Early this week the European Union (EU) mandated national maximum sentences of at least two years in prison for attempting to illegally access information systems.
In addition, according to the UK Telegraph, “The maximum penalty for attacks against infrastructure such as power plants, transport or government networks will be set at five years or more, higher than the current tariff in most member states....”
The global coverage of these EU legal changes has been enormous, with numerous editorial perspectives clearly supporting the new regulations that add teeth in fighting cybercrime.
These developments come at an interesting time – shortly after Edward Snowden's allegations that the US spied on European nations and businesses. The new EU regulations also list “cyber-snooping” as a prohibited action.
Do stronger penalties deter cybercrime?
Many experts, however, believe that tougher penalties do little to deter criminal behavior in cyberspace, since most hackers assume they will never be caught by law enforcement. Some go further and argue that these changes make things worse, because white hat hackers will lose their ability to help.
For example, this techdirt.com article makes the case that tougher new laws are misguided:
“…Simply ratcheting up punishment does little to stop malicious hacking, as hackers rarely expect to get caught. So it does little to nothing to actually help stop online crime. What does help is having security researchers and others exposing and fixing vulnerabilities. But, if you create massive new penalties for "cybercrime" and make the rules amorphous enough that those security researchers may get charged under them for trying to help, you do create fewer incentives for them to actually help.
End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities….”
Under the new EU rules, companies that hire hackers to steal secrets or benefit from malware or botnets will be liable for any offences committed on their behalf.
One thing to keep in mind is that we are in an odd situation today, where cyber criminals who are caught often face lighter penalties than criminals who commit comparable crimes in the physical world. Advocates of tougher laws argue that the stronger penalties need to be in place for the time when law enforcement catches up.
It is worth noting that a new European Cybercrime Centre (EC3) was opened earlier this year to work with the FBI and US authorities on fighting global cybercrime.
Cybercrime penalties in the USA
Penalties for cybercrime are generally tougher in the US than in Europe, and new bills circulating in Washington, D.C. would strengthen computer hacking laws further.
Information Week offered these thoughts on the proposed changes to cybercrime penalties:
“Legal experts and privacy activists are crying foul after the House Judiciary Committee began circulating a draft bill that would amend the Computer Fraud and Abuse Act (CFAA) to impose tougher penalties for many types of computer crimes.
The 22-page draft "cyber-security" legislation is currently being circulated among committee members. A House Judiciary Committee aide told The Hill that the draft is still in its early stages, and feedback is still being gathered from multiple stakeholders.”
More recently, the Electronic Frontier Foundation (EFF) offered this piece on updating the CFAA: “…But common sense changes to the CFAA are needed to update the law and make it in-line with recent court rulings, and this bill is a great start.”
Available options for cybercrime victims
So what options are available to cybercrime victims today? What can a company do given our current situation?
I like the summary of available options given by this law.com article – The War on CyberCrime: How Far Can You Go? This piece lays out the current landscape in America and offers proactive alternatives ranging from collaborating with government to civil litigation to hacking back.
Various expert sources tell me that hacking back by businesses (what some call active defense) is currently more common than many people believe. Some advocates describe a middle ground where stolen data can send a beacon back to its owner or perhaps even self-destruct.
Nevertheless, I have gone on record as saying that “hacking back” is not ok for the majority of us. In addition, this is not a role that state and local government CIOs, CSOs and CISOs should be involved in – at least under current federal law in 2013. (Note: To be clear, I am not talking about criminal justice organizations such as the FBI or state police – who may need to access criminal networks with a court order and the legal right to do so.)
So what’s your view? Do tougher laws help in the fight against cybercrime? Should organizations take matters into their own hands? Will the new EU rules help?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso