Denial of service (DoS) attacks involve the simultaneous sending
of millions of messages or page requests to an organisation's
servers. The sudden, massive deluge of information can render
website and email servers inoperable.

The UK's main cybercrime law is the Computer Misuse Act, passed
18 years ago. Its application to denial of service attacks had been
the subject of some confusion.

In 2005, charges were brought under that Act against teenager
David Lennon who sent his former employer five million emails at
once. The massive volume of email disabled the office server. A
Magistrates' Court said that Lennon had no case to answer because
the employer's system was designed to receive email. But the High
Court later said that the original judge had erred in that ruling.
Lennon eventually pleaded guilty and, in 2006, he was sentenced to
two months' curfew with an electronic tag.

The first attempt to amend the Computer Misuse Act, to put the
illegality of DoS attacks beyond doubt, dates back six years. A
Private Member's Bill to amend the Act was introduced by the Earl
of Northesk in 2002, but like most Private Members' Bills, it
failed to become law.

Changes were made to the Computer Misuse Act in 2006 but they
were not made live at the time. In October 2007 they were adopted
in Scotland, but not in England and Wales.

The Home Office said that the changes would be brought into
force in April 2008, but they were not. The Statutory Instrument to
bring them into force was finally passed on 24th September and the
changes came into effect for England and Wales on 1st October
2008.

The changes make it a criminal offence to conduct DoS attacks.
The original legislation included offences of unauthorised access
to computer material and of unauthorised modification of computer
material. There is now a new offence of doing anything without
authorisation with intent to impair, or with recklessness as to
impairing, the operation of a computer.

The new offence carries a maximum penalty of 10 years'
imprisonment and a fine. It replaces the more limited offence of
unauthorised modification, which carried a five-year maximum
sentence.

The changes also increase the maximum penalty for unauthorised
access to computer material from six months' imprisonment and a
fine to two years' imprisonment and a fine.

The Computer Misuse Act has also been changed to make it an
offence to make, adapt, supply or offer to supply any article which
is "likely to be used to commit, or to assist in the commission of,
[a hacking or unauthorised modification or DoS] offence". It is
also an offence to supply an article "believing that it is likely"
to be used to commit such an offence.

The meaning of "article" includes any program or data. The
provisions would cover the supply of DoS or virus toolkits. Anyone
convicted of breaking this section of the Act could be jailed for
up to two years.

This part of the law has been controversial because security
researchers have said that it could impede their work.

"The difficulty in the Act is that it says 'any item' and people
are worried that that might include information about a piece of
software's security vulnerability," Cambridge University security
researcher Dr Richard Clayton previously told OUT-LAW.COM. "If you
distribute information about a security vulnerability and the bad
guys use it to attack it then the information about that
vulnerability might qualify."

The Statutory Instrument which came into force this October
amends the Police and Justice Act of 2006. The Instrument makes
live provisions in that Act which in turn amend the Computer Misuse
Act.