The Labour MP for Sittingbourne and Sheppey, who chairs the
All Party Parliamentary Internet Group (APIG), acknowledges that his
Ten Minute Rule Motion – a type of bill that gives a back-bench MP
just 10 minutes to pitch legislation to the House of Commons – will
not go anywhere fast.
Ten Minute Rule Motions, like all Private Member's Bills, are
very unlikely to become law. In this instance the Bill will not
receive a second reading in the House of Commons due to Parliament
being dissolved for the election. APIG said yesterday it will
continue to campaign on this issue in the next Parliamentary
term.
Wyatt's bill picks up on two main recommendations in last
summer's APIG report on the 1990 Act: to add a specific Denial of
Service (DoS) offence; and to increase the sentence for hacking –
where no manipulation of data or further crime takes place – from
six months to two years. Aggravated hacking offences would still
carry up to five years in prison.
The consensus is that the current wording of the Computer
Misuse Act probably covers some DDoS attacks, because third-party
computers are compromised without permission. Whether a
plain-vanilla DoS attack is covered is a moot point. The relevant
wording in the current Act is that it is an offence to cause "an
unauthorised modification of the contents of any computer". Some
say a DoS attack amounts to a "modification"; others
disagree.
APIG, which exists to provide a discussion forum between new
media industries and parliamentarians, wants to remove the
ambiguity. It also wants to send a clear signal to the police,
Crown Prosecution Service and the courts that DoS attacks should be
taken seriously. And it hopes that publicity about the new offence
will deter potential attackers by making it explicit that their
actions are clearly criminal.
The unedited text of Derek Wyatt's speech to the House of
Commons is below.

Mr. Derek Wyatt (Sittingbourne and Sheppey) (Lab): I beg to
move, That leave be given to bring in a Bill to amend the Computer
Misuse Act 1990 to create offences in connection with denial of
service and to make further provision about proceedings and
penalties for an offence under section 1 of that Act; and for
connected purposes.
The initiative for this Bill comes from the all-party internet
group's inquiry, which began in March last year. I am indebted to
my colleagues, my hon. Friend the Member for Milton Keynes,
North-East (Brian White) and the hon. Member for Sheffield, Hallam
(Mr. Allan), for their great support last year in the report work
that we did that paved the way for this Bill. It would also be
unfair not to mention the sterling work of our clerks, Marc
Woolfson and Nick Lansman of Political Intelligence, who helped to
put the report together.
The all-party internet group has also pioneered twinning with
its American counterpart, the internet caucus. We have done that
because any measure relating to computers and the internet must now
go beyond individual Parliaments. We hope that other committees
will note that and develop relationships with other Parliaments in
the world. I also want to thank the Home Office, particularly the
Under-Secretary of State for the Home Department, my hon. Friend
the Member for Don Valley (Caroline Flint) for her support, and her
staff for their work in this regard. It would be unreasonable not
to pay tribute, too, to the Earl of Northesk, who also introduced a
private Member's Bill in another place in 2002 to amend the
Computer Misuse Act 1990.
Let me give some background to the 1990 Act. Criminal activity
involving computers has a long history and several existing
statutes have been used in prosecutions for criminal damage, such
as Cox v. Riley in 1985 and Regina v. Whitely in 1991, and for
fraud, such as Regina v. Lamberti and Filinski in 1987. Eventually,
existing legislation proved inadequate to cover all the activities
involved in computer hacking. In particular, Robert Schifreen and
Steve Gold were initially convicted of a number of offences under
the Forgery and Counterfeiting Act 1981, after they had used
passwords without permission to obtain unauthorised access to
electronic mailboxes on the Prestel system – my, my. However, on 21
April 1998, the House of Lords overturned their convictions,
agreeing with Lord Lane in the Court of Appeal that there had been
a "Procrustean attempt to force the facts of the present case into
the language of an Act not designed to fit them".
With regard to legislative matters, events then moved rapidly.
In September 1988, the Law Commission published a consultative
document on computer misuse. In April 1989, Emma Nicholson, MP,
introduced a private Member's Bill to make various hacking
activities illegal, but that was widely perceived as containing
several faults and failed through lack of time. In October 1989,
the Law Commission published its final report on computer misuse,
which recommended the three offences that we have today. The
legislation to implement them was brought forward as a private
Member's Bill by Michael Colvin, MP. That Computer Misuse Bill
received its Second Reading in the House of Commons on 2 May 1990
and was given Royal Assent on 29 June 1990.
