nito - Fotolia

Security skills shortage blamed for low rate of Computer Misuse Act prosecutions

TechUK datacentre security event shines a light on how skills shortages are impacting on the investigative powers of law enforcers

The relevancy of the Computer Misuse Act has been called into question by industry experts, with some claiming investigators lack the IT skills needed to use the Act effectively to bring cyber criminals to justice.

The legislation, which was introduced in 1990 to make it a criminal offence for third parties to gain unauthorised access to computing materials, was discussed at a TechUK datacentre security event in London this week.  

The discussion was carried out under Chatham House Rules, which allows Computer Weekly to report on the discussion provided the speakers aren’t identified.

The attendees included a mix of datacentre operators, IT security experts and legal specialists.

According to Steve Southern of security consultancy Amethyst Risk Management, who agreed to be quoted by Computer Weekly, a surprisingly low number of prosecutions have been carried out under the terms of the Computer Misuse Act, despite the growing frequency of cyber attacks.

“I’m no lawyer, but I do know the number of prosecutions under the Computer Misuse Act Section 1 is probably standing at less than 10. There just aren’t any. That suggests to me the law is not fit for purpose,” said Southern.

“Typically we might say the law doesn’t keep pace with the changing technology and it’s an easy thing to say, but that’s the fact,” he added.

When pressed for further details on why there are so few prosecutions, Southern said part of the problem is the shortage of criminal investigators with cyber security knowledge.

However, he was quick to add that things are improving, with police forces embarking on staff training initiatives or specialist recruitment drives, but there is still some way to go.

Read more about the Computer Misuse Act

“They are putting resources behind it and we’ve been involved with the City of London Police on this. They have some of the best and well-respected detectives in the force, but they lack basic IT and cyber skills.

“The vast majority of fraud incidents [the police] investigate these days have a technical component. They’ve taken steps to address that, but they are in catch-up mode,” said Southern.

Another speaker at the event shed further light on this issue, adding that the shortage of people with the right profile of investigative and IT security skills means the ones that have the skills are often poached.

“It’s very hard to recruit good security people. It’s even harder to keep them because as soon as you get to a certain level and you’re good, someone offers you a lot more money,” the speaker said.

“I think we need to feedback into colleges and universities and get more people coming out with those levels of skills,” the speaker added. 

The dearth of IT security experts has been repeatedly highlighted by recruitment surveys and suppliers in recent years, with many warning that it could put the UK at increased risk of cyber attacks.

Read more on Security policy and user awareness