Feeds

UK bans denial of service attacks

That'll stop 'em

Secure remote control for conventional and virtual desktops

A law was passed last week that makes it an offence to launch a denial of service attack in the UK, punishable by up to ten years in prison.

There had been concern that Britain's Computer Misuse Act, written in the days before the World Wide Web, allowed denial of service attacks to fall through a loophole. These are attacks in which a web or email server is deliberately flooded with information to the point of collapse.

The 1990 legislation described an offence of doing anything with criminal intent "which causes an unauthorised modification of the contents of any computer"; the question was whether that covered denial of service attacks. When a court cleared teenager David Lennon in November 2005 on charges of sending five million emails to his former employer – because the judge decided that no offence had been committed under the Act – the need for amendment seemed obvious.

Lennon's lawyer had successfully argued that the purpose of the company's server was to receive emails, and therefore the company had consented to the receipt of emails and their consequent modifications in data. District Judge Kenneth Grant concluded that sending emails is an authorised act and that Lennon had no case to answer, so no trial took place. That ruling was overturned and Lennon was sentenced to two months' curfew with an electronic tag. But by that time, amendments to the 1990 legislation were already included in the Police and Justice bill.

It was passed yesterday, becoming the Police And Justice Act 2006. The Act also increased the penalty for unauthorised access to computer material from a maximum of six months' imprisonment to two years.

The 2006 Act expands the 1990 Act's provisions on unauthorised modification of computer material to criminalise someone who does an unauthorised act in relation to a computer with "the requisite intent" and "the requisite knowledge."

The requisite intent is an intent to do the act in question and by so doing:

  • to impair the operation of any computer,
  • to prevent or hinder access to any program or data held in any computer, or
  • to impair the operation of any program or data held in any computer.

The intent need not be directed at any particular computer or any particular program or data.

The wording is wide enough that paying someone else to launch an attack will still be a crime, with a maximum penalty of 10 years in prison. Supplying the software tools to launch an attack or offering access to a botnet could be punished with up to two years in prison.

See: The Police and Justice Bill(the relevant clauses are 33 to 36; the Act was not available at the time of writing)asHTML or as a 145-page / 633KB PDF.

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Secure remote control for conventional and virtual desktops

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?