CYBERCRIME LEGISLATION
International Cybercrime
PART 1
NATIONAL AND INTERNATIONAL
RESPONSES TO CYBERCRIME
This chapter is based on Chapter 9 of IT Law by Ian J Lloyd. Additions have been
made to flesh out the Irish law sections.
INTRODUCTION
In the 1960s the UK embarked on an extensive motorway building programme. In the
1990s and 2000s Ireland did the same.
There were many benefits to these programmes, but there were also some direct negative
consequences.
What were these?
COMPUTER FRAUD IN THE UK
The Office for National Statistics publishes figures relating to almost every aspect of
life.
In 2016 it attempted to assess the scale of cyber fraud in the UK. It conducted
a crime survey for England and Wales and found that 5.8 million fraud and
computer misuse incidents occurred over a 12 month period.
3.8 million of these were fraud incidents and 2 million were classed as computer
misuse incidents.
COMPUTER FRAUD IN THE UK
The police force in the UK does not accept cyber crime reports from individuals. It
requires the complaint to come from a bank or financial institution.
The organisation Action Fraud has been set up as the single point to collate reports of
fraud from members of the public.
ACTION FRAUD UK
Statistics on CyberCrime for 2019
https://www.actionfraud.police.uk/data
Find the stats from Northern Ireland related to Cybercrime for 2019.
CYBERCRIME IN IRELAND
In Ireland less than 5% of cybercrime cases are reported to the Garda Cyber Crime
Bureau.
Speaking at the conference Cyber Fraud in a Digital Age at University College Cork
in January 2018 Det Supt Mick Gubbins of the Garda Cyber Crime Bureau
appealed to company owners and individuals to contact them when they find
themselves under attack by criminals.
He said support services are ready and in place for persons impacted by cyber
crime.
Det Supt Gubbins said one third of Irish and Northern Irish businesses have suffered a
data security breach in the past year.
QUESTION
If I am in a building and someone leaves the door of one of the rooms unlocked, and I
enter the room and take a picture of the documents on the desk, has a crime been
committed?
If I am on a computer network and someone has no software enabled to
block other users from accessing their computer, and I enter their system and take a copy of
their files, has a crime been committed?
R V GOLD & SCHIFREEN [1988] (HL)
Robert Schifreen and Stephen Gold, using conventional home
computers and modems in late 1984 and early 1985,
gained unauthorized access to British Telecom's Prestel interactive view
data service.
While at a trade show, Schifreen, by doing what later became known
as shoulder surfing, had observed the password of a Prestel engineer:
the username was 22222222 and the password was 1234. This later
gave rise to accusations that BT had not taken security seriously.
Armed with this information, the pair explored the system, even
gaining access to the personal message box of Prince Philip, Duke of
Edinburgh.
R V GOLD & SCHIFREEN [1988] (HL)
Unknown to Schifreen and Gold, the Prestel computer network operated
on a distributed basis and was intended to act as a hot standby in the
event of the UK going to war — in the event that the primary UK
military computers were down, the Prestel network could be used to
control and launch the UK's nuclear missiles.
Following discussions with GCHQ and MI6, it was decided to investigate
Schifreen and Gold's activities, notwithstanding that, as freelancers for
Micronet, a joint venture between BT and a major publishing house, the
pair had informed their superiors of their discovery.
Prestel installed monitors on both of the pair's modem connections and,
acting on the information obtained, decided it was in the best interests
of national security to arrest them.
QUESTION
What do you think was the outcome of this case?
COURT PROCEEDINGS
After some months of deliberation, it was decided to charge the pair under section 1 of
the Forgery and Counterfeiting Act 1981, with defrauding BT by manufacturing a "false
instrument," namely the internal condition of BT's equipment after it had processed
Gold's eavesdropped password.
Tried at Southwark Crown Court, they were convicted on specimen charges (five against
Schifreen, four against Gold) and fined, respectively, £750 and £600.
Although the fines imposed were modest, they elected to appeal to the Criminal Division of
the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted
to obtain material gain from their exploits, and claimed the Forgery and Counterfeiting
Act had been misapplied to their conduct.
They were acquitted by Lord Justice Lane, but the prosecution appealed to
the House of Lords.
HOUSE OF LORDS DECISION
In 1988, the Lords upheld the acquittal. Lord Brandon said:
“We have accordingly come to the conclusion that the language of the Act was not
intended to apply to the situation which was shown to exist in this case. The
submissions at the close of the prosecution case should have succeeded. It is a
conclusion which we reach without regret. The Procrustean attempt to force these
facts into the language of an Act not designed to fit them produced grave
difficulties for both judge and jury which we would not wish to see repeated. The
appellants' conduct amounted in essence, as already stated, to dishonestly
gaining access to the relevant Prestel data bank by a trick. That is not a criminal
offence. If it is thought desirable to make it so, that is a matter for the legislature
rather than the courts.”
