A minimum two years in jail for hacking, or five for using a tool?
Last week there came new announcements from the European Commission (EC) on dealing with cyber attacks.
Proposed law from the EC would make possessing or distributing hacking software and tools an offence, while cyber attacks on IT systems would become a criminal offence, punishable by at least two years in prison.
Once announced, it was approved by 50 votes in favour, one against and three abstentions; under the proposal, illegal access, interference or interception of data would be treated as a criminal offence.
In terms of punishment, the maximum penalty to be imposed by a member state for such offences would be at least two years' imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed for large-scale (such as botnet) attacks, or for attacks that cause considerable damage (by disrupting system service), financial costs or loss of financial data.
Using another person's electronic identity, for example by spoofing their IP address to commit an attack and cause prejudice to the rightful identity owner, would also be an aggravating circumstance. MEPs say that member states must set a maximum penalty for this of at least three years in jail.
A company that sponsors a hacker for offences committed for their benefit, whether deliberately or through a lack of supervision, would also face penalties such as exclusion from entitlement to public benefits or a judicial winding-up order.
Finally, the proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber attacks, or which find a computer password by which an information system can be accessed, would constitute a criminal offence.
Rik Ferguson, director of security research and communication at Trend Micro, said: “In typical EU style, the document is convoluted; 33 proposals, 13 of them new and the rest amendments, but all in all it is a rational, well-thought-out document.
“It calls for harmonisation of penalties for cyber crime throughout the union and for the harmonisation of the definition of what exactly constitutes a crime. It introduces Europol as a central intelligence hub for national law enforcement agencies and promotes the sharing of best practices.
“It also recognises the importance of critical national infrastructure and places legal obligations on nations of ‘adequate standards’ of protection of information systems. It also states that the more risk inherent in the compromise of a system, the higher should be the budget spent on protecting it. The document also introduces the very democratic concept that if access to a system is illegally withheld, then entering that system without authorisation will not constitute a crime.”
In regard to custodial sentences, Ferguson said that a jail term should not be directly proportionate to the ‘means’ of committing a crime, but rather the outcome of the criminal actions, and these proposals fall somewhere in between.
“As for the proposals related to hacking tools, the legislation actually does a very good job of amending and clarifying the terms of the earlier document in this regard. This new proposal enshrines the concept of ‘intent’ at the heart of any clauses relating to hacking tools and recognises very clearly the dual-purpose nature of many of these tools,” he said.
“For example, the simple ‘possession’ of these tools is no longer in the scope of the document (amendment 22) despite what the press release from the European Parliament says; and the terms ‘purpose’ and ‘intent’ have been amended to read ‘clear purpose’ and ‘clear intent’. It is certainly possible to legislate for the misuse of any tool with criminal intent, and whether that tool is physical or digital shouldn't make any difference. The key to legislation which will not impact the lawful work of security researchers and organisations though is that question of intent, which I feel is adequately covered in this draft.”
Andrew Miller, chief operating officer at Corero Network Security, said the proposed legislation was a positive step in the international effort to rein in cyber criminals.
He agreed that standardising what constitutes a data breach or hack and harmonising the penalties will put cyber attackers on notice. “Hackers no longer will be able to count on poor international co-operation to escape accountability,” he said.
“However, a point of concern is the provision against the creation and distribution of hacking tools. In an effort to combat cyber attacks, security researchers and ethical hackers are continuously seeking these tools to demonstrate weaknesses within an organisation's network and as a way to reverse-engineer solutions to combat hacks. The spotlight should be on the crimes committed with the hacking tools rather than the tools themselves.”
In a similar announcement, the EC proposed simpler and more effective rules to close the loopholes that criminals exploit. It claimed that strengthening existing laws on seizing assets gained from serious or organised crime would be an effective way of fighting crime and would act as a deterrent.