New EU initiatives may duplicate, or even undermine, efforts to protect the UK’s financial services industry from cyber crime. And as Sooraj Shah and Andrew Charlesworth report, this is the last thing the sector needs.
Security professionals fighting cyber crime could themselves be criminalised under plans being developed by the European Parliament. MEPs are considering proposals to make it a criminal offence to distribute hacking tools, such as scripts, with a minimum jail term of two years for convicted offenders.
That, of course, would hamper security software companies in their everyday work, as well as the security professionals employed to protect corporate and government systems.
“In an effort to combat cyber attacks, security researchers and ethical hackers are continuously seeking these tools to demonstrate weaknesses within an organisation’s network and as a way to reverse engineer solutions to combat hacks,” said Andrew Millar, chief operating officer of Corero Network Security.
If MEPs understand so little about the work of industries they seek to regulate, it is little wonder that efforts to fight cyber crime are in such disarray.
One idea to shut down the Sality botnet, one of the world’s largest networks of malware-infected computers, involves using its update feature to inject code into the botnet’s “zombie” PCs to automatically remove the Trojan that was used to take control of them. Such a technique could be used to clean up other botnets, but would effectively be outlawed under the proposals being considered in the European Parliament.
“It’s insane. MEPs obviously don’t know how security experts go about their work,” one security researcher, who wished to remain anonymous, told Computing.
The debate over plans to criminalise the distribution of hacking tools comes as the European Commission announced a new dedicated centre to fight cyber crime. The European Cybercrime Centre will be based at Europol in the Hague and is expected to start operations in January 2013.
Its staff of 36 will focus on the activities of organised crime groups, particularly online fraud involving credit cards and attacks on bank accounts. It will help to protect social network profiles from criminal infiltration; help fight against online identity theft; support member states’ law enforcement agencies in their fight against cyber crime; give technical advice to investigators, prosecutors and judges; and provide early warnings of new vulnerabilities.
FSA punishes security failings
Much of this work will inevitably overlap with efforts by the UK’s Financial Services Authority (FSA) to protect the world’s biggest financial services centre from cyber crime.
The FSA has been concentrating minds in the financial sector by handing out big fines to banks and insurers whose security has fallen short. Banking giant HSBC was fined more than £3m in July 2009 when it was found to have inadequate systems and controls in place to protect customers’ details – it even lost customer data in the post on two occasions. Zurich Insurance, meanwhile, was fined more than £2m in August 2010 after losing sensitive data relating to 46,000 of its customers.