An IT security and compliance company has commented on the new European Cybercrime Directive. The Directive has been updated to target organised crime on the internet and makes it an offence to use new forms of cyber attack, in particular the use of command and control centres to manage botnets.
Under the new terms of the European Cybercrime Directive, botnet operators will face jail terms of three years and those convicted of cyber attacks on critical infrastructure risk five years’ in prison.
Some commentators have pointed to section A of the Directive which “penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices / tools used for committing the offences,” warning that this risks criminalising ethical hackers who use software tools to test for vulnerabilities on networks and websites. RandomStorm employs researchers who, in their spare time, find and flag security flaws in major web services such as Facebook, Google, Twitter, Paypal and LinkedIN. In a word, whitehats. That is, the good guys, rather than the blackhats, the hackers out to damage, deface, blackmail or steal. The cybercrime directive has been updated to penalise people who use hacking tools to intercept communications or interfere with IT networks and some industry commentators viewed that as a threat to legitimate security research.
However, RandomStorm has looked further into the new legislation and point out that “The Directive contains in the definitions of criminal offences listed in articles 3, 4, 5 (illegal access to information systems, illegal systems interference and illegal interference) a provision allowing to criminalise only ‘cases which are not minor’. This element of flexibility is intended to allow Member States not to cover cases that would, in abstracto, be covered by the basic definition, but are considered not to harm the protected legal interest, e.g. in particular acts by young people who attempt to prove their expertise in information technology.”
Andrew Mason, co-founder and Technical Director of security and compliance company, RandomStorm, says: “Some people have expressed concern that the updated EU Cybercrime Directive could criminalise legitimate cyber security researchers and bug bounty hunters, whose work helps to make the internet safer for all users. This could have had serious repercussions for ethical hackers, so we are glad to see the European Commission has included a proviso recognising the need for information security professionals to hone their skills without fearing a jail sentence.”
In 2010, RandomStorm sponsored the development of the Damned Vulberable Web Application (DVWA) by Ryan Dewhurst, an undergraduate at the University of Northumbria, Ethical Hacking degree. The DVWA was developed to provide a legal forum where developers could learn about the common hacking vulnerabilities that affect web applications. It was downloaded 46,490 times in its first twelve months.
“In the last fortnight a UK whitehat was rewarded with a twenty thousand dollar bounty for finding and reporting a serious Facebook flaw that enabled him to access and control Facebook user accounts. This demonstrates the value of the work done by ethical hackers. One of our own researchers, Avram Marius Gabriel, is listed in the voluntary security research programmes of twelve leading organisations, including Facebook, Twitter, Google, Microsoft and Adobe, in recognition of his efforts to find and flag security flaws in web applications. We are pleased to see that this vital bug hunting work will not be hampered by the new EU Cybercrime Directive.”
RandomStorm adds that it provides vulnerability scanning and intrusion detection services to help companies in the public sector, retail, hospitality, financial and utility industries to improve their security posture and comply with industry guidelines and data protection regulations. The company is a CESG CHECK <%20http:/www.randomstorm.com/news-randomstorm-check.php> security consultancy and certified as both an Approved Scanning Vendor and Qualified Security Assessor <%20https:/www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php> by the Payment Card Industry Security Standards Council.
References
European Commission Home Affairs: Cybercrime, 4th July 2013 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/organized-crime-and-human-trafficking/cybercrime/index_en.htm
European Commission, Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA 2013
http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/pdf/1_en_act_part1_v101_en.pdf
Infosecurity Magazine, 5th July 2013, “The European Parliament has voted in favour of a new directive on cybercrime”: http://www.infosecurity-magazine.com/view/33308/the-european-parliament-has-voted-in-favor-of-a-new-directive-on-cybercrime/
Security News Desk, 5th July 2013 “EU Directive outlines tougher penalties for cybercrime” http://www.securitynewsdesk.com/2013/07/05/eu-directive-outlines-tougher-penalties-for-cyber-crime/
Computer Weekly, 5th July 2013, “Tougher penalties for cybercrime not enough say security experts” http://www.computerweekly.com/news/2240187517/Tougher-EU-penalties-for-cyber-crime-not-enough-say-security-experts
Business Insider, 30th June 2013, “Facebook pays $20K bounty to researcher who found a major security flaw in Facebook before hackers did” http://www.businessinsider.com/facebook-pays-researcher-20k-for-bug-2013-6
PC Pro, 7th December 2012, “Q&A, the life of a bug bounty hunter” http://www.pcpro.co.uk/features/378577/q-a-the-life-of-a-bug-bounty-hunter
