Annexes to SEC(2010)1122 - IMPACT ASSESSMENT Accompanying document to the Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on attacks against information systems


agreements.

C Specific objective: To establish effective monitoring systems and data collection

Operational objectives:

C1 To record, produce and provide statistical data on the offences referred to in the Directive.

3.2 Consistency of the objectives with other EU policies and horizontal objectives

Considering the global and borderless nature of cybercrime and cyber attacks, the policy in this area needs to be consistent not only with other EU policies, but also with the policies of international organisations and third countries.66

At the international level, the Council of Europe Cybercrime Convention is the only instrument.67 It provides a comprehensive and coherent framework covering different aspects of criminal and procedural law, as well as of international law enforcement cooperation. The Convention is also open to countries that are not members of the Council of Europe and has already been ratified by i.a. the USA.68 A truly global coordination of anti-cybercrime policies is necessary, as a policy limited to the EU alone would not be able to address all aspects of the problem. The European Commission has declared its full support for the Convention and its ratification by all Member States.69

The FD on attacks, and in particular the fundamental provisions of Articles 2 to 4, build on the Cybercrime Convention, and are in principle identical to the Convention's corresponding Articles. All potential new actions discussed in the present report will have to be defined in view of guaranteeing a good level of coherence with the Convention.

The objectives presented above have been defined in order to complement existing and prospective measures within the EU policies for a secure information society70 and for Critical Information Infrastructure Protection. The Commission policy in this area has recently been presented in the Communication "Protecting Europe from large-scale cyber attacks and disruptions: enhancing preparedness, security and resilience".71 The objectives have also been defined to be consistent with EU policies related to the fight against organised crime, terrorism and security in general.

The Impact Assessment is also consistent with the report on the implementation of the European Security strategy from 2003 (Implementation Report of the ESS, 4 February 2008), which for the first time mentions cyber security and internet-based crimes as one of the global challenges and key threats. The report requests more work to be done in this area, particularly when it comes to "attacks against private or government IT systems in EU Member States". The Impact Assessment responds to this challenge.

4. Policy options

Elements of the various policy options can be pursued independently of the overall option chosen.

4.1 Policy option (1) Status quo / no new EU action

This option implies that the EU will not take any further action to fight this particular type of cybercrime. Ongoing actions, in particular the programmes to strengthen critical information infrastructure protection and improve public-private cooperation against cybercrime, would be continued. This option does not exclude that existing global legislation is strengthened. This option might entail sustained political – and possibly financial – support for actions connected to the implementation of the Council of Europe Cybercrime Convention and its further development.

4.2 Policy option (2) Development of a programme to strengthen efforts to counter attacks against information systems with non-legislative measures

Non-legislative measures would, in addition to the programme for critical information infrastructure protection, focus on cross-border law enforcement and public-private cooperation. These soft-law instruments should aim at favouring further coordinated action at EU level, including:

- strengthening of the existing 24/7 network of contact points for law enforcement authorities by establishing best practice recommendations;

- establishment of an EU network of public-private contact points of cybercrime experts and law enforcement. This network would take the form of a list containing contact details on both public and private contact points.

- elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators, as agreed by the Council of the EU in its conclusions in November 2008, when it invited the Council and the Commission to draft, in consultation with private operators, a European agreement model for cooperation between law enforcement agencies and private operators.72 The Conclusions stipulated that “the Member States are encouraged to set up standardized system for trusted operational and strategic information exchange between law enforcement and the private sector”. The EU service level agreement aims to create a trusted framework whereby companies and law enforcement can exchange information on cybercrime and exchange best practice.

- supporting the organisation of training programmes for law enforcement agencies on cybercrime investigation. The Commission will be establishing, together with the Member States and the private sector, an EU cybercrime training platform.

4.3. Policy option (3) Targeted update of FD on attacks to address the specific threat of large-scale attacks against information systems

This option implies the introduction of specific, targeted (i.e. limited) legislation against large-scale attacks against information systems that are particularly dangerous. Such targeted legislation would be linked to measures to strengthen operational cross-border cooperation against attacks on information systems and to an increase of the already foreseen minimum penalties. This option would take the form of an update of the existing FD on attacks, and would include the following specific measures identified in the consultation process with stakeholders:

- introduction of legislation against the tools used for attacks against information systems. This would entail the criminalisation of the production, sale, procurement for use, import, distribution or otherwise making available of a tool enabling large-scale attacks against information systems;

- introduction of new aggravating circumstances regarding large-scale attacks, such as the act of putting in place a botnet or a similar tool enabling the commission of offences mentioned in Article 2 of the current FD, and the commission of such offences by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner (so-called identity theft). For example, an identity theft-related offence occurs when someone uses someone else's personal data, such as a name or credit card number, without the permission of the identified person, to commit fraud or other criminal offences, such as attacks against information systems.

- introduction of an obligation for Member States to respond to an urgent request from both the public and the private sector via the 24/7 network of contact points within a certain time limit. The formulation should be based on Article 4 in the FD 2006/960/JHA73 ("shall ensure that they have procedures in place so that they can respond within at most eight hours to urgent request…"), and should limit the time period of response.

- introduction of a monitoring obligation for Member States to facilitate the collection and provision of data about cyber attacks and cybercrime, including the number of prosecutions and criminal reports. As the absence of accurate data is one of the key issues, there is a need for a provision introducing an obligation for Member States to collect and provide the Commission with statistical data regarding cybercrime. This obligation would also be consistent with the aim of the EU Action Plan on criminal statistics, which is to develop statistics that will allow comparisons regarding the structure, levels and trends of crime as well as the various criminal justice measures between Member States and regions within Member States.74

- to limit the frequency of future changes, the proposed measures will be worded in a technologically neutral manner. An example of this is the use of the term 'tools' for attacks (instead of the currently used technical term 'botnets'). Moreover, the scope of the FD is geared towards attacks only (and not other cybercrimes), which will reduce the likelihood of future changes.

4.3.1. Policy sub-options

This policy option could have several sub-options.

(a) Three sub-options would be proposed when introducing aggravating circumstances. The purpose of these sub-options is to consider the most appropriate form of penalisation of the criminal activities. The sub-options are not mutually exclusive.

The first policy sub-option would require that each Member State shall take the necessary measures to ensure that the offences related to large-scale attacks are punishable by criminal penalties of a maximum of at least five years of imprisonment when committed through the use of a mechanism conceived to launch an attack at a large scale.

The second policy sub-option would require that each Member State shall take the necessary measures to ensure that the offences related to large-scale attacks are punishable by financial penalties taking into account the estimated proceeds of the crime when committed through the use of a mechanism conceived to launch an attack at a large scale.

The third policy sub-option would be a combination of the first two, and would require that each Member State shall take the necessary measures to ensure that the offences related to large-scale attacks are punishable by criminal penalties of a maximum of at least five years of imprisonment and financial penalties taking into account the estimated proceeds of the crime when committed through the use of a mechanism conceived to launch an attack at a large scale.

The current level of penalties is set between 1 and 3 years of imprisonment (3 years for aggravating circumstances). This level is perceived as not reflecting the gravity of the crime; moreover, in some Member States this level excludes the use of special investigative techniques indispensable to the investigations required for this type of crime, such as covert operations.

It is suggested to raise this level to 2 years, and to 5 years for aggravating circumstances, which is in line with the legislation in countries that recently modified their legislation (Estonia, France, Germany), or that have a higher level of penalties (UK). Therefore, this sub-option is considered best suited for the aims of this Impact Assessment.

(b) Three sub-options would also be proposed when introducing the obligation on the 24/7 contact points to respond to requests for assistance.

The first policy sub-option would require that Member States shall ensure that they have procedures in place to respond to requests within the shortest delay possible.

The second policy sub-option would require that Member States shall ensure that they have procedures in place so that they can respond within at most eight hours to requests.

The third policy sub-option would require that Member States shall ensure that they have procedures in place so that they can respond within at most eight hours to urgent requests.75 The qualification of 'urgent' should be agreed between law enforcement authorities and the private sector.

4.4. Policy option (4) Introduction of comprehensive EU legislation against cybercrime

This option would entail new and comprehensive EU legislation. In addition to the update set out in policy option 3, this option would add the soft-law measures of policy option 2, and go beyond these by tackling other legal problems related to Internet usage.

The identification of the use of botnets for a range of criminal activities including not only large-scale attacks, but also identity theft, hosting of illicit content online, fraud, etc., raises the question whether new, broader EU legislation on cybercrime should be introduced. Such legislation would also necessitate measures addressing fraud committed online, illegal web content (e.g. by blocking or taking down web pages which sell/rent botnets), the collection/storage/transfer of electronic evidence, and the clarification of jurisdiction rules in cross-border cyber incidents. The legislation would run in parallel to the Council of Europe Convention on cybercrime, and would include the accompanying, non-legislative measures mentioned above. The policy option would deal with cybercrimes other than merely large-scale attacks, which may, however, facilitate the occurrence of large-scale attacks.

4.5. Policy option (5) Update of the Council of Europe Convention on Cybercrime

This option would require substantial renegotiation of the current Convention, which is a lengthy process and goes against the time frame for action that is proposed in this Impact Assessment. The renegotiation would have to focus in particular on those elements introduced in policy option (3), i.e. the introduction of aggravating circumstances and penalties. At the time of negotiation of the current Convention (before 2001), no agreement could be reached on the issue of penalties, which is why the Convention does not mention them. There is no indication that such consensus could be reached today.

There seems to be no international willingness to renegotiate. Furthermore, any efforts to reopen negotiations could be perceived as undermining the ongoing, but not yet completed, ratification process, and therefore as an attempt to undermine the value of the Convention.

The current Convention entered into force on 1 July 2004; however, 10 Member States have not yet ratified it.

An update of the Convention therefore cannot be considered a feasible option within the required time frame for action. Consequently, this option will not be assessed in detail.

