Technological developments and the myriad cyber attacks reported in the last few years have led European legislators to publish a new directive focusing on attacks against information systems.

Published in August last year, the new directive must be transposed by member states by September 4, 2015. Largely modelled on an EU Council Framework Decision of 2005 which it replaces, the directive introduces some innovations at a European Union level. Some of these new introductions are already catered for under Maltese law.

The main aim of the directive is to harmonise criminal law measures within the EU in the area of attacks against information systems, through the introduction of minimum rules concerning the definition of criminal offences and the relevant sanctions. It also aims to improve cooperation among the competent authorities of the member states. It establishes that illegal access, illegal system or data interference, and illegal interception should be criminalised by member states.

Most of these provisions were already reflected in the Council of Europe Cybercrime Convention, also known as the Budapest Convention, to which Malta is a party. Substantive definitions and categorisations of cyber offences in our Criminal Code follow the provisions contained in the Convention.

One therefore questions what will really change in Malta pursuant to Directive 2013/40/EU. The answer is not that straightforward.

The new directive highlights the recognition by European lawmakers that information systems are a key element of the political, social and economic interactions in Europe, and that society at large has become highly dependent on such systems. There has also been the realisation that there is a dangerous increasing link between attacks on information systems and organised crime, as well as serious concern regarding terrorist or politically-motivated cyber attacks.

Critical infrastructures have been termed under Directive 2013/40/EU as an asset, system or part thereof located in a member state which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being. The directive lists power plants, transport networks or government networks as examples of critical infrastructures. In Malta we can also find examples of a critical infrastructure, such as the transport service IT system, the IT infrastructure at Mater Dei and the systems controlling our energy provision.

Evidence of a tendency towards recurrent large-scale attacks and the use of bot armies and botnets was another instigator for the promulgation of the new directive.

The directive introduces aggravating circumstances, and therefore stiffer penalties, for crimes committed through organised crime, botnets, identity theft or attacks against critical infrastructures. Currently, Maltese law does not provide for such factors as being aggravating circumstances. Under Maltese law, penalties are increased in situations where the cybercrime is committed by employees against employer or clients but also in situations where the crime is directed towards a utility operated by government.

The new directive makes it clear that criminal liability should not subsist when a person did not know that his machine was used in a criminal attack without his consent. This reflects the reality that many personal machines are infected by malicious software and recruited as zombies in botnets. The directive also criminalises aiding, abetting and attempted crimes as well as the production, sale or making available of tools used to commit offences. Article 337(C)(1)(l) of our Criminal Code already criminalises the sale, production and distribution of such devices and software.

The two most controversial aspects of Directive 2013/40/EU however revolve around minor cases as well as illegal access of computer systems committed through the infringement of a security measure.

The new directive leaves it up to the member states to determine whether criminal penalties should be imposed in situations where the cyber offence is considered to be minor. This will mean that there will not be harmonisation of cybercrime penalties, as one member state might consider an activity to be minor while another might consider it serious. Everything will depend on how the national prosecuting authorities consider the specific activity and the damage caused.

This is one of the directive’s major flaws. In fact it stipulates that member states may determine what constitutes a minor case. The directive continues that a case may be considered minor, for instance, where the damage caused by the offence or the risk to public and private interests, including the integrity of computer systems, are insignificant or are such that the imposition of a criminal penalty is not necessary. This will lead to trouble.

Unlike the Budapest Convention and our current Criminal Code, Article 3 of Directive 2013/40/EU provides that illegal access to information systems would be considered a criminal offence only when a security measure is infringed. So access to an information system without authorisation but through no breach of any security will not be considered criminal. I find this slightly puzzling, as if I leave my car unlocked, anyone could just go and make themselves comfortable in it without committing an offence.

The counter argument would be that persons accessing an unsecure system might say they did not know that they were not authorised. This will mean that all operators of IT systems will need to beef up their security. Self-help is a key concept in cybercrime, but linking unauthorised access to security breaches might not be the best option.

The EU Framework Decision of 2005 was termed as being the EU version of the Budapest Convention. While the directive published last August is surely a step in the right direction, we still need to wait and see how the member states will transpose it into national law.

Dr Ghio is a partner at Fenech & Fenech Advocates specialising in ICT Law (www.fenechlaw.com). He also lectures ICT Law and Cybercrime at the University of Malta.
