North Carolina Journal of International Law

"Connecting North Carolina to the World of International Law"

Current Limits Regarding the International Prosecution of Cybercrimes

By: Phil Pullen








The probability that the science-fiction doomsday scenarios involving a key piece of critical infrastructure, such as a state’s nuclear arsenal or electric grid, being taken down has risen from “highly unlikely” to “probable” in recent decades, sending shivers down the spine of just about anyone.  It’s not just the fact that companies and governments are struggling to protect their information and infrastructure in the cyber realm that worries citizens, corporate officers, and government officials alike, but also the fact that law enforcement agencies are having difficulty finding and prosecuting the cybercriminals responsible for these types of attacks.[1]  There are a number of reasons why law enforcement agencies around the world have difficulty identifying suspects of cybercrimes, extraditing them to their own country, and collecting enough evidence to secure a conviction.[2]  These include difficulties in identifying jurisdictional boundaries between states, an international inter-law enforcement agency backlog in sharing information related to cybercrimes, and the creation of “cybercrime havens.”[3]  In response, states may now seek to re-invent the longstanding relationships and understandings between their own internal law enforcement agencies and those of other countries.[4]  In the end, states must work together in deciding on what constitutes a cybercrime internationally, facilitating inter-agency collaboration amongst the law enforcement agencies of various states in identifying suspects and collecting evidence, and attracting states to adopt more concrete and rigid international agreements related to cybercrime.

One of the main obstacles law enforcement agencies face in pursuing cybercriminals around the world has been the creation of “safe havens” for cybercriminals in certain states.[5]  Cybercrime “safe havens” are those states which cybercriminals take refuge in after the commission of a cybercrime, or those states cybercriminals initially launch cyber-attacks from.[6]  These particular states provide a soft landing spot for cybercriminals due to their inability or reluctance to cooperate in their investigation and prosecution with other states.[7]  Further, considering how intangible cyber networks around the world are, there is no requirement that one wishing to do harm in one state actually be there physically.[8]  As a result, most cybercriminals attack from within states outside of their targets, and often seek refuge in states that either refuse to cooperate in their investigation, or simply don’t have the means to.[9]  These states, characterized as “safe havens” or “cybercrime havens,” run the gamut from states like Russia, which tolerates and sometimes even encourages cybercrime, to those like the Philippines, which do not have the resources to assist in pursuing cybercriminals.[10]

Even states which are intent on helping other states pursue cybercriminals (like the U.S. and U.K.), nevertheless often fail to help other law enforcement agencies because of weak data gathering ability and complicated extradition laws.[11]  For example, in 2000 a virus called the “Love Bug” was sent around the world, “shutting down business and government computers in over 45 countries and causing billions of dollars in damage.”[12]  The FBI traced the virus to a man named Onel de Guzman, who was located in the Philippines.[13]  However, at the time, the Philippines had no cybercrime law whatsoever, and therefore, what Guzman did technically was not illegal.[14]  As a result, he could not be extradited to the U.S.—where disseminating the virus was a crime—because Filipino extradition treaties require that the accused actually commit a crime in the Philippines.[15]  As a result, no one, including de Guzman, was ultimately prosecuted for the “Love Bug” attack.[16]

Conversely, some states, like Russia, have turned into cyber-crime safe havens because of their general reluctance and unwillingness to assist in the prosecution of cybercriminals.[17]  For example, also in 2000, American businesses including the Central National Bank of Waco, Texas and Nara Bank N.A. of Los Angeles, California)[18] were hacked by two Russian nationals – Alexi Ivanov and Vasiliy Gorshkov.[19]  Although Russia had laws criminalizing hacking at the time, it did not have an extradition treaty for cybercriminals with states like the United States.[20]  Consequently, the hackers were not extradited to the U.S. and were only ultimately captured, and prosecuted, by the FBI during a sting operation in Seattle later that year.[21]  Therefore, although the two scenarios, and states, are ultimately different from one another in the ways in which they are ineffective in contributing to the extradition and prosecution of cybercriminals, the states are similar in that they are both still “cybercrime havens.”[22]

Alternatively, those states with the technical, substantive, and procedural mechanisms to criminalize cybercrimes and extradite cybercriminals, as well as with the desire to work with international partners in prosecuting cybercrimes, are ideal for cooperating with states interested in pursuing cybercriminals.[23]  The push, then, on behalf of countries like the U.S. and U.K. is to help states conform to these requirements.[24]  As a result, according to Megan Stifel, a former attorney with the Department of Justice’s National Security Division, “‘the Justice Department has been working with countries to modernize their substantive laws to criminalize cybercrime activities and help investigators’ acquire the data they need.”[25]  Further, there is an international push for an increase in international agreements related to addressing these concerns.[26]  One example is the Council of Europe’s Convention on Cybercrime, which is “based on the premise that harmonizing national laws will facilitate cooperation between law enforcement officers investigating cybercrime and eliminate the haven scenario by ensuring that cybercriminals can be prosecuted and extradited for prosecution.”[27]

