The authorities have been warning about the risk of cybercrime in the current pandemic. Syedur Rahman of business crime solicitors Rahman Ravelli considers the strengths and weaknesses of the Computer Misuse Act, under which cybercrime prosecutions are brought.
The UK government has stated its intention to combat those who look to the Covid-19 pandemic as an opportunity for cybercrime. The UK’s National Cyber Security Centre [NCSC] and the US’ Cybersecurity and Infrastructure Security Agency have published a joint warning about groups looking to target organisations involved in the response to coronavirus.
If prosecutions for such activity are brought in the UK, they will be brought under the Computer Misuse Act 1990 (CMA).
As the CMA does not provide a definition of a computer, this has been left to the courts. In DPP v McKeown, DPP v Jones, Lord Hoffmann defined a computer as "a device for storing, processing and retrieving information."
It is worth stating here that the Council of Europe Cybercrime Convention 2001 defined a computer system as any device or a group of interconnected or related devices, one or more of which, pursuant to a programme, performs automatic processing of data. The Convention defined computer data as any representation of facts, information or concepts in a form suitable for processing in a computer system, including a programme suitable to cause a computer system to perform a function. The Data Protection Act 2018 classes any information relating to an identified or identifiable living individual as personal data.
The CMA details a range of offences.
Section 1, Unauthorised access to computer material: This offence, which carries a maximum of two years’ imprisonment, is carried out when an individual has caused a computer (which could even be their own) to perform a function with intent to secure access. Physical contact with a computer and the scrutiny of data without any interaction with the computer are not offences under Section 1. There must be knowledge that the intended access was unauthorised – recklessness is not enough – and an intention to secure access to any programme or data held on the computer. Section 1(2) makes it clear that the intent of the accused does not have to be aimed at a particular programme or data. This section does not only relate to hackers, as it also covers employees who deliberately exceed their authority and access areas of a computer system to which they are formally denied access.
Section 2, Unauthorised access with intent to commit or facilitate commission of further offences: This offence, which carries a maximum penalty on indictment of five years’ imprisonment, involves committing the unauthorised access offence under Section 1 with intent to commit or facilitate the commission of a more serious 'further' offence. It does not have to be proved that the further offence intended was committed. Such further offences could be theft by diverting electronic funds or gaining sensitive information for use in blackmail. Anyone cleared of the Section 2 offence could be convicted of the Section 1 offence.
Section 3, Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer: The maximum sentence on indictment is 10 years' imprisonment for a Section 3 offence. A person commits the offence if they perform an unauthorised act in relation to a computer, knowing it to be unauthorised, and either intend to or are reckless regarding whether by doing so they:
- impair the operation of any computer.
- prevent or hinder access to any programme or data held in any computer.
- impair the operation of any such program or the reliability of any such data.
- enable any of the three things above to be done.
The offender must know that the act was unauthorised. DPP v Lennon (2006) established that Section 3 is relevant to distributed denial of service (DDoS) attacks, where users are unable to use a service because it has been temporarily or indefinitely disrupted by a huge volume of incoming traffic.
Section 3ZA, Unauthorised acts causing, or creating risk of, serious damage: This was inserted, with effect from 3 May 2015, by Section 41(2) of the Serious Crime Act 2015. It was introduced to cover computer misuse which causes damage to, for example, critical national infrastructure, where the maximum penalty of ten years under Section 3 may be inadequate. The maximum sentence on indictment is 14 years. But if the offence caused or created a significant risk of serious damage to human welfare or national security, as defined in Section 3 (a) and (b), a person found guilty of the offence can be imprisoned for life.
Section 3A, Making, supplying or obtaining articles for use in offence under Section 1, 3 or 3ZA: The maximum sentence on indictment is two years' imprisonment. Section 3A(2) of the CMA covers the supplying or offering to supply an article 'likely' to be used to commit, or assist in the commission of an offence, contrary to Sections 1 or 3.
Under section 4 of the CMA, liability for offences under sections 1, 3 or 3ZA requires proof of at least one significant link with the home country concerned.
A significant link could include:
- The accused being in the home country at the time of the offence.
- The target of the offence being in the home country.
- Technological activity that has facilitated the offending passing through a server based in the home country.
CRITICISM OF THE CMA
While the CMA is the main legislation for anti-hacking and cybercrime, it has not been without its critics, especially in recent years. It has been called outdated and ambiguous by the Criminal Law Reform Now Network (CLRNN). Many in industry have also called for its reform.
CLRNN highlighted what it saw as the Act preventing cyber security experts from carrying out threat intelligence research which, it claimed, leaves the UK's critical national infrastructure at increased risk. It wants public interest defences to be introduced for information security professionals, academics and journalists and specific guidance for prosecutors and sentencing judges.
CLRNN is also calling for the introduction of civil penalties for computer misuse, with the Investigatory Powers Commissioner having been suggested as a civil regulator. CLRNN also wants:
- A narrowing of Section 1’s scope so that it goes beyond simple unauthorised access and specifies “required harms”.
- Sections 3 and 3ZA narrowed to require an intention to commit a criminal act or to enable another person to do so.
- The creation of a corporate failure to prevent offence - meaning companies could be held criminally liable for employees committing computer misuse crimes.
- Creating a defence of assumed consent to accessing someone else's computers - relating to the other person knowing about the access, the circumstances surrounding it and the reasons for seeking it.
- A defence to be created, which would enable hackers to show their actions were either necessary for the detection or prevention of crime or justified in the public interest.