On 3rd September, the new EU Directive 2013/40 on attacks against information systems came into force, requiring Member States to beef up national cybercrime laws and sentencing. The Directive updates and replaces the previous Framework Decision in this area and introduces new measures including criminal offences for attacks using malicious software, and increased sentencing of up to 5 years’ imprisonment for the most serious offences. The new measures are illustrative of the EU’s increasingly aggressive stance in tackling cyber-crime – but how different is the new legislation to that already in force? Datonomy explores.
Why the new Directive?
Last week on 3 September, the new EU Directive 2013/40 on attacks against information systems came into force. The Directive was proposed in 2010 as a replacement to the previous Framework Decision 2005/222/JHA, which criminalised various activities in relation to attacks on information systems, including illegal access to information systems, and illegal interference with systems and data. Following various high-profile cyber-attacks since the passage of the Decision, including a 2009 botnet attack that successfully infiltrated the computer systems of the UK, German and French defence forces, the EU was concerned that such existing legislation was inadequate to prevent cyber-crime and so considered further measures were required.
The text of the new Directive is similar to the previous Decision, and contains almost identical offences in relation to illegal access to information systems and interference with systems or data. As in the Decision, there is again an offence for involvement in incitement, aiding, abetting or attempting such offences. “Information systems” is broadly defined to include any device or group of devices which automatically process computer data by means of a programme, as well as any data stored, processed, retrieved or transmitted by such device(s). The new Directive however now introduces new offences for “illegal interception” of non-public transmissions of computer data (Article 6), and for the production, sale, procurement for use, import or distribution of tools intended to commit cyber-crime offences (Article 7). The latter is primarily targeted at the use of botnets and malicious software, which the European Parliament highlighted as a particular concern in the Directive’s Preamble, citing the potential use of such tools to gain remote access to large numbers of computer systems and potentially cause significant disruption and damage. To support this, new penalties of up to 5 years’ imprisonment are introduced for the most serious systems or data interference offences, either where carried out within the framework of a criminal organisation, or where such attacks cause significant damage or affect key infrastructure. A new penalty of up to 3 years’ imprisonment is also introduced for such offences where carried out through the use of tools specifically designed for such purpose.
In addition to more harshly penalising cyber-crime, the Directive also focuses on improving and strengthening police and judicial co-operation across the Union to counter such attacks. Citing both the frequently cross-border nature of cyber-crime, and the “significant gaps and differences in Member States’ laws and criminal procedures” in this area, the European Parliament has implemented a number of measures designed to facilitate more wide-scale reporting and enforcement. In addition to the pre-existing requirement that Member States implement national contact points in relation to cyber-security, Member States are therefore now also required to use the existing G8 and Council of Europe network of 24/7 contact points to help combat cyber-crime, and must respond within 8 hours to any urgent requests for assistance. They must further collect statistics and data on cyber-attacks, which will be transmitted to the European Commission for consolidated review and to help prevent such attacks in the future.
How will UK law need to change?
Whilst many of the new measures have already been implemented in the UK through previous amendment to the Computer Misuse Act 1990 (“CMA”) in 2005, it is likely that the new Directive will require further changes to UK legislation before its deadline for transposition on 4 September 2015. Although the CMA already contains an offence in relation to the use of tools for the commission of computer misuse offences (under a new section 3A inserted under the Police and Justice Act 2006) for example, its current sentencing provisions run to a maximum of 2 years, and will likely need increasing to take into account the new penalties. Although the offence of illegal interception of telecommunications data is similarly already provided for under section 1 of the Regulation of Investigatory Powers Act 2000 (“RIPA”), this only concerns data transmitted over a public information network and may therefore need amending to include transmissions over private networks. Despite this however, it is unlikely that the Directive will require fundamental changes to existing UK legislation and its amendments to the previous Framework Decision are finally of a more supplementary and enhancing nature than representing a fundamental change.