The salient point of this episode revolves around the intricate relationship between cybersecurity and cyber law, emphasizing the challenges faced in regulating the rapidly evolving digital landscape. I, Joe Carson, host of the Security By Default podcast, engage in a profound dialogue with our esteemed guest, Pamela Victor Ibitamuno, a legal expert with a unique background in penetration testing. Pamela elucidates her journey from experiencing cybercrime victimization to her commitment to merging her passions for law and cybersecurity through the field of cyber law. This discussion critically examines the difficulties legal professionals encounter in comprehending technical aspects of cyber incidents, as well as the pressing need for legal frameworks that genuinely address the complexities of cybercrime rather than merely responding to technological advancements in haste. Ultimately, we explore the necessity for a collaborative approach between legal practitioners and cybersecurity experts to establish effective regulations that safeguard society while fostering innovation.
In this episode of the Security by Default podcast, host Joe Carson engages with Pamela Victor Ibitamuno, a lawyer with a unique background in penetration testing. They discuss the critical intersection of cyber law and cybersecurity, exploring the challenges faced in prosecuting cyber crimes, the importance of understanding intent, and the need for adaptive legal frameworks in the face of rapid technological advancements. The conversation also delves into the role of AI in the legal field and how professionals can stay updated in this ever-evolving landscape.
Takeaways
- Pamela’s journey from penetration testing to cyber law highlights the importance of understanding both fields.
- Legal professionals often struggle to grasp the technicalities of cybersecurity.
- Regulations may not effectively address the problems they aim to solve.
- Cyber crime often transcends borders, complicating prosecution efforts.
- Partnerships between tech companies and governments can enhance cyber crime prevention.
- Misconceptions about hacking can hinder legal processes.
- Intent is a crucial factor in determining the legality of cyber actions.
- The law is lagging behind technological innovations, necessitating updates.
- AI can streamline legal processes but cannot replace human empathy.
- Staying informed through conferences and subscriptions is vital for legal professionals.
Chapters
- 00:00 Introduction to Cyber Law and Its Importance
- 02:57 Pamela’s Journey: From Penetration Testing to Cyber Law
- 06:08 The Intersection of Law and Cybersecurity
- 08:50 Challenges in Cyber Crime Prosecution
- 12:04 The Role of Intent in Cyber Crime
- 14:58 The Need for Adaptive Legal Frameworks
- 17:50 AI’s Impact on Cyber Law
- 20:53 Staying Updated in Cyber Law
- 23:59 Conclusion and Future Outlook
The exploration of cyber law within the context of cybersecurity unfolds through a compelling dialogue between myself, Joe Carson, and Pamela Victor Ibitamuno, a legal expert whose background in penetration testing profoundly informs her perspective. Pamela recounts the genesis of her interest in cyber law, rooted in her experiences as a victim of cybercrime, which ignited her curiosity about the methodologies employed by cybercriminals. This personal narrative sets the stage for a broader examination of the systemic challenges that legal professionals encounter when attempting to navigate the complexities of cyber law. We delve into the critical interplay between legal frameworks and the rapidly evolving landscape of technology, emphasizing the necessity for laws that are not only reflective of current threats but also adaptable to future innovations. A salient point of our discussion revolves around the urgency of establishing cohesive regulatory measures that adequately address the dynamic nature of cyber threats. Pamela articulates the difficulties that arise when legal statutes lag behind technological advancements, particularly in the realm of international cybercrime. The conversation highlights the imperative for legal practitioners to possess a comprehensive understanding of the technical intricacies involved in cybersecurity to ensure effective prosecution and enforcement of laws. Furthermore, we explore the challenges of jurisdictional discrepancies that complicate the investigation and prosecution of cybercriminals, underscoring the need for enhanced international cooperation and standardized protocols to combat these global offenses. As we traverse the complexities of cyber law, we also consider the potential implications of artificial intelligence on legal practices. 
