The computer crimes we hear about most often involve
fraud, extortion and child abuse, but the problematic offences of
hacking and viruses, set out in the 1990 Computer Misuse Act, are
on the increase.
Computers and networks, and the degree to which we rely on them,
have changed almost beyond recognition since 1990, but the
framework of the act remains effective.
However, to reflect the changed environment, the government is
proposing to increase the penalties for unauthorised access and
modification of computers in the Police and Justice Bill currently
before parliament.
Like networks, hacking and the use of malware have also expanded
and, more worryingly, in recent years we have seen an explosion in
the availability of hacking tools and services and their use by
organised criminals.
To target them, we are proposing a new offence to criminalise
those individuals who make and distribute hacking tools. It is
important to stress that the new offence does not affect those that
use the tools, but covers those who make or distribute them.
There is wide support for a law criminalising individuals who
distribute and supply these tools for unlawful means, and the
Cybercrime Convention obliges countries to do this.
However, concerns have rightly been raised about whether the new
offence will criminalise IT professionals who make and distribute
these tools for legitimate purposes, such as penetration testing or
identifying vulnerabilities.
The test for the offence will be whether the person believed at
the time that the tool would be used more criminally than
legitimately, so IT professionals will not be affected.
In a court case, the prosecution would need to prove that the
accused believed that the hacking tool was likely to be used to
commit an offence under section 1 or 3 of the Computer Misuse
Act.
In the case of the producer of the hacking tool, it would not be
sufficient for the prosecution to show that the tool has been used
for illegal purposes on some occasions because that does not prove
a belief that the hacking tool in question will definitely be used
for criminal means.
On the contrary, the producer would be taken to believe that the
hacking tool would be used honestly, as it is in the majority of
cases. In the case of a supplier, the prosecution may well need to
prove that the supplier knew something about the person to whom
they supplied the article on which to base a belief of dishonest
use.
It is important that we get the balance right between protecting
IT security professionals and those who work to improve the
security of products and systems, and criminalising those who
develop or supply tools for criminal use. The changes to the act
strike that balance.
Vernon Coaker is a Home Office minister