Since February Computer Weekly has been marshalling its Lock Down
the Law campaign to protect businesses from the increasing threat
of cybercrime. Andy Favell explores the evolution of the UK's
high-tech crime law and discusses how it might be changed.
Last week, the National High-Tech Crime Unit reported that every
UK business is attacked on average three times a month by
cybercriminals. Almost half of UK companies polled in a Department
of Trade & Industry survey earlier this year experienced at
least one malicious security breach last year. Yet few offenders
that target business - virus writers and hackers - seem to end up
in prison. This has led to a heated debate about changes to
legislation and to the way in which crimes are reported,
investigated or prosecuted.
The statute at the heart of UK computer crime law is the Computer
Misuse Act 1990. Yet despite the number of attacks, in 2000 the
courts handed out 15 convictions and four prison sentences where
the principal offence was under the Act and 31 convictions and 15
prison sentences where the more serious offence was under a
different statute.
Concern about rising computer crime led to the creation in April
2001 of the National High-Tech Crime Unit. Some 25% of the unit's
activity focuses on hacking, virus attacks and denial of service
attacks, but all six convictions in which the unit was involved
were crimes against children, rather than business, according to
its annual report, published this month.
Many arguments are put forward as to why so few high-tech crimes
against business end up in court: IT managers hush up attacks; the
police do not have sufficient experience or resources to
investigate; or the legal establishment has not grasped how to
bring criminals to justice. Whatever the reason, the fundamental
problem is that until more ground-breaking - or "precedent" - cases
end up in court much of the law on cybercrime will remain unclear
to business, the police and the legal establishment.
High-tech crime offences fall into two categories: established
offline crimes that are now perpetrated using a computer; and
crimes that specifically target computer systems and networks.
The unit's 2002 review says, "It is a fact that almost any crime
committed in the real world can be committed in the virtual one.
Indeed some real-world crimes have been revitalised in the
electronic environment. We should not forget that organised crime
will turn its hand to anything that is lucrative."
The body of law covering this first category is as vast as the
number of crimes for which computers can be used: theft, blackmail,
narcotics trafficking, illegal immigration, terrorism, child
pornography or conspiracy. These laws long preceded high-tech
crime, says Peter Sommer, research fellow at the London School of
Economics, so many high-tech crimes will be enforced under "laws
without the word 'computer' in them".
It is not just identifying applicable laws that is tricky; there is
also the requirement to prove the case. Traditionally this involves
tangible evidence, but in a high-tech crime the police have to
investigate and the prosecution has to win a case based on virtual
evidence.
Should a high-tech crime expose a weakness in existing statute law
- usually illustrated by the collapse of a prosecution - the Home
Office will, where practical, update the existing offline statute,
rather than create a new law dedicated to computer crime.
"Any existing or new legislation needs to be equally capable of
applying to offences committed offline or online, or there will
indeed be offences which fall through the cracks," says a
spokesperson for the Home Office high-tech crime team. For example,
"The Sexual Offences Bill intends to establish a new grooming
offence, to apply both to the Internet and offline."
The Home Office is currently considering alterations to the law of
theft that could widen the legislation to include new offences both
offline and online.
Sometimes it is not practical to amend existing legislation. In the
1980s, the UK courts were struggling to re-interpret the existing
law to convict hackers. In the case of Crown v Gold (1988), for
example, two journalists, Gold and Schifreen, were acquitted having
accessed BT's network using a password that they had seen being
used at a trade show. Such cases resulted in the Computer Misuse
Act 1990.
The Act established three computer misuse offences: unauthorised
access to computer material (section 1); unauthorised access with
intent to commit or facilitate the commission of further offences
(section 2); and unauthorised modification of computer material
(section 3). The maximum sentences are six months for the first
section and five years for the other two.
In the 12 years since the Act became law, the courts have
interpreted the wording of the Computer Misuse Act widely in
hacking cases. The first prison sentences handed out were in 1993
to two members of the Eight Legged Groove Machine, Strickland and
Woods: six months each. Since then precedent cases have shown that
to convict a hacker using the Act it is not necessary for them to
hack into systems - knowledge of the password might be legitimate -
or to be motivated by profit or even causing damage. The courts
will also hand out stiff rebukes and sentences to match.
The case of Crown v Lindesay last year involved a revenge attack
following a dispute over money. Victor Lindesay accessed the Web
sites of three clients of his former employer using passwords he
already knew. He defaced three Web sites and sent e-mails from a
supermarket Web site to the customers warning them of price rises.
