EVENT REPORT & SUMMARY
EVENT TITLE: COMBATTING CYBER WARFARE CRIMES IN THE EUROPEAN UNION
ORGANISER: PROFESSOR DR. MIHA ŠEPEC
DATE AND VENUE: 20th JUNE 2024, ONLINE EVENT (ZOOM SESSION)
The Event titled Combatting Cyber Warfare Crimes in the European Union was advertised on the webpage of the Faculty of Law of University of Maribor (https://www.pf.um.si/) as an online event for experts of criminal law (judges, public prosecutors, defence attorneys, police officers and students). The invitation stated that all the attendees must send an email to the organizer of the event (prof. dr. Miha Šepec) in order to receive a Privacy Notice and that by registering to the event the participants agree with the use of their personal data according to the Privacy Notice.
In one month since the publishing of the advertisement on the webpage, 14 people applied for the online event. Attendees were mostly students of the Faculty of Law of University of Maribor (most were master students – 2nd grade of law study and some were PhD students – 3rd grade of law study). Tow practitioners also applied for the seminar (intern at the District Court of Maribor and a PhD laboratory researcher at the Faculty of Medicine).
The online seminar began on 20th June 2024 at 15:00 on the Zoom platform. The Lecturer prof. dr. Miha Šepec began by welcoming all the attendees, briefly explaining the schedule and reminding the attendees about the Privacy Notice. No one complained or left the seminar; therefore the Lecturer began with his lecture on Cyber Warfare Crimes in the EU.
The first topic was what are cyber warfare crimes?
Although cyber warfare crimes have neither a single definition nor a clearly established legal definition, for the purpose of the lecture the definition was “using computer technologies to disrupt or destroy an adversary’s information systems and networks, which amount to an armed attack.”
The specific of cyberwarfare crimes is that they are firstly connected with the army of an individual country – i.e. it is a military operation, and secondly that the range and scope of the crimes are significantly wider, as they attack more important targets with significantly more repulsive motives – paralyzing the country’s national security with attacks on its infrastructure, technological centres etc.
The next topic was the question if there is a European criminal law in the sense that the EU acts as a sovereign state, formulates criminal acts, conducts criminal prosecution and sanctions perpetrators of criminal acts? The answer is clearly no. However, we could speak of European criminal law, when the EU protects its monetary interests through legislation that is enforced on its members. Only in this sense can we speak of European criminal law, where the Union itself is the creator of criminal law norms. However, the Union still depends on the Member States to enforce its regulations, as in itself EU has no means of physical coercion of individuals.
This harmonization takes place, on the one hand, through an assimilation obligation on the part of the Member States and, on the other hand, through the harmonization of substantive criminal law by means of the EU’s competence to approximate and annex criminal law pursuant to Art. 83(1) and (2) TFEU.
One of such documents of harmonization is also the Directive EU 2013/40/EU on attacks against information systems. The objective of the Directive is to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences, relevant sanctions and to improve cooperation between competent authorities. Substantive criminal measures that the Directive brings to EU legislation are the following: Illegal access to information systems (Article 3), Illegal system interference (Article 4), Illegal data interference (Article 5), Illegal interception (Article 6), Tools used for committing offences (Article 7), Incitement, aiding, abetting and attempt (Article 8).
The goal of the Directive was always combatting ordinary cyber offences committed by ordinary perpetrators or hackers, and not cyberwarfare attacks committed by a foreign military or hacker organization backed by foreign state. This is evident by the fact that in 2013 when the Directive was adopted, cyberwarfare attacks on Member States were clearly not a major concern. If the EU wishes to develop a system of joint military defence, a legislation that will provide further protection of Member States against cyberwarfare attacks would be needed.
The final chapter was the presentation of the EU Institutions for combatting cyberwarfare crimes. European Union has numerous institutions for international cooperation in criminal matters, such as: Europol, Eurojust, The Court of Justice of the European Union (CJEU), European Anti-Fraud Office – OLAF and The European Public Prosecutor’s Office (EPPO).
However, not all are relevant for combatting cyberwarfare crimes as some have almost no real powers over such offences (such as OLAF, The European Public Prosecutor’s Office, CJEU). On the other hand, Europol, Eurojust and European Network and Information Security Agency (ENISA) have some authority over cyberwarfare crimes. However, even these institutions lack any real formal investigative powers, as the decision to investigate or prosecute a crime in a
The event was organised as part of the Central European Professors’ Network, coordinated by the
Central European Academy.
Member State falls to the national authorities. The goal of Europol and Eurojust is therefore to support law enforcement efforts across EU member states in addressing cyber threats and cyber-enabled crimes, while ENISA is tasked with enhancing cybersecurity across Europe.
The lecturer concluded, that although Europe has mechanisms in place to combat and prevent cyberwarfare crimes, the legal situation is still far from ideal. The main problem remains the lack of clear legal definition of cyberwarfare crimes and no focused legislation in regard to criminal prosecution of such crimes. Cyberwarfare crimes therefore remain in the domain of classical cyber crimes, which have a much smaller scope and meaning than cyberwarfare crimes. It is therefore up to the Member States to implement stricter legislation for cyberwarfare offences, or up to the EU to present new legislation that would be more adept to legally combatting cyberwarfare crimes. If the EU wishes to develop a system of joint military defence, a legislation that will provide further protection of Member States against cyberwarfare crimes would be a viable option in the future.
The online seminar was concluded at 15:30, lasting altogether 30 minutes. The lecturer thanked the participants and finished the seminar
