Time for action on cyberlaw

Since February Computer Weekly has been marshalling its Lock Down the Law campaign to protect businesses from the increasing threat of cybercrime. Andy Favell explores the evolution of the UK's high-tech crime law and discusses how it might be changed.

Last week, the National High-Tech Crime Unit reported that every UK business is attacked on average three times a month by cybercriminals. Almost half of UK companies polled in a Department of Trade & Industry survey earlier this year experienced at least one malicious security breach last year. Yet few offenders that target business - virus writers and hackers - seem to end up in prison. This has led to a heated debate about changes to legislation and to the way in which crimes are reported, investigated or prosecuted.

The statute at the heart of UK computer crime law is the Computer Misuse Act 1990. Yet despite the number of attacks, in 2000 the courts handed out 15 convictions and four prison sentences where the principal offence was under the Act, and 31 convictions and 15 prison sentences where the more serious offence was under a different statute.

Concern about rising computer crime led to the creation in April 2001 of the National High-Tech Crime Unit. Some 25% of the unit's activity focuses on hacking, virus attacks and denial of service attacks, but all six convictions in which the unit was involved were crimes against children, rather than business, according to its annual report, published this month.

Many arguments are put forward as to why so few high-tech crimes against business end up in court: IT managers hush up attacks; the police do not have sufficient experience or resources to investigate; or the legal establishment has not grasped how to bring criminals to justice. Whatever the reason, the fundamental problem is that until more ground-breaking - or "precedent" - cases end up in court much of the law on cybercrime will remain unclear to business, the police and the legal establishment.

High-tech crime offences fall into two categories: established offline crimes that are now perpetrated using a computer; and crimes that specifically target computer systems and networks.

The unit's 2002 review says, "It is a fact that almost any crime committed in the real world can be committed in the virtual one. Indeed some real-world crimes have been revitalised in the electronic environment. We should not forget that organised crime will turn its hand to anything that is lucrative."

The body of law covering this first category is as vast as the number of crimes for which computers can be used: theft, blackmail, narcotics trafficking, illegal immigration, terrorism, child pornography or conspiracy. These laws long preceded high-tech crime, says Peter Sommer, research fellow at the London School of Economics, so many high-tech crimes will be enforced under "laws without the word 'computer' in them".

It is not just identifying applicable laws that is tricky; there is also the requirement to prove the case. Traditionally this involves tangible evidence, but in a high-tech crime the police have to investigate and the prosecution has to win a case based on virtual evidence.

Should a high-tech crime expose a weakness in existing statute law - usually illustrated by the collapse of a prosecution - the Home Office will, where practical, update the existing offline statute, rather than create a new law dedicated to computer crime.

"Any existing or new legislation needs to be equally capable of applying to offences committed offline or online, or there will indeed be offences which fall through the cracks," says a spokesperson for the Home Office high-tech crime team. For example, "The Sexual Offences Bill intends to establish a new grooming offence, to apply both to the Internet and offline."

The Home Office is currently considering alterations to the law of theft that could widen the legislation to include new offences both offline and online.

Sometimes it is not practical to amend existing legislation. In the 1980s, the UK courts were struggling to re-interpret the existing law to convict hackers. In the case of Crown v Gold (1988), for example, two journalists, Gold and Schifreen, were acquitted having accessed BT's network using a password that they had seen being used at a trade show. Such cases resulted in the Computer Misuse Act 1990.

The Act established three computer misuse offences: unauthorised access to computer material (section 1); unauthorised access with intent to commit or facilitate the commission of further offences (section 2); and unauthorised modification of computer material (section 3). The maximum sentences are six months for the first section and five years for the other two.

In the 12 years since the Act became law, the courts have interpreted the wording of the Computer Misuse Act widely in hacking cases. The first prison sentences handed out were in 1993 to two members of the Eight Legged Groove Machine, Strickland and Woods: six months each. Since then precedent cases have shown that to convict a hacker using the Act it is not necessary for them to hack into systems - knowledge of the password might be legitimate - or to be motivated by profit or even causing damage. The courts will also hand out stiff rebukes and sentences to match.

The case of Crown v Lindesay last year involved a revenge attack following a dispute over money. Victor Lindesay accessed the Web sites of three clients of his former employer using passwords he already knew. He defaced three Web sites and sent e-mails from a supermarket Web site to the customers warning them of price rises. The cost of putting the damage right was £9,000. The Appeal Court refused to reduce his nine-month prison sentence.

