The European Parliament has voted in favor of a new directive on cybercrime

European member states now have two years to implement the proposals, which are an attempt to impose a more standard response to cybercrime across the Union. In general it introduces stronger penalties. It increases penalties for illegally intercepting communications, and producing or selling tools that enable this. The penalty for attacking national infrastructures, such as power plants or government networks, is set at five years in prison - which is generally higher than most nations' current sanctions.

"The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions," said Cecilia Malmstrom, European Commissioner for Home Affairs in a statement.

But not all MEPs are happy with the outcome. During the debate on Tuesday, MEP Jan Philipp Albrecht warned, "we're not getting any more security from this directive, simply tougher and tougher punishments". He suggested that responsibility should be taken by the operators of the IT networks to ensure that all loopholes are closed.

In a statement issued last month, Albrecht warned that Europe's new approach would likely weaken rather than strengthen security. "The blunt new rules on criminalising cyber attacks... take a totally flawed approach to internet security. The broad strokes approach to all information system breaches, which would apply criminal penalties for minor or non-malicious attacks, risks undermining internet security." 

He is particularly concerned about the effect of the new laws on white hat hackers. "Significantly, the legislation fails to recognise the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security. This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals. The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems."

He is not alone in thinking Europe's approach is flawed. Conrad Constantine, research team engineer at AlienVault, takes a similar view. "'Cybercrime' is an oxymoron," he suggests. "We already have a word for it - 'Crime' - the reason 'cybercrimes' are criminal acts is because they were criminal acts before computers were involved."

He cites the US Computer Fraud and Abuse Act (CFAA) as an example of the difficulties that can ensue from trying to make cybercrime different to general crime. Every time governments "to encode some particular use of technology into law, the result is inevitably poor for civilians. The American Computer Fraud and Abuse Act (CFAA) was written during a time when the average person had no access to computer networks, yet the wording of that law now allows civilians to be convicted for violating the terms of service of public websites."

This is exactly what Albrecht fears - that the new directive will prevent the research by white hats that leads to improvements in general security. It is ironic, perhaps, that the US is attempting to alleviate such issues - through Aaron's Law - at the same time as the EU is in danger of introducing them.

What’s hot on Infosecurity Magazine?