COMPUTER RELATED CRIME
In the early days of computer-related conduct a variety of issues arose, as criminal
charges had to be brought under traditional legal headings.
Incidents where damage was caused by a person to the contents of a computer were
successfully prosecuted under the Criminal Damage Act 1971 until the “R v Gold”
case.
Rightly or wrongly this was seen as conferring a form of legal immunity on hackers.
The Computer Misuse Act was introduced in the UK in 1990. This is the cornerstone of
the UK system to this day.
THE COUNCIL OF EUROPE
CYBERCRIME CONVENTION
It became apparent that national legislation on its own might be of limited effectiveness.
An international effort began with the Council of Europe Cybercrime Convention in
2001.
The drafting of the document was a long process. It took 4 years and 50 meetings of a
Committee of Experts on Cybercrime in Cyberspace.
Attributes that must be found in the national laws of the signatory states are specified. It’s a
matter for each state to implement the provisions in domestic law.
The Convention did cause some concern from “Treatywatch”, for example that the treaty could be ratified
in countries run by dictators who could then try to prosecute people in other countries. To
date 60 member states have signed the Convention. It is becoming the model for legislation in
the sector.
Question: Has Ireland signed, and if so, when did it sign?
COUNCIL OF EUROPE CYBERCRIME
CONVENTION
Activity: Review the Council of Europe Cybercrime convention.
What aspects of this convention have been implemented by Ireland?
WHAT IS A LAW, ACT, DIRECTIVE, REGULATION, RECOMMENDATION OR DECISION?
Computer Misuse ACT
European Cybercrime Convention
General Data Protection Regulation
Criminal Justice (Offences Relating to Information Systems) Act 2017
Treaty on the Prohibition of Nuclear Weapons
Directive 2013/40/EU on attacks against Information Systems
Council Recommendations — ‘Promoting the use of and sharing of best practices on
cross-border videoconferencing in the area of justice in the Member States and at EU level’
JOINT DECISION OF THE EUROPEAN COMMISSION on the participation of the European
Union in various organisations for cooperation to prevent and counter terrorism.
WHO ARE THE OECD?
The Organisation for Economic Co-operation and Development (OECD)
OECD
Over three decades, the OECD has played an important role in promoting policies
and instruments for innovation and trust in the digital economy. The adoption of this
Recommendation by the OECD Council in September 2015 was the successful result of
a multi-stakeholder process initiated in 2012 by the OECD Working Party on Security
and Privacy in the Digital Economy (SPDE) to review the 2002 Recommendation of the
Council concerning Guidelines for the Security of Information Systems and Networks:
Towards a Culture of Security.
OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS
These Guidelines aim to:
− Promote a culture of security among all participants as a means of
protecting information systems and networks.
− Raise awareness about the risk to information systems and
networks; the policies, practices, measures and procedures
available to address those risks; and the need for their adoption
and implementation.
OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS
− Foster greater confidence among all participants in information systems and
networks and the way in which they are provided and used.
− Create a general frame of reference that will help participants understand security
issues and respect ethical values in the development and implementation of coherent
policies, practices, measures and procedures for the security of information systems
and networks.
− Promote co-operation and information sharing, as appropriate, among all
participants in the development and implementation of security policies, practices,
measures and procedures.
− Promote the consideration of security as an important objective among all
participants involved in the development or implementation of standards.
OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS
As far back as 1986 the OECD had published a report on “Computer Related Crime:
Analysis of Legal Policy”. This identified a range of actions related to computers that
should attract criminal sanction.
In 1992 the OECD adopted a recommendation concerning the Guidelines for the
security of Information Systems.
Many of the guidelines are aimed at computer users.
An implementation plan for the Guidelines was published in 2003.
OECD
IMPLEMENTATION PLAN FOR THE OECD GUIDELINES FOR THE SECURITY OF
INFORMATION SYSTEMS AND NETWORKS: TOWARDS A CULTURE OF SECURITY
This was published in 2003.
The implementation of the Guidelines
After their adoption, the OECD monitored their implementation and organised events to
share experience and best practices across governments and with the business community
and civil society.
This resulted in a report on the Promotion of a Culture of Security for Information Systems
and Networks in OECD Countries in 2005.
An OECD-APEC Workshop on Security of Information Systems and Networks was held in
Seoul in September 2005.
PRINCIPLES
The following nine principles are complementary and should be read as a whole. They
concern participants at all levels, including policy and operational levels.
1) Awareness
2) Responsibility
3) Response
4) Ethics
5) Democracy
6) Risk assessment
7) Security design and implementation
8) Security management
9) Reassessment
30% PROJECT OR ANY PROJECT
Developing a website that collects information from people.
What do we need to take into consideration?
What plans do we need to have in place if something goes wrong?
What are we proactively doing?
1) AWARENESS
Participants should be aware of the need for security of information systems and
networks and what they can do to enhance security.
Awareness of the risks and available safeguards is the first line of defence for the security
of information systems and networks. Information systems and networks can be affected by
both internal and external risks.
