EU: Possession of Hacking Tools to Become a Criminal Offense

Wednesday, April 04, 2012



Cyber attacks on IT systems would become a criminal offense punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee.

Possessing or distributing hacking software and tools would also be an offense, and companies would be liable for cyber attacks committed for their benefit.

The proposal, which would update existing EU legislation on cyber attacks, was approved by 50 votes in favor, 1 against and 3 abstentions.

"We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year. No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world," said rapporteur Monika Hohlmeier (EPP, DE).

The proposal would establish harmonized penal sanctions against perpetrators of cyber attacks against an information system - for instance a network, database or website. Illegal access, interference or interception of data should be treated as a criminal offense, MEPs say.

The maximum penalty to be imposed by Member States for these offenses would be at least two years' imprisonment, and at least five years where there are aggravating circumstances such as the use of a tool specifically designed for large-scale (e.g. "botnet") attacks, or attacks that cause considerable damage (e.g. by disrupting system service), financial costs or loss of financial data.

IP spoofing

Using another person's electronic identity (e.g. by "spoofing" their IP address), to commit an attack, and causing prejudice to the rightful identity owner would also be an aggravating circumstance - for which MEPs say Member States must set a maximum penalty of at least three years.

MEPs also propose tougher penalties if the attack is committed by a criminal organization and/or if it targets critical infrastructure such as the IT systems of power plants or transport networks.

However, no criminal sanctions should apply to "minor cases", i.e. when the damage caused by the offense is insignificant.

Cyber-attack tools

The proposal also targets tools used to commit offenses: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offenses.


vaughan montgomery Does that mean owning & possessing hacking tools will be illegal? How would software developers etc. like myself be able to run penetration tests and check security of our own & our clients' systems if we are no longer allowed to own such tools?
Michael Johnson The legislation, as explained by the article linked to above, is badly conceived and open to all kinds of interpretation.
For a start, I'd imagine the word 'cyber' would nullify any legislation, since it's basically slang for the non-technical, unless the prosecutors were able to explain specifically how and why an offence was committed.
It would also be ineffective if most attacks are committed using tools not specifically created for committing said offences.
The definition of 'hacking tool' could also be expanded to cover text editors, compilers, etc.
vaughan montgomery exactly.

I have lots of tools specifically designed for hacking & attacking systems. The fact is I use them in my work non-maliciously. Not all hackers are bad people.

but to make possession of hacking tools & distribution of them illegal is totally absurd. Does anybody die from using them?

People die from gunshots. Guns are dangerous, but they're still legal (with license) & they're still sold.

Knives kill people, but they're legal & are still distributed.

hacking causes no deaths at all, but in the same case as with guns, it's down to the person using it as to whether that person uses them maliciously or not. But in the case of hacking tools, if you take them away from people, you'll find websites & servers/systems will become more vulnerable & be attacked at an exponentially increasing rate.
Michael Johnson In fact I'd argue 99% of proper hackers are good guys, and today's Internet wouldn't exist without them.

Perhaps we're worrying too much about this legislation - the lawmakers are entirely ignorant of hacking, how network penetration and security works, and what the 'hacking tools' do.
And as I pointed out, only a minority of tools are distributed for the express purpose of illegally breaking into systems.
My prediction is it'll be next to impossible to convict someone who's technically knowledgeable, and therefore several steps ahead of the prosecution.

I just don't see how they'll ever define 'hacking tool' anyway, unless someone distributes a program clearly labeled 'Hacking Tool'. For example, a vulnerability scanner by itself only scans for vulnerabilities. nmap/Zenmap only maps out a network.

Even if 'hacking tools' were somehow defined and outlawed, the criminals would still happily distribute and use them regardless, while the law-abiding professionals wouldn't, and as you pointed out, successful attacks will increase exponentially.
vaughan montgomery yep good points. but as with most types of regulations on the internet, they all are worded (purposely in most cases imo) so there is the possibility of misinterpretation and ambiguity. though i'm quite capable of 'hacking' to an extent without the use of such tools (though a computer is an essential tool), they do make life easier in some cases.

this is why governments and legislators should stay away from passing or drawing up stupid laws governing the net, when they do not have the intelligence to understand the implications of what they suggest.

i know how to make bombs too, but that doesn't mean i'm going to make 1. the crime is in the action of using it or threatening to in a malicious manner, not in having the capability or knowledge of doing so.