In 1982, science fiction author William Gibson was the first to use the term “cyberspace.” His vision was akin to Cline’s “OASIS,” or the metaverse, but today the term has more nuanced meaning. Cyberspace is more than just 'the' internet: it encompasses all internets, and intranets, and does more to describe our modern-day, technologically-assisted connectedness than any one network does on its own. Our use of the internet has long outgrown simple information exchange. Once upon a time, the goal of the internet was just to enable to sending of data from one place to another. But now, with its continued integration into our lives, we can say that most of us live online, in part, together in cyberspace.

The internet is where we go to talk to our friends or families. It is where we buy our food and other living essentials. For a lot of people, it is how we earn our keep – regardless of whether you work in an office or not, almost all jobs make use of the internet in some way. And where there is money, crime is never far away. Cybercrime has turned out to be a very significant disruption to economies and to businesses worldwide. In fact, the economic loss felt globally due to cybercrime is projected to hit $10.5 trillion USD in 2025.

You read that right. This year marks the end of the projected increases in financial loss due to cybercrime as calculated by Cybersecurity Ventures in their 2016 “Hackerpocalypse” report. By comparison, if this figure were reported as a country’s GDP, it would rank third in the world behind the United States and China. There is more money lost annually due to cybercrime than is earned by any two European countries combined.

Cybercrime is almost as broad a definition as crime is in general. It includes things like information stealing and redistributing, copyright infringement, , , hacking and more. Further, criminals are always in search of new ways to make a quick buck, and the ease of access provided to them via cyberspace means

It is fair to say that criminals have been much quicker on the ball with their exploits of the internet than authorities have been with their governance of it. For a long time, countries and crime agencies not only lacked the skills to combat this crime wave, they crucially lacked the legalistic infrastructure to tackle it. But with the modernisation of legislature all over the world, the tide is beginning to change, and nowhere is that better exhibited than in the European Union member states.

In this article we will hold recent European Union (EU) legislation as an example and delve into some of the legal techniques and strategies that have been adopted by countries in their efforts to combat cybercrime and to hold cybercriminals accountable.

Defense and Mitigation

We typically see governments forming public sector cybersecurity agencies as opposed to contracting within the private sector, typically because of the sensitivity of the data involved in national security affairs - though countries like Russia and China have been criticised for their sponsorship of so-called private entities to carry out cyberattacks in the national interest. On the whole, a cybersecurity unit being integrated as a governmental agency provides better security over data as the databases can be owned directly by the government, and this also means they can more easily transfer this data between governmental departments.

There is also a great deal of collaboration in cybersecurity between members of the EU, NATO and the UN. There is also some evidence of collaboration between Russia and China, and between Russia and Iran. Collaboration on cybersecurity matters allows for sovereign entities to share data, software and skilled labour between each other, but is also a critical legislative capability. Cybercrime, carried out through cyberspace, is an international problem; therefore, the legislation that enables countries to defend themselves must also be termed to enable them to exact their jurisdiction beyond their own borders.

Additionally, governments require staff to man their agencies, and so we often see considerable investment into training programs designed to develop new talent. This is partly an education issue, where the skills needed to become a cybersecurity professional are not part of a standard school curriculum, and is partly an economic necessity: at present, the private sector is able to offer far larger salaries in this area than the public sector, so offering training as well as providing work experience is seen as a viable method for the government to fulfill its staffing requirements while also creating an alternative route into the industry for prospective candidates.

 Not only with regards to international treatise that might enable collaboration, or with the creation, funding and governance of new public sector agencies, but also in defining what data 'is'. Who it belongs to, how it must be treated, how it can be used, and so on. Only with this defined can real steps be taken in the protection of people in cyberspace.

Legislation

A landmark moment in European legislative history occurred in 2012 when the General Data Protection Regulation (GDPR) was proposed in a commission meeting led by then-Directorate-General for Justice Viviane Reding. This body of legislative work covered many of the bases - defining data, outlining its rightful treatment, and affording rights to data privacy to all European citizens. When it came into force in 2018, the echoes were felt in every country in Europe. The United Kingdom, for example, enacted the Data Protection Act 2018 to bring itself in accordance with the new EU ruling. Italy also issued amendments to its “Codice in materia di protezione dei dati personali” - the code regarding the protection of personal data, to bring it in line with GDPR. Soon enough, every member of the EU would enact legislation that enables the application of GDPR within their country.

The GDPR is an extra-territorial law. What this means is that, even for entities established outside of the EU, they must still exhibit compliance with respect to the treatment of personal data and/or data monitoring if it regards a citizen of an EU member state. That is why we have all collectively had to click "deny" on cookie pop-ups every day since 2018 no matter the website.

Being a regulation, it applies directly to all member states - this is an improvement over the directive that GDPR sought to replace. However, in order to achieve consensus, there are more than 30 areas within the GDPR in which countries are permitted to implement alternative legislation to that which is proposed by the regulation.

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

-General Data Protection Regulation

As of January 2025, the new Digital Operational Resilience Act (DORA) will also begin to be applied, having already come into force in 2023. This act is focused primarily in the protection of the financial private industries in EU member nations, identifying that attacks made against these institutions can have devastating effects on the economy, as well as exposing some of the most sensitive data of affected individuals.

Conclusion

The European Union leads the way when it comes to ensuring the rights of its citizens over the treatment of their personal data and their privacy and security in cyberspace. The regulation, which aimed to give accountability to those who committed malpractice over data protection, as well as improve the resilience of the European economy, has had earth-shattering ramifications, and brings individuals a step closer to enjoy rights on the internet in much the same way as they do rights in the real world. If it can continue on this path, it might set a good example for other countries and international unions across the world, which would better enable international collaboration in the fight against cybercrime for years to come.

Sources

https://cybersecurityventures.com/hackerpocalypse-original-cybercrime-report-2016/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

https://english.elpais.com/international/2024-02-12/ukraine-claims-russia-uses-its-cooperation-with-china-to-carry-out-cyberattacks.html

https://www.economist.com/middle-east-and-africa/2024/08/15/irans-electronic-confrontation-with-israel

https://gdpr-info.eu/

https://www.garanteprivacy.it/codice

https://www.gov.uk/data-protection

https://ec.europa.eu/commission/presscorner/detail/en/memo_14_60

https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.