Trade Law Daily is a Warren News publication.
Internal Strategy Coming

EC Unveils First Moves in Pan-European Fight Against Cyberattacks

In what the European Commission called a “first step” toward a unified defense against cybercrime, it proposed tougher laws against attacks on information systems and a more visible role for Europe’s network security agency. Cybercriminality isn’t just a game for young hackers anymore but an activity increasingly under the sway of organized crime, said Home Affairs Commissioner Cecilia Malmström. Protecting critical infrastructure such as electricity grids is the long-term goal, but that won’t happen unless current legal loopholes are plugged, she said at a news briefing. Both proposals must be approved by the EU Council and Parliament.

New forms of cybercrimes are emerging, including botnets such as Conficker, Malmström said. Stuxnet, a worm that infects power plants and factories, may be the first case of a botnet aimed at industrial targets, she said. The EU’s legal system isn’t set up to deal with large attacks, doesn’t impose penalties strong enough to deter and doesn’t deal with cross-border cooperation, she said.

The proposed directive would retain current penalties against illegal access to an information network, unlawful system interference and illegal data interference, the EC said. It also would criminalize the use of tools such as malicious software for committing those offenses and “illegal interception” of information systems, it said. It would boost cooperation among law enforcement agencies by strengthening a structure of 24/7 contact points and requiring answers to urgent requests within eight hours, it said. EU countries will have to collect basic statistics on cybercrime, it said.

The proposal also would increase penalties to at least two years’ jail, and criminalize instigation, aiding, abetting and attempt of the identified offenses, the EC said. Crimes committed under aggravating circumstances will be subject to at least five years’ imprisonment, it said. Aggravating circumstances are attacks carried out by a criminal organization, through the use of a tool conceived to launch attacks that affect a significant number of information systems or cause considerable damage, or committed by concealing the wrongdoer’s identity and causing prejudice to the rightful identity owner.

A second prong in the EC strategy is to beef up the European Network and Information Security Agency, said Digital Agenda Commissioner Neelie Kroes. ENISA’s term will be extended to 2017 to give the agency additional time and flexibility to tackle cyberthreats, she said.

ENISA will be a go-between for those charged with protecting network security and for enforcement bodies such as courts, the police and data protection authorities, Kroes said. It will handle urgent requests quickly and help EU members and institutions develop an alert system for monitoring Europe’s cybersecurity level, she said. It will also give EU bodies technical advice about establishing a computer emergency response team and will promote risk management and security good practices, she said.

Asked how ENISA will coordinate with NATO, Europol and others fighting cybercrime, Kroes said no one is “in a silo” and everyone must work together. As to whether an EU CERT could be in place before ENISA’s new role is approved by governments and the European Parliament, Kroes said she hopes both are ready in 2012.

Malmström said she'll publish an internal security strategy in late November in which cybersecurity will play a large part. The policy will encourage all EU nations and bodies to set up CERTs, networked with each other and with law enforcement authorities, to improve Europe’s capacity to prevent, detect and respond to cyberattacks, an EC spokeswoman said.

EU lawmakers hadn’t seen the documents at our deadline. But Parliament wants a stronger ENISA and a cybersecurity strategy, said Alexander Alvaro, of Germany and the Alliance for Liberals and Democrats in Europe. The Budget Committee approved Thursday an amendment offered by Alvaro that calls for funding of a policy, he said. A council spokesman said he didn’t know when governments will meet to discuss the matter.

It’s too soon to say if the EC proposals will encounter resistance, a parliamentary spokesman said. But members of many political groups will likely want to ensure that the plans don’t intrude on data protection and privacy rights, he said.