At various times over the last few years, we’ve posted comments on different aspects of UK computer crime legislation, and the policing of cybercrime, on our weblog (4 November 2005; 12 May 2006; 26 January 2006; 28 July 2006; 15 September 2006). This article is designed to provide an overview of UK computer crime legislation.
It’s more than 20 years since the first PC viruses appeared. Since then, the nature of the threat has altered markedly, in response to changes in technology, the spread of computers into more and more areas of society and their use by ever-increasing numbers of people. In any field of human activity, one generation stands squarely on the shoulders of those who went before, learning from what has been done before, re-applying techniques which have proved successful and also trying to break new ground. This also applies to those who create malicious code and successive generations of malware authors have re-defined the threat landscape.
Until a few years ago, viruses and other malicious programs were used to conduct isolated acts of computer vandalism, anti-social self-expression using hi-tech means. Most viruses confined themselves to infecting other disks or programs. And ‘damage’ was largely defined in terms of loss of data as a virus erased or (less often) corrupted data stored on affected disks.
This has changed. Today cybercrime is a major concern, with malware being designed to make money illegally. The evolution of the World Wide Web has been one of the key factors driving this change. Businesses and individuals now rely heavily on the Internet; and the number of web-based financial transactions continues to rise. The criminal underground has realized the huge opportunities for making money from malicious code and many of today’s threats are either written to order or developed expressly for sale to other criminals.
Crime is an inherent part of modern society and touches almost every aspect of life. It’s hardly surprising, therefore, that the use of computer technology is mirrored by abuse: they have developed in parallel. Moreover, as more and more areas of our lives become dependent on computers, there is more scope for criminals to use technology.
In response to any type of crime, society always attempts to find ways to prevent the crime and punish the perpetrators. In the first instance, this means creating legislation which makes specific activities illegal.
Computer crimes fall into two main categories. First, there are traditional crimes, where the use of a computer is not intrinsic to the crime itself, but is simply a tool used to commit an offence. This could include blackmail, for example, if an email message is sent to a victim rather than a letter. Second, there are computer-specific crimes.
The case of the Aids Information Trojan illustrates this point. In late 1989 this Trojan was distributed via floppy disk by a company calling itself ‘PC Cyborg’. The Trojan encrypted the contents of the victim’s hard disk after 90 re-boots, leaving just a README file containing a bill and a PO Box address in Panama to which payment was to be sent. Dr Joseph Popp, the alleged author of the Trojan, was later extradited to the UK to stand trial on charges of blackmail and damaging computer systems (he was ultimately deemed unfit to stand trial following his behaviour in court and was released).
The first piece of UK legislation designed to specifically address computer misuse was the Computer Misuse Act 1990. The act was a response to growing concern that existing legislation was inadequate for dealing with hackers. The issue was thrown into sharp relief by the failure to convict Stephen Gold and Robert Schifreen who gained unauthorized access to BT’s Prestel service in 1984 and were charged under the Forgery and Counterfeiting Act 1981. However, they were acquitted by the Court of Appeal and the acquittal decision was later upheld by the House of Lords.
The Computer Misuse Act 1990, ‘an Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes’, set out three computer misuse offences.
The maximum prison sentences specified by the act for each offence were six months, five years and five years respectively (Amendments to the Computer Misuse Act, introduced in the Police and Justice Act 2006, are discussed below).
The first prosecution of an individual for distributing a computer virus came in 1995. Christopher Pile, aka ‘the Black Baron’ pleaded guilty to eleven charges under sections 2 and 3 of the Computer Misuse Act and received an 18 month prison sentence. Pile created the viruses Pathogen and Queeg. Both pieces of malware implemented his SMEG (Simulated Metamorphic Encryption Generator) polymorphic engine, making them hard to detect, and both were designed to trash substantial portions of a victim’s hard drive. He planted the viruses on bulletin boards disguised as games and, in one case, as an anti-virus program. It was estimated that the viruses caused damage amounting to £1 million (The Independent, 16 November 1995).
Another significant conviction under the act was that of Simon Vallor. He pleaded guilty to creating and distributing the mass-mailing worms Gokar, Redesi and Admirer, offences covered by section 3 of the Computer Misuse Act. In January 2003 he received a two year prison sentence. It was estimated that his worms spread to 27,000 computers in 42 countries (The Register, 21 January 2003).
Practically everyone with an email account is forced to deal with spam. However, the problem of spam isn’t limited to nuisance value, wasted bandwidth or inappropriate content. Spam is also used to deliver malicious code; spam messages are often a springboard for ‘drive-by downloads’ as they can contain links to web sites which cybercriminals have infected with malicious code. Spam is also the primary mechanism used by phishers to direct their victims to fake web sites from which confidential data is then harvested.
To try and address the problem of spam, the Department for Trade and Industry introduced the (Privacy and Electronic Regulations (EC Directive) 2003). These regulations, the UK implementation of EU directive 2002/58/EC (each member state of the EU is left to implement this directive for themselves), are enforced by the Information Commissioner’s Office, the UK's independent authority set up to promote access to official information and to protect personal information (Guidelines relating to the regulations can be found on the web site of the Information Commissioner’s Office).
According to the regulations, companies must get an individual’s permission before sending email or SMS messages (the law applies also to telephone calls and faxes). On the subject of email, the law states that ‘a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.’
However, there are significant limitations. In the first place, the regulations only apply to messages sent to individuals’ email addresses, not business addresses. The penalties are also limited, when compared to penalties for offences covered by the Computer Misuse Act. Breaches of the regulations must be reported to the Information Commissioner’s Office, which is responsible for deciding whether or not to take the offending organization to court. The offending organization may be fined up to £5,000 in a magistrates’ court, or up to an unlimited amount if the case is referred to trial by jury.
There is also a more serious limitation. The legislation only applies to senders within the UK. Most spam originates from beyond the UK (Russia and the United States are currently the top sources of spam) (Source: Kaspersky Security Bulletin: Spam Evolution 2008), so UK legislation will have little, if any impact, on spammers. This highlights a key problem with all measures designed to deal with cybercriminals: geo-political restrictions on legislation and law enforcement bodies mean they are unable to operate across boundaries and legal jurisdictions, in contrast to cybercriminals.
As mentioned in the introduction, the nature of the threat which malware poses to businesses and individuals has changed dramatically since PC viruses first appeared in 1986. There has been massive technological change, and technology has come to infiltrate almost every area of our lives. The evolution of online markets has led to a change in the motivation of malware authors and the emergence of a ‘dark economy’ where malicious programs and personal data are bought and sold for profit
In spite of the fact that laws are framed in general terms in order to cover as many current and future offences possible, legislation tends to lag behind due to the speed at which technologies evolve. Legislation developed to deal with cyber vandals intent on installing viruses or breaking into computer systems is not necessarily appropriate when dealing with today’s more sophisticated malware designed to steal data, send spam or bring down systems.
In November 2004, a magistrate ruled that a teenager accused of bringing down a server by sending millions of emails had not breached the Computer Misuse Act, since the activity had not involved making unauthorised changes to a computer as defined in the Act (viruslist.com, 4 November 2005). Although the Court of Appeal later overturned this ruling (viruslist.com, 12 May 2006), this case brought additional support for those questioning the effectiveness of a law that had been created in an era dominated by now outmoded technologies such as DOS, floppy disks and bulletin boards.
The Earl of Northesk, a member of the All-Party Parliamentary Internet Group, tabled a Private Members’ Bill in 2002 to amend the Computer Misuse Act; in particular, it sought to clarify the law on DoS (Denial-of-Service) attacks. This attempt failed, but it added further weight to the calls for an update to existing legislation.
The Police and Justice Act 2006 [PDF 748Кb] (which covers broader issues than computer crime alone) included amendments to the Computer Misuse Act. The maximum prison sentence under section 1 of the original Act was increased from six months to two years. Section 3 of the Act (‘unauthorised modification of computer material’) was amended to read ‘unauthorised acts with intent to impair or with recklessness as to impairing, operation of computer, etc.’ and carries a maximum sentence of ten years.
The Act also added another section, ‘Making, supplying or obtaining articles for use in computer misuse offences’, carrying a maximum sentence of two years. This section states:
This section has drawn a lot of criticism. It is clearly intended to make use of hacking tools illegal. However, it could equally be applied to the use of legitimate tools that could be misused to conduct hacking, or ‘riskware’ programs that could be used either legitimately or for illegal activities. There are many people, including some in the All-Party Parliamentary Internet Group, who hope that this section of the Act will be amended.
As mentioned earlier, one of the most serious limitations of computer crime legislation is the fact that it is limited in its ability to tackle the global phenomenon of cybercrime. The European Convention on Cybercrime, designed to provide a common international framework for dealing with cybercrime, was adopted by the EU Committee of Ministers of the Council of Europe in November 2001.
The treaty is wide-ranging and covers all aspects of cybercrime, including illegal access, illegal interception of data, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to infringements of copyright and related rights. The treaty is also designed to provide a common law enforcement framework for dealing with cybercriminals and to foster the sharing of information among all signatories.
So far, 46 countries have signed the treaty (Convention on Cybercrime CETS No. 185, status as of : 26/3/2009). However, so far only 24 countries have actually ratified it. There are also some notable absentees among the signatories, including China, several Latin American countries and Russia all of which rank as the biggest sources of malicious code. The UK has not yet ratified the treaty, but it is expected to do so in 2009 Hansard [House of Commons debates], 27 January 2009).
Debate on the measures necessary to tackle cybercrime was further fuelled by the publication of the House of Lords Science and Technology Committee report on Personal Internet Safety [PDF 2,78Мb] in August 2007. This report criticized the UK government for placing the main responsibility for Internet security on individuals: a view, they insisted, that ‘compounds the perception that the Internet is a lawless “wild west”’. They described the Internet as ‘the playground for criminals’ and suggested that ‘many organizations with a stake in the Internet could do more to promote personal Internet security’, including hardware and software vendors, ISPs, online businesses, banks, police and government.
The committee suggested that all parties should take responsibility for Internet security. Companies should be obliged to notify anyone affected by a data breach (for example, if one of the company’s servers is hacked). ISPs should take action to deal with compromised machines used to connect to the Internet via the ISP. Software vendors should be held liable for security loopholes in their software; and the government should develop a kite-mark system for applications and online content. Banks should, the committee argued, be liable for losses incurred due to online fraud. The committee also urged the government to follow through on its commitment to ratify the European Convention on Cybercrime.
The government’s response [PDF 89,7Кb], published in October 2007 rejected many of the committee’s recommendations. As a result, the House of Lords Science and Technology Committee published a follow-up report [PDF 713Кb] in July 2008. This reiterated many of the previous recommendations, but did note the ‘slightly more positive view of how the Committee’s recommendations were to be taken forward’ by government ministers and the acknowledgement that ‘the Committee’s report “helped to drive the agenda forward”’.
It’s clear that the existence of legislation which addresses specific types of criminal activity is not, in itself, sufficient to tackle the problem of cybercrime. It’s also essential to ensure that the police understand the problem and have the resources to deal with it. Unfortunately, in the years following the introduction of the Computer Misuse Act, few UK police authorities outside the Metropolitan Police area had the knowledge and expertise to deal with computer crime; and it was only when it became clear that cybercrime was an issue that wasn’t going to go away that resources were put into creating a dedicated agency to address the problem
In April 2001, the government established the National Hi-Tech Crime Unit. Designed to provide a co-ordinated response to cybercrime, it worked closely with specialists from a range of agencies, including the National Crime Squad, HM Revenue and Customs and the National Criminal Intelligence Service.
The NHTCU had some notable successes. These included the arrest of Russian hackers responsible for threatening online bookmakers with Distributed-Denial-of-Service (DDoS) attacks (The Register, 21 July 2004) in a joint operation with Russian law enforcement agencies; and the arrest of those responsible for trying to steal money from the London branch of the Japanese Sumitomo Mitsui bank in October 2004 (The Register, 19 March 2009).
In April 2006 the NHTCU’s responsibilities were taken over by the Serious Organised Crime Agency (SOCA). This resulted in growing concern that there would be fewer resources dedicated to tackling cybercrime as this would only be a small part of SOCA’s remit (SOCA aims).
In April 2007, the rules on reporting bank fraud were changed. Following the introduction of the Fraud Act 2006, banks and financial institutions were made the first point of contact for reporting card, cheque and online banking fraud. The stated aim of this change was to reduce bureaucracy, but some expressed concern that fraud may be under-reported.
