MP pitches Denial of Service law to Parliament

'Treat these attacks with the seriousness they deserve'

Derek Wyatt MP, Chairman of the All Party Parliamentary Internet Group (APIG), will try to persuade Parliament next month that the country's 15-year-old Computer Misuse Act needs updating, to increase penalties for hackers and to criminalise denial of service attacks.

The Labour MP for Sittingbourne and Sheppey said today that his Ten Minute Rule Bill – a type of bill offering a back bench MP just 10 minutes to pitch legislation to the House of Commons – is scheduled for a hearing on 5 April.

Wyatt's bill picks up on two main recommendations in last summer's APIG report on the 1990 Act: to add a specific Denial of Service (DoS) offence; and to increase the sentence for hacking – where no manipulation of data or further crime takes place – from six months to two years. Aggravated hacking offences would still carry up to five years in prison.

A DoS attack involves flooding a server with data – sometimes just thousands of emails – to the point where it collapses. More advanced attacks are launched from several machines – known as Distributed DoS, or DDoS attacks.

The consensus is that the Computer Misuse Act probably covers some DDoS attacks, because third party computers are compromised without permission. Whether a plain-vanilla DoS attack is covered is a moot point. The relevant wording in the current Act is that it's an offence to cause "an unauthorised modification of the contents of any computer". Some say a DoS attack amounts to a "modification"; others disagree.

APIG, which exists to provide a discussion forum between new media industries and parliamentarians, wants to remove the ambiguity. It also wants to send a clear signal to the police, Crown Prosecution Service and the courts that DoS attacks should be taken seriously. And it hopes that publicity about the new offence will deter potential attackers by making it explicit that their actions are clearly criminal.

This is the second attempt to tack a DoS extension onto the Computer Misuse Act. The first was a Private Member's Bill introduced by the Earl of Northesk in 2002; but like most Private Members' Bills, it failed. And Derek Wyatt has no illusions about his Ten Minute Rule bill becoming an Act in the short term.

Due to the brevity of the pitch, the Ten Minute Rule bill is a process generally used as a means of making a point on the need to change a law. It's also an opportunity to gauge Parliamentary opinion. Notice of the bill is circulated and one opposing motion is allowed in the House.

Wyatt explained: "The All Party Group was hoping that an MP would have picked this up as part of the Private Members' allocation for bills, but sadly no-one did, so it seemed sensible, given the work we undertook last year, to at least place on record what we think the Bill should look like in the hope that the Government will come back to it after the General Election."

His Computer Misuse Act 1990 (Amendment) Bill says it would be an offence to do something without authority which causes or which is intended to cause "directly or indirectly, an impairment of access to any program or data held in any computer".

'Seriousness they deserve'

This much is similar to the Earl of Northesk's bill of the same name. But that version went no further, and was criticised for being too wide. Wyatt's version specifies that there must be "intent to damage the performance of an activity for which the relevant computer, or any program or data held on that computer, is used."

Wyatt's bill also suggests a maximum sentence of two years for a basic DoS or DDoS attack. The Earl of Northesk's would have applied the Act's maximum sentence of five years. But with Wyatt's bill, where there is intent to commit further offences, the penalty would be five years. This might apply to those who launch attacks and try to blackmail the victim with the threat of further attacks.

Richard Allan MP, Liberal Democrat spokesman for IT, and Vice Chairman of APIG said: "This reform is necessary if we are to treat these attacks with the seriousness which they deserve."

The Computer Misuse Act has been used in a jury trial over a DDoS attack. But it has only happened once. Dorset teenager Aaron Caffrey was acquitted in 2003, after convincing a jury that he was not responsible for the attack that hit the computer systems of the Port of Houston in Texas. Aaron Caffrey gives his first interview in the latest edition of OUT-LAW Magazine, out next week. Caffrey says that the Act should be scrapped, not amended.

The UK's second high-profile DoS case may take place later this year: in January, Matthew Anderson appeared in Elgin Sheriff Court, Scotland, facing charges under the Act. He is accused of carrying out DoS attacks as part of an extortion plot that targeted companies in Scotland and the US. But it is early days in that case: there is no guarantee that it will go to trial.

Scotland also has a common law offence of "malicious mischief" that could possibly be used to prosecute DoS attacks. Wyatt's bill excludes Scotland, but not because of this extra law. The most likely reason is that, while the Computer Misuse Act applies to Scotland, changes to it now fall within the devolved powers of the Scottish Parliament.

Jon Fell, a partner with Pinsent Masons, the law firm behind OUT-LAW.COM, said of the new bill: "It's disappointing that APIG's recommendations never made Parliament's agenda, despite assurances from the Home Office at the time that they would be given full consideration. The aim of today's bill is laudable: we need clarity on how the law treats DoS attacks. But the biggest problem is not the lack of laws to deal with computer crime. The biggest problem is catching the criminals."

Copyright © 2005, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Related links

Derek Wyatt's bill of 2005 (5-page PDF)
Earl of Northesk's bill of 2002 (2-page PDF)
Computer Misuse Act 1990