Tougher EU penalties for cyber crime not enough, say security experts

The European Parliament has adopted a draft directive to toughen up EU penalties for cyber crime, but security experts say this is not enough on its own

The European Parliament has adopted a draft directive, toughening up the EU’s penalties for cyber crime, but security experts say this is not enough on its own.

The directive also extends EU rules that have been in force since 2005 to cover the use of botnets, the theft of online credentials, and the use of tools that enable cyber crime.

Anyone caught running a botnet of hijacked computers will face a minimum of three years in prison, and anyone attacking critical infrastructure could spend up to five years behind bars.

The directive recommends that criminals involved in some crimes should serve minimum sentences and aims to clamp down on corporate espionage by making companies liable for any online offences committed in their name.

The new rules say companies could be shut down if they hire hackers to attack rivals or steal corporate secrets, according to the BBC.

Tougher penalties for cyber criminals

EU member states have two years to adopt the directive as law, but an existing, unofficial agreement suggests that some countries will not wait that long, according to US reports.

The changes mean the perpetrators of cyber attacks and the producers of malicious software can now be prosecuted, and will face heavier criminal sanctions, according to Cecilia Malmstrom, European commissioner for home affairs.

But security experts point out that tougher sanctions are meaningless if law enforcement authorities are not able to identify and apprehend those behind international cyber crimes.

They say the element of the draft directive that seeks to improve co-operation between EU states to investigate cyber crime is at least as important as tougher sanctions.

To apprehend the criminal masterminds, law enforcement agencies will need to have co-operation with local agencies all around the world

Etay Maor, Trusteer

Cross-border co-operation needed in fight against online crime

One of the biggest challenges in bringing cyber criminals to justice is the fact that in most cases they do not reside in the country where the crime takes place.

“Unfortunately, in most cases the people who get caught are the money mules who may not even be aware they are committing a crime, not the bot masters or ring leaders,” said Etay Maor, fraud prevention manager at security firm Trusteer.

To apprehend the masterminds, law enforcement agencies will need to have co-operation with local agencies all around the world, he said.

“This is not an easy task. Cyber criminals know this, and this is why they usually reside in a country where they will stay safe from most western governments,” said Maor.

He believes that cyber criminals will be brought to justice only once tight co-operation between law enforcement agencies around the world is achieved.

“In the meantime, we have to make sure that users' devices stay malware-free and that organisations worldwide have a clear picture of what is targeting them and how they can mitigate the threat quickly and effectively,” said Maor.

More on cyber crime

  • Infosec 2013: Cyber crime challenges law enforcement
  • Trend Micro joins Interpol fight against cyber crime
  • Cyber crime costing SMEs £785m
  • Microsoft evolves disruption anti-cyber crime tactic
  • UK government announces Cyber Crime Reduction Partnership
  • US will pile diplomatic pressure on cyber crime nations, says attorney general Eric Holder
  • EU to set up cyber crime centre
  • Europol leads initiative to pool cyber crime intelligence

Disruption tactics can mean cyber crime doesn't pay

Other cyber security experts have suggested that the tactic used by Microsoft, Adobe and others of disrupting the cyber criminal business model is also likely to be more effective than tougher sanctions.

“As long as the cost of data extraction is lower than the value of the data itself, criminal elements will continue to take advantage, irrelevant of the consequences,” said Gavin Millard, technical director for Europe at Tripwire.

“The suggested laws will do little to break these gangs, prevention being far more effective than restriction,” he said.

In January, Brad Arkin, chief security officer at Adobe, told the Security Development Conference 2013 in San Francisco that attackers are economically rational.

“They will always seek to minimise the cost and effort of developing an exploit to take advantage of software vulnerabilities,” he said.

Arkin believes that finding and fixing bugs is a waste of time because it is hugely expensive and there will always be vulnerabilities in code – attackers just have to find one to make it worthwhile.

Mitigation such as sandboxing, he said, is more effective because it changes the cost equation for the attacker.

Similarly, Microsoft’s digital crimes unit (DCU) has recognised the importance of shutting down botnets because they form the backbone of cyber criminal operations.

So far, the DCU, in collaboration with cross-industry partners, has taken down seven major botnets, effectively disabling key cyber criminal infrastructure.

Read more on Hackers and cybercrime prevention