Upon returning to the office after a couple of days off, I found my inbox bulging at the seams with perspectives on the change in the punishment for cyber crimes across Europe.
According to the BBC report, European politicians agreed a draft directive outlining minimum jail terms for some crimes. These include: three years in jail for those found guilty of running a botnet; five years for those who do serious damage to systems; and five years to be served by those who attack computers controlling a nation's critical infrastructure.
Following the sentencing of three UK-based members of the LulzSec hacking group in May of this year, I guess that there needs to be some policy on how long should be served for hacking and so-called ‘cyber’ crimes.
The European Commission's directive stated that the emergence of attacks against information systems or the illegal entering of or tampering with information systems has risen steadily in Europe.
The changes to the directive, which was originally created in 2005, set out the penalisation of illegal access, illegal system interference and illegal data interference, seek to specify what malware and botnets are, and call for better intelligence sharing, with nations obliged to collect basic statistical data on cyber crimes.
Cecilia Malmström, EU Commissioner for Home Affairs, said: “The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions. Member states will also have to quickly respond to urgent requests for help in the case of cyber attacks, hence improving European justice and police cooperation.
“Together with the launch of the European Cybercrime Centre and the adoption of the EU cyber security strategy, the new directive will strengthen our overall response to cyber crime and contribute to improve cyber security for all our citizens.”
The worst thing for the EC now would be divided laws among its 29 members; it would be better instead to have one set of rules on how to react to and penalise those found guilty of internet crimes. Perhaps the next stage would be to determine what the word cyber actually means?
Etay Maor, fraud prevention manager at Trusteer, said that the concern is that in many cases, the people running the botnets and hijacked computers do not reside at the place where the crime takes place and those caught are money mules in most cases, and not the bot masters or ring leaders.
“Until the day that we see tight cooperation between national law enforcement and criminals brought to justice, it is up to organisations and users to prevent fraud,” he said.
John Yeo, EMEA director of SpiderLabs at Trustwave, called the move "another example of adding to the ever growing patchwork of cyber risk laws", and was especially critical of the descriptions of terms.
Amichai Shulman, co-founder and CTO of Imperva, said: “I think that standardising penal law with respect to cyber crime is an important cornerstone in the true battle against criminal attacks.
“I don't think that setting up minimal jail time is by itself going to be a deterrent or going to affect whether perpetrators are actually getting caught. However, explicitly referring to botnet operators as criminals does make prosecution easier and hence is a deterrent (to the point where we believe that criminal prosecution is a deterrent for any criminal activity). It also encourages law enforcement agencies to actually catch perpetrators as they have higher confidence that prosecution will lead to conviction.”
To echo what Maor said, the problem here is that cyber crime is a global problem, and while European cohesion will aid in the fight, a total collaborative effort seems unlikely.