EU to vote on harsher penalties for hackers


The EU has drafted a new directive that includes harsher penalties for those convicted of hacking.

The European Parliament last week approved a draft of the proposal and will vote on it in July.

Those found guilty of the following types of illegal hacking will face at least two years in prison, if they do so with criminal intent and cause serious harm, if they breach a security measure while doing so, and if they neglect to tell a system operator all about the vulnerability in a timely manner:

  • Illegal, intentional access to an information system.
  • Illegally interfering with data.
  • Illegally intercepting communications. This includes recording communications and covers the time spanning data transfer from the sender to the receiver, by cable or wireless, and the devices and technologies that record, including software, passwords and codes.
  • Intentionally producing and selling tools used to commit these offenses.

The proposal calls for a minimum of five years imprisonment for attacks against critical infrastructure and also applies if an attack is carried out by a criminal organisation or if it causes serious damage.

Botnet creators and herders will face at least three years in prison under the new directive.

The directive, approved by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, also stipulates that EU member states respond within 8 hours, maximum, 24 hours a day, 7 days a week, to urgent security requests from other member states experiencing cyber attacks, to at least let somebody know how and when they plan to answer the request for help.

The directive also calls for penalties for actions such as hiring hackers to disrupt the competition, in which case companies could lose their public benefits or even get shut down.

The directive is clear about distinguishing attacks that lack criminal intent, which would cover testing or protection of information systems and thereby shield whistleblowers.

That's reassuring. Pen testing and whistleblowing are essential activities that deserve legal protection.


Image of EU and gavel and Euro attack courtesy of Shutterstock.


6 Responses to EU to vote on harsher penalties for hackers

  1. gmd · 507 days ago

    The penalties are not proportional to the damage caused or potential financial gain :-( The emphasis of the law is to shut down protesters, not cyber criminals :-(

  2. PSV Davey · 507 days ago

    Actually I'm not the least bit in favour of the EU instructing its member states what sentences to implement. They are supposed to be sovereign states! But that's a political, not a technical point.

    As to the technicalities - well, the law is bound to be badly implemented. Remember Sony trying to prosecute people under DMCA for "avoiding a security measure" by holding down the shift key to prevent Sony's (itself illegal) root kit from being installed from CDs?

    And how about "Intentionally producing and selling tools used to commit these offences."? Any stock Linux distribution could be used to commit those offences, and to my knowledge they've been intentionally produced by many people for years.

    It's bound to end in tears.

  3. Sam · 507 days ago

    These should be minimum penalties. They should specify maximums of three or four times as much depending on the damage.

    'Intentionally producing and selling tools ...' should be 'Intentionally producing, selling or distributing tools ...'

    These rules do nothing to strengthen the penalties for sending spam, providing malware links, the malware itself, or any other kind of seduction that could lead to abuse of the user's device, theft of information, etc.

    Good start but not nearly enough. But first they have to catch the crooks!

  4. MikeP_UK · 507 days ago

    I know of at least one UK-based software 'business' that would fall foul of this directive - and so it would be interesting to see how things develop.

  5. Del · 507 days ago

    Yes, cannot target US nationals but can anyone elsewhere

  6. herzco · 507 days ago

    "if they do so with criminal intent and cause serious harm"

    Won't this mean that most small-time hackers will use this phrase as a get-out-of-jail-free card? Not easy to determine intent. I am concerned that they will use this to their advantage and remain perpetually unpunished.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.