At the 13th International Criminal Law Congress in Queenstown, Judge Stein Schjolberg of Norway presented a paper on, and the arguments for, an International Criminal Tribunal for Cyberspace.
Stein Schjolberg is an extraordinary Court of Appeal Judge in Norway. He was appointed as a Judge in 1984 and as the Chief Judge of Moss Tingrett Court from 1994-2010. Until 1984 he served as a prosecutor and Assistant Commissioner of Police in Oslo.
Judge Schjolberg is an international expert on cybercrime, and one of the founders of the global harmonization on computer crime legislation. He was a Fulbright-Hays Scholar at Stanford Research Institute (SRI International) in 1981-1982. In cooperation with INTERPOL he organized the First INTERPOL Training Seminar for Investigators of Computer Crime in Paris, 1981. Judge Schjolberg has served as an expert on cybercrime for several international institutions.
He has published widely on computer crime and cybercrime legislation, in addition to court technology issues. He was appointed by the National Center for State Courts, United States, as a member of the International Think Tank on Global Court Technology in 1999-2001.
Judge Schjolberg was in 2007-2008 appointed by ITU in Geneva as the Chairman of the global High-Level Experts Group (HLEG) on cybersecurity, including almost 100 experts from around the world. The HLEG published two reports in 2008, The Chairman's Report and the Global Strategic Report on Cybersecurity. Judge Schjolberg was awarded the ITU Silver Medal, in recognition of his contribution as the Chairman of the HLEG.
Judge Schjolberg is the Chair of the EastWest Institute (EWI) Cybercrime Legal Working Group. This post is an outline of his September address. His website is Cybercrime Law. This note outlines Judge Schjolberg’s paper.
The Need for an International Criminal Tribunal for Cyberspace
At the moment there is no recognised international substantive cybercrime law, although the European Convention on Cybercrime (see below) is a start. The difficulty is that several Governments, international organisations and vital private institutions in the global information and financial infrastructures have been targeted by global cyber attacks in recent years.
Cyber attacks of the most serious global concern, those that intentionally cause substantial and comprehensive disturbance of critical communications and information infrastructure, should be within the jurisdiction of an International Criminal Tribunal. Other cybercrimes such as illegal access, illegal interception, data interference, system interference, misuse of devices, forgery, fraud and offences related to child pornography could also be included in the statute. Those acts may be prosecuted domestically as well as internationally whenever the conduct is considered as cybercrime of global concern. Any intrusion upon religious or political values in cybercrime legislation is a matter that Judge Schjolberg considers should be avoided.
Judge Schjolberg considers that
“the International Tribunal should have the power to prosecute persons committing or ordering to be committed the most serious violations of international cybercrime law, namely the following acts committed wilfully against computer systems, information systems, data, information or other property protected under the relevant international criminal law; by destroying, damaging or rendering unusable critical communication and information infrastructures, causing substantial and comprehensive damage to or interference with national security, civil defence, public administration and services, public health and safety, or banking and financial services.”
In 2010 four main working groups were established in order to make recommendations for new international legal responses to cybercrime. The United Nations initiated a comprehensive study of the problem of cybercrime. The Twelfth United Nations Congress on Crime Prevention and Criminal Justice, held in Salvador, Brazil, in April 2010, recommended in the Salvador Declaration, article 42, to invite the UN Commission on Crime Prevention and Criminal Justice to convene an open-ended intergovernmental expert group to conduct a comprehensive study on the problem of cybercrime as well as the response to it. The recommendation was adopted by the Commission, and by the United Nations General Assembly in its Resolution 65/230. This comprehensive study is to examine the topics “with a view to examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime”.
On June 27th 2010 the EastWest Institute established a cybercrime legal working group in order to advance consideration of a treaty or a set of treaties on cybersecurity and cybercrime. The members are independent non-governmental global experts on cybersecurity and cybercrime. The working group is to develop recommendations for potential new legal mechanisms on combating cybercrime and cyber attacks and develop a consensus-building set of proposals related to international law. The group had its first meeting in Brussels on March 1-2 2010. To obtain the widest range of input, it is desirable to include the global private sector and industry in such working groups in the process of establishing a global treaty or a set of treaties on cybersecurity and cybercrime.
