Explanatory Memorandum to COM(2010)517 - Attacks against information systems

dossier COM(2010)517 - Attacks against information systems.
source COM(2010)517 EN
date 30-09-2010
1. GROUNDS FOR AND OBJECTIVES OF THE PROPOSAL

The purpose of the proposal is to replace Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems. The Framework Decision responded, as stated in its recitals, to the objective of improving cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services of the Member States, by approximating the rules of criminal law in the Member States in relation to attacks against information systems. It introduced EU legislation to deal with offences such as illegal access to information systems, illegal system interference and illegal data interference, as well as specific rules on the liability of legal persons, jurisdiction and exchange of information. Member States were required to take the necessary measures to comply with the provisions of the Framework Decision by 16 March 2007.

On 14 July 2008, the Commission published a report on the implementation of the Framework Decision. In the conclusions to the report, it was noted that significant progress had been made in most Member States and that the level of implementation was relatively good, but that implementation in some Member States was not yet complete. Further on in the report, it was stated that several "emerging threats have been highlighted by recent attacks across Europe since adoption of the Framework Decision, in particular the emergence of large-scale simultaneous attacks against information systems and increased criminal use of so-called botnets." These attacks were not the centre of attention when the Framework Decision was adopted. In response to these developments, the Commission will consider actions aimed at devising better responses to the threat (see the next section for an explanation of the term botnet).

The importance of taking further action to step up the fight against cybercrime was underlined in the 2004 Hague Programme on strengthening freedom, security and justice in the European Union as well as in the 2009 Stockholm Programme and its action plan. Furthermore, the recently presented Digital Agenda for Europe, the first flagship initiative adopted under the Europe 2020 strategy, recognised the need to address the rise of new forms of crime, in particular cybercrime, at European level. In the action area focused on trust and security, the Commission is committed to measures to combat cyber attacks against information systems.

On the international level, the Council of Europe Convention on Cybercrime ("Cybercrime Convention"), signed on 23 November 2001, is regarded as the most complete international standard to date, since it provides a comprehensive and coherent framework embracing the various aspects relating to cybercrime.[5] So far, the Convention has been signed by all 27 Member States, but it has been ratified by only 15 Member States.[6] The Convention entered into force on 1 July 2004. The EU is not a signatory to the Convention. Given the importance of this instrument, the Commission actively encourages the remaining EU member states to ratify the Convention as soon as possible.

- General context

The main cause of cybercrime is the vulnerability of information systems, which results from a variety of factors. An insufficient response by law enforcement mechanisms contributes to the prevalence of these phenomena and exacerbates the difficulties, as certain types of offences go beyond national borders. Reporting of this type of crime is often inadequate, partly because some crimes go unnoticed, and partly because the victims (economic operators and companies) do not report crimes for fear of damaging their reputation and of their future business prospects being affected by public exposure of their vulnerabilities.

Furthermore, variations in national criminal law and procedure may give rise to differences in investigation and prosecution, leading to differences in how these crimes are dealt with. Developments in information technology have exacerbated these problems by making it easier to produce and distribute tools ('malware' and botnets), while offering offenders anonymity and dispersing responsibility across jurisdictions. Given the difficulties of bringing a prosecution, organised crime is able to make considerable profits with little risk.

This proposal takes into account the new methods of committing cybercrimes, especially the use of botnets. The term botnet denotes a network of computers that have been infected by malicious software (malware). Such a network of compromised computers ('zombies') may be activated to perform specific actions, such as attacking information systems (cyber attacks). These zombies can be controlled, often without the knowledge of the users of the compromised computers, by another computer. This controlling computer is also known as the command-and-control centre. The persons who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems. It is very difficult to trace the perpetrators, as the computers that make up the botnet and carry out the attack may be in a different location from the offender himself.

Attacks carried out by a botnet are often executed on a large scale. Large-scale attacks are attacks that are either carried out with tools affecting significant numbers of information systems (computers), or that cause considerable damage, e.g. in terms of disrupted system services, financial cost, loss of personal data, etc. The damage caused by large-scale attacks has a major impact on the functioning of the target itself and/or affects its working environment. In this context, a big botnet is understood to have the capacity to cause serious damage. It is difficult to define botnets in terms of size, but the biggest botnets witnessed have been estimated to have between 40,000 and 100,000 connections (i.e. infected computers) per period of 24 hours.[7]

- Existing provisions in the area of the proposal

At EU level, the Framework Decision introduces a minimum level of approximation of Member States' legislation to criminalise a number of cybercrimes, including illegal access to information systems, illegal system interference, illegal data interference, and instigation, aiding and abetting and attempting to do so.

Although the provisions of the Framework Decision have generally been implemented by the Member States, the Decision has a number of shortcomings in view of the trend in the size and number of the offences (cyber attacks). It approximates legislation only on a limited number of offences and does not fully address the potential threat posed to society by large-scale attacks. Nor does it take sufficient account of the gravity of the crimes and of the sanctions against them.

Other EU initiatives and programmes in force or planned go some way to addressing problems related to cyber attacks or related issues, such as network security and the safety of Internet users. They include actions supported by the Prevention of and Fight against Crime programme, the Criminal Justice programme, the Safer Internet programme and the Critical Information Infrastructure Initiative. In addition to the Framework Decision, another relevant legal instrument in force is Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography.

At administrative level, the practice of infecting computers and turning them into botnets is already prohibited under EU privacy and data protection rules. Notably, national administrative agencies are already cooperating under the European Contact Network of Spam Authorities. Under those rules, Member States are required to prohibit the interception of communications on public communications networks and publicly available electronic communications services without the consent of the users concerned or legal authorisation.

This proposal is compliant with those rules. Member States should pay attention to improving the cooperation between administrative and law enforcement authorities for cases subject to both administrative and criminal sanctions.

- Consistency with other policies and objectives of the Union

The objectives are consistent with EU policies on combating organised crime, increasing the resilience of computer networks, protecting critical information infrastructure and data protection. The objectives are also consistent with the Safer Internet Programme which was set up to promote safer use of the Internet and new online technologies, and to combat illegal content.

This proposal was subjected to in-depth scrutiny to ensure that its provisions were fully compatible with fundamental rights and, in particular, with the protection of personal data, freedom of expression and information, the right to a fair trial, presumption of innocence and the rights of the defence, as well as the principles of legality and proportionality of criminal offences and penalties.

2. CONSULTATION OF INTERESTED PARTIES AND IMPACT ASSESSMENT

- Consultation of interested parties

A broad range of experts in the field have been consulted in a number of different meetings dealing with various aspects of the fight against cybercrime, including the judicial follow-up (prosecution) of these crimes. They included, in particular, representatives of Member States' Governments and the private sector, specialised judges and prosecutors, international organisations, European agencies and expert bodies. A number of experts and organisations have subsequently sent in submissions and provided information.

Key messages resulting from the consultation are:

- the need for the EU to act in this field;

- the need to criminalise forms of offences not included in the current Framework Decision, in particular new forms of cyber attacks (botnets);

- the need to eliminate obstacles to investigation and prosecution in cross-border cases.

The input received during the consultation has been taken into account in the Impact Assessment.

- Collection and use of expertise

External expertise has been obtained during various meetings with stakeholders.

- Impact Assessment

Various policy options have been examined as a means of achieving the objective.

- Policy option 1: Status Quo / No new EU action

This option means that the EU will not take any further action to combat this particular type of cybercrime, i.e. attacks against information systems. Ongoing actions are due to be continued, in particular the programmes to strengthen critical information infrastructure protection and improve public-private cooperation against cybercrime.

- Policy option 2: Development of a programme to strengthen the efforts to counter attacks against information systems by means of non-legislative measures

Non-legislative measures would, in addition to the programme for critical information infrastructure protection, focus on cross-border law enforcement and public-private cooperation. These soft-law instruments should aim to promote further coordinated action at EU level, including strengthening of the existing 24/7 network of contact points for law enforcement agencies; establishment of an EU network of public-private contact points involving cybercrime experts and law enforcement agencies; elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators; and support for the organisation of training programmes for law enforcement agencies on the investigation of cybercrime.

- Policy option 3: Targeted update of the rules of the Framework Decision (new Directive replacing the current Framework Decision) to address the threat from large-scale attacks against information systems (botnets), attacks committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner, the efficiency of Member States' law enforcement contact points, and the lack of statistical data on cyber attacks

This option provides for the introduction of specific targeted (i.e. limited) legislation to prevent large-scale attacks against information systems. Such strengthened legislation would be accompanied by non-legislative measures to strengthen operational cross-border cooperation against such attacks, which would facilitate the implementation of the legislative measures. The aim of these measures would be to enhance the preparedness, security and resilience of critical information infrastructure and exchange best practice.

- Policy option 4: Introduction of comprehensive EU legislation against cybercrime

This option would entail new comprehensive EU legislation. In addition to introducing the soft-law measures in policy option 2 and the update in policy option 3, it would also tackle other legal problems related to Internet use. Such measures would cover not only attacks against information systems, but also issues such as financial cybercrime, illegal Internet content, the collection/storage/transfer of electronic evidence, and more detailed jurisdiction rules. The legislation would operate in parallel with the Council of Europe Convention on Cybercrime, and would include the accompanying non-legislative measures mentioned above.

- Policy option 5: Update of the Council of Europe Convention on Cybercrime

This option would require substantial renegotiation of the current Convention, which is a lengthy process and is at odds with the time frame for action that is proposed in the Impact Assessment. There seems to be no international willingness to renegotiate the Convention. Updating of the Convention therefore cannot be considered a feasible option, as it falls outside the required time frame for action.