5. Analysis of impacts

No significant environmental impacts are at stake in any of the considered policy options, and no particular difficulties in relation to third countries can be expected as a consequence of any of the policy options. The policy options are evaluated on the following categories:

- Economic impact, further subdivided into the financial cost (including administrative costs for companies) of the option, and its economic benefit (savings, economic growth).

- Social impact

- Impact on fundamental rights

- Impact on third countries

- Relevance of the measure - contribution to the achievement of the objectives

- Consistency with international law

- Political Feasibility (without magnitudes)

- Proportionality (without magnitudes)

Member States' and stakeholders' views are also mentioned concerning all policy options.

Economic impact

Measures that improve efficiency in fighting crime are likely to produce a general pattern of net positive economic impact. In the short term, there may be a moderate increase in administrative costs due to greater demands on the public system of criminal law (because a more efficient system to fight crime catches and processes more criminals), accompanied by a corresponding effect on the wider economy that must pay those costs. However, in the medium and long term, there should be a substantial reduction in such costs (because a more efficient system to fight and prevent crime deters more criminals and their rehabilitation leads to fewer offences, so that fewer criminals are ‘processed’), bearing in mind that a baseline level of crime is probably unavoidable. At any rate, and especially in the case of crimes such as fraud committed via the internet, any possible short-term increase in administrative expenditure is largely compensated by the economic benefits of avoiding the economic costs of such offences listed above.

Conversely, measures that are inefficient in fighting crime will produce a general pattern of negative economic impact. In the long term, this includes inefficient State intervention due to lack of trust in public authorities, undermining of the trust needed to deploy or take part in economic activities on the Internet, inefficient use of resources due to individuals adopting self-protecting measures, and unfair distribution of wealth as criminals profit from their activities.

Social impacts

Measures that improve efficiency in fighting crime are likely to produce positive social impacts, such as an increase in security and trust in authorities and interpersonal relations. They contribute to minimising the damage to values which matter to society, reinforce trust in public institutions and the authority of the State, and help avoid trauma for victims and widespread fear. In the case of cybercrime, these impacts affect both individuals and corporate citizens. The existence of trust is an essential component of the social fabric.

A table of symbols is used to establish the magnitude of the foreseen impact. It uses "-" for negative impacts or costs and "+" for positive impacts or savings. Symbols combining "-" and "+" mean that both positive and negative impacts are expected.

- Small magnitude: - / +

- Medium magnitude: -- / ++

- Significant magnitude: --- / +++

- No impact: 0

5.1 Option (1) Status quo / no new EU action

This option would not address the need for further strengthening the efforts to fight cybercrime.

The Council of Europe Convention on cybercrime is a very sound instrument (both in content and in implementation) in the area, but new events such as large-scale attacks necessitate EU action. In principle, all EU Member States should ratify the Convention. So far, however, only 15 Member States have done so.

In addition to and beyond the Council of Europe Cybercrime Convention, all the considerations developed under paragraph 2.6 must be recalled here, namely that this type of crime is expected to remain stable or even grow if no effective deterrence is put in place in the near future.

Taking into account that the fight against large-scale attacks against information systems is a high priority within EU policy, and a cross-cutting issue affecting many fields of EU action, the option of not taking further action at the EU level would not provide an adequate response to the identified problem.

5.1.1 Economic impact

- financial cost: 0

- economic benefit: 0

No action will reinforce the existing weaknesses in the current legal set-up, leading eventually to legal uncertainty and the inability to act following events such as large-scale cyber attacks. As a result, business and citizens will gradually lose trust in information technologies and the Internet, which will in turn hamper economic development. The effect, particularly on SMEs, is likely to be significant, as their assets tend to be less protected against cybercrime due to their lower means to do so. Indeed, according to a report of the UK's Federation of Small Businesses, cybercrime is becoming an increasingly serious issue for SMEs, which lose up to GBP 800 a year on average to cybercrime. According to the same report, 54 per cent of UK SMEs reported being a victim of cybercrime in the last twelve months – 15 per cent falling foul of IT problems caused by viruses and hackers.76

Magnitude of the economic impact: 0

5.1.2 Social impact

Not acting (but continuing the ratification of the Council of Europe Convention) has the disadvantage that it is unclear by what time all Member States will have ratified and acceded to the Convention. Society will be increasingly affected by cybercrime and attacks against its information systems, creating a feeling of insecurity on the Internet.

Magnitude of the social impact: 0

5.1.3 Fundamental rights impact

In this option, interests and rights of individuals and businesses would be negatively affected due to the evolution of cybercrime, as further cases of misuse of personal data and/or stolen identity will occur.

Magnitude of the fundamental rights impact: 0

5.1.4 Effects on third countries

If no new measures are taken to combat cybercrime, the situation will become worse for the EU and third countries. This option also has as a consequence that no new legal and practical expertise will be built in how to deal with large-scale attacks. This expertise could eventually be used to assist third countries in their fight against cybercrime. The status quo can in this sense be considered to have negative effects for third countries in the medium to long term.

Magnitude of the effects on third countries: -

5.1.5 Consistency with international law

The relevance of the measure and consistency with international law, as well as proportionality, are also considered null, as there is no change in the policy. Therefore, the current differences between the existing FD on attacks and the Council of Europe Cybercrime Convention would remain, such as on the issue of criminalising the act of putting tools used to conduct criminal attacks at criminals' disposal, where the current FD on attacks is not as advanced as the Cybercrime Convention.

5.1.6 Stakeholders' views

This option was not deemed to be satisfactory by the stakeholders given the growing number of large-scale attacks against information systems, loss of personal data and fraud committed on the Internet.

5.1.7 Political feasibility

Given the dynamics of cybercrime and the need to take action, the political feasibility of non-action is low, as it would go against current EU policy and international developments.

5.2 Option (2) Development of a programme to strengthen the efforts to counter attacks against information systems with non-legislative measures

5.2.1 Economic impact

- financial cost: -

- economic benefit: +

The financial cost of this option is linked, first, to the strengthening of a law enforcement network of contact points by making them permanent and responsive within a certain time limit to requests for cooperation and, second, to the establishment of a similar network including also the private sector. Given that the majority of Member States already have their law enforcement contact points and some private sector contact points in place, the additional cost for those lagging behind (about a third) is expected to be moderate.

The average cost related to the setting up of a permanent contact point is estimated at around EUR 219,000 per Member State (see Annex 1). The cost is low, as it is principally linked merely to making the existing contact points truly permanent and responsive within a defined time limit. Contact points that are not truly permanent cannot be expected to be able to react to assistance requests within a guaranteed time limit. The cost of the measure obliging a permanent contact point to respond within a time limit is expected to be negligible and covered under the overall cost, as the contact points are merely expected to reply whether a solution will be forthcoming from their side or not. The contact points are not expected to provide the actual solutions within the time limit, particularly when such solutions are complex and require the involvement of other authorities (e.g. authorities available only during working hours).

The cost of the establishment of an EU network of public-private contact points of cybercrime experts and law enforcement would be negligible, as it would consist essentially of a list containing contact details on both public and private contact points which already exist on both sides, but their existence is not known to the other side.

The cost of the elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators can be estimated at EUR 30,000 for the Commission, as was the case for the elaboration of the above-mentioned recommendations for public-private partnership in the Council Conclusions of November 2008.77 This cost is related to the organisation by the Commission of consultations and an expert meeting with all stakeholders. The additional costs for the stakeholders are expected to be negligible, as they have already agreed to this measure in principle by supporting the recommendations in the Council Conclusions. Their agreement was based on the necessity of the measure and its low cost.

As a result, the impact on the economy is expected to be small, as the benefits from the Internet (e.g. greater business opportunities in the IT sector, growth in employment and productivity of the economy) will be offset by financial losses caused by cybercrime, such as cyber attacks. These losses can potentially be very high: according to a recent study, cost savings globally through business use of e-commerce reached more than a trillion euro a year.78

Therefore, all potentially positive impacts of these measures are diminished by the non-binding nature of the measures (i.e. permanent contact points for the private sector) and by the absence of an obligation to react swiftly to urgencies (for both law enforcement agencies and the private sector).

Concerning the financial cost of training programmes, the European Commission has, since 2001, led efforts to develop standardised training programmes for law enforcement agencies and judicial authorities on cybercrime investigation and the admissibility of electronic evidence respectively. The cost of additional training foreseen in this policy option is estimated to reach almost EUR 4 million in the next two years, but the cost for the Member States is estimated at less than EUR 1 million (20%) in total, given the high level of co-funding by the Commission.79 This estimate is independent of national training programmes run without the Commission's financial support, for which data are not available. Nevertheless, any Member State can apply for EU funding to cover training costs which would arise from the application of the proposed non-legislative measures.

Magnitude of the economic impact: -/+

5.2.2 Social impact

The number of PCs attacked or perpetrators identified is not expected to decline significantly by a non-binding reinforcement of a network of contact points. Therefore, the social impact in terms of improving the security and trust of citizens by the actions of existing law enforcement contact points can be considered low without an obligation for the contact points to react to requests within a certain time limit. A similar situation exists within the private sector. Consultations on the above-mentioned recommendations on public-private partnership revealed that even though large private stakeholders currently operate their contact points, they are operational only during working hours. Without the guarantee of timely response by the contact points, the security and trust of citizens is not expected to be enhanced.

As for the elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators, the social impact could potentially be significant if all parties were fully committed to effective public-private cooperation in tackling cybercrime, including cyber attacks (e.g. in complying with the above-mentioned recommendations adopted by the JHA Council Conclusions). However, the voluntary nature of such an agreement is expected to produce a low impact in terms of security and trust. Similarly to the issue of permanent contact points, the non-legally binding nature of the agreement would not deliver the desired social impacts. Indeed, these measures will not impose effective, proportionate and dissuasive penalties on perpetrators of cyber attacks, as they will not reinforce the existing legislative measures.

