Does this apply to Satellite TV?
and will it be retrospective?
Thought not.
The European Parliament's Civil Liberties Committee overwhelmingly voted to approve proposals to criminalise certain activity relating to cyber attacks last week. The proposals contain plans to make specified "legal persons" within companies liable for certain offences. "Legal persons would be liable for offences committed for …
Most hackers don't benefit its just a game. How far could you criminalise this, a college lecturer perhaps?
For instance the definition of theft, dishonestly appropriating property with the intention of permanently depriving the other of it..... You need to prove dishonesty which is subjective, prove the property has been taken, then the intention which can be subjective.
Being in possession, using, and maybe even promoting through discussion would not be enough.
Looks to be poorly draughted legislation....
Can't disagree with most of it, but I am concerned at the potential interpretion of "Individuals found in possession of or distributing hacking software and tools also face criminal charges under the Committee's proposals".
They have to be a bit more specific about what constitutes 'hacking software/tools'. Many tools can be used for these purposes but otherwise have perfectly legitimate uses.
I prefer the Computer Misuse Act approach, which focuses on intent.
However alot of new legislation is deterrant to be "tested in court" with is plain lazy in my mind. Write it right or leave it out !
Anyway I think it'll probably stay in and they'll see if it can "stick" with the first court case to try to use it. After all it's far easier to prove posession rather than intent and if I own "hacking tools" I must be a baddie. No regard for white hacks, professional penetration testers or maybe someone who wants to hack for fun with no plans to take it outside of their home network (white hacks have to start somewhere yes ?).
In MEP speak everyone who owns a crowbar must be a thief to lets do them for intent to break and enter.... idiots.... mini rant over :)
I'm not sure I like "intent" either. Motives are difficult to prove and goes down the road of thought-crime. Intent works if you catch someone in an act (in a carpark, hiding between cars, with a slim-jim), but mostly we will be looking at (computer) forensics and inferring intent. This is after the fact, not preventative.
How about "conspiracy"? While I agree that some crackers are lone-wolves, we are talking about corporate work. It requires a bit more concrete evidence, which is a bit unfashionable these days but I rather like it.
I'd also be wary of penalties which scale with "costs to rectify." We all know what the American DOD thinks of McKinnon. These costs mostly fictitious and will never be recovered, so its gesture politics and I don't like that enshrined in law. There is also a particularly cavalier attitude to putting stuff online. I've seen horrible SCADA-to-internet connectivity put in place which simply should not be there. Even RSA's crown jewels were put online instead of being air-gapped. Companies probably need to feel that the internet is a harsh and dangerous place before they take security seriously.
Lastly, why is the EU doing this? For all the good such a law may do, I strongly object to the removal of self-determination from my own country's legal system. Come up with some advice, set a standard and coordinate information regarding which countries meet which principles. When people feel that whatever they do doesn't impact their lives, they can get quite destructive.
And whenever one would be hacking for governments? ..... although it must be noticed that "certain activity relating to cyber attacks" will probably have an exemption and be excepted from legislation because any subjective and self-serving rules and regulations would be totally unenforceable.
Then of course would it be different and something to lauded and extremely well paid for by the EU, should they ever get their act together. But that then would put them into conflict with nations and their national security services, which would be/could be/are fully paid up members of their quango institution, which is an odd state of affairs which is bound to be exploited by those able state and non-state actors exercising such initiatives in the field.
Yes, all in all, a bit of a mind minefield that one ....... but a great little earner for those active in the virtual environment of digital shenanigans and ....... well, national, international and internetional cyberspace security systems.
IT
"Individuals found in possession of or distributing hacking software and tools also face criminal charges under the Committee's proposals".
Arms Industry
"Individuals found in possession of or distributing weapons also face criminal charges under the Committee's proposals".
Surely this should also apply to Weapons manufacturers. But then again the Arms industry is capable of powerfull lobbying within appropriate circles.
"Individuals found in possession of or distributing hacking software and tools also face criminal charges under the Committee's proposals."
"Criminal offences will also apply for the sale or production of tools that are used to commit cyber-attack crimes, it said."
Depending on the legal definition of hacking software and tools this criminalises at least the IT security industry and maybe everyone in IT. Just because I have a copy of BackTrack and know how to use it does not make me a criminal. How else am I going to ensure that my sites are resistant to attack?
This law could make EU based sites and companies more vulnerable to attack and cause IT security companies and researchers to move their business to non-EU countries.
I agree,
The likelihood is that the next step, should this legislation were to be put forward, possession of hacking tools would likely require some licensing control. Therefore there will be further cost for implementing and policing this. This cost will be passed on through either taxes or the license fee, putting small technology firms at ransom to either obtaining a costly license or to paying a security firms fees.
Also, the legitimate licensed security hacking tools will suffer a divide from from the criminal hacking tools that will be forced further underground. Thus rendering penetration testing more and more ineffective. Ultimately leaving all networks without any legally accepted strategy to effective network security hardening... It doesn't work, unless I am missing something...
Possession has to be assumed to be for legitimate reason, unless actions prove otherwise and further legislation is ineffective. Yes hackers must be stopped but this will not stop them it will merely tie the hands of their victims.