The European Parliament is to vote on a proposal that could see sentences raised for crackers who gain illegal access to critical infrastructure systems to a five-year minimum.
A proposed new directive could mandate minimum two- and five-year jail terms for those found guilty of attacking the security of a computer system with criminal intent.
Part of a new directive designed to discourage and penalise those who bypass security systems with ill intent, the draft proposals were approved late last week ahead of a vote in July. Should the proposals go ahead, the minimum penalties that could apply to digital ne'er-do-wells will be severely strengthened.
A cracker found guilty of illegal and intentional access to an information system, illegal interference with data or illegal interception of communications will face a minimum of two years' jail time under the new EU directive. Should the attack cause serious damage, be at the behest or under the control of a known criminal organisation, or target critical infrastructure such as power stations, that minimum is boosted to five years.
Somewhat more controversially, the proposal also mandates a two-year sentence on those found guilty of intentionally producing and selling tools designed to commit the above offences. If not carefully worded and clarified, that could have a chilling effect on security research: many tools designed for legitimate purposes can be co-opted for evil, with network security toolkits frequently including vulnerability scanners and password crackers.
That concern has been noted in the directive's amendments. Sections of the proposal that would criminalise the ownership of security-cracking tools have been deleted, under the justification that such software is 'inherently dual-use, and [is] crucially needed for security testing. If we want to have the whistleblower protection, we also have to legalise their possession and distribution.'
The directive does attempt to prevent the dragnet capturing system administrators and security researchers who use their skills for good, however. Sections include exclusions for those without criminal intent - protecting professional penetration testers and the like - as well as those who stumble upon a security hole but tell the responsible company in a timely manner.
Other sentences proposed by the directive include a three-year sentence for those who create malware designed to take remote control of systems for the purpose of creating a 'botnet,' as well as those who make use of a botnet created by others, along with companies who hire crackers to carry out attacks on competitors for the purposes of espionage or sabotage.
The latest amendments to the proposed directive include a requirement that EU member states respond within an eight-hour window to reports of other member states experiencing attack.
Security firms are cautiously optimistic about the proposals. 'The directive is clear about distinguishing attacks that lack criminal intent, which would cover testing or protection of information systems and thereby shield whistleblowers,' claimed Lisa Vaas for Sophos. 'That's reassuring. Pen testing and whistleblowing are essential activities that deserve legal protection.'
Those who have been following the furore in the mainstream press regarding the US National Security Agency's PRISM computer system and its allegedly unconstitutional monitoring of citizens' communications will be interested in one particular amendment to Article 2 Point C, submitted by Jan Philipp Albrecht: '"Legal person" means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations, which does not imply that States or other public bodies should be able to attack information systems without a legal basis and full respect for fundamental rights.' (Amended portion emphasised.)
The reason for Albrecht's amendment? 'We don't want state hacking to be legalised, as it would violate the "basic right to the integrity and confidentiality of information technical systems" as determined by the German Constitutional Court.'
The EU will vote on the directive next month, with the Committee on Civil Liberties, Justice and Home Affairs having already approved the latest draft.