
    Stricter EU-wide penalties for cyber attacks

    By eub2 | 4 July 2013 | internet
    — last modified 04 July 2013

    Cyber criminals will face tougher penalties in the EU, under new rules adopted by Parliament on 4 July. The draft directive, already informally agreed with member states, also aims to facilitate prevention and to boost police and judicial cooperation in this field. In the event of a cyber attack, EU countries will have to respond to urgent requests for help within eight hours.




    1. What is the problem to be addressed?

    In recent years, the number of attacks against information systems (IT systems) – or, in common words, the illegal entering of or tampering with information systems – has risen steadily in Europe. Moreover, previously unknown large-scale and dangerous attacks against the information systems of companies, such as banks, the public sector and even the military, have been observed in the Member States and other countries. New concerns, such as the massive spread of malicious software creating ‘botnets’ – networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks – have emerged.

    2. What is a botnet?

    The term botnet indicates a network of computers that have been infected by malicious software (computer virus). Such a network of compromised computers (‘zombies’) may be activated to perform specific actions such as attacks against information systems (cyber-attacks). These ‘zombies’ can be controlled – often without the knowledge of the users of the compromised computers – by another computer. This ‘controlling’ computer is also known as the ‘command-and-control centre’. The people who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems. It is very difficult to trace the perpetrators, as the computers that make up the botnet and carry out the attack might be located elsewhere than the offender himself.

    3. How does it work?

    1. In a preparatory step, a cyber-criminal acquires or produces malicious software;
    2. This software is placed on one computer that becomes the ‘command-and-control centre’ and is set up by the hacker to remotely control other computers through malware;
    3. Once installed, the bot program turns the victim computer into a ‘zombie’ that is able to infect more computers and turn them into other ‘zombies’; all ‘zombies’ together form a botnet;
    4. Bots connect zombies to controllers;
    5. The cybercriminals take control and command of the servers;
    6. At this point they can send commands to the zombies;
    7. The zombies will execute those commands against targets.

    4. What is the aim of the cyber-attacks?

    The underlying objectives can be varied. Attacks can have criminal objectives or can be used as one of the means in a larger campaign to exert pressure. Attacks often include one or more of the following elements:

        Diverting money from bank accounts and stealing sensitive financial information

        Extortion: criminals only unlock the computers after the victims pay a certain amount of money to the controllers of the botnet;

        Sabotage purposes: disabling (critical) infrastructure, such as a security system, either to commit another crime, or in relation to a terrorist act;

        Exerting illicit pressure on a state or an organisation. This pressure can have various objectives. In some cases, pressure is exerted through illegal means: there are a number of documented cases where viruses attacked sites related to certain political movements, or attempted to take out the sites and servers of governments. Economic pressure on a company can be exerted through, for example, the use of emails containing malware. These can also be used to undermine the reputation of a competitor.

        Illegal information gathering / spying activities. Information and Communication Technologies (ICT) are increasingly used for purposes of information gathering, setting up surveillance networks by breaking into computer systems of economic competitors, or political opponents.

    A marked trend towards greater involvement of organised crime in the attacks has been observed; organised crime groups may, for instance, hire hackers or other computer specialists to conduct a specific attack. A large-scale attack may be launched against a critical information infrastructure of, for example, a financial institution, followed by a message that the financial institution has to pay a ransom in order for the attack to cease. Networks of more than a million computers linked together by a command-and-control centre have been observed, and the damage caused by a coordinated attack through the use of such a network can be considerable.

    5. What is new in the Directive? (As compared to the previous Framework Decision on attacks against information systems 2005/222/JHA)

    The Directive includes the penalisation of illegal access, illegal system interference and illegal data interference – and introduces the following new elements:

        Penalisation of the use of tools (such as malicious software – e.g. ‘botnets’ – or unrightfully obtained computer passwords) for committing the offences;

        Introduction of ‘illegal interception’ of information systems as a criminal offence;

        Improvement of European criminal justice/police cooperation by:

        strengthening the existing structure of 24/7 contact points, including an obligation to answer urgent requests within 8 hours; and

        including the obligation to collect basic statistical data on cybercrimes.

    Furthermore, the Directive raises the level of criminal penalties to a maximum term of imprisonment of at least two years. Instigation, aiding, abetting and attempt of those offences will become penalised as well.

    The Directive also raises the level of criminal penalties for offences committed within the framework of a criminal organisation (maximum penalty of at least five years) and adds new aggravating circumstances:

        When a significant number of information systems have been affected through the use of a tool (e.g. ‘botnets’) (maximum penalty of at least three years);

        When causing serious damage (maximum penalty of at least five years);

        When committed against a critical infrastructure information system (maximum penalty of at least five years).

    Annex

    Botnet indicates a network of computers that have been infected by malicious software (computer virus). Such a network of compromised computers (‘zombies’) may be activated to perform specific actions such as attacks against information systems (cyber-attacks). These ‘zombies’ can be controlled – often without the knowledge of the users of the compromised computers – by another computer. This ‘controlling’ computer is also known as the ‘command-and-control centre’. The persons who control this centre are among the offenders, as they use the compromised computers to launch attacks against information systems. It is very difficult to trace the perpetrators, as the computers that make up the botnet and carry out the attack might be located elsewhere than the offender himself.

    Bot capacity is the number of computers in a given botnet.

    Denial-of-Service (DoS) attack – a denial of service attack is an act to make a computer resource (for example a website or Internet service) unavailable to its intended users. The contacted server or webpage will show itself as “unavailable” to its users. The result of such an attack could, for example, render online payment systems non-operational, causing losses for its users.

    Information System is any device or group of interconnected or related devices, one or more of which, pursuant to a programme, performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance. An example of this is a computer or a server.

    Illegal System Interference is the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data, which is punishable as a criminal offence when committed without right, at least for cases which are not minor (as defined in Framework Decision 2005/222/JHA).

    Illegal data interference is the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system, which is punishable as a criminal offence when committed without right, at least for cases which are not minor (as defined in Framework Decision 2005/222/JHA).

    Large-scale attacks are attacks that are either carried out by big botnets or cause considerable damage, e.g. in terms of disrupted system services, financial cost, loss of personal data, etc. The damage caused by the attack can have a major impact on the functioning of the target itself, and/or affect its working environment. In this context, a ‘big’ botnet will be understood to have the capacity to cause serious damage. It is difficult to define botnets in terms of size, but the biggest botnets witnessed were estimated to have between 40,000 and 100,000 connections (i.e. infected computers) per time span of 24 hours.

    Malware is computer software designed to infiltrate or damage a computer system without the owner’s consent. It is distributed through a variety of means (emails, computer viruses, and botnets). The intention is to obtain data (passwords, codes) in a fraudulent way, or to integrate the computer into a computer network destined to be used for criminal actions.

    Phishing is an electronic mail that convinces end users to reveal confidential data via websites that imitate the sites of bona fide companies (e.g. websites of banks).

    Spam is electronic messages sent in large numbers to internet users without their consent. These unsolicited electronic messages are usually of a commercial nature. Spam is the electronic equivalent of stuffing letter boxes with advertising materials that have not been requested by their recipients.

    Spyware is software that is installed on a user’s computer without his knowledge. Such software transmits information on the user and his habits once connected to the internet. The information gathered this way is usually intended for use by advertisers.

    Source: European Commission
