New Amendments to the Computer Misuse Act (CMA) 1990 clarifying the position regarding the supply of hacking tools and denial-of-service attacks have now come into force, making them criminal offences.

The principal piece of legislation that governs computer crime is the CMA, which is assisted by the Police and Justice Act 2006 (PJA) and the Serious Crime Act 2007 (SCA).

Unfortunately the 1990 Act did not create a specific offence for denial-of-service attacks, which with the rapid advances in IT and the world wide web that we have witnessed over the last 2 decades, has lead to increasing levels of judicial and industry confusion.

The All Party Internet Group (APIG) had been at the forefront of highlighting the flaws of the CMA, however their Private Member's Bill, which proposed to amend the Act, failed in 2005.

England & Wales

It was the PJA which proposed the amendments, but the changes to the CMA were not brought into force until 1st October 2008 having themselves been amended by the SCA in England and Wales. These changes mean that it is now a criminal offence to supply hacking tools or carry out denial-of-service attacks.

Scotland  

It should be noted that while computer misuse is a devolved matter. The Scottish Parliament applied a Sewell motion to the England and Wales' PJA and SCA to ensure the legislation covered both jurisdictions. This meant the PJA amendments were brought into force back on 1 October 2007 in Scotland. The position in the UK is now consistent.

Changes

Section 3  

Section 3 of the CMA made it an offence to carry out any act, with the requisite intent and knowledge, which caused an unauthorised modification of the contents of any computer. It was this restrictive scope that had been at the heart of the criticism levelled at the CMA, as denial-of-service attacks, have the effect of overloading a system by sending vast numbers of messages/page request/data to a particular address. These attacks are becoming increasingly destructive as technologies advance and as more and more organisations conduct their business online. The PJA widened the range of activities covered by the old section 3 offence by replacing it with a new section 3 which includes the wording "any unauthorised act in relation to a computer…". The range of activities covered now includes the supply of hacking tools, which contain malicious code and the use of denial-of-service attacks. The new section 3 offence now includes reckless actions, which have the above effect, whereas with the old section 3 knowledge and intent in relation to "unauthorised acts" was required. The penalties for a section 3 offence include up to one year imprisonment or a fine, or both (if summary conviction) or up to ten years' imprisonment, a fine or both (if on indictment).

Section 3A

This section introduces a new offence for making, adopting, supplying or offering to supply any article (any program/data held in electronic form) intending it to be used for committing or assisting with the commission of an offence, under section 1 or 3 of CMA. The penalties are up to one year imprisonment, fine, statutory maximum or both (summary conviction) or up to two years' imprisonment, fine or both (on indictment).

Conclusion

The new section 3 has removed confusion and created a much needed offence for the present day, but the new section 3A has been deemed too broad by sections of the IT industry, as on the face of it the CMA now criminalises the legitimate supply of security software tools. However, it is felt that police and prosecutors will take a common sense approach when applying the law.