On Thursday, a European Parliament committee approved a new draft directive (PDF) that would, among other things, require European Union member states to step up criminal penalties for hacking, botnets, and other digital malfeasance.
Under EU law, directives are a set of instructions for all 27 (soon to be 28, when Croatia joins on July 1, 2013) member states to “translate” the new rules into their own local law. The new draft directive is set to be voted on by all of Parliament in July 2013 and enter into force shortly thereafter if approved.
According to a press release from the civil liberties committee, the new language requires that maximum prison terms for “illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences,” be set at least for two years.
In addition, the new law also creates new minimum jail time of “at least three years’ imprisonment for creating ‘botnets,’ i.e. establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber attacks.”
Among the harshest of the new revisions are the punishments associated with cyberattacks against “critical infrastructure,” including power plants, public transit networks, and government computer systems—the minimum sentencing would be at least five years in prison.
In addition, EU member states would be required to provide cross-border assistance to each other within eight hours of an urgent request for help.
While the new draft passed the commitee by a vote of 36-8, the Green Party has voiced its opposition to the new language, largely on the grounds that it does not distinguish between “white hat” security testing and malicious “black hat” attacks.
“The blunt new rules on criminalizing cyber attacks take a totally flawed approach to Internet security,” Jan Philipp Albrecht, a Green Party member from northern Germany, told the IDG News Service. “The broad strokes approach to all information system breaches, which would apply criminal penalties for minor or non-malicious attacks, risks undermining Internet security.”