Lord battles government over cybercrime laws

Lord battles government over cybercrime laws

Summary: Lord Northesk wants to protect IT pros and the police from criminalisation, and nail down the law covering denial of service attacks

TOPICS: Security

Sweeping changes to UK computer crime laws have been proposed by a Conservative peer.

Lord Northesk is seeking to amend the Computer Misuse Act (CMA) 1990 to give the police and judiciary greater "legal clarity" when dealing with computer crime.

The proposed changes would alter the law regarding launching denial of service attacks, the creation of tools that could be used for hacking, and bot attacks.

The UK government is currently trying to update the CMA through amendments in the Police and Justice Bill 2006, which will be debated in the House of Lords this week. Northesk has proposed amendments to the government's own amendments.

As it stands, paragraph 1b of Clause 41 of the Police and Justice Bill would make it an offence to release a computer tool that is "likely to be used" in a computer offense. As reported last month, experts are concerned that the government's proposals would have criminalised IT and security professionals who make network monitoring tools publicly available or who disclose details of unpatched vulnerabilities.

Northesk's amendments, if passed, would see this paragraph deleted. He believes that it could even criminalise the police, if they create and distribute tools for forensic investigation.

Northesk is pushing for the concept of recklessness to be introduced into the updated CMA. He is seeking to amend Clause 40 of the Police and Justice Bill so that malicious denial of service (DoS) attacks are criminalised by the CMA but legitimate political protests that slow down servers would not be.

"The key point in Clause 40 is the inclusion of recklessness and intention [in launching attacks]. With effective civil disobedience, a whole series of people petition online [which may cause servers to crash]. Under the current draft this form of legitimate protest may be denied," said Northesk.

"The purpose of the Clause 40 amendment is to address the fundamental issue that a lot of Internet activity — such as electronic civil disobedience — currently comes under CMA."

By introducing the issue of recklessness, Lord Northesk also hopes to protect the police themselves from prosecution. "With [establishing] recklessness there is no bar on forensic hacking," he said.

Northesk has also proposed modifying Clause 39 of the Police and Justice Bill so that Trojan horse software that inserts itself onto a system, allowing remote access by hackers, will be specifically covered by the law.

"The current text of the CMA doesn't deal with bot attacks — inserting software onto a machine that allows remote attacks," said Northesk.

The peer said he hopes the legislation will enable the police and judiciary to better tackle cybercrime, and provide the government with guidance in understanding it.

"I'm a great believer in legal clarity. Too often within government it's not properly understood that which is trying to be achieved. In the desire to future-proof legislation, they tend not to address problems that are sitting there because they are seen as difficult to understand," Northesk told ZDNet UK.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It seems to me that the House of Lords has been very poorly informed overall concerning these matters. Best to sent these cybercrime laws back from where they came from along with the message that they should redo their home work. To go on as things are now would only result in fighting symptoms for just the issues that are obvious (for some) at present. Basically setting yourself up for additional "oversights" in the future.

    I wonder. The text, quote, to release a computer tool that is "likely to be used" in a computer offense, unquote. Might that include Windows? Outlook? MSN? Internet Explorer? Printers? Keyboards? Because such tools are likely to be used in order to test the average attack possibilities. Not to mention the development of.

    In short, stop fighting symptoms. You'll find it much easier to put into law that what resolves causes. A small hint: realistic liability there where it matters.
  • In following the discussion and development of the cybercrime laws I have reached a couple of conclusions. First, it seems that parliament does not understand the problems that it is trying to resolve. Second, the House of Lords is not the bunch of doddery fools that many in parliament would have us believe. Thank heavens for the Lords.