector. This situation called for legislative reform through data protection laws, legislating more decisive cybersecurity-related duties under which businesses can both protect stored data and perform high-return technological activities in tandem.
Different laws, such as art. 32(1) GDPR, categorically recommend adopting encryption as a countermeasure to reduce the likelihood of illegitimate data exposure. If businesses rigorously comply with these laws, nations will experience a quantum leap not only in halting illegitimate data sales on the online black market but also in preserving a secure sphere for the data industry (data analysts, FinTech, RegTech and so forth). However, this measure is not devoid of counterproductive consequences. Hackers have adjusted the encryption strategy to their own ends: they encrypt their messages to remain hardly traceable or readable by detectives, which makes investigations less likely to yield good results.
Although scholarly debates on the irreversible interplay between technology and data protection currently seem at their zenith, it is time to march on to another affected area of law, where financial and economic regulation belong. Financial regulation is premised upon a cardinal maxim, confidentiality, in the absence of which the financial system would collapse. It basically means that financial intermediaries shall preserve the secrecy of past and ongoing activities and the personal information of former and existing customers. This confidentiality cultivates a common belief among the public that the financial system, led by aptly deft practitioners, can provide a private sphere for investments and savings.
Unfortunately, financial intermediaries encounter mighty waves of cybercrime shaking the roots of confidentiality and leaving it in ruins. Statistics showed that 40M Visa cards were hacked and then deactivated in only three weeks. This provokes legal hardships around the large proportion of transactions that were suspended, and the declining performance of innocent practitioners who were psychologically pressured by a crime that came out of the blue. These matters forced the UK Financial Conduct Authority (FCA) to deem cybersecurity a regulatory priority. Intermediaries are expected to craft a framework that outright covers proactive and reactive steps to be activated when necessary, i.e., reporting incidents; regulators need real-time data to adjust cybercrime-related laws to social and legal exigencies. Regulators may accordingly toughen punishments if threat levels grow. This consideration may ultimately reinforce the role that digitalisation plays in retaining confidentiality along two paths: (1) superseding traditional services with quicker automated ones, and (2) businesses can thereby reallocate capital into investing in digital security instead of the costs of physical traditional services. This is basically how the mis/use of technology affects financial regulation. Besides that, the relation can also be viewed from an economic perspective. Digital technology has been an economic tipping point by which international society could apply the long-established theory of economic integration that the General Agreement on Trade in Services (GATS) strives to attain. The internet and other means of wireless telecommunication quicken the cross-border flow of digital services regardless of how distant suppliers and receivers are. However, technology poses two economic hurdles in relation to decentralised cryptocurrencies. First, it eases the circulation of assets in black markets, which raises the count of illicit transactions.
Second, terrorist groups can receive digital donations without being thwarted by law enforcement agencies. This explains why some jurisdictions stand diehard against cryptocurrencies and other technologies under the national security exception of GATS.
Lastly, it is noteworthy that technology has dual effects on human rights. On the positive side, voters can cast their ballots electronically. Then, elderly, busy or vulnerable individuals who could not reach polling stations can exercise their political rights, i.e. the 2020 U.S.A. presidential election. However, governments may intrude on their political opponents using technology under the unacceptable pretext of national security, which violates not only the ethics of politics but also constitutional law.
(B) An abridged multidisciplinary recommendation
Tackling the perils rampant across the cyber domain and taming illegitimate digital behaviours is an international affair. Justice cannot prevail without overarching, centralised governance by means of international co-operation handling the different fronts. Nations shall modernise their legislation to accommodate ongoing developments, i.e. the U.K. should amend the provisions of the Computer Misuse Act to free IT experts to conduct cybersecurity research without being under threat of conviction. In addition, nations shall supply law enforcement agencies with security experts, in collaboration with the private sector, to redress the weaknesses of the digital infrastructure, devise accurate tracing tools and break into the criminals' digital society to be aware of their plots in advance. Most importantly, minors who are interested in hacking activities, and who cannot be punished although they are criminals, should be educated so that their untapped potential is exploited in a good manner, such as by registering cultural gatherings in universities to train their cyber skills. Businesses might be advised to insure their strictly confidential databases against data breaches if they lack the financial capability to purchase updated security tools.