The European Union is looking to update and standardize its anti-hacking legislation. Under a draft law backed by the EU Civil Liberties Committee on Tuesday, hacking IT systems, as well as the possession or distribution of hacking tools, would be a criminal offence throughout the EU, one punishable by 2-5 years in prison.
This latter restriction would be the equivalent of the UK’s “going equipped” statute, whereby suspects are in violation of the law merely by possessing implements necessary to commit an offence. By criminalizing the possession of hacking tools, the proposed law could also hinder the efforts of white and grey hats working on the legal side of the infosec industry. Cyber security expert Mikko Hyppönen, Chief Research Officer at F-Secure in Helsinki, tweeted his disapproval of the draft legislation:
Meanwhile, Senator Leia Organa of the EU member state Alderaan’s Pirate Party, issued this statement about the proposal:
(Kidding.)
Also under the proposal, companies would be liable for cyber attacks committed for their benefit, regardless of whether those attacks were committed deliberately or through a lack of supervision. “We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year,” said rapporteur Monika Hohlmeier, of Germany. “No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world,” she added.
With all due respect to Madame Rapporteur, the seatbelt analogy doesn’t exactly fit the legislation. I think the proposal she was meaning to support with that analogy is the one that would hold corporations criminally liable for having with inadequate security systems that allowed a security breach which compromises individuals’ personal data. Oh, but that proposal doesn’t exist. It should, though. It would really fit the analogy, and it would be a surefire way to beef up corporate cyber security. But I digress; on with the legislation:
The maximum penalty to be imposed by EU states for violation of the law would be at least two years’ imprisonment, and at least five years where there are aggravating circumstances. “Aggravating circumstances” could include the use of a tool specifically designed to for large-scale (e.g. “botnet”) attacks, or attacks cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data. IP spoofing, the practice of covering one’s tracks by stealing someone else’s electronic identity, would also be an aggravating circumstance, as would attacks committed by a criminal organization or targeting critical infrastructure.
In liability cases, MEPs say member states should set a maximum penalty of at least three years.
The proposal to update existing EU cyber attack legislation was approved with by 50 votes in favor, 1 against, and 3 abstentions. Rapporteur Hohlmeier aims for a political agreement between the Parliament and Council on the proposed legislation by this summer.