Participants should understand that security failures may significantly harm systems and
networks under their control. They should also be aware of the potential harm to others
arising from interconnectivity and interdependency.
Participants should be aware of the configuration of, and available updates for, their system,
its place within networks, good practices that they can implement to enhance security,
and the needs of other participants.
2) RESPONSIBILITY
All participants are responsible for the security of information systems and networks.
Participants depend upon interconnected local and global information
systems and networks and should understand their responsibility for the
security of those information systems and networks. They should be
accountable in a manner appropriate to their individual roles. Participants
should review their own policies, practices, measures, and procedures
regularly and assess whether these are appropriate to their environment.
Those who develop, design and supply products and services should address
system and network security and distribute appropriate information
including updates in a timely manner so that users are better able to
understand the security functionality of products and services and their
responsibilities related to security.
3) RESPONSE
Participants should act in a timely and co-operative manner to prevent, detect and
respond to security incidents.
Recognising the interconnectivity of information systems and networks and the
potential for rapid and widespread damage, participants should act in a timely
and co-operative manner to address security incidents. They should share
information about threats and vulnerabilities, as appropriate, and implement
procedures for rapid and effective co-operation to prevent, detect and respond
to security incidents. Where permissible,
4) ETHICS
Participants should respect the legitimate interests of others.
Given the pervasiveness of information systems and networks in our
societies, participants need to recognise that their action or inaction may
harm others. Ethical conduct is therefore crucial and participants should
strive to develop and adopt best practices and to promote conduct that
recognises security needs and respects the legitimate interests of others.
5) DEMOCRACY
The security of information systems and networks should be compatible with
essential values of a democratic society.
Security should be implemented in a manner consistent with the values
recognised by democratic societies including the freedom to exchange
thoughts and ideas, the free flow of information, the confidentiality of
information and communication, the appropriate protection of personal
information, openness and transparency.
6) RISK ASSESSMENT
Participants should conduct risk assessments.
Risk assessment identifies threats and vulnerabilities and should be sufficiently
broad-based to encompass key internal and external factors, such as technology,
physical and human factors, policies and third-party services with security implications.
Risk assessment will allow determination of the acceptable level of risk and assist
the selection of appropriate controls to manage the risk of potential harm to
information systems and networks in light of the nature and importance of the
information to be protected. Because of the growing interconnectivity of information
systems, risk assessment should include consideration of the potential harm that
may originate from others or be caused to others.
7) SECURITY DESIGN AND IMPLEMENTATION
Participants should incorporate security as an essential element of information
systems and networks.
Systems, networks and policies need to be properly designed, implemented and
co-ordinated to optimise security. A major, but not exclusive, focus of this effort is the
design and adoption of appropriate safeguards and solutions to avoid or limit
potential harm from identified threats and vulnerabilities. Both technical and
non-technical safeguards and solutions are required and should be proportionate to
the value of the information on the organisation’s systems and networks. Security
should be a fundamental element of all products, services, systems and networks,
and an integral part of system design and architecture. For end users, security
design and implementation consists largely of selecting and configuring products and
services for their system.
8) SECURITY MANAGEMENT
Participants should adopt a comprehensive approach to security management.
Security management should be based on risk assessment and should be dynamic,
encompassing all levels of participants’ activities and all aspects of their operations. It
should include forward-looking responses to emerging threats and address
prevention, detection and response to incidents, systems recovery, ongoing
maintenance, review and audit. Information system and network security policies,
practices, measures and procedures should be co-ordinated and integrated to create
a coherent system of security. The requirements of security management depend upon
the level of involvement, the role of the participant, the risk involved and system
requirements.
9) REASSESSMENT
Participants should review and reassess the security of information systems
and networks, and make appropriate modifications to security policies,
practices, measures and procedures.
New and changing threats and vulnerabilities are continuously discovered.
Participants should continually review, reassess and modify all aspects of
security to deal with these evolving risks.
IMPLEMENTATION PLAN
• Enacting a comprehensive set of substantive criminal, procedural and mutual
assistance legal measures to combat cybercrime and ensure cross-border
co-operation. These should be at least as comprehensive as, and consistent with,
the Council of Europe Convention on Cybercrime (2001).
• Identifying national cybercrime units and international high-technology assistance
points of contact and creating such capabilities to the extent they do not already
exist; and
• Establishing institutions that exchange threat and vulnerability assessments [such as
national CERTs (Computer Emergency Response Teams)].
• Developing closer co-operation between government and business in the fields of
information security and fighting cybercrime.
REVIEW THE “2015 DIGITAL SECURITY RISK MANAGEMENT PAPER”
This is an update from the OECD in 2015. How does it differ from the 2003
recommendations?
It is located on Blackboard.
