Tag Archive | netsec

EP directive 2013/40 on attacks against information systems – metasploit legal (somewhat)

The recent EP directive, which replaced Council Framework Decision 2005/222/JHA, at first glance doesn’t seem to differ much from the retired document – specifically, it attempts to push the law into the territory of more sophisticated attacks without tinkering too much with the already set guidelines and, nomen omen, framework. Most significant is probably the mention of botnets. The approach to up-to-date network security problems gives hope of reasonable and professional law. Unfortunately, the directive copies many troubling solutions that were part of the original document.

Some attention should be paid to the preamble, which in most cases is – let’s face it – padding. Here, however, it is important to get a grasp of the thought process behind the law, as unfortunately its purpose is not always obvious. First of all, a lot of pressure is directed towards larger-scale, more economically damaging attacks, including the mentioned botnets. It seems that the current trend in cybercrime prevention will be set more to protect enterprise targets rather than individual, ‘private’ networks. Even though it might seem almost cliché – big corporations get more from the law than common citizens – it is hard not to agree with the assessment. Attacks on single computers are common and almost impossible to trace most of the time. Furthermore, in purely quantitative terms, damages to the economy are certainly more significant when companies are affected. It is almost needless to say that in modern times, with increasing reliance on digital services, a successful breach can disable a smaller company. Second, as usual with EP directives, the need for harmonization is emphasized. Again, it is quite obviously a fair point, especially because of the borderless nature of cybercrimes. Perhaps a more important point is the underlining of the importance of providing adequate training for law enforcement and the judiciary. In Poland, the problem of lack of qualifications becomes especially visible when dealing with lesser crimes. These are reported to local police stations, where common officers do not even know how to approach the subject. Observing the current situation, it becomes obvious that a significant shift in policy is required – it is no longer possible to afford not to train every policeman in at least the basics of cybercrime. Finally, compared to the earlier act, the part about respecting privacy and protecting fundamental rights has been extended. To what degree it is a reaction to the NSA leaks remains an open question.