The United States and the European Union established a working group on cybersecurity and cybercrime at the EU/US summit in November 2010. The group is tasked with developing collaborative approaches to a wide range of cybersecurity and cybercrime issues. Among its efforts is advancing the Council of Europe Convention on Cybercrime, including a programme to expand accession by all EU member States, and collaboration to assist States outside the region in meeting its standards and becoming parties.
Commonwealth leaders at a meeting for Law Ministers and Attorneys General from 44 countries in Sydney in July 2011 recommended that the Commonwealth Secretary establish a multi-disciplinary working group of experts. The purpose of this group is to
“review the practical implications of cybercrime in the Commonwealth and identify the most effective means of international co-operation and enforcement, taking into account, amongst others, the Council of Europe convention on cybercrime, without duplicating the work of other international bodies”.
The Convention on Cybercrime
The 2001 Council of Europe Convention on Cybercrime was an historic milestone in the war against cybercrime and came into force on 1 July 2004. 32 States have ratified the Convention. Russia, however, has not signed the Convention and has made a statement that it does not accept all of its articles. By ratifying or acceding to the Convention, States agree to ensure that their domestic laws criminalise the conduct described in the substantive criminal law section.
The Convention on Cybercrime is an example of a legal measure. Although it is of a regional nature, other countries might consider acceding to the Convention, or using it as a guideline, or at least as a reference, for developing their internal legislation by implementing the standards and principles it contains in accordance with their own legal system and practice.
However the Convention, it should be remembered, is based upon criminal cyber conduct of the late 1990s. New methods of conduct in cyberspace underpinned by criminal intent must be addressed by the criminal law. Phishing, botnets, spam, identity theft, crime in virtual worlds, terrorist use of the internet and massive co-ordinated cyber attacks against information infrastructures must be considered.
Governmental and vital private institutions in the global information and financial infrastructure have been targeted by global cyber attacks. In 2011 the UK Government was a target when cyber attacks were launched on Whitehall and the defence industry. Both the Canadian and South Korean Governments suffered global cyber attacks. In Australia the computer system in the Parliament was accessed in March 2011 by global cyber attacks and the Prime Minister’s and several Ministers’ computers may have been compromised. The European Union has been targeted by cyber attacks, and the Commission of the European Union and, in 2011, the EU External Actions Service became the victims of a large-scale cyber attack that severely affected email systems. The French Government experienced cyber attacks on the country’s finance, economy and unemployment ministry in 2010 and 2011 over a 2-month period before the G20 meeting. In private industry, the UK and US Stock Exchanges have been the targets of global cyber attacks aimed at spreading panic in leading global financial markets. The parent company of NASDAQ in New York has been one of the victims and, in conjunction with Wikileaks, global cyber attacks were launched against Visa, Mastercard and Paypal.
These are only a few examples from some countries, and they demonstrate that critical information infrastructures may be under attack. The issue of cyber attacks, the nature of cyber crime and the threat to critical information infrastructure is not imaginary. It is here and now. Cyber attacks on sensitive national information infrastructure are rapidly emerging as one of the most alarming national security threats that may be faced by a State and are becoming matters of global concern.
Setting Up the International Criminal Tribunal for Cyberspace
Judge Schjolberg has proposed a Tribunal to deal with criminal global cyber attacks against critical Government and private industry information infrastructures, or where such cyber attacks endanger peace. He proposed that one way this could be achieved is by expanding the jurisdiction of the International Criminal Court, whilst recognising that any such ratification would have to be accepted by China, Russia, and the United States to have any realistic effect. He considered that some form of Tribunal is currently the only global alternative. It may be that in the future the global community could then try for a more permanent global court solution for cyberspace.
