Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks
1. Cybercrime Deterrence and International Legislation: Evidence from Distributed Denial of Service Attacks
Kai-Lung Hui (Hong Kong University of Science and Technology)
Seung Hyun Kim (Yonsei University)
Qiu-Hong Wang (Singapore Management University)
MIS Quarterly, Vol. 41, No. 2, pp. 497-523, June 2017
2. In a Nutshell
(c) Hui, Kim and Wang 2017
We study the empirical effect of international legislation
on cybercrime deterrence
Enforcing the Convention on Cybercrime:
Reduces the number of DDOS attack victims within the
enforcing countries
Redirects DDOS attacks to non-enforcing countries
Reduces DDOS attacks largely because of the provision of
international co-operation
Implications:
Network effect exists in international law enforcement
Cyber criminals are rational, meaning economic incentives may
work in deterring cybercrimes
The world should work together in cybercrime deterrence!
3. Cybercrime
Causes an annual global loss of $400 billion, ranging from $375 billion to $575 billion (McAfee, June 2014)
Characteristics of cybercrimes
Not confined by national boundaries
Extremely low cost
E.g., DDoS, cross-site scripting, phishing, …
Low observability and hence low probability of apprehension
and punishment
Key issue: How to tackle such cybercrime?
5. Solution
Prevention and detection
Operate at the individual level
Do not ex ante reduce attack motivation
Legislation
Heightens the penalty of aggression
Depending on implementation, may increase the chance of
apprehension and conviction
Applies at the national, or even international level
May ex ante affect hacker decisions?
6. Scope of Legislation
Domestic enforcement
International cooperation
E.g., preserving data for investigating cybercrimes initiated
from or targeting other countries
Requires similar treatment of crimes and mutual understanding
of enforcement
Cybercrime specific international initiative:
The Convention on Cybercrime (COC)
7. The Convention on Cybercrime
(COC; Europe Treaty Series No. 185)
Convention on Cybercrime (COC)
8. The Convention on Cybercrime
Drafted by 41 Council of Europe member states + Canada,
Japan, USA, and South Africa
Opened for signature on November 23, 2001
First enforced by Albania, Croatia, Estonia, Hungary, and
Lithuania on July 1, 2004
As of 2015, 49 countries signed and 47 ratified (enforced)
the COC
9. The COC: 4 Chapters
1. Definitions
2. National-level measures
Establishing substantive criminal laws on offences (e.g.,
illegal access and interception, data and system interference,
etc.)
Procedural laws
Establishment of jurisdictions over offences
3. Principles of international cooperation
E.g., extradition arrangement, mutual assistance
4. Scope of application, reservations, etc.
10. Characteristics of cybercrimes
Not confined by national boundaries (Png et al. 2008, Kshetri 2013a, 2013b)
Extremely low cost
E.g., DDoS, cross-site scripting, phishing, …
Low observability and hence low probability of apprehension and punishment
The unique profiles of cyber criminals (Kshetri 2006, 2010)
Minors
Juvenile
Professional syndicates
11. Related Literature
The deterrence effect of perceived threat and
punishment at the individual level in an
organizational setting (D’Arcy et al. 2009; Johnston et al. 2015)
Supportive evidence on deterrence effectiveness
Capital sanctions and execution (Yang 2008)
Gun-carrying laws (Lott 1997a)
Enforcement against rape and other sexual offences (Vaillant
2009)
Counter evidence was also recorded (Kirchgassner 2011)
Lack of quality data
12. COC: Staggered Enforcement
[Figure: bar chart of the number of countries per year, 2001-2015; series: Signature, Entry into force]
2004: Albania, Croatia, Estonia, Hungary, Lithuania, Romania
2005: Bulgaria, Cyprus, Denmark, Macedonia, Slovenia
2006: France, Bosnia & Herzegovina, Norway, Ukraine
2007: Armenia, Finland, Iceland, Latvia, Netherlands, U.S.A.
2008: Italy, Slovakia
2009: Germany, Moldova, Serbia
2010: Azerbaijan, Montenegro, Portugal, Spain
2011: U.K.
2012: Austria, Belgium, Georgia, Japan, Malta, Switzerland
2013: Australia, Czech Republic, Dominican Republic
2014: Mauritius, Panama
2015: Luxembourg, Poland, Turkey, Canada, Sri Lanka
13. COC: Delay in Establishing Authorities
Country | Enforcement date | Establishment of Responsible Authorities
Albania | 01/07/2004 | 19/06/2006
Armenia | 01/02/2007 | 16/07/2008
Bosnia and Herzegovina | 01/09/2006 | 15/11/2011
Bulgaria | 01/08/2005 | 12/09/2005
Croatia | 01/07/2004 | 09/01/2009
Cyprus | 01/05/2005 | 05/08/2009
Estonia | 01/07/2004 | 08/10/2007
Slovenia | 01/01/2005 | 20/12/2006
Republic of Macedonia | 01/01/2005 | 13/10/2006
Article 24 – authority responsible for extradition or provisional arrest
Article 27 – authorities responsible for mutual assistance
Article 35 – 24/7 Network
14. COC: Difference in adoption
Article 4 – Data interference
Article 6 – Misuse of devices
Article 11 – Attempt and aiding or abetting
Article 14 – Scope of procedural provisions
Article 22 – Jurisdiction
Article 29 – Expedited preservation of stored computer data
Country Article 4 Article 6 Article 11 Article 14 Article 22 Article 29
Australia*
Austria*
Azerbaijan*
Belgium*
Bulgaria
Canada*
Czech Republic*
Denmark
Finland
France
Germany*
Japan*
Latvia**
Lithuania
Montenegro*
Norway
Poland*
Slovakia
Switzerland*
Turkey*
Ukraine
U.K.*
U.S.A.
15. Research Questions
Does the enforcement of the COC help deter
cybercrime?
Do the establishment of responsible authorities and the
reservation of Articles matter?
If the COC does reduce cybercrime, how does the
enforcement of other countries affect a country’s
victimization?
16. Theoretical Foundation: GDT & RAT
Potential criminals as rational actors who would weigh the
benefits and costs before committing a crime (Becker 1968;
Mookherjee and Png 1994)
Criminal motivation: General deterrence theory (GDT) – improper behavior can be deterred by raising the certainty and severity of punishment (Gibbs 1975).
Crime victimization: Routine activity theory (RAT) – crime is shaped by environmental factors, particularly the presence of a motivated offender and suitable target, and the absence of a capable guardian (Cohen and Felson 1979).
“someone whose mere presence serves as a gentle reminder that someone is looking” (Hollis-Peel et al. 2011).
17. Potential Contributions
Pioneering evidence on whether international
legislation helps curb cybercrime and how the
deterrence effect is affected by implementation.
A formal test of enforcement externality, finding that cybercrime enforcement can be complementary and drives cyber-attacks to non-enforcing countries.
Evidence that hackers are rational and strategic
The innovative use of backscatter data, linking international legislation and the Internet topology to analyze cyber-attack paths.
18. COC: Does It Matter?
2007: Russian convicted for attacking Estonia’s
government services
Estonia enforcement: 2004
2010: Programmer in USA convicted for attacking
rollingstone.com in 2008
USA enforcement: 2007
2011: German convicted for cyber-extorting six online
bookmakers
Germany enforcement: 2009
19. COC: Does It Matter?
From Hackforums:
“I live in a small town in Romania. Until 1 months ago I thought is no danger in hacking...I've got only a warning because I was under 18...then I realized why this happened: that was because we just joined...European Union and there are new laws in IT...from now I take care because...it never knows when the cops catch you...”
“...the law follows the same guidelines for all countries in the european union and they're very strict about that”
“There are conventions...within European Union borders he can be transported due to the crime, because of the European Unions conventions about partnership in law”
“...I would rethink your theory on Croatia not having cybercrime laws: The cybercrime convention is a European directive to which Croatia is a member state...As of 2007, Croatia integrated this into local laws...All of the offences proscribed in the Cybercrime Convention (to which Croatia is a State Party and which has been in force in Croatia since 1 July 2004), with the exception of offences that can generally be described as cyberterrorism, are incorporated into the domestic legal framework”
20. The Deterrence of the COC
when the victim country has not enforced COC
[Diagram labels: countries A, B, C, D; Hacker; four zombies; Router; Victim's infrastructure; COC country (×2); Non-COC country (×2); marks: ? ? ?]
22. The Reinforcement of the COC
when only two countries enforced COC
[Diagram labels: countries A, B, C, D; Hacker; four zombies; Router; Victim's infrastructure; COC country (×2); Non-COC country (×2); marks: ? √ ? ?]
24. The Displacement of the COC
Targeting enforcing country?
[Diagram labels: countries A, B, C, D; Hacker; four zombies; Router (×2); Victim's infrastructure; COC country (×3); Non-COC country (×1); marks: √ √ ? √]
25. The Displacement of the COC
Targeting non-enforcing country!
[Diagram labels: countries A, B, D, C; Hacker; four zombies; Router; Victim's infrastructure; COC country (×3); Non-COC country (×1); marks: ? ? ?]
26. Study Setting
Distributed denial of service (DDOS) attack in 106
countries in 177 days in 2004-2008
Why DDOS attack?
Most prevalent cyber attack causing great damage
Unambiguously criminalized by the COC
Conducted on a network of electronic devices, so international cooperation is relevant
27. Hypotheses 1:
the deterrence effect of the COC
H1a (Enforcement): COC enforcement reduces the number of
DDOS attack victims in the enforcing countries.
H1b (Establishing Responsible Authorities): Among
enforcing countries, establishing the authority responsible for
reacting to external requests for international co-operation
reduces the number of DDOS attack victims more than those
that have not established such an authority.
H1c (Reservation on international co-operation):
Reservation on Article 29 (expedited preservation of stored
computer data) increases the number of DDOS attack victims
in the enforcing countries.
28. Hypotheses 2:
the externalities of the COC
H2a (Network effect): The effect of COC enforcement on the
number of DDOS attack victims in the enforcing countries is
stronger as the enforcement in other countries increases.
H2b (Displacement): Enforcement of the COC will cause
cybercrime displacement; non-enforcing countries will receive
more DDOS attacks as the enforcement in other countries
increases.
29. Attack Data
Country-level DDOS attack data on a daily basis
From the Cooperative Association for Internet Data Analysis (CAIDA)
Responses sent by DDOS attack victims to spoofed traffic for at least a
week-long period in each quarter between 2004 and 2008 (“backscatter”
data)
31. The Model (Fixed-effects OLS)
Cumulative domestic legislation, $L_{it}$
Control variables, $x_{it}$
Country and day fixed effects, $\mu_i$ and $\tau_t$
Continuous country-specific time trends, $\gamma_i t$
Spatial correlation consistent standard errors (Driscoll and Kraay, 1998)
[Model equation not preserved; labels on its terms:]
H1a. Enforcement indicator
H2b. Displacement effect
H2a. Network effect
Externality
H1b. Enforcement indicators with or without the responsible authorities
H1c. Enforcement indicators with various reservations
The extent of enforcement in other countries, $\omega_{-i,t}$
32. Control Variables
Socio-economic: unemployment rate, gross domestic product
(GDP) per capita in PPP, number of higher education students
IT Infrastructure: number of Internet hosts, number of Internet
users, number of integrated services digital network (ISDN)
subscribers, percentage of digital main lines
Others: domestic legislations, land area
Governance quality: control of corruption, government
effectiveness, political stability and absence of
violence/terrorism, regulatory quality, rule of law, voice and
accountability
33. Descriptive statistics
(106 countries, 16429 observations)
Variable | Unit | Mean | Std. dev. | Min | Max | Source
COC enforcement | 1 = enforce; 0 = not enforced | 0.152 | 0.3587 | 0 | 1 | COE
COC signature | 1 = signed; 0 = not signed | 0.414 | 0.4925 | 0 | 1 | COE
Reservations | Number of reservations | 0.142 | 0.6098 | 0 | 6 | COE
CPHRFF enforcement | 1 = enforce; 0 = not enforced | 0.085 | 0.2789 | 0 | 1 | COE
Cumulative domestic legislation | Number of legislations/revisions | 1.123 | 2.464 | 0 | 36 | COE, UNODC, ITU, GCLD
Victim IP addresses | | 817.137 | 5,013.3900 | 0 | 91,755 | CAIDA
…per 1,000 Internet hosts | | 2.216 | 13.9751 | 0 | 621.359 | Self-computed
Internet hosts | Per 1,000 inhabitants | 87.377 | 156.7580 | 0 | 1,039.270 | CIA
Unemployment rate | % economically active people | 8.173 | 5.7605 | 0.400 | 37.300 | GMID
GDP in PPP | Thousand dollars per capita | 18.878 | 16.0343 | 0.620 | 84.249 | GMID
Higher education students | Per 100 inhabitants | 3.213 | 1.6346 | 0.033 | 6.713 | GMID
Internet users | Per 1,000 inhabitants | 356.875 | 259.8545 | 2.197 | 911.319 | GMID
% digital main lines | % of telephone main lines | 95.996 | 10.5286 | 34.000 | 100 | GMID
ISDN subscribers | Per 1,000 inhabitants | 16.822 | 32.4338 | 0 | 177.903 | GMID
Land area | sq. km per 1,000 inhabitants | 34.899 | 83.6094 | 0.142 | 617.118 | GMID
Control of corruption | Normalized index | 0.373 | 1.0340 | -1.459 | 2.591 | WGI
Government effectiveness | Normalized index | 0.481 | 0.9271 | -1.236 | 2.374 | WGI
Political stability and absence of violence/terrorism | Normalized index | 0.142 | 0.9014 | -2.550 | 1.586 | WGI
Regulatory quality | Normalized index | 0.495 | 0.8625 | -1.647 | 1.983 | WGI
Rule of law | Normalized index | 0.361 | 0.9703 | -1.734 | 2.014 | WGI
Voice and accountability | Normalized index | 0.299 | 0.9390 | -1.770 | 1.826 | WGI
% Internet users covered by others’ enforcement | | 0.120 | 0.101 | 0 | 0.285 | Self-computed
% AS connections to other enforcing countries | | 0.162 | 0.199 | 0 | 0.889 | CAIDA
34. Identification Strategies
Similar to DID, but staggered enforcement over time
Upward bias due to reverse causality
2SLS instrumented by the enforcement of Protocol No.
12 to the Convention for the Protection of Human
Rights and Fundamental Freedoms
Falsification test replacing the enforcement indicator by
signature
Effective enforcement relies on responsible authorities
Article 29 serves as an indirect assessment of the merit
of international co-operation.
35. Results – Test of H1: COC deterrence effect
36. How to differentiate the externality?
[Diagram: autonomous systems AS1 to AS12 in countries A, B, C, D and E (COC and non-COC countries); callouts: "4/6 AS connections are between COC countries" and "2/6 AS connections are between COC countries"]
The differential externality $\omega_{-i,t}$: number of AS connections to other enforcing countries divided by the number of AS connections to all other countries
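The differential externality defined on this slide, worked through on a small topology as an added example (not code from the paper or its authors). The AS-to-country map, the links and the enforcement dates are constructed so that country A moves from 2/6 to 4/6 when D starts enforcing; counting each cross-border AS link once per endpoint country is an assumption about how the ratio is tallied.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the study): AS -> country, and AS-level links.
AS_COUNTRY = {"AS1": "A", "AS2": "A", "AS3": "B", "AS4": "B",
              "AS5": "C", "AS6": "D", "AS7": "D", "AS8": "E"}
AS_LINKS = [("AS1", "AS2"),  # domestic link inside A, ignored below
            ("AS1", "AS3"), ("AS2", "AS4"), ("AS2", "AS5"),
            ("AS1", "AS6"), ("AS2", "AS7"), ("AS2", "AS8"),
            ("AS3", "AS5"), ("AS6", "AS8")]
# Constructed enforcement dates; countries absent from the map never enforce.
ENFORCED_SINCE = {"A": date(2004, 7, 1), "B": date(2004, 7, 1),
                  "D": date(2006, 1, 1)}


def enforcing(country, day):
    """True if the country's (constructed) enforcement date is on or before day."""
    start = ENFORCED_SINCE.get(country)
    return start is not None and start <= day


def differential_externality(day):
    """Per country: AS links to other enforcing countries / AS links to all other countries.

    Assumption: each cross-border link counts once for each endpoint country.
    """
    total = defaultdict(int)
    to_enforcing = defaultdict(int)
    for left, right in AS_LINKS:
        c_left, c_right = AS_COUNTRY[left], AS_COUNTRY[right]
        if c_left == c_right:
            continue  # only connections to *other* countries count
        for own, other in ((c_left, c_right), (c_right, c_left)):
            total[own] += 1
            if enforcing(other, day):
                to_enforcing[own] += 1
    return {c: to_enforcing[c] / total[c] for c in total}


if __name__ == "__main__":
    for day in (date(2005, 1, 1), date(2007, 1, 1)):
        print(day, {c: round(w, 3) for c, w in sorted(differential_externality(day).items())})
```

The value is computed for every country, enforcing or not, which is what lets the same measure enter both the network-effect (H2a) and displacement (H2b) tests.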
37. Results – Test of H2: Network Effects
40. Implications
Hackers indeed take into consideration the expected cost of punishment
So, on top of preventive measures such as IDS or advanced security intelligence systems, maybe the government can do more
A timely finding, because conventional approaches, such as bandwidth overprovisioning or perimeter controls, are gradually losing the battle
Also curbs insider threats, which are difficult to prevent or detect
41. Implications
International cooperation matters a lot!
Note that DDOS is notoriously difficult to track
If COC enforcement works on DDOS, then we have good
reason to believe it should work well on other cybercrimes
(e.g., cyber extortion, phishing)
42. Concluding Remarks
COC enforcement is effective from victim-side data
At least 11.8% reduction in DDOS attacks
Getting attacker side data will be a big leap forward, but
data are difficult to come by
Our sample – 2004 to 2008, which predates DDOS attacks
motivated by political ideologies or patriotism
North Korea vs. South Korea and USA in 2009
China vs. USA in 2013
Taiwan and Philippines in 2013