The European Union (EU) has been making moves towards protecting
people involved in the electronic sphere since 2001 with the Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment.
This initiative was considered to be successful in achieving its objectives and
was signed and ratified by non-Member States such as the USA, Canada and Japan,
which shows just how much importance was attached at the time to the level of
protection afforded against these issues. It meant that legislation was finally allocated
to a growing issue and countries were forced to come to terms with the problems
that ignorance might cause.
The Decision was soon followed by the ePrivacy Directive in 2002,
which placed an obligation on providers of electronic communications services to ensure
the security of their services and maintain the confidentiality of client
information; and the 2011 Directive on the Combating of Sexual Exploitation of
Children Online and Adult Pornography,
which better addressed developments in the online environment, such as
grooming. The newest Directive is the one which shall be the focus of this
essay – the 2013 Directive on Attacks against Information Systems
(hereafter the Directive); this Directive has the purpose of tackling
large-scale cyber attacks by requiring that Member States strengthen their
national cyber crime laws and introduce tougher criminal sanctions for
breaches. This essay will assess the merits and drawbacks that come with the
new Directive, the increase in the minimum penalties, as well as new malware
advancements such as DDoS (Distributed Denial of Service) attacks and botnets.
Directive to replace Framework Decision
The Directive was first proposed in
2010 with the idea of it replacing the EU Council Framework Decision 2005/222/JHA,
which criminalised a number of acts relating to attacks against information systems.
As already discussed, the fast-paced development of
information technology systems meant that the change from a decision to a
directive was essential. It is important to note here the differences between a
decision and a directive: A decision refers to an issued statement which is
binding only to those whom it is addressed and is directly applicable; a
directive, on the other hand, is a legislative act which sets out a goal that all
EU countries must achieve – how this is done is up to the individual countries.
The move from one to the other in this case was based on Article 83(1)(a)
of the Treaty on the Functioning of the European Union (TFEU) which states that
the European Parliament and Council may establish minimum rules concerning the
definition of criminal offences and sanctions in the areas of particularly
serious crime with a cross-border dimension when there is a need to combat them
on a common basis. The Directive retains numerous provisions of the Framework
Decision, as well as stating various offences relating to illegal access to
information systems and interference with these systems and their data.
However, the way in which the Directive builds upon the Framework Decision was greatly welcomed
and saw the introduction of the outlawing of ‘botnets’ and malicious software.
Botnets are networks of computers which are infected with malicious software and controlled
as a group without the owners’ knowledge, usually to send spam email messages,
spread viruses, attack computers and servers, and commit other kinds of crime
and fraud.
The Directive also mentions the illegality of the use of passwords obtained
through unsavoury means.
The move towards the notion of a directive to cover this issue was important to
create harmony between the Member States by binding them to implement
legislation in their own national legal order, which would increase cooperation
and the likelihood of criminals being caught and punished for their crimes.
This notion, as well as what exactly a directive entails, will be discussed
later in the essay.
Penalties and Sanctions
Prior to the Directive, it was
generally left to the discretion of the Member States to decide how to sanction
cyber crimes and any crime to do with the information technology sphere.
However, the Directive is working to tackle this and make it more uniform. As
well as the introduction of new offences, stricter penalties are introduced in
the Directive. Penalties are to include a minimum sentence of two years for any
attempt at a breach of an information system. Attacks by organised criminal
groups and those which cause significant damage or affect key infrastructure networks
[like power plants, government institutions or transportation networks] can
attract even tougher sanctions of a minimum of five years’ imprisonment. The use of
botnets also carries a minimum sentence of three years if their use results in
financial cost or loss of personal data.
We can also see penalties such as the exclusion from entitlement to public
benefits and aid; temporary or permanent disqualification from the practice of
commercial activities; placing under judicial supervision; judicial winding-up;
temporary or permanent closure of establishments which have been used for
committing the offence, as well as many others. The purpose of these penalties
is to make them effective, proportionate and dissuasive to those who
intentionally and illegally access information systems, launch illegal system
interference or launch illegal data interference. This means that those who
commit cyber crimes will not go unpunished and, with one common set of rules,
people will not be able to hide behind the national laws of their country,
which was previously easy to do because of the transnational character of
cybercrime [i.e. crimes that occur in one country, but have an effect on
another, or many others]. The Directive also introduces the possibility of
imposing penalties on companies which breach obligations of supervision or
control, thereby allowing a person under their authority to commit any offence listed
in the Directive.