Judge Schjolberg considered that under Chapter 7 of the United Nations Charter, the UN Security Council could establish an International Criminal Tribunal for Cyberspace for the investigation, prosecution and sentencing for global cyber attacks. He considered that the framework of the United Nations Charter was the most effective means for this, given that it would be binding on all members of the United Nations.
There are precedents for such activity. The Security Council asserted its rights, authority and jurisdiction based on the Charter when it established the International Criminal Tribunal for Rwanda and the International Criminal Tribunal for the former Yugoslavia. In the case of the International Criminal Tribunal for Cyberspace, the UN Security Council would have the authority to refer cases to it and could request an investigation.
Judge Schjolberg considers cyberspace the fifth common space after land, sea, air, and outer space. There is great need for co-ordination, co-operation and legal measures among all nations. Superintendence of behaviour with global consequences to information or information infrastructure is largely uncoordinated and limited to local or domestic law. Judge Schjolberg considers that it is necessary to make the international community aware of the need for a global response to urgent and increasing cyber threats and acts of cyber warfare.
An International Criminal Tribunal for Cyberspace would be fully independent and would be established to ensure that the gravest global cyber attacks in cyberspace do not go unpunished.
Judge Schjolberg considered that the chamber of an International Criminal Tribunal for Cyberspace should consist of 16 permanent Judges all appointed by the United Nations. These Judges could be divided between 3 trial chambers and 1 appeals chamber. Judges would be appointed for a period of less than 4 years.
Another alternative may be that 5 of the permanent judges be appointed from each of the 5 veto holding permanent members of the United Nations Security Council. He considered that the seat of the International Criminal Tribunal could be The Hague or Singapore or both.
Prosecution of International Cybercrime
The prosecutor would be a separate part of the International Criminal Tribunal for Cyberspace and be responsible for the investigation and prosecution of the most serious cyber attacks or cybercrimes of global concern. The prosecutor’s office should be independent not only of the Security Council, but also of any state or any international organisation or other organs of the Tribunal. The prosecutor should not seek or receive instructions from any Government or from any external source but could be advised by the prosecutor’s advisory board that may consist of 5 prosecutors appointed from the 5 veto wielding permanent members of the UN Security Council.
Judge Schjolberg proposes another possibility. Perhaps the advisory board members could each have the power to veto any indictments before the International Criminal Tribunal for Cyberspace. However, abstention should not be regarded as a veto.
Procedural matters would not be subject to a veto and the veto should not be used to prevent a decision by the prosecutor to open any investigation or to avoid discussion of an issue.
The prosecutor’s office would be assisted in the investigation of cyber attacks by global enforcement through co-ordination with Interpol and a global virtual task force.
The Global Assembly of Interpol has approved the establishment of the Interpol Global Complex for Innovation (IGCI) which includes a digital crime centre based in Singapore. It is expected to go into full operation in 2014 and to employ a staff of 300 people.
The Interpol Digital Crime Centre (IDCC) would be active in 3 main areas – cybercrime investigative support, research and innovation and cybersecurity. The IDCC is expected to
“serve as a global hub for cybercrime issues, co-ordinating with national cybercrime investigators and authorities in Interpol’s member countries and with private partners in the technology industry. The IDCC will bring all affected groups together to generate innovative solutions leading to the ultimate goal of creating a secure cyber world”.
In addition the prosecutor’s office would have the power to seek the most efficient assistance from experts in a global virtual task force established with key stakeholders in the global information and communications technology industry, the financial services industry, the private sector, non-governmental organisations, academia and global law enforcement through Interpol. Experts could be sourced from Google, Facebook, YouTube, Apple, Microsoft and similar organisations. The global virtual task force should work together in a strong partnership to co-ordinate, integrate and share information for the prevention and effective combating of global cybercrimes and deliver real time responses to cyber attacks. Their goal should be to ensure that all global means and resources available are used to prevent, identify and take real time actions against cyber threats.
Judge Schjolberg’s proposals are an example of the incremental growth of international institutions designed to deal with conduct that has a global impact. It seems that there is a recognition of the problem by the international community. Judge Schjolberg’s proposed solution is on the table. We await further developments or proposals with interest.