In light of recent terrorist and cyber-terrorist attacks, European states have more seriously focused on measures that could be taken to prevent future attacks and bring to justice those responsible or associated with terrorist activities.
Although each EU state has its own body of laws that interprets and treats various forms of cyberattacks, the EU has proposed several legislative actions that contribute to the fight against cybercrime.
The “Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA” attempts to draw up guidelines regarding how EU countries should cooperate, what mechanisms should be set in place to facilitate exchange of information between EU member states, and how user privacy (data) should be handled.
Who’s in charge of EU cybersecurity?
The same directive advocates the need for a centralized police body specialized in dealing with cybercrime that also acts as hub for information coming from each EU country. Member States are urged to fully cooperate with the institution and provide “possibilities for the legal detection and reporting of security gaps.”
“Relevant data should be made available to the competent specialised Union agencies and bodies, such as Europol and ENISA, in line with their tasks and information needs, in order to gain a more complete picture of the problem of cybercrime and network and information security at Union level and thereby to contribute to formulating a more effective response,” reads the Directive. “Member States should submit information on the modus operandi of the offenders to Europol and its European Cybercrime Centre for the purpose of conducting threat assessments and strategic analyses of cybercrime in accordance with Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol) (1).”
Consequently, Europol and ENISA have become the two EU cybercrime organizations that State Members need to cooperate with whenever cybercrime crosses multiple EU borders.
Is Legislation Enough to Fight Cybercrime?
Recent endeavors to set up a coherent and restrictive legislative framework that allows law enforcement to identify and prosecute cybercrime have also met skepticism from data protection activists.
While new directives and laws aim to provide greater visibility into how companies treat cyberterrorist incidents, some believe they infringe on basic citizen privacy rights, allowing for continuous monitoring of all individuals, not only those associated with terrorist or cyberterrorist activities.
Encryption has also entered the spotlight as law enforcement has been pushing either for a complete lack of it or for mechanisms that allow them to eavesdrop on all “encrypted” channels.
While the EU has yet to adopt such a law/directive, China has already passed a controversial anti-terrorism law requiring all companies that operate within its borders to provide decryption keys for all encrypted information, if the state demands it.
Stating that China is simply carrying out an action that other countries are debating, Li Shouwei, deputy head of the parliament's criminal law division under the legislative affairs committee, said this is necessary when fighting terrorism at a global level.
The United Kingdom has also proposed the Investigatory Powers Bill, aiming to grant more power to security services by having phone companies store records of visited websites and even help with descrambling encrypted communications.
“Interception is the making available of the content of a communication – such as a telephone call, email or social media message – in the course of its transmission or while stored on a telecommunications system,” reads the IP Bill Draft. “Interception is used to collect valuable intelligence against terrorists and serious criminals, which can inform law enforcement and national security investigations as well as support military operations.”
Will it stop Cyberterrorism?
While companies might be legally bound to stop using strong encryption or allow law enforcement agencies to tap into all user data, cyberterrorists feel no such obligation.
While the rest of the world will be “downgraded” in terms of encryption, it will also make it easier for cybercriminals to tap into their data, not only law enforcement. The whole idea of operating outside the law is that you can do whatever it takes to reach your objectives, meaning that new regulations will also make it easier for cyberterrorists to do their “job” while the average user is an innocent bystander in the data security and privacy war.
The Legislation Unicorn
With states struggling to either individually or collectively pass legislation that can combat cyberterrorist attacks, some proposals have been criticized as usurping basic privacy rights for both companies and end users.
Continuous collaboration into finding the adequate legal framework that can help law enforcement agencies identify cyberterrorist activities is mandatory if we’re to find the right balance between control and privacy.
This global initiative will likely continue throughout 2016, chipping off some of the privacy-infringing proposals already drafted. Continued collaboration between the public and private sector is vital in setting the right legal context that satisfies both national security concerns and consumer rights.