Peer backs bill to outlaw denial of service attacks

Conservative peer Earl Northesk is sponsoring a private member's bill which aims to strengthen the UK's computer crime laws by making denial of service attacks a criminal offence.

Northesk is backing the bill following rising concerns among the police and businesses about the lack of legal recourse against the perpetrators of denial of service attacks.

Although private members' bills rarely become law, the Computer Misuse (Amendment) Bill will push reform of the Computer Misuse Act higher up the political agenda.

"Denial of service attacks are growing exponentially. It is very difficult to get prosecutions under the current statutes. It is a real problem," said Northesk.

"Without something straightforward and simple on the statute books, there is no incentive for companies to report denial of service attacks to the police."

The bill, which is likely to have a second reading in the House of Lords in June, is a sign of growing support for Computer Weekly's campaign to "Lock Down the Law" on cybercrime in the UK. It aims to make it an offence for anyone to cause "degradation, failure or other impairment to a computerised system" without permission.

Perpetrators could face prosecution even if they did not intend to cause a denial of service attack, providing any reasonable person could have anticipated that their actions would cause disruption.

"This appears to be one of the holes that needs to be plugged," said Philip Virgo, strategic advisor to the Institute for the Management of Information Systems. "I think it is an extremely good idea. It is an area that needs to be addressed. One would hope the Home Office would pick it up and back it."

Lawyers have welcomed the bill but question whether the clause allowing the prosecution of people who commit denial of service attacks unintentionally is workable.

Roger Loosely, partner at law firm Stringer Saul, said it may be difficult with complex technology to show that an ordinary person could have predicted that their actions would lead to a denial of service attack. "The alternative is to use the word 'recklessly', which would address whether a person did something not caring whether it resulted in a denial of service attack or not," he said.

The bill follows requests from the National High-Tech Crime Unit to the Home Office to update the Computer Misuse Act to criminalise denial of service attacks. Although sympathetic, the Home Office is understood to consider reform of computer crime law a low political priority.

Although the Computer Misuse Act can be used against denial of service attackers if they plant code in other people's machines, the lack of a simple denial of service offence can often make prosecution difficult.