CHALLENGE | Liberty & Security



A Research Project Funded by the Sixth Framework Research Programme of DG Research (European Commission)


Proposal for a Council Framework Decision on attacks against information systems

Monday 14 November 2005, by European Commission


EXPLANATORY MEMORANDUM

1. INTRODUCTION

Electronic communication networks and information systems are now an essential part of the daily lives of EU citizens and are fundamental to the success of the EU economy. Networks and information systems are converging and becoming increasingly interconnected. Despite the many and obvious benefits of this development, it has also brought with it the worrying threat of intentional attacks against information systems. These attacks can take a wide variety of forms including illegal access, spread of malicious code and denial of service attacks. It is possible to launch an attack from anywhere in the world, to anywhere in the world, at any time. New, unexpected forms of attacks could occur in the future.

Attacks against information systems constitute a threat to the achievement of a safer Information Society and an Area of Freedom, Security and Justice, and therefore require a response at the level of the European Union. Part of the Commission’s contribution to this response is this proposal for a Framework Decision on approximation of criminal law in the area of attacks against information systems.

1.1. Types of attacks against information systems

The phrase «information system» is deliberately used here in its broadest sense in recognition of the convergence between electronic communication networks and the various systems they connect. For the purpose of this proposal, information systems therefore include «standalone» personal computers, personal digital organisers, mobile telephones, intranets, extranets and, of course, the networks, servers and other infrastructure of the Internet. In its Communication "Network and Information security - A European Policy Approach" [1], the Commission has proposed the following description of threats against computer systems:

(a) Unauthorised access to information systems.

This includes the notion of «hacking». Hacking is gaining unauthorised access to a computer or network of computers. It can be undertaken in a variety of ways, from simply exploiting inside information to brute force attacks and password interception. It is often, though not always, carried out with malicious intent to copy, modify or destroy data. Intentional corruption of web-sites, or access to services protected by conditional access without payment, can be among the aims of unauthorised access.

(b) Disruption of information systems.

Different ways exist to disrupt information systems through malicious attacks. One of the best known ways to deny or degrade the services offered by the Internet is a «denial of service» attack (DoS). In a way this attack is similar to fax machines being flooded with long and repeated messages. Denial of service attacks attempt to overload web servers or Internet Service Providers (ISPs) with automatically generated messages. Other types of attacks can include disrupting servers operating the domain name system (DNS) and attacks directed at «routers». Attacks aimed at disrupting systems have been damaging for certain high profile web-sites like portals. Some studies have calculated that a recent attack caused damage worth several hundred million Euros, in addition to the intangible damage to reputation. Increasingly, companies rely on the availability of their web-sites for their business and those companies which depend on it for «just in time» supply are particularly vulnerable.

(c) Execution of malicious software that modifies or destroys data.

The best-known type of malicious software is the virus. Infamous examples include the «I Love You», «Melissa» and «Kournikova» viruses. About 11 % of European users have caught a virus on their home personal computer (PC). There are other types of malicious software. Some damage the PC itself, whereas others use the PC to attack other networked components. Some programs (often called ‘logic bombs’) can lie dormant until triggered by some event such as a specific date, at which point they can cause major damage by altering or deleting data. Other programs appear to be benign, but when opened release a malicious attack (often called ‘Trojan Horses’). Another variant is a program (often called a worm) that does not infect other programs as a virus does, but instead creates copies of itself, which in turn create even more copies and eventually swamp the system.

(d) Interception of communications.

Malicious interception of communications compromises the confidentiality and integrity requirements of users. It is often called «sniffing».

(e) Malicious misrepresentation.

Information systems offer new opportunities for misrepresentation and fraud. The taking of someone else’s identity on the Internet, and using this for malicious purposes, is often called «spoofing».


Footnotes

[1] Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions «Network and Information Security: Proposal for a European Policy Approach» of 6.6.2001. COM (2001) 298 final.

