An all-party group of MPs is to hold a public inquiry in to the effectiveness of the Computer Misuse Act following concerns that it is outdated and contains loopholes that could allow some computer crimes to go unprosecuted.
The All Party Internet Group is calling for IT professionals to submit evidence on the adequacy of the Act and to disclose details of the security risks they face by 9 April, in an attempt to push reform of the UK's computer laws higher up the political agenda.
The inquiry follows a 12-month campaign by Computer Weekly and leading IT groups, including Eurim, e.centre and the Corporate IT Forum, calling for the government to review the Computer Misuse Act, which was drafted before the widespread use of the internet for business.
"We put this on our agenda for future work last year, in light of the fact that Computer Weekly and the industry had highlighted the way that legal remedies appeared to be inadequate to deal with the current attacks," said MP Richard Allan, joint vice chairman of the All Party Internet Group.
Home Office minister Caroline Flint announced plans to strengthen the Act last year but some MPs are concerned that unless the issue is kept in the public eye through an inquiry, reform of the law could fall off the political agenda.
The law has been criticised by police and IT security professionals following several high-profile cases in which hackers have escaped with light sentences despite causing severe damage to computer systems.
Lord Northesk, who proposed a private members bill to update the Computer Misuse Act two years ago, said the Act needed updating to ensure that all types of denial of service attacks and phishing attacks were criminalised. "The whole premise of the Act is wrong in that it is cast towards trespass. In a virtual medium it is very difficult to prove trespass," he said.
Nick Ray, chief executive of security firm Prevx, which has been asked to give evidence to the inquiry, said there were too few resources being put into fighting cybercrime.
"The law needs to be more specific," he said. "The law is not necessarily badly written, but it is broad. There need to be more specifics: that installing a Trojan is against the law; that propagating a virus is against the law. This would make it easier for law enforcement agencies to prosecute cases."
The Home Office has indicated its willingness to review sentencing policy and to strengthen the Act's wording on denial of service attacks.
A paper produced by police/ industry working group the Internet Crime Forum called for the minimum sentence for hacking to be increased from six months to five years. It would also make unauthorised access an extraditable offence and give police powers to seize suspects' computer equipment.
Further details: www.apig.org.uk
Key concerns of the inquiry
- Is the Computer Misuse Act broad enough to cover current computer crime?
- Has the Act's definition of computers and data stood the test of time?
- Do loopholes in the Act need to be plugged?
- What revisions will be needed to meet international treaty obligations?
- What penalties will be sufficient to deter computer criminals?