The European parliament has voted in favour of stronger sentences for cybercriminals, especially those that threaten national infrastructure.
Under new laws the 28 EU member states will be required to set terms of no less than two years in prison for individuals caught illegally accessing information systems, tampering with data, illegally intercepting communications, or creating tools that help commit such offences.
This mandated minimum rises to five years if the individuals involved target national systems such as energy plants, public transportation or government servers. These new sentences are higher than tariffs currently imposed by some member states.
The changes also directly address the creation and operation of botnets – groups of hacked computers that are run in tandem to commit offences such as sending out spam and denial of service attacks. Such botnets can be massive in size, with their owners wielding great power.
For example, the Srizbi botnet, estimated to be either the world’s largest, or second-largest botnet, is thought to be made up of around half a million machines. When a hosting provider associated with the botnet was shut down in November 2008, global spam volumes dropped by up to 75%.
Botnet creators add machines to their networks through spam emails and malware, often building up networks before renting or selling it to other criminals. Anyone found setting up a botnet will face a minimum of three years in jail, and if the system is used to threaten national infrastructure then again, the minimum sentence rises to give years.
Member states have two years to sign the new directives into law, with only Denmark choosing to opt out in favour of its own rules. Legislators hope the changes will standardize laws across the EU, where each country has its own variation on cyber law.