MP pitches Denial of Service law to Parliament

'Treat these attacks with the seriousness they deserve'


Derek Wyatt MP, Chairman of the All Party Parliamentary Internet Group (APIG), will try to persuade Parliament next month that the country's 15-year-old Computer Misuse Act needs updating, to increase penalties for hackers and to criminalise denial of service attacks.

The Labour MP for Sittingbourne and Sheppey said today that his Ten Minute Rule Bill – a type of bill offering a back bench MP just 10 minutes to pitch legislation to the House of Commons – is scheduled for a hearing on 5 April.

Wyatt's bill picks up on two main recommendations in last summer's APIG report on the 1990 Act: to add a specific Denial of Service (DoS) offence; and to increase the sentence for hacking – where no manipulation of data or further crime takes place – from six months to two years. Aggravated hacking offences would still carry up to five years in prison.

A DoS attack involves flooding a server with data – sometimes just thousands of emails – to the point where it collapses. More advanced attacks are launched from several machines – known as Distributed DoS, or DDoS attacks.

The consensus is that the Computer Misuse Act probably covers some DDoS attacks, because third party computers are compromised without permission. Whether a plain-vanilla DoS attack is covered is a moot point. The relevant wording in the current Act is that it's an offence to cause "an unauthorised modification of the contents of any computer". Some say a DoS attack amounts to a "modification"; others disagree.

APIG, which exists to provide a discussion forum between new media industries and parliamentarians, wants to remove the ambiguity. It also wants to send a clear signal to the police, Crown Prosecution Service and the courts that DoS attacks should be taken seriously. And it hopes that publicity about the new offence will deter potential attackers by making it explicit that their actions are clearly criminal.

This is the second attempt to tack a DoS extension onto the Computer Misuse Act. The first was a Private Member's Bill introduced by the Earl of Northesk in 2002; but like most Private Members' Bills, it failed. And Derek Wyatt has no illusions about his Ten Minute Rule bill becoming an Act in the short term.

Due to the brevity of the pitch, the Ten Minute Rule bill is a process generally used as a means of making a point on the need to change a law. It's also an opportunity to gauge Parliamentary opinion. Notice of the bill is circulated and one opposing motion is allowed in the House.

Wyatt explained: "The All Party Group was hoping that an MP would have picked this up as part of the Private Members' allocation for bills but sadly no-one did so it seemed sensible given the work we undertook last year to at least place on record what we think the Bill should look like in the hope that the Government will come back to it after the General Election."

His Computer Misuse Act 1990 (Amendment) Bill says it would be an offence to do something without authority which causes or which is intended to cause "directly or indirectly, an impairment of access to any program or data held in any computer".

'Seriousness they deserve'

This much is similar to the Earl of Northesk's bill of the same name. But that version went no further, and was criticised for being too wide. Wyatt's version specifies that there must be "intent to damage the performance of an activity for which the relevant computer, or any program or data held on that computer, is used."

Wyatt's bill also suggests a maximum sentence of two years for a basic DoS or DDoS attack. The Earl of Northesk's would have applied the Act's maximum sentence of five years. But with Wyatt's bill, where there is intent to commit further offences, the penalty would be five years. This might apply to those who launch attacks and try to blackmail the victim with the threat of further attacks.

Richard Allan MP, Liberal Democrat spokesman for IT, and Vice Chairman of APIG said: "This reform is necessary if we are to treat these attacks with the seriousness which they deserve."

The Computer Misuse Act has been used in a jury trial over a DDoS attack. But it has only happened once. Dorset teenager Aaron Caffrey was acquitted in 2003, after convincing a jury that he was not responsible for the attack that hit the computer systems of the Port of Houston in Texas. Aaron Caffrey gives his first interview in the latest edition of OUT-LAW Magazine, out next week. Caffrey says that the Act should be scrapped, not amended.

The UK's second high profile DoS case may take place later this year: In January, Matthew Anderson appeared in Elgin Sheriff Court, Scotland, facing charges under the Act. He is accused of carrying out DoS attacks as part of an extortion plot that targeted companies in Scotland and the US. But it is early days in that case: there is no guarantee that it will go to trial.

Scotland also has a common law offence of "malicious mischief" that could possibly be used to prosecute DoS attacks. Wyatt's bill excludes Scotland, but not because of this extra law. The most likely reason is that, while the Computer Misuse Act applies to Scotland, changes to it now fall within the devolved powers of the Scottish Parliament.

Jon Fell, a partner with Pinsent Masons, the law firm behind OUT-LAW.COM, said of the new bill: "It's disappointing that APIG's recommendations never made Parliament's agenda, despite assurances from the Home Office at the time that they would be given full consideration. The aim of today's bill is laudable: we need clarity on how the law treats DoS attacks. But the biggest problem is not the lack of laws to deal with computer crime. The biggest problem is catching the criminals."

Copyright © 2005, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Related links

Derek Wyatt's bill of 2005 (5-page PDF)
Earl of Northesk's bill of 2002 (2-page PDF)
Computer Misuse Act 1990
