On Wednesday 22 February the United States and The Netherlands signed a “declaration of intent” on the cooperation on fighting cyber crime. Reading the news reports three things struck me.
A good thing
Of course up front I declare that the fact that two countries signing a treaty (well, a declaration of intent. This is weaker than a treaty, isn’t it?) to cooperate, share knowledge and best practices concerning cyber crime, is news of progress in dealing with the cross border difficulties countries and agencies run into on a daily basis.
Cyber crime or security treaty?
All headlines I’ve read claim that a cyber crime “treaty” was signed. First I focus on the cyber crime.
1)Even the official communication of the Dutch government mentions cooperation on cyber crime. However looking at the statements of Secretary of Homeland Security Napolitano and Minister Opstelten of Security & Justice mainly focussed on cooperation on protecting vital infrastructure, so e.g. in making scada (supervisory control and data acquisition) systems more secure. If this is the case, we are talking cyber security and not cyber crime.
2) It isn’t a treaty, but a declaration of intent, so an intention to cooperate. So nothing is binding in any way. So we will just have to wait what comes from it. The everyday priorities and cross border cyber crime? The official Dutch government publication speaks of ‘cooperation’ (translation WdN).
Hacking is mentioned as an example of instances in which forensic investigative best practices can be exchanged, but in relation to vital infrastructure. So, is the reference wrong? Did the minister(y) mix up the two concepts? It does not appear that there is more in the text, as it is only an intent to cooperate.
Next to that hacks of these kind, i.e. on vital infrastructure, are often discussed as potential acts of cyber war. That would make that the topic also surpasses security and into the realm of cyber defence. This form of cooperation does not seem intended here.
Bilateral versus multilateral treaty
3) The other comment that I want to make, is that it is a shame that in a cross border environment as cyber crime and cyber security it apparently is still impossible or (too) hard to negotiate a cyber treaty, well declaration of intent, for 27 member states of the EU with the US. The bilateral nature of the declaration means that as soon as there is third country involved in the attack, hack, etc., cooperation ends as the limit of the treaty is reached and it is no longer effective.
This declaration of intent is a not more than a good first step, but the challenges for countries and their national jurisdictions are still stretched beyond what a national jurisdiction can achieve on the Internet as to the topics discussed here.
Wout de Natris, De Natris Consult
24 February 2012, Leiderdorp