Elusive cyber-attackers to face five years’ jail

As the EU comes close to an agreement on punishing cyber criminals, with a minimum sentence of up to five years, security experts argue that trying to convict criminals who cannot be caught in the first place is a waste of time. 

The EU's justice ministers will this morning (10 June) agree to draft rules which define cyber crimes and minimum sentences for the worst offenders.

The draft laws have spurred little disagreement in EU quarters so far, with many countries eager to sign off on the proposed Directive on Attacks against Information Systems. Once they have done so, they will enter into talks with the European Parliament.

Security experts are unimpressed by the EU's efforts to set out sentencing terms for cyber crimes and argue that policy wonks would be better off focusing on understanding cyber crime and getting more resources to fight it.

"We have quite enough laws to convict cyber criminals but we don't have enough policemen to catch them and we don't have enough organisations that can work across border to catch them," Richard Clayton, a professor at the University of Cambridge, told EURACTIV.

Clayton points out that most countries have signed up to the Council of Europe's Convention on Cybercrime, which sets out best practice on punishing cyber crimes.

Nevertheless, ministers will today sign off on the draft directive, with the exception of Denmark, which will not sign the agreement.

Crimes outlined in the proposed legislation are illegal access to IT systems, interference with these systems, stealing or deleting data and the interception of non-public data transfers.

For less serious offences like access to information, criminals could face a minimum two-year sentence, but if they have reached a significant number of computers or have targeted critical infrastructure, like airports or nuclear power plants, then they should face a minimum of five years inside, according to today's draft agreement.

Last month, Google and Sony were targeted by as yet unidentified hackers who stole customers' personal information.

The little information available about hackers shows that they usually work in large networks across territories, that they in large part come from Russia, Eastern Europe, China and the US, with some dotted in the EU, and that they are very difficult to catch, let alone convict.

In the US, the FBI is struggling to control a huge crime wave in cyber fraud. One known group of hackers is called LulzSec and in spite of the hackers' efforts to promote their crimes online, police have not managed to track them down.

In the EU, a Russian-based attack brought Estonia to a standstill in 2007. In the UK, the Ministry of Defence has dealt with more than 1,000 "potentially serious" cyber attacks in the past year.

Spanish attackers are notorious for lottery fraud while Romanians have mastered auction fraud, whereby people lose money by buying non-existent products online.

"Cybercriminals have correctly assessed their chances of being caught as very very low," Clayton added.

Currently EU member states co-operate informally on catching cyber attackers. Europol, the EU's criminal intelligence agency, facilitates information-sharing between police in different countries.

Recognising the gap in tracking cyber criminals, the EU announced it wants to set up a European Cyber Crime Centre by 2013 to coordinate operations across borders and provide training to law enforcement authorities.

A Commission official insisted that today's agreement was just one step in a bigger strategy to fight cyber crime.

Claire Davenport

"The EU cannot do it alone. We need global cooperation to tackle cybercrime," Thomas Boue, a regulatory expert at the Business Software Alliance, said in an interview.  

"We need more international co-operation. Police forces need to talk to each other more. Everyone is chasing the same set of criminals which is a waste," Dr. Richard Clayton, a cyber security expert from the University of Cambridge, told EURACTIV.

"The European Commission has contributed to the development of cybercrime training courses and centres of excellence in the last 10 years, but the demand has never been greater. I would therefore be happy to discuss how we can take this further," Cecilia Malmström, the EU commissioner for home affairs, said in a speech delivered at a cybercrime conference in Budapest in April.

In March 2009, the European Commission adopted a Communication on Critical Information Infrastructure Protection – 'Protecting Europe from large scale cyber-attacks and cyber-disruptions: enhancing preparedness, security and resilience', which set out an Action Plan to protect critical information infrastructures by making the EU more prepared for and resistant to cyber attacks and disruptions.

The 2010 Digital Agenda for Europe stressed the importance of trust and security and highlighted the pressing need for all stakeholders to join forces and develop effective and coordinated mechanisms to respond to new and increasingly sophisticated cyber risks.

On 30 September 2010, the Commission adopted a proposal to strengthen and modernise the European Network and Information Security Agency (ENISA).

  • 2013: EU to open centralised cybercrime centre.