2003 VS 2015
2003
1) Awareness
2) Responsibility
3) Response
4) Ethics
5) Democracy
6) Risk assessment
7) Security design and implementation
8) Security management
9) Reassessment
2015 General Principles
1) Awareness, skill and empowerment
2) Responsibility
3) Human rights and fundamental values
4) Co-operation
2015 Operational Principles
5) Risk assessment and treatment cycle
6) Security measures
7) Innovation
8) Preparedness and continuity
2003 VS 2015
The major change is that the focus of the Principles has been reoriented from the
“security of information systems and networks” to the security risk to the economic
and social activities relying on the digital environment.
SECURITY RISK TO THE ECONOMIC AND SOCIAL ACTIVITIES
CULTURE OF SECURITY
A focus on security in the development of information systems and networks and
the adoption of new ways of thinking and behaving by all participants when using
information systems and communicating or transacting across networks.
CULTURE OF SECURITY
To promote a “Culture of Security” among all participants who develop, own, provide,
manage, service and use information systems and networks, whether those
participants are from government, business or civil society. These guidelines have
been the basis for considerable implementation efforts at the national level, and are
the basis for Resolution A/RES/57/239 adopted by the 57th session of the United
Nations General Assembly.
THE ROLE OF GOVERNMENT
Government has a responsibility to provide leadership in developing a culture of
security. It should provide this leadership in each of its roles related to information
systems and networks that include the development of public policy, as owner and
operator of systems and networks, and as a user of such systems and networks.
Of particular note in this regard is government’s responsibility for (a)
awareness-raising; (b) ensuring the provision of education and training; and (c) the
provision of information resources to the public, an activity that also assists
government in fulfilling its other roles.
THE ROLE OF GOVERNMENT
Government should recognise the increasing need for a comprehensive policy and
institutional infrastructure to ensure public safety, security and economic
well-being in response to the threats and vulnerabilities associated with globally
interconnected information systems and networks. Governments are further
encouraged to respond by establishing new or amending existing policy that may
incorporate principles of the Guidelines. In doing so, principles in the Guidelines may
need to be aligned with the national situation in the area and with ongoing or planned
national initiatives. Such initiatives may include policies to combat cyber crimes, such as:
THE ROLE OF GOVERNMENT
• Enacting a comprehensive set of substantive criminal, procedural and mutual
assistance legal measures to combat cybercrime and ensure cross-border
co-operation. These should be at least as comprehensive as, and consistent with, the
Council of Europe Convention on Cybercrime (2001).
EU INITIATIVES
Within the EU there is limited legislation in the criminal field. Criminal matters have typically
been left to the individual nation states.
The EU has adopted a Directive on combating the sexual abuse and exploitation of
children.
A general “Directive on Attacks against Information Systems” was adopted in August
2013.
The Directive on security of network and information systems (NIS Directive) is the first
EU-wide legislation on cybersecurity and came into force in 2016.
EU INITIATIVES: ACTIONS HAVING A HIGH PRIORITY
In February 2013 the EU Commission outlined its legislative priorities within the IT
security field in a document entitled “An Open, Safe and Secure Cyberspace”:
1. Achieving cyber resilience
2. Drastically reducing cybercrime
3. Developing cyber defence policy and capabilities related to the Common Security
and Defence Policy (CSDP)
4. Developing the industrial and technological resources for cybersecurity
5. Establishing a coherent international cyberspace policy for the European Union and
promoting core EU values
ENISA
The EU has established the “European Union Agency for Network and Information
Security (ENISA)”.
ENISA is a centre of expertise for cyber security in Europe. The Agency is located in
Greece with its seat in Heraklion Crete and an operational office in Athens.
ENISA
• Identifying national cybercrime units and international high-technology assistance
points of contact and creating such capabilities to the extent they do not already
exist; and
• Establishing institutions that exchange threat and vulnerability assessments [such as
national CERTs (Computer Emergency Response Teams)].
• Developing closer co-operation between government and business in the fields of
information security and fighting cybercrime.
EUROPEAN CYBERCRIME CENTRE (EC3)
Established in January 2013 as a component of the European Police Agency (Europol).
“It will support member states and the EU's institutions in building operational and
analytical capacity for investigations and cooperation with international partners.”
The purpose of EC3 is to make businesses and the EU safer through increased
insight, knowledge and awareness raising.
EC3
INCREASED INSIGHT, KNOWLEDGE AND AWARENESS RAISING
Public Awareness and Prevention Guides
Internet Organised Crime Threat Assessment (IOCTA) Annual Report.
INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA)
Each year, Europol’s European Cybercrime Centre (EC3) publishes the Internet
Organised Crime Threat Assessment (IOCTA), its flagship strategic report on key
findings and emerging threats and developments in cybercrime — threats that impact
governments, businesses and citizens in the EU.
Activity: Make a summary of the IOCTA 2020 Report
Create a summary of these sections (one slide for each student).
Not text heavy; use images if possible.
Chat in your breakout groups. You have 15 minutes.
