Outage

Cheat Sheet: The Computer Misuse Act

Update - legislating against fraudsters, hackers and DoS...

The Computer Misuse Act... I think I can work out what that is...
Indeed, it is a reasonably self-explanatory article of UK legislation.

So is it a new thing?
Not at all, it dates back to 1990.

Blimey, it must be covered in a thick layer of dust by now…
Until very recently it was indeed languishing unloved at the back of the proverbial cupboard. But it's just had a much-needed facelift.

Ooh, tell me more…
Then I'll have to tell you about the Police and Justice Act 2006.

Want more photos?

Click here to browse the full archive of our photo stories.

What, another law?! Oh go on then.
The Police and Justice Act 2006, which gained Royal Assent on 8 November, is the focus of the government's police reform strategy. It establishes a National Policing Improvement Agency (replacing the Police Information Technology Organisation) and - among other things - gives police officers new stop-and-search powers and hands a raft of new powers and functions to police authorities. The Home Office line runs that it will "help build safer communities".

But what's all this got to do with the CMA?
I'm just getting to that. As well as being the vehicle for delivering Labour's police reforms, the Police and Justice Act contains amendments to the Computer Misuse Act. Specifically sections 33 to 36 of the Police and Justice Act - which amend sections one and three of the CMA. So the Home Office line should be read as 'safer online communities' too.

Give me the lowdown.
Section 33 of the Police and Justice Act increases the penalty for hacking from six months to two years in jail. This was a key recommendation of the All Party Internet Group (Apig) which had talked about the need to take "firm action to deal with those who maliciously attack systems and compromise data". In addition, by extending the jail term to two years, hacking becomes an extraditable offence and that is very important when dealing with the global threat of cyber crime.

Another key amendment is section 34, which replaces section three of the CMA - closing the loophole around denial of service (DoS) attacks by changing the wording so it legislates against "unauthorised acts with intent to impair operation of a computer, etc".

What was this loophole of which you speak?
While a DoS attack is undoubtedly disruptive, it does not involve data modification - so this type of cyber attack fell between the wording of the old CMA, which only criminalised those who intentionally gained unauthorised access to, or modified, data or any program held in a computer. This meant prosecutions of alleged perpetrators of email bombs and the like proved troublesome under the old law.

But not any more?
Well, judge for yourself. The wording of section 34 of the Police and Justice Act runs to six clauses and specifies that offenders need not direct an "intent" against a particular computer, program, piece of data or type of program in order to be deemed guilty. Moreover a person is guilty of an offence if "he does any unauthorised act in relation to a computer" - and regardless of whether or not the impact on operational performance (or access) is temporary or permanent.

Bingo.
Wait - there's more. Those found guilty of denial of service attacks can now expect up to a decade in the slammer.

Yikes. What else?
Section 35 of the Police and Justice Act deals with "making, supplying or obtaining articles for use in computer misuse offences" - which translates into the criminalising of a whole new swathe of IT society. This addition has proved somewhat controversial. In fact, a Tory peer criticised the amendment to the then Bill as "pure idiocy" and "absolute madness", arguing it could criminalise both the police and innocent IT professionals who build or make available programs which are then used for hacking. Academics and industry experts also expressed concerns that IT pros might end up on the wrong side of the law. Time will tell whether these fears were baseless or not.

So is the shiny new CMA going to scythe through the cyber criminal underworld like the grim reaper on judgement day?
If only. The DoS loophole was certainly an embarrassing loose end that needed tying but this type of crime is not committed through ignorance. Apig has claimed "publicity about the new offence will reach DoS attackers and some will be deterred by knowing that their actions are clearly criminal". To say that's na

0 comments

Editor's Picks