MPs: Firms should take fight to cybercriminals

MPs want it to be easier for companies to bring legal action if they suffer a hacking or denial-of-service attack

UK companies should get more support when bringing private prosecutions against suspected cybercriminals, according to the All Party Internet Group (APIG).

In a long-awaited report published on Wednesday, APIG said that Britain's Computer Misuse Act needs updating in several ways. One key recommendation is that the Director of Public Prosecutions (DPP) should set out a "permissive policy for private prosecutions under the CMA".

"This would allow private companies to tackle cases that the police and Crown Prosecution Service (CPS) do not presently consider as priority matters," said APIG.

Companies and individuals already have the right to bring private prosecutions, but APIG claims that businesses won't launch a prosecution in case the DPP should exercise his powers to take over the case, and then drop it.

"It was suggested to us that there are a number of companies who would wish to explore the bringing of private prosecutions for CMA offences. The implication was that the police or prosecutors had not prioritised their cases and they wished to ensure that criminals did not escape justice through lack of resources," said APIG.

"However, these companies were currently reluctant to proceed with private prosecutions because of significant doubts as to whether the DPP would permit them to proceed."

During an evidence session last month, APIG heard that some suspected cybercrime cases are not taken to court because they are seen as "too risky", but that the companies involved might be more interested in pursuing them than the authorities are.

"I suspect that occasionally a corporation, hacked and embarrassed on the front page of the Metro, may have slightly more interest in pursuing the hacker to the end of the earth than the National Hi-Tech Crime Unit or the CPS, because they are, as we have heard, resource restrained and they have got other things to look at as well," Clive Gringras, partner and head of the e-commerce group at Olswang solicitors, told APIG.

Suspected cybercrimes could be handled by the police initially but then handed on to the company involved.

"My understanding is that there will be cases that are brought to the attention of the National Hi-Tech Crime Unit and the CPS, but they just look a bit risky," said Gringras.

"I suspect that corporations might say, 'No, we will have a go. We are prepared to take more of a risk in losing than perhaps the CPS might take,'" explained Gringras.

The CPS, though, does not accept that there is a problem that needs to be solved.

A spokeswoman for the CPS told ZDNet UK that suspected cybercrimes were treated in just the same way as any other possible offence.

"The CPS does not make decisions to prosecute or not on a cost basis. The criteria we apply is whether there is sufficient evidence for a realistic prospect of conviction and whether it is in the public interest," said the CPS spokeswoman.

Other key recommendations to government from APIG include raising the maximum sentence for hacking from six months to two years, and adding a specific offence of launching a denial-of-service attack to the Act.

The government is already reviewing the CMA, and is expected to bring forward amendments later this year.