Group 1 pg 11-22
Group 2 pg 23-33
Group 3 pg 34-41
Group 4 pg 42-53
Group 5 pg 54-59
CONCLUSION ON CYBERCRIME
Computer crime has occupied much legislative time around the world.
The widespread adoption of the Council of Europe's Convention on Cybercrime
indicates that this initiative has struck a chord.

International Cybercrime (Part 1)

  • 1.
  • 2.
    NATIONAL AND INTERNATIONAL RESPONSESTO CYBERCRIME This Chapter is based on Chapter 9 of IT LAW by Ian J Lloyd. Additions have been made to flesh out the Irish LAW sections.
  • 3.
    INTRODUCTION In the 1960sthe UK embarked on an extensive motorway building programme. In the 1990s and 2000s Ireland did the same. There were many benefits to these programmes but there were some direct negative consequence. What were these?
  • 4.
    COMPUTER FRAUD INTHE UK The office for national statistics published figures relating to almost every aspect of life. In 2016 they attempted to access the scale of Cyber Fraud in the UK. They conducted a crime survey for England and Wales and it was found that 5.8 million fraud and computer misuse incidents occurred over a 12 month period. 3.8 million of these were fraud incidents and 2 million were classed as computer misuse incidents.
  • 6.
    COMPUTER FRAUD INTHE UK The police force in the UK does not accept cyber crime reports from individuals. They require the complaint to come from a bank or financial institution. The organization Action Fraud has been setup as the single point to collate reports of Fraud from members of the public.
  • 7.
    ACTION FRAUD UK Statisticson CyberCrime for 2019 https://www.actionfraud.police.uk/data Find the stats from Northern Ireland related to Cybercrime for 2019.
  • 8.
    CYBERCRIME IN IRELAND InIreland less than 5% of cybercrime cases are reported to the Garda Cyber Crime Bereau. Speaking at the conference Cyber Fraud in a Digital Age at University College Cork in January 2018 Det Supt Mick Gubbins of the Garda Cyber Crime Bureau appealed to company owners and individuals to contact them when they find themselves under attack by criminals. He said support services are ready and in place for persons impacted by cyber crime. Det Supt Gubbins said one third of Irish and Northern Irish businesses have suffered a data security breach in the past year.
  • 9.
    QUESTION If I amin a building and someone leaves the door unlocked in one of the rooms, I enter the room and take a picture of documents on the desk. Has a crime been committed? If I am on a computer network and someone does not have any software enabled to block other users from accessing the computer, I enter their system and take a copy of their files? Has a crime been committed?
  • 10.
    R V GOLD& SCHIFREEN [1988] (HL). Robert Schifreen and Stephen Gold, using conventional home computers and modems in late 1984 and early 1985, gained unauthorized access to British Telecom's Prestel interactive view data service. While at a trade show, Schifreen, by doing what later became known as shoulder surfing, had observed the password of a Prestel engineer: the username was 22222222 and the password was 1234. This later gave rise to subsequent accusations that BT had not taken security seriously. Armed with this information, the pair explored the system, even gaining access to the personal message box of Prince Philip, Duke of Edinburgh.
  • 11.
    R V GOLD& SCHIFREEN [1988] (HL). Unknown to Schifreen and Gold, the Prestel computer network operated on a distributed basis and was intended to act as a hot standby in the event of the UK going to war — in the event that the primary UK military computers were down, the Prestel network could be used to control and launch the UK's nuclear missiles. Following discussions with GCHQ and MI6, it was decided to investigate Schifreen and Gold's activities, notwithstanding that, as freelancers for Micronet, a joint venture between BT and a major publishing house, the pair had informed their superiors of their discovery. Prestel installed monitors on both of the pair's modem connections and, acting on the information obtained, decided it was in the best interests of national security to arrest them.
  • 12.
    QUESTION What do youthink was the outcome of this case?
  • 13.
    COURT PROCEEDINGS After somemonths of deliberation, it was decided to charge the pair under section 1 of the Forgery and Counterfeiting Act 1981, with defrauding BT by manufacturing a "false instrument," namely the internal condition of BT's equipment after it had processed Gold's eavesdropped password. Tried at Southwark Crown Court, they were convicted on specimen charges (five against Schifreen, four against Gold) and fined, respectively, £750 and £600. Although the fines imposed were modest, they elected to appeal to the Criminal Division of the Court of Appeal. Their counsel cited the lack of evidence showing the two had attempted to obtain material gain from their exploits, and claimed the Forgery and Counterfeiting Act had been misapplied to their conduct. They were acquitted by the Lord Justice Lane, but the prosecution was appealed to the House of Lords.
  • 14.
    HOUSE OF LORDSDECISION In 1988, the Lords upheld the acquittal. Lord Brandon said; “We have accordingly come to the conclusion that the language of the Act was not intended to apply to the situation which was shown to exist in this case. The submissions at the close of the prosecution case should have succeeded. It is a conclusion which we reach without regret. The Procrustean attempt[2]  to force these facts into the language of an Act not designed to fit them produced grave difficulties for both judge and jury which we would not wish to see repeated. The appellants' conduct amounted in essence, as already stated, to dishonestly gaining access to the relevant Prestel data bank by a trick. That is not a criminal offence. If it is thought desirable to make it so, that is a matter for the legislature rather than the courts.”
