Today’s sociocultural system is demanding the people to be online, transferring money, marketing products, corresponding with counterparties, or storing business data in cloud systems and in many other daily business functions.
The invisible border separating the real and virtual worlds vanished a long time ago. Just as the outstanding scientist Stephen Hawking puts it “We are all now connected by the Internet, like neurons in a giant brain”; the Internet connects people and creates a virtual and living environment built on ones and zeros; called the Cyberspace.
The advent of the Cyberspace has brought about numerous security risks both for the users and the security agencies of nation states. Attackers using cyberspace can inflict crucial damage by targeting financial institutions, accessing and leaking national secrets or compromising the physical security of critical infrastructure exposing states to cyber-attacks, such as the Stuxnet worm which targeted Iran's nuclear facilities and many more which are not even publicly disclosed. Some of the other globally known instances may be summarized as follows;
In 2014, one of the biggest banks in the world lost 2.7 million customer data, damaging its credibility and reputation.
In 2016, the leading ride hailing company famous with its application was hacked and personally identifiable information (PII) of 57 million drivers and customers was stolen.
It became public in 2017 that one of the leading audit firms (which was ranked as the best cybersecurity firm in 2012) have been hacked since 2016 and 143 million US customers and 400.000 European customers’ PII was stolen.
In 2016 it became public that the Turkish Social Security Institution (SGK) was hacked for an unknown period of time and vast amount of PII was stolen, incurring an estimate of TRY 6 million damage.
It is quite challenging to identify the cyber attackers, because they rarely leave traces behind them. In most cases, cyber attackers do not need expensive or exceptional instruments to conduct adversarial action. As a matter of fact, facilitating the access to public IT resources and its growing importance in the operation of both public institutions as well as private organizations result in increased vulnerability. With the exception of few attack types, such as distributed denial-of-service (“DDoS”) attacks, most cyber threats exploit the security holes of the target system and exploit the lack of sufficient countermeasures. Most of the time victims are not even aware of these weakness in their defenses which makes it quite difficult to foresee, disarm, and deter cyber adversaries and gives the attackers an asymmetric advantage.
Therefore, the key indicator of how seriously nations are prone to cyber threats lies in countries’ own cyber capabilities awareness. Unfortunately, the developments in the cybersecurity policies, legislation and national capabilities of Turkey a long way to go and a huge potential to fulfil. However, Turkey is an interesting case, since as of 2017; 66,8% of Turkish citizens have Internet access (97th place globally), yet the country has been the 5th biggest originator of cyber-attacks all across the world in the past. Hence, we believe that Turkey has a huge potential in R&D and HR which are essential for long-term success in cyber operations, if government planning can be merged with the private sector efforts.
Cyber-attacks were often handled as minor issues that require the application of civil law and public order actions and some of them turn into national security issues if left unattended. Cybercrime was first introduced in Turkish Criminal Code with an amendment on 1991 defining "Information Technology Crimes" as illegally obtaining software and other electronic data from a computer or the use, transmission or copying of such with the aim to harm any party. Later on, the definition was even expanded on 2004 and the concept of Cybercrime was implemented.
In addition to such limited pieces of legislation including some other provisions, the Turkish administration drafted and started to publish Action Plans in 2012. Despite some setbacks in first years, it passed by without a solid plan, leaving aside any action in 2016, and it was decided to activate legal arrangements concerning cybersecurity and draft a Cybersecurity Law which has not yet even proposed to the General Assembly. Since it takes usually years for a draft law to be enacted, we have to be realistic and be ready to wait for many years to come.
Hence, there's a whole heap of work to be done in Turkey, we should take real steps as soon possible to catch up with international innovations and technological developments in order to be able to prevent cyber-attacks and maintain a safer and stable economy. Accordingly, legislations should be enacted expeditiously and meticulously in order to cover cybercrimes and deter cyber-attackers.
Even in the presence of all possible national legislations and government policies, we believe that sustainable security and safety in cyberspace will be not be fully utilized until governments agree on an internationally recognized basis for legal actions and address the legal problematic of “jurisdiction” and “attribution of a crime” which constitutes a huge obstacle for all legal practitioners and law enforcement agencies fighting cybercrime.
By Efe Kınıkoglu, Partner, Moral Law Firm