A cyber cooperation agenda with the US

Mohamed Naufar, Mohamed Anwar Mohamed Riskan and Ahamed Milhan Hayathu Moahmed were charged in December 2020 in federal court in Los Angeles for actions related to the Easter bombings in Sri Lanka in 2019, according to a US Department of Justice statement issued on 8 January

Opportunities for effective policy intervention are described as policy windows. Some are unpredictable, like an epidemic or some scandal. But some policy windows are predictable, especially in countries which hold elections based on a regular schedule.  

It is well known that the assumption of duties by a new President in the US is a policy window. When the new President’s positions and approach are fundamentally different from his predecessor’s, the opportunities afforded by the policy window are even richer.

Everyone who has an interest in influencing the actions of the US Government knows this. Therefore, every incoming administration is inundated with policy briefs and notes. The challenge is to get one’s voice heard. For the Government of a small and distant country such as Sri Lanka this is tough. In these circumstances, various parties, including some hucksters, make their pitches for our Central Bank and other funds, promising access.

A niche strategy is less challenging. Every incoming US President appoints around 4,000 senior officials. Instead of aiming for the inner circle where the competition for attention is most intense, there is merit in aiming for officials likely to be appointed to positions responsible for more esoteric subjects. Cyber cooperation is one area with such potential.

Cybercrime

Mohamed Naufar, Mohamed Anwar Mohamed Riskan and Ahamed Milhan Hayathu Moahmed were charged in December 2020 in federal court in Los Angeles for actions related to the Easter bombings in Sri Lanka in 2019, according to a US Department of Justice statement issued on 8 January. All three persons are in custody but are yet to be charged here.    

The 70-page affidavit submitted by the FBI reflected the work of Sri Lankan, as well as US investigators. The data relevant to the case was transferred under the provisions of the Budapest Cybercrime Convention to which the US and Sri Lanka are parties. Sri Lanka is the only South Asian country among the total of 65 which are party to the Convention. It is noteworthy that only Japan, the Philippines and Sri Lanka are among the signatories from East, South East and South Asia. Expediting the above case under Sri Lankan law using what is likely to be high-quality evidence assembled for the US indictment would be a concrete indication of our engagement in actions against terrorism. If for some reason, it is difficult to process the case in Sri Lanka (why else have charges not been brought here?), there may be merit in cooperating with the US case. In either case, Sri Lanka would get on the radar of key decision-makers responsible for cyber matters. 

The above illustrates a successful recent instance of multilateral cooperation about cybercrime contributing to action against terrorism. In 1998, a Sri Lankan investigation of credit-card fraud which was assisted by the FBI is said to have triggered further investigations that led to the taking down of a major multi-country child pornography network.  

But we must look to the future. Some of the greatest threats to our economy and society come from inherently global or placeless cybercrime.

In 2016, the Federal Reserve Bank of New York cleared five transactions made by criminals who had hacked into the Bangladesh Bank (that country’s central bank). On 4 February 2016, the Fed’s system sent $ 20 million to Sri Lanka and $ 81 million to the Philippines. A sharp-eyed employee of the Sri Lanka bank noticed a typo in the instructions and initiated a query that led to the $ 20 million being saved.  Most of the money that went to the Philippines could not be recovered. No arrests have been made.

The massive losses suffered by a developing country and the failure to locate the culprits illustrates the enormity of the cybercrime challenges faced by all countries, especially those with weak cyber defence capabilities. Building defences against transnational crime, and for effective investigations, is an area with much potential for cooperation.    

The CLOUD Act 

For several years, Microsoft and US law enforcement authorities were deadlocked on access to electronic evidence needed for a case against US individuals in a US court which happened to be stored on a foreign server. The US authorities insisted that Microsoft, as a US company, was duty bound to yield the evidence. Microsoft argued that it was bound by the laws of the country where the server was located and could not provide the evidence.  

The solution that was worked out was the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which creates a framework for bilateral agreements that would allow the US and certified countries to lawfully access data kept in each other’s territories.  

These foreign countries must meet baseline human rights standards and provide important privacy and rule of law protections in their domestic law that govern law enforcement requests. Additionally, any legal obligation to comply with a foreign order issued pursuant to a bilateral agreement under the CLOUD Act will arise only under the laws of a foreign government that entered into a bilateral agreement with the US.

This could serve as an effective response to the rising pressure for data localisation, which has serious implications for the business models of global platform companies. Large economies may be accommodated by the platform companies, but it is unlikely that small economies such as Sri Lanka will get what they want.  

These countries may find themselves excluded from services if they insist on data localisation. Certification under the CLOUD Act will raise data protection standards. It could also make Sri Lanka an attractive location for locating data centres.