"That is not lenient," says Richard Chapman, a solicitor at Berwin Leighton Paisner. He points out that such sentences dispel any myth that courts are not tough on hackers, stating that criminals often receive shorter sentences for crimes that cause physical harm to others.

In 1995 the courts determined that the writing and distribution of computer viruses was punishable under the Computer Misuse Act 1990. "For distribution of viruses the precedent in the UK is Crown v Pile," says Rupert Battcock, an IT lawyer at Nabarro Nathanson. "There may have been subsequent UK prosecutions for distribution of viruses, but I do not believe they have added anything to [case law]."

Christopher Pile - also known as The Black Baron - received an 18-month prison sentence for writing and distributing a computer virus contrary to sections 2 and 3 of the Computer Misuse Act. According to estimates the virus caused £500,000 of damage to computer systems. It was irrelevant that Pile did not know who his victims would be.

Denial of service attacks
In denial of service attacks the point of contention arises because there is no precedent case law. It is often argued that denial of service may not contravene the provisions of the Act: a denial of service attack attempts to disable a server by bombarding it with data messages, and does not necessarily require gaining unauthorised access to a computer or modifying its contents.

In recent years, attacks on eBay, E*trade, Microsoft and many Internet service providers (ISPs) have hit the headlines. In January a small UK ISP, Cloud Nine, was put out of business by such an attack. Researchers from the University of California at San Diego believe that 4,000 denial of service attacks happen worldwide each week.

The champion of the campaign to legislate against denial of service attacks is the Earl of Northesk. In May, Northesk introduced the Computer Misuse (Amendment) Bill as a private member's bill in the House of Lords. However, he does not plan to re-introduce it in the current session as he believes the Government will not give a private bill a good hearing; instead it should review the legislation itself. "It is much more important that a wholesale review be conducted to achieve a casting of law in this area," says Northesk. "Inevitably that is a task for government, not for individual members of Parliament."

The crime of "identity theft" - obtaining services by deception - hit the headlines worldwide last month as several people were arrested in the US after a computer helpdesk employee allegedly stole and sold on 30,000 credit card numbers. Consequent damage was estimated at $2.7m (£1.7m).

The UK's fraud prevention service CIFAS claims that in 2001 there were more than 40,000 cases of identity fraud identified in the UK, yet the CIFAS Web site states, "Perhaps surprisingly, identity theft is not yet a crime under UK law."

In the UK a criminal act occurs if and when the false identity is used - deceptively - to buy goods or services. If the purchase is made on the Internet, however, we have a problem. As the Law Commission report of July spells out, "Because it requires proof of deception, the offence under section 1 of the 1978 Theft Act fails to catch a person who succeeds in obtaining a service dishonestly but without deceiving anyone. This may happen [if]... The service may not be provided directly by people at all, but through a machine. For example, the defendant downloads, via the Internet, software or data for which a charge is made... by giving false credit card or identification details."

The Law Commission proposes creating an all-encompassing offence of dishonestly obtaining services with the intent to avoid payment. This appears in a proposed bill on fraud and dishonesty currently under consideration at the Home Office.

In recognition of the fact that cybercrime is often perpetrated from outside local legal jurisdictions, there have been international efforts to update the law. Both the Council of Europe Cybercrime Convention and the European Commission's Draft Council Framework Decision on attacks against information systems could be the catalyst for change in UK computer crime law.

"The changes needed to legislation are being considered," says a Home Office representative, "And will impact wider than the Computer Misuse Act."

International efforts
The Cybercrime Convention was signed by 32 nations in November 2001. Signatories agreed to introduce criminal laws covering a wide variety of offences governing unlawful access, interception and interference with computer data or systems, computer-related fraud, forgery and paedophilia, and the aiding and abetting of these crimes. A year on, 30 nations including the UK and the US have not ratified the treaty.

In April the European Commission published a Draft Council Framework Decision on attacks against information systems. The aim is to create an "approximation of substantive law in the area of high-tech crime", across the EU. It endorses many of the articles of the cybercrime convention, notably referring to crimes of denial of service and "taking of someone else's identity on the Internet". It sets a provisional date for compliance of December 2003.

