The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
>> MODERATOR: Hello. (echo) You don't need to hear me twice. Okay. Hello. And good afternoon, everybody. Thank you very much for joining this session. You already win a prize for having been able to find this room down in the bunker, so thank you very much to having made your way here.
It's really a great pleasure to be hosting this session on cyberattacks and e‑evidence, attribution and accountability organized by the Council of Europe. I know it's been a very busy and intense week, so thank you for sticking with it on the Thursday afternoon and joining us for this discussion.
My name is Martha Stickings. I work at the Council of Europe cybercrime program office based in Bucharest in Romania.
I think we are by this point all really rather too familiar with the profound damage that is caused by cyberattacks, and that is damage to individuals who see their human rights violated, to companies and businesses which suffer financial and reputational damage, to public bodies and critical infrastructure. For example, some of the reprehensible attacks that we saw on health care institutions during the pandemic.
Of course, also damage to our democratic institutions through election interference and misinformation.
Taken together, these really mean that cyberattacks undermine the core values of our societies, of democracy, human rights, the rule of law, and of course they pose a threat to international peace and security, and we have unfortunately, a very clear example of that at the moment in the extensive cyberattacks that have been conducted by Russia as part of its aggression against Ukraine.
This situation with respect to cyberattacks is really made more difficult by the chronic challenges that we face in bringing perpetrators of cyberattacks to justice. It's estimated that less than .1% of cybercrimes are successfully prosecuted and this is an accountability gap where criminals are simply not being brought to justice for the offenses that they commit.
A large part of the challenge is the difficulties that we face in securing and accessing the electronic evidence that is critical to correctly attributing these crimes to their perpetrators, to detecting their offenses in the first place, identifying the criminals responsible, and collecting the evidence that is needed to prosecute them. Obtaining electronic evidence is a complex challenge. Electronic evidence is inherently volatile, very easy to be deleted or altered. It's often stored in foreign, multiple, or sometimes unknown jurisdictions, requiring effective international criminal justice cooperation to access. Of course, electronic evidence is frequently held by private sector entities, which means we have to find effective ways for criminal justice systems to be able to cooperate with these companies.
Of course, all of this requires effective safeguards to ensure that government‑to‑government, and public/private cooperation is in line with both rule of law standards and human rights principles.
This really raises a number of different issues, questions around how can we improve the attribution of cyberattacks and other crimes involving electronic evidence, what is needed to ensure that the perpetrators of such acts are held accountable for their crimes, what are the tools that we have available to us to be able to obtain electronic evidence, and how can we guarantee that human rights and rule‑of‑law standards are upheld in our efforts to combat cybercrime?
Now, these not‑so easy questions with simple answers, but fortunately, we have a stellar panel of experts from across the world that can help us to navigate some of these questions. So, really, I'm delighted to be joined here in person by Estoban who is a Prosecutor at the cybercrime unit of the Prosecutor's Office in San Jose in Costa Rica, and as I know we've traveled together and come a very long way to be here. Thank you very much, Estoban.
Online, also we have a number of different speakers which I hope you will be able to see shortly. We have Head of Cyber Strategy and Capacity Development at Interpulse cybercrime directorate. Wendy Bett Director of eyeWitness to atrocities, which is an organization established by the international bar association that combines law and technology to promote accountability for serious international crimes. And last but certainly not least, is Alexander Seger who is Executive Secretary of the Cyber Crime Convention committee and head of the cybercrime program office at the Council of Europe.
The report for the session is Jacquline Fett who is not with us today but will be closely following the discussions and capturing all of the experiences, recommendations and takeaways stemming from this session.
Now, I have to say while we're very fortunate to be able to listen to the experience and expertise of our speakers, we also very much want to hear from you, the audience. We have a dedicated microphone to be hearing from you, and we'll make sure that there is time left at the end of the session for your questions, comments, reflections on what you've heard, so please be thinking of what you might want to ask and don't be shy to bring your experiences and your contributions to the discussion.
Now, I think that's quite enough from me, so now really, it's time to hear from our speakers. To start with, we would like to just delve a little bit deeper into some of the challenges that practitioners face in investigating and prosecuting cyberattacks, and for that I would like to turn first its Pei Ling and ask her to please tell us a little bit about the current threats and trends when it comes to cyberattacks and electronic evidence from the Interpol perspective. So, please, over to you.
>> PEI LING: Hi, are you able to hear me? All right. Okay. Let me just see if I can turn my camera on. All right.
>> MODERATOR: Now we can see and hear you. I think we need the volume up a bit.
>> PEI LING: Is this better now?
>> MODERATOR: Better but I think still up a bit. Please go ahead.
>> AUDIENCE MEMBER: Online the sound is fine.
>> MODERATOR: Okay. Thanks. Pei Ling, please, go ahead. Okay. I think, Pei Ling we don't hear you anymore room anymore. Perhaps if you could try joining with a headset that would be great. In the meantime then, I will turn to Estoban who can talk a bit about the fact that earlier this year, Costa Rica's government faced several weeks ransomeware attacks that required the country to take a state of emergency. Could you tell us a bit of what happened and lessons you've learned to the response of the attack.
>> ESTOBAN: Thank you. Good afternoon. First of all, I want to apologize to you because my English is poor. I will try to do my participation in Spanish, because I suppose that we're going to have a translation. I'm going to speak in Spanish.
Okay. I will try with the bad English because I think we can't hear the translation. As many of you know, my country Costa Rica in the current year during the months of April and May, was a victim of ransomware attacks directed toward national entities and government structures and institutions of great relevance.
The first you a fence committed by the criminal organization (?) was an attack of the computer systems of many public entities, the most affected was the Ministry of Finance and resulted in a great economic loss for the government and for the civilians who use the systems. While the second attack was carried out by the criminal group, Nosaif, the second event attacked the Costa Rica public health system which is highly relevant since it is for the entire country and provides free care for the entire population also.
Now days Costa Rica is still in the recovery phase, however after this catastrophe, we have learned a series of lessons which we consider to be extremely valuable and should be transmitted to the rest of the world. Those are countries, companies, and organizations must invest in cybersecurity. These must be a priority subject and the creation of internal policies is necessary so that the governments, private companies, academia, and cyber society can jointly give response to the need for human technical input to meet such needs taken as a priority to protection of critical government entities.
