SPRINGER BRIEFS IN CYBERSECURITY Tatiana Tropina Cormac Callanan Self- and Co- regulation in Cybercrime, Cybersecurity and National Security 123 SpringerBriefs in Cybersecurity Editor-in-chief Sandro Gaycken, ESMT European School of Management and Technology, Germany Editorial Board Sylvia Kierkegaard, International Association of IT Lawyers, Denmark John Mallery, Massachusetts Institute of Technology, USA Steven J. Murdoch, University of Cambridge, UK Cybersecurity is a difficult and complex field. The technical, political and legal questions surrounding it are complicated, often stretching a spectrum of diverse technologies, varying legal bodies, different political ideas and responsibilities. Cybersecurity is intrinsically interdisciplinary, and most activities in one field immediately affect the others. Technologies and techniques, strategies and tactics, motives and ideologies, rules and laws, institutions and industries, power and money—allofthesetopicshavearoletoplayincybersecurity,andalloftheseare tightly interwoven. The SpringerBriefs in Cybersecurity series is comprised of two types of briefs: topic- and country-specific briefs. Topic-specific briefs strive to provide a comprehensive coverage of the whole range of topics surrounding cybersecurity, combining whenever possible legal, ethical, social, political and technical issues. Authorswithdiversebackgroundsexplaintheirmotivation,theirmindset,andtheir approachtothetopic,toilluminateitstheoreticalfoundations,thepracticalnutsand bolts and its past, present and future. Country-specific briefs cover national perceptions and strategies, with officials and national authorities explaining the background, the leading thoughts and interests behind the official statements, to foster a more informed international dialogue. More information about this series at http://www.springer.com/series/10634 Tatiana Tropina Cormac Callanan (cid:129) Self- and Co-regulation in Cybercrime, Cybersecurity and National Security 123 TatianaTropina Cormac Callanan Max PlanckInstituteforForeign and Aconite Internet Solutions InternationalCriminal Law Dublin Freiburg Ireland Germany ISSN 2193-973X ISSN 2193-9748 (electronic) SpringerBriefs inCybersecurity ISBN 978-3-319-16446-5 ISBN 978-3-319-16447-2 (eBook) DOI 10.1007/978-3-319-16447-2 LibraryofCongressControlNumber:2015935411 SpringerChamHeidelbergNewYorkDordrechtLondon ©TheAuthor(s)2015 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpart of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilarmethodologynowknownorhereafterdeveloped. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publicationdoesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexempt fromtherelevantprotectivelawsandregulationsandthereforefreeforgeneraluse. Thepublisher,theauthorsandtheeditorsaresafetoassumethattheadviceandinformationinthis book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained hereinorforanyerrorsoromissionsthatmayhavebeenmade. Printedonacid-freepaper SpringerInternationalPublishingAGSwitzerlandispartofSpringerScience+BusinessMedia (www.springer.com) Foreword The Internet is everywhere. It stretches across all layers of society, involving the civil society, the business community and governments. And it is not just con- sumed, but also operationally used, created, maintained and changed by all these differentactors.Itisenablingthemiftheymasterit,anddisablingordisadvantaging them if it does not work properly. Now all of these actors desire basic values such as security, freedom and pri- vacy,andofcoursetheywouldlikethemimplementedintheInternet,too.Different culturesmayhavedifferentperceptionsaboutprioritiesandinterpretationsofthese values,buttheystillwantthemimplementedinsomeway.Yetimplementingthese values requires changes in this environment. Technologies, business modalities, innovationorwidelyaccepteduse-modelswillhavetoberevisedandremodelledto some extent, and many of these revisions will involve trade-offs with other actors’ interests. Accordingly, the question of who should be the bringer and carrier of this changeisthecornerstoneofaheateddebate.Alotofactorsarereluctanttoengage in change at all, as they benefit from the current, unregulated model and mainly oppose any emergence of other actors. These other actors—mostly disadvantaged entitiesorinstitutionsinformalresponsibilityforaccordingissues—attheirendare tryingtoidentifyandenforceleverstochangetheestablishedlandscape.Theresult is a regulatory and lobbying battle raging behind the colourful outer shell of the web. Theauthorsofthisbrief,TropinaandCallanan,embarkedonthemissiontomap out this contested landscape, its actors, their stakes and interests. This is a chal- lenging undertaking, as many of these entities and their dynamics are not very visible, especially in their entanglements and undercurrents, but Tropina and Callanan managed to identify and analyse them with high granularity. Moreover, the authors provide a profound theoretical analysis of the effectiveness and effi- ciency of different regulatory approaches, focusing in particular on industrial attempts of self-regulation or the more forthcoming variant of public–private co-regulation, deriving general conclusions and creating recommendations with high value for anybody working in or on this field. v vi Foreword At the present time of an ever more contested Internet, this contribution could hardlybemorerelevant,andIassumeitwillhaveanimpactontheongoingprocess and the debates surrounding it. February 2015 Dr. Sandro Gaycken ESMT Berlin Contents 1 Public–Private Collaboration: Cybercrime, Cybersecurity and National Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Tatiana Tropina 1.