The UK’s primary legislation dealing with cyber crime, the Computer Misuse Act 1990, has recently come under scrutiny from the All-Party Parliamentary Internet Group (Apig). Apig’s overall purpose is to encourage the use of the internet in the UK and to act as a forum for discussion between industry and government on internet-related issues. The public inquiry it launched earlier this year aims to take into consideration the opinions of UK businesses, those in IT security and representatives of the Government, with a view to making recommendations as to whether the act needs to be updated.
What does the act cover? Essentially, it imposes criminal sanctions for unauthorised access to or modification of ‘computer material’ (Sections 1 and 3). Additional sanctions are imposed where the computer material is accessed as a preliminary to the commission of another crime – blackmail, for example (Section 2). Each of these offences requires that the offender intended to access or modify the computer material and knew that they were unauthorised in doing so. This, in itself, will often be difficult to prove, as computer viruses and other similar mechanisms for impairing or disrupting computer systems are often specifically designed to be spread unwittingly to and from the computers of innocent third parties.
These evidential difficulties aside, a major criticism of the act is that it fails to address modern, online criminal activities, such as denial of service (DoS) attacks. A DoS aims to prevent the use of the target, such as a company’s website, by its legitimate users, by overloading its systems or causing it to crash. Such attacks, which appear to be on the increase, can cause a great deal of embarrassment and considerable financial loss to the target entity. Although various technologies exist that protect against DoS attacks, critics of the act – which include the Confederation of British Industry – take the view that its provisions need updating specifically to cover DoS. They claim that it is unclear as to whether the originator of a DoS can be prosecuted under the act, as, arguably, these attacks amount to neither unauthorised access to nor modification of computer material. For example, a DoS may take the form of thousands of hits being instantaneously made on a website, which will eventually cause the site to crash and this would not seem to constitute either unauthorised access to or modification of that site.
Despite the increased number of DoS attacks, so far there has been only one DoS-related case brought under the act, which involved an attack on the US Port of Houston’s computer systems. In this instance, the defendant was acquitted, as the jury seemingly believed his defence that a foreign computer program had installed itself on his computer and that it was this program that was responsible for the attack.
Whether a DoS-related offence can be tried under the act was apparently not at issue in this case, and other commentators have said that the instigators of DoS attacks could be prosecuted under the existing legislation simply by judges and magistrates taking a common sense approach to applying the existing definitions and categories of offence under the act to emergent technologies.
Having heard oral evidence from the representatives of the Government, UK business and the IT industry, the Apig is to deliver its report imminently. In addition to considering whether the offences and definitions in the act need to be updated, Apig is also to consider whether the penalties under it should be increased and whether it meets international treaty obligations. Its critics hope that the inquiry will result in a new cyber crime bill in time for the Queen’s Speech in November.
Either way, as the Home Office puts the finishing touches on its E-Crime Strategy, into which the recommendations of the inquiry will be fed, the debate looks set to continue on whether the existing regime in the UK is adequate to cope with the fight against cyber crime.
Paul Barton was assisted in this article by Field Fisher Waterhouse associate Liz McSweeney