Parliamentary Assembly

Draft resolution

1The Parliamentary Assembly is aware of the epochal positive impact of new information technologies on all aspects of modern societies and human life. Besides these positive effects, new vulnerabilities of our societies have emerged through the growth of the Internet and other computer networks. The Assembly is alarmed by the number and magnitude of criminal attacks perpetrated in cyberspace over the past few years, undermining public trust in technological development.

2The Council of Europe has set important international legal standards in this field though its Conventions on Mutual Assistance in Criminal Matters (ETS Nos. 30, 99 and 182), on the Suppression of Terrorism (ETS Nos. 90 and 190), on the Prevention of Terrorism (CETS No. 196) and on Cybercrime (ETS Nos. 185 and 189). Nevertheless, severe obstacles still hamper the investigation and prosecution of cyberoffences, particularly in the context of cross-border networks, and the sanctions provided for by national legislation are not always adequate. The Assembly therefore believes that further work is necessary at European and international level in order to address adequately the challenges posed by cyberterrorism and other forms of large-scale attacks on and through computer systems, which threaten the national security, public safety and economic well-being of States.

3Having regard to the relevant European Union legislation, in particular the European Union Convention on Mutual Assistance in Criminal Matters, the Assembly emphasises the need to further develop and co-ordinate international legal and practical aspects, including the following principles:

3.1requests for mutual assistance should be executed by the requested State as soon as possible, taking as full account as possible of the deadlines indicated by the requesting State. If a request cannot fully be executed in accordance with the requirements of the requesting State, the authorities of the requested State should promptly indicate the estimated time needed for execution of the request and the conditions under which it might be possible to execute it;

3.2each member State should ensure that systems of telecommunications services operated via a gateway on its territory, and which for the lawful interception of the communications of a subject present in another State are not directly accessible on the territory of the latter, may be made directly accessible for the lawful interception by the latter State through the intermediary of a designated service provider present on its territory. Such a procedure should be accompanied by safeguards against espionage by third States;

3.3member States should agree on a common level of criminalisation of large-scale cyberattacks, including aggravating circumstances of those attacks, as well as on minimum standards for penalties for such attacks.

4Although mutual legal assistance of law-enforcement authorities has to be improved and adapted with regard to technological developments, the Assembly is aware that other fundamental rights must not be compromised, in particular the right to protection of private life and personal data under Article 8 of the European Convention on Human Rights (ETS No. 5) and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108).

5Aware that certain services and infrastructure are critical for the national security, public safety and economic well-being of States, the Assembly recommends that member States:

5.1draw up Internet-independent emergency plans against cyberattacks on critical services and infrastructure, such as electricity services, gas and oil pipelines, power plants, waterworks, telecommunication networks, airports, railways, hospitals, fire brigades, security services and the military;

5.2install technical security measures for the protection of critical services and infrastructure on their national territory, such as the creation of closed back-up computer systems and networks which can be used if open Internet connections are attacked or blocked;

5.3conclude bilateral emergency agreements with neighbouring States, in order to ensure mutual assistance in case of a cyberattack on critical services or infrastructure;

5.4establish an adequate legal framework for public–private co-operation in the defence against large-scale cyberattacks;

5.5recognise that States are internationally responsible for taking all reasonable measures to prevent large-scale cyberattacks from being launched by persons under their jurisdiction or emanating from their national territory;

5.6criminalise the production, distribution and use of malware which is intended to enable individuals to prepare or launch large-scale cyberattacks.

6Providers of critical services or infrastructure should be obliged to immediately report any large-scale cyberattack on them to the competent law-enforcement authorities of the Sate where they have their registered seat, as well as of the State where such an attack occurred. In addition, any natural or legal person should be made aware of how to report cyberattacks on them to their competent law-enforcement authorities.

7Producers of hardware and software should immediately inform their customers if a systemic weakness is detected which allows large-scale cyberattacks, such as through Botnets, electronic viruses or other malware.

8Providers of cloud computing services should set up security measures to protect their cloud against attacks on its security and integrity which could lead to large-scale cyberattacks, such as Botclouds.

9Providers of public websites should ensure that their sites do not contain electronic viruses or other malware which could lead to large-scale cyberattacks. For this purpose, their webmasters should regularly apply technical devices to prevent such malware.

10Producers and sellers of computers or software should regularly inform computer owners about their possibilities, and ultimate responsibility, for ensuring the technical safety of their computers when connecting them to the Internet or other public computer networks.

11Member States should develop binding security standards for protection against large-scale cyberattacks as well as the public certification of such standards, if possible at European or international level.

12The Assembly invites the Secretary General of the Council of Europe to initiate and co-ordinate intergovernmental action of the Council of Europe, establish co-operation programmes with the information technology industry and Internet service providers, and ensure closer co-operation with the European Union and the United Nations in this field of utmost importance.

Draft recommendation

1The Parliamentary Assembly refers to its Resolution …. (2015) on increasing co-operation against cyberterrorism and other large-scale attacks on the Internet.

2It emphasises the importance for the Council of Europe to address the globally growing challenge to the security of computer networks posed by cyberterrorism and other forms of large-scale attacks on and through computer systems, which represent a serious threat to the national security, public safety and economic well-being of States.

3The Assembly recommends that the Committee of Ministers:

3.1invite the Parties to the Convention on Cybercrime and its Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS Nos. 185 and 189) to:

3.1.1draft an additional protocol defining a common level of criminalisation of large-scale cyberattacks, including aggravating circumstances of those attacks, as well as on minimum standards for penalties for such attacks;

3.1.2draft another additional protocol on mutual assistance regarding investigative powers, extending in particular the scope and application of Article 32 of the convention, in accordance with the respective Guidance Note of the Cybercrime Convention Committee representing the Parties to the convention;

3.2invite the Cloud Evidence Group established by the Cybercrime Convention Committee to study the feasibility of drafting an additional protocol to the Convention on Cybercrime regarding criminal justice access to data on cloud servers;

3.3draft legal standards on the international responsibility of States for taking all reasonable measures to prevent large-scale cyberattacks from being launched by persons under their jurisdiction or emanating from their national territory against computer systems in another State;

3.4increase the assistance and monitoring action regarding the implementation of the Convention on Cybercrime in domestic law and practice as well as practical measures and co-operation against large-scale cyberattacks, in particular for the benefit of member States where the practical implementation of the Convention on Cybercrime faces difficulties;

3.5call on Austria, Bosnia and Herzegovina, the Czech Republic, Greece, Hungary, Iceland, Ireland, Italy, Malta, Monaco, Portugal, San Marino, Sweden and the United Kingdom to sign and/or ratify without further delay the Protocol of 2003 amending the European Convention on the Suppression of Terrorism (ETS Nos. 90 and 190), which is necessary for the entry into force of this Protocol;

3.6transmit to their competent national ministries and authorities this recommendation and Resolution …. (2015) on increasing co-operation against cyberterrorism and other large-scale attacks on the Internet.