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Cybersecurity, Cybercrime, Cyberwar? Terminology and Misconceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2.1 Cybersecurity: Different Dimensions and Blurring Borders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2.2 Areas of Public–Private Collaboration on Cybersecurity. . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.3 Regulating Cybersecurity: What Are the Options?. . . . . . . . . . 11 1.3.1 Cybersecurity as a Multi-stakeholder Environment: Transformation. . . . . . . . . . . . . . . . . . 12 1.3.2 Self- and Co-regulation: Theoretical Approaches and Practical Implementation . . . . . . . . . . . . . . . . . . 16 1.3.3 Legislating Cybersecurity?. . . . . . . . . . . . . . . . . . . . 19 1.4 Existing Initiatives: From Illegal Content Towards Cyber-Resilience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 1.4.1 Fighting Cybercrime: Forms of Cooperation. . . . . . . . 21 1.4.2 Cybersecurity: A Call for More Structured Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 1.5 Problems and a Way Forward . . . . . . . . . . . . . . . . . . . . . . . 26 1.5.1 Limitations: Mandate of the Governments in Criminal Law and Security. . . . . . . . . . . . . . . . . . 27 1.5.2 Degree of Governmental Intervention . . . . . . . . . . . . 28 1.5.3 EU NIS Directive: From Voluntary Collaboration to Statutory Regulation? . . . . . . . . . . . . . . . . . . . . . 29 1.5.4 Safeguards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 vii viii Contents 1.5.5 Incentives and Costs. . . . . . . . . . . . . . . . . . . . . . . . 34 1.5.6 Way Forward: Is Statutory Regulation Still an Option?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 1.6 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 2 Evolution, Implementation and Practice of Internet Self-regulation, Co-regulation and Public–Private Collaboration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Cormac Callanan 2.1 The Birth of Self-regulation. . . . . . . . . . . . . . . . . . . . . . . . . 44 2.1.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 2.1.2 Individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 2.1.3 Company. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 2.1.4 Industry Sector. . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 2.1.5 Guided by Regulation (Sometimes Called Co-regulation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 2.1.6 Multi-stakeholder . . . . . . . . . . . . . . . . . . . . . . . . . . 46 2.1.7 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 2.1.8 Content versus Traffic. . . . . . . . . . . . . . . . . . . . . . . 48 2.1.9 Usenet News . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2.1.10 Log Records and Charging. . . . . . . . . . . . . . . . . . . . 50 2.1.11 Traditional Telecom Services . . . . . . . . . . . . . . . . . . 50 2.1.12 Open Telecommunications Market . . . . . . . . . . . . . . 52 2.1.13 Dropping Newsgroups. . . . . . . . . . . . . . . . . . . . . . . 52 2.1.14 Embryonic Self-regulation . . . . . . . . . . . . . . . . . . . . 53 2.1.15 Anecdote. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 2.1.16 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 2.2 Self-regulation Matures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 2.2.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 2.2.2 Putting Structure on Self-regulation. . . . . . . . . . . . . . 57 2.2.3 UK French Letter . . . . . . . . . . . . . . . . . . . . . . . . . . 57 2.2.4 UK Child Pornography Laws. . . . . . . . . . . . . . . . . . 60 2.2.5 The Protection of Minors and Human Dignity in Audio-Visual Services. . . . . . . . . . . . . . . . . . . . . 61 2.2.6 US Framework for Global Electronic Commerce . . . . 66 2.2.7 Global Information Networks: Realising the Potential Conference, Bonn Germany. . . . . . . . . . 68 2.2.8 Irish Working Group on Illegal and Harmful Use of the Internet . . . . . . . . . . . . . . . . . . . . . . . . . 70 2.2.9 Electronic Mail. . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 2.2.10 Newsgroups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 2.2.11 Web Browsing. . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 2.2.12 Web Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Contents ix 2.2.13 File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 2.2.14 Online Chat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 2.2.15 Child Pornography . . . . . . . . . . . . . . . . . . . . . . . . . 76 2.2.16 Recommendations of the Committee on Illegal and Harmful Use of the Internet. . . . . . . . . . . . . . . . 76 2.2.17 Internet Service Provider Associations. . . . . . . . . . . . 77 2.2.18 Bertelsmann Foundation . . . . . . . . . . . . . . . . . . . . . 79 2.2.19 EC Daphne Programme. . . . . . . . . . . . . . . . . . . . . . 80 2.2.20 EC Safer Internet Action Plan . . . . . . . . . . . . . . . . . 82 2.2.21 The INHOPE (Internet Hotline Providers of Europe) Association . . . . . . . . . . . . . . . . . . . . . . 85 2.2.22 Legislation and Conventions . . . . . . . . . . . . . . . . . . 86 2.2.23 Directive 2000/31/EC on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce . . . . . . . . . . . . . . . . . . . . . . . 87 2.2.24 The Council of Europe Cybercrime Convention . . . . . 87 2.3 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Annex—Technology Options: Internet Monitoring and Blocking . . . . 90 Appendix I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99