While acknowledging the advantages of employing AI to streamline legal processes, we emphasize the irreplaceable role of human judgment and empathy in delivering personalized legal counsel. The episode culminates in a thoughtful reflection on the future of cyber law, advocating for a legal system that evolves dynamically in response to technological advancements, thereby fostering a secure and just digital environment. This discussion illuminates the critical need for ongoing collaboration between cybersecurity experts and legal authorities to effectively address the multifaceted challenges posed by cybercrime.
Transcript
Hi, everyone. Welcome back to another episode of the Security By Default podcast.
I’m the host of the show, Joe Carson, chief evangelist and also advisor CISO at Segura, and it’s a pleasure to be here with all of you.
I’m always looking around for interesting topics, great, exciting ideas, thought leadership, and bring in guests who we can really add interesting insights for you. And today’s topic’s an interesting one.
It’s one that’s kind of, quite kind of, let’s say, always kind of, you know, sitting on two sides of the fence where physically where we’re looking at the security aspects of things, but also the legal side of things. I think it’s really important that we talk about the topic of cyber law.
So I brought on a guest who’s got a background and experience from a legal perspective and legal side of things. So, Pamela, welcome to the show. Welcome to the episode.
If you want to give the guests a bit of knowledge about you as a person, maybe your origin, how you got into the industry, did you start in cyber, or did you start from a legal side of things and some interesting things about yourself.
Pamela Victor Ibitamuno: Okay, so my name is Pamela Victor Ibitamuno and I’m a lawyer. And I started the journey with penetration testing after university. I for my penetration testing.
But I just learned a few things about penetration testing and it really got me interested because, like, I’m a very curious person. I ask a lot of questions.
I think one of the things that really made me want to get deeper was after I lost my bitcoins, because I was savage, and the same person I had gotten it from had my wallet address and my private keys and was able to like, hack back into my wallet and then transferred the bitcoins that I had into their wallets. So I already also had another experience where I was impersonated. Someone impersonated me, used my identity and got money from different people.
And people always thought that I was the one that did that. So I’m like, how do I, how do these bad guys think, like, what really goes on on their minds?
How do they come up with all these strategies to be able to cover their tracks without people knowing that they are the ones that did these stuffs? I’m like, okay, one way you can actually secure is to think like the bad guys. Let’s, let’s, let’s do this. Let’s see what happens.
And that was how I started with like, penetration testing. And then, like, after a few months, I had to stop and go to the law school in my country to become a lawyer.
And I was just thinking about how to like merge my interest, like my interest in the cyber space and also like my passion for law. And I just didn’t want to like go outside of the legal field. I’m like, okay, you know what?
I, there’s still a need for someone like me that has my interest, that has my passions, my talents and let’s see how we can merge this thing together. So I’m like, okay, what opportunities are there? And I’m like, you know what, let’s, let’s look into cyber law.
And that was how the cyber law journey started for me. Yeah.
So I’ve worked with technology law firms and like Stefan non-governmental organizations in Africa and I’m currently studying for my master’s in cyber law here in the United Kingdom. Like I’ve been also invited by the United Nations and Council of Europe to sit on global discussions for cyber, cybercrime and Internet governance.
And I’m so excited to be on today with Joseph King Carsten.
Joseph: Thank you. It’s a pleasure. I mean it’s great to have you here.
One of the things that’s really interesting is that from your journey didn’t usually when I speak to a lot of lawyers and I sit in panels and we have discussions, their background was very much on the law side of things. And then they, they kind of moved into the cybersecurity aspect of things. Yours is very much reversed.
You started off in penetration testing and also, you know, had been victim of crimes and then followed your passion in getting into the, the, the cyber law side. That’s a very different than most of the legal aspects that I’ve kind of had interactions with in the past.
Where do you see what’s one of the big fundamentals when you think about your experience in from a security also having victim as well and law, what do you think? Where’s the overlapping areas? Where do you see the interactions and the correlation between the two?
Pamela Victor Ibitamuno: Okay, so one of the overlapping areas is the difficulty for like legal professionals to really understand the technicalities like really happens. So there’s this difficulty in really regulating. So it feels like we’re trying to come up with laws, we’re trying to come up with regulations.
And we are doing this so quickly to make sure that there’s a regulation. But are the regulations actually solving the problems that’s been there or are they like creating more problems because there’s this haste? Okay.
