The EU has drafted a new directive that includes harsher penalties for those convicted of hacking.
The European Parliament last week approved a draft of the proposal and will vote on it in July.
Those found guilty of the following types of illegal hacking will face at least two years in prison, if they do so with criminal intent and cause serious harm, if they breach a security measure while doing so, and if they neglect to tell a system operator all about the vulnerability in a timely manner:
- Illegal, intentional access to an information system.
- Illegally interfering with data.
- Illegally intercepting communications. This includes recording communications and covers the time spanning data transfer from the sender to the receiver, by cable or wireless, and the devices and technologies that record, including software, passwords and codes.
- Intentionally producing and selling tools used to commit these offenses.
The proposal calls for a minimum of five years imprisonment for attacks against critical infrastructure and also applies if an attack is carried out by a criminal organisation or if it causes serious damage.
Botnet creators and herders will face at least three years in prison under the new directive.
The directive, approved by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, also stipulates that EU member states respond within 8 hours, maximum, 24 hours a day, 7 days a week, to urgent security requests from other member states experiencing cyber attacks, to at least let somebody know how and when they plan to answer the request for help.
The directive also calls for penalties for actions such as hiring hackers to disrupt the competition, in which case companies could lose their public benefits or even get shut down.
The directive is clear about distinguishing attacks that lack criminal intent, which would cover testing or protection of information systems and thereby shield whistleblowers.
That's reassuring. Pen testing and whistleblowing are essential activities that deserve legal protection.