The move towards greater harmony of legislation across national borders has been welcomed by law enforcement agencies. "If law enforcement worldwide follows the same legal definitions and same procedural standards in relation to high-tech crimes, it will help the Interpol community," says Michael Holstein, programme manager at Interpol's High-Tech Crime Unit.

There is already such a mountain of legislation of which IT directors should be aware - Data Protection Act, Human Rights Act, Electronic Communications Act, Copyright, Designs & Patents Act, Regulation of Investigatory Powers Act (2000) and Terrorism Act (2000) - that the danger with adding still more is the potential to cloud as well as clarify matters for IT managers.

"Business wants legal certainty," says Will Roebuck, law and policy executive at e.centre. But laws "need to be clear and correct. If not they should not be implemented. We learnt this with the Regulation of Investigatory Powers Act."

Experts also warn there is more to combating cybercrime than changing the law. "Even if the law is made more stringent, the support mechanisms need to be in place," explains Beatrice Rogers, private sector programme manager at Intellect. "There needs to be education throughout the process, of the police and the courts, and it needs to be in the public interest to report [the crime]."

The National High-Tech Crime Unit requires the co-operation of business to better understand the extent of high-tech crime in the UK, says Rogers. Without the statistics it cannot go to the government and ask for the resources required by the police to combat high-tech crime against business.

It is recognised that business is concerned about the implications of reporting computer crime. The National High-Tech Crime Unit plans to woo business into helping it to help them with the promise of a confidential reporting mechanism. Perhaps this will help get more computer cases into the courts.

Cybercrime in 2002
UK Internet service provider Cloud Nine is put out of business after being targeted by a denial of service attack

A Web site designer from North Wales is arrested on charges of distributing the Gokar Redesi and Admirer e-mail computer viruses, and possessing indecent images of children

European Commission publishes its Draft Council Framework Decision on attacks against information systems, which attempts to unify anti-crime laws across European Union states

The Earl of Northesk introduces the Computer Misuse (Amendment) Bill as a private member's bill in the House of Lords highlighting problems with denial of service attacks

Police from 31 forces arrest 36 Britons on charges of downloading pay-per-view child pornography from Web sites in the US

British Chamber of Commerce launches campaign to help small- and medium-sized enterprises protect themselves from cybercrime

US courts sentence author of the Melissa worm to a 20-month custodial sentence and fines of $7,500

Law Commission report recommends changing the law to make dishonestly obtaining services on Internet a crime

Some 50 suspected Net paedophiles from Shadowz Brotherhood arrested in morning raids across seven countries, with six people arrested in the UK

Judges in the US sentence a man who defrauded at least 268 Internet shoppers to 12 years in prison

Sussex computer engineer receives 18-month prison sentence after a grudge attack on an employer which refused to pay him. Using a backdoor into the system, he deleted a database full of designs, causing an estimated £50,000-worth of damage

A 21-year-old is arrested in Surbiton for allegedly writing and distributing the T0rn rootkit that enables users to hack Linux servers

North London computer administrator Gary McKinnon faces extradition to the US accused of hacking into 92 military and Nasa systems, causing an estimated £600,000 worth of damage

A helpdesk employee is arrested in the US for alleged involvement in the theft of credit card details of 30,000 people

National High-Tech Crime Unit launches confidentiality charter for businesses that wish to report high-tech crime

Klez virus tops Sophos' monthly chart for most of the year

Upcoming in 2003
UK Government has yet to ratify the Council of Europe Cybercrime Convention signed in November 2001 and the European Commission's Draft Council Framework Decision on attacks against information systems signed in April

Theft proposals are expected from the Law Commission and the EU Copyright Directive

Parliamentary IT lobby group Eurim plans a major exercise including a pamphlet explaining cybercrime and the law for small businesses

In spring the Internet Crime Forum will publish its review of the Computer Misuse Act 1990.

What does our campaign hope to achieve?
Police and law enforcement agencies are hampered in their prosecution and investigation of computer criminals because the UK's computer crime laws are outdated and full of gaps.

So far, the Government has not done enough to empower either the police or the private sector to take action against computer criminals. When such criminals are caught, the penalties available to judges often do not reflect the damage that computer-related crime can cause.

Computer Weekly's Lock Down the Law campaign plans to press the Government to review the UK's Computer Crime laws, to plug the gaps, bring them up to date and give the police the powers they need to fight computer criminals.
