Enforcement is key to fighting cybercrime

Leave law alone and feel more collars, MPs' report concludes

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Analysis The publication of a review of Britain's cybercrime laws by an influential group of MPs and peers this week has been welcomed by the IT industry. Broad agreement with the All Party Internet Group's (APIG) conclusion that the Computer Misuse Act 1990 needs only minor reforms have been matched with widespread calls for tougher enforcement action against cybercriminals.

APIG concluded that the CMA had stood the test of time well. Although written before widespread use of the Internet its provisions covered most cyber crimes just as the Theft Act, for example, covers the theft of mobile phones and other devices not even dreamt of by the legislators who drafted that law. APIG limited its recommendation to the introduction of a specific new "denial of service" offence - a grey area in the current law - and tougher sentences for hackers convicted under Section One of the Act. MPs would also like to see steps to encourage private prosecutions of cybercrime offences.

Offences under Section One of the CMA, unauthorised access to computers, would be punishable by up to two years' imprisonment instead of just six months, if APIG's recommendations are taken up by the Home Office. The higher sentences would allow the UK to seek extradition of individuals suspected of Section One (hacking) offences. Penalties for offences under other sections of the Act - unauthorised access with intent to commit further offences (Section Two) and unauthorised modification of computer material (section Three) - would remain punishable by a maximum of five years' imprisonment.

A good start but more work needed

APIG's recommendations follow a public hearing with industry, Government and public figures in April into how the law could tackle the increase in computer crime. Security services firm Ubizen believes the proposed revisions should help clear up some of the grey areas that exist within the CMA, but that there is still more that should be done.

"The recommendation to increase length of sentencing under section one of the CMA to up to two years, and thus enable the UK to extradite cyber criminals from abroad, is definitely a step in the right direction," said Bart Vansevenant, director of European security strategies at Ubizen. "Many hacking groups operate out of countries in Eastern Europe, and it has been very difficult for the UK authorities to bring them to justice. Hackers in these countries have previously regarded the UK as a 'soft target', so it is good news that this issue is finally being addressed."

Other observers questioned whether tougher laws would have much effect on international hacking activity. Alan Lawson, research analyst at Butler Group, said: "Marginally increased powers for section one hacking offences and explicit denial of service offences may discourage 'joyrider' hackers and stimulate legal prosecutions but is not strong enough to prevent any significant illegal activity. Hardened criminals will continue to ignore the present legislation."

Act locally, think globally

Cybercrime is an international problem that requires an international response. Ubizen would also like to see improved integration of international computer crime laws, the promotion of increased public awareness of cybercrime threats (such as phishing) and California-style laws to oblige companies to tell their customers if confidential details have been accessed. "If companies are obliged to publish when consumers' details have been accessed, a culture of openness will evolve and it will become more acceptable to admit to being a victim of cybercrime," said Ubizen's Vansevenant.

Computer crimes are frequently online variants of established crimes, like fraud and blackmail. A failure to feel enough collars rather than a lack of applicable laws is blamed for the relative rarity of cybercrime prosecutions. The reluctance of victims of cybercrime to come forward is a big problem in this area.

Simon Janes, a former head of Scotland Yard's Computer Crime Unit, reckons that UK businesses typically only report five to seven per cent of all computer-based crimes to the police. "Around 93-95 per cent of all cybercrimes go unreported because companies rate unwanted publicity as potentially more damaging to their business than the incident itself. The report offers recommendations toward allowing private prosecutions however I believe that it should go one step further by facilitating and legitimising private cyber investigations," he said.

More resources needed but who will pay/

Janes, operations director of computer forensic firm ibas, and a witness to its inquiry, warns that the UK is facing a critical shortage of trained computer forensic investigators both within law enforcement and in the private sector.

"Whilst the report's recommendations on reforming the Computer Misuse Act are a welcome first step, I am disappointed The All Parliamentary Group has not offered any solution as to how resources can be increased for specialist training for law enforcement agencies," he said.

APIG also recommends a number of other initiatives to tackle new forms of computer-related crime such as "phishing" attacks and spyware. Sometimes it is appropriate to look outside the CMA in tackling cybercrime offences. Measures in the Fraud Bill expected in November, for example, will make it an offence to set up a bogus website prior to sending out phishing emails, a move that will make police action in this arena far more straightforward.

The MPs' recommendations were welcomed by the Home Office, which has announced its intention to review the CMA and bring forward amendments to the Act. Although APIG's report pushes the issue of cybercrime further up the political agenda it's still unclear if changes in computer crime legislation will be prioritised by the Home Office ahead of a general election, likely to take place in April or May next year. ®

APIG's Key Recommendations

  • Add a denial-of-service (DoS) offence to the Computer Misuse Act
  • Increase the tariff for CMA section One (hacking) offences from six months to two years
  • Ensure that the Director of Public Prosecutions (DPP) "sets out a permissive policy for private prosecutions" under the CMA
  • Provide educational material about the Computer Misuse Act (CMA) on the Home Office website
  • Improve information on cybercrime by using statistical sampling to more accurately estimate levels of computer crime
  • Introduce a new Fraud Bill - reforming the law on fraud rather than computer crime might be a better way to deal with some offences

Related stories

MPs demand big stick for hackers
MPs urged to reform cybercrime laws
MPs hold inquiry into UK computer crime law
US should follow EU lead on spam MPs
UK police lack e-crime savvy officers
Small.biz told to swot up on Net security

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.