Directive 2013/40/EU on attacks against information systems – Metasploit legal (somewhat)
The recent directive of the European Parliament and the Council, Directive 2013/40/EU, replaced Council Framework Decision 2005/222/JHA. At first glance it does not seem to differ much from the retired document: it tries to push the law into the territory of more sophisticated attacks without tinkering too much with the guidelines and, nomen omen, the framework that were already in place. The most significant addition is probably the explicit mention of botnets (the recitals name them, and Article 9 provides higher minimum penalties where a significant number of information systems is affected through a tool built for that purpose). This attention to up-to-date network security problems gives some hope of a reasonable and professional law. Unfortunately, the directive also copies many of the troubling solutions that were part of the original document.
Some attention should be paid to the preamble, which in most cases is, let's face it, padding. Here, however, it is important for getting a grasp of the thought process behind the law, because its purpose is unfortunately not always obvious. First of all, a lot of pressure is directed towards larger-scale, more economically damaging attacks, including the botnets mentioned above. It seems that the current trend in cybercrime prevention will be to protect enterprise targets rather than individual, 'private' networks. Even though it might sound almost like a cliché (big corporations get more from the law than ordinary citizens), it is hard not to agree with the assessment. Attacks on single computers are common and, most of the time, almost impossible to trace. Furthermore, in purely quantitative terms, the damage to the economy is certainly more significant when companies are affected. It is almost needless to say that in modern times, with increasing reliance on digital services, a successful breach can shut down a smaller company. Second, as usual with EU directives, the need for harmonisation is emphasised. Again, this is quite obviously a fair point, especially given the borderless nature of cybercrime. Perhaps the more important point is the stress on providing adequate training for law enforcement and the judiciary. In Poland the lack of qualifications becomes especially visible when dealing with lesser crimes. These are reported to local police stations, where ordinary officers do not even know how to approach the subject. Observing the current situation, it becomes obvious that a significant shift in policy is required: it is no longer possible to afford not training every police officer in at least the basics of cybercrime. Finally, compared to the earlier act, the part about respecting privacy and protecting fundamental rights has been extended. To what degree this is a reaction to the NSA leaks remains an open question.
The directive itself opens with an article that was not included in the previous act. Apparently the EU felt the need to state explicitly that the directive establishes minimum rules for the criminal law on attacks against information systems. The second article is where things become interesting. Definitions are always a problem when dealing with cyberlaw, because the basic operations are the same for almost every piece of electronic equipment. This became apparent with the introduction of the Convention on Cybercrime, whose definition of 'computer system' managed to cover everything from a PlayStation with a controller, through two smartphones, to 'real' computer networks. Unfortunately, the directive seems to express the same content, just with more words. Instead of 'automatic processing of data' we now have a device which 'automatically processes computer data, as well as computer data stored, processed, retrieved or transmitted by that device or group of devices for the purposes of its or their operation, use, protection and maintenance'. It is quite hard to imagine a device which processes data that is not used for its operation or use. On the other hand, it is hard to make the definition precise enough to include computers and servers while excluding, for example, smartphones. Operating system: check. Connected to other similar devices: check. Performs automated data processing: don't even start. I'm not a proponent of casuistry in law, but now it seems that there is no other option than to include 'interconnected personal computers' and leave the definition of 'personal computer' for an appendix.
Among the crimes listed in the directive there is one that was not included in the framework decision: illegal interception (Article 6). Including this offence was most likely prompted by the increasing prevalence of wireless networking and the dangers that can result from activities as simple as sniffing. The number of access points available almost everywhere in bigger cities creates a perfect opportunity for rogue honeypot APs. Purely passive sniffing of traffic could not be classified as illegal access or interference, which left a gaping hole in cybercrime law. Note that the new offence covers interception 'by technical means' of 'non-public transmissions' of computer data, including electromagnetic emissions; whether traffic on an open access point counts as a non-public transmission is left for the courts to decide. The remaining offences (illegal access to an information system, illegal system interference, illegal data interference) did not change much. All of them allow member states to exclude 'minor' cases from prosecution. Given the massive volume of petty, incidental breaches, this is a good move, certainly one that saves prosecutors from being flooded with reports that could not result in convictions anyway.
Article 7, on tools used for committing offences, caused much controversy when a similar provision was included in the Convention on Cybercrime. The question that immediately comes to mind concerns penetration testing tools. At first sight there is not much to worry about: the wording 'without right and with the intention that it be used to commit any of the offences referred to in Articles 3 to 6', together with the requirement that the program be 'designed or adapted primarily' for committing such offences, suggests that as long as we do not intend to use the tools to commit a crime, there is nothing to fear. Recital 16 even states that no criminal liability is intended where such tools are produced and placed on the market for legitimate purposes, such as testing the security of information systems; a recital, however, is not operative text, and it is the national transposition that will matter. The broad scope of the article might still result in prosecution of security researchers who produce exploits for vulnerability hunting competitions. After all, before the reveal it is impossible to tell whether an exploit was meant to be used lawfully, as a demonstration of a weakness, or for an actual attack. Another problem is the activity of companies such as Offensive Security. It is no secret that BackTrack (now Kali) Linux is used as much for pen testing as it is for breaking into the neighbour's Wi-Fi and as an easy, complete hacking platform for script kiddies. Is it sufficient that the company states that its products should be used only for legitimate purposes? In Poland designer drugs gained significant popularity while being sold as 'collectors' items' not meant for consumption. Time will tell whether pen testing tools meet a similar fate.
Article 10, on the liability of legal persons, is also worth a closer look. The aim of the article is most likely to prevent corporate cyber warfare. Certainly, in modern times well-trained and well-equipped hackers are much more useful, and discreet, in hindering a competitor's efforts than physical sabotage. Industry reports, such as those published by McAfee, suggest that companies around the world face millions of cyberattacks per day. While there is no doubt that legislation is required here, it is not so certain how effective it will be. After all, there is hardly any method of sabotage or espionage that provides more plausible deniability than the computer approach (see Stuxnet). Especially since the article primarily links liability to persons who have 'a power of representation of the legal person', 'an authority to take decisions on behalf of the legal person' or 'an authority to exercise control within the legal person', which is an extremely optimistic, in terms of simplicity, picture of what cyber war among corporations might look like. Paragraph 2 does extend liability to cases where lack of supervision or control by such a person made the offence possible, but the offender must still be traced to someone under the company's authority, which is exactly the hard part.