3. Criminal law protection against cybercrime

3.1. Cybercrime in international and EC/EU documents

The Convention on Cybercrime and its associated Additional Protocol should be mentioned first as these are the two most important legal documents that contribute to the protection of society against cybercrime by setting out a basic framework for cybercrime and at the same time providing the means to detect and investigate it. EU and EC legal documents related to cybercrime will also be presented.


3.1.1. Council of Europe Convention No. 185 on Cybercrime

The Convention on Cybercrime is the most important legal document on cybercrime. Its main purpose is to unify national legislation in the field of cybercrime. It does so by obliging the contracting parties to implement in their national legal systems instruments that enable the punishment of defined cybercrimes. A thorough definition of the objective element of a crime is a condition for applying the rules of criminal law in cyberspace. Furthermore, the Convention on Cybercrime creates a legal framework for uniform and joint action against the perpetrators of these crimes, regardless of the place where the crime was committed.

The Convention on Cybercrime was approved by the Committee of Ministers of the Council of Europe at its 109th meeting on 8th November 2001. The Convention on Cybercrime was opened for signing on 23rd November 2001 in Budapest. [1] This convention entered into force on 1st July 2004. 

The Czech Republic signed the Convention on Cybercrime on 9th February 2005 and ratified it on 22nd August 2013, with entry into force on 1st December 2013, while Portugal signed on the first day but only ratified it on 24th March 2010, with entry into force on the following 1st July. EU Member States have committed themselves to ratifying the Convention on Cybercrime and incorporating such provisions into their legal systems as would make it possible to clarify and investigate said criminal activity. [2] The Convention on Cybercrime has also been signed and ratified, for example, by the United States, Japan and others.

The Convention on Cybercrime [3] consists of a preamble and 48 articles, which are divided into 4 chapters:

1. Use of terms

2. Measures to be taken at the national level

Part 1 – Substantive criminal law (Articles 2–13)

Part 2 – Procedural law (Articles 14–21)

Part 3 – Jurisdiction (Article 22)

3. International co-operation

Part 1 – General principles (Articles 23–28)

Part 2 – Specific provisions (Articles 29–35)

4. Final provisions

An important step towards the unification of law is the definition of four basic groups of criminal offences (see Chapter II; Articles 2–13) and the anchoring of other general institutes of substantive criminal law. It is the uniform definition (naming) of cyberattacks that will enable their more effective prosecution in countries that have ratified the Convention on Cybercrime. In particular:

1) Offences against the confidentiality, integrity and availability of computer data and systems (Articles 2–6),

2) Computer-related offences (Articles 7–8),

3) Content-related offences (Article 9),

4) Offences related to infringements of copyright and related rights (Article 10).

In terms of general substantive principles, attempt and aiding or abetting (Article 11) and corporate liability for a criminal offence under the Convention on Cybercrime are further defined.


3.1.2. Council of Europe Additional Protocol No. 189 to the Convention on Cybercrime

The Council of Europe Additional Protocol No. 189 to the Convention on Cybercrime [4], adopted on 28th January 2003 [5], defines the range of offences which are not covered by the Convention on Cybercrime. The Convention on Cybercrime does not cover offences related to the dissemination of certain “harmful material”. [6] The Additional Protocol defines criminal offences which consist primarily in the dissemination of material that is racist, xenophobic or otherwise manifests racial intolerance. The reason for not including the crimes in question in the Convention on Cybercrime was, in particular, the signing and subsequent acceptance of the Convention on Cybercrime by the USA. [7]

The Additional Protocol consists of a preamble and 16 articles, which are divided into 4 chapters:

1.     Common provisions

2.     Measures to be taken at the national level

-       Article 3 – Dissemination of racist and xenophobic material through computer systems

-       Article 4 – Racist and xenophobic motivated threat

-       Article 5 – Racist and xenophobic motivated insult

-       Article 6 – Denial, gross minimisation, approval or justification of genocide or crimes against humanity

3.     Relationship between the Convention on Cybercrime and the Additional Protocol

4.     Final provisions

The first chapter regulates the purpose of the Additional Protocol and defines the term “racist and xenophobic material”. According to Article 1 (1) of the Additional Protocol, racist and xenophobic material means “any written material, image or other expression of ideas or theories which defends, encourages or incites hatred, discrimination or violence against any individual or group of individuals, on the basis of race, colour, gender or national or ethnic origin, as well as religion, if used as an excuse instead of one of these attributes.”