Law enforcement must have technical staff with the necessary skills to provide attention and investigation to ransomeware crime. Unfortunately, in Costa Rica, we don't have yet a staff with such skills, and it is essential to be able to obtain evidence and elements that will give a good direction to the investigation. This would also make it possible to attribute the commission of crime to a person, and eventually prosecute it in the criminal justice system.
We know that this is extremely complicated due to the greater technology ‑‑ technological sophistication used by criminals and also because of the time that elapses is essential for the recovery of useful evidence for the case. Another thing is that the international cooperation and joint investigations are absolutely necessary.
In a specific case for my country, it was extremely important to have the help for investigators and also for authorities from countries such as the United States, Israel and Spain. Doesn't matter what happened in the World Cup with Spain, they are our friends. They offered to help in a real critical moment, and these countries send human resources and technical tools to Costa Rica. This cooperation was done in an informal, fast, and updated way. I believe this is key to emergency care for ransomeware crimes to combat a crime that uses the same weapons.
Last but not least, countries to the promotion of law enforcement, must seek the creation of timely legislation that allows them to deal with this crime, and covering two previous points, this will facilitate attention to this criminal phenomenon. It should be noted that much of this is already advanced to international agreement such as Convention that can be useful to every one of us in our countries.
>> MODERATOR: Thank you very much, Estoban. I think a number of the challenges that you were mentioning that Costa Rica faced earlier this year very much tie in with some of the broader threats that we see at the regional level but as at the global level, so your experience is, while it was a particularly acute situation in Costa Rica, are unfortunately very much shared experiences.
So, then I think we will try to go back to Pei Ling from Interpol who will indeed be able to sort of complement what Estoban was saying by bringing in a bit of a global perspective from the Interpol side. Pei Ling over to you. I hope we can hear you in the room this time.
>> PEI LING LEE: Good day again, everyone. I hope that my volume is now much better. If I can get an indication of whether the volume is getting better, I think that would be good.
All right, I suppose there are no issues so I think I will comment first. Thank you again for having me. I'm going to use the next few minutes to share more about what we are doing in terms of trends concerning cybercrime. So just to set the stage, very recently specifically during the General Assembly that took place in October in New Delhi, India, we have formerly launched our first Interpol global crime trend report, and this report aims to provide perspectives down to the regional level on crime trends and threats that we see under our global crime programs, including cybercrime.
So, what I will be able to share with you from this report, which is available online as a summary in our four official languages, so I will be able to tell you in terms of cybercrime, what we are seeing globally is ransomeware remains one of the top concerns throughout the world where we see various activities done by cyber criminals and syndicates.
So apart from ransomeware the top are phishing and online scams and computer intrusion such as various kind of hacking offenses. These are the cybercrime trends that our 195 member countries most frequently perceive as posing high, very high threats globally. Then secondly, we're also seeing an increase in prominence of online child sexual exploitation and abuse because this was ranked among the top 10 crime trends that is also perceived to pose a high or very high threat by Member Countries and it is expected by a large proportion of member countries that these crimes, as I mentioned earlier, will continue to increase or significantly increase in the future.
So, before I move on, I will lastly encourage everyone here to take a look at the Global Crime Trend Report which is available online. Within the report itself, we do break it down in terms of particular threats and trends that we see at the regional level.
Moving on, I would like to use the time allocated to talk about some challenges that law enforcement has in addressing cyberattacks and securing digital evidence. So as far as we can see, the challenges for law enforcement can be divided into three main points. The first one is really on having adequate access to relevant information and intelligence. One big problem that we have is cybercrime is often underreported across the various jurisdictions. And what happens in this case is that this is a disadvantage to law enforce am because such underreporting will lead to, firstly, a lack of clear appreciation of the cyber threat landscape, and then this will also have a negative effect in terms of allocation and prioritization of resources by national governments in dealing with cybercrime.
The pandemic has really made clear to us that cybercrime has become a real threat because the attacks has really hugely increased due to the rapid advancement and adoption of digital technologies during the COVID‑19 pandemic, and that more resources should then go into prevention and disruption of cybercrime.
Another challenge that we see on the perspective of secure digital evidence is that law enforce am is seldom the first responders to a cyber incident. On the other hand, we see other national entities such as Computer Emergency Response Teams or CERTs, they usually are the first responders because, you know, organizations and corporations often have legal obligation to report to cyber regulatory authorities. So more than not, national and those dealing with cybersecurity, they have first dibs of the digital crime scene so to speak, and as well as first access to digital evidence. So, this group, this national entity should be of priority in terms of engagement by law enforcement to ensure the proper securing of digital evidence.
Other private entities like corporations also possess most data and technical expertise, and we should also look at cooperating with them.
The second part of the challenge is really on legislative and technical tools that are available to address the issue of securing digital evidence, so currently there are already many existing instruments that deal with, you know, the securing of digital evidence and this runs the gamut from instruments of cooperation like mutual assistance, and conventions like the Bucharest convention and most of us know there is ongoing work with the UN ad hoc committee to come up with an international convention, and this is time to come up with an answer is good international instruments dealing with cybercrime and digital evidence.
But, of course, there is a need for law enforcement to ensure that we have adequate ways to analyze and collect such digital evidence. This brings me to the third and last point. For law enforcement, of course, many jurisdictions have set out specialized units dealing with very specific kinds of cybercrime. But usually, the first responders are what we would call the generalists who are responsible to be the first line of response to the digital crime scene, so there is a need to ensure, you know, that they possess the adequate knowledge and expertise to be able to deal with digital evidence. Because the proper chain of evidence of this digital evidence so that, you know, this evidence can really withstand the scrutiny, for example, at a later stage where there is a need to attribute it to certain actors or to prosecute these actors in proper judicial court.
So, I think in the gist, these are the few challenges that we will highlight. But I think other panelists here will also be able to elaborate on other legislative and international instruments ‑‑ policy instruments to deal with the digital evidence. I look forward to further discussion on cyberattacks and attribution ‑‑ (audio fading) ‑‑ thank you.
>> MODERATOR: Thank you very much, Pei Ling for setting out some of the challenges. I just wanted to give the opportunity to participants both here in the room and also online participants if you have any questions regarding any of the challenges that both Pei Ling and also Estoban were mentioning, or any experiencing from your country that also reflect some of the issues that they've been highlighting in their interventions so far.