The organisation of training programmes for law enforcement agencies on cybercrime investigation, in order to improve best practice exchange and cooperation among law enforcement agencies, is also likely to have a positive social impact. Such programmes provide opportunities to exchange experience and encourage operational cooperation, which in turn translates into more efficient investigation and prosecution of cybercrime and a more visible response by law enforcement agencies. The resulting personal contacts and trust are also essential for more effective law enforcement cooperation and public-private partnership. The positive social impact of the EU cybercrime training platform will also reach beyond the EU, as the training material is currently being shared internationally (e.g. among Interpol members). The EU-funded material has become a global reference for cybercrime training.

The effect of EU support for cybercrime training lies in its capacity to bring together the best cybercrime trainers and training material in Europe, and to share this expertise with countries which would not otherwise be able to have access to such expertise. EU funding also serves to update the training material to keep abreast of the fast-evolving techniques used by cyber criminals. The EU is being assisted by Europol, Interpol and the Council of Europe, which all contribute to the development of a cybercrime training platform in Europe, and consequently in the world. However, EU funding is used primarily to start up the process. It is expected that the private sector and universities will be able to sustain this process in the future.

Magnitude of the social impact: ++

5.2.3 Fundamental rights impact

Public-private cooperation on cybercrime incidents and the fight against ID theft usually involves anonymous statistical, technical or economic data. However, in a significant number of cases it may also include the collection, storage and exchange of some personal data (such as IP addresses, names, etc.). This is as such an interference with the fundamental rights to the protection of private life and protection of personal data (Articles 7 and 8 EU Charter). The processing of personal data, including the possible transborder exchange of information, must fully respect the applicable provisions in the EU and in EU Member States for the protection of personal data.

For any planned interference affecting these fundamental rights, in particular the protection of personal data, it must be demonstrably shown that the interference can be justified: the interference can only be justified if it is in accordance with the law (this excludes taking non-legislative measures) and is necessary in a democratic society in the interests of a legitimate aim listed in Article 8(2) ECHR, such as national security or public safety.

The fight against cybercrime will involve some intrusion into the right to personal data protection, which is strictly necessary in a democratic society. This interference applies both to the exchange of information among law enforcement agencies and between the public and the private sector when assistance requests are made through contact points or when standard EU service level agreements for law enforcement cooperation with private sector operators are established. This interference and the personal data processed for that purpose must however be clearly defined and be proportionate in relation to the purposes for which personal data are collected and/or further processed.

As a result, only the exchange of fully anonymous information has no negative fundamental rights impact in terms of the right to private life and the right to protection of personal data. Depending on the concrete measures and the amount of personal data processed, there will otherwise be a negative fundamental rights impact in terms of the right to private life and the right to protection of personal data. This concern was also raised by private sector stakeholders during the consultations mentioned above in section 1.2. In any case, any interference with the fundamental rights to the protection of private life and protection of personal data in relation to law enforcement and public-private cooperation on cybercrime incidents has to be minimised by applying existing EU and national legislation, particularly on personal data protection.

Magnitude of the fundamental rights impact: -/+

5.2.4 Effects on third countries

The effect of this policy option and the programme will be to bring about the creation of networks and knowledge, which in turn will be helpful in combating cybercrime. Through its various programmes and relations with third countries, the EU could also put the newly-gained expertise at the disposal of countries, which would not otherwise be able to have access to such expertise.

Overall, impact on third countries is expected to be positive.

Magnitude of the effects on third countries: ++

5.2.5 Relevance of the measure

This policy option contributes moderately to the achievement of objective B by introducing measures promoting international assistance in cases of urgency in a Member State and by improving the exchange of information and best practice (training) among Member States. The policy option's contribution to the achievement of objectives A and C is low.

Magnitude of the relevance: ++ (objective B)

+ (objectives A and C)

5.2.6 Consistency with international law

This policy option has no impact on international law (the Cybercrime Convention), as it is a non-legislative option.

Magnitude of the consistency: 0

5.2.7 Proportionality

This option is in line with the principle of proportionality since it does not introduce new obligations for Member States. The non-legislative measures such as recommendations and exchange of best practice would leave a large scope for national decision to Member States.

5.2.8 Stakeholders' views

Both law enforcement agencies and the private sector agreed on the necessity to create their respective permanent contact points by endorsing EU expert meeting recommendations, one of which stated: "Law enforcement permanent contact points – and private sector equivalents – should be established in order to improve the clarity and efficiency of request and response processes. The private sector equivalent should also provide an 'out of hours' service in order to respond to urgent law enforcement requests. The qualification of 'urgent' should be agreed between law enforcement and the private sector." The cost of this measure was thoroughly discussed with the stakeholders and not deemed substantial. These recommendations were also agreed in form of Council Conclusions on 27-28 November 2008.80

Concerning the elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators, this is a measure that does not imply significant financial costs for either LEAs or the private sector, as this agreement would be voluntary. A comparison could be made again to the recommendations on public-private partnership against cybercrime adopted by JHA Council Conclusions of 27-28 November 2008. The Conclusions contain eight recommendations that were deemed necessary and not costly to implement by the stakeholders.81

5.2.9 Political feasibility

The political feasibility of this policy option is high, as it does not involve changes in the legislative framework.

5.3 Option (3) Targeted update of FD on attacks to address the threat from large-scale attacks against information systems

5.3.1 Economic impact

- financial cost: - -

- economic benefit: ++

An update of the current FD targeted at stronger penal measures against perpetrators of the most damaging manifestations of attacks – large-scale attacks against information systems – is likely to have positive financial and economic effects. This option is likely to reduce the financial cost caused by large-scale attacks coming from the European Union and third countries, which in turn will have a positive economic impact in terms of the continued growth of the Internet economy (estimated at more than EUR 300 billion in Europe) and the economy as a whole.

Moreover, the obligation for the contact points to react within a certain time frame would limit the possibility for attacks coming from outside the European Union to cause financial damage due to a lack of response, or a delayed response, by such contact points.

There would only be a limited cost related to the obligation on the Member States to ensure the permanency of their contact points, the time limit for the contact points’ response to requests for assistance, and the collection and provision of statistics on attacks against information systems. Such statistics will include security breaches, crime reports and prosecuted cases.82

The average cost related to the setting up of a permanent contact point is estimated at around EUR 219,000 per Member State (see Annex 1). The cost is low, as it is principally linked merely to making the existing contact points truly permanent and responsive within a defined time limit. Contact points that are not truly permanent cannot be expected to be able to react to assistance requests within a guaranteed time limit. The cost of the measure obliging a permanent contact point to respond within a time limit is expected to be negligible and covered under the overall cost, as the contact points are merely expected to reply whether a solution will be forthcoming from their side or not. The contact points are not expected to provide the actual solutions within the time limit, particularly when such solutions are complex and require the involvement of other authorities (e.g. only during working hours).

The cost of other measures, such as the introduction of legislation against the tools used for attacks against information systems and the introduction of new aggravating circumstances regarding large-scale attacks cannot be quantified since they are included in the general costs of the criminal justice system of each Member State. Similarly, although it can be expected that higher penalties will make at least some Member States willing or able to provide additional resources to investigate and prosecute cybercrime, these costs cannot be quantified at this stage. However, the Estonian example has shown that a legislative change has been followed by higher resources, such as in the establishment of an international centre of excellence in Tallinn in 2008.

The total administrative costs of this policy option would amount to approximately EUR 5,960,655 (see Annex 2).

Magnitude of the economic impact: --/++

5.3.2 Social impact

The scale of the social impact in terms of individuals' security and trust in cyberspace is expected to be positive and significant. Harsher criminal penalties for the production, sale, procurement for use, import, distribution or otherwise making available of a tool enabling large-scale attacks against information systems, and for attacks committed by concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner (so-called identity theft), are expected to reduce the number of such attacks originating in the European Union. Moreover, this measure will also provide a timely and visible response to the public's current high concern about public security, including cybercrime. A survey has shown that a majority of EU citizens show concern about personal data protection issues.83

The obligation for Member States, not only to set up permanent contact points, but also to respond to information requests within a time limit in urgent cases is expected to speed up the authorities' reaction and consequently limit the extent of negative social impact – e.g. personal feeling of insecurity due to the possibility of personal data loss – a large-scale cyber attack may otherwise have. In addition, the actual implementation of the obligation by the Member States should facilitate cooperation among the permanent contact points also on non-urgent cases, and enhance citizens' trust in the capacity of the Member States and the EU as a whole to deal collectively with cyber attacks and cybercrime in general.

Finally, non-legislative measures, including the organisation of training programmes for law enforcement agencies on cybercrime investigation in order to improve best practice exchange and cooperation among law enforcement agencies, are also likely to have a positive social impact. They provide opportunities to exchange experience and encourage operational cooperation, which in turn translates into more efficient investigation and prosecution of cybercrime and a more visible response by law enforcement agencies. The resulting personal contacts and trust are also essential for more effective law enforcement cooperation and public-private partnership.

Magnitude of the social impact: +++

5.3.3 Fundamental rights impact

In so far as this option suggests the introduction of new criminal provisions and harsher penalties, it must be ensured that these provisions are drafted in line with the principles of legality and proportionality of criminal offences and penalties, as foreseen in Article 49 of the EU Charter. Careful attention must furthermore be paid not to criminalise lawful behaviour in the efforts to legislate against the tools used for attacks. This could not only impede lawful business activities (see Article 16 EU Charter), but could also endanger the free exercise of political rights and activities, such as freedom of expression (Article 11 EU Charter). This potentially negative impact will be mitigated by a provision authorising the use of the tools, including botnets, not for the purpose of committing an offence, such as testing or protection of a computer system. An interference with the fundamental rights to the protection of private life and protection of personal data in relation to law enforcement and public-private cooperation on cybercrime incidents has to be minimized by applying existing EU and national legislation particularly for the protection of personal data.

Nevertheless, the impact on fundamental rights of the introduction of new criminal provisions and harsher penalties will mostly be positive in terms of the protection of private life and the protection of personal data, as a result of more effective and deterrent sanctions to be imposed in case of infringement of the provisions of existing EU and national legislation, in particular for the protection of personal data.

