Under the proposed new legislation, EU member states will have new and more up-to-date legal instruments to combat cyber-crime.
Existing rules stipulate that illegally accessing and interfering with computers, servers and data is punishable as a criminal offence. The proposed directive will maintain and strengthen current provisions. But it will also specifically address and punish those who build, use and sell tools and software designed to carry out cyber-attacks.
In recent years, criminal organisations have waged large-scale illegal operations against sensitive information infrastructure in different EU countries. These coordinated sabotage actions were made possible by the use of specific tools, such as malware and botnets.
Malware is malicious software which is installed on a computer, usually without the owner's consent, to carry out a variety of fraudulent operations, such as stealing data or remotely controlling the machine.
Once a computer is following orders from unknown users, it turns into a "zombie", in electronic jargon. Hundreds or sometimes thousands of zombies called into action simultaneously from a single centre of control become a dangerous virtual army, nicknamed a "botnet", capable of causing serious disruption to private and public information infrastructure.
The most notorious attack in Europe was carried out in 2007 against Estonia, which is one of the EU's most digitised countries. Offenders, identified by Tallinn's authorities as being on the payroll of neighbouring Russia, were able to block a number of official Estonian websites. For a period they were able to freeze online banking, the payment of pensions and a series of other delicate operations, thereby affecting both the authorities and citizens.
"With the help of malicious software, it is possible to take control of a large number of computers and steal credit card numbers, find sensitive information or launch large-scale attacks. It is time for us to step up our efforts against cyber crime, [which is] also often used by organised crime," EU Home Affairs Commissioner Cecilia Malmström explained in a note.
Every year sees the emergence of new, more dangerous botnets, capable of disrupting electronic services across the world. According to facts provided by the Commission, since 2008, a new type of malware known as Conficker has attacked several countries around the world. Reportedly, defence services in France, Germany and the UK experienced serious disruptions after being attacked by this botnet in the first few months of 2009.
More recently a new type of malware, called Stuxnet, is said to be infecting plants, factories and pipelines, with possible consequences for industrial production.
The proposed new EU rules particularly target the use of malware or botnets. To combat these operations, member states will be required to cooperate more effectively in the field of cyber defence, and will be obliged to provide immediate replies to urgent requests.
A new role for ENISA
As part of the package proposed today, the Commission is also presenting a draft regulation aimed at strengthening and prolonging the mandate of the EU agency dedicated to network security, ENISA.
Under the new rules, the agency will step up its efforts to boost cooperation across member states in the field of virtual security, as well as continuing to carry out EU-wide campaigns to raise awareness of cyber risks.
This is precisely what the digital industry is asking the European authorities to do. More widespread awareness of the hidden dangers of information networks will facilitate the use of the best defence tools and block the spread of infected software, thus limiting the impact of online fraud.
"The EU's institutions and governments must work ever [more] closely together, to help us understand the nature and scale of the new cyber threats. We need ENISA's advice and support to help design efficient response mechanisms to protect our citizens and businesses online," said the EU commissioner in charge of telecommunication networks, Neelie Kroes.