IT Security - Part 1

Tackling cyber-crime: Is the law (and your business) up to it?

October 2003


Sobig, Bugbear, the Love Bug and even Anna Kournikova are names that have recently sent chills down the spines of many IT managers. Malicious viruses and worms are increasing rapidly in number and evolving into sophisticated and complex variants, yet this rise in attacks comes with press revelations of complacency regarding IT security within many UK companies and financial institutions. These concerns have fuelled calls for reform of UK IT security laws, in particular the Computer Misuse Act 1990, yet as MSN's recent decision to close its chat rooms illustrates, the problem of cyber crime is wider, and unfortunately often graver, than disruptive attacks on computer systems.

This article, the first of two on the subject of IT security, focuses on the adequacy of current UK "cyber-laws" in protecting today's businesses from security attacks, and considers what more could be done. The second part, next month, will discuss some of the wider issues of computer misuse.

Existing UK IT security laws

The Computer Misuse Act 1990 ("the Act") is currently the only significant piece of UK IT security legislation. It is a relatively short statute, which introduced three computer-related criminal offences:

section 1: unauthorised access to computer material (causing a computer to perform any function with intent to secure access to a program or data, knowing that the access is unauthorised);
section 2: unauthorised access with intent to commit or facilitate the commission of a further offence; and
section 3: unauthorised modification of computer material.

The first offence carries a maximum sentence of six months' imprisonment, and each of the second and third five years. Indeed, one of the main criticisms of the Act is that its penalties are neither harsh enough nor proportionate to the damage often suffered. The Act has also led to few convictions, despite the high incidence of attacks.

Fundamentally, the Act is today out of touch with technology, particularly the advent of the Internet. It was drafted on the assumption that computer systems are designed to keep people out, with some kind of "authority gate" controlling entry to "the system". The Internet has changed this: people are actively encouraged to access websites and send emails, making the Internet a predominantly open-access computer system, and therefore largely impossible to police under the inappropriate principles of the Act. One only has to consider the all too frequent "denial of service" attacks (those that attempt to disable a server by flooding it with more traffic or requests than it can handle, for example a deluge of emails) to illustrate this problem, as such attacks will usually fall outside the Act. They do not necessarily involve gaining unauthorised access to a computer system or modifying its data, and as there is as yet no offence in the UK of sending spam emails to corporate recipients, [1] none of the three offences is committed.

Even where the Act can be applied, proving the necessary intent and satisfying the rules on the admissibility of computer-generated evidence are onerous tasks for the prosecution[2]. For example, a person is guilty under section 1 of the Act if he causes a computer to perform any function with intent to secure access to any program or data held in any computer, where that access is unauthorised and he knows at the time that it is unauthorised. Both limbs are difficult to prove, the second especially so where the defendant already has some limited authority, for example where he is an employee of the business running the computer system.

Proving "modification" under section 3 is also problematic, as viruses are often spread by people other than those who created them, and it is therefore usually hard to establish the source of the virus. However, in R v Pile[3], the prosecution was able to rely on evidence recovered from the defendant's own computer, and the defendant received an 18-month custodial sentence under sections 2 and 3 of the Act.

Outside the Computer Misuse Act, some other laws have been passed which in part aim to increase security over the Internet. These include the Electronic Communications Act 2000, which provides that electronic signatures are admissible in evidence to determine the authenticity of a communication; the Regulation of Investigatory Powers Act 2000 (RIPA), which gives authorities such as the police powers to intercept electronic communications; and the seventh data protection principle of the Data Protection Act 1998, which obliges "data controllers" to take appropriate technical and organisational measures to keep the personal data they process secure.

What more is needed?

