The Police and Justice Bill was put before the House of Commons on 25 January 2006. The main aim of the Bill is to improve the powers and scope of the police force, but a number of its sections look to update the Computer Misuse Act 1990 ("CMA") and, in particular, to make Denial of Service ("DOS") attacks illegal.
DOS attacks can take many forms but are essentially an attempt to disrupt the use of a computer, server or website. Types of DOS attack include: an attempt to flood a server with e-mails or data so that it fails; attempts to disrupt the connection between computers; or a distributed denial of service ("DDOS") attack, in which a large number of unconnected computers all attack a particular target simultaneously. In a DDOS attack the hacker will infect a large number of computers with a virus; the virus enables the hacker to use these computers remotely to flood the targeted server or website with information or requests for data.
DOS and DDOS attacks have become an increasing problem for businesses and according to a parliamentary inquiry in 2001 there were over 4,000 DOS or DDOS attacks each week in the UK. The intensity of DOS attacks was found to vary. Very minor cases result in a network slowing down while more serious attacks can lead to large networks being unusable for a number of hours. Some commentators have suggested that as many as 50% of businesses in the UK have suffered from DOS or DDOS attacks.
In preventing DOS or DDOS attacks one of the biggest considerations for businesses is cost. In 2003 the Internet payment system Nochex received an e-mail threatening an attack on its website unless $10,000 was sent to an offshore bank account. Mr Malik (the founder of Nochex) initially ignored the threat; however, when the website went down an hour later the situation was taken more seriously. The website had been attacked by 115 Mb of data, and Mr Malik decided to contact the attackers (later known to be Russian gangsters) and requested that they give Nochex one hour to come up with the money. In this time Mr Malik arranged for his service provider to protect the system, and this upgrade was immediately successful.
Nochex has since introduced a permanent network-based solution designed by Cisco Systems to safeguard its network and prevent further attacks. This system is very expensive, with estimated initial costs of £20,000 and a further £3,000 required per month. These types of systems, however, are not foolproof, and one of their drawbacks is that they often cannot distinguish between legitimate and illegitimate activity, resulting in genuine traffic being discarded.
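The two points above (a flood of e-mails standing out by sheer volume, and a volumetric filter discarding genuine traffic that merely looks similar) can be seen in a small detector. The following is an added example, not code from the article or from Nochex or Cisco: it runs a per-sender sliding-window rate check over a constructed mail log. The addresses, timestamps, window length and threshold are all assumed values chosen for illustration.

```python
"""Per-sender sliding-window rate detection over a constructed mail log.

Added illustration; the log, addresses, window and threshold are invented.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window length (assumed tuning value)
THRESHOLD = 100                 # messages per window before a sender is flagged (assumed)


def make_sample_log():
    """Construct a synthetic, time-ordered mail log of '<ISO time> <sender> -> <recipient>' lines."""
    base = datetime(2006, 5, 1, 9, 0, 0)
    events = []
    # An ordinary correspondent: five messages spread over an hour.
    for i in range(5):
        events.append((base + timedelta(minutes=12 * i),
                       "user@example.invalid", "staff@victim.invalid"))
    # A mail flood: 500 messages inside ten seconds.
    for i in range(500):
        events.append((base + timedelta(minutes=30, milliseconds=20 * i),
                       "attacker@example.invalid", "staff@victim.invalid"))
    # A legitimate newsletter burst: 150 messages within one minute.
    for i in range(150):
        events.append((base + timedelta(minutes=45, milliseconds=400 * i),
                       "news@list.invalid", "staff@victim.invalid"))
    events.sort()
    return [f"{t.isoformat()} {s} -> {r}" for t, s, r in events]


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient)."""
    ts, sender, _, recipient = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, recipient


def peak_rate_per_sender(lines, window=WINDOW):
    """Return {sender: largest number of messages seen in any `window`-long span}.

    Lines must be in time order; each sender keeps a deque of recent timestamps
    and drops those older than the window before counting.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        ts, sender, _ = parse_line(line)
        q = recent[sender]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[sender] = max(peak[sender], len(q))
    return dict(peak)


def flag_senders(lines, threshold=THRESHOLD, allowlist=frozenset()):
    """Senders whose peak rate exceeds the threshold, minus any explicitly allowed.

    The allowlist stands in for the extra context a pure volume threshold lacks:
    without it, a busy but legitimate sender is discarded along with the flood.
    """
    peaks = peak_rate_per_sender(lines)
    return sorted(s for s, p in peaks.items()
                  if p > threshold and s not in allowlist)


if __name__ == "__main__":
    log = make_sample_log()
    print("peak messages per 60 s window:", peak_rate_per_sender(log))
    print("flagged (rate only):          ", flag_senders(log))
    print("flagged (with allowlist):     ", flag_senders(log, allowlist={"news@list.invalid"}))
```

Run as-is, the rate-only check flags both the flooding sender and the newsletter, which is exactly the false-positive behaviour described above; the allowlist shows the kind of additional signal (known sender, reputation, content) a purely volumetric filter needs before it can be trusted not to discard genuine traffic.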
There has been a considerable amount of speculation surrounding the CMA and whether DOS attacks amount to an offence under the Act.
At the end of last year this was tested in a UK court. The case (DPP v Lennon) involved a teenager who flooded his former employer with over 5 million e-mails. The District Judge considered whether Lennon's actions amounted to an offence under the CMA. The Judge acquitted Lennon on the basis that, although the sending of the e-mails was a modification of his former employer's computer system, it was an authorised modification of the system, which took the attack outside the scope of the CMA.
The most significant alteration that the Police and Justice Bill proposes to make to the CMA is that, instead of an "unauthorised modification" of a computer system, the required element of the offence will be an "unauthorised act". The "act" must be accompanied by both intent and knowledge. This alteration should encompass both a wider range of activities and a wider range of resulting effects. For example, it should mean that a computer system does not have to have suffered any adverse effect before charges can be brought against the perpetrator; therefore, even if a network solution prevents the attack, it may still be possible to press charges against the attackers.
It is unfortunate that the Police and Justice Bill, as currently drafted, does not remove the word "unauthorised", as this was the reason that the case against the teenager failed. However, it is now clear that the intention of the Act is to prevent DOS attacks. This might mean that a Judge can be more comfortable in ruling that a DOS attack is illegal, as it seems quite clear that sending 5 million e-mails in order to disrupt a network is not an authorised use of a system or website.
Whilst the biggest challenge for businesses is the cost of dealing with the attacks, or at least having sufficient IT systems in place, it is to be hoped that this amendment to the CMA will make prosecution for such attacks easier.
Since this article was written the case mentioned above, DPP v Lennon, has been appealed to the Divisional Court, which overturned the decision. The Divisional Court looked at the legal question posed by the case (rather than its facts and the apportionment of guilt). It was held that, although the owner of a computer would ordinarily be taken to have consented to the sending of e-mails to his computer, this implied consent is not without limits. The owner of a computer does not consent to e-mails sent in such large volumes and with the clear intent to affect the operation of the computer system. Lennon (the attacker) must now face trial and, if found guilty, could face a maximum sentence of 5 years and a fine.
This decision will give significant comfort to prosecutors who may be looking to prosecute other attackers, and makes denial of service attacks a clear criminal offence prior to the introduction of the new legislation.
The above article first appeared in the May edition of "CA Magazine".