Does this apply to Satellite TV?
and will it be retrospective?
The European Parliament's Civil Liberties Committee overwhelmingly voted to approve proposals to criminalise certain activity relating to cyber attacks last week. The proposals contain plans to make specified "legal persons" within companies liable for certain offences. "Legal persons would be liable for offences committed for …
Most hackers don't benefit, it's just a game. How far could you criminalise this, a college lecturer perhaps?
For instance the definition of theft, dishonestly appropriating property with the intention of permanently depriving the other of it..... You need to prove dishonesty which is subjective, prove the property has been taken, then the intention which can be subjective.
Being in possession, using, and maybe even promoting through discussion would not be enough.
Looks to be poorly drafted legislation....
Can't disagree with most of it, but I am concerned at the potential interpretation of "Individuals found in possession of or distributing hacking software and tools also face criminal charges under the Committee's proposals".
They have to be a bit more specific about what constitutes 'hacking software/tools'. Many tools can be used for these purposes but otherwise have perfectly legitimate uses.
I prefer the Computer Misuse Act approach, which focuses on intent.
Exactly. The tools that we use for penetration testing would certainly qualify as "hacking software". As JustaKOS said, this really needs to be clarified to intent rather than simply possession.
However a lot of new legislation is a deterrent to be "tested in court", which is plain lazy in my mind. Write it right or leave it out!
Anyway I think it'll probably stay in and they'll see if it can "stick" with the first court case to try to use it. After all it's far easier to prove possession rather than intent and if I own "hacking tools" I must be a baddie. No regard for white hats, professional penetration testers or maybe someone who wants to hack for fun with no plans to take it outside of their home network (white hats have to start somewhere, yes?).
In MEP speak everyone who owns a crowbar must be a thief so let's do them for intent to break and enter.... idiots.... mini rant over :)
I'm not sure I like "intent" either. Motives are difficult to prove and go down the road of thought-crime. Intent works if you catch someone in an act (in a carpark, hiding between cars, with a slim-jim), but mostly we will be looking at (computer) forensics and inferring intent. This is after the fact, not preventative.
How about "conspiracy"? While I agree that some crackers are lone-wolves, we are talking about corporate work. It requires a bit more concrete evidence, which is a bit unfashionable these days but I rather like it.
I'd also be wary of penalties which scale with "costs to rectify." We all know what the American DOD thinks of McKinnon. These costs are mostly fictitious and will never be recovered, so it's gesture politics and I don't like that enshrined in law. There is also a particularly cavalier attitude to putting stuff online. I've seen horrible SCADA-to-internet connectivity put in place which simply should not be there. Even RSA's crown jewels were put online instead of being air-gapped. Companies probably need to feel that the internet is a harsh and dangerous place before they take security seriously.
Lastly, why is the EU doing this? For all the good such a law may do, I strongly object to the removal of self-determination from my own country's legal system. Come up with some advice, set a standard and coordinate information regarding which countries meet which principles. When people feel that whatever they do doesn't impact their lives, they can get quite destructive.
Agreed with Justa. The [purposeful?] obfuscation between possession and intent is a sign this law will be shot down in the near future.
Shame as a lot of the law is a good idea, in principle.
about how computer security works - they're potentially going to criminalize academics and security professionals for doing their jobs, distributing malware and developing proof-of-concept hacks.
And whenever one would be hacking for governments? ..... although it must be noticed that "certain activity relating to cyber attacks" will probably have an exemption and be excepted from legislation because any subjective and self-serving rules and regulations would be totally unenforceable.
Then of course would it be different and something to be lauded and extremely well paid for by the EU, should they ever get their act together. But that then would put them into conflict with nations and their national security services, which would be/could be/are fully paid up members of their quango institution, which is an odd state of affairs which is bound to be exploited by those able state and non-state actors exercising such initiatives in the field.
Yes, all in all, a bit of a mind minefield that one ....... but a great little earner for those active in the virtual environment of digital shenanigans and ....... well, national, international and internetional cyberspace security systems.
"respond to urgent requests within a maximum of eight hours in order to prevent cyber-attacks spreading across borders
"Individuals found in possession of or distributing hacking software and tools also face criminal charges under the Committee's proposals".
"Individuals found in possession of or distributing weapons also face criminal charges under the Committee's proposals".
Surely this should also apply to weapons manufacturers. But then again the arms industry is capable of powerful lobbying within appropriate circles.
"Individuals found in possession of or distributing hacking software and tools also face criminal charges under the Committee's proposals."
"Criminal offences will also apply for the sale or production of tools that are used to commit cyber-attack crimes, it said."
Depending on the legal definition of hacking software and tools this criminalises at least the IT security industry and maybe everyone in IT. Just because I have a copy of BackTrack and know how to use it does not make me a criminal. How else am I going to ensure that my sites are resistant to attack?
This law could make EU based sites and companies more vulnerable to attack and cause IT security companies and researchers to move their business to non-EU countries.
The likelihood is that the next step, should this legislation be put forward, is that possession of hacking tools would likely require some licensing control. Therefore there will be further cost for implementing and policing this. This cost will be passed on through either taxes or the license fee, putting small technology firms at ransom to either obtaining a costly license or to paying a security firm's fees.
Also, the legitimate licensed security hacking tools will suffer a divide from the criminal hacking tools that will be forced further underground. Thus rendering penetration testing more and more ineffective. Ultimately leaving all networks without any legally accepted strategy to effective network security hardening... It doesn't work, unless I am missing something...
Possession has to be assumed to be for legitimate reason, unless actions prove otherwise and further legislation is ineffective. Yes, hackers must be stopped, but this will not stop them; it will merely tie the hands of their victims.
In addition to hackers and pirates all CEOs should be held accountable for the actions of their company including folks like Bill Gates, Paul Otellini, etc. and imprisoned for all violations of law. It's called personal responsibility.
Yeah good luck enforcing that boys!!