Πέμπτη 18 Ιουλίου 2013

Attacks against information systems. The new Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA


Ioannis Iglezakis
Assistant Professor, Faculty of Law, Aristotle University


Attacks on information systems are everyday reality for big online companies, such as Facebook, Apple and Twitter etc., but also for SME’s, and individuals. Cyber-attacks are also targeted against governmental information and national infrastructure. Particularly, denial-of-service attacks through the use of botnets have become a threat for critical infrastructure or for particular functions in the public or private sector. New methods of cybercrime have evolved that employ large-scale attacks, which have a major impact on the functioning of information systems.

On EU level, attacks against information systems were regulated by the Framework Decision 2005/222/JHA. The Framework Decision aimed at the approximation of criminal law systems and the enhancement of cooperation between judicial authorities concerning:
  • illegal access to information systems;
  • illegal system interference;
  • illegal data interference.

It also provided for the criminalization of instigating, aiding, abetting and attempting to commit any of the above offences; it laid down criteria for determing the liability of legal persons and the sanctions that may apply; further, it provided provisions for jurisdiction and exchange of information between Member States. However, the legal approximation on the basis of this Decision was not satisfactory. In a Commision’s Report to the Council (COM(2008) 448 final), it was found that the transposition of the decision was not yet complete. Further than that, in light of the evolution of cybercrime, the Commission considered taking new measures to combat the use of botnets for criminal purposes, to strengthen criminal liability, and to promote the use of contact points between Member States.

Subsequently, the EU Commission submitted a Proposal for a Directive on attacks against information systems in 30.9.2010. The proposal takes into account the new methods of committing cybercrimes, especially the use of botnets. In more particular, it penalizes the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offences. It includes aggravating circumstances, e.g. the large-scale aspect of the attacks and concealing the real identity of the perpetrator. It introduces ‘illegal interception’ as a criminal offence. Further, it introduces measures to improve European criminal justice cooperation by strengthening the existing structure of 24/7 contact points; finally, it ensures that an adequate system is in place for the recording, production and provision of statistical data on cybercrime in Member States.

The Directive was adopted by the European Parliament on July, 4, in first reading. With the adoption of this Directive, the EU has taken one step further in the fight against cybercrime (see: New minimum rules step up the fight against cybercrime).

Philip James, Partner and Joint Head of Technology at Pitmans, said: “[T]hose organisations that have average to good awareness of cyber threats, technologies and methodologies will most likely benefit from cyber information sharing across all forms of the potential victim food chain. However, those organisations which are the most sophisticated have, arguably, perhaps the least to gain by relaying information. However, to combat the threat, it is essential that all organisations share cyber data to enable national, international, vertical and horizontal, co-operation to challenge and overcome cyber risk. There will also need to be meaningful metrics devised to measure whether companies are in fact sharing useful information and, indeed, what the benefits are to recipients of such information and, in particular, how (if at all) those companies at the more advanced end of the food chain are benefitting from sharing.”

“Cyber-attacks pose a threat to the protection of personal data”, Nigel Parker, Senior Associate at Allen & Overy, told DataGuidance. “[I]t can be expected that the Directive will be welcomed by both law enforcement and data protection authorities, as it should serve hopefully to dissuade attacks, as well as to ensure that cyber-criminals, including those whose attacks target personal data, will face the threat of prosecution, imprisonment and financial penalties. […] Financial institutions are, and have long been, a prime target for cyber-attacks [and they] can sometimes be frustrated by the failure of law enforcement to take effective steps to respond to attacks. The introduction of stronger penalties and requirements for improved cooperation will be welcomed by financial institutions.” See: (EU: Proposed Directive to harmonise penalties for cyber attacks)


President of the Council (Justice and Home Affairs), Minister of Justice Morten Bødskov, says:
"Attacks against information systems pose a growing challenge to our so-cieties. Such attacks can cause serious damage both in the Member States and the Union and the methods used to commit these offences are increasingly sophisticated. I am therefore very pleased that the European Parliament, the Council and the Commission have agreed on new minimum rules concerning the definition of criminal offences and the sanctions in the area of cybercrime. In my opinion the new rules step up the fight against cyber-crime significantly and I am grateful for the extensive work and excellent cooperation shown from all parties involved."

Member of the Parliament and Rapporteur, Monika Hohlmeier (EPP), Committee on Civil Liberties, Justice and Home Affairs (LIBE), says:
"The outstandingly constructive and close dialogue that we have had with the Danish Presidency on this Directive has proved to be the bedrock for a broad compromise between Council, Parliament and Commission. While we started the negotiations on sanctions against cybercrime with very different positions, the Danish Presidency has skillfully managed to address the concerns of all sides and broker a balanced agreement. I particularly applaud their openness and understanding for Parliament's request for necessary flanking measures which will allow us to fight cybercrime more effectively in the future. This compromise is an example for an excellent interinstitutional debate and cooperation and will help to step up the fight against serious and harmful cybercrime in the EU and eventually lead to an improved cyber security for all our citizens."


It should be noted that since Greek law did not ratify the Cybercrime Convention nor introduced any provisions transposing the Framework Decision 2005/222/JHA, it is necessary to transpose the provisions of the Directive to the full extent.

Finally, it is anticipated that the Directive on attacks against information systems will contribute essentially to harmonization of criminal law provisions in the Member States as far as attacks against information systems are concerned. It sets minimum requirements, but it contains elaborated provisions, which take into account the existing technological reality and the need to provide for appropriate sanctions.