The cost of putting the damage right was £9,000. The Appeal Court
refused to reduce his nine-month prison sentence.
"That is not lenient," says Richard Chapman, a solicitor at Berwin
Leighton Paisner. He points out that such sentences dispel any myth
that courts are not tough on hackers, stating that criminals often
receive shorter sentences for crimes that cause physical harm to
others.
In 1995 the courts determined that the writing and distribution of
computer viruses was punishable under the Computer Misuse Act 1990.
"For distribution of viruses the precedent in the UK is Crown v
Pile," says Rupert Battcock, an IT lawyer at Nabarro Nathanson.
"There may have been subsequent UK prosecutions for distribution of
viruses, but I do not believe they have added anything to [case
law]."
Christopher Pile - also known as The Black Baron - received an
18-month prison sentence for writing and distributing a computer
virus contrary to sections 2 and 3 of the Computer Misuse Act.
According to estimates the virus caused £500,000 of damage to
computer systems. It was irrelevant that Pile did not know who his
victims would be.
Denial of service attacks
In denial of service attacks the point of contention arises where
there is no precedent case law. It is often argued that denial of
service may not contravene the provisions of the Act. A denial of
service attack attempts to disable a server by bombarding it with
data messages; it does not necessarily require gaining unauthorised
access to a computer or modifying its contents.
In recent years, attacks on eBay, E*trade, Microsoft and many
Internet service providers (ISPs) have hit the headlines. In
January a small UK ISP, Cloud Nine was put out of business by such
an attack. Researchers from the University of California at San
Diego believe that 4,000 denial of service attacks happen worldwide
each week.
The champion of the campaign to legislate against denial of service
attacks is the Earl of Northesk. In May, Northesk introduced the
Computer Misuse (Amendment) Bill as a private member's bill in the
House of Lords. However, he does not plan to re-introduce it in the
current session as he believes the Government will not give a
private bill a good hearing. Instead it should review the
legislation itself. "It is much more important that a wholesale
review be conducted to achieve a casting of law in this area," says
Northesk. "Inevitably that is a task for government, not for
individual members of Parliament."
Theft
The crime of "identity theft" - obtaining services by deception -
hit the headlines worldwide last
month as several people were arrested in the US after a computer
helpdesk employee allegedly stole and sold on 30,000 credit card
numbers. Consequent damage was estimated at $2.7m (£1.7m).
The UK's fraud prevention service CIFAS claims that in 2001 there
were more than 40,000 cases of identity fraud identified in the UK,
yet the CIFAS Web site states, "Perhaps surprisingly, identity
theft is not yet a crime under UK law."
In the UK a criminal act occurs if and when the false identity is
used - deceptively - to buy goods or services. If the purchase is
made on the Internet, however, we have a problem. As the Law
Commission report of July spells out, "Because it requires
proof of deception, the offence under section 1 of the 1978 Theft
Act fails to catch a person who succeeds in obtaining a service
dishonestly but without deceiving anyone. This may happen [if]...
The service may not be provided directly by people at all, but
through a machine. For example, the defendant downloads, via the
Internet, software or data for which a charge is made... by giving
false credit card or identification details."
The Law Commission proposes creating an all-encompassing offence of
dishonestly obtaining services with the intent to avoid payment.
This appears in a proposed bill on fraud and dishonesty currently
under consideration at the Home Office.
In recognition of the fact that cybercrime is often perpetrated
from outside local legal jurisdictions, there have been
international efforts to update the law. Both the Council of Europe
Cybercrime Convention and the European Commission's Draft Council
Framework Decision on attacks against information systems could be
the catalyst for change in UK computer crime law.
"The changes needed to legislation are being considered," says a
Home Office representative, "and will impact wider than the
Computer Misuse Act."
International efforts
The Cybercrime Convention was signed by 32 nations in November
2001. Signatories agreed to introduce criminal laws covering a wide
variety of offences governing unlawful access, interception and
interference with computer data or systems, computer-related fraud,
forgery and paedophilia, and the aiding and abetting of these
crimes. A year on, 30 nations, including the UK and the US, have
not ratified the treaty.
In April the European Commission published a Draft Council
Framework Decision on attacks against information systems. The aim
is to create an "approximation of substantive law in the area of
high-tech crime", across the EU. It endorses many of the articles
of the cybercrime convention, notably referring to crimes of denial
of service and "taking of someone else's identity on the Internet".
It sets a provisional date for compliance of December 2003.
