VVD
Europarty on-line
WRITTEN QUESTION P-0780/03
by Elly Plooij-van Gorsel (ELDR) to the Commission
(04 March 2003)
Subject: President Bush's powers to carry out cyber attacks
Up until recently very little attention was
paid to possible cyber attacks and their repercussions. In Europe the
primary responsibility for the vulnerability of computer systems was placed
on industry and organisations themselves, even by the European Parliament.
Since the terrorist attacks of 11 September 2001 in the United States
and the constant warnings about possible cyber attacks, much greater attention
is now being paid to security.
Not only do we have to fear damage as a result
of cyber attacks by Iraq or Islamic groups such as the Unix Security Guards
or Anti-India Crew but, in the war on Internet terrorism, President Bush
signed a special bill into law six months ago enabling him to carry out
cyber attacks himself. These attacks are not necessarily restricted to
Iraq but can also affect the total operation of the World Wide Web. In
other words, Bush can completely paralyse the net if he wants to. It is
assumed that only targets of military importance would be attacked. The
major problem with online attacks is that there can be a great deal of
collateral damage. Because of the high degree of complexity and interdependence
of the Internet, other countries and firms may be seriously inconvenienced
by such action. A denial-of-service attack, a classic way of disabling
a network, also has implications for intermediate networks between the
attacker and his target.
1. Is the Commission aware of this new law
which gives President Bush the power to carry out cyber attacks and, if
so, what does it think of it?
2. How does the Commission intend to protect
European citizens and firms from such attacks and their consequences?
3. Who does the Commission think should pay
for the damage that might be caused by such attacks and how can compensation
be obtained?
P-0780/03EN
Answer given by Mr Liikanen
on behalf of the Commission
(7 April 2003)
The Commission is aware of an article in the
Washington Post of 7 February 2003 that alleges that according to United
States administration officials, President Bush has signed a secret order
in July 2002, known as National Security Presidential Directive 16. According
to the Washington Post, this Directive orders the United States government
to develop national-level guidance for determining when and how the United
States would launch cyber-attacks against enemy computer networks. Allegedly,
military planners imagine computer experts hacking into enemy electronic
networks to, e.g., shut down radars, disable electrical facilities or
disrupt phone services.
The Commission is not aware of any publication or official confirmation
of this Directive by the United States government.
Measures in the area of defence against cyber-warfare have elements similar
to those promoting cybersecurity and combating computer-related crime,
and the Commission has been very active in developing policy in these
areas.
The Commission adopted a Communication on “Creating a safer information
society by improving the security of information infrastructures and combating
computer-related crime” on 26 January 2001 that acknowledges the
importance of information and communication infrastructures, including
the Internet, as a critical part of its economies and proposes specific
actions.
On 19 April 2002, as proposed in the Communication, the Commission adopted
a proposal for a Council Framework Decision on attacks against information
systems. The proposal requires Member States to establish in national
law the criminal offences of illegal access to an information system and
illegal interference with an information system. It also contained provisions
on criminal penalties, rules on liability of legal persons and associated
sanctions, rules on jurisdiction, and a requirement for Member States
to join the existing network of operational points of contact on high
tech crime available 24 hours per day, seven days per week. The Parliament
delivered its Opinion on the draft Framework Decision in October 2002,
and the Council reached political agreement on the text of the main
articles on 28 February 2003.
The eEurope 2005 Action Plan aims to stimulate security services and thus
to contribute to securing the information infrastructure. Also previous
eEurope Action Plans focused on improving cybersecurity as a priority.
In February 2003, the Commission proposed a European Network and Information
Security Agency. The objective of the Agency will be to serve as a centre
of competence where both Member States and the Commission can seek advice
on matters relating to cybersecurity. The Agency will also provide assistance
to authorities of the Member States – including the various Computer
Emergency Response Teams (CERTs).
In addition, the Commission has just launched the 6th Framework Programme
of research and technological development (RTD) in which the R&D on
security and dependability technologies is a key component of the ‘priority’
on Information Society Technologies (IST). Also in the 5th Framework Programme,
ample attention was given to security technologies and dependability of
information infrastructure, including research on interdependencies.
In most cases, under civil and criminal law in the Member States, the
attacker would be liable for most attacks against information systems.
Following implementation of the Framework Decision on attacks against
information systems, the attacks for which there is criminal liability
will be extended to include, e.g., denial of service attacks in all Member States.
In the case of acts that are carried out by or on behalf of a foreign
state (including acts of war), the question might arise whether this state
would enjoy state immunity from the jurisdiction of the courts of other
states for such acts. However, a response to this question would depend
on the precise state of international law in this evolving field, and
on the specific circumstances of the act in question.