Early this week the European Union (EU) mandated national maximum sentences of at least two years in prison for attempting to illegally access information systems.
In addition, according to the UK Telegraph, “The maximum penalty for attacks against infrastructure such as power plants, transport or government networks will be set at five years or more, higher than the current tariff in most member states....”
The global coverage of these EU legal changes has been enormous, with numerous editorial perspectives clearly supporting the new regulations that add teeth in fighting cybercrime.
These developments also come at an interesting time – shortly after the allegations by Edward Snowden that the US spied on European nations and businesses. These new EU regulations also include “cyber-snooping” as a prohibited action.
Do stronger penalties deter cybercrime?
However, many experts believe that tougher penalties do little to deter criminal behavior in cyberspace, since most hackers think that they will never be caught by law enforcement officials. In fact, some experts actually think these changes make things worse, since white hat hackers will lose their ability to help.
For example, this techdirt.com article makes the case that tougher new laws are misguided:
“…Simply ratcheting up punishment does little to stop malicious hacking, as hackers rarely expect to get caught. So it does little to nothing to actually help stop online crime. What does help is having security researchers and others exposing and fixing vulnerabilities. But, if you create massive new penalties for "cybercrime" and make the rules amorphous enough that those security researchers may get charged under them for trying to help, you do create fewer incentives for them to actually help.
End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities….”
Under the new EU rules, companies that hire hackers to steal secrets or benefit from malware or botnets will be liable for any offences committed on their behalf.
One thing to keep in mind is that we are currently in a sort of “catch-22” today, where cyber criminals who are caught face lighter penalties than criminals who commit crimes in the physical world. Advocates of tougher laws point to the need for new penalties for the time when the good guys catch up.
It is worth noting that a new European Cybercrime Centre (EC3) was opened earlier this year to work with the FBI and US authorities on fighting global cybercrime. Here is a video describing that topic:
Cybercrime penalties in the USA
Penalties for cybercrimes are generally tougher overall in the US than in Europe, and new bills that are circulating in Washington D.C. would strengthen computer hacking laws further.
Information Week offered these thoughts on the proposed changes to cybercrime penalties:
“Legal experts and privacy activists are crying foul after the House Judiciary Committee began circulating a draft bill that would amend the Computer Fraud and Abuse Act (CFAA) to impose tougher penalties for many types of computer crimes.
The 22-page draft "cyber-security" legislation is currently being circulated among committee members. A House Judiciary Committee aide told The Hill that the draft is still in its early stages, and feedback is still being gathered from multiple stakeholders.”
More recently, the Electronic Frontier Foundation (EFF) offered this piece on updating CFAA: “…But common sense changes to the CFAA are needed to update the law and make it in-line with recent court rulings, and this bill is a great start.”
Available options for cybercrime victims
So what options are available to cybercrime victims today? What can a company do given our current situation?
I like the summary of available options given by this law.com article – The War on CyberCrime: How Far Can You Go? This piece lays out the current landscape in America and offers proactive alternatives ranging from collaborating with government to civil litigation to hacking back.
Various expert sources tell me that hacking back (also called active defense by some) by businesses is more common currently than many people believe. Some advocates describe a middle ground where stolen data can send a beacon back or perhaps even self-destruct.
Nevertheless, I have gone on record as saying that “hacking back” is not ok for the majority of us. In addition, this is a role that state and local government CIOs, CSOs and CISOs should be involved in – at least under current federal law in 2013. (Note: To be clear, I am not talking about criminal justice organizations such as the FBI or state police – who may need to access criminal networks with a court order and the legal right to do so.)
So what’s your view? Do tougher laws help in the fight against cybercrime? Should organizations take matters into their own hands? Will the new EU rules help?