Internet industry calls for Computer Misuse Act review

This recommendation was included in the written evidence submitted by the ISPA to the All Party Internet Group (APIG), a group open to members of all Houses of Parliament, which is currently holding a public enquiry into the retention of and access to communications data for law enforcement purposes.

Although the enquiry primarily focuses on the effects of the Regulation of Investigatory Powers Act (RIPA) and the Anti-Terrorism Crime & Security Act on the telecoms industry, other relevant issues are also examined.

According to the ISPA, it is still unclear whether the CMA, as it currently stands, criminalises DoS attacks aimed at electronic networks.

DoS attacks occur when web servers are flooded with false and untraceable requests of information, overwhelming the system. Although such attacks do not normally compromise information security, they cost time and money.

This is because they result in temporary loss of network connectivity and services and can force web sites to temporarily shut down.

The application the CMA, which precedes the birth of the World Wide Web, to certain activities and particularly DoS attacks has been doubted. The CMA created three offences – the unauthorised access to computer material, the unauthorised modification of such material and the unauthorised access with intent to commit or facilitate commission of further offences.

It has been argued that, in DoS attacks, there is no access to or modification of material and that, therefore, the application of the CMA to such attacks is problematic.

On the other hand, it has been suggested that DoS attacks do modify data stored in a computer's random access memory (RAM). This could arguably be considered as access to and modification of computer material as required by the CMA. Finally, DoS attacks could be prosecuted under the Criminal Damage Act in England, or as malicious mischief in Scotland.

A Bill which would amend the CMA to address DoS attacks has already been introduced. The ISPA, however, said in its submission to the APIG enquiry that the issue is of "fundamental importance" to the communications industry.

The ISPA said:

"We would therefore recommend to the Government that the Crown Prosecution Service be encouraged to launch a test case under the CMA as soon as possible and that, if it is found that perpetrators of DoS attacks cannot be prosecuted within the scope of the CMA, that the Act is modified accordingly as a matter of urgency."

As part of the enquiry, an evidence session was held by the APIG yesterday.

The Computer Misuse Act 1990 can be found at:
www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm