Oleg Abdurashitov
Head of Public Affairs, APAC
The soaring cybercrime rates in the region puts increasing pressure on high-tech crime divisions of the cyber agencies and police units in ASEAN. The governments in the region respond to cyberspace challenges by bringing all-things-cyber under fewer, more competent and resourceful agencies. They also increasingly turn to regulatory measures, with many countries introducing or planning to introduce omnibus cybersecurity legislation or passing amendments to existing computer and technology crime laws.
Mostly, these laws are aimed at building capacity and framing institutional environment to address traditional cybercrime, cyberterrorism and attacks on critical infrastructure, as well as introduce basic procedures for incident reporting and information sharing. But in many cases the provisions of these fresh cyber laws also include articles criminalizing “false” or “distorted” information (Thailand), ‘information inciting any mass gatherings, or disturbing security and order’ (Vietnam) and similar definitions. Some of them are broad to the extent that the technology industry raised concern that this might lead to ‘a perception that cyber security legislation is being misused for censorship’ (Asia Internet Coalition).
Decades ago, before widespread demands to tackle ‘fake news’ and ‘negative information’, strict regulation policies as another instrument were used for limiting freedom of speech. The problem with information laws enforcement is not the very existence of regulatory constraints in the multiracial and multi-religious societies, as some may argue. Rather, grouping information crimes and ‘genuine’ cybercrimes, such as banking fraud, data theft, and network disruption under the same cyber legislation and within the same cyber division may create a set of very practical obstacles to building truly resilient cyber ecosystems.
While both type of crimes employ networks and computers, the information crimes are made of words and messages, and the hacks are made of code and commands. One targets the thoughts and actions of an individual, the other goes after the logic and functions of a machine. While distribution of ‘fake news’ or tampered content may start with a hack, or theft of confidential information or identity, not all acts defined as criminal are committed through getting illicit access to IT systems in the first place. This difference is easy to overlook on a regulatory level, but it is fundamental to understanding why cybercrime may require different approach than content violations.
Here are some of the practical challenges cyber agencies with a broad scope of responsibilities will face. On a technology side, they will have to make tough decisions while procuring content monitoring solutions or threat/malware lookup toolkits. Given the budget constraints, very few agencies have the ability to purchase both services to run on a national scale. But this critical choice defines what information the law enforcers will be getting, and what actionable intelligence will be there for them to pursue. Training people to use these tools and technologies, design investigations, identify, collect and preserve digital forensics evidence also takes time, even with the several capacity building platforms available for police officers in the region.
Fighting numerous violations in online and social media will also divert the already stretched human resources of ASEAN cyber divisions. Corporate demand for cyber professionals is running wild and high, and results in acute shortage of people with skills and expertise. Cybercrime investigators will have to prioritize between targeting cunning hackers or people who post hateful or misleading messages on social networks, as they may simply have not enough specialists to focus on both.
Even more importantly, fighting content crimes implies practices and incentives not necessarily compatible with fighting the 'traditional' cybercriminals. The content platforms are looking for ways to cooperate with the local law enforcement agencies to act on content takedown notices (see, for example, Google Transparency Report) to comply with the local regulations. The vast centralized knowledge on their users that content platforms collect may also greatly reduce the burden of collecting additional evidence.
More often than not, pursuing cybercriminals requires a very different set of technologies, expert knowledge, tools and design of public-private cooperation mechanisms. Cybercrimes are massively under-reported, sometimes because the victim may not even be aware of the attack. The number of parties involved in cybercrime is usually greater than that of content production and distribution; the evidence is piecemeal, usually scattered across many platforms and geographies, that not always willing or even able to share the required data with investigators. Finally, differences of cybercrime legislation further complicate cross-border investigations, especially given the private sector’s somewhat greater role in reporting cybercrimes and assisting investigations.
As cyber investigators know all too well, hunting down advanced cyber actors may take years of laborious investigation in several jurisdictions and, in the end, fail to deliver court-admissible evidence. No wonder that overwhelmed law enforcement officers are inclined to choose the area where the results are more certain and often accompanied by political rewards. This is partly the reason why content prosecution often gets more media spotlight than ‘genuine’ cybercrime fight.
In the end, the true cost of running cybercrime and content crime operation under the same branch of law enforcement, as it is commonplace today, comes with depleted resources of cyber divisions – and in the end, less security for users. While the society undoubtedly benefits from a healthier and better informed online discussions, it also does so from safety of digital transactions, integrity of personal data and availability of numerous cyber-enabled public services.
Moving forward, the ASEAN countries may need to seek some level of legal or institutional separation between content crimes and cyber- and cyber-enabled crimes. Singapore, the current chair of ASEAN, has set an example by addressing different types of cyberspace misuse with different sets of legislation and nodal agencies. As the ASEAN Declaration to prevent and combat cybercrime, adopted in November 2017, acknowledges ‘the importance of harmonization of laws related to cybercrime and electronic evidence’, the need for a broad multi-stakeholder dialogue on what cyber legislation is focusing at is ever more important.