In summer 2003, the then e-crime minister Caroline Flint
promised to answer growing disquiet about Britain's computer crime
laws by strengthening the Computer Misuse Act.
But if a week is a long time in politics, a year and a half
seems like an eternity, and with little sign of progress,
businesses are beginning to wonder just how serious the government
is.
The acid test will come in March 2006, when the government faces
the choice of backing a 10 minute rule bill by Glasgow South MP Tom
Harris to update the Computer Misuse Act, or to let it wither, like
so many previous attempts at reform.
The arguments for strengthening the Computer Misuse Act have
been well rehearsed in the pages of Computer Weekly, which ran a
successful 18-month campaign in 2002/2003, with businesses,
security professionals, leading trade organisations and MPs calling
for the Computer Misuse Act to be put on the political agenda.
At its heart was the need for government to increase the minimum
sentences for simple hacking offences. This straightforward move
would give police powers of arrest and seizure of computer
equipment and, in recognition of the internationalisation of
computer crime, make unauthorised access of computer systems an
extraditable offence.
Equally importantly, Computer Weekly's campaign called for the
government to clarify the Computer Misuse Act to ensure that denial
of service attacks, a crime which had not been conceived at the
time the act was created, were covered by criminal sanctions.
The need for reform was given fresh impetus this month when a
judge at Wimbledon Magistrates Court threw out a case against a
teenager accused of crashing his former employer's mail server by
bombarding it with five million e-mails.
In a case that could set a legal precedent, district judge
Kenneth Grant ruled that the teenager had not committed an
unauthorised access offence under the terms of the Computer Misuse
Act because members of the public were authorised to send e-mails
to the server.
Although the Crown Prosecution Service is considering an appeal,
the outcome of the case has angered IT security commentators. The
judgement may not open the flood gates for all types of denial of
service attack, but it does make it clear than an e-mail bombing
attack that brings down a computer system is not illegal under
current law.
"There is an issue about giving someone implied permission here.
You give the postman implied permission to deliver post to your
door. But you do not give him permission to knock on your door
5,000 times a day," one IT security professional told Computer
Weekly.
The case for reform of the Computer Misuse Act has already won
backing from the Internet Crime Forum, which submitted its report
to the Home Office in early 2003, and the All Party Internet Group
of MPs, which came out in favour of strengthening the Act in
2004.
For all the sympathetic words of the Home Office, computer crime
appears to have fallen off the political agenda. Harris' bill next
year will show just how serious the government is about fulfilling
its promises.
Three years of slow progress
February 2002 - The National Hi-Tech Crime Unit
voices concerns to government about the adequacy of the Computer
Misuse Act against denial of service attacks.
February 2002 - Computer Weekly launches a
campaign calling for a review of UK computer crime law. It wins
support from user groups, lawyers, IT professionals and
politicians.
May 2002- Internet Crime
Forum and Crown Prosecution Service begin review of the Computer
Misuse Act.
May 2002 - Lord Northesk introduces private
members bill to outlaw all types of denial of service attacks. The
bill does not reach statute.
June 2002 - The government offers to meet with
IT security professionals to discuss the adequacy of the Computer
Misuse Act.
June 2003 - The Internet Crime Forum calls for
tougher sentences for hackers and clarification of the law on
denial of service attacks.
June 2003 - Home Office says it will update the
Computer Misuse Act as soon as parliamentary time allows.
June 2004 - A report from the All Party
Internet Group supports strengthening of Computer Misuse Act.
June 2005 - First reading of 10 minute rule
bill to update the Computer Misuse Act by Glasgow South MP Tom
Harris.