Magnitude of the fundamental rights impact: -/++

5.3.4 Effects on third countries

EU measures taken will have the effect of raising the standard for other countries. Based on the conducted consultations, the EU is looked upon as a standard setter. Therefore, an EU action will have a beneficial impact in the long run due to other countries following its lead. Stronger measures, such as more efficient contact points, will make the EU's action more effective, which in turn will translate into a more effective response worldwide given the interconnectedness of contact points worldwide, including third countries. The introduction of aggravating circumstances for committing large-scale attacks is not expected to 'export' the problem to third countries, as large-scale attacks almost invariably target EU countries, and their authors are therefore liable for prosecution. In addition, the majority of large-scale attacks already originate outside the EU.

Magnitude of the effects on third countries: +++

5.3.5 Relevance of the measure

As explained above on the analysis of impacts, this policy option contributes significantly to the achievement of all objectives, and they are expected to be met in the short-to-medium term.

Magnitude of relevance: +++ (objectives A, B and C)

5.3.6 Consistency with international law

As already discussed above, this policy option is consistent with the Council of Europe Cybercrime Convention, as was also required by the stakeholders during the consultation process. The new Directive on attacks would bring its use of terms and concepts in line with the Convention, and, similarly to Article 19 of the Convention, it introduces new procedural rules, such as those regarding search and seizure of computer data. However, it goes beyond the Convention in a number of aspects:

Substantive aspects:

The Directive will introduce measures that specifically tackle the large-scale aspect of attacks, which is in line with current tendencies witnessed in cybercrime.84

A. The Directive adds aggravating circumstances:

- the large-scale aspect of the attacks - the botnets or similar tools would be addressed through the introduction of a new aggravating circumstance, in the sense that the act of putting in place a botnet or a similar tool would be aggravating when crimes enumerated in the existing FD are committed.

- when concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner (e.g. identity theft). Any such rules would need to comply with the principles of legality and proportionality of criminal offences and penalties and be fully consistent with existing legislation on the protection of personal data.85

B. The Directive will also introduce measures to improve European criminal justice cooperation by strengthening the existing structure of 24/7 contact points86:

- An obligation to reply to assistance requests over the operational points of contact (foreseen in Article 11 of the FD) within a certain time limit could be proposed. The Cybercrime Convention does not specify such a binding provision;

- the Contact Points will also be accessible to private sector input and requests.

C. The Directive would also address the necessity to provide for statistical data on cybercrimes by imposing an obligation on the Member States to ensure that an adequate system is in place for the recording, production and provision of statistical data on the offences referred to in the existing FD.

Formal aspects:

Due to the legal nature of the Convention, even if all Member States ratified it, there are a number of advantages to taking action through means of a Directive, notably the:

- Faster adoption of national measures

In contrast with the lengthy procedures to sign and ratify international conventions, which can last for many years, Directives have to be transposed into national legislation and set out a restricted period for implementation.

- Monitoring of implementation

Member States must notify the national measures implementing Directives to the Commission. The correct and full implementation by Member States is evaluated in an implementation report from the Commission, which is then sent to the European Parliament and the Council. In addition, the European Court of Justice is entitled to interpret Directives via preliminary rulings.

The Cybercrime Convention does not have the same binding nature as an EU initiative, and it is not enforceable. This is a problematic aspect, as an effective approach to large-scale attacks can only be achieved if structures such as the contact points (CPs) are fully operational.

Magnitude of consistency: ++

5.3.7 Proportionality

This option contributes substantially to the achievement of the objectives and, at the same time, results in positive economic, social and fundamental rights impacts, which would not be possible to achieve by applying simpler Community actions. The update would be limited only to large-scale attacks against information systems (targeted update). This problem can be tackled neither by the Member States alone nor merely by non-legislative EU action. Well-established national arrangements and legal systems applied in individual Member States would be respected. Medium financial costs would be necessary but would be kept to the minimum level needed to ensure the achievement of the objectives.

As already mentioned in relation to the fundamental rights impact, the proposed measures would aim to prevent and combat large-scale attacks, a legitimate aim that, subject to the principle of proportionality, can justify limitations on the rights and freedoms recognised by the Charter, provided they are foreseen by law and respect the essence of those rights. This is the case for policy option 3.

5.3.8 Stakeholders' views

The risk of non-compliance and low transposition is expected to be low due to the broad agreement on this policy option that has been achieved in the consultation process and due to the low cost associated with the proposed measures. Indeed, as explained in section 5.2.1, the Member States and the private sector agreed on the necessity to create permanent contact points to deal not only with the public, but also with the private sector.87 The measure regarding data collection is also in line with the JHA Council Conclusions of 24 October 2008, where Member States agreed to "compile statistics on alerts, showing the development of cybercrime at national level".88

5.3.9 Possible policy sub-options

(a) Aggravating circumstances:

These policy sub-options deal specifically with objective A. They have little to no impact on objectives B & C.

Policy options 1 and 2 aim at establishing a system of dissuasive punishments as the legal response to cyber attacks. Policy option 2 aims at incorporating the proceeds of the illegal activities into the punishment. As these economic gains are the main reason for committing the crime, this might have a more dissuasive effect than option 1.

Option 3 (a combination of both) will of course have the biggest effect.

(b) The obligation on the 24/7 contact points to respond to assistance requests:

These policy sub-options deal specifically with objective B. They have little to no impact on objectives A & C.

Policy option 1 does not define a strict deadline for reaction, thus leaving a margin of interpretation. Opposed to this is policy option 2, where the deadline is fixed. Option 3 introduces the concept of 'urgency', whilst at the same time leaving its definition in the realm of the Member States. This, in ideal circumstances, could lead to a clear classification where Member States and the private sector have a clear understanding of cooperation. A risk lies in cross-border cases, where this solution leaves room for interpretation. However, the time limit, analogous to option 2, should offset this.

The sub-options under (b) are in line with the above-mentioned Council Conclusions of 27-28 November 2008, which stated that permanent contact points should facilitate the "clarity and efficiency of request and response processes" and that the "qualification of 'urgent' should be agreed between law enforcement and the private sector".89 Moreover, the second and third policy sub-options take into account Article 4 of the Council Framework Decision 2006/960/JHA90 ("shall ensure that they have procedures in place so that they can respond within at most eight hours to urgent request […]"), which limits the time period of response between law enforcement authorities when exchanging information and intelligence (see also section 4.3 above).

Each sub-option under (a) is also mutually compatible with any sub-option under (b).

5.3.10 Political feasibility

This policy option is politically feasible, as it builds upon the consensus between all stakeholders, and is compatible with both EU priorities and the priorities set out at the international level.91 Indeed, as already mentioned in section 2.9, the Council of Europe's Global Project on Cybercrime has as one of its priorities the effective criminalisation of cyber-offences. The project clearly states that "[t]he legislation of different countries should be as harmonized as possible to facilitate cooperation."92 The suggested policy sub-options allow sufficient manoeuvre for discussion in the final elaboration of the update.

In terms of the level of intervention needed by the Member States, almost all Member States will have to take action for each of the issues, but the proposed measures have been welcomed by all Member States in the consultation process, as they were not considered too costly and difficult to implement. Most Member States have at present low level penalties (1 to 3 years), which is in line with the current FD on attacks. Only Estonia has introduced aggravating circumstances for large-scale attacks, and France and Germany recently increased penalties to up to five years for cyber attacks. The UK Computer Misuse Act of 1990 (updated in 2004 to comply with the Council of Europe Cybercrime Convention) allows penalties of up to 10 years for cyber attacks.

The contact points of FR, UK, IT, EE, NL and LT already usually respond to assistance requests within less than 12 hours, although they do not specify any time limit for that. Other Member States will have to modify their existing arrangements for contact points more substantially. While Member States collect statistical data relating to cybercrime, the statistics are often not comparable due to the varying statistical methodologies applied by the Member States.

5.4 Option (4) Introduction of comprehensive EU legislation against cybercrime

This policy option introduces new comprehensive EU legislation, dealing with all aspects related to cybercrime. It involves the update set out in policy option 3, and adds the soft-law measures of policy option 2. It goes beyond these by tackling other legal problems related to internet usage.

5.4.1 Economic impact

- financial cost: ---

- economic benefit: +++

The budgetary consequences of the criminal law provisions cannot be quantified since they are included in the general costs of the criminal justice system. Nevertheless, it is possible to estimate that there will be additional costs related to the obligation to set up permanent contact points and their monitoring obligation, which have been estimated at around EUR 219,000 per Member State (see Annex 1 and 2).

In addition, blocking access to websites offering tools to carry out attacks against information systems would involve financial costs. The economic impact of a similar measure to restrict access to material inciting terrorism was assessed in revising the Framework Decision on Combating Terrorism and the Framework Decision on combating the sexual abuse and sexual exploitation of children.93 Although the impact assessments accompanying the respective Commission proposals stated that the cost of imposing any of the different filtering methods on all internet service providers based in the EU is impossible to calculate, an upper limit of EUR 10 per computer is given on the basis of a specific example of implementing filtering in a network of 100,000 computers at 4,000 schools in Ireland. The cost of running a list of websites to be blocked may be borne by those in charge of it, whether law enforcement authorities or specific NGOs. This can be estimated at about EUR 110,000, and EUR 90,000 per year for maintenance. However, EU funding may be available for managing blacklists and exchanging information on illegal content, such as under the financial programme 'Prevention of and fight against Crime'.

The economic impact related to the decrease of severe forms of crime is likely to be positive, since this option is most likely to produce deterrent effects and a substantial reduction of the scale of the crime in the medium-to-long term.

The Directive on attacks will criminalise the use, sale and putting at the disposal of tools such as botnets; thereby undermining the ability of organised crime to launch large-scale attacks. This criminalisation will also affect the ability to use these tools for committing other types of cybercrimes, and gives law enforcement agencies a tool in fighting certain crimes related to terrorism, such as cyber attacks against critical infrastructure.