  • 15.
    COMPUTER RELATED CRIME Inthe early days of computer-related conduct a variety of issues arose as criminal charge were required to be brought under traditional legal headings. Incidents where damage was caused by a person to the contents of a computer were successfully prosecuted under the Criminal Damage Act 1971 until the “R v Gold” case. Rightly or wrongly this was seen as conferring a form of legal immunity on hackers. The Computer Misuse Act was introduced in the UK in 1990. This is the cornerstone of the UK system to this day.
  • 16.
    THE COUNCIL OFEUROPE CYBERCRIME CONVENTION It became apparent that national legislation might be of limited effectiveness. An International effort began beginning with the Council of Europe Cybercrime Convention in 2001. The drafting of the document was a long process. It took 4 years and 50 meetings of a Committee of Experts on Cybercrime in Cyberspace. Attributes that must be found in the national laws of the signatory states are specified. It’s a matter for each state to implement the provisions in domestic law. The legislation did cause some concern from “Treatywatch” such as the treaty being ratified in countries run by dictators who could then try to prosecute people in other country’s. To date 60 member states have signed the convention. It is becoming the model for legislation in the sector. Questions: Has Ireland signed and if so when did it sign?
  • 17.
    COUNCIL OF EUROPECYBERCRIME CONVENTION Activity: Review the Council of Europe Cybercrime convention. What aspects of this convention have been implemented by Ireland?
  • 18.
    WHAT IS ALAW, ACT, DIRECTIVE, REGULATION, RECOMMENDATIONS, DECISIONS? Computer Misuse ACT European Cybercrime Convention General Data Protection Regulation Criminal Justice (Offences Relating to Information Systems) Act 2017 Treaty on the Prohibition of Nuclear Weapons Directive 2013/40/EU on attacks against Information Systems Council Recommendations — ‘Promoting the use of and sharing of best practices on cross-border videoconferencing in the area of justice in the Member States and at EU level’ JOINT DECISION OF THE EUROPEAN COMMISSION on the participation of the European Union in various organisations for cooperation to prevent and counter terrorism.
  • 19.
WHO ARE THE OECD?
The Organisation for Economic Co-operation and Development (OECD)
  • 20.
OECD
Over three decades, the OECD has played an important role in promoting policies and instruments for innovation and trust in the digital economy. The adoption of this Recommendation by the OECD Council in September 2015 was the successful result of a multi-stakeholder process initiated in 2012 by the OECD Working Party on Security and Privacy in the Digital Economy (SPDE) to review the 2002 Recommendation of the Council concerning Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security.
  • 21.
OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS
These Guidelines aim to:
− Promote a culture of security among all participants as a means of protecting information systems and networks.
− Raise awareness about the risk to information systems and networks; the policies, practices, measures and procedures available to address those risks; and the need for their adoption and implementation.
  • 22.
OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS
− Foster greater confidence among all participants in information systems and networks and the way in which they are provided and used.
− Create a general frame of reference that will help participants understand security issues and respect ethical values in the development and implementation of coherent policies, practices, measures and procedures for the security of information systems and networks.
− Promote co-operation and information sharing, as appropriate, among all participants in the development and implementation of security policies, practices, measures and procedures.
− Promote the consideration of security as an important objective among all participants involved in the development or implementation of standards.
  • 23.
OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS
As far back as 1986 the OECD had published a report on "Computer Related Crime: Analysis of Legal Policy". This identified a range of actions related to computers that should attract criminal sanction. In 1992 the OECD adopted a recommendation concerning the Guidelines for the Security of Information Systems. Many of the guidelines are aimed at computer users. An implementation plan for the Guidelines was published in 2003.
  • 24.
OECD FOR THE OECD GUIDELINES FOR THE SECURITY OF INFORMATION SYSTEMS AND NETWORKS: TOWARDS A CULTURE OF SECURITY
This was published in 2003.
The implementation of the Guidelines: after their adoption, the OECD monitored their implementation and organised events to share experience and best practices across governments and with the business community and civil society. This resulted in a report on the Promotion of a Culture of Security for Information Systems and Networks in OECD Countries in 2005. An OECD-APEC Workshop on Security of Information Systems and Networks was held in Seoul in September 2005.
  • 25.
PRINCIPLES
The following nine principles are complementary and should be read as a whole. They concern participants at all levels, including policy and operational levels.
1) Awareness
2) Responsibility
3) Response
4) Ethics
5) Democracy
6) Risk assessment
7) Security design and implementation
8) Security management
9) Reassessment
  • 26.
30% PROJECT OR ANY PROJECT
Developing a website that collects information from people. What do we need to take into consideration? What plans do we need to have in place if something goes wrong? What are we proactively doing?
