The EU has drafted a new directive that includes harsher penalties for those convicted of hacking.
The European Parliament last week approved a draft of the proposal and will vote on it in July.
Those found guilty of the following types of illegal hacking will face at least two years in prison, provided that they act with criminal intent and cause serious harm, breach a security measure in the process, and fail to tell a system operator all about the vulnerability in a timely manner:
- Illegal, intentional access to an information system.
- Illegally interfering with data.
- Illegally intercepting communications. This includes recording communications and covers the time spanning data transfer from the sender to the receiver, by cable or wireless, and the devices and technologies that record, including software, passwords and codes.
- Intentionally producing and selling tools used to commit these offenses.
The proposal calls for a minimum of five years imprisonment for attacks against critical infrastructure and also applies if an attack is carried out by a criminal organisation or if it causes serious damage.
Botnet creators and herders will face at least three years in prison under the new directive.
The directive, approved by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, also stipulates that EU member states must respond to urgent security requests from other member states experiencing cyber attacks within a maximum of 8 hours, 24 hours a day, 7 days a week, at least to let the requesting state know how and when they plan to answer the request for help.
The directive also calls for penalties for actions such as hiring hackers to disrupt the competition, in which case companies could lose their public benefits or even get shut down.
The directive is clear about distinguishing attacks that lack criminal intent, which would cover testing or protection of information systems and thereby shield whistleblowers.
That’s reassuring. Pen testing and whistleblowing are essential activities that deserve legal protection.
The penalties are not proportional to the damage caused or potential financial gain :-( The emphasis of the law is to shut down protesters, not cyber criminals :-(
Actually I'm not the least bit in favour of the EU instructing its member states what sentences to implement. They are supposed to be sovereign states! But that's a political, not a technical point.
As to the technicalities – well, the law is bound to be badly implemented. Remember Sony trying to prosecute people under DMCA for "avoiding a security measure" by holding down the shift key to prevent Sony's (itself illegal) root kit from being installed from CDs?
And how about "Intentionally producing and selling tools used to commit these offences."? Any stock Linux distribution could be used to commit those offences, and to my knowledge they've been intentionally produced by many people for years.
It's bound to end in tears.
These should be minimum penalties. They should specify maximums of three or four times as much depending on the damage.
‘Intentionally producing and selling tools …’ should be ‘Intentionally producing, selling or distributing tools …’
These rules do nothing to strengthen the penalties for sending spam, providing malware links, the malware itself, or any other kind of seduction that could lead to abuse of the user’s device, theft of information, etc.
Good start but not nearly enough. But first they have to catch the crooks!
I know of at least one UK-based software 'business' that would fall foul of this directive – and so it would be interesting to see how things develop.
Yes, it cannot target US nationals, but it can target anyone elsewhere.
"if they do so with criminal intent and cause serious harm"
Won't this mean that most small-time hackers will use this phrase as a get-out-of-jail-free card? Not easy to determine intent. I am concerned that they will use this to their advantage and remain perpetually unpunished.