Thursday, January 9, 2014

Revising our national laws on cybercrime

Technological developments together with the myriad of increased cyber attacks being reported in the last few years led European legislators to publish a new Directive focusing on attacks against information systems but the jury is still out whether the Directive will leave the desired impact.

Published in August of last year, the new Directive must be transposed by Member States by the 4th September 2015. Largely modelled on an EU Council Framework Decision of 2005 which it replaces, the Directive is introducing some innovations at a European Union level. Some of these new introductions are already catered for under Maltese law whilst others will need to be transposed.

The main scope of the Directive is to harmonise criminal law measures within the European Union in the area of attacks against information systems, through the introduction of minimum rules concerning the definition of criminal offences and the relevant sanctions, as well as to improve cooperation between the competent authorities of the Member States. It establishes that illegal access, illegal system or data interference and illegal interception should be criminalised by Member States.

Most of these provisions however were already reflected in the Council of Europe Cybercrime Convention also known as the Budapest Convention to which Malta is a party. Substantive definitions and categorizations of cyber offences contained in our Criminal Code follow the provisions contained in the Budapest Convention.

One therefore questions what will really change in Malta pursuant to Directive 2013/40/EU and the answer is not that straightforward.

The new Directive highlights the recognition by European lawmakers that information systems are a key element of the political, social and economic interactions in Europe and that society at large has become highly dependent on such systems. There has also been the realisation that there is a dangerous increasing link between attacks on information systems and organised crime as well as serious concern regarding terrorist or politically motivated cyber attacks especially those targeting national critical infrastructures which might have a cross border impact.

Critical infrastructures have been defined under Directive 2013/40/EU as an asset, system or part thereof located in a Member State which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being. The Directive lists power plants, transport networks or government networks as examples of critical infrastructures. In tiny Malta, we can also find quite a number of examples that might be considered a critical infrastructure. The transport service IT system, the IT infrastructure at Mater Dei and the systems controlling our energy provision might all fall under this category.

Evidence of a tendency towards recurrent large-scale attacks and the utilization of bot armies and botnets was also another instigator for the promulgation of the new Directive.

The Directive introduces aggravating circumstances, and therefore stiffer penalties, for crimes committed through organised crime, botnets, identity theft or attacks against critical infrastructures. Presently, Maltese law does not provide for such factors as being aggravating circumstances. Under Maltese law penalties are increased in situations where the cybercrime is committed by employees against their employer or clients (something also found in the new Directive) but also in situations where the cyber crime is directed towards a public service or utility operated or maintained by Government.

The new Directive makes it clear that criminal liability should not subsist when a person did not know that his machine was used in a criminal attack without his consent. This reflects the reality that many personal machines are being infected by malicious software and ‘recruited’ as zombies in botnets. The Directive also criminalises aiding, abetting and attempted crimes, as well as the production, sale or making available of tools used to commit offences. Article 337(C)(1)(l) of our Criminal Code already criminalises the sale, production and distribution of such devices and software.

The two most controversial aspects of Directive 2013/40/EU however revolve around minor cases as well as illegal access of computer systems committed through the infringement of a security measure.

The new Directive leaves it up to the Member States to determine whether criminal penalties should be imposed in situations where the cyber-crime is considered to be ‘minor’. This will eventually mean that there will not be harmonisation of cyber-crime penalties, as one Member State might consider a specific activity too minor whilst another jurisdiction might consider it serious. Everything will depend on how the national prosecuting authorities as well as national legislators consider the specific activity in question and the damage caused. This, I believe, is one of the major flaws of the Directive. The Directive in fact stipulates that Member States may determine what constitutes a minor case according to their national law and practice. The Directive continues that a case may be considered minor, for example, where the damage caused by the offence or the risk to public and private interests, including the integrity of computer systems, is insignificant or is of a nature that the imposition of a criminal penalty is not necessary. This will lead to trouble.

Unlike the Budapest Convention and our current Criminal Code, Article 3 of Directive 2013/40/EU provides that illegal access to information systems would be considered a criminal offence only when a security measure is infringed. This will mean that under the Directive, access to an information system without authorisation but through no breach of any security will not be considered criminal. I find this slightly puzzling. If we had to try and find a real-world example, we would see that if I leave my car unlocked, anyone could just go in and make themselves comfortable in it without having committed an offence. Strange. The counter argument would be that persons accessing an unsecured system might say that they did not know that they were not authorised to access such systems, since there was no security in place. This will mean that all operators of IT systems will need to beef up their security in order to ensure that a minimum level of security exists. Well, self-help is always a key concept in cybercrime, but perhaps linking unauthorised access directly to security breaches might not be the best option.

The EU Framework Decision of 2005 was termed the EU version of the Budapest Convention. Whilst the Directive published in August is surely a step in the right direction, one still needs to wait and see how the Member States will transpose it into national law.