However, the considerable economic losses resulting from cybercrime are unlikely to be reduced in the short term by an attempt to introduce comprehensive EU legislation on cybercrime. Such impact has to be viewed as medium-to-long term, as negotiating comprehensive EU legislation would likely cause delays due to the existing disparities among Member States' practices and positions on issues such as collection/storage/transfer of electronic evidence, the blocking of websites that can be used to sell tools facilitating attacks, and a clearer definition of jurisdiction rules. Indeed, only six EU Member States currently allow blocking access to web sites with illicit web content: DK, FI, IT, NL, SE and UK. Only BE, DE and FR are considering introducing this option this year, mostly on the basis of voluntary agreements with the private sector. No other countries are currently favourable to this measure.

Moreover, the current practice of blocking access is targeted principally at child-abuse web content.94 However, thousands of web sites exist where tools for creating and selling custom designed malware (e.g. botnets) are openly commercialised. Any of these tools poses a threat and could be used for cyber attacks, corporate espionage and theft of confidential and sensitive data. These sites may also offer stolen personal data, credit card details and other illegally obtained material. However, it is very unlikely that political agreement on blocking or 'take down' measures that go beyond child pornography can be reached at this stage.95 This has to do with different interpretations in national legal systems about what content is considered harmful.

The argument is raised that blocking websites can easily be circumvented. With regard to the blocking of child pornography websites, this argument is however not convincing, as the average paedophile is not a versed IT expert. Admittedly, the situation is different in the case of websites offering tools to carry out cyber attacks. Here, the likely user will probably possess a higher level of IT skills and blocking might not be an effective measure in this context.

Similarly to the previous section, the administrative cost related to the obligation on the Member States to ensure that an adequate system is in place for the recording, production and provision of statistical data on attacks against information systems is expected to be low.

Magnitude of the economic impact: ---/+++

5.4.2 Social impact

A positive impact on public security and citizens' trust can be expected, but only in the medium-to-long term given the necessity to implement all measures of comprehensive EU legislation. This would be made more difficult by introducing all the other complementary measures on which there is currently little consensus among stakeholders (as became obvious during the consultation process). Nevertheless, one can assume that the approximation of national law in the area of cybercrime improves law enforcement and judicial cooperation, which in turn translates over time into a greater number and quality of investigations and prosecutions.

Magnitude of the social impact: +++

5.4.3 Fundamental rights impact

In addition to the elements outlined in option 3, this option would introduce legislation covering illicit web content, including blocking of access to websites that facilitate attacks, as well as legislation covering the collection, storage and transfer of electronic evidence. Blocking of websites by public authorities may carry the risk that legal Internet content is also deemed illicit, and could lead to infringements of the right to engage in legal business activities and freedom of expression. As far as the introduction of criminal procedural rules is concerned, negative impacts on the principle of presumption of innocence, the right to a fair trial, and the right of defence would need to be avoided (Articles 47 and 48 EU Charter). The blocking of access should be subject to adequate safeguards, in particular to ensure that the blocking is limited to what is necessary, that users are informed of the reason for the blocking and that content providers, as far as possible, are informed of the possibility of challenging it.

As for the obligation to collect statistics, statistical data is anonymous, and therefore does not have data protection implications.

Magnitude of the fundamental rights impact: --/++

5.4.4 Effects on third countries

The legislative update will have in the medium-to-long term a positive effect on the situation in third countries. EU measures taken will have the effect of raising the standard for other countries. Based on the conducted consultations, the EU is looked upon as a standard setter. Therefore, an EU action will have a beneficial impact in the long run due to other countries following its lead.

Magnitude of the effects on third countries: +++

5.4.5 Relevance of the measure

As explained above in the assessment of impacts, this policy option could contribute significantly to the achievement of all objectives, but unlike the previous policy option, they cannot be met in the short-to-medium term, which would not meet the current expectations of stakeholders.

Magnitude of relevance: ++ (objectives A, B and C)

5.4.6 Consistency with international law

As already discussed above, this policy option is consistent with the Council of Europe Cybercrime Convention, but goes beyond it in a number of measures, as discussed under the previous policy option. Moreover, a number of negative impacts on fundamental rights would have to be minimised to ensure consistency with the EU Charter of Fundamental Rights.

Magnitude of consistency: -/++

5.4.7 Proportionality

Similarly to policy option 3, this option contributes substantially to the achievement of the objectives and, at the same time, results in positive economic, social and fundamental rights impacts. However, as the proposed solution would not be limited only to large-scale attacks against information systems (targeted update), but would also tackle other forms of cybercrime, it would be disproportionate to the objectives sought. Indeed, it would be possible to deal with the identified problems by applying simpler Community actions, such as policy option 3.

5.4.8 Stakeholders' views

Although most stakeholders agreed on the long-term need to deal with large-scale cyber attacks, and cybercrime in general, by introducing comprehensive measures, including legislation, no consensus emerged in the consultation process on the measures to be included in the comprehensive legislation.

5.4.9 Political feasibility

This policy option is currently not politically feasible, as there is little consensus on the scale and scope of such legislation (as already discussed in 5.4.1). Moreover, Member States' policies on the admissibility of electronic evidence in courts have developed too differently. An approximation in this area would be difficult to attain in the short-to-medium term.96

5.5 Comparison of options

Option (1) Status Quo

As cybercrime will become more advanced over time, this would also lead to an increased vulnerability for all actors (public and private). The overall security structure (law enforcement and the legal framework) will not catch up with the crime. Even at a sustained level of currently existing actions, European coordination would be required.

Option (2) Development of a programme to strengthen the efforts to counter attacks against information systems with non-legislative measures

This option has all the advantages and disadvantages related to a soft law instrument. The positive side is that it is possible to describe each measure as the current best national practices, and thereby facilitate the identification of which measures are best in terms of effectiveness.

However, this option is less effective in terms of the achievement of the objectives. In addition, this option implies that a ban of botnets and similar tools will not be addressed. Furthermore, issues related to substantive criminal law and prosecution are crucial to curb and eradicate the crime; these are not properly addressed in this option.

Option (3) Targeted update of FD on attacks to address the threat from large-scale attacks against information systems

This option offers a timely and targeted response to the identified problems. It addresses the criminal law issues necessary to effectively prosecute the perpetrators of this crime. It also improves international cooperation by introducing a mechanism for immediate international assistance in cases of urgent requests for cooperation, and promotes cooperation with the private sector through accompanying measures, such as expert meetings. Finally, to enable measuring of the extent of the problem, monitoring obligations are introduced.

Option (4) Introduction of comprehensive EU legislation against cybercrime

This option, like option 3, has the added value of establishing binding provisions, and therefore a higher level of effectiveness is expected if it is fully implemented. It is also expected to maximise the positive impact of both legislative and non-legislative instruments across a wider range of cybercrime issues than large-scale attacks alone. In addition, it would address the criminal law framework and at the same time improve cross-border law enforcement cooperation. However, at this stage this holistic approach does not reflect a consensus among the stakeholders.

5.6 The Preferred Option: a combination of Options (2) "Development of a programme to strengthen the efforts, with non-legislative measures", and (3) "a Targeted update of FD on attacks"

The preferred policy option is none of the four policy options alone, but a combination of policy options 2 and 3. These two options complement each other and therefore best meet the defined objectives, and give the most added value in resolving the issues associated with the existing situation.

The preferred option combines all elements of options (2) and (3), which are:

From Option 2, the non-legislative elements:

- Strengthening of the existing 24/7 network of contact points for law enforcement authorities by establishing best practice recommendations;
- Establishment of an EU network of public-private contact points of cybercrime experts and law enforcement, and consequent opening of these contact points for requests from the private sector. This network would bring about a list containing the contact details of both public and private contact points, and the elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators;
- Supporting the organisation of training programmes for law enforcement agencies on cybercrime investigation.

From Option 3, the legislative elements:

- Introduction of legislation against the tools used for attacks against information systems;
- Introduction of new aggravating circumstances regarding large-scale attacks, such as the act of putting in place a botnet or a similar tool enabling the commission of the offences mentioned in Article 2 of the current FD, and the commission of such offences while concealing the real identity of the perpetrator and causing prejudice to the rightful identity owner (so-called identity theft);
- Introduction of an obligation for Member States to respond to an urgent request from both the public and the private sector via the 24/7 network of contact points within a certain time limit;
- Introduction of a monitoring obligation for Member States to facilitate the collection and provision of data about cyber attacks and cybercrime, including the number of prosecutions and criminal reports.

Rationale for levels of penalisation and international cooperation

A higher level of penalisation is required to effectively pursue international cooperation in the fight against cybercrime for the following reasons:

- Firstly, a higher level of penalties applied consistently across the EU, together with the introduction of aggravating circumstances, would mean that a criminal offence linked to a large-scale attack is treated everywhere as a serious crime. Differences between Member States' levels of penalisation hinder cooperation, as the level of penalties in some countries may not be regarded as severe enough to justify rapid cross-border law enforcement and judicial cooperation. Qualification as a serious crime would allow for rapid and fully-fledged cross-border law enforcement and judicial cooperation.

The currently low level of penalties across the EU (mostly up to 3 years) does not reflect the seriousness of large-scale attacks and the damage they inflict. Estonia called for higher penalties nationally and internationally following the cyber attacks of 2008. Lithuania increased penalties for cyber attacks in 2007, and at the same time called for higher penalties across the EU and internationally. The minimum level of the maximum penalty should therefore be set at five years, which corresponds to the level in those Member States which recently increased their penalties for cyber attacks, as well as to the generally perceived notion of what constitutes serious crime. Such an increase in the minimum level of penalties will not only send a clear message that the European Union regards this type of criminality with increased seriousness, but is also likely to have a deterrent effect.97

- The legislative changes introduced by Estonia are too recent to establish a link between the higher penalties and the number of large-scale attacks. Large-scale attacks will inevitably continue to grow in absolute terms in the years to come, owing to the fast development of computer technologies and the growth of the Internet in terms of potential uses, applications and number of users. In particular, the new possibilities the Internet offers also come with vulnerabilities that can be exploited. However, higher penalisation may slow down the growth dynamic of the crimes and limit the impact the attacks have on societies. Moreover, only qualification as a serious crime would allow for the provision of adequate resources by law enforcement. To investigate cybercrime, computer data need to be tracked by specialised officers and specific high-tech tools need to be applied, which makes this type of investigation rather costly. As a consequence, cross-border cybercrime investigations are still rare, which compares unfavourably with the large number of cyber attacks.

