The U.K. government is proposing changes to an existing law that it says will bolster the ability to prosecute hackers and put them in prison longer.
Analysts question whether the moves will constrict an explosive growth in costly cybercrime.
The U.K. has sought to tighten the Computer Misuse Act of 1990 to more precisely target denial-of-service (DOS) attacks, which have been used to extort operators of online gambling sites.
Other legal cases in recent years have also brought into question whether the law, composed of three sections, was keeping up with rapid changes in technology.
In November, a judge threw out a case against David Lennon, who allegedly crashed his former employer’s e-mail server in a DOS attack in early 2004 using an automated program to send five million messages.
Lennon, who was 16 years old at the time of the attack, told authorities after his arrest he wanted to cause “a bit of a mess up” in the company, court documents said.
The judge said the company’s Web site invited users to send e-mail. He ruled the section of the CMA under which Lennon was charged was intended to deal with Trojan horses, worms and viruses that corrupt or change data, not e-mail.
Last month an appeals court judge sent Lennon’s case back to trial, ruling the volume of e-mail was unwarranted, even if the Web site solicited e-mail. Lennon’s case is pending in Wimbledon Magistrates Court.
The amendments to the CMA are currently being considered in the House of Lords as part of the Police and Justice Bill, a comprehensive law enforcement package.
The changes would increase the maximum penalty for unauthorized modification of a computer, under which DOS attacks could be included, from five to 10 years. The maximum penalty for unauthorized access would be raised to two years, up from six months.
An expanded third section is intended to more thoroughly cover DOS attacks, including new language making it an offense to supply hacking tools knowing the programs might be used to break the law.
But observers view the changes to the CMA as unnecessary. Graham Smith, a partner at law firm Bird and Bird in London and author of “Internet Law and Regulation,” said the act is broad enough to cover most breaches. Further, Lennon’s case has added clarity to prosecution of DOS attacks, Smith said.
“We already have what is probably the most broadly drafted and all-encompassing antihacking legislation in the entire world,” Smith said. “I’ve always been of the view that what is required is a willingness on the part of the prosecution to bring cases.”
The Crown Prosecution Service (CPS) can’t comment on pending legislation, a spokesman said. But on Tuesday, the CPS issued a statement saying its lawyers are undergoing special cybercrime training in areas such as Trojan horse programs, viruses and IRC (Internet Relay Chat).
CPS also addressed its ability to bring cases, saying it would use legislation “creatively” to disrupt organized crime. The CPS, which has upward of 150 prosecutors trained in dealing with high-tech crime, does not keep specific statistics on how many people have been prosecuted under the CMA.
Cybercrime cases are notoriously difficult to investigate since criminals have found complex, technical ways to avoid detection. Hackers are increasingly commandeering vulnerable computers in other countries, using them to send spam messages containing programs that can record keystrokes.
If those programs are run by a user, credit card data and login credentials could be sent back to the hacker.
A former British hacker, Robert Schifreen, said police generally have no idea what to do if someone called and said they have a virus on their computer.
Schifreen’s hacking of an online system from BT Group PLC in the mid-1980s spurred legislative moves for a U.K. computer crime law.
“At the end of the day, the police don’t have the manpower or the skills to prosecute the hackers anyway, so having better legislation I don’t think is going to do any good,” said Schifreen, author of “Defeating the Hacker.” “Most computer crime doesn’t get prosecuted.
“The problem with all legislation is that times change and technology moves on, and however you frame legislation, it’s going to be irrelevant fairly quickly and confusing fairly quickly,” Schifreen said.
The U.K. recently folded its national computer crime unit, the National Hi-Tech Crime Unit, into a new agency, the Serious Organized Crime Agency. The consolidation, authorities said, would not affect high-tech investigations, despite concerns resources might be diverted.
A survey commissioned by the Department of Trade and Industry this year found security incidents and breaches cost U.K. businesses up to