Following an agreement in the European Parliament on the 4th July, EU countries are to strengthen their domestic laws against the more serious forms of cyber-crime.
We can now expect to see prison sentences of at least two years handed down to those caught illegally accessing or interfering with information systems or data, and at least five years for using botnets, networks of computers controlled remotely with the aim of infecting others with malicious software.
Each member country will be left to decide where to draw the line between minor and serious offences. But there is a bigger question here about whether prison is the right punishment for hackers.
On the one hand, custodial sentences are called for because more serious crimes require more serious sentences. On the other hand, these perpetrators tend to be younger and socially different to the standard criminal profile. Controversially, they are also possibly more reformable in that they could be convinced to use their skills for good after turning their back on the dark side. Reformed cyber-criminals can and do make a significant contribution to society and industry when they decide to switch teams. Perhaps the classic example here (though not a cybercriminal) was the fraudster, Frank William Abagnale, Jr, who was the subject of the 2002 movie “Catch Me If You Can”.
There also remains some question about whether current prison regimes are the best place for cyber-criminals because of the possible development of links with established organised crime groups. At present, there seem to be few established links between traditional organised crime groups and the hacker community. Cyber-criminals seem to be able to resist the clutches of the more traditional types of underworld operators in much the same way that they evade control by the government. But if you put more hackers into prison (and for longer) then links will quickly develop, not least through protection. If you want to lay the foundations for a real cyber-crimewave, this is an excellent way to go about it.
The UK already has some fairly robust laws for cyber-crime, such as the Computer Misuse Act 1990, which can be used to jail cyber-criminals for up to five years in certain circumstances. But the act is rarely used in court. Despite estimates from the cyber-security industry that millions of cyber-crimes are taking place at any given time, there have only been about 300 or so prosecutions under the CMA since it came into effect more than two decades ago.
This is in part because financial crimes involving computers are often prosecuted under different laws, such as the Fraud Act, because the “computer factor” is often too hard, or too expensive, to prove. With other types of cyber-crime, cases are regularly dropped because of the de minimis rule; they are too small to prosecute. An enduring characteristic of cyber-crimes is that, individually, they tend to be too small to prosecute and only become significant when added together across a global span. In cyber-space, one perpetrator can commit many crimes. However, it is also worth noting that fear of cyber-crime is 10 times greater than actual victimisation.
The current problem from a European perspective, and hence the need for the EU agreement, is that cyber-crime is viewed differently by different countries. While there is widespread agreement that cyber-crimes exist, there is much disagreement as to what they consist of, and how harmful they are.
My own work has identified different security concerns arising from individual, corporate and infrastructural victimisation. Each has varying motivations and different levels of impact. But much of the legislation currently operating in Europe has tended to view cyber-crime as an individual crime with relatively low impact since no violence occurs. This decision to modernise the rules therefore brings a sense of proportionality into European Law and helps member states to recognise that cyber-crime has many degrees of seriousness.
But EU debate should not stop at agreeing on how long prison sentences should be. We need to accept that there are more constructive ways of using the talents of these people for good rather than harm. If we fail to recognise their potential, the problem may escalate rather than subside.