States face additional barriers to prosecuting cybercriminals because of jurisdictional concerns as well.[28]  The inherent nature of cyber-attacks force states to discard traditional jurisdictional models, which are primarily based on territoriality, and adopt new jurisdictional boundaries to deal with this growing threat.[29]  Since states generally only have jurisdiction over their own territory, they face the challenge of establishing jurisdiction over criminals who can commit crimes within the territory of the state, without actually ever being physically present there themselves.[30]  As a result, many states have begun enacting laws which allow them to extend their criminal prosecutorial arms outside of their territorial borders.[31]

Increasingly, the United States is expanding its reach over cybercrimes committed outside of its territorial boundaries.[32]  Congress has, in fact, has passed laws which permit enforceability of domestic laws outside the territorial boundaries of the United States.[33]  An example is Section 1029 of the USA PATRIOT Act of 2001, which permits the Department of Justice to have jurisdiction over “[a]ny person who, outside the jurisdiction of the United States, engages in any act that, if committed within the jurisdiction of the United States would constitute an offense” under the section.[34]  Similarly, many states within the U.S. have passed laws permitting the exterritorial application of their own criminal laws.[35]  In North Carolina, for example, “cyberstalking is committed even when the person who sent electronic mail or communication is outside of North Carolina[.]”[36]  Internationally, the United Kingdom passed the Computer Misuse Act of 1990, which requires that the cybercrime be significantly linked to the United Kingdom in some manner.[37]  If the cybercrime is significantly linked to the U.K. then the crime would not have to have occurred in the U.K., and the act itself does not have to be a crime in the territory where it took place.[38]  As these examples illustrate, states are dealing with this jurisdictional issue by simply allowing themselves to have jurisdiction over individuals who commit crimes outside of their territory.  However, the level of encroachment of these types of laws remains to be seen.

Finally, the law enforcement agencies of various states still do not do a great job of sharing information with one another.[39]  And even when they do, this information sharing takes a great deal of time, and is extremely attenuated.[40]  Generally, states seeking information on cybercriminals from other states use Mutual Legal Assistance Treaties (MLATs), which “govern[] data exchange across international jurisdictions.”[41]  However, these treaties were created in the 1970s and have not yet been modified to satisfy the needs of information sharing in the twenty-first century (i.e. the types and speed with which information must be shared).[42]  It generally takes about 10 months for the U.S. alone to respond to other state’s MLAT information requests, and it’s generally a longer period of time for states responding to U.S. MLAT requests.[43]  The concern is that once this information is received from the other state, the cybercriminal who committed the crime there has long since disappeared and destroyed any evidence left along the way.[44]  “Using an MLAT to conduct a search of residences or offices in a foreign country weeks or months after targets learn of an investigation is futile [. . .] [t]he evidence is long gone before agents actually hit the door to conduct a search,” said Edward McAndrew, a partner at Ballard Spahr who represents victims of cybercrimes.[45]

Ultimately, whether it be expanding jurisdictional limits or establishing new treaties between states, interstate cooperation is key to addressing this growing international threat.  Moreover, states who are not traditionally victims of cybercrimes, and those who may continue to not be victims, still need to become more involved in the process of prosecuting these cybercriminals.


[1] See Roger Grimes, Why it’s so hard to prosecute cyber criminals, CSO (Dec. 6, 2016, 3:00 AM), [].

[2] Id.

[3] See id.; Susan Brenner & Joseph Schwerha, Cybercrime Havens, 17 Bus. L. Today 2 (2007); Bradley Barth, Cybercriminals find many safe havens, SC Media (Nov. 1, 2016), [].

[4] See Brenner & Schwerha, supra note 3.

[5] Id.

[6] See id.

[7] See id.

[8] See id.

[9] Id.

[10] Brenner & Schwerha, supra note 3.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] Brenner & Schwerha, supra note 3.

[17] Id.

[18] Art Jahnke, Alexey Ivanov and Vasiliy Gorshkov: Russian Hacker Roulette, CSO (Jan. 1 2005, 7:00 AM),–russian-hacker-roulette.html

[19] Brenner & Schwerha, supra note 3.

[20] Id.

[21] Id.

[22] Id.

[23] Barth, supra note 3.

[24] Id.

[25] Id.

[26] See Brenner & Schwerha, supra note 3.

[27] Id.

[28] Adel Azzam Saqf Al Hait, Jurisdiction in Cybercrimes: A Comparative Study, 22 J. of L., Pol’y, & Globalization 76 (2014) (hereinafter Jurisdiction in Cybercrimes).

[29] See Id. at 78.

[30] Id. at 75.

[31] Id. at 78-80.

[32] Id. at 78.

[33] Id.

[34] Jurisdiction in Cybercrimes, supra note 28, at 78.

[35] Id. at 79

[36] Id. at 79.

[37] Id. at 80.

[38] Id.

[39] See Barth, supra note 3.

[40] See id.

[41] Id.

[42] Id.

[43] Id.

[44] Id.

[45] Barth, supra note 3.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *