What is the Computer Misuse Act?
If your computer systems are attacked, is the law effective enough to put those criminals behind bars?
The Computer Misuse Act 1990 is a piece of legislation that deals specifically with the crime of accessing or modifying data stored on a computer system without being authorised to do so.
The law was introduced following the 1987 case of Regina v Gold and Schifreen, which saw two hackers, Robert Schifreen and Stephen Gold, remotely access BT's Prestel service using credentials gleaned from a BT engineer at a trade show via a technique known as shoulder surfing. Once inside Prestel, the pair rooted around and were eventually able to find their way to the email account of the Duke of Edinburgh, Prince Philip.
BT had noticed the odd behaviour on the account they were using, however, and began monitoring it, passing what it found to the police, which led to their arrest.
They were charged and convicted under the Forgery and Counterfeiting Act 1981, but their conviction was overturned on appeal when they were able to successfully demonstrate they hadn't attempted to profit from their antics.
The outcome of this case made it plain that in just a few years, the tech and communications landscape had changed so dramatically that a new law was required to deal with its consequences.
In the decades since the act was created, it has been updated multiple times to reflect changes in computing, most recently in 2015.
Computer Misuse Act penalties
There are three levels of penalty if you are prosecuted under the Computer Misuse Act and they are applied according to the crime and severity of the act.
The lowest level of penalty is applied if you are found guilty of gaining access to a computer without permission (officially known as "unauthorised access to a computer"). This crime holds a penalty of up to two years in prison and a £5,000 fine.
If you gain access to a computer without permission in order to steal data or take part in another crime, such as using that data to commit fraud, you will receive a sentence of up to 10 years in prison and can receive an unlimited fine, depending on the severity of the crime and damage caused, although it can be difficult to prove intent in this case.
If you modify the content of a computer or provide the tools so others can do so (for example, if you distribute malware with the intent to destroy or change the contents of a computer), you can receive a prison sentence of up to ten years alongside an unlimited fine.
If this potential damage extends to causing harm to human welfare or puts national security at risk, the sentence could be up to life imprisonment.
Computer Misuse Act expansion and controversy
The idea of a Computer Misuse Act was first proposed at a time when computers were a rarity in public life. Under its initial iteration, what was considered a malicious act was quite narrowly defined, largely because the ways in which you could cause harm were also fairly limited.
However, the rise of the digital age over the past 20 years has meant the act has been reshaped to respond to a growing variety of threats and potential avenues for harm. That includes not only the various attack methods that criminals can now deploy but also the act of preparing for an attack, which is now considered malicious.
For example, section 37 of the Police and Justice Act of 2006 is one of a number of provisions to be inserted into the Computer Misuse Act over the years. This particular section, known as 3A, stipulates that making, supplying or obtaining any articles for use in a malicious act using a computer is classified as criminal activity.
That means that ownership of any hacking tools or exploit kits could be considered illegal under the act, even if they are used by legitimate white hat hackers to support organisations, although it's likely a judge would take into account how the tools were being used.
In 2015, the Computer Misuse Act was amended again, thanks to the newly minted Serious Crime Act. Part 2 of the new act focused specifically on computer misuse and introduced three changes to the 1990 law in the form of Section 3ZA. Specifically, the amendments created a new offence of unauthorised acts causing serious damage, brought the EU Directive on Attacks against Information Systems into law in the UK, and clarified the "savings" provision that protects law enforcement from prosecution if they broke into or modified a computer in the course of a criminal investigation.
In a fact sheet, the government stated that the new offence of unauthorised acts causing serious damage "addresses the most serious cyber attacks, for example those on essential systems controlling power supply, communications, food or fuel distribution". This is the kind of attack that might more colloquially fall under the heading of cyber warfare or cyber terrorism.
The rationale given for the inclusion of this provision is that the most serious crime previously covered by the act was a section 3 offence (unauthorised access to impair the operation of a computer), which carried a maximum penalty of 10 years. This, the government said, "did not sufficiently reflect the level of personal and economic harm that a major cyber attack on critical systems could cause".
The changes made in regard to the EU Directive on Attacks against Information Systems were primarily focused on extending extraterritorial jurisdiction, making it easier to prosecute a cyber criminal using the UK as a base, even if they weren't physically located here, and also allowing the police and Crown Prosecution Service to pursue and prosecute UK residents for cyber crimes committed abroad.
The final provision was far more controversial. In the words of the government, the changes were made "to remove any ambiguity for the lawful use of powers to investigate crime (for example under Part 3 of the Police Act 1997) and the interaction of those powers with the offences in the 1990 Act".
"The changes do not extend law enforcement agencies' powers but merely clarify the use of existing powers (derived from other enactments, wherever exercised) in the context of the offences in the 1990 Act," it added.
However, civil rights groups, including Privacy International, have contended that the changes are too broad, as they give complete exemption under the law to police and spy agencies such as GCHQ. A case in the European Court of Human Rights brought by Privacy International and five other applicants against the UK is ongoing.
How effective is the Computer Misuse Act?
Although the Computer Misuse Act aims to crack down on the number of computer-related crimes, authorities have found it difficult to bring a case against those charged.
The number of individuals prosecuted under the terms of the Computer Misuse Act fell by 18% between 2016 and 2017, down from 57 convictions to 47 in 12 months. However, law firm RPC said the threat of cybercrimes is actually growing and estimated there were 1.7 million cyber-related crimes in the same period.
This is because although the law exists to prosecute individuals committing such crimes, police resources have become too stretched to effectively investigate each case.
"Police forces are doing their best with the resources they have but the scale of the problem means businesses cannot necessarily rely on the police to really help them when there is a cybercrime," said Richard Breavington, partner at RPC.
"There will have to be some radical changes before businesses can start depending on the law enforcement agencies rather than private industry, including insurance, to help them if they have suffered from a cybercrime."