6 Attacks against Information Systems

(32004)
14436/10
COM(10) 517
+ ADDs 1-2 | Draft Directive on attacks against information systems, repealing Council Framework Decision 2005/222/JHA; Commission staff working documents: Impact assessment and summary of impact assessment
Legal base | Article 83(1) TFEU; co-decision; QMV
Document originated | 30 September 2010
Deposited in Parliament | 5 October 2010
Department | Home Office
Basis of consideration | EM of 13 October 2010
Previous Committee Report | None
To be discussed in Council | No date set
Committee's assessment | Legally and politically important
Committee's decision | Not cleared; further information requested
Background
6.1 In 2005, the Council adopted a Framework Decision which required
Member States to criminalise unauthorised access to, or interference
with, information systems and computer data. Member States were
also required to introduce common rules on criminal liability,
criminal sanctions, jurisdiction and the exchange of information
between law enforcement authorities. The UK participated in the
adoption of the Framework Decision and is bound by it.
6.2 In July 2008, the Commission produced a report on the implementation
of the Framework Decision.[30]
It concluded that implementation was relatively good but that
a number of new threats had emerged since the adoption of the
Framework Decision, "in particular the emergence of large-scale
simultaneous attacks against information systems and increased
criminal use of so-called 'botnets'".[31]
The term 'botnet' refers to a network of computers infected by
a virus which can be activated, without their users' knowledge,
to attack information systems. A 'botnet' is one example of a
tool which can be used to carry out large scale attacks affecting
significant numbers of information systems or causing considerable
damage.
The draft Directive
6.3 The draft Directive would repeal the 2005 Framework Decision
while incorporating most of its provisions and introducing some
new elements to strengthen Member States' capacity to prevent
and prosecute large-scale attacks against information systems.
The new elements would require all Member States to criminalise:
- the intentional interception of non-public transmissions
of computer data from an information system (Article 6); and
- the production, sale, procurement, import, possession or
distribution of any device or tool for the purpose of committing
any of the offences contained in the draft Directive (Article
7).
6.4 In addition, the draft Directive would require Member States
to impose tougher criminal penalties if any of the following "aggravating"
circumstances apply:
- where a criminal organisation is involved in the commission
of an offence;
- where the offence has been committed by means of a tool (such
as a botnet) designed to attack a significant number of information
systems or to cause considerable damage; and
- where the commission of the offence conceals the real identity
of the perpetrator and causes prejudice to the rightful identity
owner.
In such cases, Member States would be required to introduce a
maximum term of imprisonment of at least five years (Article 10).
6.5 The draft Directive would extend the bases for establishing
which Member State has jurisdiction so as to include the place
of habitual residence of the offender (Article 13). There would
be a new obligation on national contact points to provide an initial
response to urgent requests for information within eight hours
(Article 14) and a new requirement for Member States to collate
statistical data on offences covered by the draft Directive (including
the number of offences reported, any follow-up, and the number
of investigations, prosecutions and convictions each year)
(Article 15).
6.6 The legal base proposed for the draft Directive is Article
83(1) of the Treaty on the Functioning of the European Union (TFEU)
which provides for the adoption of directives "establishing
minimum rules concerning the definition of criminal offences and
sanctions in the areas of particularly serious crime with a cross-border
dimension resulting from the nature or impact of such offences
or from a special need to combat them on a common basis".
Computer crime and organised crime are two of the areas identified
under Article 83(1) as suitable for EU action.
6.7 The Commission says that EU action is justified for the following
reasons:
- attacks against information systems often have a cross-border
dimension;
- approximation of Member States' criminal laws will discourage
offenders from exploiting differences by operating in Member States
with more lenient criminal laws or sanctions;
- a common understanding of what constitutes criminal behaviour
will make it easier for Member States to co-operate in exchanging
information and collecting and comparing data; and
- a common EU approach will enhance the EU's contribution to
international efforts to tackle cyber crime (for example, within
the Council of Europe and G8).
6.8 The Commission's impact assessment (ADDs 1-2) considers a
number of options, including non-legislative measures, to achieve
its principal objective, a reduction in the number of large-scale
attacks originating in, or targeting, the EU. It concludes that
the introduction of limited and targeted measures to update the
legal framework established by the 2005 Framework Decision would
be most effective. The Commission says that the stronger penal
measures proposed in the draft Directive would be likely to "reduce
the financial cost caused by large-scale attacks coming from the
EU and third countries, which in turn will have a positive economic
impact in terms of the continued growth of the Internet economy
(estimated at more than 300 billion in Europe) and the economy
as a whole".[32]
The main costs for Member States would arise from the obligation
to collate statistics and to ensure that national contact points
are capable of responding in urgent cases within an eight hour
deadline. The Commission estimates the total cost for all Member
States at just under 6 million.[33]
The Government's view
6.9 In his Explanatory Memorandum of 13 October, the Parliamentary
Under-Secretary of State for Crime Prevention (James Brokenshire)
says that "a robust response and a consistent approach across
the EU" is needed to prevent attacks on information systems
and prosecute those responsible. He adds that, as the draft Directive
incorporates many of the provisions contained in the 2005 Framework
Decision, "significant new legislation is unlikely to be
necessary for the purposes of implementation" as most of
the offences described are already included in the Computer Misuse
Act 1990.[34]
6.10 The Minister helpfully identifies the provisions in the draft
Directive with which the UK may not be fully compliant and which
might therefore require changes to domestic legislation. These
include:
- the requirement in Article 7 to prosecute the creation, possession
and distribution of tools for the purpose of illegal interception;
- the requirement in Article 10 to increase the maximum term
of imprisonment to not less than five years in cases where aggravating
circumstances apply: UK legislation does not provide for
the maximum sentence to be increased in such cases but, rather,
envisages that the existence of aggravating circumstances will
result in the imposition of a sentence at the upper end of the
sentencing scale. The maximum sentence in the UK for at least
one of the offences in the draft Directive is less than five years,
so the UK would either have to increase the level of sentence
or create a specific new offence with a higher maximum sentence;
and
- the extension of extra-territorial jurisdiction to include
offences under Articles 6 and 7 of the draft Directive on illegal
interception and the illegal use of tools to commit computer crimes
would require changes to section 4 of the Computer Misuse Act
1990 and section 1 of the Regulation of Investigatory Powers Act
2000.