There’s a trend in technology, there’s this innovation AI is there we need the regulation. So there’s this haste to come up with a regulation. And it feels like we just want us to have that regulation.
So we know that, okay, there’s a regulation, but are we really handling, is it really tackling the problems that have made that regulation, the need for that regulation to arise?
So that is another thing and another thing that I have also seen play out is the difficulty for judges to really appreciate, like for forensic investigations, forensic evidence in court evidence, sometimes the fact that you can have a very good case, then like because of the delay in the judicial system, you can lose data and the cyber criminal goes scot free. Nothing is done. So we’ve seen cases where a lot of people have been tried, but not so many of them have been convicted.
So I think that is another overlapping area. And one thing I really also find interesting is that when it comes to security, when it comes to cyber security, it is not just for the government.
Yes, the government is really regulating. I feel like there has to be some sort of partnership that makes it easier.
There’s also issues of extradition when the crimes have committed in different countries. So like there are lots of things that have to be treated and really looked into.
Joseph: Absolutely. One of the things I do find that most, most cybercrime is cross border, which always makes it very challenging.
Which means that typically it’s not a single law enforcement can, you know, completely investigate the crime alone. They tend to have to have international cooperation.
And that definitely does mean that from a jurisdiction perspective and also from a timeline perspective, to your point that a lot of the digital crimes can take much, much longer to go through the criminal justice system.
And also then the challenge is about the chain of custody of evidence is how do you make sure that it’s non reputative when it comes into the law side of things.
Because how can you prove who was sitting behind the keyboard on the computer at the exact time when many cases it might be committed from a cyber cafe or an Internet cafe, which has many people touching that computer over that space of time. So the jurisdictions definitely a massive challenge. And also chain of custody is a major challenge as well.
Pamela Victor Ibitamuno: Yeah, I think there’s something interesting about Microsoft that so many other companies can learn from.
Like I think Microsoft has been, they are doing a lot to like get cybercriminals, not just like convict them, like getting sanctions, but also getting orders from the courts to restrain them. One of the things that I really find interesting about Microsoft is the fact that they are also building like partnerships with governments.
I think There was the recent case where they had a cyber criminal in Egypt. And because of the relationship that they had with the government of Egypt, they reached out and they were able to get that.
So I think like different, other technology companies can have that partnership with the government of different countries. So it’s easier and form that relationship. Yeah, so it’s also, also helps. And then I think another thing I just thought about is the issue of hacking.
So there’s still this misconception about hacking. Like once you say you’re a hacker, everybody looks at you like you’re a bad guy.
Joseph: It’s the branding side that we have, which everyone assumes that the term hacker with a context is malicious.
Pamela Victor Ibitamuno: Exactly. And I think that is another issue that the law is facing.
In some jurisdictions they are able to differentiate ethical hacking from malicious hacking, but in so many jurisdictions they are still the same. And even in the jurisdictions where they have been able to differentiate ethical hacking from malicious hacking, there’s still an overlap.
So there’s one thinking about criminal law is that the first thing you have to like prove that this is actually unlawful, and then the act that has been committed is unlawful. And then you also have to prove that the elements for a crime have been found in that act that has been committed.
And then like one of the things that constitutes the ingredients or the ingredients of crime is that there be an actus reus and mens rea, depending on the jurisdiction. So like for here in, in my, my home country, there has to be mens rea, here in England, so there has to be mens rea and actus reus.
Like the mens rea is the act itself, the act committed. The mens rea, rather, is the intention. Mixed that up. The intention of committing a crime, and then the actus reus is the act that has been committed.
So, so you have to prove that this person had the intention of committing that crime and then he went ahead to commit that crime in itself. So normally for different crimes you have to prove that there’s a mens rea and actus reus.
But I think that the cybercrime is treated differently because they only require that there’s this proof of the actus reus. And then the mens rea is not really considered. And I’m like, it’s crime. Even if it was committed on the Internet, it’s still crime.
So why is, why is the elements of crime not playing out? There has to be that this person had that intention to commit a crime because I might have committed this, like not intentionally.
Maybe I was doing it for the good of the society.