3.1.3. EU/EC documents used to harmonise legislation in the fight against cybercrime

In particular, due to the specific nature of cybercrime and the need for effective international cooperation, the EU seeks to approximate the legislation of individual Member States so that this negative phenomenon can be more effectively prosecuted. Framework decisions, directives, and other EU/EC documents are primarily a means of bringing the laws of individual EU countries into line with one another. From the point of view of the fight against cybercrime, the most important documents are the following:

·      Council Directive 91/250/EEC on the legal protection of computer programs

·      Council Decision 92/242/EEC on the security of information systems

·      Directive 98/34/EC of the European Parliament and of the Council on the procedure for the provision of information in the field of technical standards and regulations, as amended by Directive 98/48/EC

·      Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (“Directive on electronic commerce”)

·      Council Framework Decision 2000/375/JHA on combating child pornography on the Internet

·      Directive 2002/21/EC of the European Parliament and of the Council on a common regulatory framework for electronic communications networks and services (Framework Directive)

·      Directive 2002/19/EC of the European Parliament and of the Council on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive)

·      Directive 2002/20/EC of the European Parliament and of the Council on the authorisation of electronic communications networks and services (Authorisation Directive)

·      Directive 2002/22/EC of the European Parliament and of the Council on universal service and user rights relating to electronic communications networks and services (Universal Service Directive)

·      Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on the protection of data in electronic communications)

·      Commission Directive 2002/77/EC on competition in the markets for electronic communications networks and services (Competition Directive)

·      EU Council Framework Decision 2002/584/JHA on the European arrest warrant and the surrender procedures between Member States

·      Council Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography

·      Council Framework Decision 2005/222/JHA on attacks against information systems

·      Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions – Fight against spam and spyware and malicious software of 15 November 2006

·      Communication from the Commission to the European Parliament, the Council and the European Committee of the Regions on a general policy on the fight against cybercrime of 22 May 2007

·      Council Conclusions on a common working strategy and concrete measures to combat cybercrime of 27 November 2008

·      Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on critical information infrastructure protection “Protecting Europe from large-scale cyberattacks and intrusions: enhancing preparedness, security and resilience” of 30 March 2009

·      Communication from the Commission to the Council and the European Parliament, Tackling crime in the digital age: setting up the European Cybercrime Centre. 2012

·      Regulation (EU) No 526/2013 of the European Parliament and of the Council on the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 of 21 May 2013

·      Directive 2013/40/EU of the European Parliament and of the Council on attacks on information systems and replacing Council Framework Decision 2005/222/JHA of 12 August 2013

·      Regulation (EU) No 513/2014 of the European Parliament and of the Council establishing, as part of the Internal Security Fund, an instrument for financial support for police cooperation, preventing and combating crime and crisis management and repealing Council Decision 2007/125/JHA, of 16 April 2014

·      Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC of 23 July 2014 (eIDAS, or eIDAS Regulation)

·      Regulation (EU) 2016/794 of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation (Europol) and repealing and replacing Decision 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA, of 11 May 2016

·      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)

·      Directive of the European Parliament and of the Council (EU) 2016/1148, on measures to ensure a high common level of security of networks and information systems in the Union of 6 July 2016 (NIS Directive)

·      Directive of the European Parliament and of the Council (EU) 2019/713 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA of 17 April 2019


3.1.4. Legal norms of the Czech Republic

In connection with cybercrime and cybersecurity, it is necessary to mention the legal norms of the Czech Republic, which are directly related to this issue:

