Eurocrats versus the cyber criminals


It has not been a good news day for hackers and cyber criminals, at least not in Europe.

Not only is the European Commission set to open a new CyberCrime Centre in The Hague next year, but, as The Independent reports, a proposed EU Directive could set a minimum jail term of two years for hackers.

More serious offences, such as stealing someone's online identity to use for hacking, would attract three years in jail, and companies that use hackers to attack rivals could be shut down.

The European Parliament's rapporteur, Monika Hohlmeier, describes the type of incident authorities aim to combat as "serious criminal attacks, some of which are even conducted by criminal organisations."

This is true. And it is also true that law enforcement agencies, as well as companies seeking civil damages against cyber criminals, have found their efforts hampered by legal inconsistencies. Nor have the courts always taken cyber crime as seriously as many IT professionals believe they should: cyber crime is not victimless, after all.

But there will be questions about the effectiveness of setting up another cyber crime agency, and indeed whether any one legal jurisdiction can tackle the problem alone.

The EU already has a cyber security body, in the form of Crete-based ENISA, which aims to support businesses and governments from cyber attack at the systems and network level. ENISA works with the EU's national CERTs, or computer emergency response teams. Then there are the national police computer crime units.

It is not yet clear how the new body, which is based within Europol, will fit in with these organisations. And already, the EU press release announcing the new agency suggests some overlap with ENISA's work, especially when it comes to warning governments of cyber threats.

More serious still, though, is whether any European organisation can be effective, on its own, in tackling a global problem.

It is very easy for cyber criminals to base themselves outside the EU; there are plenty of locations around the world where laws on computer crime are either weak, weakly enforced, or both. It is also quite easy for cyber crime gangs to mask their true physical location, not least by turning innocent user's machines into "bots."

More resources to fight cyber crime are welcome. The EU can set an example and, according to Ron Gula, CEO at Tenable Network Security, act as a co-ordinator for incidents such as cyber terrorist attacks. But the real challenge facing politicians is lies in improving laws, investigative capabilities and law enforcement internationally.

"The challenge of pursuing criminals across borders of course remains and nothing in the proposed new Directive is going to change that," warns Martha Bennett, of analyst firm Freeform Dynamics.

"No law will ever be able to protect EU citizens [fully] from attack, again because there is nothing that can be done about nasty stuff coming across the internet.

"But making certain actions a criminal offence is a good idea. At the moment, many so-called cybercrimes' can't be prosecuted at all because there's no punishable offence until an actual crime (under existing legislation) has been committed, such as money being stolen from a bank account."

But if the EU's defences can be bolstered, then perhaps cyber criminals might find other, more productive ways to employ their talents or at least, go elsewhere.

Stephen Pritchard is a contributing editor at IT Pro.