Clamping down on the cyber criminals

Last week’s decision by the government to introduce stiffer penalties for internet criminals has been welcomed by businesses and politicians.

The Police and Justice Bill, drawn up by the Home Office, calls for a number of changes to the outdated 1990 Computer Misuse Act (CMA). These include prison sentences of up to 10 years for criminals making unauthorised modifications to computers (Computing, 26 January).

If the bill receives support from MPs and passes into law, hackers who try to gain unauthorised access to computer systems could see their sentences rise from six months to two years.

Politicians and IT industry experts have been calling for changes for a number of years.

The Internet Crime Forum, chaired by the head of the National Hi-Tech Crime Unit, detective chief superintendent Sharon Lemon, has been asking for reforms since 2002.

In 2004 the All Party Internet Group, chaired by MP Derek Wyatt, also launched an inquiry to identify areas where the CMA could be updated to tackle new computer security threats. Its key recommendations were taken up by the Home Office last week and included in the bill.

‘The bill will increase penalties for hacking, viruses and other cyber crimes to reflect their severity,’ a Home Office spokeswoman told Computing.

Both Wyatt and fellow MP Tom Harris have also tried to bring changes to the Act through 10-Minute Rule Bills in the House of Commons, but it is widely agreed that amendments are far more likely to come into law if they are included as part of a major piece of legislation (Computing, 10 November).

‘The 10-Minute Rule Bill was a gesture showing that something needed to be done, but it was important that the legislation came through with full government support,’ said Philip Virgo, secretary general of parliamentary lobby group Eurim.

The CMA, drawn up in the late 1980s, is outdated and no longer addresses many of the newer internet crimes, such as denial of service attacks, say critics.

‘In the past it has proven difficult to convict perpetrators of denial of service attacks because of a lack of clarity in the legislation,’ said Harris.

If the Police and Justice Bill passes into law, distributed denial of service attacks and other attempts to interfere with computer systems will also be more clearly criminalised under new computer misuse legislation.

‘The estimated cost to UK business from these sorts of electronic attacks and denial of service is estimated to be more than £3bn and they continue to grow in sophistication,’ said the Home Office spokeswoman.

As well as the cost incurred by UK businesses from damages caused by hackers and virus writers each year, the Home Office has other motives for bringing changes to the legislation.

By amending section three of the CMA to explicitly make denial of service attacks a criminal offence, the UK government is also ratifying its position as a member of the Council of Europe’s cyber crime convention, which sets out a common international approach to prosecuting hackers, virus writers and internet extortionists.