The Computer Misuse Act 1990 deals with just two mischiefs. In
section 1, it criminalises "unauthorised access to computer
material", and in section 3, "unauthorised modification of computer
material". The offence in section 2 is a more serious version of
section 1 where there is an intent to commit or facilitate further
offences.
I propose two further measures. The Bill would add specific
denial of service – DOS – and it would increase the tariff for
Computer Misuse Act section 1 offences involving hacking from six
months to two years.
A denial of service attack occurs when a deliberate attempt is
made to stop a machine performing. Usually another computer is made
to create large amounts of specious traffic. The traffic may
consist of valid requests made in overwhelming volume, or
specifically crafted protocol fragments that cause the serving
machine to tie up significant resources to no usual purpose. In a
distributed denial of service – DDOS – attack, a large number of
remote computers are orchestrated to attack a target at the same
time. In some cases, the attacks overwhelm the connecting links to
a machine rather than the machine itself. That can result in
significant collateral damage that extends beyond the machine that
is being attacked.
DOS and DDOS attacks are extremely common on today's internet,
with academic studies measuring more than 4,000 a week. There are
many different types of attack and the volume of traffic involved
varies hugely, so it is difficult to generalise about the impact.
At the lower end of effectiveness, the blips in traffic are hardly
noticeable but we are told of cases at the other end in which large
university networks have been made unusable for hours at a
time.
Providing protection against some types of DOS and especially
DDOS attacks can be technically challenging. It is often hard to
distinguish legitimate from illegitimate activity, which means that
genuine traffic can be discarded through protective measures.
Criminal DDOS attacks are being made on gambling websites both
in the United Kingdom and elsewhere. Such attacks are accompanied
by demands for amounts between £10,000 and more than £100,000 to
make the attacks stop. The impact on gambling businesses has been
severe. The national hi-tech crime unit has become involved in
investigations, but the perpetrators are believed to be based
abroad, which sets some limits on what it can quickly
achieve.
The second part of the Bill deals with length of sentences. At
present, a summary conviction under existing law carries a maximum
penalty of six months in prison and/or a fine of £5,000. A
conviction on indictment currently applies only to section 2 and
section 3 offences. In that case, the maximum penalty is five years
in prison or an unlimited fine. These are, however, maximum
sentences. Home Office figures show that, when a CMA offence is the
principal offence with which someone is charged, only about a third
of those found guilty are given custodial sentences. When a CMA
offence is not the principal offence, the proportion is very small
indeed. Often CMA offences involve plea bargains that are not
proceeded with because justice has been done in some other
way.
It is regularly claimed that the cost of cleaning up virus or
worm attacks runs into billions of pounds. The current level of
sentences does not reflect the seriousness of such offences. The
attack on the port of Houston in the Caffrey case was widely viewed
as an attack on the critical national infrastructure of the United
States, a most serious action.
Longer sentences should be imposed for section 1 offences
because of the side effects that that would have. Raising the
tariff to one year would make an offender extraditable. Making
section 1 offences indictable would make it possible to prosecute
for a criminal attempt, which would not have to succeed. Raising
the tariff to five years in line with section 2 and section 3
offences would make section 1 offences arrestable. That would also
make it easier to obtain search warrants by means of the Police and
Criminal Evidence Act 1984.
We recommend that the maximum sentence following conviction of
an offence under section 1 of the Computer Misuse Act should be
raised to two years. Since our report, there has been an
interesting series of conversations on the net about whether that
is long enough. Spamhaus, in particular, would like it to be
longer. Let us hope that, after the general election, the Home
Office will introduce its own version of an amended CMA. That would
be the time at which to review sentencing.
The problem is growing. The Symantec global internet threat
report covering July to December 2004, released at the end of
March, shows that Britain has a larger percentage of botnets than
any other country in the world, with 25.2 per cent of PCs
infected. The United States and China are second and third
respectively. The fast growth in broadband take-up has been cited
as the main reason for Britain's topping the chart: users take on
always-on connections without being aware of the security risks.
The number is expected to decline as the UK Government's education
and awareness programmes IT Safe and Project Endurance begin to
take effect.
Although high-profile DDOS attacks have been made against
e-commerce and, especially, gambling sites, the UK Government and
the country's critical infrastructure could also be attacked. It is
essential for a law to be in place to make prosecution possible
when offences are committed, because that will send the strong and
unambiguous message that e-crime is treated with the utmost
seriousness. International co-operation is also key. Increasing
sentences for section 1 offences to two years will create an
extraditable offence, and bring the law into line with the European
cybercrime convention.
Thanks to APIG for providing the text of Mr Wyatt's motion
to OUT-LAW.