Cybercrime and cybersecurity

For each kind of crime in the analog world, there is an equivalent in the digital world. For instance, theft of property or identity can occur digitally. Hostage taking, ransom holding, attacks on critical infrastructure—these occurrences that amount to crime in the real world have a cybercrime parallel in the virtual world.

Cybercrime laws provide enforcement powers against such violations. Cybercrime may have a wide range of meanings depending on the country, legal instrument and context in which the phrase is used, but in general a country should have laws in place addressing criminal conduct—as provided in the country’s criminal laws—directed against the confidentiality, integrity and availability of computer systems and networks, as well as the data stored and processed on them, and criminal acts carried out through the instrumentality of such systems, networks, and data. This broad approach to the definition of cybercrime is drawn from the World Bank Toolkit on Combatting Cybercrime (World Bank 2017).

Typically, a cybercrime law will criminalize unauthorized access, use or alteration to personal data or ID systems, including the criminalization of:

  • Unauthorized access to ID systems or other databases holding personal data

  • Unauthorized monitoring/surveillance of ID systems or other databases holding personal data or unauthorized use of personal data

  • Unauthorized alteration of data collected or stored as part of ID systems or other databases holding personal data

  • Unauthorized interference with ID systems or other databases holding personal data

Good practices include:

  • Considering maintaining separate laws for cybersecurity and cybercrime. In some countries, cybercrime legislation does not provide sufficient coverage for cybersecurity measures. If the laws are combined, ensuring that cybersecurity of national critical information infrastructure is comprehensively covered and maintained.

  • Clearly stating the penalties for cybercrime violations but also for breach of obligations by critical national infrastructure holders

  • Defining a timeline for reporting cybersecurity incidents to the authorities

  • Establishing clear powers for a computer emergency response teams (CERT) to prevent and investigate cybersecurity breaches

  • Establishing clear powers for a Ministry of Justice’s cybercrime Prosecution unit

  • Considering provisions requiring cybersecurity service providers and products to be licensed and auditable

  • Establishing a legal framework that sets standard for IT security of government information system and databases and their auditing