After 18 months of campaigning by Computer Weekly,
politicians, and leading IT industry bodies, the Home Office has
agreed to update the UK's computer crime law, the Computer Misuse
Act.
E-crime minister Caroline Flint, speaking at a meeting of IT
professionals and politicians at the House of Commons last month,
promised to strengthen the law's coverage of denial of service
attacks and to review the adequacy of sentencing for computer
hackers.
The move is a significant victory for Computer Weekly's Lock Down
the Law campaign and for IT bodies such as Parliamentary/industry
IT group Eurim, the Information Assurance Advisory Council and the
Internet Crime Forum, which have been working behind the scenes to
ensure that the law is brought up to date.
The Computer Misuse Act was introduced in 1990, following a
celebrated case when hackers walked away from court after breaking
into BT's Prestel public access service. For the first time, the
Act made it an offence to gain access to a computer system or to
modify data without authorisation.
Since the Act was introduced, a lot in IT security has changed. The
rise of the internet means that rather than trying to keep people
out of their systems, businesses are actively encouraging them to
browse their websites. New threats have emerged, such as
sophisticated viruses and denial of service attacks, which could
not be foreseen in 1990.
However, as a piece of legislation, the Computer Misuse Act has
stood the test of time well. As Caroline Flint said last month,
"The Act is technologically neutral, and its terms deliberately
undefined to provide flexibility for the courts in interpreting
them widely." But, she said, that does not mean there is not
possible scope for improvement.
The government plans to look for improvement in two areas. The
first, and possibly most significant, is in the length of
sentencing. This has long been a point of frustration for IT
directors, who have seen too many hackers leave court with
community service orders or relatively trivial fines.
A working paper by industry/government body the Internet Crime
Forum has provided a taste of what is likely to come. It advocated
increasing the maximum penalty for a simple unauthorised access
offence from six months to at least one year, and potentially up to
five years.
This would bring the penalty for unauthorised access into line with
the penalties for unauthorised modification of computer data and
the unauthorised access of a computer system with intent to commit
a further offence.
There are several things to be gained from making unauthorised
access a more serious offence. It would give the police powers to
raid and seize computer equipment for evidence when they suspect a
hacker has been at work. Also, police would have up to three years
to bring a prosecution, rather than the current six-month time
limit.
Most significantly, unauthorised access would become an
extraditable offence. This would greatly enhance the ability of UK
law enforcement agencies to collaborate with overseas police forces
on cross-border hacking investigations.
The international nature of the internet means that it is common
for the perpetrators of computer crimes in one country to be based
in another, and cross-border co-operation will become increasingly
important.
The second issue the government plans to address is denial of
service attacks. Senior police officers have raised concerns that
some types of denial of service attack may not be adequately
covered by existing legislation. Although police can resort to
other legislation if perpetrators have committed other offences, it
can be difficult and time-consuming to bring prosecutions.
The government has responded by announcing plans to modify section
three of the Computer Misuse Act, which deals with unauthorised
modification of computer data, to make it clearer that denial of
service attacks fall within the definition of the offence.
It will not mean a wholesale re-writing of the Act, more of a
fine-tuning and clarification, but it is likely to give police
greater confidence in bringing prosecutions against denial of
service attackers, whatever method they adopt.
The government's moves have been welcomed by the IT profession, but
many have warned that while it is a major victory in Computer
Weekly's campaign, it would be premature to relax just yet. With
the Parliamentary timetable already looking tight, and a flurry of
Home Office bills expected on a variety of subjects, it would be
all too easy for reform of the Computer Misuse Act to fall off the
political agenda.
Industry bodies welcome reform of UK computer crime laws
David Rippon, chairman of IT directors' organisation Elite
"I welcome the government's initiative. Anything that makes life
more difficult for computer hackers is to be welcomed. It is
important that the government does make the Parliamentary time
available."
Will Roebuck, legal affairs executive, E-Centre
"The Home Office is making the law more clear, more certain. That
can only be a good thing. It certainly gives the industry clarity,
but nothing can be enforced until the changes go ahead."
David Roberts, chief executive of the Corporate IT Forum, Tif
"It would be too easy to cry too little too late, but acts of
Parliament relating to IT issues are in their infancy. We must be
patient on the one hand and provide constant support on the other
to see the requirements hit the statute books."
Peter Sommer, security expert at the London School of Economics
"This is a useful step forward but I am really apprehensive about
whether there will be enough Parliamentary time. There are a large
number of Home Office bills, many of which look as though they will
be fearfully opposed."
Philip Virgo, Institute for the Management of Information Systems
"We welcome Caroline Flint's comments. They are extremely helpful.
The proposals on sentencing have the great advantage that they
would make the offence extraditable, thus making international
co-operation on cross-border issues very much easier. The work of
Computer Weekly in calling for changes in this area has been most
helpful."
Roger Loosely, Technology Lawyers Association
"When the amendments to section three of the Computer Misuse Act and
increased sentencing are enacted, it will provide a real deterrent
for those who can easily cause damage to business. But the campaign
must be continued until promises are turned into legislation."