The European Parliament today passed, by 50 votes to 1 (with 3 abstentions), a draft proposal to update existing legislation relating to the definition and prosecution of cyber crimes within the European Union. In the words of the European Parliament:
“Cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee on Tuesday. Possessing or distributing hacking software and tools would also be an offence, and companies would be liable for cyber attacks committed for their benefit.”
While at first glance this single-paragraph summary of the proposed additions and amendments may appear alarming in some respects, the legislation itself (2010/0273 (COD)) seems much more reasonable.
In typical EU style, the document is convoluted (33 proposals, 13 of them new and the rest amendments), but all in all it is a rational, well-thought-out document. It calls for harmonisation of penalties for cybercrime throughout the Union and for harmonisation of the definition of what exactly constitutes a crime. It introduces Europol as a central intelligence hub for national law enforcement agencies and promotes the sharing of best practices. It also recognises the importance of critical national infrastructure and places legal obligations on member states to maintain “adequate standards” of protection for information systems. It also states that the more risk inherent in the compromise of a system, the higher the budget spent on protecting it should be. The document also introduces the very democratic concept that if access to a system is illegally withheld, then entering that system without authorisation will not constitute a crime.
In relation to the harmonisation of prison terms, the proposal is a minimum sentence of two years for cyber crimes, unless aggravating factors are present, such as the use of a tool “designed to affect significant numbers” (read “botnet”), crimes committed as part of an organised criminal operation, or attacks against critical infrastructure, in which case the proposed jail term is five years. It is my personal view that a jail term should not be directly proportionate to the *means* of committing a crime, but rather to the outcome of the criminal actions; these proposals fall somewhere in between. Having said that, though, it seems that no length of jail term is sufficient to deter the ambitious and determined cybercriminal, as evidenced by the long terms faced by some of those recently arrested in the US.
As for the proposals related to hacking tools, the legislation actually does a very good job of amending and clarifying the terms of the earlier document in this regard. This new proposal enshrines the concept of “intent” at the heart of any clauses relating to hacking tools and recognises very clearly the dual-purpose nature of many of these tools. For example, the simple “possession” of these tools is no longer in the scope of the document (amendment 22), despite what the press release from the European Parliament says, and the terms “purpose” and “intent” have been amended to read “clear purpose” and “clear intent”. It is certainly possible to legislate for the misuse of any tool with criminal intent, and whether that tool is physical or digital shouldn’t make any difference. The key to legislation which will not impact the lawful work of security researchers and organisations, though, is that question of intent, which I feel is adequately covered in this draft.
One amendment that did stand out for me was the change of the term “instigation” to the term “incitement” in relation to an offence. While I can clearly appreciate the need for such a change, especially in the light of activities undertaken by AntiSec, Anonymous et al., to characterise this amendment as simply a “linguistic” one is disingenuous at the very least.
The Rapporteur aims for a political agreement between Parliament and Council on this Directive by the summer.