Cyberspace has upended the way we interact and most of us are constantly hooked to it, creating value, and doing many other things. More people with their computers and a multitude of other devices are present in cyberspace, increasing both the size and diversity of the web, enhancing as well as novel cyber risks for users.
Numerous policies and regulatory measures have been proposed and also adopted lately to advance the security of users, through data protection as well as in the areas of financial services, maritime, aviation, medical devices and electronic communications.
Directors and company officers also face risks of personal claims for negligence or breach of fiduciary duty here. In the US, direct legal action has been taken against company directors, due to a cybersecurity breach. In the EU, the NIS2 directive also mandates management bodies of relevant organisations to review cybersecurity risk-management measures being implemented, oversee their implementation, and make them personally liable for failures with respect to the implementation of cybersecurity risk-management measures.
From a data protection perspective, the responsibilities of the data controllers are most relevant in the context of cybersecurity. Aside from the obligation to have processes and solutions that are data protection by design at heart, controllers and processors also must effectively implement appropriate technical and organisational measures to protect the personal information they intend to collect and process.
A careful reading of these provisions does not exclude active and preventive cyber defence measures. Active cyber defence generally involves cyber defence and security strategies in real time that go beyond simply preventive measures like using a firewall or antivirus.
However, is active self-defence legitimate in cyberspace? Self-defence provisions originate from land-based cases. They are recognised by most legal systems, and as a legal principle in international law. In Malta, legitimate self-defence is found in our Criminal Code. A careful read of Articles 224 and Article 227 of the Criminal Code limits self-defence only to cases of homicide or bodily harm.
Would this preclude a company or an individual in Malta to claim justifiable self-defence in cyberspace? I would dare say that at the outset that would seem to be the case, albeit it all depends on the actions pursued and the novel nature of cyberspace coupled with our legislative regime is not helpful here.
Let’s for the sake of argument say that the act of cyber self-defence resulted in unauthorised access (or attempting to gain such access) to a third-party device of the potential intruder. The way our computer crime provisions are drafted this would not legitimise nor excuse such an act.
Now consider this scenario. Using a ‘honey pot’ to identify intruders, their IP addresses, possibly Mac addresses, etc, I block them out of my system to stop the unauthorised access. This is deemed to be an active act of cyber defence. Would this measure be breaking any criminal law provisions?
Criminal Code limits self-defence only to cases of homicide or bodily harm- Ian Gauci
In today’s day and age, should some form of active cyber self-defence be allowed in specific circumstances, and should there be ad-hoc and clearer provisions at law?
Global cyber security threats have increased in recent years, with more sophisticated attacks as well as use of novel technologies. When companies are hacked, aside from the legal and regulatory permutations, the costs of rectifying the breach and recovering from downtime can spiral into millions. Cybercrime cost global economies around $787,671 per hour in 2021.
Over the course of the year, this amounts to $6,899,997,960 lost worldwide to cyber criminals. The average cost of a cyber breach in 2022 was $4.35 million. It is predicted that cybercrime costs impacting the global economy will to rise to $10.5 trillion by 2025.
One of the key reasons for these staggering figures is the lack of successful detection, investigation, and prosecution of cybercrime. The unharmonised nature of national and international laws, difficulties to identify, locate, prosecute, and arrest cybercriminals, lack of experts and technological factors that amplify the reach and scope of cybercrime are all limiting factors.
Another important limitation is the timeliness factor. In a hypothetical cyber self-defence activity, action can be preventive and prompt, when lawful enforcement comes in, most of the time any activity is ex-post the intrusion, with the crime already perpetrated and harm inflicted.
Given the prevailing scenario, unless the potential victims have the luxury to pre-determine and ascertain each and every case of cyber self-defence with a multitude of diverse permutations and assume the risks for that, they have no other avenues but to pay licence fees and resort to third party vendors and technical solutions to mitigate any possible intrusion, vulnerability or data breach and resort to the lawful enforcement community and cybercrime legal provisions only as a last resort.
The last resort is still wanting here. Criminal law’s main intent has always been to deter criminals and as much as possible prevent the infliction of harm. In cyberspace this is not the case. Other cybercrime prevention strategies ought to be considered.
Could this possibly include a study and consultation on the possibility to lay down ad-hoc legislative measures introducing the notion of legitimate use of cyber self-defence in certain pre-determined instances, thus paving the way for the new paradigm of activity in cyberspace?
Ian Gauci is managing partner of GTG, a technology-focused corporate and commercial law firm. This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.