The European Commission (EC) is to create a new directive on attacks on information systems following a rise in attacks across the continent.
It claimed that the problem to be addressed is that in recent years, the number of attacks against IT systems or 'the illegal entering of or tampering with information systems' has risen steadily in Europe and new concerns, such as the massive spread of malicious software creating botnets, have emerged.
It has also claimed that its 2005 framework decision, which attempted to coordinate laws across Europe on hacking, viruses and denial-of-service attacks, needs to be updated and replaced with a directive.
According to out-law.com, a statement said: “[The framework decision] currently in force was a first step towards addressing the issue of attacks against IT systems. Technological advances and new methods employed by perpetrators call for an improvement of EU rules.
“In addition, the entry into force of the Lisbon Treaty on 1st December 2009 provides considerable advantages for new legislation to be adopted in the field of Justice and Home Affairs from now on. Legislation will no longer need to be approved unanimously by the EU Council of Ministers (which represents national governments). Instead, it will be adopted by a majority of Member States at the Council together with the European Parliament. A single country will not be able to block a proposal.”
The proposed directive will retain its current provisions, including the penalisation of illegal access, illegal system interference and illegal data interference. It will include the following new elements: penalisation of the use of tools (such as malicious software – e.g. botnets – or unrightfully obtained computer passwords) for committing the offences; introduction of 'illegal interception' of information systems as a criminal offence; improvement of European criminal justice/police cooperation by strengthening the existing structure of 24/7 contact points, including an obligation to respond to urgent requests within eight hours; and the obligation to collect basic statistical data on cyber crimes.
It also said that the proposed directive raises the level of criminal penalties to a maximum term of imprisonment of at least two years, while instigation, aiding, abetting and attempt of those offences will become penalised as well.
Also, once adopted, the directive will raise the level of criminal penalties for offences committed under aggravating circumstances to a maximum term of imprisonment of at least five years, up from the previous two years.