6.11 The Minister indicates that the Government will seek to ensure
that the current, non-statutory basis for providing an operational
national contact point (through the Serious Organised Crime Agency)
is compliant with the requirements of the draft Directive, and
will also seek further detail from the Commission on the type
of statistical data which Member States would be required to collate
under Article 15. The UK already collates information on prosecutions
and convictions under the Computer Misuse Act 1990, but does not
collect broader statistical information on computer crime.
6.12 The Minister notes that the UK's Opt-in applies to the draft
Directive and that the deadline for notifying the Government's
decision on whether or not to opt in is 28 December 2010. He adds:
"The Government will particularly consider the impact of
the given proposal on our security, civil liberties, the integrity
of the UK common law systems and the control of immigration.
"We do not believe that the Directive would have a significant
impact upon UK national security, as the Directive relates to
tackling criminal activity. We do not believe that there
are concerns relating to the balance of EU and UK competence in
this area.
"Most of the offences contained in the Directive are already
offences in UK law and therefore we do not believe that the Directive
poses any significant concerns relating to civil liberties.
"The proposed sentences for offences committed as part of
an organised crime group do conflict with the current sentences
in UK law. We would seek to address this in negotiations.
"Any decision to amend UK legislation will take into account
the outcomes of impact assessments, the potential costs, and better
regulation."[35]
6.13 The Minister considers the proposed legal base for the draft
Directive to be appropriate and agrees with the Commission's assessment
that EU action is justified on grounds of subsidiarity. He provides
an extensive analysis of the fundamental rights implications of
the draft Directive. A number of provisions lack precision (for
example, criminal liability under certain Articles applies only
for cases "which are not minor"), but the Minister adds
that the UK would seek to ensure more precise wording during negotiations
and in any ensuing domestic implementing legislation. He concludes
that the Government is satisfied that the draft Directive complies
with fundamental rights.
6.14 Finally, the Minister indicates that there would be some
financial cost associated with UK participation in the draft Directive
(as currently worded) resulting from the need to amend some aspects
of domestic legislation and to establish a structure for collating
statistics relating to cyber crime.
Conclusion
6.15 We thank the Minister for his informative Explanatory
Memorandum which sets out clearly the possible implications of
the proposed Directive for UK domestic law and sentencing policy.
We agree that large-scale attacks against information systems
are likely to have a cross-border dimension and require close
co-operation between Member States. We think that the legal base
proposed is appropriate and accept that there is a case for further
EU action to respond to new methods and tools for committing cyber
crime.
6.16 We note that many of the provisions in the proposed Directive
are the same as those included in the 2005 Framework Decision.
The Framework Decision established criminal liability for illegal
access to, or interference with, information systems and computer
data and required Member States to ensure, in each case, that
criminal liability applies "at least for cases which are
not minor". While such language may not be unusual in Framework
Decisions adopted before the Lisbon Treaty entered into force,
at a time when the jurisdiction of the Court of Justice for EU
criminal law matters was limited, we question whether such language
continues to be appropriate, and to provide the necessary legal
certainty and clarity, in the post-Lisbon era where the Court
will have full jurisdiction to sanction Member States for inadequate
transposition or implementation of new EU criminal law measures.
The Minister alludes to the problem of unclear and imprecise wording
in his Explanatory Memorandum and suggests that this can be tackled
during negotiations or by implementing more precise national laws.
We think the former course would be preferable.
6.17 The rules on jurisdiction in Article 13 of the draft Directive
differ in one important respect from those set out in the Framework
Decision. Article 13(1)(b) would require a Member State to exercise
jurisdiction where an offence has been committed by a person who
is "habitually resident" within the territory of that
State. We should be grateful if the Minister would explain what
implications, if any, this provision would have for existing UK
rules on jurisdiction.
6.18 We note that the Government has not yet decided whether
or not to opt into the draft Directive. We should be grateful
if the Minister would inform us of the Government's decision and
provide us with progress reports once negotiations are underway.
Meanwhile, we intend to hold the draft Directive under scrutiny.
[30] Member States were required to implement the Framework Decision by 16 March 2007.
[31] Commission's explanatory memorandum, section 1, paragraph 2.
[32] See ADD 1, section 5.3.1, p. 34.
[33] Compliance costs for the UK may be lower than in some other Member States as the UK national contact point is already capable of responding within 12 hours, so little additional resource is likely to be needed to reduce this to 8 hours; see ADD 1, section 5.3.10, p. 40.
[34] Paragraph 13 of the Minister's Explanatory Memorandum.
[35] Paragraphs 51-55 of the Minister's Explanatory Memorandum.