The Computer Misuse Act – a new era
Jun 9, 2015
Information security professionals everywhere will be interested to hear that from the 3rd May 2015, the amended Computer Misuse Act 1990 (“the Act”), came into effect as a result of the changes made by sections 41 – 44 of the Serious Crime Act 2015.
This means that offenders may be subject to harsher penalties for carrying out cyber acts intended to cause ‘serious harm’. The amendments are an attempt by the Government to provide more strength to fight cyber-crime.
One of the key updates is the creation of a new offence of committing “unauthorised acts causing, or creating risk of, serious damage” in relation to a computer.
The provisions defining ‘serious damage’ … ‘of a material kind’ are drafted widely and include ‘damage to human welfare, the economy of a country, the national security of a country and the environment’.
The definition of “human welfare” includes ‘loss or injury to human life’ as well as ‘disruption to communication, power, food distribution and transport systems as well as health services’. Previously the cybercrime legislation was perceived to be fairly weak in countering major cyber-attacks with the potential to cause serious loss of life or disruption to the country’s economic and civilian systems.
A person who is now found guilty of the new offence is liable to: (i) a prison sentence of up to 14 years (or life imprisonment in certain serious circumstances) (ii) a fine; or (iii) both a sentence and a fine. The offender must only have a ‘significant link’ to the UK in order to be caught by the legislation.
The purpose behind the changes to the jurisdictional elements of the Act is clearly to cover acts committed by UK nationals abroad, provided the relevant act constituted an offence under the law of the country in which it occurred. Previously the maximum punishment for serious computer misuse offences was 10 years imprisonment but in practice punishments with these sorts of terms were few.
It will be interesting to see how the police use these new powers to intervene against a suspect before a cyber-attack occurs and also whether the jurisdictional additions of the Act will result in the extradition of British citizens. It will also be interesting to see whether the courts feel the pressure to issue lengthier sentences with these changes.
The aim of the Act is to reduce the threat and impact of cybercrime by ensuring UK legislation is up to date with the fast evolving methods used by cybercriminals.
An unintended consequence of these changes may be that provisions devised to extradite individuals committing acts of cyber terrorism or aggression abroad, could equally be used to target certain countries more than others.
These changes show that government both in the UK and abroad are taking the threat of cyberwar far more seriously now than before. There is an acceptance by government that most people these days are online, but we should ask ourselves if these changes are a reactive response to an area that is becoming more complex with new hacking tools being created daily and that are being made opensource without a second’s thought.
There are a variety of methods that we should use to counter cybercrime – education, training, legislation, technical countermeasures and many more. These should be used in conjunction with one another to reduce the threat of cyber attacks rather than be used in silos. Once this is done, we will be in a stronger position not to eliminate altogether the arrival of cyber attacks but certainly to control them.
From a practical and legal point of view, cyber security companies that send their consultants to provide cyber security advice to their clients should always ensure that they obtain their clients’ prior express consent before carrying out any services that may be deemed to be in contravention of the Act.
If you have any questions on this area, please contact Punam Tiwari.