Proposed EU Law Wants To Make Possession of Hacking Tools A Crime

How will White Hats carry out penetration testing?


The European Union is looking to update and standardize its anti-hacking legislation. Under a draft law backed by the EU Civil Liberties Committee on Tuesday, hacking IT systems, as well as the possession or distribution of hacking tools, would be a criminal offence throughout the EU, one punishable by 2-5 years in prison.

This latter restriction would be the equivalent of the UK’s “going equipped” statute, whereby suspects are in violation of the law merely by possessing implements necessary to commit an offence. By criminalizing the possession of hacking tools, the proposed law could also hinder the efforts of white and grey hats working on the legal side of the infosec industry. Cyber security expert Mikko Hyppönen, Chief Research Officer at F-Secure in Helsinki, tweeted his disapproval of the draft legislation:

Did I understand this correctly? EU wants to improve computer security…by making penetration testing illegal? What? http://t.co/yLWKlN52

Meanwhile, Senator Leia Organa of the EU member state Alderaan’s Pirate Party issued this statement about the proposal:

(Kidding.)

Also under the proposal, companies would be liable for cyber attacks committed for their benefit, regardless of whether those attacks were committed deliberately or through a lack of supervision. “We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year,” said rapporteur Monika Hohlmeier, of Germany. “No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world,” she added.

With all due respect to Madame Rapporteur, the seatbelt analogy doesn’t exactly fit the legislation. I think the proposal she meant to support with that analogy is the one that would hold corporations criminally liable for having inadequate security systems that allowed a security breach which compromises individuals’ personal data. Oh, but that proposal doesn’t exist. It should, though. It would really fit the analogy, and it would be a surefire way to beef up corporate cyber security. But I digress; on with the legislation:

The maximum penalty to be imposed by EU states for violation of the law would be at least two years’ imprisonment, and at least five years where there are aggravating circumstances. “Aggravating circumstances” could include the use of a tool specifically designed for large-scale (e.g. “botnet”) attacks, or attacks that cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data. IP spoofing, the practice of covering one’s tracks by stealing someone else’s electronic identity, would also be an aggravating circumstance, as would attacks committed by a criminal organization or targeting critical infrastructure.

In liability cases, MEPs say member states should set a maximum penalty of at least three years.

The proposal to update existing EU cyber attack legislation was approved by 50 votes in favor, 1 against, and 3 abstentions. Rapporteur Hohlmeier aims for a political agreement between the Parliament and Council on the proposed legislation by this summer.

  • Ralph Pickering

    Ridiculous. This could see IT staff using tools like password recovery tools for Word documents criminalised, and without stretching the imagination too far, could include people like myself who back up their DVDs to a home theatre system (bypassing the copy protection in the process). While there may be a problem with increasing IT crime, there are existing laws that cover such crimes. As with equipment used to commit burglary, there are legitimate reasons to own such tools, and all this will achieve is to criminalise a large number of law-abiding people (or otherwise make their jobs more difficult), whilst having not the slightest impact on actual cybercriminals who often work from outside the EU. I suspect that serious criminals operating from within the EU will be utterly unaffected by this legislation, although it may catch a few script-kiddies – the low-hanging fruit of the cyber-crime world.
