Internet: US warns of new denial of service risks as Whitehall
drags its feet on reform of computer crime law
The National High-Tech Crime Unit is urging the Government to
change the law to give police clearer powers to prosecute hackers
who try to halt computer systems by bombarding them with tens of
thousands of messages.
Although the police have already made representations to the Home
Office, government sources claim that a revision of the Computer
Misuse Act is low on the list of priorities and may not occur
within the current or even the next parliament.
Police are concerned that the Computer Misuse Act offers no
straightforward way for them to act against perpetrators of
denial of service (DoS) attacks.
The police concerns were raised as US government security body, the
Computer Emergency Response Team (Cert) co-ordination centre, warned
that DoS attacks could put large sections of the Internet out of
action.
The attacks represent an increasing threat to organisations that
rely on the Internet for e-commerce or use the Web to communicate
with their customers.
Research from the University of California last year suggests that
hackers are mounting at least 4,000 attacks a week.
But lawyers have advised the UK's National High-Tech Crime Unit
that Britain's current computer-crime laws are not sufficiently
clear-cut to enable police to bring prosecutions against the
perpetrators of DoS attacks.
The gap in the law means that police have to conduct detailed
examinations of computer systems to gather evidence of offences
that can be prosecuted under the Computer Misuse Act, which was
passed by Parliament before the Web was used for e-commerce.
"Our advice is that it is not clear-cut in every case that a denial
of service attack is going to constitute a criminal offence. It
depends on what people are doing to individual machines or routers
to deny service," said Tony Hutchings, intelligence team leader at
the High-Tech Crime Unit.
Police fear that apparent shortcomings in the law are deterring
organisations from reporting DoS attacks, making it difficult to
take action or collect evidence of the scale of the threat.
The IT parliamentary lobby group, Eurim, which represents IT user
organisations, has raised similar concerns.
"The Computer Misuse Act is nearly 12 years old and has not been
reviewed. The legal basis for existing law is the law of trespass.
In the modern world, with companies inviting people to view their
Web sites, that whole concept does not stand up," said Chris Sundt,
IT security consultant.
The High-Tech Crime Unit is calling on businesses to help it to
gather evidence on the scale of DoS attacks in the UK and their
impact on business profits and costs. It plans to use the
information to build up a case for reviewing the Computer Misuse
Act and other IT legislation.
Have your say on Denial of Service Attacks
The High-Tech Crime Unit is trying to gather evidence of the
problems caused by denial of service attacks. The unit, which has
promised to treat all information confidentially, wants to know
about the impact of attacks, and the costs of defending against
them. Comments to tony.hutchings@nhtcu.org