After 18 months of campaigning by Computer Weekly, politicians, and leading IT industry bodies, the Home Office has agreed to update the UK's computer crime law, the Computer Misuse Act.
E-crime minister Caroline Flint, speaking at a meeting of IT professionals and politicians at the House of Commons last month, promised to strengthen the law's coverage of denial of service attacks and to review the adequacy of sentencing for computer hackers.
The move is a significant victory for Computer Weekly's Lock Down the Law campaign and for IT bodies such as Parliamentary/industry IT group Eurim, the Information Assurance Advisory Council and the Internet Crime Forum, which have been working behind the scenes to ensure that the law is brought up to date.
The Computer Misuse Act was introduced in 1990, following a celebrated case when hackers walked away from court after breaking into BT's Prestel public access service. For the first time, the Act made it an offence to gain access to a computer system or to modify data without authorisation.
Since the Act was introduced, a lot in IT security has changed. The rise of the internet means that rather than trying to keep people out of their systems, businesses are actively encouraging them to browse their websites. New threats have emerged, such as sophisticated viruses and denial of service attacks, which could not be foreseen in 1990.
However, as a piece of legislation, the Computer Misuse Act has stood the test of time well. As Caroline Flint said last month, "The Act is technologically neutral, and its terms deliberately undefined to provide flexibility for the courts in interpreting them widely." But, she said, that does not mean there is no possible scope for improvement.
The government plans to look for improvement in two areas. The first, and possibly most significant, is in the length of sentencing. This has long been a point of frustration for IT directors, who have seen too many hackers leave court with community service orders or relatively trivial fines.
A working paper by industry/government body the Internet Crime Forum has provided a taste of what is likely to come. It advocated increasing the maximum penalty for a simple unauthorised access offence from six months to at least one year, and potentially up to five years.
This would bring the penalty for unauthorised access into line with the penalties for unauthorised modification of computer data and the unauthorised access of a computer system with intent to commit a further offence.
There are several things to be gained from making unauthorised access a more serious offence. It would give the police powers to raid and seize computer equipment for evidence when they suspect a hacker has been at work. Also, police would have up to three years to bring a prosecution, rather than the current six-month time limit.
Most significantly, unauthorised access would become an extraditable offence. This would greatly enhance the ability of UK law enforcement agencies to collaborate with overseas police forces on cross-border hacking investigations.
The international nature of the internet means that it is common for the perpetrators of computer crimes in one country to be based in another, and cross-border co-operation will become increasingly important.
The second issue the government plans to address is denial of service attacks. Senior police officers have raised concerns that some types of denial of service attack may not be adequately covered by existing legislation. Although police can resort to other legislation if perpetrators have committed other offences, it can be difficult and time-consuming to bring prosecutions.
The government has responded by announcing plans to modify section three of the Computer Misuse Act, which deals with unauthorised modification of computer data, to make it clearer that denial of service attacks fall within the definition of the offence.
It will not mean a wholesale re-writing of the Act, more of a fine-tuning and clarification, but it is likely to give police greater confidence in bringing prosecutions against denial of service attackers, whatever method they adopt.
The government's moves have been welcomed by the IT profession, but many have warned that while it is a major victory in Computer Weekly's campaign, it would be premature to relax just yet. With the Parliamentary timetable already looking tight, and a flurry of Home Office bills expected on a variety of subjects, it would be all too easy for reform of the Computer Misuse Act to fall off the political agenda.
Industry bodies welcome reform of UK computer crime laws
David Rippon, chairman of IT directors' organisation Elite
"I welcome the government's initiative. Anything that makes life more difficult for computer hackers is to be welcomed. It is important that the government does make the Parliamentary time available."
Will Roebuck, legal affairs executive, E-Centre
"The Home Office is making the law more clear, more certain. That can only be a good thing. It certainly gives the industry clarity, but nothing can be enforced until the changes go ahead."
David Roberts, chief executive of the Corporate IT Forum, Tif
"It would be too easy to cry too little too late, but acts of Parliament relating to IT issues are in their infancy. We must be patient on the one hand and provide constant support on the other to see the requirements hit the statute books."
Peter Sommer, security expert at the London School of Economics
"This is a useful step forward but I am really apprehensive about whether there will be enough Parliamentary time. There are a large number of Home Office bills, many of which look as though they will be fearfully opposed."
Philip Virgo, Institute for the Management of Information Systems
"We welcome Caroline Flint's comments. They are extremely helpful. The proposals on sentencing have the great advantage that they would make the offence extraditable, thus making international co-operation on cross-border issues very much easier. The work of Computer Weekly in calling for changes in this area has been most helpful."
Roger Loosely, Technology Lawyers Association
"When the amendments to section three of the Computer Misuse Act and increased sentencing are enacted, it will provide a real deterrent for those who can easily cause damage to business. But the campaign must be continued until promises are turned into legislation."