>> AUDIENCE MEMBER: Good afternoon. I think when it comes to cybercrime and cyber issues, the challenges transcends nations. What I'm trying to say is that the challenges that might be in Europe might be worse in Africa. What might not be bad in Africa might be worse in Europe. The level of cyberattacks from the African continent to the rest of the world is probably minimum because we still are a continent predominantly offline. The infrastructure of Africa is suffering cyberattacks interest across the world. I work in the cyber office, I didn't introduce myself, apologies. So basically, some of the challenges that we face, are twofold. One of the major challenges we face is the monetary threshold. If I have a case reported in Zambia, somebody loses $2,000, that's a lot of money back home. That's a lot of money. But if I request information and probably assistance from another agency, $2,000 is an amount of money, they wouldn't put the associates just to track down a criminal who has stolen what? $2,000. So at the end of it, more like still playing cat and mouse because in Africa that amount is huge, and imagine somebody steals $100 from maybe 50 persons, and when you aggregate the amount, it's about $3,000 but again the issue of where is this suspect located, say in Brussels or France, so how much amount are other agencies going to put efforts to track down that criminal over $3,000 which in those jurisdictions is negligeable, so it's become a huge setback, a huge drawback when investigating crimes that transcend borders and where issues of mutual assistance comes in.
Of course, there is still a threshold of amount of money that our colleagues in the area would follow. Maybe say 1,000, $100,000, yes, that would commit ‑‑ following that, by the end of it, or what about the one who lost $1,000, you end up with being helped.
My second challenge is on the issue of ransomeware. As you can, tell, the capability of Africans to create these sophisticated ransomeware codes is minimal, and of course others can buy it from the dark net. The issue is, as law enforcers, are we trained enough to analyze the malware, and probably we do like reverse engineer to understand this behavior. We don't. Most of the cases of ransomeware are unreported because an organization can suffer a serious cyberattack, but they would not report to the police knowing that the police will do nothing because they don't have the capacity to investigate that case. They'll only report it for the sake of recordkeeping in the case that some of the data that has been compromised is financial in nature, so as they return their taxes, they must justify why some information is missing, and that's why the police come in to report to the police to say we had a cyberattack and this is report for the police. But at the end of the day, if left uncheck, it becomes a playground for cybercriminal knowing that in as much as we can get some money from this organization, another organization, nothing will be done about it because the law enforcers have no capability.
So, I still feel there is a need to enhance capacity building and training to ensure that some of these gray areas that we face in our investigations are tackled, not as a single nation but more as a combined effort. Thank you.
>> MODERATOR: Please.
>> AUDIENCE MEMBER: Hello. My name is Dr. Harol from Nigeria. I'm just adding a comment on what the gentlemen did. Not only the law enforcement. We also need to educate the Judges and the lawyers on issues of handling cybercrimes. In my country, we have similar problems. The Judges themselves and the lawyers are not well equipped on the challenges of fighting cybercrimes or handling cybercrime cases, and also difficulty of the digital evidence, as you said. There is a need to be capacity building in the area of policy, digital policies an tools and instructions and training and so on. Thank you.
>> AUDIENCE MEMBER: Thank you. My name is Desrai from Ethiopia. I came from the judiciary, and it is a good presentation by the panelists. This cybercrime, actually we have a law which regulates cybercrimes in Ethiopia. It's called computer crimes law, and also there are some provisions and different legislation, but as the previous comment said, that the knowledge on how to investigate, how to prosecute, how to adjudicate cybercrimes is not as per the impact of the crimes, therefore getting in capacity building in this area is very important.
Having said that, I have two requirements, and the first one is on gathering of evidence. Because this cybercrime is going to be adjudicated by the judiciary by the court, so therefore the gathering of the evidence should be in line with international and national procedural guidance, and that means that the judiciary should be notified as what is going to be, what type of data will be gathered and from whom because we need to balance the right of privacy, and that means the data should be protected, and also it needs to be used for the justice sector. Therefore, what are the experiences maybe of Costa Rica or Interpol in gathering data or evidence for the justice sector, this is the first one.
The second one is, this cybercrime may be committed by persons who are not easily identified, and it is known that the cybercrime, some call it cyber war, and even countries want to use different mechanisms to sabotage the election, to attack the basic infrastructure of other countries. Countries as per may not participate in such type of acts, but they may deploy a private party, and these private parties may sit in one country having different passports, and therefore identifying, capturing, apprehending. Therefore, the cooperation between different countries, I think, is very critical, and beyond politicization, beyond politics, and I think countries should work because that was from the cybercrime is very high, and therefore what should be taken as insight in order to get cooperation? Thank you.
>> MODERATOR: Thank you very much. I see we have two other questions, but I will come back to you after the next speaker if that's okay. Thank you very much for those contributions, which just goes to show what a good audience we have because, in fact, you have preempted a number of issues that we will be discussing in the latter part of the session, but just to really highlight, I think, a few of the very important challenges that have been raised from the floor. I think it's a very good reminder that, of course, while we do see some global threats, we see regional trends, and of course the exact experience of every country is different, and so it's always going to require a tailored approach to make sure that criminal justice responses do reflect the specific situation in each country and the individual challenges that are faced.
And that in a sense then ties in nicely to the points about the importance of capacity building for criminal justice practitioners. That is precisely what we do at the Council of Europe, the Cybercrime Program Office is work with countries across the world to strengthen capacities to be able to respond to cybercrime from the police side, magistrate, prosecutor side, judicial side, and also working with policymakers and legislators. And we always really very much want to make sure that then all of that support is specifically tailored to the situation in individual countries.
So, I think now we have a pretty good grounding in terms of what the problems, what the difficulties are, so I think we need to start thinking about what some of the solutions available are and what some of the tools that we have at our disposal to be able to address these challenges are, and particularly to be able to secure electronic evidence both effectively to make sure it can be used in criminal justice proceedings, and as well as efficiently to make sure that it can be accessed quickly when it's needed.
Legislation is, of course, always going to be at the foundation of an effective criminal justice response to cybercrime. We were hearing that already from our speaker from Ethiopia, so I'd like to then give the floor to Alexander Seger who will be able to tell us a little bit about the tools provided by the Budapest Convention and additional protocols. Please, Alexander, the floor is yours.
