This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://management.silicon.com/government/0,39024677,39121838,00.htm


Cheat Sheet: The Computer Misuse Act
Update - legislating against fraudsters, hackers and DoS...

By Natasha Lomas and Will Sturgeon

Published: Wednesday 29 November 2006

The Computer Misuse Act... I think I can work out what that is...
Indeed, it is a reasonably self-explanatory article of UK legislation.

So is it a new thing?
Not at all, it dates back to 1990.

Blimey, it must be covered in a thick layer of dust by now…
Until very recently it was indeed languishing unloved at the back of the proverbial cupboard. But it's just had a much-needed facelift.

Ooh, tell me more…
Then I'll have to tell you about the Police and Justice Act 2006.

What, another law?! Oh go on then.
The Police and Justice Act 2006, which gained Royal Assent on 8 November, is the focus of the government's police reform strategy. It establishes a National Policing Improvement Agency (replacing the Police Information Technology Organisation) and - among other things - gives police officers new stop-and-search powers and hands a raft of new powers and functions to police authorities. The Home Office line runs that it will "help build safer communities".

But what's all this got to do with the CMA?
I'm just getting to that. As well as being the vehicle for delivering Labour's police reforms, the Police and Justice Act contains amendments to the Computer Misuse Act. Specifically sections 33 to 36 of the Police and Justice Act - which amend sections one and three of the CMA. So the Home Office line should be read as 'safer online communities' too.

Give me the lowdown.
Section 33 of the Police and Justice Act increases the penalty for hacking from six months to two years in jail. This was a key recommendation of the All Party Internet Group (Apig) which had talked about the need to take "firm action to deal with those who maliciously attack systems and compromise data". In addition, by extending the jail term to two years, hacking becomes an extraditable offence and that is very important when dealing with the global threat of cyber crime.

Another key amendment is section 34, which replaces section three of the CMA - closing the loophole around denial of service (DoS) attacks by changing the wording so it legislates against "unauthorised acts with intent to impair operation of a computer, etc".

What was this loophole of which you speak?
While a DoS attack is undoubtedly disruptive, it does not involve data modification - so this type of cyber attack fell between the wording of the old CMA, which only criminalised those who intentionally gained unauthorised access to, or modified, data or any program held in a computer. This meant prosecutions of alleged perpetrators of email bombs and the like proved troublesome under the old law.

But not any more?
Well, judge for yourself. The wording of section 34 of the Police and Justice Act runs to six clauses and specifies that offenders need not direct an "intent" against a particular computer, program, piece of data or type of program in order to be deemed guilty. Moreover a person is guilty of an offence if "he does any unauthorised act in relation to a computer" - and regardless of whether or not the impact on operational performance (or access) is temporary or permanent.

Bingo.
Wait - there's more. Those found guilty of denial of service attacks can now expect up to a decade in the slammer.

Yikes. What else?
Section 35 of the Police and Justice Act deals with "making, supplying or obtaining articles for use in computer misuse offences" - which translates into the criminalising of a whole new swathe of IT society. This addition has proved somewhat controversial. In fact, a Tory peer criticised the amendment to the then Bill as "pure idiocy" and "absolute madness", arguing it could criminalise both the police and innocent IT professionals who build or make available programs which are then used for hacking. Academics and industry experts also expressed concerns that IT pros might end up on the wrong side of the law. Time will tell whether these fears were baseless or not.

So is the shiny new CMA going to scythe through the cyber criminal underworld like the grim reaper on judgement day?
If only. The DoS loophole was certainly an embarrassing loose end that needed tying but this type of crime is not committed through ignorance. Apig has claimed "publicity about the new offence will reach DoS attackers and some will be deterred by knowing that their actions are clearly criminal". To say that's naïve is an insult to the naïve. The Russian mafia, widely linked with DoS attacks against UK bookies, are hardly likely to throw up their hands in despair and say 'oh well Dmitri, we had a good innings but now there's this new CMA let's call it a day'.

And while the tougher prison sentences for hacking and DoS should be applauded - and may prove a minor deterrent for small-time cyber crooks - criminal behaviour is never going to be eradicated by legislation alone. Any law needs to be backed up with law enforcement - and that means resources. In the words of Simon Janes, former head of Scotland Yard's Computer Crime Unit, the police are currently "woefully" under-resourced and are "a long way from effectively and efficiently investigating and solving computer crimes".