UK laws desperately need to take account of recent technological developments, most notably the Internet. On the other hand, care is needed to ensure that legitimate activities do not become criminalised. With an inherently open system such as the Internet a fine balance is needed, and considerable technical input will be required. Further, laws in this area should be "modular", allowing regular changes to keep pace with Moore's Law.[4] Cyber crime is also often a multi-national phenomenon, perpetrated from jurisdictions with weaker controls. This has led to calls for harmonisation of the substantive and procedural security laws of EU Member States, and for the UK to ratify the European Cybercrime Convention [5] and the European Commission's proposal for a Council Framework Decision on attacks against information systems [6]. However, critics of these proposals say they threaten civil liberties by allowing states to monitor the use of the Internet by individuals or groups in order to track use by criminals and hackers [7].

What's being done?

The UK Government has announced that it will be carrying out reforms and, in particular, will be updating the Act to make penalties harsher and to bring denial of service attacks within section 3. It will also consult on a new "E-Crime Strategy" to ensure more cyber-criminals are caught and prosecuted. The Home Office has also asked the IT industry parliamentary group Eurim to identify key priorities, which are thought to include the introduction of "special IT constables" with the relevant IT security expertise; specialist education and training in IT security; tackling identity theft over the Internet; and increased funding for the National High-Tech Crime Unit and regional police computer crime units. Whether reforms materialise in the near future, and whether they will be enough to meet the challenge of effectively tackling cyber crime, remains to be seen.

Conclusion

Reform of UK IT security laws is long overdue, but it is important to remember that there is only so much the law can ultimately do to deter attackers. Businesses must therefore consider the practical steps they themselves can take to ensure they are adequately protected, including having carefully thought out corporate IT security policies which are actually implemented. The standard security code of practice, BS 7799, has been followed by few to date, with many directors unaware of its existence. Many UK businesses also still view IT security as a technical rather than a business concern, yet mistrust of Internet security remains a foremost restrictive factor in the growth of electronic business.

Tellingly, the lack of convictions under the Act is not solely attributable to weaknesses in the law, but also to the failure of businesses to report attacks on their systems for fear of adverse publicity. While the law does of course have a significant part to play in fighting cyber crime, there remains a great deal of rethinking to be done by businesses, which must first learn to join the fight on the front line.

Nooreen Ajmal & David Meredith


[1] However, sending direct marketing spam to personal email accounts will be an offence from 11 December 2003 by virtue of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

[2] Section 69 of the Police and Criminal Evidence Act 1984 admitted computer evidence only if it satisfied certain requirements: there had to be no reasonable grounds for believing the statement was inaccurate because of improper use of the computer, and the computer had to have been operating properly at all material times. Note that section 69 was repealed by section 60 of the Youth Justice and Criminal Evidence Act 1999 with effect from April 2000, since when computer-generated evidence is admitted under the ordinary presumption that the computer was working properly unless evidence is raised to the contrary.

[3] May 1995 (unreported).

[4] Moore's Law (named after the Intel co-founder Gordon Moore) is the observation that the number of transistors that can be placed on a given area of silicon has roughly doubled every eighteen months to two years since the technology was invented; it is used here as shorthand for the pace of change in computing.

[5] Opened for signature in November 2001 by the Council of Europe.

[6] Proposal adopted by the Commission in April 2002 and awaiting final adoption. It provides a general framework to approximate national laws and increase judicial and police cooperation in relation to attacks against information systems. Member States would have until 31 December 2003 to implement the proposed framework.

[7] Similar concerns have arisen in relation to RIPA 2000.

USEFUL URLS

http://www.europa.eu.int/eur-lex/en/com/pdf/2002/com2002_0173en01.pdf
Proposal for an EU Council Framework Decision on attacks against information systems

http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185
European Convention on Cybercrime

http://www.dti.gov.uk/industries/information_security/
DTI's guidance on Information Security

http://www.ukonlineforbusiness.gov.uk/cms/template/infor-security.jsp?id=212908
UK Online for Business Guidance on Information Security


Kemp Little LLP Solicitors, Cheapside House, 138 Cheapside, London, EC2V 6BJ
Tel: +44 (0) 20 7600 8080    Fax: +44 (0) 20 7600 7878
© 2011 Kemp Little LLP