EU struggling to fight cyber crime
Faced with increasing cyber attacks, the EU is looking at a new law criminalising the use of 'zombie' computers and is setting up a 'cybercrime' centre and special teams of IT firefighters to prevent further attacks
Notoriously slow in its reaction to world events, the EU has even more difficulties when it comes to adapting its legislation and institutions to the fast-changing online environment.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
A draft law put forward by the EU commission in 2010 on criminalising the spread of malicious software used to launch attacks on government or private company servers is only in the early stages of parliamentary work and still has to be agreed with member states.
And by some account the draft legislation is already out of date as it does not consider issues such as the jurisdiction over social network giants like Facebook or security breaches in cloud data centres.
Jakub Boratynski from the European Commission's cybercrime unit says that the draft bill was "triggered" by the large-scale cyber attack against Estonia in 2007. Four years later, he notes member states still need to update their legislation and "prosecute and convict criminals launching attacks from and outside the EU."
He admits the commission itself has problems with security, noting that people pretending to be using an EU commission email address manage to get past the cyber security gates to send email containing virues. "This is something we witness in the commission despite elaborate filters and protective mechanisms," he said.
The new law would make this practice illegal as well as obliging member states to collect data on cyber attacks.
Boratynski also downplayed the impact of this piece of legislation, which should not be seen as a "panacea for all problems on the internet", but just as one tool in the fight against cyber crime. The only way to avoid being outpaced by rapidly changing technology is for the law to be as "technologically neutral as possible," he said. So the draft law does not specifically refer to 'botnets' (hijacked computers), but rather to more generic terms such as "tools" or "devices".
Events have prompted further action. The EU's diplomatic service was subject to a large denial-of-service attack earlier this year prompting the commission to establish a special squad of IT specialists. The Computer Emergency Response Team (Cert) is meant to detect and prevent such attacks in all institutions.
Such teams already exist in most member states and experts wonder why it took the EU so long to set one up for its own institutions.
From the perspective of a country that had its entire e-government and online banking structure shut down for three weeks in 2007, an Estonian official said that the EU is still lacking a "comprehensive" cyber security response and contingency planning for the entire bloc.
Heli Tiirma-Klaar from the Estonian defence ministry says that while there have been "a mushrooming of cyber initiatives", harmonising penalties would be a "big step forward and a great deterrent."
But human rights defenders are concerned that the more information is collected and shared by law enforcement, the more citizens' privacy rights will be violated.
"Being successful in fighting cyber crime does not require continuous and systematic surveillance of internet users. Systematic tracking is a breach of fundamental rights," said Peter Hustinx, the EU's data protection czar. "We support only targeted measures, where required and proportionate, as it is the case in the offline world as well."
The controversial EU data retention law obliging phone and internet providers to store all traffic logs of their users is a case in point. Initially used to help investigators track down terrorism suspects, it is now primarily used for organised crime and child pornography rings. In Poland, where it has been praised as "efficient" by the police, it was also used to snoop on journalists and their sources.
"What people don't distinguish is using personal data in specific police investigations where you have a suspect and there are normal judicial procedures and a system whereby all citizens are being watched - just in case someone commits a crime in the future," says Dutch Liberal MEP Sophie in't Veld.
"We could just as well have preventive house searches every day. It's just that people don't know it's happening, because it's not in their homes, it's about their data."
It's the data, stupid
And just as intelligence services and police are interested in having access to as much private data as possible, so are cyber criminals.
With an explosion in information generated by every computer and smartphone user - the equivalent of 318 billion DVDs a year - and with social networking creating "countries" of user data, it is getting easier to launch cyber attacks. "There are tools you can search for and buy on the internet. You no longer have to be a computer geek to launch an attack," says Ilias Chantzos from Symantec, a security software firm.
"The target is information, anything that has a value - banking data, email passwords, government records. It is not the infrastructure. And this trend will continue," he said.
That the trend of attacks is increasing is confirmed by Europol, the bloc's police co-operation agency, and by hackers alike. But opinions vary greatly on how to deal with this. Florian Walther, a German hacker and member of the Berlin-based Chaos Computer Club, says that "sloppy IT administrators" and software vendors who are not securing their programmes properly are the ones to blame: "I have been a professional hacker since 1999. I know the financial, corporate and governmental security systems in and out. I know their passwords, because I cracked them. The root of the problem we're dealing here is that cybercrime is increasing because it's easy and less risky than real world crimes. From a cyberbank you can get millions in one night, a real bank would hold maybe only a few thousand euro in cash."
He singled out the embarrassing case of DigiNotar, an online "certificate authority" from the Netherlands which is supposed to mark websites as "trusted", meaning that they really are what they claim to be: banks, search engines, webmail services and not fronts for online scams.
The Dutch government, which was using DigiNotar for its own websites, had to shut it down earlier this month after it emerged that it had been hacked into and that fake certificates had been handed out to websites looking like the intelligence services of the UK, US and Israel, as well as for online services such as Google, Skype, Twitter and Facebook.
"DigiNotar's root password was 'prod admin', meaning production administrator. You can't have that kind of password, it's too easy. And then they inter-connected all systems to one master system. That's plain stupid. And it's even more stupid if you sign digital passwords," Walther said.
The fact that DigiNotar passes were provided without warranty highlights the main issue at stake in cyber security: liability. "Why can software manufacturers sell software without warranty? There is no incentive for them at the moment to make secure products. We should change this, they should have a financial risk if their software is not secure," he said.
To trust or not to trust
The DigiNotar fiasco may "reduce the trust people place in certificate authorities," currently a patchwork of private and partly state-owned companies, Colin Percival, an IT security expert told this website.
Faced with a fake website that his browser will not warn him about, a layman would be defenceless, says Percival: "There's not much people can do, save to use common sense about what they do online -- it's probably not a good idea to write 'let's get together next Monday and overthrow the government' no matter how much you trust the website you're writing it on."
Currently, there is no unified policy on who can set up a certificate authority and computer systems and internet browsers have various criteria on deciding which of these companies they recognise as trustworthy.
Percival said an EU-wide authority would not necessarily be a better solution, but "national certificate authorities would probably be better than private ones." In order for that to happen, however, the whole system would have to be changed, so for instance a small firm in the Netherlands like DigiNotar would no longer be able to sign certificates for sites like Google or Facebook.
"As long as web browsers come with a list of over 50 certificate authorities which can each sign any domain name, attacks like this are inevitable," said Percival.