  • Act No. 40/2009 Sb., Criminal Code
  • Act No. 141/1961 Sb., on Criminal Court Proceedings
  • Act No. 218/2003 Sb., Act on Juvenile Justice
  • Act No. 121/2000 Sb., Copyright Act
  • Act No. 127/2005 Sb., on Electronic Communications
  • Act No. 480/2004 Sb., on Certain Information Society Services
  • Act No. 273/2008 Sb., on the Police of the Czech Republic
  • Act No. 89/2012 Sb., Civil Code
  • Act No. 110/2019 Sb., on the Processing of Personal Data
  • Act No. 14/1993 Sb., on Measures for the Protection of Industrial Property
  • Act No. 441/2003 Sb., on Trademarks
  • Act No. 527/1990 Sb., on Inventions, Industrial Designs and Improvement Proposals
  • Act No. 300/2008 Sb., on Electronic Acts and Authorised Conversion of Documents, as amended
  • Act No. 297/2016 Sb., on Services Creating Trust for Electronic Transactions
  • Act No. 160/1999 Sb., on Free Access to Information
  • Act No. 181/2014 Sb., on Cybersecurity and on Amendments to Related Acts (Cybersecurity Act)

3.1.5. Legal norms of Poland

In Polish law, the main regulations regarding cybercrime are:

  • Illegal access to a system (hacking) - Art. 267 § 1 and 2 of the Penal Code. This crime is prosecuted at the request of the aggrieved party. It is punishable by a fine, restriction of liberty or imprisonment for up to 2 years.
  • Breach of the secret of communication (sniffing) - Art. 267 § 3 of the Penal Code. This type of crime consists in obtaining proprietary information, e.g. through sniffers, i.e. programs that intercept data (passwords and user IDs). Such an act is punishable by up to 2 years imprisonment.
  • Violation of data integrity (viruses, trojans) - Art. 268 of the Penal Code, Art. 268a of the Penal Code. This offence concerns, inter alia, stealing personal data, making them available to third parties without the consent of the owner, as well as using them in an unauthorised way. There are financial sanctions (up to PLN 100,000) for committing these acts.
  • Breach of system integrity - Art. 269 of the Penal Code. Examples of such a crime are ping flood attacks, which consist in overloading the Internet connection. They can, for example, lead to the unavailability of certain services. The Polish legislator provided for a maximum penalty for this act of up to 8 years imprisonment (in the case of a breach of state security).
  • Crafting "hacking tools" - Art. 269a of the Penal Code, Art. 269b of the Penal Code. Committing this offence is punishable by a penalty of 3 months to 5 years imprisonment.
  • Act of 5 July 2018 on the national cybersecurity system.

 

3.1.6. Legal norms of Portugal

Regarding cybercrime and cybersecurity, the following legal acts are in force in Portugal, several of them repeatedly amended:

  • Law No. 109/2009, the Cybercrime Law
  • Decree-Law No. 48/95, the Criminal Code
  • Law No. 103/2015, on the criminal registry of convicted offenders for minors' sexual self-determination offences
  • Law No. 52/2003, on the fight against terrorism
  • Law No. 58/2019, on data protection, including related crimes
  • Law No. 59/2019, on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offences or the execution of criminal sanctions, including related crimes
  • Law No. 32/2008, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks
  • Decree-Law No. 131/2014, on the protection and confidentiality of genetic information, human genetic databases for healthcare and health research purposes
  • Decree-Law No. 63/85, the Code of Copyright and Related Rights
  • Decree-Law No. 252/94, on computer programmes
  • Decree-Law No. 110/2018, the Code of Industrial Property
  • Decree-Law No. 122/2000, on databases
  • Law No. 46/2018, on cyberspace security
  • Decree-Law No. 65/2021, regulating Law No. 46/2018
  • Decree-Law No. 62/2011, on critical infrastructures
  • Law No. 5/2004, on electronic communications
  • Law No. 41/2004, on privacy and data protection in electronic communications
  • Law No. 26/2016, on the access to administrative information
  • Decree-Law No. 7/2004, on information society services
  • Decree-Law No. 12/2021, on electronic identification and trust services
  • Law No. 7/2007, on the citizen card
  • Law No. 37/2014, on digital mobile key
  • Decree-Law No. 91/2018, on payment services and electronic money
  • Decree-Law No. 69/2014, approving the constitution of the National CyberSecurity Centre


3.1.7. Cybercrime in a special part of the Criminal Code

From the point of view of cybercrime, the Criminal Code contains special objective elements of criminal offences, which are focused on cybercrime, or some cyberattacks.

