Since March 26, 2013, Cyberbunker, a Dutch company that provides hosting services, has been carrying out a cyberattack of vast proportions against Spamhaus, a non-profit organization that distributes a blacklist of spammers to e-mail providers, affecting millions of people across the Internet. This cyberattack has been conducted by means of a distributed denial of service (DDoS) attack, directed at Spamhaus’s Website and later at the Internet servers used by CloudFlare, a Silicon Valley company that Spamhaus hired to deflect the onslaught.
This massive cyberattack confirms how crime on the Internet is increasing rapidly and can affect all users around the world, leading to substantial financial losses, eroding trust in online services and causing major damage to the economy.
So, the question is how the EU can protect its economy and its citizens.
In this regard, since January 9, 2013, the new European Cybercrime Centre (EC3) has been working to help protect European citizens and businesses from cybercrime. The main task of the European Cybercrime Centre is to disrupt the operations of organised crime networks that commit a large share of the serious and organised cybercrimes. Offences include those generating large criminal profits, those causing serious harm to their victims and those affecting vital infrastructure and IT systems. Moreover, EC3 would assume the collective voice of European cybercrime investigators, providing a platform to develop common positions of Union law enforcement authorities on key issues, such as Internet governance structures, and providing the natural interface for international initiatives to curb cybercrime, such as Interpol’s work in this domain.
In addition, on February 7, 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, issued a cyber security strategy (JOIN(2013) 1 final) alongside a directive proposed by the Commission on network and information security (NIS) (COM(2013) 48 final).
In particular, the adoption of the NIS directive is considered a priority for the EC, since it should help reduce the cyber security incidents and breaches that can have a major impact on individual companies and on Europe’s wider economy.
Hence, in order to address these problems and increase the level of NIS within the European Union, the proposed Directive first requires all the Member States to ensure that they have in place a minimum level of national capabilities by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs), and adopting national NIS strategies and national NIS cooperation plans.
Secondly, the aim of the proposed Directive is the cooperation of national competent authorities within a network enabling secure and effective coordination, including coordinated information exchange as well as detection and response at EU level. Through this network, Member States should exchange information and cooperate to counter NIS threats and incidents on the basis of the European NIS cooperation plan.
Ultimately, based on the model of the Framework Directive for electronic communications, the proposal aims to ensure that a culture of risk management develops and that information is shared between the private and public sectors. Companies in the specific critical sectors outlined above and public administrations will be required to assess the risks they face and adopt appropriate and proportionate measures to ensure NIS. These entities will be required to report to the competent authorities any incidents seriously compromising their networks and information systems and significantly affecting the continuity of critical services and supply of goods.
However, the security regulation should not limit the freedom and openness of the Internet. Security is in full compliance with the EU Charter of Fundamental Rights, respecting privacy with protection for personal data, freedom to conduct a business, the right to property, the right to an effective remedy before a court and the right to be heard.
Moreover, under article 4(c) of Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency (ENISA): “network and information security” means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems. In this regard, on March 13, 2012, ENISA required Europe’s businesses and government organizations to take urgent action to address cyber-attacks. It highlighted several issues, such as cyberspace’s lack of borders, failing security measures and the security issues of e-mail. It also made several recommendations, for instance to focus more on prevention and to look at more secure communication solutions.
In conclusion, it is confirmed that attacks against information systems are a growing threat, and there is increasing concern about the potential for terrorist or politically motivated attacks against information systems, which form part of the critical infrastructures of Member States and the Union. Therefore, the Member States of the EU must strengthen their actions against cybercrime, providing EU law enforcement authorities with enhanced tools to fight cybercrime. This will include provisions making the use of specific software (‘Botnets’) as a method of committing cybercrimes a criminal offence, and also increasing the maximum penalty for offenders. The initiative will strengthen the security of citizens and businesses and is expected to have a positive economic impact, as the current costs to business of countering cyber-attacks and repairing post-attack damage are very considerable and rising continually.