This article, written by criminal lawyer Licia dal Pozzo, draws on her experience of handling cybercrime to highlight the danger cybercrime poses for Italy and the EU.
What are the main Italian laws and statutes relating to cybercrime?
Cybercrime is a crime that has been punished in a strict sense since 2008, according to the Criminal Code. The offences include cyber fraud, abuse of a computerised system or telematic device, damage to software and data, the dissemination of viruses, malware and other cybercrimes, including extortion and identity theft as well as money laundering and misuse of payment cards. Special laws are also relevant to punish other crimes committed via the Internet. These include intellectual property infringement.
There is also the Budapest Convention of 2001, ratified by Law 48/2008. It also established the European Investigation Order and international cooperation within the investigation field. Decree Law 82/2021 should be mentioned, as it established the National Cybersecurity Agency to combat cybercrimes which harm national interests.
There are many European regulations that apply. I would like to highlight the following: Directive 2013/40/EU of the European Parliament and of the Council on attacks on information systems; the Digital Operational Resilience Act, which will be effective on 16 January 2023, to create a framework for the financial sector's oversight; and Council Decision 2023/436 of February 14, 2023, authorizing member states to ratify the Second Additional Protocol of the Convention on Cybercrime concerning enhanced cooperation and the disclosure of electronic evidence in order to improve global collaboration among investiga
How serious is cybercrime to Italian organizations?
Cybercrime today is mostly committed by organized crime and foreign governments, not just by individuals.
It is interesting to read the report "Threat Assessment 2022" by EUIPO and Europol. They estimate that counterfeit and pirated products worth EUR 119 billion were imported into the EU in 2019. This represents 5.8% of EU imports. The report also estimates that between 2013 and 2017, lost sales due to fake goods amounted to more than EUR 83 billion per year. This is equivalent to an estimated loss of EUR 15 billion in tax revenue, and the loss of 171,000 jobs. Intellectual property crimes damage the reputations and fair production of legal producers, while distorting competition on the market. Intellectual property crimes also reduce the funds available for research and innovation.
What types of cybercrime have you seen most often subject to criminal charges?
These include electronic payment scams, computer hacking, sensitive information appropriation and extortion, or attempts at extortion, if the ransom amount is not paid.
What are the differences between the prosecution of cybercrime and other criminal cases?
Computer evidence is different from other types of evidence because it has certain characteristics. These characteristics include:
- The promiscuity of information;
- It is difficult to narrow down the search for specific information and data when there are so many computer systems and other immaterial things to consider;
- Transnationality and delocalisation: digital data is often stored on devices or servers located in countries other than the ones where investigations are conducted, or on cloud services, which can cause problems with international judicial co-operation and territorial jurisdiction;
- The subject has a highly specialised connotation, and requires technical skills that are not common among all investigative offices or even most lawyers;
- There is a great danger that evidence will be manipulated or altered;
- There is an element of anonymity to operations;
- There is no international authority on the topic that could facilitate investigations. However, we are hopeful that the Proposal of United Nations Convention on Countering the Use of Information and Communications Technologies for Crime Purposes will be realized.
It is easy to see that it can be difficult to identify the criminals who commit crimes.
What changes in criminal law and cybercrime have you seen during your career?
Cyber data is now at the heart of the process, thanks to the technological advancements required for cybercrime penalties.
Eurojust has dedicated a chapter in its most recent Annual Report, covering activities in 2021, to the fight against cybercrime. It highlights that online criminal activity is increasing in number, frequency and aggression. Eurojust's primary intervention activities are ransomware and artificial intelligence. Cryptography, as well as cybercrime, have also been highlighted. Daily, there are many victims.
What are your projections about the future of cybercrime, and the laws that surround it?
Artificial intelligence, they say, will facilitate investigations because it will increase the level of expertise required and the capability to process cyber data. To keep up with the rapid growth of cybercrime, regulatory changes must be made quickly. Both companies and the police should take action on prevention, both in terms of human and technological resources.
What is your first advice to a company that has been or may be in danger of being a victim of ransomware?
Don’t give in to the temptation of paying a ransom. There is no guarantee that the systems will be restored or the data stolen returned. By filing a complaint in a timely manner with the assistance of an attorney, you should immediately contact the Judicial Authority. Reporting is important for the good of everyone.
It is important to consider the importance of implementing prevention systems to control the supply chain, particularly the smaller, more vulnerable suppliers. It is also important to increase investment in digital safety to obtain highly skilled labour and IT alerting systems.
Are there any other comments you’d like to make about cybercrime?
In closing, I would like to mention hybrid warfare. This is not only pertinent to my jurisdiction, but also to that of the United States. The term was first used in 2006 to describe the war in Lebanon. This technique has evolved, as seen with ISIS. It is now a recurring phenomenon. Cyberattacks are one of the most offensive methods and represent the broadest and most damaging level of cybercrime. Although the effects of cybercrime are devastating and effective, the defence tools are still not available.
According to a Microsoft report from 2023 on the tactics and techniques used by Russia against Ukraine, NATO and other countries, spear-phishing attacks against Italian media and organisations, mainly in the energy, finance, IT and refugee assistance sector, were reported in Italy in late 2022.
International law has a classic notion of war in the kinetic meaning, which excludes cyberattacks as a form of violence. It is important to amend the law and to ensure that all states, as well as large and small businesses, have effective systems for resistance and resilience against this type of aggressive aggression.
Licia Dal Pozzo, Founder
Viale Abruzzi, 7 – 20131 Milano MI, Italy
Tel: +39 02 2941 1289
Fax: +39 02 2040 2080
Licia Dal Pozzo works as an advocate in Milan, Italy. Her expertise is criminal law. She has handled a wide range of subjects, including cybercrime and IP enforcement.