- Secondly, the use of special investigative techniques (without which effective cybercrime investigation is not possible), such as electronic surveillance, phone tapping and remote investigation techniques, is in a number of countries only allowed in relation to serious crimes, as these techniques potentially infringe on individual liberties.

- Thirdly, the deterrent function of criminal law is related to the level of penalties: the higher the penalties, the greater their deterrent effect, which has been one of the fundamental principles of modern criminal policy from its beginning. This goes hand-in-hand with a stronger and more publicly visible prosecution of the crimes.

The lack of efficient international cooperation also results from problems with the functioning of the contact points. Contact points are the first interlocutors among Member States when international cooperation is sought in a cybercrime investigation. Their efficiency (speed of reaction) determines the efficiency of the whole investigation. Strengthening the contact points by making them truly permanent will make not only the EU network, but the whole network of G8 and Council of Europe contact points stronger.98 Indeed, the G8 JHA Ministerial Declaration (29-30 May 2009) raised the issue of further cooperation between the Member States concerning cybercrime by stating that: "It is also essential for States to give a technologically advanced response, and to strengthen the existing forms of international co-operation such as the G8 24/7 High Tech Crime Points of Contact."99 Similarly, the Council of Europe has called for greater efficiency in cooperation among the contact points, and is currently evaluating the efficiency of the contact points in a report entitled "The functions of 24/7 points of contact for cybercrime".100 Therefore, by promoting the efficiency of EU contact points we promote the efficiency of the whole worldwide network of contact points.

Due to the prioritisation of cybercrime brought about by a higher level of penalties, and the obligations included in the update of the FD to have the contact points operate efficiently and on a 24/7 basis, a new "institutional culture" will gradually come into existence. It will also build trust and know-how between the contact points and law enforcement authorities, which, in turn, will make the fight against large-scale attacks more efficient. This culture will be reinforced by flanking actions such as training and the establishment of the public-private network of contact points.

Finally, training of law enforcement will also enhance the capabilities of law enforcement agencies to respond effectively to cyber attacks. Promoting cybercrime training of both law enforcement agencies and the private sector is essential if the efficiency of all the measures in the preferred policy option is to be maximised. In line with its Communication of 2007, the Commission is currently establishing, together with the Member States and the private sector, an EU cybercrime training platform.101 This support makes it possible to bring together the best cybercrime trainers and training material in Europe, and to share this expertise with countries which would not otherwise have access to it. EU funding also serves to update the training material to keep abreast of the fast-evolving techniques used by cyber criminals.

The setting up of the EU cybercrime training platform also reaches beyond EU borders, as the training material is currently being shared with Europol, Interpol and the Council of Europe. The EU-funded material has become a global reference for cybercrime training.

5.6.1 Economic impact

The economic impact of combining the non-legislative measures with the update of the FD on attacks will be greater than that of choosing and implementing either option on its own. This is due to the synergies created by the combination.

The costs linked to this option are defined in the detailed assessments of options (2) and (3) above, and can be estimated at EUR 219,000 per Member State for making the contact points available 24/7. Including also the total monitoring and reporting costs (Annex 2), the overall cost linked to the obligation of Member States to keep contact points and provide statistics would amount to EUR 5,960,655 for the entire EU. No other entities will be subject to new reporting obligations. The cost of the elaboration of a standard EU service level agreement for law enforcement cooperation with private sector operators has been estimated at EUR 30,000 for the Commission.

The synergies lie especially in the combination of programmes, such as the establishment of networks of cybercrime experts, the use of a service level agreement and the training programmes for law enforcement agencies, with the strengthening of the legal framework (the Directive). The policy sub-options allow for the establishment of a dissuasive level of penalties, and optimise the way in which the 24/7 contact points operate.

This combination of options also allows linking the binding nature of the update with the positive results to be expected from the flanking non-legislative measures, such as training.

- financial cost: --

- economic benefit: +++

Magnitude of the economic impact: --/+++

5.6.2 Social impact

The social impact, in terms of improving the security and trust of citizens through the actions of the existing law enforcement contact points, will be enhanced: if citizens and economic operators affected by cybercrime are given the possibility to report these crimes in a trusted manner, and if law enforcement has the possibility to act, overall perceived and real security will rise. For companies and internet service providers, initiatives such as the service level agreement will provide the tool for transmitting confidential data on attacks to law enforcement in a trusted way.

Magnitude of the social impact: +++

5.6.3 Fundamental rights impact

Any measure taken by the Commission will be in line with Articles 7 and 8 of the European Convention on Human Rights. This concerns especially measures on the storage of data and the exchange of data between law enforcement agencies. In any case, existing EU and national legislation, in particular on data protection, will guarantee a minimal impact on fundamental rights.

The strengthening of EU legislation (the Directive) through the penalisation of the production, sale, procurement for use, import, distribution or otherwise making available of tools for cyber attacks needs to be worded carefully in order not to criminalise lawful behaviour. Such lawful behaviour includes the economic activities of internet security companies, such as the use of botnets to test the effectiveness of their products. From a fundamental rights point of view, this measure needs to guarantee the freedom of expression and the free exercise of political rights and activities (Article 11 of the EU Charter of Fundamental Rights).

This exception can be guaranteed in the following way:

- By making explicit references to the EU Charter, and referring to it as basic law for the interpretation of the actions investigated under the terms of the FD on attacks;

- By detailing the exact conditions under which ICT tools that are mainly used to launch large-scale attacks can be used for beneficial purposes. To establish these conditions, further consultations will be conducted with the relevant stakeholders, and a 'white listing' of these conditions will be drawn up. This process implies that when these conditions are not met, the use of the tools is considered to be malicious and can therefore be prosecuted.

This exception will be modelled on the relevant provision of the Council of Europe's Convention on Cybercrime, Article 6, paragraph 2.

Magnitude of the fundamental rights impact: -/++

5.6.4 Effects on third countries

The effect on third countries of the combination of non-legislative actions and a targeted update of the FD on attacks would be very positive, owing both to the making available of knowledge and expertise and to the EU acting as a standard setter.

The positive effects would be most visible in the long term, but would already become apparent through international cooperation in the short term.

Magnitude of the effects on third countries: +++

5.6.5 Relevance of the measure

The preferred policy option contributes in an optimal way to the achievement of all objectives, which are expected to be met in the short-to-medium term. Furthermore, this achievement is expected to be sustainable, through the application of the flanking non-legislative measures.

Magnitude of relevance: +++ (objectives A, B and C)

5.6.6 Consistency with international law

The consistency of this option with international law is identical to that of Option 3 (see point 5.3.5), as Option 2 has no implications for international law (the Cybercrime Convention).

Magnitude of consistency: -/++

5.6.7 Proportionality

The combination of the two options answers the need to not only strengthen the legal framework, but to supplement it with flanking measures. The synergies lead to the achievement of all objectives, and establish a good and positive balance in the economic, social and fundamental rights impacts.

The proposed legislative measures will, on the one hand, aim to prevent and combat large-scale attacks, whilst the flanking non-legislative measures ensure a close and efficient cooperation between the law enforcement agencies across borders.

5.6.8 Political feasibility

The political feasibility of this option is the highest of all the options discussed. It builds on the consensus among (public and private sector) stakeholders, on the policy documents that have been issued by the EU, and on the actions currently being developed at the international level (especially within the G8).

5.6.9 Implementation of the measures

As the real value added of the preferred option lies in the synergies created by the combination of both options, it is important to ensure the correct implementation of all its components, legislative and non-legislative.

In order to guarantee the implementation of non-legislative measures, the following examples of actions can be mentioned:

Concerning the establishment of a service level agreement, the Commission will follow the JHA Council Conclusions of 27-28 November 2008 on closer public-private cooperation. Best practices will be learned from the Member States where such agreements are already in place, such as the German example of a voluntary agreement dealing with child abuse material on the internet.

The non-legislative measure of promoting training is in line with the Communication of 2007, and financial support is and will be provided by EU financial programmes, such as ISEC ('Prevention of and Fight against Crime'). An example is the ongoing initiative to create an EU training platform.

