Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attack
Kai-Lung Hui (Hong Kong University of Science and Technology), Seung Hyun Kim (Yonsei University), Qiu-Hong Wang (Singapore Management University)
MIS Quarterly, Vol. 41, No. 2, pp. 497-523, June 2017

Post on 22-Jan-2018

Page 1: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attack

Kai-Lung Hui (Hong Kong University of Science and Technology)

Seung Hyun Kim (Yonsei University)

Qiu-Hong Wang (Singapore Management University)

MIS Quarterly, Vol. 41, No. 2, pp. 497-523, June 2017

Page 2: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

In a Nutshell

We study the empirical effect of international legislation on cybercrime deterrence

Enforcing the Convention on Cybercrime:
- Reduces the number of DDOS attack victims within the enforcing countries
- Redirects DDOS attacks to non-enforcing countries
- Reduces DDOS attacks largely because of the provision of international co-operation

Implications:
- Network effect exists in international law enforcement
- Cyber criminals are rational, meaning economic incentives may work in deterring cybercrimes
- The world should work together in cybercrime deterrence!

(c) Hui, Kim and Wang 2017

Page 3: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Cybercrime
- Causes annual global loss of $400 billion, range $375-575 billion (McAfee, June 2014)
- Characteristics of cybercrimes
  - Not confined by national boundaries
  - Extremely low cost (e.g., DDoS, cross-site scripting, phishing, …)
  - Low observability and hence low probability of apprehension and punishment
- Key issue: How to tackle such cybercrime?

Page 4: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Big Picture


Page 5: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Solution

- Prevention and detection
  - Operate at the individual level
  - Do not ex ante reduce attack motivation
- Legislation
  - Heightens the penalty of aggression
  - Depending on implementation, may increase the chance of apprehension and conviction
  - Applies at the national, or even international level
  - May ex ante affect hacker decisions?

Page 6: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Scope of Legislation

- Domestic enforcement
- International cooperation
  - E.g., preserving data for investigating cybercrimes initiated from or targeting other countries
  - Requires similar treatment of crimes and mutual understanding of enforcement
- Cybercrime specific international initiative: The Convention on Cybercrime (COC)

Page 7: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Convention on Cybercrime (COC; European Treaty Series No. 185)

Page 8: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Convention on Cybercrime
- Drafted by 41 Council of Europe member states + Canada, Japan, USA, and South Africa
- Opened for signature on November 23, 2001
- First enforced by Albania, Croatia, Estonia, Hungary, and Lithuania on July 1, 2004
- As of 2015, 49 countries signed and 47 ratified (enforced) the COC

Page 9: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The COC: 4 Chapters
1. Definitions
2. National-level measures
   - Establishing substantive criminal laws on offences (e.g., illegal access and interception, data and system interference, etc.)
   - Procedural laws
   - Establishment of jurisdictions over offences
3. Principles of international cooperation
   - E.g., extradition arrangement, mutual assistance
4. Scope of application, reservations, etc.

Page 10: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Characteristics of cybercrimes
- Not confined by national boundaries (Png et al. 2008, Kshetri 2013a, 2013b)
- Extremely low cost
  - e.g., DDoS, cross-site scripting, phishing, …
- Low observability and hence low probability of apprehension and punishment
- The unique profiles of cyber criminals (Kshetri 2006, 2010)
  - Minors
  - Juvenile
  - Professional syndicates

Page 11: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Related Literature

- The deterrence effect of perceived threat and punishment at the individual level in an organizational setting (D’Arcy et al. 2009; Johnston et al. 2015)
- Supportive evidence on deterrence effectiveness
  - Capital sanctions and execution (Yang 2008)
  - Gun-carrying laws (Lott 1997a)
  - Enforcement against rape and other sexual offences (Vaillant 2009)
- Counter evidence was also recorded (Kirchgassner 2011)
- Lack of quality data

Page 12: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

COC: Staggered Enforcement

[Chart: number of countries per year, 2001 to 2015; series: Signature, Entry into force]

2004: Albania, Croatia, Estonia, Hungary, Lithuania, Romania
2005: Bulgaria, Cyprus, Denmark, Macedonia, Slovenia
2006: France, Bosnia & Herzegovina, Norway, Ukraine
2007: Armenia, Finland, Iceland, Latvia, Netherlands, U.S.A.
2008: Italy, Slovakia
2009: Germany, Moldova, Serbia
2010: Azerbaijan, Montenegro, Portugal, Spain
2011: U.K.
2012: Austria, Belgium, Georgia, Japan, Malta, Switzerland
2013: Australia, Czech Republic, Dominican Republic
2014: Mauritius, Panama
2015: Luxembourg, Poland, Turkey, Canada, Sri Lanka

Page 13: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

COC: Delay in Establishing Authorities

Country | Enforcement date | Establishment of Responsible Authorities
--- | --- | ---
Albania | 01/07/2004 | 19/06/2006
Armenia | 01/02/2007 | 16/07/2008
Bosnia and Herzegovina | 01/09/2006 | 15/11/2011
Bulgaria | 01/08/2005 | 12/09/2005
Croatia | 01/07/2004 | 09/01/2009
Cyprus | 01/05/2005 | 05/08/2009
Estonia | 01/07/2004 | 08/10/2007
Slovenia | 01/01/2005 | 20/12/2006
Republic of Macedonia | 01/01/2005 | 13/10/2006

- Article 24 – authority responsible for extradition or provisional arrest
- Article 27 – authorities responsible for mutual assistance
- Article 35 – 24/7 Network

Page 14: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

COC: Difference in adoption

- Article 4 – Data interference
- Article 6 – Misuse of devices
- Article 11 – Attempt and aiding or abetting
- Article 14 – Scope of procedural provisions
- Article 22 – Jurisdiction
- Article 29 – Expedited preservation of stored computer data

Country | Article 4 | Article 6 | Article 11 | Article 14 | Article 22 | Article 29

Australia*, Austria*, Azerbaijan*, Belgium*, Bulgaria, Canada*, Czech Republic*, Denmark, Finland, France, Germany*, Japan*, Latvia**, Lithuania, Montenegro*, Norway, Poland*, Slovakia, Switzerland*, Turkey*, Ukraine, U.K.*, U.S.A.

Page 15: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Research Questions

- Does the enforcement of the COC help deter cybercrime?
  - Do the establishment of responsible authorities and the reservation of Articles matter?
- If the COC does reduce cybercrime, how does the enforcement of other countries affect a country’s victimization?

Page 16: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Theoretical Foundation: GDT & RAT

Potential criminals as rational actors who would weigh the benefits and costs before committing a crime (Becker 1968; Mookherjee and Png 1994)

Criminal motivation
General deterrence theory (GDT) – improper behavior can be deterred by raising the certainty and severity of punishment. (Gibbs 1975)

Crime victimization
Routine activity theory (RAT) – crime is shaped by environmental factors, particularly the presence of a motivated offender and suitable target, and the absence of a capable guardian (Cohen and Felson 1979).

“someone whose mere presence serves as a gentle reminder that someone is looking” (Hollis-Peel et al. 2011).

Page 17: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Potential Contributions

- Pioneering evidence on whether international legislation helps curb cybercrime and how the deterrence effect is affected by implementation.
- A formal test of enforcement externality, finding that cybercrime enforcement can be complementary and drives cyber-attacks to non-enforcing countries.
- Evidence that hackers are rational and strategic
- The innovative use of backscatter data and linking international legislation and the Internet topology to analyze cyber attack path.

Page 18: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

COC: Does It Matter?
- 2007: Russian convicted for attacking Estonia’s government services
  - Estonia enforcement: 2004
- 2010: Programmer in USA convicted for attacking rollingstone.com in 2008
  - USA enforcement: 2007
- 2011: German convicted for cyber-extorting six online bookmakers
  - Germany enforcement: 2009

Page 19: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

COC: Does It Matter?

From Hackforums:

“I live in a small town in Romania. Until 1 months ago I thought is no danger in hacking...I've got only a warning because I was under 18...then I realized why this happened: that was because we just joined...European Union and there are new laws in IT...from now I take care because...it never knows when the cops catch you...”

“...the law follows the same guidelines for all countries in the european union and they're very strict about that”

“There are conventions...within European Union borders he can be transported due to the crime, because of the European Unions conventions about partnership in law”

“...I would rethink your theory on Croatia not having cybercrime laws: The cybercrime convention is a European directive to which Croatia is a member state...As of 2007, Croatia integrated this into local laws...All of the offences proscribed in the Cybercrime Convention (to which Croatia is a State Party and which has been in force in Croatia since 1 July 2004), with the exception of offences that can generally be described as cyberterrorism, are incorporated into the domestic legal framework”

Page 20: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Deterrence of the COC when the victim country has not enforced COC

[Diagram: Hacker; zombies in countries A, B, C and D; Router; Victim's infrastructure. Labels: COC country, Non-COC country, "?"]

Page 21: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Deterrence of the COC when the victim country has enforced COC

[Diagram: Hacker; zombies in countries A, B, C and D; Router; Victim's infrastructure. Labels: COC country, Non-COC country, "?", "√"]

Page 22: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Reinforcement of the COC when only two countries enforced COC

[Diagram: Hacker; zombies in countries A, B, C and D; Router; Victim's infrastructure. Labels: COC country, Non-COC country, "?", "√"]

Page 23: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Reinforcement of the COC when four countries enforced COC

[Diagram: Hacker; zombies in countries A, B, C and D; Router; Victim's infrastructure. Labels: COC country]

Page 24: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Displacement of the COC
Targeting enforcing country?

[Diagram: Hacker; zombies in countries A, B, C and D; Routers; Victim's infrastructure. Labels: COC country, Non-COC country, "?", "√"]

Page 25: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Displacement of the COC
Targeting non-enforcing country!

[Diagram: Hacker; zombies in countries A, B, C and D; Router; Victim's infrastructure. Labels: COC country, Non-COC country, "?"]

Page 26: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Study Setting
- Distributed denial of service (DDOS) attack in 106 countries in 177 days in 2004-2008
- Why DDOS attack?
  - Most prevalent cyber attack causing great damage
  - Unambiguously criminalized by the COC
  - Conducted on a network of electronic devices; international cooperation is relevant

Page 27: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Hypotheses 1: the deterrence effect of the COC

H1a (Enforcement): COC enforcement reduces the number of DDOS attack victims in the enforcing countries.

H1b (Establishing Responsible Authorities): Among enforcing countries, establishing the authority responsible for reacting to external requests for international co-operation reduces the number of DDOS attack victims more than those that have not established such an authority.

H1c (Reservation on international co-operation): Reservation on Article 29 (expedited preservation of stored computer data) increases the number of DDOS attack victims in the enforcing countries.

Page 28: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Hypotheses 2: the externalities of the COC

H2a (Network effect): The effect of COC enforcement on the number of DDOS attack victims in the enforcing countries is stronger as the enforcement in other countries increases.

H2b (Displacement): Enforcement of the COC will cause cybercrime displacement; non-enforcing countries will receive more DDOS attacks as the enforcement in other countries increases.


Page 29: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Attack Data

- Country-level DDOS attack data on a daily basis
- From the Cooperative Association for Internet Data Analysis (CAIDA)
- Responses sent by DDOS attack victims to spoofed traffic for at least a week-long period in each quarter between 2004 and 2008 (“backscatter” data)

Page 30: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Model-Free Evidence


Page 31: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

The Model (Fixed-effects OLS)

[Model equation with labelled terms]

- H1a. Enforcement indicator
- H1b. Enforcement indicators with or without the responsible authorities
- H1c. Enforcement indicators with various reservations
- H2a. Network effect
- H2b. Displacement effect
- Externality
- The extent of enforcement in other countries, ω_{-i,t}
- Cumulative domestic legislation, L_it
- Control variables, x_it
- Country and day fixed effects, μ_i and τ_t
- Continuous country-specific time trends, γ_i t
- Spatial correlation consistent standard errors (Driscoll and Kraay, 1998)

Page 32: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Control Variables
- Socio-economic: unemployment rate, gross domestic product (GDP) per capita in PPP, number of higher education students
- IT Infrastructure: number of Internet hosts, number of Internet users, number of integrated services digital network (ISDN) subscribers, percentage of digital main lines
- Others: domestic legislations, land area
- Governance quality: control of corruption, government effectiveness, political stability and absence of violence/terrorism, regulatory quality, rule of law, voice and accountability

Page 33: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Descriptive statistics (106 countries, 16429 observations)

Variable | Unit | Mean | Std. dev. | Min | Max | Source
--- | --- | --- | --- | --- | --- | ---
COC enforcement | 1 = enforce; 0 = not enforced | 0.152 | 0.3587 | 0 | 1 | COE
COC signature | 1 = signed; 0 = not signed | 0.414 | 0.4925 | 0 | 1 | COE
Reservations | Number of reservations | 0.142 | 0.6098 | 0 | 6 | COE
CPHRFF enforcement | 1 = enforce; 0 = not enforced | 0.085 | 0.2789 | 0 | 1 | COE
Cumulative domestic legislation | Number of legislations/revisions | 1.123 | 2.464 | 0 | 36 | COE, UNODC, ITU, GCLD
Victim IP addresses | | 817.137 | 5,013.3900 | 0 | 91,755 | CAIDA
…per 1,000 Internet hosts | | 2.216 | 13.9751 | 0 | 621.359 | Self-computed
Internet hosts | Per 1,000 inhabitants | 87.377 | 156.7580 | 0 | 1,039.270 | CIA
Unemployment rate | % economically active people | 8.173 | 5.7605 | 0.400 | 37.300 | GMID
GDP in PPP | Thousand dollars per capita | 18.878 | 16.0343 | 0.620 | 84.249 | GMID
Higher education students | Per 100 inhabitants | 3.213 | 1.6346 | 0.033 | 6.713 | GMID
Internet users | Per 1,000 inhabitants | 356.875 | 259.8545 | 2.197 | 911.319 | GMID
% digital main lines | % of telephone main lines | 95.996 | 10.5286 | 34.000 | 100 | GMID
ISDN subscribers | Per 1,000 inhabitants | 16.822 | 32.4338 | 0 | 177.903 | GMID
Land area | sq. km per 1,000 inhabitants | 34.899 | 83.6094 | 0.142 | 617.118 | GMID
Control of corruption | Normalized index | 0.373 | 1.0340 | -1.459 | 2.591 | WGI
Government effectiveness | Normalized index | 0.481 | 0.9271 | -1.236 | 2.374 | WGI
Political stability and absence of violence/terrorism | Normalized index | 0.142 | 0.9014 | -2.550 | 1.586 | WGI
Regulatory quality | Normalized index | 0.495 | 0.8625 | -1.647 | 1.983 | WGI
Rule of law | Normalized index | 0.361 | 0.9703 | -1.734 | 2.014 | WGI
Voice and accountability | Normalized index | 0.299 | 0.9390 | -1.770 | 1.826 | WGI
% Internet users covered by others’ enforcement | | 0.120 | 0.101 | 0 | 0.285 | Self-computed
% AS connections to other enforcing countries | | 0.162 | 0.199 | 0 | 0.889 | CAIDA

Page 34: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Identification Strategies
- Similar to DID, but staggered enforcement over time
- Upward bias due to reverse causality
- 2SLS instrumented by the enforcement of Protocol No. 12 to the Convention for the Protection of Human Rights and Fundamental Freedoms
- Falsification test replacing the enforcement indicator by signature
- Effective enforcement relies on responsible authorities
- Article 29 serves as an indirect assessment of the merit of international co-operation.

Page 35: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Results – Test of H1: COC deterrence effect


Page 36: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

How to differentiate the externality?

[Diagram: countries A, B, C, D and E, labelled COC country or Non-COC country, joined by links between autonomous systems AS1 to AS12. Annotations: "4/6 AS connections are between COC countries"; "2/6 AS connections are between COC countries"]

The differential externality ω_{-i,t}: number of AS connections to other enforcing countries divided by the number of AS connections to all other countries
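An added example, not code from the slides or the paper: it computes the differential externality ω_{-i,t} as defined on this slide for a small AS topology, and shows the value rising as neighbouring countries reach their enforcement dates. The AS numbers, links and enforcement dates are constructed so that countries A and C end at 4/6 and 2/6; treating links as undirected, de-duplicated AS pairs and ignoring domestic links are assumptions.

```python
from datetime import date
from fractions import Fraction

# Constructed sample data (not from the slides): AS number -> country,
# using the slide's country labels A-E.
AS_COUNTRY = {1: "A", 2: "A", 3: "B", 4: "B", 5: "C",
              6: "C", 7: "D", 8: "D", 9: "E", 10: "E"}

# Constructed enforcement dates; C and E never enforce in this sample.
ENFORCED_ON = {"A": date(2004, 7, 1), "B": date(2005, 1, 1),
               "D": date(2007, 1, 1)}

# Constructed AS-level adjacencies. (1, 2) and (5, 6) are domestic and
# (3, 1) repeats (1, 3) in the other direction; neither should be counted.
AS_LINKS = [(1, 2), (1, 3), (3, 1), (2, 3), (2, 4), (1, 7), (1, 5), (2, 9),
            (5, 6), (6, 7), (5, 9), (6, 9), (5, 10), (6, 10)]


def cross_border_links(links=AS_LINKS, as_country=AS_COUNTRY):
    """Undirected, de-duplicated AS pairs whose endpoints are in different countries."""
    return {frozenset(pair) for pair in links
            if as_country[pair[0]] != as_country[pair[1]]}


def has_enforced(country, day, enforced_on=ENFORCED_ON):
    """True once the country's enforcement date has been reached."""
    start = enforced_on.get(country)
    return start is not None and start <= day


def omega(country, day, links=AS_LINKS, as_country=AS_COUNTRY,
          enforced_on=ENFORCED_ON):
    """Share of `country`'s cross-border AS connections that end in another
    country enforcing on `day`; None if it has no cross-border connection."""
    total = enforcing = 0
    for pair in cross_border_links(links, as_country):
        ends = {as_country[asn] for asn in pair}
        if country not in ends:
            continue
        (other,) = ends - {country}   # the country at the far end of the link
        total += 1
        enforcing += has_enforced(other, day, enforced_on)
    return Fraction(enforcing, total) if total else None


def omega_series(country, days):
    """omega for one country across several observation days."""
    return [(day, omega(country, day)) for day in days]


if __name__ == "__main__":
    days = [date(2004, 8, 1), date(2006, 1, 1), date(2008, 1, 1)]
    for c in "AC":
        for day, w in omega_series(c, days):
            print(c, day, w, f"= {float(w):.3f}")
```

A country's own enforcement status never enters its ω_{-i,t}: C does not enforce in this sample, yet its value still rises as A and D do.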

Page 37: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Results – Test of H2: Network Effects


Page 38: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Summary of Results


Page 39: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Really Deterrence?

Kaspersky (Q2, 2011)

Page 40: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Implications
- Hackers indeed take into consideration expected cost of punishment
- So, on top of preventive measures such as IDS, or advanced security intelligence systems, maybe the government can do more
- Timely finding because conventional approaches, such as bandwidth overprovisioning or perimeter controls, are gradually losing the battle
- Also curb insider threats, which are difficult to prevent or detect

Page 41: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Implications
- International cooperation matters a lot!
- Note that DDOS is notoriously difficult to track
- If COC enforcement works on DDOS, then we have good reason to believe it should work well on other cybercrimes (e.g., cyber extortion, phishing)

Page 42: Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks

Concluding Remarks
- COC enforcement is effective from victim-side data
  - At least 11.8% reduction in DDOS attack
- Getting attacker side data will be a big leap forward, but data are difficult to come by
- Our sample – 2004 to 2008, which predates DDOS attacks motivated by political ideologies or patriotism
  - North Korea vs. South Korea and USA in 2009
  - China vs. USA in 2013
  - Taiwan and Philippines in 2013