The Computer Misuse Act is now 15 years old and legal experts have long questioned whether it adequately outlaws Denial of Service attacks. A Denial of Service attack is one in which a web or email server is deliberately flooded with information to the point of collapse.
But when a court cleared a teenager last November on charges of sending five million emails to his former employer, because the judge decided that no offence had been committed under the Act, the need for amendment became obvious.
An update was attempted in 2002 and on two subsequent occasions, each time as a Private Members' Bill. This type of bill rarely succeeds; but last November's bill by Tom Harris, Labour MP for Glasgow South, has won Government support. His provisions to amend the 1990 legislation are included in the new Police and Justice Bill.
The new offences
The Bill clarifies that all means of interference with a computer system are criminalised.
Denial of Service attacks are addressed at section 34, entitled "Unauthorised acts with intent to impair operation of a computer, etc."
It expands the 1990 Act's provisions on unauthorised modification of computer material to cover someone who does an unauthorised act in relation to a computer with "the requisite intent and the requisite knowledge."
The requisite intent is an intent to do the act in question and by so doing:
- to impair the operation of any computer,
- to prevent or hinder access to any program or data held in any computer, or
- to impair the operation of any program or data held in any computer.
Mr Harris said today, "the government has sent out a powerful message that cybercrime will not be tolerated."
He pointed out that by increasing the tariff on these crimes, a message will also be sent to the courts and to the Public Prosecution Service that these crimes must be taken seriously and that, where appropriate, custodial sentences must be applied.
Struan Robertson, Senior Associate with Pinsent Masons, the law firm behind OUT-LAW.COM, welcomed the new proposal. "This legislation will remove any doubt about the illegality of Denial of Service attacks," he said.
He said that the wording is wide enough that paying someone else to launch an attack will still be a crime – with a maximum penalty of 10 years in prison. "Even supplying the software tools to launch an attack or offering access to a botnet could get you up to two years in prison," he said.
But Robertson said we should not expect to see a drop in computer crime. "Having clear laws in place is only part of the issue," he said. "The bigger problem is catching the criminals."
He says that the existing laws have stood the test of time quite well. "Most malicious hacking activity is a crime under the 1990 Act. Distributed Denial of Service attacks almost certainly breach the existing Act, too – because such attacks tend to involve compromising many other computers, instructing each computer to attack a single target at the same time. Only plain-vanilla Denial of Service attacks seem to fall through the gaps in the legislation."
But practical problems prevent prosecutions.
"Many attacks come from overseas. If someone in Russia launches the attack on a British business, they will be committing an offence in UK law; but bringing them to justice requires cooperation between UK and Russian law enforcement authorities and also extradition proceedings. Law enforcement simply does not have the resources to deal with every crime of this type."
The new Bill is expected to have its Second Reading in the week commencing 6th February and Mr Harris expects it to reach the Statute book in the Autumn.