Directive on Attacks on Information Systems

The EU has finally adopted a new Directive on attacks against information systems, first proposed in 2010. The Directive will require Member States, within two years, to ensure they meet its requirements on

  • Activities that must be considered crimes;
  • Effective sentences for those convicted of the crimes (including higher maximum sentences for aggravating circumstances such as widespread or seriously damaging attacks or those on critical infrastructures);
  • Collection of statistics on the number of offences registered, prosecuted and convicted;
  • Completing and improving the existing cross-border collaboration between judiciary and police.

The final text doesn’t seem to have been published, but the version agreed by the European Parliament is available.

As far as I can see, all the criminal activities in the Directive are already crimes under various UK laws, with maximum sentences that at least match the Directive’s requirements, so I don’t expect much to have to change here:

  • Unlawful access to information systems and unlawful interference with systems or data (Articles 3 to 5), under sections 1 & 3 of the Computer Misuse Act 1990. These were included in the preceding EU framework decision as well, though the EU text of Article 3 appears to allow a member state to require that unlawful access must involve “infringing a security measure”, something UK law doesn’t require. Even if an account or system has been left without a password, unauthorised access to it is a crime under UK law;
  • Unlawful interception of data transmissions (Article 6), under section 1 of the Regulation of Investigatory Powers Act 2000;
  • Making, supplying and obtaining tools for use in such offences (Article 7), under section 3A of the Computer Misuse Act 1990. As I wrote when the draft Directive was published, the EC text seems less likely than the UK one to capture legitimate actions by system and network administrators, because it requires “intention that [the tool] be used to commit [an] offence”. The Commission’s concern appears to be botnets, though the UK definition of “tools” goes much wider;
  • Inciting, aiding, abetting, attempting the commission of such offences, under existing rules on inchoate offences.

Article 9(5) comes close to activities currently being examined by UK law, as it relates to the misuse of personal data to obtain the trust of a third party and cause prejudice to the rightful “identity owner”. However this appears only to be an aggravating circumstance if used to interfere with a system or data (Articles 4&5), not to just gain unauthorised access to data (Article 3). So I suspect it just misses the ‘blagging’ of personal data, currently covered by section 55 of the Data Protection Act 1998, whose maximum sanctions are widely regarded as much too lenient.

Articles 10 and 11 require the possibility of serious sanctions against organisations for whose benefit any of the crimes are committed, ranging from placing the organisation under judicial supervision to winding it up. These may discourage organisations from any policy of “striking back” against those apparently attacking them; in fact such attacks will normally only harm fellow victims whose compromised systems are unknowingly being used as tools in the attack.

Better statistics on cyber-crime would be welcome, but Article 14 has had some caveats inserted that may mean it covers no more than “existing data”, which is distinctly sparse.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
