The UK Government's cyber-crime strategy came under the spotlight in the fading
moments of the last parliament as MP Derek Wyatt introduced a Bill to create
a new offence of denial of service ("DOS") and to extend the penalties

The proposals in the Bill create a specific offence for DOS attacks and increase
the penalty from six months to two years. If the DOS attack is carried out
with the intention of committing or facilitating the commission of a further
offence, the maximum jail sentence increases to five years.

A DOS attack involves a deliberate attempt to stop a machine from working.
This can be done, for example, by bombarding a computer system with a large
volume of email. Alternatively, a hacker could develop protocol fragments that
tie up the machine in performing purposeless tasks. These attacks may be aimed
at the machine itself or its connections. A large number of remote computers
can be used to gang up on a target in what is known as a distributed DOS ("DDOS")

Labour MP Derek Wyatt, who held his constituency of Sittingbourne and Sheppey
in this month's general election, told Parliament that criminal gangs carrying
out DDOS attacks have targeted gambling websites, demanding up to £100,000
to make the attacks stop. Although many of the 4,000 weekly DOS and DDOS attacks
are more benign, computer hacking costs UK businesses an estimated £1
billion a year and strikes at the heart of the software trade. The cost of
cleaning up virus and worm attacks and collateral damage caused by such attacks
may run into the billions.

Mr Wyatt's move followed an all-party internet group inquiry launched in March
2004. The proposal is for an amendment to the Computer Misuse Act 1990 ("Act"),
which first introduced the unauthorised access offence to deal with computer
hackers after it became obvious that the existing criminal law framework was
inadequate to deal with computer crime. The Theft Act 1968, the Forgery and
Counterfeiting Act 1981 and the Criminal Damage Act 1971 were not designed
with computer crime in mind. For example, it was not possible to prosecute
for theft of data under theft legislation and it was not possible to defraud
a computer under fraud legislation. Although destroying files causes damage
to businesses, such activities would not come within the definition of criminal
damage unless the computer itself was physically attacked.

The Act made it an offence to gain unauthorised access to a computer, even
if no damage is done and no files are tampered with. Gaining access to a computer
without authorisation, for example by guessing a password, attracts a maximum
six-month prison sentence and/or a fine of up to £2,000. A more serious
offence of gaining unauthorised access with the intent to commit a further
offence is committed if, for example, a hacker gains access to an online bank
account and transfers money. The maximum penalty for this offence is five years'
imprisonment and a fine. Insiders who change computer settings or delete files
could also face a prison sentence of five years and an unlimited fine, as it
is an offence under the Act to purposely change files on a computer with intent
and without authorisation.

The Act also deals with "intangible damage" and "intangible
acts". Intangible damage includes writing and distributing viruses in
the UK, even if they are not targeted at a particular machine. Intangible acts
include unauthorised modifications that have certain effects, such as impairing
operation (which would include a DOS attack), prevent or hinder access or affect

Computer industry commentators have welcomed legislative reforms but insist
that strict enforcement by criminal and regulatory authorities is imperative
if recent laws aimed at preventing activities such as hacking, phishing and
spamming in the UK are to have a deterrent impact. The Act has also been criticised
for focusing on standalone computers, rather than networks.

When introducing his private members' bill, Mr Wyatt told Parliament that
the all-party internet group had collaborated with the US "because any
measure relating to computers and the internet must now go beyond individual

Computer industry pressure groups are likely to continue lobbying the Government
in its next term to pass the Bill, and possibly even more extensive legislation.
Whether the proposals set out in the Bill are wide and flexible enough to deal
with the ever-growing number of mischiefs that computer saboteurs come up with
remains to be seen.