Maybe I was hacked into a system to find vulnerabilities and it’s for the good of the public and because I did that out of my good intention, I’m non prosecuted. It doesn’t really make sense.
But because there’s also a difficulty in proving the mens rea, I think sometimes some security researchers might be confused and they’re like, doesn’t mean that I really have to prove that I had the intention. But in criminal proceedings it is left for the prosecution to prove.
So like it is not the responsibility of the cyber security professional to prove that had the intention. And that also makes it difficult for prosecutions to prove. So there’s a tendency that the actual criminals can also like go scot free.
I feel like there has to also be a lot done like some trainings for prosecutors and the judges to be able to appreciate these things. If not, it’s going to continue going in circles and we will not be able to go forward from this.
Joseph: So yeah, yeah, absolutely.
For me, I mean I’ve been in that situation myself a number of times as a security researcher and it’s been fortunate enough to that because of my connections and peers, they know that my motivations intentions have always been for the, you know, making the world a safer place. But that’s not always the case.
I remember there’s been the cases in the US where the journalists by simply hitting the F11 on the, on the browser shows the HTML code and that action then led to basically it being considered a hacking crime. But the motive was there in order to make the, you know, it was the intentions was to make it safer and to report vulnerability and disclosure.
So it’s always like the case that. I think you’re absolutely right that not just the action but the motivation has also to be very important.
Was this person’s intention to report a problem.
It’s almost like a whistleblower in many cases that they’re showing that there’s this risk and abuse potential risk to society and therefore they’re reporting it. One of my favorite panels I’ve ever sat on was many, many years ago over.
It was about 12 years ago in Estonia and, and it was the national cert in the panel. It was actually a panel of law enforcement, different law enforcements from around the world.
And then there was the panel of hackers and that was interesting because we were having conversation about responsible vulnerability, disclosure about how to make sure you’re doing it without breaking the law. Because in many cases you might be in a gray area, a very, very fine line about whether you’re stepping over it or not.
And it was a really, it was a fascinating panel. I’d love to run it again because it was so intriguing and that a lot has changed over the years.
One question I’ve got for you is that, you know, one thing is, is how far back is the law with technology?
Because we’re seeing technology advance so quickly, especially in the last year or two, we’ve seen the law getting to the point where, for example, we’ve had AI acceleration so quick and so fast.
How outdated is the law and how, how can we address it so that we can make sure it’s much more dynamic and adaptive and agile to the technology advancements?
Pamela Victor Ibitamuno: Okay, so like recently there was the, the Council of Europe had like a convention. And one of the things is that the AI acts.
But the thing is it also depends on different jurisdictions to like adopt this and also implement their own laws that govern their own jurisdiction.
So I’m going to be talking from the jurisdictions that I’m in, like there is currently not one rectified document that is an act that governs artificial intelligence. We have ethics, we have policies, but there’s no act that really governs artificial intelligence.
But I think it’s something that is being worked on in the moment. Another thing is the procedures of making laws. So it’s not something that just happens.
It has to go through different phases before it becomes like passed and becomes a law. So yeah, I think that is another thing. The law is, from my perspective, I feel like the law is still backward.
It’s still trying to catch up with a lot of things that is happening and more innovations would still keep on happening.
But there’s something that I, I always say it is not that the lawmakers have to keep on making laws every time new technology comes, but how vast can it be that it is left for the judiciary to be able to interpret these laws to apply to the given situations, be able to cater for the given situations at hand? So that is another thing.
But another thing is that some judges are not able to appreciate the law very very and to, to do justice to what is really happening because like some of them are aged in trying to get used to this technologies.
One hand, should there be judges that been specifically trained to tackle technological, technological problems or could it be general judges that have to sit down there and just apply legal principles to the given law? Should there be a specific technological court? I think that is subject to.
But I think this is, this is really what I think because there’s no way that we can just keep on bringing up new laws. The issue is going to be enforceability.
So can we draft laws that can be wide to cater for situations and leave it to the judges to interpret to the judiciary to interpret these laws in the best way possible to do justice to whatever situation or difficulty that arises in court? Yeah. And then also lead as precedents for other situations that can come up too? Yes. Like I said, this is also subject to.
