RealTime IT News

EU Throws The Book At Cyber Criminals

The European Union wants to throw the book at cyber criminals and is giving its member nations 20 months to get everything in order to accommodate the necessary changes.

The proposed framework decision, released April 19, addresses cracking and distributed denial of service (DDoS) attacks.

Calling for a mandatory jail sentence of "no less than one year" for cyber crimes causing significant damage to a business (whether through downtime or man-hours spent correcting a hack), the proposal leaves the door open for individual countries to make their own interpretations of an offense's seriousness and the methods of punishment as long as they obey the EU's guidelines.

For example, in lieu of jail time, the EU suggests fines or recompense paid by the criminal to the violated company, though countries are free to add fines to a jail sentence.

Erkki Liikanen, the EU commissioner charged with the security of information systems and the corporations that use them, said while cyber crime makes up a relatively small segment of the Internet traffic out there today, it needs to be addressed before it gets out of hand.

"However small a part of the overall picture, cybercrime is still crime which needs to be dealt with," he said. "This proposal also contributes to improving the overall security of our information infrastructures, which is a key element in our efforts towards a knowledge-based economy."

According to the 2002 "Computer Crime and Security Survey," 223 companies reported a staggering $455.8 million in losses attributable to cyber crime. The survey, the seventh co-sponsored by the Computer Security Institute and the Federal Bureau of Investigation, shows a growing trend of Internet-related security breaches (40 percent), where in the past most came from inside the company (now down to 33 percent).

The financial losses are sometimes less damaging than the loss of face within the business community, as potential customers are loath to put their e-trust in a company that gets publicly hacked.

Charles Williams, chairman of the world Internet providers operations counsel, said the framework decision by the EU is a good start to putting real penalties behind cyber crime.

"As we have all learned in the past, anytime that a company's security is compromised there is a serious loss of trust in the victim company by clients and/or investors," he said. "The fact that someone actually succeeded in either intruding into or denied traffic to a company's network is something that will never be 100 percent preventable. Thus, any time that a company is the victim of such an attack the only thing to be done is to report it, learn from it, and prosecute the perpetrator."

Officials are quick to point out that the EU's answer to cyber crime is a work in progress and there is a lot of time to make improvements to the proposal. Nowhere is clarification needed more than in the area of jurisdiction, an oversight (though one EU officials say they are aware of) when you consider the nature of the Internet.

On the issue of cyber crime committed by a country outside the EU, the commission doesn't have an answer. The framework calls for member nations to hammer out appropriate extradition and territorial clauses, but if the hacker comes from the U.S. or Asia, for example, it will have to be handled on a case-by-case basis.

"That's one area the EU has been working on for some time and there's been a lot of debate about," said Maeve O'Beirne. She said the EU and the Council of Europe have taken two disparate approaches to the problem.

The EU wants to strengthen ties with foreign law enforcement agencies to combat the international nature of cyber crime. It's a process that began a couple years ago when the FBI, Interpol, Europol and others banded together successfully for Operations Starburst and Cathedral, a worldwide sting netting hundreds of pedophiles.

Commissioners want to expand on that, stringing together a 24/7 point of contact network in each country and an information-exchange program (the U.S. and several European countries already have one in place), and devote more resources to upgrading computer systems and educating law enforcement personnel.

The Council of Europe supports the same, but looks to an international intermediary to liaise between the two countries if an agreement can't be reached.

The EU's new cyber crime framework isn't expected to become a reality until 2004, after the member nations have submitted the measures they will take to ensure compliance and the EU publishes its final framework decision.

The EU member nations are: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden and the United Kingdom.