  • 27.
1) AWARENESS
Participants should be aware of the need for security of information systems and networks and what they can do to enhance security. Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks. Information systems and networks can be affected by both internal and external risks. Participants should understand that security failures may significantly harm systems and networks under their control. They should also be aware of the potential harm to others arising from interconnectivity and interdependency. Participants should be aware of the configuration of, and available updates for, their system, its place within networks, good practices that they can implement to enhance security, and the needs of other participants.
  • 28.
2) RESPONSIBILITY
All participants are responsible for the security of information systems and networks. Participants depend upon interconnected local and global information systems and networks and should understand their responsibility for the security of those information systems and networks. They should be accountable in a manner appropriate to their individual roles. Participants should review their own policies, practices, measures, and procedures regularly and assess whether these are appropriate to their environment. Those who develop, design and supply products and services should address system and network security and distribute appropriate information including updates in a timely manner so that users are better able to understand the security functionality of products and services and their responsibilities related to security.
  • 29.
3) RESPONSE
Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents. Recognising the interconnectivity of information systems and networks and the potential for rapid and widespread damage, participants should act in a timely and co-operative manner to address security incidents. They should share information about threats and vulnerabilities, as appropriate, and implement procedures for rapid and effective co-operation to prevent, detect and respond to security incidents. Where permissible,
  • 30.
4) ETHICS
Participants should respect the legitimate interests of others. Given the pervasiveness of information systems and networks in our societies, participants need to recognise that their action or inaction may harm others. Ethical conduct is therefore crucial and participants should strive to develop and adopt best practices and to promote conduct that recognises security needs and respects the legitimate interests of others.
  • 31.
5) DEMOCRACY
The security of information systems and networks should be compatible with essential values of a democratic society. Security should be implemented in a manner consistent with the values recognised by democratic societies, including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.
  • 32.
6) RISK ASSESSMENT
Participants should conduct risk assessments. Risk assessment identifies threats and vulnerabilities and should be sufficiently broad-based to encompass key internal and external factors, such as technology, physical and human factors, policies and third-party services with security implications. Risk assessment will allow determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks in light of the nature and importance of the information to be protected. Because of the growing interconnectivity of information systems, risk assessment should include consideration of the potential harm that may originate from others or be caused to others.
  • 33.
7) SECURITY DESIGN AND IMPLEMENTATION
Participants should incorporate security as an essential element of information systems and networks. Systems, networks and policies need to be properly designed, implemented and co-ordinated to optimise security. A major, but not exclusive, focus of this effort is the design and adoption of appropriate safeguards and solutions to avoid or limit potential harm from identified threats and vulnerabilities. Both technical and non-technical safeguards and solutions are required and should be proportionate to the value of the information on the organisation's systems and networks. Security should be a fundamental element of all products, services, systems and networks, and an integral part of system design and architecture. For end users, security design and implementation consists largely of selecting and configuring products and services for their system.
  • 34.
8) SECURITY MANAGEMENT
Participants should adopt a comprehensive approach to security management. Security management should be based on risk assessment and should be dynamic, encompassing all levels of participants' activities and all aspects of their operations. It should include forward-looking responses to emerging threats and address prevention, detection and response to incidents, systems recovery, ongoing maintenance, review and audit. Information system and network security policies, practices, measures and procedures should be co-ordinated and integrated to create a coherent system of security. The requirements of security management depend upon the level of involvement, the role of the participant, the risk involved and system requirements.
  • 35.
9) REASSESSMENT
Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures. New and changing threats and vulnerabilities are continuously discovered. Participants should continually review, reassess and modify all aspects of security to deal with these evolving risks.
  • 36.
IMPLEMENTATION PLAN
• Enacting a comprehensive set of substantive criminal, procedural and mutual assistance legal measures to combat cybercrime and ensure cross-border co-operation. These should be at least as comprehensive as, and consistent with, the Council of Europe Convention on Cybercrime (2001).
• Identifying national cybercrime units and international high-technology assistance points of contact and creating such capabilities to the extent they do not already exist; and
• Establishing institutions that exchange threat and vulnerability assessments [such as national CERTs (Computer Emergency Response Teams)].
• Developing closer co-operation between government and business in the fields of information security and fighting cybercrime.
  • 37.
REVIEW THE "2015 DIGITAL SECURITY RISK MANAGEMENT PAPER"
This is an update from the OECD in 2015: how does it differ from the 2003 recommendations? The paper is located on Blackboard.
  • 38.
2003 VS 2015
2003
1) Awareness
2) Responsibility
3) Response
4) Ethics
5) Democracy
6) Risk assessment
7) Security design and implementation
8) Security management
9) Reassessment
2015 General Principles
1) Awareness, skills and empowerment
2) Responsibility
3) Human rights and fundamental values
4) Co-operation
2015 Operational Principles
5) Risk assessment and treatment cycle
6) Security measures
7) Innovation
8) Preparedness and continuity
  • 39.