In response to these concerns, changes are underway that will, it is hoped, result in a greater focus on cybercrime. The first is the creation in 2009 of the Police Central ecrime Unit (PCeU). This body is not designed to replace SOCA or other police agencies, but to co-ordinate the response to cybercrime and to provide ‘a national investigative capability for the most serious e-crime incidents’ (PCeU mission statement). Second is the introduction, also planned for late in 2009 (Hansard [House of Commons debates], 26 February 2009), of the National Fraud Reporting Centre, to provide the public and small businesses with a way to report non-urgent fraud, online or by telephone.
Of course, even where there’s a well-developed legal framework and dedicated law enforcement agencies designed to tackle cybercrime, criminals can only be arrested and prosecuted if there is sufficient evidence to bring a case. This is not always straightforward. Unfortunately, not everyone wants to admit they have fallen victim to cybercriminal activity. This is especially true of businesses as such an admission could damage the company’s reputation.
In July 2006, we commented (viruslist.com, 28 July 2006 on a green paper (a consultation document on proposed legislation) published by the Home Office, New Powers Against Organised and Financial Crime [PDF 1Мb]. In this paper the government proposed to fill ‘a gap in the criminal law for catching those involved at the edges of organised crime’ using the civil courts, including the use of Organised Crime Prevention Orders:
The courts would be able to impose an order if they believe on the balance of probability that the subject
Failure to observe the terms of the order would be a criminal offence.
The proposals took final shape in the (Serious Crime Act 2007 [PDF 607Кб]), designed to provide ‘the best possible tools for our law enforcement agencies to ensure they stay one step ahead of those who commit serious crime’ and to ‘strengthen their ability to crack down on criminals and disrupt their operations.’ (Home Office press release, 30 October 2009)
On the face of it, the Serious Crime Act can only been seen as a good thing, providing the police with powers ‘to detect, disrupt and prevent serious crime’ (Home Office press release, 30 October 2009). However, some people have raised concerns about the implications for civil liberties, not least because the burden of proof required in a civil court is lower than that required in a criminal court and there is consequently more scope for potential miscarriages of justice.
This debate was brought into sharper relief earlier this year following reports in the press that the police had the power to hack into the computers of suspects without a warrant (The Sunday Times, 4 January 2009; The Independent, 5 January 2009).The UK is not alone in grappling with the problem of balancing personal freedom with security, as the debate surrounding the so-called ‘BundesTrojan’ In Germany shows (viruslist.com, 27 February 2008), but so far, no resolution to this dilemma has been made public.
It’s clear that cybercrime is not going to disappear. This shouldn’t surprise us. While cybercrime is an unwanted side effect of the Internet age, it’s also part of a broader crime landscape. If there’s a use for something, someone will always find a way to abuse it, and this includes computer technology and the connectivity provided by the Internet. Crime can never be eliminated, so tackling cybercrime is less about ‘winning the war’ than about mitigating the risks associated with using the Internet.
To manage the risk, the global society clearly needs a legal framework, together with appropriate and effective law enforcement agencies. There’s little question that law enforcement agencies have developed increasing expertise in dealing with hi-tech crime during the last decade, including joint policing operations across national borders. This must be further developed if we are to deal effectively with cybercrime. In particular, the extension of international legislation beyond developed countries, and the development of a ‘cyber-Interpol’ to pursue criminals across geo-political borders would contribute greatly to the fight against cybercrime.
Law enforcement, however, is only part of the solution. We also need to ensure that individuals and businesses understand the risks and have the knowledge and tools to minimise their exposure to cybercrime. This is particularly important for individuals who are often technically inexperienced and have little understanding of the potential problems associated with online shopping, Internet banking and social networking. This problem is exacerbated by the growing number of people accessing the Internet for the first time. Society must find imaginative and varied ways of raising public awareness about cybercrime and about methods which can be used to mitigate the risks.
The ‘information super-highway’ is no different to any other public road. We need well-designed roads, safe cars, clear signs and competent drivers. In other words, we need a blend of appropriate legislation, effective policing and public awareness.
This paper has been prepared by Kaspersky Lab for information purposes only and is not, nor is it intended to be, legal advice. This information is not intended to constitute, and receipt of it does not constitute, a contract for legal advice or the establishment of a solicitor-client relationship.