Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attack
Kai-Lung Hui (Hong Kong University of Science and Technology)
Seung Hyun Kim (Yonsei University)
Qiu-Hong Wang (Singapore Management University)
MIS Quarterly, Vol. 41, No. 2, pp. 497-523, June 2017
In a Nutshell
(c) Hui, Kim and Wang 2017
We study the empirical effect of international legislation on cybercrime deterrence.
Enforcing the Convention on Cybercrime:
- Reduces the number of DDOS attack victims within the enforcing countries
- Redirects DDOS attacks to non-enforcing countries
- Reduces DDOS attacks largely because of the provision of international co-operation
Implications:
- Network effect exists in international law enforcement
- Cyber criminals are rational, meaning economic incentives may work in deterring cybercrimes
- The world should work together in cybercrime deterrence!
Cybercrime
- Causes annual global loss of $400 billion, range $375-575 billion (McAfee, June 2014)
- Characteristics of cybercrimes
  - Not confined by national boundaries
  - Extremely low cost, e.g., DDoS, cross-site scripting, phishing, …
  - Low observability and hence low probability of apprehension and punishment
- Key issue: How to tackle such cybercrime?
The Big Picture
Solution
- Prevention and detection
  - Operate at the individual level
  - Do not ex ante reduce attack motivation
- Legislation
  - Heightens the penalty of aggression
  - Depending on implementation, may increase the chance of apprehension and conviction
  - Applies at the national, or even international level
  - May ex ante affect hacker decisions?
Scope of Legislation
- Domestic enforcement
- International cooperation
  - E.g., preserving data for investigating cybercrimes initiated from or targeting other countries
  - Requires similar treatment of crimes and mutual understanding of enforcement
- Cybercrime-specific international initiative: The Convention on Cybercrime (COC)
The Convention on Cybercrime (COC; European Treaty Series No. 185)
The Convention on Cybercrime
- Drafted by 41 Council of Europe member states + Canada, Japan, USA, and South Africa
- Opened for signature on November 23, 2001
- First enforced by Albania, Croatia, Estonia, Hungary, and Lithuania on July 1, 2004
- As of 2015, 49 countries signed and 47 ratified (enforced) the COC
The COC: 4 Chapters
1. Definitions
2. National-level measures
   - Establishing substantive criminal laws on offences (e.g., illegal access and interception, data and system interference, etc.)
   - Procedural laws
   - Establishment of jurisdictions over offences
3. Principles of international cooperation
   - E.g., extradition arrangement, mutual assistance
4. Scope of application, reservations, etc.
Characteristics of cybercrimes
- Not confined by national boundaries (Png et al. 2008, Kshetri 2013a, 2013b)
- Extremely low cost, e.g., DDoS, cross-site scripting, phishing, …
- Low observability and hence low probability of apprehension and punishment
- The unique profiles of cyber criminals (Kshetri 2006, 2010)
  - Minors
  - Juvenile
  - Professional syndicates
Related Literature
- The deterrence effect of perceived threat and punishment at the individual level in an organizational setting (D’Arcy et al. 2009; Johnston et al. 2015)
- Supportive evidence on deterrence effectiveness
  - Capital sanctions and execution (Yang 2008)
  - Gun-carrying laws (Lott 1997a)
  - Enforcement against rape and other sexual offences (Vaillant 2009)
- Counter evidence was also recorded (Kirchgassner 2011)
- Lack of quality data
COC: Staggered Enforcement
[Figure: number of countries per year, 2001-2015, in two series: Signature and Entry into force]
Entry into force by year:
- 2004: Albania, Croatia, Estonia, Hungary, Lithuania, Romania
- 2005: Bulgaria, Cyprus, Denmark, Macedonia, Slovenia
- 2006: France, Bosnia & Herzegovina, Norway, Ukraine
- 2007: Armenia, Finland, Iceland, Latvia, Netherlands, U.S.A.
- 2008: Italy, Slovakia
- 2009: Germany, Moldova, Serbia
- 2010: Azerbaijan, Montenegro, Portugal, Spain
- 2011: U.K.
- 2012: Austria, Belgium, Georgia, Japan, Malta, Switzerland
- 2013: Australia, Czech Republic, Dominican Republic
- 2014: Mauritius, Panama
- 2015: Luxembourg, Poland, Turkey, Canada, Sri Lanka
COC: Delay in Establishing Authorities
| Country | Enforcement date | Establishment of Responsible Authorities |
|---|---|---|
| Albania | 01/07/2004 | 19/06/2006 |
| Armenia | 01/02/2007 | 16/07/2008 |
| Bosnia and Herzegovina | 01/09/2006 | 15/11/2011 |
| Bulgaria | 01/08/2005 | 12/09/2005 |
| Croatia | 01/07/2004 | 09/01/2009 |
| Cyprus | 01/05/2005 | 05/08/2009 |
| Estonia | 01/07/2004 | 08/10/2007 |
| Slovenia | 01/01/2005 | 20/12/2006 |
| Republic of Macedonia | 01/01/2005 | 13/10/2006 |
- Article 24 – authority responsible for extradition or provisional arrest
- Article 27 – authorities responsible for mutual assistance
- Article 35 – 24/7 Network
COC: Difference in adoption
- Article 4 – Data interference
- Article 6 – Misuse of devices
- Article 11 – Attempt and aiding or abetting
- Article 14 – Scope of procedural provisions
- Article 22 – Jurisdiction
- Article 29 – Expedited preservation of stored computer data
[Table columns: Country | Article 4 | Article 6 | Article 11 | Article 14 | Article 22 | Article 29]
Countries listed: Australia*, Austria*, Azerbaijan*, Belgium*, Bulgaria, Canada*, Czech Republic*, Denmark, Finland, France, Germany*, Japan*, Latvia**, Lithuania, Montenegro*, Norway, Poland*, Slovakia, Switzerland*, Turkey*, Ukraine, U.K.*, U.S.A.
Research Questions
- Does the enforcement of the COC help deter cybercrime?
  - Do establishment of responsible authorities and the reservation of Articles matter?
- If the COC does reduce cybercrime, how does the enforcement of other countries affect a country’s victimization?
Theoretical Foundation: GDT & RAT
Potential criminals as rational actors who would weigh the benefits and costs before committing a crime (Becker 1968; Mookherjee and Png 1994)
- Criminal motivation: General deterrence theory (GDT) – improper behavior can be deterred by raising the certainty and severity of punishment (Gibbs 1975).
- Crime victimization: Routine activity theory (RAT) – crime is shaped by environmental factors, particularly the presence of a motivated offender and suitable target, and the absence of a capable guardian (Cohen and Felson 1979).
  - “someone whose mere presence serves as a gentle reminder that someone is looking” (Hollis-Peel et al. 2011).
Potential Contributions
- Pioneering evidence on whether international legislation helps curb cybercrime and how the deterrence effect is affected by implementation.
- A formal test of enforcement externality, finding that cybercrime enforcement can be complementary and drives cyber-attacks to non-enforcing countries.
- Evidence that hackers are rational and strategic
- The innovative use of backscatter data and linking international legislation and the Internet topology to analyze cyber attack paths.
COC: Does It Matter?
- 2007: Russian convicted for attacking Estonia’s government services
  - Estonia enforcement: 2004
- 2010: Programmer in USA convicted for attacking rollingstone.com in 2008
  - USA enforcement: 2007
- 2011: German convicted for cyber-extorting six online bookmakers
  - Germany enforcement: 2009
COC: Does It Matter?
From Hackforums:
“I live in a small town in Romania. Until 1 months ago I thought is no danger in hacking...I've got only a warning because I was under 18...then I realized why this happened: that was because we just joined...European Union and there are new laws in IT...from now I take care because...it never knows when the cops catch you...”
“...the law follows the same guidelines for all countries in the european union and they're very strict about that”
“There are conventions...within European Union borders he can be transported due to the crime, because of the European Unions conventions about partnership in law”
“...I would rethink your theory on Croatia not having cybercrime laws: The cybercrime convention is a European directive to which Croatia is a member state...As of 2007, Croatia integrated this into local laws...All of the offences proscribed in the Cybercrime Convention (to which Croatia is a State Party and which has been in force in Croatia since 1 July 2004), with the exception of offences that can generally be described as cyberterrorism, are incorporated into the domestic legal framework”
The Deterrence of the COC when the victim country has not enforced COC
[Diagram: hacker; zombies in countries A, B, C and D; router; victim's infrastructure. Two countries are labelled COC and two non-COC; three links are marked “?”.]
The Deterrence of the COC when the victim country has enforced COC
[Diagram: hacker; zombies in countries A, B, C and D; router; victim's infrastructure. Three countries are labelled COC and one non-COC; three links are marked “√” and one “?”.]
The Reinforcement of the COC when only two countries enforced COC
[Diagram: hacker; zombies in countries A, B, C and D; router; victim's infrastructure. Two countries are labelled COC and two non-COC; one link is marked “√” and three “?”.]
The Reinforcement of the COC when four countries enforced COC
[Diagram: hacker; zombies in countries A, B, C and D; router; victim's infrastructure. All four countries are labelled COC; five links are marked “√”.]
The Displacement of the COC: Targeting enforcing country?
[Diagram: hacker; zombies in countries A, B, C and D; two routers; victim's infrastructure. Three countries are labelled COC and one non-COC; three links are marked “√” and one “?”.]
The Displacement of the COC: Targeting non-enforcing country!
[Diagram: hacker; zombies in countries A, B, C and D; router; victim's infrastructure. Three countries are labelled COC and one non-COC; three links are marked “?”.]
Study Setting
- Distributed denial of service (DDOS) attack in 106 countries in 177 days in 2004-2008
- Why DDOS attack?
  - Most prevalent cyber attack causing great damage
  - Unambiguously criminalized by the COC
  - Conducted on a network of electronic devices, so international cooperation is relevant
Hypotheses 1: the deterrence effect of the COC
H1a (Enforcement): COC enforcement reduces the number of DDOS attack victims in the enforcing countries.
H1b (Establishing Responsible Authorities): Among enforcing countries, establishing the authority responsible for reacting to external requests for international co-operation reduces the number of DDOS attack victims more than in countries that have not established such an authority.
H1c (Reservation on international co-operation): Reservation on Article 29 (expedited preservation of stored computer data) increases the number of DDOS attack victims in the enforcing countries.
Hypotheses 2: the externalities of the COC
H2a (Network effect): The effect of COC enforcement on the number of DDOS attack victims in the enforcing countries is stronger as the enforcement in other countries increases.
H2b (Displacement): Enforcement of the COC will cause cybercrime displacement; non-enforcing countries will receive more DDOS attacks as the enforcement in other countries increases.
Attack Data
- Country-level DDOS attack data on a daily basis
- From the Cooperative Association for Internet Data Analysis (CAIDA)
- Responses sent by DDOS attack victims to spoofed traffic for at least a week-long period in each quarter between 2004 and 2008 (“backscatter” data)
Model-Free Evidence
The Model (Fixed-effects OLS)
- H1a. Enforcement indicator
- H1b. Enforcement indicators with or without the responsible authorities
- H1c. Enforcement indicators with various reservations
- Externality: the extent of enforcement in other countries, $\omega_{-i,t}$
  - H2a. Network effect
  - H2b. Displacement effect
- Cumulative domestic legislation, $L_{it}$
- Control variables, $x_{it}$
- Country and day fixed effects, $\mu_i$ and $\tau_t$
- Continuous country-specific time trends, $\gamma_i t$
- Spatial correlation consistent standard errors (Driscoll and Kraay, 1998)
Control Variables
- Socio-economic: unemployment rate, gross domestic product (GDP) per capita in PPP, number of higher education students
- IT Infrastructure: number of Internet hosts, number of Internet users, number of integrated services digital network (ISDN) subscribers, percentage of digital main lines
- Others: domestic legislations, land area
- Governance quality: control of corruption, government effectiveness, political stability and absence of violence/terrorism, regulatory quality, rule of law, voice and accountability
Descriptive statistics (106 countries, 16429 observations)
| Variable | Unit | Mean | Std. dev. | Min | Max | Source |
|---|---|---|---|---|---|---|
| COC enforcement | 1 = enforce; 0 = not enforced | 0.152 | 0.3587 | 0 | 1 | COE |
| COC signature | 1 = signed; 0 = not signed | 0.414 | 0.4925 | 0 | 1 | COE |
| Reservations | Number of reservations | 0.142 | 0.6098 | 0 | 6 | COE |
| CPHRFF enforcement | 1 = enforce; 0 = not enforced | 0.085 | 0.2789 | 0 | 1 | COE |
| Cumulative domestic legislation | Number of legislations/revisions | 1.123 | 2.464 | 0 | 36 | COE, UNODC, ITU, GCLD |
| Victim IP addresses | | 817.137 | 5,013.3900 | 0 | 91,755 | CAIDA |
| …per 1,000 Internet hosts | | 2.216 | 13.9751 | 0 | 621.359 | Self-computed |
| Internet hosts | Per 1,000 inhabitants | 87.377 | 156.7580 | 0 | 1,039.270 | CIA |
| Unemployment rate | % economically active people | 8.173 | 5.7605 | 0.400 | 37.300 | GMID |
| GDP in PPP | Thousand dollars per capita | 18.878 | 16.0343 | 0.620 | 84.249 | GMID |
| Higher education students | Per 100 inhabitants | 3.213 | 1.6346 | 0.033 | 6.713 | GMID |
| Internet users | Per 1,000 inhabitants | 356.875 | 259.8545 | 2.197 | 911.319 | GMID |
| % digital main lines | % of telephone main lines | 95.996 | 10.5286 | 34.000 | 100 | GMID |
| ISDN subscribers | Per 1,000 inhabitants | 16.822 | 32.4338 | 0 | 177.903 | GMID |
| Land area | sq. km per 1,000 inhabitants | 34.899 | 83.6094 | 0.142 | 617.118 | GMID |
| Control of corruption | Normalized index | 0.373 | 1.0340 | -1.459 | 2.591 | WGI |
| Government effectiveness | Normalized index | 0.481 | 0.9271 | -1.236 | 2.374 | WGI |
| Political stability and absence of violence/terrorism | Normalized index | 0.142 | 0.9014 | -2.550 | 1.586 | WGI |
| Regulatory quality | Normalized index | 0.495 | 0.8625 | -1.647 | 1.983 | WGI |
| Rule of law | Normalized index | 0.361 | 0.9703 | -1.734 | 2.014 | WGI |
| Voice and accountability | Normalized index | 0.299 | 0.9390 | -1.770 | 1.826 | WGI |
| % Internet users covered by others’ enforcement | | 0.120 | 0.101 | 0 | 0.285 | Self-computed |
| % AS connections to other enforcing countries | | 0.162 | 0.199 | 0 | 0.889 | CAIDA |
Identification Strategies
- Similar to DID, but staggered enforcement over time
- Upward bias due to reverse causality
- 2SLS instrumented by the enforcement of Protocol No. 12 to the Convention for the Protection of Human Rights and Fundamental Freedoms
- Falsification test replacing the enforcement indicator by signature
- Effective enforcement relies on responsible authorities
- Article 29 serves as an indirect assessment of the merit of international co-operation.
Results – Test of H1: COC deterrence effect
How to differentiate the externality?
[Diagram: countries A, B, C, D and E, each labelled COC or non-COC, connected through autonomous systems AS1 to AS12; annotations read “4/6 AS connections are between COC countries” and “2/6 AS connections are between COC countries”.]
The differential externality $\omega_{-i,t}$: No. AS connections to other enforcing countries divided by the number of AS connections to all other countries
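The AS-connection ratio defined on this slide, computed over a small constructed AS graph. This is an added illustration, not the authors' code or data: the `omega` function, the AS-to-country map and the enforcement dates are assumptions, chosen so that one country has a 4/6 share and another a 2/6 share.

```python
from datetime import date
from fractions import Fraction

# Constructed sample topology (not data from the study): AS -> country.
AS_COUNTRY = {
    "AS1": "A", "AS2": "A", "AS3": "B", "AS4": "B", "AS5": "C",
    "AS6": "C", "AS7": "D", "AS8": "D", "AS9": "E", "AS10": "E",
}
# Constructed enforcement dates; C and E never enforce in this sample.
ENFORCED_SINCE = {"A": date(2004, 7, 1), "B": date(2005, 1, 1), "D": date(2007, 1, 1)}
# Undirected AS-level links, each listed once.
AS_LINKS = [
    ("AS1", "AS2"),                                   # domestic link inside A, ignored
    ("AS1", "AS3"), ("AS1", "AS4"), ("AS2", "AS3"),   # A-B
    ("AS2", "AS7"), ("AS1", "AS5"), ("AS2", "AS9"),   # A-D, A-C, A-E
    ("AS6", "AS8"),                                   # C-D
    ("AS5", "AS9"), ("AS6", "AS10"), ("AS5", "AS10"), ("AS6", "AS9"),  # C-E
]


def omega(country, day):
    """Share of `country`'s cross-border AS links that reach countries
    (other than itself) enforcing the COC on `day`."""
    cross_border = to_enforcing = 0
    for as_a, as_b in AS_LINKS:
        c_a, c_b = AS_COUNTRY[as_a], AS_COUNTRY[as_b]
        if c_a == c_b or country not in (c_a, c_b):
            continue  # skip domestic links and links not touching `country`
        other = c_b if c_a == country else c_a
        cross_border += 1
        since = ENFORCED_SINCE.get(other)
        if since is not None and since <= day:
            to_enforcing += 1
    # Assumption: a country with no cross-border links gets omega = 0.
    return Fraction(to_enforcing, cross_border) if cross_border else Fraction(0)


if __name__ == "__main__":
    # The measure moves over time as more neighbours enforce (staggered enforcement).
    for day in (date(2004, 8, 1), date(2006, 1, 1), date(2007, 6, 1)):
        print(day, {c: str(omega(c, day)) for c in "ABCDE"})
```

Because the measure excludes the country's own status, it is defined for enforcing and non-enforcing countries alike, which is what lets the same variable enter both the network-effect (H2a) and displacement (H2b) tests.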
Results – Test of H2: Network Effects
Summary of Results
Really Deterrence?
[Figure source: Kaspersky (Q2, 2011)]
Implications
- Hackers indeed take into consideration expected cost of punishment
  - So, on top of preventive measures such as IDS, or advanced security intelligence systems, maybe the government can do more
- Timely finding because conventional approaches, such as bandwidth overprovisioning or perimeter controls, are gradually losing the battle
- Also curb insider threats, which are difficult to prevent or detect
Implications
- International cooperation matters a lot!
  - Note that DDOS is notoriously difficult to track
  - If COC enforcement works on DDOS, then we have good reason to believe it should work well on other cybercrimes (e.g., cyber extortion, phishing)
Concluding Remarks
- COC enforcement is effective from victim-side data
  - At least 11.8% reduction in DDOS attack
- Getting attacker side data will be a big leap forward, but data are difficult to come by
- Our sample – 2004 to 2008, which predates DDOS attacks motivated by political ideologies or patriotism
  - North Korea vs. South Korea and USA in 2009
  - China vs. USA in 2013
  - Taiwan and Philippines in 2013