Law may be updated to cover DoS attacks

Concerns that some types of hacking might not be covered by the UK's Computer Misuse Act could prompt changes to the law, following strong lobbying from industry

The government is considering amending the Computer Misuse Act (CMA), amid concern within the Internet industry that denial of service (DoS) attacks may not be covered by the law.

The Home Office, in consultation with groups such as the police and industry representatives, is currently examining ways of updating the CMA, according to a Home Office spokeswoman.

The CMA, which was passed in 1990, makes it a criminal offence to access a computing system unless authorised, to access a computer system without authorisation with the intention of committing a further offence, and to modify computer material without authorisation.

Some experts believe that the CMA does not make it illegal to conduct a denial of service attack, under which a hacker attempts to bring down a Web site by bombarding a server with data traffic, overwhelming it so it cannot carry out its normal functions.

Both the Home Office and the National Hi-Tech Crime Unit (NHTCU) believe that the CMA already outlaws denial of service attacks. But the Home Office has admitted that there is significant concern within the industry over this issue and appears to be accepting that there could be a need for an update; nobody has yet been prosecuted under the CMA for a DoS attack.

"We believe that the act covers most if not all types of hacking attacks, including denial of service attacks. However, we recognise there is a need for more clarity," the Home Office spokeswoman told ZDNet UK News on Wednesday.

Len Hynds, head of the NHTCU, agrees. "Our advice from the Crown Prosecution Service is that denial of service attacks are already covered by the Computer Misuse Act. The key question is whether a system is changed when data stored in the random access memory (RAM) is modified -- our advice is that it is," Hynds said, speaking at the e-crime congress on Monday.

Some in the industry disagree, though. According to Clive Feather, Internet expert at Thus, an urgent review of the law is needed.

"It is unclear whether denial of service is an offence at present. The person perpetrating a denial of service attack is not trying to break into a machine. CMA was written in the days of mainframes, not for the Internet. It needs updating fast," said Feather on Wednesday, giving evidence at an inquiry into data retention held by the UK Parliament's All Party Internet Group.

The Home Office is also currently working with the Crown Prosecution Service, the police and industry representatives, to decide how to implement the Council Of Europe Cybercrime Convention. It is likely that any changes to the CMA will be included in legislation that the government brings in to implement this convention.

ZDNet UK's Matt Loney contributed to this report.
