The Computer Misuse Act is now 15 years old and legal experts
have long questioned whether it adequately outlaws Denial of
Service attacks. In such an attack, a web or email server
is deliberately flooded with information to the point of
collapse.
But when a court cleared a teenager last November on charges of
sending five million emails to his former employer, because the
judge decided that no offence had been committed under the Act, the
need for amendment became obvious.
An update was attempted in 2002 and on two subsequent occasions,
each time as a Private Members' Bill. This type of bill rarely
succeeds; but last November's bill by Tom Harris, Labour MP for
Glasgow South, has won Government support. His provisions to amend
the 1990 legislation are included in the new Police and Justice
Bill.

The new offences

The Bill clarifies that all means of interference with a
computer system are criminalised.
Denial of Service attacks are addressed at section 34, entitled
"Unauthorised acts with intent to impair operation of a computer,
etc."
It expands the 1990 Act's provisions on unauthorised
modification of computer material to cover someone who does
an unauthorised act in relation to a computer with "the requisite
intent and the requisite knowledge."
The requisite intent is an intent to do the act in question and
by so doing:
- to impair the operation of any computer,
- to prevent or hinder access to any program or data held in any
computer, or
- to impair the operation of any program or data held in any
computer.

Comment

Mr Harris said today, "the government has sent out a powerful
message that cybercrime will not be tolerated."
He pointed out that by increasing the tariff on these crimes, a
message will also be sent to the courts and to the Public
Prosecution Service that these crimes must be taken seriously and
that, where appropriate, custodial sentences must be applied.
Struan Robertson, Senior Associate with Pinsent Masons, the law
firm behind OUT-LAW.COM, welcomed the new proposal. "This
legislation will remove any doubt about the illegality of Denial of
Service attacks," he said.
He said that the wording is wide enough that paying someone else
to launch an attack will still be a crime – with a maximum penalty
of 10 years in prison. "Even supplying the software tools
to launch an attack or offering access to a
botnet could get you up to two years in prison," he
said.
But Robertson said we should not expect to see a drop in
computer crime. "Having clear laws in place is only part of the
issue," he said. "The bigger problem is catching the
criminals."
He says that the existing laws have stood the test of time quite
well. "Most malicious hacking activity is a crime under the 1990
Act. Distributed Denial of Service attacks almost certainly
breach the existing Act, too – because such attacks tend
to involve compromising many other computers, instructing each
computer to attack a single target at the same time. Only
plain-vanilla Denial of Service attacks seem to fall through the
gaps in the legislation."
But practical problems prevent prosecutions.
"Many attacks come from overseas. If someone in Russia launches
the attack on a British business, they will be committing an
offence in UK law; but bringing them to justice requires
cooperation between UK and Russian law enforcement authorities and
also extradition proceedings. Law enforcement simply does not have
the resources to deal with every crime of this type."
The new Bill is expected to have its Second Reading in the week
commencing 6th February and Mr Harris expects it to reach the
Statute book in the Autumn.