Cybercrime is most generally classified, in terms of the use of information and communication technologies, into criminal offences where these technologies are used as a tool to commit the offence and their use is a characteristic of the objective element, and criminal offences where elements of information and communication technologies are the target of an offender's attack, i.e. they represent an individual object or material object of attack.

The legislator has included in a special part of the Criminal Code a number of objective elements of criminal offences, which either contain features related to information and communication technologies or can be fulfilled by a cyberattack. These offences include:

-       Section 180 Illicit Handling of Personal Data

-       Section 181 Infringement of the Rights of Another

-       Section 182 Breach of Secrecy of Correspondence

-       Section 183 Breach of Confidentiality of Files and other Private Documents

-       Section 184 Defamation

-       Section 191 Distribution of Pornography

-       Section 192 Production and Handling of Child Pornography

-       Section 193 Abuse of a Child for Production of Pornography

-       Section 193b Establishing Illegal Contacts with a Child

-       Section 205 Theft

-       Section 206 Unauthorised Use of Another’s Property

-       Section 209 Fraud

-       Section 213 Practice of Unfair Games and Wagers

-       Section 214 Participation

-       Section 216 Money Laundering

-       Section 228 Damage to Another’s

-       Section 230 Unauthorised Access to Computer Systems and Information Media

-       Section 231 Obtainment and Possession of Access Device and Computer System Passwords and other such Data

-       Section 232 Damage to Computer Systems and Information Media Records and Interference with Computer Equipment out of Negligence

-       Section 234 Unauthorised Obtainment, Forgery and Alteration of Means of Payment

-       Section 236 Manufacture and Possession of Forgery Equipment

-       Section 264 Distortion of Data and Lack of Records of Exporting Goods and Technologies of Dual Use

-       Section 268 Infringement of Trademark Rights and Rights to Other Names

-       Section 267 Distortion of Data and Lack of Records of Foreign Trade with Military Material

-       Section 269 Infringement of Protected Economical Rights

-       Section 270 Infringement of Copyright, Rights Related to Copyright and Rights to Databases

-       Section 272 Public Menace

-       Section 276 Damage and Compromise of Operation of Publicly Beneficial Facility

-       Section 287 Propagation of Drug Addiction

-       Section 290 Gaining Control over an Aircraft, Civilian Vessels and Fixed Platform

-       Section 291 Endangering the Safety of an Aircraft and Civilian Vessel

-       Section 311 Terrorist Attack

-       Section 316 Espionage

-       Section 317 Endangering Classified Information

-       Section 345 False Accusation

-       Section 348 Forgery and Alteration of Public Documents

-       Section 353 Dangerous Threatening

-       Section 354 Dangerous Pursuing

-       Section 355 Defamation of Nation, Race, Ethnic or other Group of People

-       Section 356 Instigation of Hatred towards a Group of People or of the Suppression of their Rights and Freedoms

-       Section 357 Disseminating Hoaxes

-       Section 361 Participation in Organised Criminal Group

-       Section 364 Incitement to Criminal Offence

-       Section 365 Approval of Criminal Offence

-       Section 400 Genocide

-       Section 403 Establishment, Support and Promotion of Movements Aimed at Suppression of Human Rights and Freedoms

-       Section 404 Expressing Sympathies for Movements Seeking to Suppress Human Rights and Freedoms

-       Section 405 Denial, Contesting, Approval and Justification of Genocide

-       Section 407 Incitation of Offensive War

Under the Criminal Code, these cybercrimes can be classified according to many different criteria. One of the most commonly used classifications of cybercrime is the above-mentioned classification into: [8]

a) criminal offences in the commission of which the means of information and communication technologies are the subject of protection (i.e. which are the target of a cyberattack):

-       Section 182 Breach of Secrecy of Correspondence

-       Section 183 Breach of Confidentiality of Files and other Private Documents

-       Section 206 Unauthorised Use of Another’s Property

-       Section 228 Damage to Another’s

-       Section 230 Unauthorised Access to Computer Systems and Information Media

-       Section 232 Damage to Computer Systems and Information Media Records and Interference with Computer Equipment out of Negligence

-       Section 234 Unauthorised Obtainment, Forgery and Alteration of Means of Payment

-       Section 264 Distortion of Data and Lack of Records of Exporting Goods and Technologies of Dual Use

