EU Plan to Standardize Punishments Also Could Impact Security Research

While much has been made of recent efforts to provide parity in prosecutions and punishments for cybercrimes across the 27-nation European Union, less has been said about how it may impact security researchers who use the same hacker tools to perform their work.


Under a proposal approved recently by a European Parliament committee, all of Europe would similarly criminalize a wide range of offenses, from launching a database attack to spoofing someone’s IP address or illegally accessing accounts. Sentences also would be standardized and range from two years to up to five years imprisonment for attacks that cause considerable damage, such as breaching a power station’s network.

Additionally, companies that benefit from a breach, whether deliberately or from lack of supervision, could be held criminally liable.

The EU proposal as now drafted may strengthen and standardize penalties for illegal hacker activity, but it also targets their tools – some of which are also used legitimately to test data, network or Internet security.

Specifically, an amendment in the draft approved addresses the tools used to commit cyber attacks, noting that they “represent only a few among many possibilities of attacking information systems.”

Then in another amendment, the language references “authorised testing.” The term, it states, “can be interpreted in a way that would require a formal authorization before the security testing of own information systems. This would entirely undermine the effectiveness and practicality of self-tests without criminal intent. Further, there should be no criminal liability when the limitation of access to a system is illegal by itself.”

One security professional repeatedly quoted in numerous online publications is Andrew Miller, CEO of Corero Network Security, which includes corporate headquarters in both the United States and Europe.

“Standardising what constitutes a data breach or hack and harmonising the penalties puts cyber attackers on notice. Hackers no longer will be able to count on poor international cooperation to escape accountability,” Miller said. But he then cautioned that targeting tools may be overreaching.

“In an effort to combat cyberattacks, security researchers and ethical hackers are continuously seeking these [hacking] tools to demonstrate weaknesses within an organisation’s network and as a way to reverse engineer solutions to combat hacks. The spotlight should be on the crimes committed with the hacking tools rather than the tools themselves,” he said.

Rik Ferguson, director of security research and communication at Trend Micro, told SC Magazine that the legislation’s language actually is an improvement over an earlier document. “This new proposal enshrines the concept of ‘intent’ at the heart of any clauses relating to hacking tools and recognises very clearly the dual-purpose nature of many of these tools,” he said. “… It is certainly possible to legislate for the misuse of any tool with criminal intent, and whether that tool is physical or digital shouldn’t make any difference. The key to legislation which will not impact the lawful work of security researchers and organisations though is that question of intent, which I feel is adequately covered in this draft.”

The full European Parliament is expected to take up the proposals this summer.

Discussion

  • Michael Argast on

    If you outlaw guns, only criminals have guns. If you outlaw security research tools, the same story applies. Many commercial products that are designed to help an organization secure themselves against attacks could be made illegal under this mandate. The end result is that organizations end up less secure, which has significant negative implications for the health of the EU overall.

    Next up, encryption technologies. Only 'bad guys' don't want you to know what they're talking about. 

    After that, a legislated EU-wide database for passwords. For 'law enforcement' reasons. After all, you shouldn't be afraid to have the police review your Facebook page if you don't have anything to hide.
