More laws to fight cybercrime are likely to be counter-productive, but existing laws must be urgently updated if cybercrime is to be effectively tackled, according to a leading IT thinktank.
Eurim, the European Information Society Group, which counts more than 100 MPs and MEPs among its members and a similar number of industry representatives, delivered the warning in a briefing document at the Infosec security conference in London on Wednesday.
In the briefing document, called E-Crime - a New Opportunity for Partnership, the group said the best way forward is not through extra, more confusing primary legislation, but through industry participation in reviewing and updating existing laws.
Among its recommendations, Eurim said that the Home Office should coordinate constructive dialogue between all stakeholders and that the Law Commission must urgently review existing UK legislation to establish what changes are needed to ensure that e-crimes can be prosecuted effectively.
Many experts agree that current legislation is inadequate. David Spinks, director of information assurance at outsourcing giant EDS, said there is no need for more legislation from a business perspective. "But we do see a need for better legislation that is applied more sensibly -- we see some legislation coming through that will impose more expenditure on big businesses and can't see why law enforcement needs it."
Peter Sommer, a specialist advisor to the Trade and Industry Select Committee on the E-Commerce Bill, agreed on the need for an update to current laws. "The Computer Misuse Act is in serious need of updating," he said. "What is wrong with the Computer Misuse Act is that it relies on a concept of unauthorised access and modification to computers, and on the Internet it may not always be obvious to a visitor what is authorised and what is not."
Sommer said an even more problematical part of the Act is its inability to deal with the threat of denial of service attacks, where an aggressor effectively disables a server by flooding it with -- often malformed -- requests. "Denial of service attacks entail neither unauthorised access nor modification," he said. Sommer added that he did not expect to see a Part II of the Act, "but there is scope to get something squirrelled into a general purpose criminal justice bill."
Introducing the briefing document, the MP for North East Milton Keynes, Brian White, who is chairman of Eurim, said cybercrime is becoming an increasingly serious issue, "which both the government and the private sector need to tackle in partnership." The Home Office minister David Blunkett, said White, is very aware of the need. "But there is limited time and many competing issues, so we're suggesting the way forward is not necessarily (a new) Computer Misuse Act but to use other legislation and do it piecemeal rather than in one big bang."
White said talks have been going on since 11 September to address these issues, "so I'm optimistic that in the next session or the near future we may see some changes."
One major problem is that the ineffectiveness of current laws in dealing with new online crimes, or conventional crimes committed online, is drawing the attention of criminals, according to EDS' Spinks. "We want more aggressive law enforcement in finding the criminals, compiling evidence and pursuing prosecutions," said Spinks. "At the moment organised criminals are looking at the Internet and saying: 'Hey, I'm not going to get caught.'" Spinks added that once law enforcement agencies have compiled evidence, the sentences must be made applicable to the crime. "At the moment we see trivial sentences. There is no deterrent, and so the Internet is seen by organised criminals as a soft target."
The police welcomed the report, but said the picture is not as bleak as some paint it. "The document gives us positive ways of going forward," said Tony Neate of the National Hi-Tech Crime Unit. There are new opportunities for partnership, and as for a joined-up approach to legislation, he said the NHTCU is constantly talking to the Home Office, "so they do know exactly what the situation is."
Neate said the NHTCU is getting increasingly experienced at investigating and prosecuting criminals who use the Internet. In its first year, the unit has completed 11 operations, made 29 arrests and has captured three terabytes of data.
On the issue of denial of service attacks, Neate said the Unit has been advised that it can prosecute these. "Anybody out there who thinks they can commit a DoS attack and not be prosecuted is wrong. We will look at the case, investigate and prosecute."