The nature of non-legislative measures means that their implementation by the Member States is voluntary. However, as mentioned above, previous experience with public-private cooperation agreements and training programmes suggests that the level of commitment by the Member States to other non-legislative measures is expected to be good. Moreover, by agreeing to the Stockholm programme, the Member States have committed to promote cross-border investigations of cybercrime, and have called on the Commission to take measures for enhancing/improving public-private partnerships.102

6. Comparing the options

6.1. Summary table: costs and benefits

| Options | Economic impact | Social impact | Fundamental rights impact | Impact on third countries | Relevance for objectives A, B, C | Consistency with int'l law |
| --- | --- | --- | --- | --- | --- | --- |
| Option 1: Status quo / no new EU action | 0 | 0 | 0 | - | 0 | 0 |
| Option 2: Development of a programme to strengthen the efforts to counter attacks against information systems with non-legislative measures | -/+ | ++ | -/+ | ++ | A +, B ++, C + | -/+ |
| Option 3: Targeted update of FD on attacks to address the threat from large-scale attacks against information systems | --/++ | -/+++ | -/++ | +++ | A +++, B +++, C +++ | ++ |
| Option 4: Introduction of comprehensive EU legislation against cybercrime | ---/+++ | +++ | --/++ | ++ | A ++, B ++, C ++ | -/++ |
| Preferred option (Options 2 and 3): combination of non-legislative measures with a targeted update of the FD on attacks | --/+++ | +++ | -/++ | +++ | A +++, B +++, C +++ | ++ |

7. Monitoring and evaluation

With respect to the specific and operational objectives identified in this impact assessment, rough indicators could be the following:
| Objective | Indicator |
| --- | --- |
| Specific Objective A. Prosecute and convict criminals responsible for large-scale attacks, through the approximation of criminal law in the area of attacks against information systems | |
| A.1 To address the problem of large-scale attacks from a criminal law perspective, i.e. through the criminalisation of the sale, use and putting at the disposal of tools. | Number of investigated and prosecuted cases; number of large-scale attacks detected. |
| A.2 To facilitate prosecution of cross-border cybercrime cases. | Number of cybercrime cases in which European cooperation tools have been used. |
| A.3 To impose effective, proportionate and dissuasive penalties. | Level of penalties imposed; number of penalties. |
| Specific Objective B. Improve cross-border cooperation between Law Enforcement Agencies | |
| B.1 To introduce mechanisms for immediate international assistance in cases of urgency in a Member State. | Number of occasions on which the 24/7 network has been used; time needed to get replies to urgent requests. |
| B.2 To improve exchange of information and best practices among Member States. | Number of best practice events organised in the EU; number of participants. |
| B.3 To improve public-private cooperation through the establishment of contact points and cooperation agreements. | Creation of a service level agreement; number of information exchanges between public and private sector contact points. |
| Specific Objective C. To establish effective monitoring systems | |
| C1 To record, produce and provide statistical data on the offences referred to in the Directive. | Monitoring mechanism established at national level; tasks, human resources and budget set up; number of information exchanges through the established channels. |

The Commission should ensure the regular monitoring and evaluation of the Directive on the basis of the proposed indicators.

An implementation report should be published within 2 years after the date of entry into force of the Directive. This report should pay particular attention to the implementation of the Directive by the Member States.

Furthermore, regular evaluations should be carried out in order to assess how and to what extent the Directive has contributed to the achievement of its objectives. The first evaluation should be carried out within five years after the entry into force of the Directive; the Commission will then publish evaluation reports every five years thereafter, and these will include information on implementation. On the basis of the conclusions and recommendations of the evaluations, the Commission should consider any further amendment to, or other possible development of, the Directive.

Annex 1

Costs of keeping permanence of the contact points per Member State

| No. | Ass. Art. | Orig. Art. | Type of obligation | Description of required action(s) | Target group | Tariff (€ per hour) | Time (hour) | Price (per action or equip) | Freq (per year) | Cost per Member State (€) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | | | permanence103 | Keeping permanence in the 24/7 contact points. | Member States | 25 | 24 | 600 | 365 | 219,000 |

Annex 2

Administrative costs related to the contact points (labour costs and overhead costs)

Policy Option 3: 

| No. | Ass. Art. | Orig. Art. | Type of obligation | Description of required action(s) | Target group | Tariff (€ per hour) | Time (hour) | Price (per action or equip) | Freq (per year) | Nº of entities | Total cost (€) | Cost per Member State (€) | Regulatory origin (%): Int | EU104 | Nat | Reg |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | | | collection | Collection of cybercrime data based on reports. | Member States | 25 | 24 | 600 | 365 | 27 | 5,913,000 | 219,000 | | 0-95% | 5-100% | |
| 2 | | | Annual reporting | Annual reporting to the national statistical office. | Member States | 25 | 30 | 750 | 1 | 27 | 20,250 | 750 | | 0-95% | 5-100% | |

Total costs: EUR 5,933,250
The assumption is that there are 1760 working hours per year per person (8 hours * 20 days * 11 months).
Average employment costs in the EU-27 public administration: Eurostat: Average hourly labour costs, defined as total labour costs divided by the corresponding number of hours worked (€20,35 in 2005). The 2005 figure has been rounded upwards, based on the assumption of economic growth and pattern over the preceding years and overheads of 10% have been added.

Source: http://epp.eurostat.ec.europa.eu/portal/page?_pageid=1996,39140985&_dad=portal&_schema=PORTAL&screen=detailref&language=en&product=Yearlies_new_population&root=Y

Administrative costs related to monitoring costs (labour costs and overhead costs)

Policy Option 3: 

| No. | Ass. Art. | Orig. Art. | Type of obligation | Description of required action(s) | Target group | Tariff (€ per hour) | Time (hour) | Price (per action or equip) | Freq (per year) | Nº of entities | Total cost (€) | Cost per Member State (€) | Regulatory origin (%): Int | EU105 | Nat | Reg |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | | | monitoring | Retrieving relevant information from existing data | Member States | 25 | 40 | 1,000 | 1 | 27 | 27,000 | 1,000 | | 0-95% | 5-100% | |
| 2 | | | monitoring | Submitting the information (sending it to the designated recipient) | Member States | 25 | 0.1 | 2.5 | 1 | 27 | 67.5 | 2.5 | | 0-95% | 5-100% | |
| 3 | | | monitoring | Filing the information | Member States | 25 | 0.5 | 12.5 | 1 | 27 | 337.5 | 12.5 | | 0-95% | 5-100% | |

Total costs: EUR 27,405
The assumption is that there are 1760 working hours per year per person (8 hours * 20 days * 11 months).
Average employment costs in the EU-27 public administration: Eurostat: Average hourly labour costs, defined as total labour costs divided by the corresponding number of hours worked (€20,35 in 2005). The 2005 figure has been rounded upwards, based on the assumption of economic growth and pattern over the preceding years and overheads of 10% have been added.

Source: http://epp.eurostat.ec.europa.eu/portal/page?_pageid=1996,39140985&_dad=portal&_schema=PORTAL&screen=detailref&language=en&product=Yearlies_new_population&root=Y


TOTAL ADMINISTRATIVE COSTS: EUR 27,405 + EUR 5,933,250 = EUR 5,960,655

1. COM(2005) 576 final, Annex 1, p. 19.

2. Idem.

3. Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, OJ L 69 of 16.3.2005, p. 67.

4. The number of connections per 24 hours is the commonly used measuring unit to estimate the size of botnets.

5. COM(2008) 712.

6. OJ L 69 of 16.03.2005, pp. 67-71.

7. See the definitions provided in the terms of reference of this report.

8. Report from the Commission to the Council based on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems, COM (2008)0448 final.

9. OJ C 236 of 24.9.2005; OJ C 155 of 4.5.2010, pp. 1-38.

10. Council of Europe Convention on Cybercrime, Budapest 23.XI.2001, CETS n° 185. See also the Terms of Reference - Definition of Basic Concepts.

11. An overview of the ratifications of the Convention (CETS n° 185) can be seen at http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG

12. "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection, COM (2009) 149/1.

13. Communication from the Commission to the European Parliament, the Council and the Committee of the Regions "Towards a general policy on the fight against cyber crime", COM(2007) 267 final.

14. As presented in the accompanying Impact Assessment report, SEC (2007) 0642.

15. When the preparations for the Communication "Towards a general policy on the Fight against cyber crime" were started.

16. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf, p. 10.

17. http://www.lemonde.fr/technologies/article/2009/03/31/virus-conficker-catastrophe-ou-poisson-d-avril_1174916_651865.html

18. Report from the Commission to the Council based on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems, COM (2008)0448 final.

19. See: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm

20. See: http://www.cpni.gov.uk/docs/botnet_11a.pdf, p. 11, indent 30; http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/networking_solutions_whitepaper0900aecd8072a537.pdf

21. Jennifer A. Chandler, University of Ottawa, "Liability for Botnet Attacks", p. 16, conference paper presented at the Oxford Internet Institute's Conference "Safety and Security in a Networked World", September 8-10, 2005. Paper available at: http://cjlt.dal.ca/vol5_no1/pdfarticles/chandler.pdf

http://cjlt.dal.ca/vol5_no1/pdfarticles/chandler.pdf, footnotes 48-50.

22. http://www.sophos.com/pressoffice/news/articles/2004/12/va_maslanc.html

23. "Yaha Worm Takes Out Pakistan Government's Site", Security Focus (26 June 2002); available at:

http://online.securityfocus.com/news/501

There are several other documented cases like this, where political opponents attack the websites of rival groups or of the state they oppose. However, similar attacks have also been seen targeting commercial organisations and companies.

24. An example of this is the so-called "Ghostnet", where 1295 computers in highly sensitive places were infiltrated: embassies, foreign ministries and a number of international organisations. The origins of the network have been traced back to China-based computers. The Economist, 4/4/2009.

25. Chandler, "Liability for Botnet Attacks", p. 15.

26. http://www.pdesign.net/SED/SED%20Articles/Web%20of%20Crime%20Enter%20the%20Professionals.htm

27. See: http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=172303265

28. http://www.irishtimes.com/newspaper/world/2008/0702/1214949259098.html

29. There were costs to the government organisations related to the restoration of information systems and compensation for the disturbances caused. In addition to the estimated financial cost, the total cost of such attacks is difficult to compile, as it involves not only the direct economic costs of the attack, but also the extra measures that were required to prevent further damage. Source: e-mail exchange with the Estonian Ministry of Foreign Affairs.

30. E-mail exchange with Lithuanian authorities, April 2009.

31. http://www.gartner.com/it/page.jsp?id=565125

32. http://www.ic3.gov/media/annualreport/2008_IC3Report.pdf

33. http://www.crime-research.org/news/28.04.2005/1189/

34. http://www.computereconomics.com/article.cfm?id=1225

35. DG INFSO Safer Internet Programme: http://ec.europa.eu/information_society/activities/sip/index_en.htm

36. Click fraud is a type of Internet crime that occurs in pay-per-click online advertising when a person, automated script or computer programme imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having any actual interest in the target of the ad's link. Click fraud is the subject of some controversy and increasing litigation, as the advertising networks are a key beneficiary of the fraud.

37. http://www.computereconomics.com/article.cfm?id=1225

38. In the case of phishing scams, the scammer (the cyber criminal, i.e. the person attempting to steal the confidential information) is attempting to acquire sensitive information such as usernames, credit card numbers or bank account credentials. Source: Symantec Report on the Underground Economy, July 07-June 08, p. 82.

