Global Challenges in Securing the Human-Domain, Part I

Untangling European Laws Germane to Insider Threat as Compared to the U.S.

Hatteras Hoops
3 min read · Jul 3, 2023

The United States Code provision that enables remediation of insider fraud and computer misuse (U.S.C. Section 1030) is a broad, straightforward, prescriptive requirement for prosecutors.[1] When it comes to criminal law, it is the common tool for indicting and legally remediating cyber threats stemming from the human domain. But how does this compare with laws in Europe, a landmass of countries internal and external to the European Union (EU), each with sovereign law and some with additional external binding regulations? This research (part of a series) explores the global legal similarities and enough nuances to fill a Leprechaun’s pot of gold.

The EU is a highly regulated region, and one nuance is often overlooked: its status as an economic union requires an informed, standards-based approach. In essence, the EU provides an omnibus, acceptable framework for governance while allowing sovereign rule of law in most aspects of criminal indictments. Even the General Data Protection Regulation (GDPR) is enforced by local authorities rather than by a centralized EU body.

Also nuanced is the pace and breadth of new EU-based laws that put cybersecurity equity into play. While the GDPR is the premier regional data privacy law, the EU has recently enacted the Digital Operational Resilience Act (DORA), a regulation driving resilience and security primarily for information and technology companies (ICTs) and financial sector (FS) entities. [2] Another recent directive is the EU’s Directive on Security of Network and Information Systems (NIS 2), which prescribes governance, third-party and supply-chain risk management for the digital infrastructure, energy, health and transport sectors, taking an “all hazards approach.” [3] Also introduced, in 2022, is the EU Data Governance Act (DGA), which spans nearly every sector and seeks to establish a single data standard for the EU that helps operationalize insights from across the Union. [4], [5] GDPR, DORA, NIS 2, and the DGA are a few of the regional policies that start to form a top-down view of the complexities of identifying, detecting, protecting against, and responding to human risk.

In Germany, a leading EU member state in privacy, the laws germane to protecting organizations, people, and privacy are cumbersome. Sections 202 and 303 of the German Criminal Code (Strafgesetzbuch, StGB) cover a range of cyber-crime offenses, from denial of service or hacking to unsolicited penetration tests. Sections 143, 263, and 267 are more generally aligned with fraud, identity theft, and betrayal of corporate secrets. This is where German law distinguishes between acts, actors, and impact. Broadly, U.S.C. Section 1030 compares to the whole of the StGB sections stated above. [6]

Whereas the U.S. has an array of executive regulators largely answerable to the Attorney General, Germany has the Bundesamt für Sicherheit in der Informationstechnik (BSI) for cybersecurity-related matters. Alleged acts of espionage are coordinated through the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV) or the Federal Intelligence Service (Bundesnachrichtendienst, BND), depending on the alleged act and the threat actor. [6] Leading German prosecutors have publicly stated that it is nearly impossible to “convict anyone spying on, or sabotaging Data.” Given that total reported cyber-crimes in Germany grew by more than 2300% (in reported abuse) since 1995, it is hard to imagine how this wilderness of regulators and regulations will untangle the problem. [7]

References:

[1] C. Doyle, “Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws,” Congressional Research Service, 7–5700, Oct. 2014. [Online]. Available: www.crs.gov 97–1025

[2] “Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554.” https://www.digital-operational-resilience-act.com/.

[3] “NIS 2 Directive.” https://www.nis-2-directive.com/.

[4] “The European Data Governance Act (DGA).” https://www.european-data-governance-act.com/.

[5] “The Data Act: new EU rules for data sharing.” https://www.ibanet.org/the-data-act-new-EU-rules-for-data-sharing.

[6] Global Legal Group, “Cybersecurity Laws and Regulations: Germany,” International Comparative Legal Guides. https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/germany.

[7] “Comparison of Computer Misuse Acts around the World — Louis & Michaelis Rechtsanwälte und Strafverteidiger,” Jan. 16, 2017. https://rechtsanwalt-louis.de/comparison-of-computer-misuse-acts-around-the-world/.