>> ALEXANDER SEGER: Many thanks, Martha, Nina online and all the other speakers, but as thanks to the participants and their questions raised a few minutes ago. Here in Europe, I'm speaking from Strasberg, we have war, Russian against Ukraine, violation of war, torture, rape, murder, atrocities against civilians and war crimes. This is accompanied by cyberattacks of civilian infrastructure and cybercrime, committed by state actors but as non‑state actors that is criminal organizations at the service of the Russian regime. This is something that was underlined yesterday by the Ambassador of Ukraine to the Council of Europe and signed the new second additional protocol to the Budapest Convention on cybercrime.
And of course, many states, organizations, and individuals are being targets of ransomeware attacks. And Costa Rica hats a story to tell in this report and many other countries also too. Indeed, how best to obtain the evidence needed, the electronic evidence needed to ensure accountability and how to bring offenders to justice?
Not only with respect to cybercrime and cyberattack, but as other crimes where evidence is on computer systems, and I think also evidence of war crimes. I believe that with the framework of the Budapest Convention on cybercrimes, we have something available that is highly relevant and if I say, a framework, I mean common standard that means the Budapest Convention itself, the guidance notes, and the protocols, but as the assessments and followed by the cybercrime convention committee, and then as Martha pointed out, the capacity‑building activities by the cybercrime office of the Council of Europe based in Bucharest or Romania but from where we support well over 140 countries worldwide to charge for prosecutors to work on legislation, enhance cooperation with service providers and so on.
This framework of the Budapest Convention is relevant globally because of the geographic reach, and we have now 68 parties to that treaty. Yesterday Brazil joined this treaty. A few months ago in July, Nigeria also became a party. And well over 120 countries around the world have aligned the domestic legislation with this treaty. You also now have 30 states that signed a second additional protocol dealing with enhanced cooperation and disclosure with evidence and Croatia, Moldova, Slovenia, Slovakia, Ukraine, and United Kingdom also signed this second additional protocol.
So, this framework provides the tools, the tools for an effective criminal justice response to bring offenders to justice, and as I said, it's not just the treaties and the protocols, but it's also the capacity‑building activities that go with it.
So, this is how if it applies in practice. If there is a cyberattack, a cybercrime, the first question is, is there an offense? What is the offense under the domestic law of the country but as of other countries that may be involved in this offense or where the evidence may be located?
The Budapest Convention lists a very limited number of offenses, 10, offenses against and by means of computers, illegal access to computers, data system interference, and some others.
The cybercrime committee has adopted a number of guidance notes to show how these limbed number of offenses it's listed there, in combination, can be used to criminalize infrastructure attacks, distributed denial of service attack, and also ransomeware offenses. Yesterday, and I put this in the chat, yesterday they adopted a guidance note on ransomeware and first protocol on xenophobia and racism criminalizing aspects of hate speech, carefully phrased to ensure it's compatible to right of freedom of expression.
Equally, maybe even more important than criminalizing certain content is the question of electronic evidence. Because we know without evidence, you cannot ‑‑ there is no justice and you cannot bring enough evidence to justice. You need the evidence. How to obtain the evidence, the electronic evidence that may be all over the place and on computers in multiple jurisdictions, how can we obtain this evidence that also meets evidentiary standards incremental proceedings? And here the Convention on cybercrime provides for law enforcement powers with the necessary powers to order the preservation of computer data, to search and seize computer data and systems with regard to electronic evidence, to intercept traffic data and content data and so on. There are clear provisions for see ‑‑ provisions that party have to provide in their domestic law in order to secure and collect electronic evidence. Not just electronic evidence in relation to cybercrime, but any evidence, any crime where evidence is in a computer system. That includes and may include a rape case, somebody is raped, a real‑life rape, but the location data may point at a certain suspect, and that location data on the phone is electronic evidence, or also evidence in relation to war crimes as we now experience in Ukraine. A lot of the evidence in relation to war crimes is evidence on computer systems. And these ‑‑ the provisions of the Budapest Convention and also of the new second edition protocol promote international cross‑border cooperation, and that means in the case of the second additional protocol to go directly to a service provider in another party to ask for subscriber information. One of the questions just raised from the audience was, would another cooperate through mutual resistance if the value or the damage being is a few hundred dollars or Euros, if it's very limited? Under this new second additional protocol, you don't have to go through mutual assistance to obtain subscriber information to find out who is the owner of a certain social media account, or who has been using an Internet protocol address from where an offense was committed. Then the second protocol, can you go directly to a service provider in the other party to obtain that information and can you order a service provider in another party to obtain that subscriber information, so the issue of mutual assistance to heavy machinery of mutual assistance, that is not really necessary here under this new protocol.
There are also provisions on cooperation in emergency situations when life is at risk, like a child is exploited or terrorist attack going on where you need even content data, there is also a provision in the new protocol on how you can obtain this content data on a computer system without delay and without necessarily having to go through the very heavy mutual assistance procedure.
As I said, if you want to see how this plays out in terms of substantive criminality of the offenses, in terms of procedural powers, in terms of international cooperation provisions, have a look at the note on ransomeware adopted yesterday by the committee and of course online. All of this has to be accompanied by a strong system of human rights and rule of law safeguards, and this new second additional protocol, by the way, about 25% of the text is about data protection because we have to make sure if we have efficient data across borders, we have to make sure that the human rights and law of rule requirements are still met. It's very important.
As I said, and maybe also part of this framework is capacity building, which is crucial for Americans and we work with many countries in Africa for that matter giving priority to the countries that have requested succession to the Budapest Convention. We developed a number of guides on electronic evidence, developed standard operating procedures for electronic evidence, guides in Cryptocurrency, training materials for around the world and so on.
In conclusion, we believe that the framework of the Convention on cybercrime remains the most relevant global framework to obtain electronic evidence that is needed to attribute cyberattacks to ensure accountability and bring offenders to justice, and because this convention, because this framework is picked up by capacity‑building programs, we're also able to assist you and other criminal justice authorities to apply the tools of this framework in practice.
And with that, back to you, Martha.
>> MODERATOR: Thank you very much, Alexander, for setting out some of the very practical provisions and tools that the Budapest Convention provides to State's Parties, not only for their domestic action to combat cybercrime, but as very importantly, in terms of providing clear structured modalities for effective international cooperation.
