U.K. government must update cybercrime laws, say experts

The government has been accused of sitting on its hands rather than making the Computer Misuse Act relevant.

The government "no longer has an excuse" to delay updating the Computer Misuse Act to include denial of service attacks in the light of last week's e-mail bomber trial, according to legal experts.

A judge at Wimbledon Magistrates Court dismissed a charge brought a teenager who allegedly sent five million emails to his ex-employer, crashing its server. The judge ruled that denial-of-service (DoS) attacks are not illegal under the CMA.

The Home Office has repeatedly indicated in the past that the government is aware that the Computer Misuse Act needs to be strengthened, but nothing has yet been done.

Derek Wyatt, MP and chairman of the All Party Parliamentary Internet Group, chastized the government for failing to strengthen the CMA.

"It's time they found a way of including the small changes necessary in a Home Office bill or helped with a Private Members bill," said Wyatt.

The Home Office indicated it was aware the CMA was inadequate at present.

"The government is aware of the issue," a Home Office spokesperson told ZDNet UK last week.

The government is looking at "strengthening the CMA, including increasing the maximum penalties [for cybercrime] and clarifying that all means of interference with a computer system are criminalised," the Home Office spokesperson added.

The Home Office made a similar statement to ZDNET UK back in 2002.

"It is no longer an excuse just to say they are aware of the issue," Wyatt said.

The law has not yet been updated because there has not been a suitable legislative vehicle, the Home Office said.

Government must "close the loophole"
Experts agree that the outcome of this trial highlights inadequacies in CMA.

"The ruling confirms what many people have long suspected: that DoS attacks are not caught by the CMA," said Struan Robertson, senior associate at solicitors firm Pinsent Masons and editor of Out-Law.com.

"It's necessary to amend the existing CMA to make it an offence to deliberately impair the function of another computer. Although the act is robust and has withstood the test of time, DoS is one problem that has been identified as falling through the cracks," said Robertson.

Robertson called for government action to close the loophole, as previous attempts to legislation through private members bills have failed.

"There have been attempts to update the CMA--three Private Members' bills have been introduced. The first two failed; the third is scheduled for a second reading in December. But Private Members' Bills rarely succeed so Government action is necessary to close this apparent loophole," Robertson said.

Another expert called for the government to make good on its pledge.

"We need the government to come forward with its promise to introduce new legislation." said Peter Sommer, a former parliamentary specialist advisor and senior research fellow at the London School of Economics' Information Systems department.

Sommer said that lack of parliamentary time had been a major factor. Updating the CMA may also not be a priority.

"Traditionally the government recognises the need to change the Act, but don't give it parliamentary time. The Home Office may think terrorism is more important than the APIG report," said Sommer.

Sommer said the government could easily amend existing legislation by adding a clause covering DoS attacks to a Home Office bill.

"If a piece of legislation had a clause which dealt specifically with interference with computer systems, it would cover a wider set of circumstances. This doesn't need a specific Bill--it would be possible to add a clause to a general-purpose Criminal Justice Bill," Sommer said.

"In technical parliamentary terms this need not make huge demands on parliamentary time, and wouldn't be particularly controversial--I doubt whether many people would argue that DoS attacks are a good thing," Sommer added. "It's just a question of willpower at the Home Office," said Sommer.

The defence solicitor at this week's e-mail bomber trial believes his client should not have been charged under the CMA.

"In my opinion, and borrowing words from the House of Lords in a previous case, this case was a "procrustean attempt to force the facts... into the language of an Act not designed to fit them," said Jim Meyer, solicitor acting for the defence and partner at Tuckers Solicitors.

Meyer said that had the case gone against the defendant, certain forms of email would have been outlawed.

"An adverse ruling would have led to uncertainty, and in some circumstances outlawing of unsolicited and/or multiple e-mail. It would have also meant that anyone sending an e-mail in anything else but their own name may have been liable to prosecution. [The outcome of Wednesday's trial] was a good example of sound judicial reasoning and sensible judgement," Meyer said.

Robertson also underlined the need for caution in amending the act, so as not to criminalize mistakes when sending e-mails.

"Obviously the amendment would have to be balanced so that if I send you a 10MB attachment by mistake and make someone's e-mail server fall over, it wouldn't be a criminal act. Legislation would have to focus on intent," said Robertson.

"Meantime, it is possible that 'plain vanilla' DoS attacks could be prosecuted in England and Wales as an offence under the Criminal Damage Act, although this has never been tested. In Scotland, such an attack could possibly be prosecuted as malicious mischief," Robertson added.