2003 VS 2015
The major change is that the focus of the Principles has been reoriented from the "security of information systems and networks" to the security risk to the economic and social activities relying on the digital environment.
  • 40.
SECURITY RISK TO THE ECONOMIC AND SOCIAL ACTIVITIES
  • 41.
CULTURE OF SECURITY
A focus on security in the development of information systems and networks and the adoption of new ways of thinking and behaving by all participants when using information systems and communicating or transacting across networks.
  • 42.
CULTURE OF SECURITY
To promote a "Culture of Security" among all participants who develop, own, provide, manage, service and use information systems and networks, whether those participants are from government, business or civil society. These guidelines have been the basis for considerable implementation efforts at the national level, and are the basis for Resolution A/RES/57/239 adopted by the 57th session of the United Nations General Assembly.
  • 43.
THE ROLE OF GOVERNMENT
Government has a responsibility to provide leadership in developing a culture of security. It should provide this leadership in each of its roles related to information systems and networks, which include the development of public policy, being an owner and operator of systems and networks, and being a user of such systems and networks. Of particular note in this regard is government's responsibility for (a) awareness-raising; (b) ensuring the provision of education and training; and (c) the provision of information resources to the public, an activity that also assists government in fulfilling its other roles.
  • 44.
THE ROLE OF GOVERNMENT
Government should recognise the increasing need for a comprehensive policy and institutional infrastructure to ensure public safety, security and economic well-being in response to the threats and vulnerabilities associated with globally interconnected information systems and networks. Governments are further encouraged to respond by establishing new or amending existing policy that may incorporate principles of the Guidelines. In doing so, principles in the Guidelines may need to be aligned with the national situation in the area, and with ongoing or planned national initiatives. Such initiatives may include policies to combat cyber crimes, such as:
  • 45.
THE ROLE OF GOVERNMENT
• Enacting a comprehensive set of substantive criminal, procedural and mutual assistance legal measures to combat cybercrime and ensure cross-border co-operation. These should be at least as comprehensive as, and consistent with, the Council of Europe Convention on Cybercrime (2001).
  • 46.
EU INITIATIVES
Within the EU there is limited legislation in the criminal field; this has typically been left to the individual nation states. The EU has adopted a Directive on combatting sexual abuse and exploitation of children. A general "Directive on Attacks against Information Systems" was adopted in August 2013. The Directive on security of network and information systems (NIS Directive) is the first EU-wide legislation on cybersecurity and came into force in 2016. (link below)
  • 47.
EU INITIATIVES: ACTIONS HAVING A HIGH PRIORITY
In February 2013 the EU Commission outlined its legislative priorities within the IT security field in a document entitled "An Open, Safe and Secure Cyberspace":
1. Achieving cyber resilience
2. Drastically reducing cybercrime
3. Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP)
4. Developing the industrial and technological resources for cybersecurity
5. Establishing a coherent international cyberspace policy for the European Union and promoting core EU values
  • 48.
ENISA
The EU has established the "European Union Agency for Network and Information Security (ENISA)". ENISA is a centre of expertise for cyber security in Europe. The Agency is located in Greece, with its seat in Heraklion, Crete, and an operational office in Athens.
  • 50.
ENISA
• Identifying national cybercrime units and international high-technology assistance points of contact and creating such capabilities to the extent they do not already exist; and
• Establishing institutions that exchange threat and vulnerability assessments [such as national CERTs (Computer Emergency Response Teams)].
• Developing closer co-operation between government and business in the fields of information security and fighting cybercrime.
  • 51.
EUROPEAN CYBERCRIME CENTRE (EC3)
Established in January 2013 as a component of the European Police Agency. "It will support member states and the EU's institutions in building operational and analytical capacity for investigations and cooperation with international partners." The purpose of EC3 is to make businesses and the EU safer through increased insight, knowledge and awareness raising.
  • 53.
INCREASED INSIGHT, KNOWLEDGE AND AWARENESS RAISING
Public Awareness and Prevention Guides
Internet Organised Crime Threat Assessment (IOCTA) Annual Report
  • 54.
INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA)
Each year, Europol's European Cybercrime Centre (EC3) publishes the Internet Organised Crime Threat Assessment (IOCTA), its flagship strategic report on key findings and emerging threats and developments in cybercrime — threats that impact governments, businesses and citizens in the EU.
  • 55.
Activity: Make a summary of the IOCTA 2020 Report
Create a summary of these sections (one slide for each student). Not text heavy; use images if possible. Chat in your breakout groups. You have 15 minutes.
Group 1: pg 11-22
Group 2: pg 23-33
Group 3: pg 34-41
Group 4: pg 42-53
Group 5: pg 54-59
  • 56.
CONCLUSION ON CYBERCRIME
Computer crime has occupied much legislative time around the world. The widespread adoption of the Council of Europe's Convention on Cybercrime indicates that this initiative has struck a chord.