- Preferred policy option: combination of non-legislative measures (option 2) with a targeted update of the Framework Decision (option 3)

Following the analysis of the economic impact, social impacts, and impacts on fundamental rights, options 2 and 3 represent the best approach to deal with the problem and achieve the objectives of the proposal.

In preparing this proposal, the Commission carried out an Impact Assessment.

3. LEGAL ELEMENTS OF THE PROPOSAL

- Summary of the proposed action

The Directive, while repealing Framework Decision 2005/222/JHA, will retain its current provisions and include the following new elements:

- On substantive criminal law in general, the Directive:

A. Penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offences.

B. Includes aggravating circumstances:

- the large-scale aspect of the attacks - botnets or similar tools would be addressed by introducing a new aggravating circumstance, in the sense that the act of putting in place a botnet or a similar tool would be an aggravating factor when crimes listed in the existing Framework Decision are committed;

- when such attacks are committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner. Any such rules would need to comply with the principles of legality and proportionality of criminal offences and penalties and be consistent with existing legislation on the protection of personal data.

C. Introduces illegal interception as a criminal offence.

D. Introduces measures to improve European criminal justice cooperation by strengthening the existing structure of 24/7 contact points:

- an obligation to comply with a request for assistance by the operational contact points (set out in Article 14 of the Directive) within a certain time limit is proposed. The Cybercrime Convention does not specify a binding provision of this kind. The aim of this measure is to ensure that the contact points indicate within a specified time whether they are able to provide a solution to the request for assistance, and by when the requesting point of contact can expect such a solution to be found. The actual content of the solutions is not specified.

E. Addresses the need to provide statistical data on cybercrimes by making it obligatory for the Member States to ensure that an adequate system is in place for the recording, production and provision of statistical data on the offences referred to in the existing Framework Decision and the newly added illegal interception.

The definitions of the criminal offences listed in Articles 3, 4 and 5 of the Directive (illegal access to information systems, illegal system interference and illegal data interference) contain a provision allowing Member States, when transposing the Directive into national law, to criminalise only cases which are not minor. This element of flexibility is intended to allow Member States not to cover cases that would in abstracto fall under the basic definition but are considered not to harm the protected legal interest, e.g. in particular acts by young people who attempt to prove their expertise in information technology. This possibility to limit the scope of criminalisation should not, however, lead to the introduction of additional constitutive elements of offences beyond those already included in the Directive, because that would result in only offences committed with aggravating circumstances being covered. In the process of transposition, Member States should therefore refrain from adding constitutive elements to the basic offences, such as a special intention to derive illicit proceeds from crime or the presence of a specific effect such as causing considerable damage.

- Legal basis

Article 83 of the Treaty on the Functioning of the European Union.

- Subsidiarity principle

The subsidiarity principle applies to the actions of the European Union. The objectives of the proposal cannot be sufficiently achieved by the Member States for the following reasons:

Cybercrime and, more specifically, attacks against information systems have a considerable cross-border dimension, which is most obvious in large-scale attacks, as the connecting elements of an attack are often situated in different locations and in different countries. This requires EU action, in particular to keep abreast of the current trend towards large-scale attacks in Europe and in the world. Action at EU level and an update of Framework Decision 2005/222/JHA have also been called for in the Council Conclusions of November 2008[16], as the objective of effectively protecting citizens from cybercrime cannot be sufficiently achieved by Member States alone.

Action by the European Union will better achieve the objectives of the proposal for the following reasons:

The proposal will further approximate the substantive criminal law of Member States and the rules on procedure, which will have a positive impact on the fight against these crimes. Firstly, it is a way of preventing offenders from moving to Member States in which legislation against cyber attacks is more lenient. Secondly, shared definitions make it possible to exchange information and collect and compare relevant data. Thirdly, the effectiveness of prevention measures across the EU and international cooperation are also enhanced.

The proposal therefore complies with the subsidiarity principle.

- Proportionality principle

The proposal complies with the proportionality principle for the following reason:

This Directive confines itself to the minimum required in order to achieve those objectives at European level and does not go beyond what is necessary for that purpose, taking into account the need for accuracy of criminal legislation.

- Choice of instruments

Proposed instrument: Directive.

Other means would not be adequate for the following reason:

The legal basis requires a Directive.

Non-legislative measures and self-regulation would improve the situation in certain areas where implementation is crucial. However, in other areas where new legislation is essential, the benefits would be modest.

4. BUDGETARY IMPLICATIONS

The implications of the proposal for the Union budget are small. More than 90% of the estimated cost of EUR 5,913,000 would be borne by the Member States, and there is the possibility of applying for EU funding to reduce the cost.

5. ADDITIONAL INFORMATION
- Repeal of existing legislation

The adoption of the proposal will lead to the repeal of the existing legislation.

- Territorial scope

This Directive is addressed to the Member States in accordance with the Treaties.