You were mentioning also at the end, the importance of combining the strong legal framework also with capacity building, and picking up on one of the themes that I think is already recurring in the session. In that respect, I think it would be great to hear also from Estoban again, where Costa Rica has been a state party to the Budapest Convention for a number of years now and is also one of the countries that have moved ahead and signed the second additional protocol to the Convention. It would be very useful to hear a bit from you in terms of how Costa Rica has been making use of the powers contained within the Convention, particularly, of course, in light of the recent ransomeware attacks.
>> ESTOBAN: I will try in Spanish with the help of the translator. It is very important to be aware of the fact that such distant countries like countries in Africa and my own country, my home country of Costa Rica are seeing the same trend in cybercrime which are often economic in nature. Therefore, it is very important to make use of tools such as the Budapest Convention, and these tools give to developing countries the means to be able to effectively prosecute cybercrime.
And more specifically when talking about ransomeware crimes, it becomes even more so important because as other speakers have already highlighted, we face main challenges here. The first one is to effectively attribute the issue, who is the author or perpetrator of the offense, and second how to secure the electronic evidence.
And much of the electronic evidence is going to be located in a different country. And through the legal tools, it is now easier to promote the fact that a state or signatory state to the Convention can share and manage the gathering of electronic evidence in a direct way. And therefore, it is even more so important that the second additional protocol to the Convention comes into force.
Because from the prosecutor's perspective, the second additional protocol gives a series of very important tools as Alexander said earlier. And not only to collaborate directly between different state parties, but as to be able to manage the electronic evidence. This is so important and this is quite a novelty when dealing with emergency cases like ransomeware crimes. Also, I would like to say that personally I agree to the idea that safeguards need to be revised on a national level. Because, unfortunately, we're facing a very recent attack of crimes, and we are trying to handle them with legal means that come from the previous century.
Fortunately, the second additional protocol compels state parties to revise their domestic legislation and adapt it to meet the current needs. And now to conclude, I'm considering the fact that there are people representing law enforcement agencies in our audience today, and I challenge you to make our legislative bodies in our home countries to adopt this legislative reform.
>> MODERATOR: Thank you very much, Estoban. Always good to end with a very clear call to action. Everybody in the room, if your countries haven't already done so, you have your homework. We here at the Council of Europe are very happy also here to support you in that process of developing, amending your domestic legal frameworks to harmonize them with the standards set out in the Budapest Convention and also in the additional protocols.
I just want to briefly then come back to Pei Ling who was mentioning earlier mutual legal assistance as one of the tools that Interpol make us of in its work to combat cybercrime. But are there some other networks, different technical tools also that Interpol is able to draw on to support effective international cooperation? Please, Pei Ling?
>> PEI LING LEE: Hello again. Think there is a lot of discussion so far about using really formal forms of cooperation, such as mutual league assistance. I think we need to recognize that there are other, should I say, less formal instruments for cooperation among law enforcement. As we speak now, you know, there are countries with strong bilateral relations, or multilateral relations with, for instance, with we bring countries or other countries within the region, so this can continue as a form of facilitating information exchange on informal basis, and once you have gather enough information about a particular crime or a particular criminal or actor or group, then that's where you can then tap on, you know, formal forms of cooperation like mutual league assistance, even if you don't have strong bilateral or multilateral relationships with a certain country that you would like to request for information, there are various 24/7 networks that are established. There is one 24/7 network under the Budapest Convention. There are also similar 24/7 networks for cybercrime units established by Interpol as well as by the G7, so these are useful points of contact that countries can make us of to get, you know, a prompt assistance into cybercrime and to look at, you know, attribution of cyber criminals.
What I would like to highlight is the other programs Interpol has in place to facilitate data exchange and sharing of information among member countries. We have established at the request of member countries, online platforms to facilitate information sharing, both generally as well as specifically (audio fading) for operations.
What we have here first is cybercrime ‑‑ (audio fluctuating) ‑‑ often as special cyber exchange general knowledge about what they see, trends and threats of information. That's one. The other one is we also recognize the need for a good online platform for member countries as well as private sector partners with formal data-sharing agreements with, and we recognize to have a secure and program for the sharing of data related to cybercrime operations that they are mounting or that they are coordinating at the national, regional, or even global level, so we have established a cybercrime collaborative policeman for operation or CCP operation, and I will give more information about this platform that are publicly available so that the rest of you can go and take a look at this information. This is restricted access but secure platform that allows the sharing of files, data more restricted such as police data, and allows for the creation of workspaces whereby member countries or even Interpol if we are leading on such operation, we can create workspaces to such that the sharing of information is restricted to the groups that are invited into those workspaces.
This platform has proven to be very successful and beneficial for the coordinating of operations, such as African cyber search operation that we have recently conducted within the African Region, so that particular operation saw the participation of more than 20 member countries, including counterparts from Afrapol to report on technical operations, arrest and seizure operation, an as we speak now, I think there is still very active exchanges of information within the workspace.
So, I think this is what I share at this moment in time. But in closing we stand ready to provide technical assistance and support to our Member Countries in these various areas, and we are also continuing to play an active role in portraying the global law enforcement perspective at various international platforms such as the ad hoc committee, which aims to establish an international cybercrime Convention.
>> MODERATOR: Thank you very much, Pei Ling. I think it's always good to be reminded that while the formal structured forms much cooperation, such as mutual league assistance are very important, of course also there are many different channels that are available to you, to criminal justice practitioners to be able to cooperate effectively with your peers in different countries. You're already hearing about the 24/7 network established under Article 35 of the Budapest Convention, but of course countries that are both parties to the Convention and observers to the Convention, which are those countries that have been invited to exceed to the Convention, they are members of the cybercrime Convention committee, and that provides really an excellent opportunity to be able to share experiences, build contacts, and really get to know your peers in the now 67 or 68 countries that are State's Parties to the Budapest Convention, which and they really span the whole world. There is a huge amount of knowledge and experience that can be drawn on there. Now I would like to move to a very specific example of electronic evidence.
Alexander was alluding to it earlier in his intervention about the importance of electronic evidence in being able to investigate allocations of war crimes, for example, those that are currently being committed in the context of the Russian aggression against the Ukraine.
