Stronger criminal penalties for serious cyber-attacks in the UK?

Mel Shefford

With the awareness that future cyber-attacks could have very serious consequences, the Government has proposed amendments to the Computer Misuse Act 1990. In this post we look at the current offences under the Act as well as recent amendments proposed by the Serious Crime Bill.

In August 2013, the outgoing US Secretary of Homeland Security Janet Napolitano gave a farewell speech in which she warned: “Our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.”

Her message vocalised what governments, businesses and organisations around the world are well aware of: as we become increasingly reliant on technology, and as systems become even more interconnected and complex, the risk of a serious cyber-attack increases. And whilst we currently associate cyber-attacks with access to personal data and damage to commercial interests, in the future the impact could be even more serious. For example, future attacks could result in major damage to the economy, national security, the environment and/or human welfare.

With this in mind, the British Government has been ramping up efforts over the past few years to tackle cyber-crime. For example, in 2011 it launched the National Cyber Security Strategy; in 2013 the National Cyber Crime Unit started operations; and £860 million has been committed until 2016 to boost the UK’s cyber capabilities. More recently, BIS announced the Cyber Essentials scheme to help businesses protect themselves against cyber-attacks.

Most Datonomy readers will be well aware of how important it is for organisations to be proactive about preventing data breaches, and how devastating the consequences can be if a breach does occur. But what are the consequences for hackers who are caught?

Offences under the Computer Misuse Act 1990

In the UK, the hacker might be guilty of one or more of the following offences under the Computer Misuse Act 1990:

  • Obtaining unauthorised access to computer material (for example, using another person’s ID and password to log onto a computer and access data). The maximum penalty is a 2 year prison sentence and/or an uncapped fine (Section 1).
  • Obtaining such access in order to commit or facilitate the commission of another offence, such as theft of funds or data. The maximum penalty here is a 5 year prison sentence and/or an uncapped fine (Section 2).
  • Obtaining such access in order to intentionally or recklessly impair the operation of any computer, a program or the reliability of data held on a computer; prevent or hinder access to any program or such data; or enable such impairment, prevention or hindrance. This offence carries a maximum penalty of 10 years in prison and/or an uncapped fine (Section 3).
  • Making, supplying or obtaining articles for use in any of the above offences. This carries a maximum 2 year prison sentence and/or an uncapped fine (Section 3A).

The Serious Crime Bill

In June, the Queen announced the Serious Crime Bill which (among other aims) seeks to amend the Computer Misuse Act so that serious cyber-attacks are properly punished. In particular, there is a concern that the current custodial penalties – which have been described as “woefully inadequate” by a member of the House of Lords – are not sufficient for serious cyber-attacks. The two main changes proposed by the Bill are as follows:

(1) The creation of a new offence to cover serious cyber-attacks

This new offence would be committed where a person knowingly, and intentionally or recklessly, commits any unauthorised act in relation to a computer which causes or creates a significant risk of serious damage to human welfare, the economy, the environment or national security in any country.

An act causing damage to “human welfare” would be something causing loss to human life; human illness or injury; disruption of a supply of money, food, water, energy or fuel; disruption of a system of communication; disruption of facilities for transport; or disruption of facilities relating to health.

Commission of this offence would be punishable by up to 14 years’ imprisonment and/or a fine, except where the act causes loss to human life, human illness or injury, or serious damage to national security, in which case the penalty is life imprisonment and/or a fine.

The Home Office has acknowledged that no cyber-attack has occurred to date which would engage this new offence. However, the idea is to ensure that there are substantive penalties if a serious attack were to occur in the future. Indeed, the Home Office anticipates – and no doubt hopes – that the number of prosecutions for this offence will be minimal.

(2) Implementation of the EU Directive on Attacks Against Information Systems (2013/40/EU)

This Directive is designed to ensure that the EU has minimum rules on cyber offences and sanctions, and to ensure co-operation between EU member states in relation to cyber-attacks. The UK is already compliant with the Directive, except for the following two aspects:

  • Tools for the commission of an offence

The existing Section 3A offence of making, supplying or obtaining articles for use in another offence under the Act requires the prosecution to prove that the defendant obtained the tool with a view to it being supplied for use to commit or assist in the commission of the other offence. The Bill seeks to amend this offence so that it covers circumstances where an individual obtained a tool with the intention to use it themselves to commit or assist in the commission of a separate offence. Given the increasing ease with which individuals can now obtain malware, the Home Office hopes that this amendment will be instrumental in helping to avoid cyber-attacks in the first place.

  • Extension of the extra-territorial jurisdiction of the Act

The Directive requires EU member states to establish their jurisdiction over cyber offences which are committed by their nationals. The Act currently requires the prosecution to demonstrate a “significant link” to the UK for the Section 1 and Section 3 offences, essentially being that the defendant or the computer was in the UK at the time of the offence. To conform to the Directive, the Bill extends the list of possible significant links to the UK to include the defendant’s nationality. This would mean that a UK national could be prosecuted for an offence where the only link to the UK is his/her nationality, provided that the offence is also an offence in the jurisdiction where it took place.

The legislative timetable and process

The Bill started in the House of Lords, and at the time of writing, the House of Lords report stage – where the Bill will be examined in more detail and the Lords will vote on proposed amendments – is scheduled to commence on 14 October. After a third reading at the House of Lords, it will then be considered by the House of Commons. The EU implementation aspects will need to be in force on or before 4 September 2015 in order to meet the EU transposition deadline, but the rest of the Bill will no doubt be subject to more scrutiny.