39. Symantec Report on the Underground Economy, July 07-June 08, p. 19. See also footnotes 13 and 14.

40. Consumer Reports.org source cited in Symantec Report on the Underground Economy, July 07-June 08, p. 19; source: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf

41. Arbor Sert Security Engineering and Response Team, http://asert.arbornetworks.com/2009/01/two-weeks-of-conflicker-data/

42. http://www.f-secure.com/weblog/archives/00001584.html

43. http://www.bundeswehr.de/portal/a/bwde/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLd443DgwBSUGYAfqR6GIBIQixoJRUfW99X4_83FT9AP2C3NCIckdHRQAlYgRn/delta/base64xml/L2dJQSEvUUt3QS80SVVFLzZfQ18zUkU!?yw_contentURL=/C1256EF4002AED30/W27PED65714INFODE/content.jsp

44. http://www.theregister.co.uk/2009/01/20/mod_malware_still_going_strong/

45. Symantec Global Internet Security report, Trends for 2008, Volume XIV, published April 2009. The report specifically mentions the Netherlands as the 4th largest worldwide source of attacks with 8%; the UK, Latvia and France are also in the top 10. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf

46. http://www.fsb.org.uk/news.aspx?REC=5038&re=policy/news.asp

See also: CSI Computer Crime and Security Surveys, CSI 2008:22-23; according to this research, only 27 percent of victims report cybercrime, and 47 percent of those surveyed agreed with the statement that they do "not believe that Law enforcement can help the matter".

47. See: http://www.darkreading.com/security/management/showArticle.jhtml?articleID=208808174

48. See: http://news.bbc.co.uk/2/hi/technology/7208511.stm; http://www.baltictimes.com/news/articles/18815/

49. This has repeatedly been explained to the Commission by different authorities in Member States and European institutions to be a well-known fact within European law enforcement, although it has not been possible to find a scientific source to confirm it.

50. This has been confirmed to the Commission by law enforcement from different Member States and from Europol, for example in a telephone conversation with the Europol High Tech Crime Centre on 29 January 2010.

51. See Council of Europe paper "The functioning of 24/7 points of contact for cybercrime", 2 April 2009.

52. Idem.

53. See also point 2.1 Problem definition, above in the text.

As an example of the differences in application of the law, we can look at the way "illegal system interference" is applied in Germany and France (FD 2005/222 JHA Article 3, corresponding to the CoE Cybercrime Convention, Article 5): this article implies the concept of serious hindering of the functioning of a computer system, which has, as such, been incorporated in French law (article 323-1 du code pénal). In German law the hindering is not specified as relating to a computer (or information technology) system, thereby allowing a subjective interpretation of the hindering. This might lead to a restriction of the criminalisation.

54. See point 2.3 on the size and nature of the problem.

55. These areas of weakness have been identified as a result of consultations with Member States and stakeholders.

56. Report from the Commission to the Council based on Article 12 of the Council Framework Decision of 24 February 2005 on attacks against information systems, COM (2008)0448 final.

57. Final Declaration, G8 ministerial meeting of Justice and Home Affairs, Rome, 29-30 May 2009, http://www.g8italia2009.it/static/G8_Allegato/declaration1giu2009.pdf

58. See Council of Europe paper "The functions of 24/7 points of contact for cybercrime", 2009; Report from the EU expert meeting on cybercrime of 15-16 November 2007 (internal DG JLS document).

59. See Council of Europe paper "The functions of 24/7 points of contact for cybercrime", 2009. Still to be released.

60. See Council of Europe paper "The functions of 24/7 points of contact for cybercrime", 2009. Still to be released. CETS 185, Article 35 states that contact points shall ensure that they are able to coordinate with the authority or authorities responsible for international mutual assistance or extradition. They thus act as liaison offices in cases of international requests.

61. It should be kept in mind that the EU is not the only organisation that could take action to fight the problem. NATO and the Council of Europe are also very active in the efforts to strengthen the fight against attacks as well as to strengthen network and information security. In this context, NATO created a Cooperative Cyber Defence (CCD) Centre of Excellence (COE) in Tallinn, Estonia. However, NATO only deals with military infrastructure.

62. The consulted experts represented the law enforcement agencies of the 27 EU Member States, Switzerland, Norway and member countries of the Council of Europe, the OSCE, the G8, Interpol, Europol and Eurojust. Consultations with the private sector included industry federations, such as EuroISPA, Eco, the Irish Banking Federation and ECTA, and a number of private companies including Symantec, eBay, Microsoft, MasterCard, Blueprint Partners, KPN, Telefonica, Bouygues Telecom, HP, CA, SAP and the Business Software Alliance.
62 The consulted experts represented the law enforcement agencies of the 27 EU Member States, Switzerland, Norway and member countries of the Council of Europe, OSCE, G8, Interpol, Europol and Eurojust. Consultations with the private sector included industry federations, such as EuroISPA, Eco, the Irish Banking Federation and ECTA, and a number of private companies including Symantec, eBay, Microsoft, MasterCard, Blueprint Partners, KPN, Telefonica, Bouygues Telecom, HP, CA, SAP and the Business Software Alliance.

63 The new framework decision must ensure that the private sector can still use botnets or similar tools for testing the effectiveness of anti-virus software or other security appliances.

64 See: http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG

65 See: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime%5Ccy%20Project%20global%20phase%202/2079adm_prosummary1d%20_9%20mar%202009.pdf

66 In particular the United Nations, G8 and NATO.

67 Cybercrime Convention concluded in Budapest on 23 November 2001; see: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm.

68 List of signatories of the Cybercrime Convention (CETS 185): http://www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=3/17/2009&CL=EG

69 COM(2007) 267 final

70 COM(2006) 251 final

71 "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection, COM (2009) 149/1

72 OJ C 62 of 17.3.2009, p. 17.

73 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union.

74 Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee of 7 August 2006 - Developing a comprehensive and coherent EU strategy to measure crime and criminal justice: an EU Action Plan 2006-2010, COM(2006) 437 final.

75 In line with Framework Decision 2006/960/JHA on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union.

76 http://www.smebusinessnews.co.uk/cyber-crime-costs-smes-800-each-year/160/

77 OJ C 62 of 17.3.2009, pp. 17-18.

78 http://www.businessweek.com/1999/99_40/b3649004.htm

79 These programmes have been financed by the financial programmes "Prevention of and fight against crime" and "Criminal Justice".

80 OJ C 62 of 17.3.2009, p. 18.

81 OJ C 62 of 17.3.2009, p. 18.

82 Aspects of cybercrime often surface in other crimes, such as fraud committed through the use of a computer. It is therefore essential to record not only those crimes which are "cyber crimes" according to existing legislation, but also those where the cybercrime is a secondary crime in the prosecutor's file.

83 Flash Eurobarometer, Data Protection in the European Union, Citizens' perceptions, Analytical Report, available at: http://ec.europa.eu/public_opinion/flash/fl_225_en.pdf

84 The use of computer networks and botnets as tools in committing crimes.

85 Such as Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201 of 31.7.2002, pp. 37-47 (currently under revision), and the general data protection Directive 95/46/EC.

86 Introduced by the Convention and by FD 2005/222/JHA on attacks against information systems.

87 OJ C 62 of 17.3.2009, p. 18.

88 Council Conclusions on setting up national alert platforms and a European alert platform for reporting offences noted on the Internet, 2899th JUSTICE and HOME AFFAIRS Council meeting, Luxembourg, 24 October 2008, p. 2.

89 OJ C 62 of 17.3.2009, p. 18.

90 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union.

91 Council Conclusions of 27/11/2008, and the European Security Strategy.

92 See: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime%5Ccy%20Project%20global%20phase%202/2079adm_prosummary1d%20_9%20mar%202009.pdf

93 SEC(2009) 355, p. 29.

94 A number of non-legislative activities concerning the filtering/blocking of illicit web content are currently being undertaken in fora such as the COSPOL Internet Related Child Abusive Material Project or the Virtual Global Taskforce, which Member States may join in the short term. See: http://www.europol.europa.eu/index.asp?page=InternetRelatedChildAbusiveMaterialProject; http://www.virtualglobaltaskforce.com/

Also within this framework is the proposal for a new FD on combating the sexual abuse, sexual exploitation of children and child pornography, repealing Framework Decision 2004/68/JHA, COM(2009)135 final.

95 This is the conclusion of consultations undertaken by the Commission in preparation for this impact assessment.

96 "The Admissibility of Electronic Evidence in Court: Fighting against High-tech Crime", Cybex report (2006); available at: http://www.itu.int/osg/csd/cybersecurity/WSIS/3rd_meeting_docs/contributions/libro_aeec_en.pdf

97 For general surveys of the deterrent effect of higher penalties, see: http://pricetheory.uchicago.edu/levitt/Papers/LevittWhyDoIncreasedArrest1998.pdf

98 There are cases of cyber criminals in the UK, Sweden and Norway being tracked down within 4 hours of notification by UK law enforcement, thanks to swift public-private cooperation and a rapid reaction by 24/7 contact points.

99 Final Declaration, G8 ministerial meeting of Justice and Home Affairs, Rome, 29-30 May 2009, http://www.g8italia2009.it/static/G8_Allegato/declaration1giu2009.pdf

100 Council of Europe paper "The functions of 24/7 points of contact for cybercrime", 2009. Still to be released.

101 Communication from the Commission to the European Parliament, the Council and the Committee of the Regions "Towards a general policy on the fight against cyber crime", COM(2007) 267 final

102 OJ C 115 of 4.5.2010, pp. 1-38.

103 This obligation already exists in the existing FD 2005/222 and can therefore not be considered a "new" administrative cost.

104 EU Member States have the possibility to apply for Commission co-funding of up to 95% of the overall costs associated with the relevant measures.

105 EU Member States have the possibility to apply for Commission co-funding of up to 95% of the overall costs associated with the relevant measures.
