An EU Cybercrime Centre is to fight online criminals and protect e-consumers. The centre is expected to start operations in January 2013. According to Brussels, it is estimated that, worldwide, more than one million people become victims of cybercrime every day. The cost of cybercrime could reach an overall total of USD 388 billion worldwide.
The European Commission proposed to establish a European Cybercrime Centre to help protect European citizens and businesses against these mounting cyber-threats. The centre will be established within the European Police Office, Europol in The Hague (The Netherlands). The centre will be the European focal point in fighting cyber-crime and will focus on illegal online activities carried out by organised crime, particularly those generating large criminal profits, such as online fraud involving credit cards and bank credentials.
The EU will also work on preventing cyber-crimes affecting e-banking and online booking activities, thus increasing e-consumers trust. A focus of the European Cybercrime Centre will be to protect social network profiles from e-crime infiltration and will help the fight against online identity theft. It will also focus on cyber-crimes which cause serious harm to their victims, such as online child sexual exploitation and cyber-attacks affecting critical infrastructure and information systems in the Union.
Cecilia Malmström, European Commissioner for Home Affairs, said: “Millions of Europeans use the Internet for home banking, online shopping and planning holidays, or to stay in touch with family and friends via online social networks. But as the online part of our everyday lives grows, organised crime is following suit – and these crimes affect each and every one of us. We can’t let cybercriminals disrupt our digital lives. A European Cybercrime Centre within Europol will become a hub for cooperation in defending an internet that is free, open and safe.”
By 2011, nearly three quarters (73 percent) of European households had Internet access at home and in 2010 over one third of EU citizens (36 percent) were banking online. Eighty percent of young Europeans connect through online social networks and about USD 8 trillion exchanges hands globally each year in e-commerce.
Consequently, cybercrime is on the raise and cyber-criminals have created a profitable market around their illegal activities where credit card details can be sold between organised crime groups for as little as one euro per card, a counterfeited physical credit card for around 140 euros and bank credentials for as little as 60 euros. Cybercrimes are also targeting social media: up to 600 000 Facebook accounts are blocked every day, after various types of hacking attempts and over 6 700 000 distinct bot-infected computers were detected in 2009.
The European centre will warn EU countries of major cyber-crime threats and alert them of weaknesses in their online defences. It will identify organised cyber-criminal networks and prominent offenders in cyberspace. It will provide operational support in concrete investigations, be it with forensic assistance or by helping to set up cybercrime Joint Investigation Teams. To achieve its tasks and to better support cybercrime investigators, prosecutors and judges in the Member States, the Centre will fuse information from open sources, private industry, police and academia. The new Centre will also serve as a knowledge base for national police in the member states and it will pool European cybercrime expertise and training efforts. It will be able to respond to queries from cybercrime investigators, prosecutors and judges as well as the private sector on specific technical and forensic issues.
The centre will serve as a platform for European cybercrime investigators, where they can have a collective voice in discussions with the IT industry, other private sector companies, the research community, users’ associations and civil society organisations. Finally, the Centre is to become the natural partner for wider international partners and initiatives in the field of cybercrime. For the centre to be established, the Commission’s proposal now needs to be adopted by the budgetary authority of Europol.
Meanwhile, cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee on March 27. Possessing or distributing hacking software and tools would also be an offence, and companies would be liable for cyber attacks committed for their benefit.
The proposal, which would update existing EU legislation on cyber attacks, was approved with by 50 votes in favour, one against and three abstentions.
Rapporteur Monika Hohlmeier (EPP, DE) said: “We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year. No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world” she added.
The proposal would establish harmonised penal sanctions against perpetrators of cyber attacks against an information system – for instance a network, database or website. Illegal access, interference or interception of data should be treated as a criminal offence, MEPs say.
The maximum penalty to be imposed by member states for these offences would be at least two years’ imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed to for large-scale (e.g. “botnet”) attacks, or attacks cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data.
IP spoofing
Using another person’s electronic identity (e.g. by “spoofing” their IP address), to commit an attack, and causing prejudice to the rightful identity owner would also be an aggravating circumstance – for which MEPs say countries must set a maximum penalty of at least three years. MEPs also propose tougher penalties if the attack is committed by a criminal organisation and/or if it targets critical infrastructure such as the IT systems of power plants or transport networks. However, no criminal sanctions should apply to “minor cases”, i.e. when the damage caused by the offence is insignificant.
Cyber-attack tools
The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.
Liability of legal persons
Legal persons would be liable for offences committed for their benefit (e.g. a company would be liable for hiring a hacker to get access to a competitor’s database), whether deliberately or through a lack of supervision. They would also face penalties such as exclusion for entitlement to public benefits or judicial winding-up.
To resist cross-border cyber-attacks, Member States need to ensure that their networks of national contact points are available round the clock, and can respond to urgent requests within a maximum of eight hours, says the text.
Background
Large-scale cyber-attacks took place in Estonia in 2007 and Lithuania in 2008. In March 2009, public and private sector IT systems in more than 103 countries were attacked using a “zombie” network of compromised, infected computers.