And for that, I would like to turn to Wendy, as eyeWitness has developed a system to allow human rights developers to capture photos or videos of human rights violations that can be easily then authenticated by a court. Wendy, it would be great if you could just tell us a little bit about this tool and some of the methods that you use to capture electronic evidence of these crimes. Over to you.
>> WENDY BETTS: Yes. Thank you. Can you hear me?
>> MODERATOR: Very well, yes.
>> WENDY BETTS: Perfect. As Martha said, my name is Wendy Betta and Direct eyeWitness to atrocities and based in London and work with human rights defenders around the world, specifically to increase the potential evidentiary value of digital photos and videos they are taking related to war crimes and other serious interim additional crimes. We're not working on cybercrime specifically but working on other evidence. We do this by providing a free mobile camera app that allows the users to record photos and videos in a way that facilitates their actual admissibility as evidence in court. Once the photos and videos are taken, the user submits those to eyeWitness and we store that footage to safeguard the chain of custody until it can be used in an investigation or trial. Then, finally, we have cataloging and indexing the footage that we received so that it can be more easily used in access by law enforcement.
Through this overall approach, we aim to bring the gap between the frontline responders that are collecting information and investigators who are then in a position to use the footage to seek justice.
So, speaking to you today kind of very broadly about the challenges be of using digital evidence or digital information as evidence of war crimes, but since digital evidence is basically any information relevant to a case that can be collected, stored, or transmitted in electronic format, this is a very broad topic that could be a conference of its own because we're talking about things ranging from mobile phone records to radio intercepts to social media posts. So, to fit in the time allotted, I'm going to narrow the focus a bit to the medium that we work with, which is digital photo and video.
So, the idea behind eyeWitness arose in 2011 and this came out of the confluence of two events. This is really with we saw the proliferation of smart phones globally and rise of social media platforms, and these trends resulted in people being able to record and share information on war crimes or other serious human rights violations in a way that the legal community and law enforcement hasn’t seen in the past. We saw the first widespread citizen recording of conflict in Syria starting in 2011. And now we're really seeing the trends crystallize further in Ukraine. And I think we have all seen so much footage circulating on social media, coming out of Ukraine and other conflict zones, and areas of unrest that seem like it's a ready source of evidence of the types of crimes that are being reported.
What we came to realize in 2011 and certainly true today, footage in the metadata, so I'm talking about the location, date, time it was taken, when recorded with a standard mobile phone camera, can easily be edited before it's posted online or before it's sent to investigators.
Even if the information is accurate when it's posted, as is the information from many human rights defenders, the fact that it can be changed is ‑‑ it means that all of this footage being will need to be verified to the abuse in investigations and trials. Even footage that won't go to court will need some level of analysis done to it to be useful to investigators.
However, the process of verifying photos and videos that are taken on a standard mobile camera and then circulated online is very labor intensive and very time consuming, and in the end may not even be conclusive.
So, again, starting back in 2011, two different but related tracks of work have developed to address the challenges to demonstrating the authenticity of photo and video so they can be used as evidence. So, the first approach was the creation of specialized tools for human rights defenders to use to ensure the authenticity of the footage they collect. The tools collectively are known control‑and‑capture tools because they are recording and embedding the information needed to demonstrate authenticity at the moment the image is captured, and that information remains in a controlled system.
The second approach that was developed, or the development of various methodologies to verify and authenticate footage captured using standard mobile cameras and circulated online. Now this latter category of information circulated online or publicly available is what is known as Open-Source information, so the basic definition of Open Source is publicly available information that any member of the public can observe, purchase, or request without requiring special legal status or unauthorized access.
So, this definition comes from a set of standards known as the Barkley protocol that provides set of guidelines for Open-Source investigation. Going back to eyeWitness we pursued the first track I mentioned. The eyeWitness app is a controlled capture tool and app is recording where and when the footage is taken on a way that does not will he lie on the photographer to provide the informs, and importantly cannot be changed by the photographer or any other third party who may have access to the device. The app is also then designed to ensure the footage itself cannot be edited either by the photographer or any third party that may be able to access the device. The app user then uploads a copy of the footage to a server that eyeWitness maintains. Both the design of the app together with the transmission to the server and storage protocols once the footage is in or possession, allow us to trace the lifespan of the footage from the time it was created by the app until it's used in an investigation or goes to court and so that is how we can ensure to the courts that no one has had access to this information to be able to make any changes to it.
So, the challenge I was just talking about really is primarily the challenge of tracing the proves none of footage to demonstrate that it is authentic. There are a number of other challenges related to using digital photo evidence as relation to serious crimes. I'm going to touch briefly on four specific challenges. So, the first is just the sheer volume of information and rate at which it's being created. So, the amount of information available makes it difficult and in some cases really impossible to sort through all of the available footage to identify items that might be of relevance to an investigation or a case.
So, by way of example, eyeWitness has received more than 27,000 photos and videos taken with the eyeWitness app from Ukraine since the end of February. This is easily 5 times or 6 times more than we would normally receive in a year. And so even though we can verify the authenticity of this footage because of the design of the app, it will still take tremendous human resources to catalog and index all of the information so that investigators can understand the content without having to view each individual piece, and I did a quick calculation yesterday, and I think it would take one person working full time for nearly a year just to catalog this footage alone. And then start to think about all of the Open-Source footage that needs to be found, verified, as well as cataloged. So, it's a tremendous challenge.
There are tools being developed to address this, often relying on artificial intelligence, but these then come with their own set of challenges that, again, can be a much longer discussion.
The second challenge I'll mention is access, so a lot of photos and videos showing information related to war crimes are posted to social media platforms, and in some cases this footage is taken down because the algorithms that monitor the terms of footage will flag because sometimes the footage is graphic and other times it's flagged before the footage is even posted online. Indeed, the social media platforms have a duty to protect their users, so this process makes perfect sense. However, some of this footage actually could be important potential evidence. So, the questions of how to preserve the footage, identify relevant pieces, and access it for trials and cases that might take place years later, have been the subject of ongoing discussions among the stakeholders in the field for a number of years now.
The third challenge is fair trial standards and this topic came up early in the discussion from some of the audience members. The technology involved in collect willing, verifying, and preserving digital evidence can be very complicated to understand, and all parties to the proceedings from the prosecution to the defense to the judges must understand it equally. If you have judges that are too skeptical of some of the technology, you might have good information dismissed. Conversely, if you have judges that are too easily impressed by the technology, poor information can be admitted.
