Cecilia Malmström Member of the European Commission responsible for Home Affairs Commission to boost Europe's defence against cyber-attacks Press conference Bruxelles, 30 September 2010

Source: European Commission (EC), published on Thursday, September 30 2010.

Ladies and gentlemen,

If your idea of cybercrime is a young hacker breaking into a secret service's website for fun or just to show off his outstanding ability, then you should ''reboot'' and take a closer look at reality. The rapid development of technology is leading to new ways of committing crimes, and to completely new crimes committed by highly organised groups of criminals.

Cyber-criminals today are motivated more by a desire to gain financially than to create havoc. Instead of releasing malware as a form of electronic vandalism, they design malicious code to quietly use infected machines to accomplish their objectives, such as sending spam, diverting money from bank accounts, stealing credit card numbers, displaying advertisements, or providing a backdoor into an organisation's network.

In fact, as we speak, your computer at the office or at home could be illegally used to perpetrate serious crimes without you even noticing. Your PC could be used, together with hundreds of thousands of other PCs, to bring down your own bank's security systems and to divert money from your account or to steal sensitive information like your credit card number. If you think this is a ''science fiction'' scenario, let me give you some factual elements about these new forms of crime, which are often perpetrated using so-called ''botnets''.

  • A cybercriminal acquires or produces malicious software and places it on a victim's computer. The bot program turns the victim's computer into a ''zombie'' that is able to infect more computers. All the ''zombies'' together form a botnet.
  • The bots connect the zombies to controllers, so that the cybercriminals can take control of the machines and command them.
  • Commands are sent to the zombies, which execute them against the targets.

This kind of cyber attack can be committed across a number of countries: e.g. the cyber criminal can be in the Netherlands, his command-and-control centre can be in Germany, the compromised computers can be in Ukraine, and the attack can be directed against a bank in the UK.

The number of attacks against information systems has increased significantly in recent years, and a number of attacks on a previously unknown scale and of previously unknown danger have been observed, such as those in Estonia and Lithuania in 2007 and 2008 respectively. According to an estimate by the Estonian government, the cost of the cyber attack against Estonia was roughly between EUR 19 and 28 million.

Even more recently the world witnessed the spread of a botnet called 'Conficker', which has propagated and acted on an unprecedented scale and scope since November 2008. In terms of the potential capacity of current botnets, the 'Conficker' botnet, with an alleged bot capacity of 12 million infected computers and a capacity to send 10 billion spam emails per day, is considered the biggest and fastest botnet currently affecting the world.

Inside the EU, damage from this botnet was reported in France, the UK and Germany.

French fighter planes were unable to take off after military computers were infected by Conficker in January 2009. The German army reported in February 2009 that parts of its computer network were infected by Conficker, making the websites of the German army and the Defence Ministry unreachable and preventing them from being updated by their administrators. Certain IT services, including e-mail, were unavailable for weeks to UK Ministry of Defence personnel in January/February 2009 after their systems were infected by the Conficker botnet.

In recent days experts at international level have launched an alert about a new type of malicious computer worm called Stuxnet, which is infecting a large number of power plants, pipelines and factories and could be used to control plant operations remotely. If confirmed, this would be the first case of a highly sophisticated botnet aimed at industrial targets, a development that experts do not hesitate to call ''the first directed cyber weapon''. Botnets like Stuxnet could feed wrong information and orders to industrial plants and carry out sabotage at several levels, causing severe damage.

The underlying objectives of the cybercriminals using botnets can vary. Attacks can have criminal objectives, or they can be used as one of the means in a larger campaign to exert pressure. Attacks often include one or more of the following elements:

  • Diverting money from bank accounts and stealing sensitive financial information;
  • Extortion: criminals only unlock the computers after the victims pay a certain amount of money to the controllers of the botnet;
  • Sabotage purposes: disabling (critical) infrastructure, such as a security system, either to commit another crime, or in relation to a terrorist act;
  • Exerting illicit pressure on a state or an organisation. This pressure can have various objectives. In some cases, pressure is exerted through illegal means: there are a number of documented cases where viruses attacked sites related to certain political movements, or attempted to take out the sites and servers of governments. Economic pressure on a company can be exerted through, for example, the use of emails containing malware. These can also be used to undermine the reputation of a competitor;
  • Illegal information gathering / spying activities. Information and Communication Technologies (ICT) are increasingly used for purposes of information gathering, setting up surveillance networks by breaking into computer systems of economic competitors, or political opponents.

A large-scale attack may be launched against the critical information infrastructure of, for example, a financial institution, followed by a message that the financial institution has to pay a ransom in order for the attack to cease. Networks of more than a million computers linked together by a command-and-control centre have been observed, and the damage caused by a coordinated attack through the use of such a network can be considerable.

The current legal framework has two major weaknesses. First, it does not provide an adequate answer to large-scale attacks against information systems. This is due to the absence of specific legal provisions addressing botnets and similar tools used to prepare and conduct attacks against information systems, and to the absence of dissuasive penalties for large-scale attacks. This makes prosecution more difficult, as the formal criminal offence linked to a large-scale attack may not be regarded as severe enough to justify rapid cross-border law enforcement and judicial cooperation. Cybercrimes are prosecuted according to various national laws, some of which are not specifically geared to attacks through computer systems.

Second, it does not address the issue of cross-border cooperation against such attacks in a way that would ensure the problem is dealt with swiftly. The mechanisms intended to let Member States immediately engage in operational cooperation to counter an ongoing attack are not as effective as they could be, particularly in terms of their visibility and their responsiveness to assistance requests from other law enforcement agencies.

The proposed legislation introduces new elements to address the prevention of and the fight against such attacks. It raises the level of criminal penalties to a maximum term of imprisonment of at least two years for the use of tools such as malicious software - e.g. 'botnets' - or unlawfully obtained computer passwords to commit the offences. If the offence is committed under aggravating circumstances (i.e. in the framework of a criminal organisation, or causing considerable damage, or stealing an identity), the maximum term of imprisonment will have to be at least five years.

The proposal also introduces the 'illegal interception' (stealing identity or sensitive information) of information systems as a criminal offence.

It also improves European criminal justice and police cooperation by strengthening the existing structure of 24/7 contact points, including an obligation to respond to urgent requests within 8 hours.

This of course will not fully address the problem of cyber criminality, but it will contribute to improving our tools, it will enhance cooperation, and it will provide us with a better picture of the problem by coordinating our efforts, by better defining the crime and by criminalising the tools.

Thank you very much for your attention.