The move towards greater harmony of legislation across national
borders has been welcomed by law enforcement agencies. "If law
enforcement worldwide follows the same legal definitions and same
procedural standards in relation to high-tech crimes, it will help
the Interpol community," says Michael Holstein, programme manager
at Interpol's High-Tech Crime Unit.
There is already a mountain of legislation of which IT directors
should be aware - the Data Protection Act, Human Rights Act,
Electronic Communications Act, Copyright, Designs & Patents Act,
Regulation of Investigatory Powers Act (2000) and Terrorism Act
(2000) - and the danger with adding still more is that it could
cloud as well as clarify matters for IT managers.
"Business wants legal certainty," says Will Roebuck, law and policy
executive at e.centre. But laws "need to be clear and correct. If
not they should not be implemented. We learnt this with the
Regulation of Investigatory Powers Act."
Experts also warn there is more to combating cybercrime than
changing the law. "Even if the law is made more stringent, the
support mechanisms need to be in place," explains Beatrice Rogers,
private sector programme manager at Intellect. "There needs to be
education throughout the process, of the police and the courts, and
it needs to be in the public interest to report [the crime]."
The National High-Tech Crime Unit requires the co-operation of
business to better understand the extent of high-tech crime in the
UK, says Rogers. Without the statistics it cannot go to the
government and ask for the resources required by the police to
combat high-tech crime against business.
It is recognised that business is concerned about the implications
of reporting computer crime. The National High-Tech Crime Unit
plans to woo business into helping it to help them with the promise
of a confidential reporting mechanism. Perhaps this will help get
more computer cases into the courts.
Cybercrime in 2002
January
UK Internet service provider Cloud Nine is put out of business after being targeted by a denial of service attack.
February
A Web site designer from North Wales is arrested on charges of distributing the Gokar Redesi and Admirer e-mail computer viruses, and possessing indecent images of children.
April
European Commission publishes its Draft Council Framework Decision on attacks against information systems, which attempts to unify anti-crime laws across European Union states.
May
The Earl of Northesk introduces the Computer Misuse (Amendment) Bill as a private member's bill in the House of Lords, highlighting problems with denial of service attacks.
Police from 31 forces arrest 36 Britons on charges of downloading pay-per-view child pornography from Web sites in the US.
British Chamber of Commerce launches campaign to help small- and medium-sized enterprises protect themselves from cybercrime.
US courts sentence the author of the Melissa worm to a 20-month custodial sentence and fines of $7,500.
July
Law Commission report recommends changing the law to make dishonestly obtaining services on the Internet a crime.
Some 50 suspected Net paedophiles from the Shadowz Brotherhood are arrested in morning raids across seven countries, with six people arrested in the UK.
Judges in the US sentence a man who defrauded at least 268 Internet shoppers to 12 years in prison.
September
Sussex computer engineer receives an 18-month prison sentence after a grudge attack on an employer which refused to pay him. Using a backdoor into the system, he deleted a database full of designs, causing an estimated £50,000-worth of damage.
A 21-year-old is arrested in Surbiton for allegedly writing and distributing the T0rn rootkit, which enables users to hack Linux servers.
North London computer administrator Gary McKinnon faces extradition to the US, accused of hacking into 92 military and Nasa systems and causing an estimated £600,000-worth of damage.
November
A helpdesk employee is arrested in the US for alleged involvement in the theft of the credit card details of 30,000 people.
December
National High-Tech Crime Unit launches a confidentiality charter for businesses that wish to report high-tech crime.
Klez virus tops Sophos' monthly chart for most of the year.
Upcoming in 2003
UK Government has yet to ratify the Council of Europe Cybercrime Convention, signed in November 2001, and the European Commission's Draft Council Framework Decision on attacks against information systems, signed in April.
Theft proposals are expected from the Law Commission and the EU Copyright Directive.
Parliamentary IT lobby group Eurim plans a major exercise including a pamphlet explaining cybercrime and the law for small businesses.
In spring the Internet Crime Forum will publish its review of the Computer Misuse Act 1990.
What does our campaign hope to achieve?
Police and law enforcement agencies are hampered in their
prosecution and investigation of computer criminals because the
UK's computer crime laws are outdated and full of gaps.
So far, the Government has not done enough to empower either the
police or the private sector to take action against computer
criminals. When such criminals are caught, the penalties available
to judges often do not reflect the damage that computer-related
crime can cause.
Computer Weekly's Lock Down the Law campaign plans to press the
Government to review the UK's Computer Crime laws, to plug the
gaps, bring them up to date and give the police the powers they
need to fight computer criminals.