Industry experts are calling for changes to the UK Computer Misuse Act (CMA) after a teenager accused of crashing his former employer’s email server walked free from court last week.
The teenager, who cannot be named for legal reasons, was accused of flooding email servers at the insurance firm he worked for by sending five million emails.
Despite being charged under Section Three of the Act – which criminalises unauthorised access to or modification of computer systems – the courts ruled that the teenager’s actions did not break the law.
It was alleged that he used email ‘bombing’ software called Avalanche, but District Judge Kenneth Grant of Wimbledon Magistrates Court ruled that no offence was committed under the Act, which dates back to 1990.
The teenager’s defence lawyers claimed that email servers are designed to receive emails, and that what happened did not constitute unauthorised modification.
In a written ruling the judge said: ‘In this case the individual emails sent each caused a modification which was in each case an “authorised” modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by Section Three.’
The ruling highlights a clear need for changes to the CMA, says Peter Sommer, senior research fellow at the London School of Economics, who appeared as an expert witness in the case.
‘For the avoidance of doubt, we need to address this area that did not really exist when the Computer Misuse Act was being drawn up in the late 1980s,’ he said. ‘We ought to have a new clause in the Act to explicitly focus on denial of service.’
Arthur Wong, vice president of security response at anti-virus vendor Symantec, says legislation is struggling to keep up with the changing nature of internet threats.
‘This underscores the need legally for a greater understanding of the threats that are out there, so that they can be better defined and enforced,’ he said.
Parliamentary lobby group the All Party Internet Group (Apig) has been calling for changes to the Act for a number of years.
In July this year, Glasgow South MP Tom Harris introduced a 10 Minute Rule Bill into the House of Commons, calling for clarification on parts of the Act and stiffer penalties for internet criminals (Computing, 21 July). This followed a similar motion by Apig chairman Derek Wyatt MP in April.
‘Those who regularly and increasingly hold web site operators to ransom are more likely to be members of an organised crime syndicate than the school computer club,’ Harris told MPs at the time. ‘It’s time that cyber crime was recognised for the serious crime that it is.’
Among the amendments that Apig is proposing is the inclusion of a section on denial of service attacks – see box, below.
While existing legislation requires people to modify content or gain unauthorised access to systems before they can be prosecuted, the amendment proposes a clause where people can be prosecuted for impairing access to programs or data.
‘The 1990 Computer Misuse Act is outdated and badly in need of revision,’ said Wyatt. ‘My 10 Minute Rule Bill proposed amending it to include denial of service attacks following an inquiry by Apig into the issue. This case is a clear example of why such a revision is urgently required.’
With the government signed up to the Council of Europe’s cyber crime convention, it should be only a matter of time before denial of service is listed as a crime.
The convention, backed by the UK, the US and a number of other countries, looks to promote a common criminal policy for protecting society against cyber crime. It includes all participating countries adding denial of service to their statute books as an offence.
‘As the internet plays an ever greater role in our lives, cyber crime becomes ever more threatening,’ says Wyatt. ‘The Computer Misuse Act as it stands simply isn’t comprehensive enough.’
Proposed changes to the Computer Misuse Act
In March 2004, the All Party Internet Group (Apig) launched an inquiry into the 1990 Computer Misuse Act (CMA) to identify areas where the Act could be updated to tackle new threats faced by today’s computer users.
MPs Derek Wyatt and Tom Harris have both tried to propose changes in the House of Commons through 10 Minute Rule Bills, but have yet to be successful.
The Home Office is now committed to trying to introduce changes to the CMA.
Apig suggests several additions, which it says will send a clear signal to police, the Crown Prosecution Service and courts that attacks should be taken seriously. Apig says potential incidents may also be deterred when attackers realise their actions are criminal.
Suggestions include raising the sentence for hacking from six months to two years, and adding a clause that makes denial of service attacks an extraditable offence.
Some 14 per cent of UK firms suffered some form of denial of service attack last year, according to the National Hi-Tech Crime Unit.




