Technological developments, together with the myriad cyber attacks reported in the last few years, have led European legislators to publish a new Directive focusing on attacks against information systems, but the jury is still out on whether the Directive will have the desired impact.
Published in August of last year, the new Directive must be transposed by Member States by 4 September 2015. Largely modelled on the EU Council Framework Decision of 2005, which it replaces, the Directive introduces some innovations at European Union level. Some of these are already catered for under Maltese law, whilst others will need to be transposed.
The main aim of the Directive is the harmonisation of criminal law measures within the European Union in the area of attacks against information systems, through the introduction of minimum rules on the definition of criminal offences and the relevant sanctions, as well as improved cooperation between the competent authorities of the Member States. It establishes that illegal access, illegal system or data interference, and illegal interception should be criminalised by Member States.
Most of these provisions however were already reflected in
the Council of Europe Cybercrime Convention also known as the Budapest
Convention to which Malta is a party. Substantive definitions and categorizations
of cyber offences contained in our Criminal Code follow the provisions
contained in the Budapest Convention.
One therefore questions what will really change in Malta
pursuant to Directive 2013/40/EU and the answer is not that straightforward.
The new Directive highlights the recognition by European lawmakers that information systems are a key element of political, social and economic interaction in Europe and that society at large has become highly dependent on such systems. There has also been the realisation that there is a dangerous and increasing link between attacks on information systems and organised crime, as well as serious concern regarding terrorist or politically motivated cyber attacks, especially those targeting national critical infrastructures, which might have a cross-border impact.
Critical infrastructure is defined under Directive 2013/40/EU as an asset, system or part thereof located in a Member State which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being. The Directive lists power plants, transport networks and government networks as examples of critical infrastructures. In tiny Malta, we can also find quite a number of examples that might be considered critical infrastructure. The transport service IT system, the IT infrastructure at Mater Dei and the systems controlling our energy provision might all fall under this category.
Evidence of a tendency towards recurrent large-scale attacks and the use of bot armies and botnets was another instigator for the promulgation of the new Directive.
The Directive introduces aggravating circumstances, and therefore stiffer penalties, for crimes committed through organised crime, botnets or identity theft, or directed against critical infrastructures. Presently, Maltese law does not provide for such factors as aggravating circumstances. Under Maltese law, penalties are increased where the cybercrime is committed by employees against their employer or clients (something also found in the new Directive), but also where the cybercrime is directed at a public service or utility operated or maintained by Government.
The new Directive makes it clear that criminal liability should not subsist when a person did not know that his machine was used in a criminal attack without his consent. This reflects the reality that many personal machines are infected by malicious software and 'recruited' as zombies in botnets. The Directive also criminalises aiding, abetting and attempted crimes, as well as the production, sale or making available of tools used to commit offences. Article 337(C)(1)(l) of our Criminal Code already criminalises the sale, production and distribution of such devices and software.
The two most controversial aspects of Directive 2013/40/EU however
revolve around minor cases as well as illegal access of computer systems
committed through the infringement of a security measure.
The new Directive leaves it up to the Member States to determine whether criminal penalties should be imposed in situations where the cybercrime is considered to be 'minor'. This will eventually mean that there will not be harmonisation of cybercrime penalties, as one Member State might consider a specific activity too minor whilst another jurisdiction might consider it serious. Everything will depend on how the national prosecuting authorities, as well as national legislators, view the specific activity in question and the damage caused. This, I believe, is one of the major flaws of the Directive. The Directive in fact stipulates that Member States may determine what constitutes a minor case according to their national law and practice. The Directive continues that a case may be considered minor, for example, where the damage caused by the offence or the risk to public or private interests, including the integrity of computer systems, is insignificant or is of such a nature that the imposition of a criminal penalty is not necessary. This will lead to trouble.
Unlike the Budapest Convention and our current Criminal Code, Article 3 of Directive 2013/40/EU provides that illegal access to information systems is to be considered a criminal offence only when a security measure is infringed. This will mean that, under the Directive, access to an information system without authorisation but without breaching any security measure will not be considered criminal. I find this slightly puzzling. If we had to try and find a real-world example, we would see that if I leave my car unlocked, anyone could just go in and make themselves comfortable in it without having committed an offence. Strange. The counter-argument would be that persons accessing an insecure system might say that they did not know that they were not authorised to access such systems, since there was no security in place. This will mean that all operators of IT systems will need to beef up their security in order to ensure that a minimum level of security exists. Well, self-help is always a key concept in cybercrime, but perhaps linking unauthorised access directly to security breaches might not be the best option.
The EU Framework Decision of 2005 was termed the EU version of the Budapest Convention. Whilst the Directive published in August is surely a step in the right direction, one still needs to wait and see how the Member States will transpose it into national law.