Equally important is for the defendant to receive a fair trial, their counsel must have the resources to adequately interrogate the technologies as well as having the access to the technologies themselves to build their own cases.
And then the third challenge I'll mention is simply practicality. Some war crimes cases will end up in international court or courts and countries with a long history of using technology in the courtroom, many will not and indeed justice should be undertaken as locally as possible to the affected community. But this means that courts may not always have the facilities to accommodate the presentation of digital material in the courtroom. Some of our initial research when we were starting eyeWitness and looking into the use of video evidence in some locations, we found that it was not necessarily a gap in the evidence code that was going to be a problem but rather that there was just not always the means for actually playing a video in court. So, as we look at the use of digital evidence, we need to ensure that courts around the world are equally able to leverage this information in their trials. I'll leave it there because I know there are more questions and comments to be made.
>> MODERATOR: Thank you very much, Wendy, for the extremely concrete example of some of the different tools that are available to be able to collect evidence from also members of the general public that can then be crucial in this case international proceedings with respect to war crimes and other very serious human rights violations.
But I think some of the techniques that you were mentioning, some of the challenges also that you were mentioning are relevant also in the context of many other types of crime where electronic evidence is absolutely critical, and I know for example, a number of countries now have been developing online tools, mobile apps, which their citizens can use to be able to report cybercrimes that have affected them, and these are very valuable tools in helping to combat the issue of underreporting, which as Pei Ling was mentioning earlier, continues to be a very significant challenge, and also very interesting to hear about some of the concrete steps that can be taken to ensure that evidence ‑‑ electronic evidence that is collected is then admissible in court, because of course, that's absolutely crucial that the evidence can absolutely be used as part of the criminal proceedings if it is going to be able to support processes of attribution and accountability.
Now, we just have a few minutes left, so I would like to open the floor back to the participants, and I absolutely want to start with you who waited very patiently from earlier on in the session. Please, the floor is yours. Please, if you could start by introducing yourself, that would be great.
>> AUDIENCE MEMBER: Thank you, Martha. My name is Silas and am Director in cybersecurity expert association of Nigeria. I heard in fact that it's been a very engaging session with all the comments coming from the speakers and I applaud the organizers. I was just thinking in we look at things, really talking about controls from the preventative angle or deterrent angle, so in the issue of cybercrimes and in this world where we have a lot of cyber criminals from everywhere, you know, what are steps being taken to deter, and not in terms of punishments like in a court of law, but how do we discourage people from doing that path? How do we stop people who want to come into that line?
Also, how do we skill, you know, user awareness? Because the frequent targets are not just organizations but they're individuals like you and I. How do we scale up the efforts around this to make sure that the success rates of these crimes or of these cyberattacks are less.
You know, I'm speaking from Nigeria, you know, from the perspective where a lot of people are victims because they don't know better, and I'm also speaking from the angle that a lot of people are getting involved in these things due to various societal issues, including poverty, you know, there are people who do not have access to education, and so because of the barriers to entry, the cybersecurity industry, they feel like they don't have a choice than to just those doing negative stuff and start doing that. How do we reduce the barriers to entry and create a society where people do not feel marginalized and forced to do negative things. I think I'll stop there for the sake of time.
>> MODERATOR: Thank you very much for that question. I will just take one more, and then we will have the answers. Perhaps I will just go first to the one right at the back because again you were waiting from earlier. Thank you.
>> AUDIENCE MEMBER: Thank you. My name is Tamaru from Ethiopia. I am cybersecurity risk analyst. I would like to talk about the cybercrime. Cybercrime is very sophisticated currently, and then in order to collect cyber evidence or digital evidence, it's very difficult to collect due to most of all European countries use Open-Source software vulnerable to attack, then as IGF, how IGF tries to support the developing countries like Ethiopia in order to collect evidence of digital evidence. Currently our country of Ethiopia has no punishing strategy or laws for Cyberspace or cyberattacks, then how IGF supports us in order to punish unethical hackers or emotional hackers. Thank you.
>> MODERATOR: Thank you very much. I'll take your question as well and then we'll go back to the panel. Please.
>> AUDIENCE MEMBER: Good afternoon. My name is Ismael from Gambia. I'm a cybersecurity analyst and also Chair for cybersecurity community called Cemcon. So, I mean in Gambia we don't have any law with regards to data security and data protection and also capacity is a problem especially with law enforcement. From 2017 until now, our community you know supports law enforcement with regards to investigation, you know, because we have this cybersecurity experts, some of us are working for other institutions.
My question is back home you have some of the crimes like scamming and phishing and don't have social media, WhatsApp and other platforms and this evidence actually on those. So back only we came up with strategy by obviously creating awareness and also involving the communities, you know, and the people to report some of the incidents to us because the government doesn't have any database of reporting some of these incidents, and we support them the best way that we can. You know, how does this and international regulations actually involve the Civil Society and some of the expert communities, you know, to be able to report some of these incidents and also be able to verify and authenticate some of this evidence that is collected, you know, or probably sent to us by the victims? These victims include politicians, you know, businessmen and obviously local market vendors, so how does international regulation help us with this? Thank you.
>> MODERATOR: Thank you very much. I think we have an excellent group of questions to bring. A if he that I noted, the importance of bringing in the victim's perspective and making sure that also victims and their needs are really factored into the criminal justice response to cybercrime, so that's one issue. The second issue is the importance of awareness raising, of education, making sure that people understand the nature of some of the cybercrimes that could affect them, as well of course, as where and who to contact to try to get support after being victimized.
Thirdly, then a question on the involvement of Civil Society about reporting, authenticating evidence, and lastly the question of capacity building and capacity‑building support.
So, I think I will start then with Estoban, briefly I think you wanted to touch on the awareness‑raising issue.
>> ESTOBAN: Exactly. I want to try to answer the question from the representative of Nigeria. I think that is a very important question. I think that the countries in principality, the law enforcement need to know the key in this case of crimes is the prevention. We need to make some campaigns in the schools, with the kids to teach them to don't be a victim, and also to don't be a criminal. This is the key I think in this case of crimes.
