While much has been made of recent efforts to provide parity in prosecutions and punishments for cybercrimes across the 27-nation European Union, less has been said about how it may impact security researchers who use the same hacker tools to perform their work.
Under a proposal approved recently by a European Parliament committee, all of Europe would similarly criminalize a wide range of offenses, from launching a database atttack to spoofing someone’s IP address or illegally accessing accounts. Sentences also would be standardized and range from twoyears to up to five years imprisonment for attacks that cause considerable damage, such as breaching a power station’s network.
Additionally, companies that benefit from a breach, whether deliberately or from lack of supervision, could be held criminally liable.
The EU proposal as now drafted may strengthen and standardize illegal hacker activity, but it also targets their tools – some of which are also used legitimately to test data, network or Internet security.
Specifically, an amendment in the draft approved addresses the tools used to commit cyber attacks, noting that they “represent only a few among many possibilities of attacking information systems”
Then in another amendment, the language references “authorised testing.” The term, it states, “can be interpreted in a way that would require a formal authorization before the security testing of own information systems. This would entirely undermine the effectiveness and practicality of selftests without criminal intent. Further, there should be no criminal liability when the limitation of access to a system is illegal by itself.”
One security professional repeatedly quoted in numerous online publications is Andrew Miller, CEO of Corero Network Security, which includes corporate headquarters in both the United States and Europe.
“Standardising what constitutes a data breach or hack and harmonising the penalties puts cyber attackers on notice. Hackers no longer will be able to count on poor international cooperation to escape accountability,” Miller said. But he then cautioned that targeting tools may be overreaching.
“In an effort to combat cyberattacks, security researchers and ethical hackers are continuously seeking these [hacking] tools to demonstrate weaknesses within an organisation’s network and as a way to reverse engineer solutions to combat hacks. The spotlight should be on the crimes committed with the hacking tools rather the tools themselves, ” he said.
Rik Ferguson, director of security research and communication at Trend Micro, told SC Magazine that the legislation’s language actually is an improvement over an earlier document. “”This new proposal enshrines the concept of ‘intent’ at the heart of any clauses relating to hacking tools and recognises very clearly the dual-purpose nature of many of these tools,”” he said. “… It is certainly possible to legislate for the misuse of any tool with criminal intent, and whether that tool is physical or digital shouldn’t make any difference. The key to legislation which will not impact the lawful work of security researchers and organisations though is that question of intent, which I feel is adequately covered in this draft.””
The full European Parliament is expected to take up the proposals this summer.