European Parliament toughens criminal penalties for cyber attacks

The European Parliament has decided to toughen criminal penalties across the EU for cyber attacks especially those that threatened national infrastructure or were deemed to be aimed at stealing sensitive data.

Under the new directive the 28 member states would be forced to adopt maximum sentences of a prison term of at least two years for trying to break into any information systems.

However, if the attack was against a critical infrastructure network, like a power plant, transport or government network, the maximum penalty would be least five years - higher than currently in force across all states. Maximum sentences would also be up to at least three years for botnet attacks or cyber intrusions that resulted in financial costs or loss of personal data.

The EU commissioner for home affairs Cecilia Malmström said she was pleased that formal approval had been reached on new rules concerning the definition of criminal offences and the sanctions in the area of cybercrime.

She added, the perpetrators of increasingly sophisticated attacks and the producers of related and malicious software could now face prosecution, and would face heavier criminal sanctions.

However, security professionals were not so sure that increasing the jail time was the right way to go about defeating cybercrime.

Etay Maor, fraud prevention manager at security firm Trusteer, says governments needed to be aware that the people behind cyber attacks like botnets were often nowhere near the actual attack.

According to Maor, in most cases the people who got caught were the "money mules" who may not even be aware they were committing a crime, and not the bot masters or ring leaders.

Accoeding to Maor, to apprehend the masterminds law enforcement agencies would need to have cooperation with local agencies all around the world, which was not an easy task, something that cyber-criminals were aware of.

He said the masterminds usually resided in a country where they would be safe from most western governments.

Commentators also point out that the stiffer prison sentences was not likely to have much of an effect without more cooperation between the countries being attacked and the countries that were home to many malicious hackers.

According to security experts, many attacks originated from countries in Eastern Europe and South Asia and nations such as Russia and China. Hackers often bragged about being untouchable by western authorities and they also marketed their abilities to interested parties around the globe, offering attacks as a service.

However, the penalties in the EU would be more in line with those in the US with the two countries trying to work together to combat cyber crime.

Recent discussions in US Congress had focused on actually cutting some penalties by more clearly defining terms in the Computer Fraud and Abuse Act, the nation's main cyber-security law, so that misuse of data could be differentiated from the stealing of data and to ensure penalties were more commensurate with the crime.

US lawmakers are  also considering bills targeting specific offshore hackers by giving authorities more flexibility to freeze bank accounts and to create other financial disincentives.