>> MODERATOR: Thank you very much, Estoban. Also, then I would turn to our online panelists, and perhaps first of all I will come back to Wendy, I think, particularly with the issue of involvement of Civil Society authenticating evidence reporting could be relevant to your work, but please feel free to respond to any of the questions that were raised.
>> WENDY BETTS: Yes. Thanks. So, Civil Society is playing a very important role in investigating a lot of these types of crimes, and particularly because of the access and their ability to get to the information before professional law enforcement, professional investigators can get there, but then they do face the problem of how do they authenticate and verify the information that they're finding, and this is not just photo and video that we've taken as I mentioned, but you have Civil Society organizations conducting Open Source research and they're trying to verify and authenticate social media posts and social media profiles and other types of publicly available information that are out there. And so, as I mentioned it's very time consuming and labor intensive and can be difficult for Civil Society who may not have access to the resources and tools that could be available to law enforcement. So, again, I would point to some of the standards that have recently been developed and some of the guidelines for how Civil Society can best engage in this work in a manner that would most likely facilitate the use of the work that they're doing in actual investigations and trials later. So, again, resources like the Berkeley protocol and Open-Source investigation is really one of the leading standards. There are organizations such as mnemonic and Belinkat that have developed very specific methodologies for authenticating and verifying different types of digital information, so those are some resources for some practical tips and tools on how to do that kind of work for Civil Society specifically.
>> MODERATOR: Thank you very much, Wendy. And then I would turn to Pei Ling if you have any final contributions in response to the questions from the floor. I would ask you please to be very brief because I know we're already a little bit over time.
>> PEI LING LEE: Okay. I guess I will just end with a few simple points. One is I think specifically on the question of, you know, so‑called evidence or information gathered by Civil Society organizations. While these are useful, but I think from the law enforcement perspective, earlier mentioned the chain of evidence, so I think the areas in different national jurisdictions have different respective procedural measures with regard to obtaining, securing, and preserving digital evidence.
So, while Civil Societies could be one potential source of the collection of such evidence, there is a need to respect the procedural measures of each specific country. But on a related note, I think these issues and areas are currently being examined by the UN ad hoc committee and in terms of participation and inputs by multistakeholders, including nonprofit and Civil Society organizations, the ad hoc committee has also been very active in engaging these various groups through the intersessional consultations that they have been conducting in between their formal sessions, and as well as through the participation of various, you know, non‑member state organizations, including Interpol as permanent observer. I think moving forward, we should continue to monitor the developments at the ad hoc committee whereby these various issues and as well as other issues raised by the participants of today's workshop will be very keenly discussed in the lead‑up to the development of the international convention, which could be a potential additional international instrument that we could tack on to deal with the issue of cyberattacks and digital evidence.
>> MODERATOR: Thank you very much, Pei Ling. And then finally, I would like to give the last word to Alexander, please, the floor is yours.
>> ALEXANDER SEGER: Thank you. I believe all the other speakers online and in person have already raised all of the important things. I fully agree with prevention and awareness is fundamental. Cybersecurity measures, common sense measures to protect your systems are fundamental, but at the same time, we do need effective criminal justice response because if victims do not see that they cannot obtain justice, that they can't be effective investigation, prosecution but as at the end an outcome by a court, they will lose their trust in the rule of law and so on and that will also then have other negative consequences. We have to work towards a more criminal justice response. We believe on our side, we can contribute by having countries participate in the cybercrime convention committee and work on the Budapest Convention and we're also looking very much forward to the outcome of the ad hoc committee at the United Nations level to see what will happen there, and hopefully some sort of consensus can be found also there. Finally, I believe that capacity building is a way to bring stakeholders together to bring everyone up to speed, and so forth. So, I think that is, if you look for the common denominator between all the things mentioned today, it's capacity‑building activities, which I believe can function also across political differences that some countries and organizations may have. Thank you to all the speakers. I learned a lot, I took lots of notes also from what people said, including Wendy from eyeWitness. Back to you, Martha.
>> MODERATOR: Thank you very much, Alexander. Indeed, in terms of capacity building just two quick tools from the Council of Europe side I would like to mention. One is that the cybercrime program office has prepared a tool on criminal justice statistics, on cybercrime and electronic evidence, which then can be quite useful in terms, of course, of assessing what the situation actually is in each country, and therefore being able to allocate resources and prioritize accordingly. Because, of course, we would all wish to have more resources than we do, so we have to make use of what is available to us, and I think that can really help make the prioritization effective.
One other thing upcoming, just coming back to the point on victims, we're currently in the process of preparing a mapping study on cybercrime victims to really try to get a bit of a better understanding of what the landscape is, what are some of the characteristics of victims and how are different people affected in different ways by cybercrimes and other crimes involving electronic evidence. Please keep an eye on our website and that will be available soon.
Just to conclude then with one or two key takeaways, that I have picked out of the discussion. I think we all got the message loud and clear that electronic evidence is absolutely crucial when it comes to attribution and adaptability for cybercrimes and other crimes involving evidence. Indeed, perpetrators of these crimes are brought to justice and therefore reinforcing confidence in the criminal justice system and its ability to ensure the victims are able to access the justice they deserve.
We heard again very strongly about the importance of having a solid legal framework with the necessary safeguards, and about how the Budapest Convention and second additional protocol really provide standards that countries cross the world can draw on to ensure that they have the provisions not just in their domestic legislation to be able to support an effective criminal justice support to cyberattacks but as to be able to cooperate effectively internationally.
And that cooperation was of course a theme that came across the interventions of the panelists, but as from the floor in terms of the importance of cooperation at the domestic level, at the regional level, at the international level, and of course between not only different parts of the criminal justice system but between public and private sector entity. Of course, there is always a work in progress. There is always more that can be done to improve cooperation.
Lastly, the point about capacity building and the importance of ensuring that practitioners really do have the skills and expertise that they need in order to be able to fulfill their role in ensuring that indeed perpetrators of cybercrimes can be brought to justice.
So, I would like to finish there by thanking all of our speakers, Estoban who is here, all of the speakers online, Wendy, Pei Ling, Alexander, thank you very much. Also, of course, to all of you for being here, for sticking with us even though we went a bit over time and for spending time in a bit of a stuffy bunker listening to us on a Thursday afternoon. Thank you very much and take care.