Joseph: Yeah, yeah. I’ve, I mean years ago I worked, I was one of the technical reviewers on the EU GDPR, which was very interesting experience for me.
And I always go back, I think it was a very good kind of, you know, regulation and focus and a good starting point.
I always go back and think about things that if I was to do it again and be part of that process, what I would do differently because a lot of the interpretation was around things about the interpretation of personal information and personal identifiable information. I think that was an area that we could have had a lot more clear transparency and context around. Definitely improvements.
I do like the evolution that then happened with the EU AI act because it took much more rather than a technology based approach, it took an impact based approach and I like that much more because it was. Doesn’t matter how much the technology advances and how it changes, but how it has an impact to society from a criticality perspective.
So that was a much more.
Definitely a, A more kind of broader term to your point is that it’s able to catch a lot of different scenarios by having that type of definition into the risk of life and the impact of society and taking it from a risk based approach rather than looking, it’s almost looking at the technology and trying to regulate the technology.
But that’s not what we’re doing or what we’re trying to do in is really look at the technology and think about how harmful can it be to society if we don’t put the right rules in place to make sure.
That’s my, my concern about AI in general at the moment is that there is no rules and without the rules then if it’s abused very quickly then sometimes it’s hard to go back, it’s hard to retrofix things later and that’s always a challenge. What, what’s some of the, you know, areas do you think around?
When we look at the crossover, the future outlook of the legal side and the law side, where do you see this direction you’re seeing? One thing is potentially is AI helping a lot more with actually people going and having AI cyber law bots be able to help interact and educate them.
Do you see that as something that is a good thing or a bad thing? Or what’s your view around having a lot more automation? Or are people getting more personalized legal counsel, especially around AI?
Pamela Victor Ibitamuno: Okay, so I think it’s. There are pros and cons.
What I’m thinking is that it could be of an advantage if we’re able to use AI to like track criminals and able to automate legal processes. Certain things that the AI may not be programmed to do. Example, giving specific legal advices.
There are things that can be automated, like documentation processes, coming up with maybe going through scrutinizes and scrutinizes very bulky documents. All those things can be automated. But like really giving personalized advices, doing personalized legal advices.
Because you as a lawyer, you understand the situation based on your appearance and like you understand emotions, you understand how this.
Joseph: Empathy, Empathy and.
Pamela Victor Ibitamuno: Yeah, you understand empathy and ethics and you know how something can impact on an individual negatively or positively, you can see it. So I think like when it comes to that, those processes cannot be automated. I think there was recently an argument about the AI becoming.
Being able to represent clients. Yeah, and being able to go to court and defend like clients. And it was said that the AI cannot.
One does not have a legal personality, it’s not a legal person. Companies building the AI set to like be legal persons. But the AI is not a legal person and cannot go to court.
The AI has been qualified, did not write bar exams. Like it cannot go to court to like represent people in court.
But when it comes to like automating processes, it could really be of a great advantage to lawyers and help us even in our practice of law. Really certain things that the AI cannot do, like really giving personalized legal advices based on the situations.
Because every case, their situations can be similar. They can be very similar, but they are not still the same.
Joseph: I completely agree.
I think I’ve been seeing, and also for me it comes down to the context and accuracy of data, is that, you know, the machine learning and the data that a lot of these systems.
One of the things that when I was part of the EU AI act, we did this workshop and working group which is around the acceptable use of law enforcement using AI based systems. And when you get into that situation, even the same in law, is that you always had to be right every single time.
The moment that system is ever wrong, it puts into question all of the previous cases or all the previous advice. That system has ever given. And that’s one of the challenges.
I remember the case in the, in the US where one of the legal counsels used AI to create cases and information to advise and end up creating hallucinations, referencing cases that didn’t even exist.
I remember the case you’re referring to recently where somebody was actually using a deepfake as a legal counsel and reading off basically AI transcriptions. It gets into is, you’re absolutely right, is that there is, it has to be accountable.
There has to be people that’s accountable for the impacts and results of the decisions from a legal system. So it can’t be done by a, you know, a non real person who is not accountable. So I think that’s what’s important. And you’re absolutely right.