EU Law
The Directive on attacks against information systems was addressed to all 28
Member States and so all will have to take measures in order to implement the
goals of the Directive within their national systems. The aim of applying a
directive in this manner is to increase the level of cooperation between the
Member States and bringing national laws into line with each other, thus
creating a united front in matters of conflict. At the moment, Denmark will not
be bound by the Directive as they have neither signed nor ratified it, but the
UK and Ireland, as well as the rest of the Member States, have decided to apply
it; Member States have to take all necessary action to comply with the
Directive by 4th September 2015.
Following publication of the
Directive in the Official Journal of the European Union, it enters into
force twenty days later.
Two years later, by 4th September 2017, a report will be submitted
to the European Parliament and the Council. It will assess what steps have been
taken by the Member States in order to comply with the Directive and what possible
further legislation needed to make it more effective. At this stage, the
Commission will also take into account further technical and legal developments
in the field of cybercrime within the scope of the Directive.
Similarities and Advancements
The Directive is similar to the
Framework Decision in many ways and therefore does not require Member States to
change a great deal of their existing legislation. The definition of cyber
crime has remained the same, as well as rules governing liability of legal
persons and jurisdiction. However, some of the additions of the Directive may
prove slightly more difficult for Member States to initially identify, impose or
maintain; the mention of botnets, identity theft and the need to respond
urgently to requests from other Member States are but a few. There is
ambiguity in a few of the definitions of terms used – for example,
exactly how many systems are required to create a botnet – the Directive
mentions a ‘significant number’
of computers, but of course this is ambiguous and interpretations of this definition
will differ from person to person. There is also the question of what exactly
constitutes prejudice to identity owners.
All these ambiguous definitions will be ironed out over time, but it is likely
to cause some complications and misunderstandings within the first stages of
implementation. The question of being able to respond to ‘urgent’ requests from
other Member States within eight hours is also likely to cause a few problems
and complications; however, these again should become a little clearer and
easier to deal with as time goes on. With this there is the issue of what exactly is
‘urgent’, for which it is presumed that Member States will use their discretion,
and also the fact that legal proceedings take a long time and eight hours may
not be long enough to collect the relevant data needed to answer the question
at hand.
Although it is undisputed that Member States should respond within a
reasonable time frame, eight hours seems a little unrealistic if the information
gathered is to be reliable and a viable source. Given that many countries have
already criminalised many of the offences mentioned in the Directive, the
implementation of the Directive in all Member States will ensure cooperation
between national authorities and also hopefully make fighting cybercrime easier
and more effective. The idea is to bring Member States in line with each other
and hopefully change the situation as it presently stands – there are presently
countries who have signed the EU Convention on Cybercrime but still have not
ratified it. With the internet playing such a prominent role in society, it
is important that it is one of the top priorities in Europe.
Botnets and DDoS
As the Directive mainly focuses on
botnets and the malicious attacks associated with them, it also seems
appropriate to mention DDoS attacks. As already mentioned, a botnet is a group
of internet-connected computers that have been maliciously infiltrated without the knowledge of
their owners. The most common reason for these takeovers is DDoS attacks,
which are a subcategory of DoS (Denial of Service) attacks. The distributed
form of the attack occurs when computers in different
locations are used to attack a particular victim/server; the attacks are an attempt to
make a server or a network unavailable to its users by temporarily interrupting
or suspending the services of the host,
usually by overwhelming it with traffic from multiple sources
which consumes its resources, forcing target computers to reset or obstructing
the communication media between the intended users and the victim so that they can no
longer adequately communicate, rendering it unusable.
The
consequence of the server being unusable is loss of money and status for the
organisation or website which is being attacked. When used in conjunction with
botnets, the individual controls the botnet remotely, which affords them maximum
protection while allowing them to target the maximum number of computers or most effectively
attack a specific target.
In simple terms, DDoS attacks either crash services and/or flood services. It is
also possible for DDoS attacks or botnets to be traded on the black market – a
week-long DDoS attack, capable of taking a small company offline, can cost
as little as 100 Euros.
