EU plans tougher penalties for hackers

Cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the European Parliament’s Civil Liberties Committee.

Possessing or distributing hacking software and tools would also be an offence and companies would be liable for cyber attacks committed for their benefit.

Last week’s proposal, which would update existing EU legislation on cyber attacks, was approved with by 50 votes in favour, one against and three abstentions.

“We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations,” said rapporteur Monika Hohlmeier (the MEP responsible for preparing the report). “The financial damage caused for companies, private users and the public amounts to several billions each year.”

The proposal would establish harmonised penal sanctions against perpetrators of cyber attacks against an information system – for instance a network, database or website. Illegal access, interference or interception of data should be treated as a criminal offence, MEPs say.

The maximum penalty to be imposed by Member States for these offences would be at least two years’ imprisonment and at least five years where there are aggravating circumstances, such as the use of a tool specifically designed for large-scale (eg, ‘botnet’) attacks or attacks causing considerable damage (eg, by disrupting system service), financial costs or loss of financial data.

Using another person’s electronic identity (by ‘spoofing’ their IP address, for example), to commit an attack and causing prejudice to the rightful identity owner would also be an aggravating circumstance, for which MEPs say Member States must set a maximum penalty of at least three years.

MEPs also propose tougher penalties if the attack is committed by a criminal organisation and/or if it targets critical infrastructure such as the IT systems of power plants or transport networks.

However, criminal sanctions would not apply to ‘minor cases’, ie, when the damage caused by the offence was insignificant.

The proposal also targets tools used to commit offences – the production or sale of devices such as computer programs designed for cyber-attacks or which find a computer password by which an information system can be accessed would constitute criminal offences.

The Rapporteur is hoping for a political agreement between Parliament and Council on the Directive by the summer.

Meanwhile, the European Commission is planning to establish a new European Cybercrime Centre at Europol in The Hague, which will become the focal point in the EU’s fight against cybercrime.

The centre, due to become operational by January 1, 2013, will pool expertise and information, support criminal investigations and promote EU-wide solutions, while raising awareness of cybercrime issues across the EU.

In addition to the analytical and operational support already provided by Europol, the European Cybercrime Centre will serve as the European information hub on cybercrime, developing cutting-edge digital forensic capabilities to support investigations in the EU and building capacity to combat cybercrime through training, awareness-raising and delivering best practice on cybercrime investigations.

In addition, the centre will build a community of experts from all sectors of society to combat and prevent cybercrime and online child sexual abuse.

Europol says the scale of cybercriminal activity is presenting a considerable challenge to law enforcement agencies and the total cost of cybercrime to society is significant. A recent report suggests that victims lose around 290 billion euro each year worldwide as a result of cybercrime, making it more profitable than the global trade in marijuana, cocaine and heroin combined.

Director of Europol, Rob Wainwright, said: “The establishment of the European Cybercrime Centre will be a landmark development in the EU’s