I think that yes, a lot of the systems can be quickened through automated processes. You know, the documentation, the filing, the notes, a lot of those can be accelerated. Absolutely. But what it gets into is just to kind of.
For example, I did a lot of incident response last year and when my interactions in the second half of last year, a lot of the interactions with the criminals was basically used to be used to chat directly with them in negotiations and basically ransom demands. You’re you know, talking about recovery side of things. And the second half you’re now started talking to AI chatbots, not the criminals directly.
So you’ve now got this intermediary who you’re talking to. And those chat bots, they don’t care and they don’t care about who’s the victim. They don’t care about how much data, what the type of data is.
There was no empathy, they just had the number and it was very, very difficult. There’s then no negotiations. It’s basically just an answer and question.
So this is really, I think in the legal system is that, yeah, accountability, inability, empathy needs to be part of the entire process because at the end of the day it’s, it’s, you know, it’s humans we’re talking about it. It’s not, you know, it’s, it’s, it has a big impact and it’s hard to reverse.
These things are if even more problematic to change later once the decision’s already been made. So a question for yourself is, you know, how do you stay up to date? What’s the resources you use? How do you get your knowledge?
You mentioned you participate in some of the United Nations working groups. What’s the things you do to stay up to date?
Pamela Victor Ibitamuno: Okay, not working groups like this recent United Nations put up the OCTOPUS conference that was held like some couple of weeks ago and it was a gathering of different experts like the governments, non-governmental organizations, private sector and people that are actively working in the industry.
Like bringing their, their knowledge from different jurisdictions and how each jurisdiction has been able to tackle some things and what other jurisdictions can learn from that jurisdiction.
And talking about AI and cybercrime and like different issues when it comes to gender, different issues in different jurisdictions, sharing their perspective and how other jurisdictions can learn from them.
And then like the IGF was just basically about Internet governance, different jurisdictions too, but it was a bit different abroad because it wasn’t just talking about cyber law or cyber crime, talking about data governance, like from different sectors and how different industries have faced some challenges and what other industries can also learn from them. One way I, I actually stay updated is like online like trying to read articles. And then I think another thing I did was to set my, my Gmail.
So like I subscribe for some articles and then it just pops up on my Gmail.
Like whenever a country maybe does anything really related to a new cyber criminal law, I get updates on my Gmail or maybe the country is signing into like the Malabo Convention for in other necessary laws. Like it just pops up and I go through, just read it and I.
Joseph: Guess almost like an RSS feed, go back to old school methods to stay up to date in the modern, modern world, which works great. I do the same. I’ve got lots of RSS feeds that comes in so it allows me to kind of tailor my news and kind of social inputs as well.
So it’s been fantastic having you on the show and it’s really insightful and really great hearing some of your thoughts and ideas around some of the major challenges. It is a very complex area, cyber law and when you combine it with cybersecurity, that is a massive challenge.
And it’s great to have people like yourself really tackling it and looking at it and trying to be creative and innovate. And one is, you know, make, make sure that we make the world a safer place.
What’s the best way for the audience if they, if they do want to connect with you or have questions later? What’s the best way that they can reach out to you?
Pamela Victor Ibitamuno: Okay, I’m on LinkedIn and I’m on Twitter and Instagram. For like Twitter and Instagram it’s legalpamela and then LinkedIn it’s Pamela Victor.
Joseph: Fantastic.
I’ll make sure that in the show notes that we’ll I’ll put the links in so it’s easier for the audience to find you so that we’ll add those links in the show notes. It’s been fantastic having you on.
Many thanks and hopefully we’ll get to meet at a conference or somewhere in the future and have a more in depth chat. So thank you for being on the show and it’s been a pleasure. So for the audience, this is Pamela bringing you all the updates and latest on cyber law.
So for everyone, this is the Security by Default podcast. Tune in every two weeks for the latest episodes, latest news and guests.
And hopefully at the end, making you more knowledgeable, making you be able to take this information back and apply it to your day job. And also, you know, hopefully stay safe and make the world a safer place. Thank you. Take care and stay safe.