Systems may also be compromised by a trojan (a malware programme which carries
out actions determined by its author, causing loss/theft of data and system
harm),
or hackers can break into systems using automated tools. There are many different
ways to hack into computer systems and cause damage to these platforms, which
were intended for a good purpose. As attackers become more knowledgeable about the
ways around protection services and firewalls, the next logical step is, of
course, legal protection. There have been many cases in recent times where
these advances can be demonstrated.
Case Law
If we look at case law, the protection
of people on the internet has been long awaited and is essential if the
internet is to develop further. In 2005, Jeanson James Ancheta became the first
person to be charged for controlling large numbers of hijacked computers
(botnets). Although this is an American case, because of their involvement in
the ratification of the Framework Decision, it is relevant to our
understanding. A similar event occurred in 2009, when a Mr Schiefer was
sentenced to a 48-month prison sentence after he used botnets to steal the
identities of thousands of people and to wiretap computers. Both of these are US
cases, but there is also relevant case law in Europe which backs up the need for a
stricter stance on cyber crime.
July 2012 saw the shutdown of the Grum botnet,
which was responsible for 18 billion emails every day and 17.4% of global spam
traffic. February 2013 saw Microsoft and Symantec put an end to the Bamital
botnet, which redirected computer users to a website where its operators cashed in
on the traffic and online advertising network; it netted an estimated £640,000
while in operation.
In December 2013, Greek police arrested two individuals who were connected with
the spam botnet “Lecpetex”, which used Facebook to target as many as 250,000
computers and use them to mine a Bitcoin-like currency called Litecoin.
The malware affected users in the UK, Europe and North and South America. This
was the biggest case ever handled by the Greek Cyber Crime Unit at the time,
according to the Greek news site “Greek Reporter”. A very prominent case is
that of Matjaz Skorjanc, who was arrested in Slovenia in 2010 after it was
found he had introduced the malware “Mariposa”, which hijacked 12.7 million
computers in over 190 countries.
He received a 58-month prison sentence and was ordered to pay a 4,000 Euro fine, as
well as forfeiting his home and car, which it was alleged he had bought with the
money received from the scheme. It should also be noted that many cases of
cybercrime go unreported, especially when the victims have a reputation to
uphold; this could include banks, as reporting such things may result in even
greater reputational damage. Therefore, although there is a large amount of case
law on these subjects, it is likely that these are only a fraction of the
real number of cases which occur.
Identity Theft
Although not covered as extensively as
botnets, identity theft is still a problem in the cyber sphere, and with the
crime rate for this increasing it is important to demonstrate a united
legislative front by way of implementation of the Directive. According
to Article 9(5) of the Directive, Member States are required to ‘take the
necessary measures to ensure that when [..illegal system access or interference..]
is committed by misusing the personal data of another person, with the aim of
gaining the trust of a third party, thereby causing prejudice to the rightful
identity owner... may be regarded as aggravated circumstances unless those
circumstances are already covered by another offence, punishable under national
law.’
In other words – identity theft: the misuse of personal data to gain the trust
of a third party, causing prejudice to the rightful identity owner. Prior to the
Directive, many countries did not have existing legislation specifically
tailored towards identity theft; it was instead left to fall under general criminal
laws such as fraud prevention legislation. With identity theft, as with many
criminal acts, there is an intention to cause some kind of harm and therefore
it was considered that it should be given a clearer distinction for criminalisation.
Big Brother State?
From the above, we can see that there
are many important decisions made by the courts which show how important it is
to have case law and legislation to protect users of the internet. Case after
case can be found on the use of botnets and the damage they cause to
individuals and companies alike. However, some may argue that the protection on
the internet is too much and may actually infringe the rights of users in an
attempt to keep them out of harm’s way. The recent case of Edward Snowden brings
to light the fact that it is not just civilians who are accessing the computer
information of unsuspecting members of the public; it also happens on a regular
basis at the hands of government officials. The US, UK, Sweden, France and Germany all have
the means to tap into the main internet cables of their country and collect all
the traffic which occurs at any given time – this is done by lawful
interception facilities and standardised interfaces.