-       Section 267 Distortion of Data and Lack of Records of Foreign Trade with Military Material

-       Section 270 Infringement of Copyright, Rights Related to Copyright and Rights to Databases

-       Section 290 Gaining Control over an Aircraft, Civilian Vessels and Fixed Platform

-       Section 291 Endangering the Safety of an Aircraft and Civilian Vessel

-       Section 311 Terrorist Attack

-       Section 317 Endangering Classified Information

b) criminal offences in which the means of information and communication technologies are used to commit a criminal offence:

-       Section 180 Illicit Handling of Personal Data

-       Section 181 Infringement of the Rights of Another

-       Section 182 Breach of Secrecy of Correspondence

-       Section 184 Defamation

-       Section 191 Distribution of Pornography

-       Section 192 Production and Handling of Child Pornography

-       Section 193 Abuse of a Child for Production of Pornography

-       Section 193b Establishing Illegal Contacts with a Child

-       Section 205 Theft

-       Section 209 Fraud

-       Section 213 Practice of Unfair Games and Wagers

-       Section 214 Participation

-       Section 216 Money Laundering

-       Section 230 Unauthorised Access to Computer Systems and Information Media

-       Section 231 Obtainment and Possession of Access Device and Computer System Passwords and other such Data

-       Section 234 Unauthorised Obtainment, Forgery and Alteration of Means of Payment

-       Section 236 Manufacture and Possession of Forgery Equipment

-       Section 268 Infringement of Trademark Rights and Rights to Other Names

-       Section 269 Infringement of Protected Economical Rights

-       Section 272 Public Menace

-       Section 276 Damage and Compromise of Operation of Publicly Beneficial Facility

-       Section 287 Propagation of Drug Addiction

-       Section 316 Espionage

-       Section 345 False Accusation

-       Section 348 Forgery and Alteration of Public Documents

-       Section 353 Dangerous Threatening

-       Section 354 Dangerous Pursuing

-       Section 355 Defamation of Nation, Race, Ethnic or other Group of People

-       Section 356 Instigation of Hatred towards a Group of People or of the Suppression of their Rights and Freedoms

-       Section 357 Disseminating Hoaxes

-       Section 361 Participation in Organised Criminal Group

-       Section 364 Incitement to Criminal Offence

-       Section 365 Approval of Criminal Offence

-       Section 400 Genocide

-       Section 403 Establishment, Support and Promotion of Movements Aimed at Suppression of Human Rights and Freedoms

-       Section 407 Incitation of Offensive War

In addition to the above provisions of a special part of the Criminal Code, Section 120 of the Criminal Code also applies to cybercrime. It stipulates that “misleading persons or taking advantage of their misunderstanding may also be done by interfering with computer information or data, interfering with software equipment of a computer or by performing another operation on a computer, interfering with an electronic or other technical device, including the interference with objects designated to control such a device, or by using such an operation or interference performed by another person.”



[1] A list of states that have signed and ratified the Convention on Cybercrime can be found at:

https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=F6wSLE5D.

[2] This obligation is set out in Articles 14–21 of the Convention on Cybercrime.

[4] ETS No. 189 Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems. [online]. [cit. 20.8.2016]. Available from: https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=090000168008160f

[5] A list of states that have signed and ratified the Additional protocol can be found at:

https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/189/signatures?p_auth=F6wSLE5D

[6] With the exception of child pornography, which is directly contained in Article 9 of the Convention on Cybercrime.

[7] It is precisely the issue of racism and xenophobia that is a topic in the “grey zone” in the USA, as some statements can be considered a crime and others cannot. For example, not all manifestations of racism are considered a crime in the USA, see the First Amendment to the U.S. Constitution: the Congress will not pass any law that disregards freedom of religion or prohibits free exercise (worship), or curtails freedom of speech or press, or the right of people to peacefully gather and petition the government with a view to redressing wrongs. In order to be an infringement or a criminal offence, the reality of the threat must be proved. Otherwise, it would be a violation of the First Amendment. In contrast, expressions of racism in France or Germany, as well as in the Czech Republic, are considered a crime.

[8] Due to the diction of their objective elements, some criminal offences can be classified into both categories (these provisions protect the means of information and communication technologies, but at the same time contain signs of misuse of these technologies).