The European Union wants to throw the book at cyber criminals and is giving
its member nations 20 months to get everything in order to accommodate the
The proposed framework decision, released April 19, adresses cracking and distributed denial of service
Calling for a mandatory jail sentence of “no less than one year” for cyber
crimes causing significant damage to a business (whether through downtime
or man-hours spent correcting a hack), the proposal leaves the door open
for individual countries to make their own interpretations of an offense’s
seriousness and the methods of punishment as long as they obey the
For example, in lieu of jail time, the EU suggests fines or recompense paid
by the criminal to the violated company, though countries are free to
add fines to a jail sentence.
Erkki Liikanen, the EU commissioner charged with the security of
information systems and the corporations that use them, said while cyber
crime makes up a relatively small segment of the Internet traffic out there
today, it needs to be addressed before it gets out of hand.
“However small a part of the overall picture, cybercrime is still crime
which needs to be dealt with,” he said. “This proposal also contributes to
improving the overall security of our information infrastructures, which is
a key element in our efforts towards a knowledge-based economy.”
According to the 2002 “Computer Crime and Security Survey,” 223 companies
reported a staggering $455.8 million in losses attributable to cyber
crime. The survey, the seventh co-sponsored by the Computer Security
Institute and the Federal Bureau of Investigation, shows a growing trend
of Internet-related security breaches (40 percent), where in the past most
came from inside the company (now down to 33 percent).
The financial losses are sometimes less damaging than the loss of face
within the business community, as potential customers are loathe to put
their e-trust in a company that gets publicly hacked.
Charles Williams, chairman of the world Internet providers operations
counsel, said the framework decision by the EU is a good start to putting
real penalties behind cyber crime.
“As we have all learned in the past, anytime that a company’s security is
compromised there is a serious loss of trust in the victim company by
clients and/or investors,” he said. “The fact that someone actually
succeeded in either intruding into or denied traffic to a company’s network
is something that will never be 100 percent preventable. Thus, any time that a
company is the victim of such an attack the only thing to be done is to
report it, learn from it, and prosecute the perpetrator.”
Officials are quick to point out the EU’s answer to cyber crime is a work
in progress and there is a lot of time to make improvements to the
proposal. Nowhere is clarification needed more than in the area of
jurisdiction, an oversight (though one EU officials say they are aware of)
when you consider the nature of the Internet.
On the issue of cyber crime committed by a country outside the EU, the
commission doesn’t have an answer. The framework calls for member nations
to hammer out appropriate extradition and territorial clauses, but if the
hacker comes from the U.S. or Asia, for example, it will have to be handled
on a case-by-case basis.
“That’s one area the EU has been working on for some time and there’s been
a lot of debate about,” said Maeve O’Beirne. She said two methods, one
from the EU and one by the Council of Europe, have two disparate approaches.
The EU wants to strengthen ties with foreign law enforcement agencies to
combat the international nature of cyber crime. It’s a process that began
a couple years ago when the FBI, Interpol, Europol and others banded
together successfully for Operations Starburst and Cathedral, a worldwide
sting netting hundreds of pedophiles.
Commissioners want to expand on that, stringing together a 24/7 point of
contact network in each country and an information-exchange program (the
U.S. and several European countries already have one in place), and devote
more resources to upgrading computer systems and educating law enforcement
The Council of Europe supports the same, but looks to an international
intermediary to liaison between the two countries if an agreement can’t be
The EU’s new cyber crime framework isn’t expected to become a reality until
2004, after the member nations have submitted the measures it will take to
ensure compliance and EU publishes its final framework decision.
The EU member nations are: Austria, Belgium, Denmark, Finland, France,
Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal,
Spain, Sweden and the United Kingdom.