Although considered lawful, it has raised questions as to the ethics of
security and surveillance technologies, and how far the Directive has gone in
order to protect citizens. The new Directive allows those party to it to use
their discretion and take “necessary action to ensure” various things such as
the protection of the nation and its people. The problem itself lies not with
the Directive, as this explicitly states that it is not for ‘minor’ acts, but
more for large-scale problems – however, the definition of minor acts itself is
open to interpretation by each government, making it a bit arbitrary and open
to abuse.
The problem is the amount of power that the government possesses and
the possibility of the abuse of that power. Having access to the central servers
and databases of the internet, and the ability to tap computers, could
potentially lead to the abuse of this to obtain information or statistics that
would not otherwise be readily given up. The monitoring of internet use is one
step closer towards total surveillance and the feared ‘big brother’ or ‘nanny’
state and the removal of basic protection against misuse of information.
It has already been reported that a number of countries, including the US and
UK, are monitoring e-mails (looking out for key ‘trigger’ words,
friends of suspects or those from unsavoury backgrounds) and data traffic from
many unsuspecting civilians’ computers, but the Directive affords a little more
discretion and flexibility to countries, causing an arguable expansion of their
already seemingly unregulated power. The states often argue that pre-emptive
surveillance is there for protection, but in fact it infringes the right of the
people to have the government not interfere in their family and private life.
Increased Co-operation
The
effect of the EU Directive worldwide should also be considered. As previously
discussed, the Directive hopes to make it so perpetrators of these kinds of
cybercrimes cannot use the national laws of less developed Member States to
avoid prosecution. However, many people who are responsible for attacks in
recent times reside outside of the EU, and so the Directive will have little or
no effect on their activities. This then becomes an issue of international law
and jurisdiction, which makes it more complex to arrest and sanction those
responsible. If a criminal hides in a country which is not a Member State, it
becomes a question of whether that country will allow EU officials to detain
and question the suspect – something which is unlikely to occur.
This can be
seen in the example of the previously mentioned Edward Snowden case: Snowden
sought refuge in Russia, a non-Member State, which did not give permission for
European officials to enter the territory to arrest him. Of course there
may also be questions of jurisdiction between Member States – as it stands,
each Member State has jurisdiction for offences committed on its territory or by
one of its nationals. Where several Member States have jurisdictional rights
over the same matter, cooperation is essential in deciding which State will
conduct proceedings against the perpetrator.
The Directive also stresses the importance of the
exchange of information. With regard to the exchange of information, the
obligations remain the same in the Directive, but a response time is added:
eight hours to reply to urgent requests from other Member States. There are
some reservations held about this time limit, though: although eight hours may
be feasible for a reply, such a reply is unlikely to be substantive or useful
because of the lack of time for proper investigation and compilation of
information. With
the many different task delegations involved in cybercrime and information
technology, eight hours would more likely result in fragmented bits of
incomplete information – a more realistic time frame would be around
twenty-four hours, according to most Member States.
To conclude, the new Directive is set
to replace the existing Framework Decision of 2005. It has come at an
appropriate time as, although the Framework Decision is not old, rapid
advancement in the area of information technology means that the legislation
must also match this rapid development. Recent times have seen the increasing
problems which are caused by malware such as botnets and large scale cyber
attacks which threaten to cripple key information infrastructures of many
countries, possibly at the same time. The unity that the Directive hopes to
create will mean a more rapid response time and a greater level of compliance
and cooperation between Member States who have signed and ratified the
agreement. By 4th September 2015 the new Directive will be
implemented in the national systems of all Member States (with the exception of
Denmark), but it is inevitable that new provisions will already be needed by
that time.
The review in 2017 will act as a forum to propose new developments in
the legislation and it will hopefully be the case that advances will keep up to
date with the problems posed by technology and malicious software. The law will
realistically always struggle to keep up with those who abuse the freedom
granted by the internet, but as long as legislation acts as some form of
deterrent by imposing tough sanctions on those who do take advantage, then it
can be considered a success.
The introduction of Directive 2013/40/EU is a
positive thing that will increase safety and security on the internet, both for
the individual and nations as a whole. It seems that the main aim of this
Directive, as with any directive, is unanimity between the Member States. This
can be seen through all Member States being addressees (and thus must implement
the directive within their national legal order), the tougher, uniform
penalties imposed for such offences, and the overall cohesion it hopes to
create between the Members. This Directive is another step towards uniform laws
throughout Europe due to the globalised nature of modern society.