Review of computer misuse laws essential to keep up with rapidly developing market

Participate in consultation to develop most effective computer legislation

E-crime is a difficult term to define - we all probably have a different interpretation of what it means.

The term covers many different areas, including phishing, hacking, extortion, denial of service attacks, advance fee fraud, money laundering, virus writing, distributing malicious code, bot-herding, grooming, distributing paedophile material, internet abuse in the workplace, intellectual property theft, online piracy of copyright material, and spamming.

This list is by no means exhaustive, but it does serve to highlight the diversity of the challenges facing those trying to prevent or investigate e-crimes, either on the internet or in the corporate domain.

Many of these crimes are covered by conventional legislation, whereas those of a truly technical nature - where, in effect, a computer is the victim - are catered for under the Computer Misuse Act 1990.

But that law was enacted in the year in which Microsoft Windows version 3 was released - a time when the internet was a much smaller and entirely different place.

When we consider the technical evolution of the internet since 1990, the wide-scale deployment of computers within businesses and the tremendous uptake in home computing, it is not surprising that there is a need to update this legislation.

The recent amendments proposed by the Home Office are welcome, and it is likely that they will undergo some revision as a result of public consultation. This consultation is a vital part of the change process and interested parties should work together with the Home Office to ensure that we have legislation fit to address the current, and emerging, 21st century cyber threats.

There have been relatively few prosecutions for e-crime in any jurisdiction around the world. This could be interpreted as indicating a low level of criminal activity in this area, but I firmly believe that this is not the case.

According to Spamhaus, the international NGO that monitors malicious computer activity, the UK frequently has the largest percentage of compromised computers connected to the internet of any country around the world. In many cases compromised machines may be hosting several different infections, each of which represents an offence under the Computer Misuse Act.

The fact that there are many thousands, if not millions, of compromised machines around the world gives some indication of the prevalence of at least one of the forms of cybercrime. The constantly evolving nature of the internet and related technology is destined to create new vulnerabilities, many of which will be exploited by the criminal fraternity.

Clearly, legislation needs to keep pace with emerging threats, otherwise incidents with a high financial impact may occur and law enforcement may not be in a position to respond, so ultimately no public interest prosecution can be launched.

Notwithstanding the need for evolving legislation, more attention should be drawn to IT security. Almost every hacking case reported to the Metropolitan Police Computer Crime Unit was preventable, if appropriate policy and procedures had been in place.

Responsibility for raising IT security awareness rests with government, law enforcers, ISPs, equipment manufacturers, retailers and employers. Generally people's IT security awareness is quite low.

Government and industry partnership is essential if we are to address this issue. The Get Safe Online campaign is a prime example of how successful this can be. By raising awareness we can address confidence and trust issues relating to online trading. If people are confident they are secure online they are more likely to engage in online transactions.

All employers should review their IT security policies and ensure that processes are in place to monitor and review the management of those policies.

Home users need anti-virus products and firewalls, and should renew subscriptions to these services at the end of the licence period. Failure to keep them up to date will probably result in the individual or corporate system being compromised. At best this means someone else is using part of your processor's capacity; at worst it will result in online identity theft. In the case of businesses this can have a crippling effect.

Detective inspector Chris Simpson is head of the Metropolitan Police Computer Crime Unit
