Below we consider the recent toughening of cybercrime legislation in the UK through the passing of the Serious Crime Act 2015 (the “Act”) and examine the ways in which the Act will assist the Government in achieving the objectives set out in the National Cyber Security Strategy.
Sections 41 to 44 of the Act, which amend the Computer Misuse Act 1990, will come into effect on 3 May 2015. As a result, offenders will face much tougher penalties for committing certain cyber acts intended to cause serious damage. The legislative updates are an attempt by the Government to provide further powers to assist in achieving the objective of “tackling cyber-crime and making the UK one of the most secure places in the world to do business in cyberspace”.
One of the key updates is the creation of a new offence of committing “unauthorised acts causing, or creating risk of, serious damage” in relation to a computer.
The provisions defining “serious damage”, which has to be “of a material kind”, are drafted widely and include damage to human welfare, the economy of a country, the national security of a country and also, interestingly, the environment. “Human welfare” is itself widely defined and includes loss of, or injury to, human life as well as disruption to communication, power, food distribution and transport systems and to health services. The introduction of this criminal offence strengthens a previously relatively weak area of the UK’s net of cybercrime legislation for dealing with major cyber-attacks with the potential to cause serious loss of life or disruption to the country’s economic and civilian systems.

A person guilty of the new offence is liable to: (i) a prison sentence of up to 14 years (or life imprisonment in certain serious circumstances); (ii) a fine; or (iii) both a sentence and a fine. The offender need only have a “significant link” to the UK in order to be caught by the legislation. This stretches the jurisdiction of the Act to cover acts committed by UK nationals abroad, provided that the relevant act constituted an offence under the law of the country in which it occurred. This is an extension to the jurisdictional reach of the previous legislation, in addition to the increase to the maximum punishment for serious computer misuse offences, which was previously 10 years’ imprisonment.
In practice, it will be interesting to see how the police harness new powers under the Act to intervene against a suspect before a cyber-attack occurs, and also whether the extra-territorial jurisdiction of the Act will result in the extradition of British citizens. We may also see the Act being used to prosecute foreign citizens who use the UK as a base to attack non-UK targets. In this regard, the Act removes the borders from cybercrime in a way which is more reflective of the fact that the internet operates across jurisdictions.
The aim of the Act is to reduce the threat and impact of cybercrime by ensuring UK legislation is up to date with the fast-evolving methods utilised by cybercriminals. Studies have long indicated that the number of cyber-attacks has continued to rise, with the UK now (according to some data) the second most targeted nation in the world. The UK government recognises that a more effective legal solution is required to stem or reverse this trend.
The additional protection offered by the Act is drafted very widely and it will be interesting to see how prosecutors use the breadth of the provisions. An unintended consequence of this may be that provisions devised to extradite individuals committing acts of cyber terrorism or aggression abroad could equally be used to target other, arguably less serious, cyber acts that still fall within the scope of the Act.
Further, with the extra-territorial jurisdiction accompanying the new offence, prosecutors may find that much of the difficulty in enforcing the new laws to extradite individuals will not arise from a legal basis, but rather from a political one. It seems likely that effective application of the Act will rely on co-operation with other states in relation to the relevant local laws which may apply to a particular “cyber act”.
It is therefore arguable that whilst the development of the new offence may provide a deterrent against some individuals targeting the UK or aspects of it on a smaller scale, it is unlikely to be the solution to the global threat of cybercrime; rather, it is simply a new “reactive” recourse for UK prosecutors. Addressing the bigger and more dangerous forms of cybercrime will require an approach on a considerably larger, pan-European or global scale, based on much greater co-operation in the field and with the backing of international conventions. The problem remains that, as many forms of cybercrime are relatively new, both the law and its enforcers will struggle to apply an effective framework. However, the passing of the computer misuse provisions in the Act is certainly a promising indicator of the seriousness with which the UK government treats cybersecurity and a signal that the use of jurisdictions with lax cybersecurity enforcement will no longer put a cybercriminal with a link to the UK beyond the reach of the law.
The ongoing development of new technology will certainly have an impact on the Government’s ability to target offenders. The ways in which individuals and consumers interact with the internet and communicate with one another have changed enormously over recent years and continue to do so. Whilst it may be difficult to argue that a tablet or even a phablet falls outside the realms of the term “computer” (as used in the legislation), new wearable technologies are moving further and further away from our traditional conception of computer-based objects or tools as set out under the Computer Misuse Act 1990. It is likely that this trend will continue, and any effective approach to tackling cybercrime needs to accommodate this.