Think what the world of IT was like in 1990. A few lucky researchers, military personnel, government workers and assorted hangers-on would have been able to enjoy the novelty of fledgling email and internet services. If you were a forward-thinking large corporate, you might well have a mainframe or a minicomputer network storing and processing crucial data and, although dial-up modems could connect systems to each other and enable remote terminal access, viruses and hack-attacks were minor worries. The occasional infected floppy disc might contain some malware that could potentially compromise the contents of your expensive 40mb hard drive, but a relatively up-to-date antivirus programme would probably protect you. Hackers and virus writers were mostly a minority sub-culture of cyber-kids operating from their bedrooms bragging and swapping war stories on underground bulletin boards.
As technology quickly became fundamental to both businesses and governments it began to dawn that cyber-crime could present a real risk. Legislation was sought that would protect the public and the plc alike from these new types of criminal who exploited the emerging digital age with the idea of causing disruption and damage. Hacking, which was only seemingly comparable to breaking and entering under existing laws, seemed the most common crime that needed addressing, however law enforcement agencies found it increasingly difficult to successfully prosecute hackers, as existing laws were inadequate.
This is when the original Computer Misuse Act was passed. In an attempt to future proof the act it was based around the existing legal concept of trespass, essentially creating three new offences based on legal principles that were already hundreds of years old. The CMA was as good as the law could get for the time - however it was drafted at a time when there was no clear notion of how IT would develop. The very fact that it was drafted before the Internet even became mainstream ensured its obsolescence.
Fourteen years on the Computer Misuse Act has remained largely unchanged. Those seeking to abuse the fast-developing connected digital era are mediated by archaic laws based on out-of-date concepts. One of the major downfalls is that the CMA does not cover any type of data theft, no matter how large a scale it is on, which instead is covered by general theft legislation. This leaves a gaping loop-hole for hackers to exploit because, by definition, theft laws act against those 'taking with the intention to permanently deprive' and, seeing as the majority of data theft involves copying, rather than permanently removal, the law falls down. Specific legislation is the only way to close such loop-holes.
The fight to bring the law up-to-date and stop cyber criminals running riot is severely hampered by the lack of understanding of the scope of the problem. A perception that the police are powerless, coupled with the fact that a large majority of malicious attacks go unreported, means it is impossible for the Government to quantify, and therefore recognize, the real scale of the problem and only when it does will sufficient resources, both political and financial, be allocated. Raising this awareness is vital if cyber crime is to be included in key categories of crime, rather than existing on the periphery.
The Government needs to upgrade the importance of cybercrime if enforcement is ever going to be efficient. Not only is there a lack of statistics pertaining to the scope of the problem but a severe lack of legal clout for those trying to prosecute such criminals. Hackers and virus writers operate in an environment which could at best be described as comfortable and at worst as lawless.
This lack of recognition means there is a severe lack of resources amongst domestic law enforcement agencies. The UK's Hi-Tech Crime Squad, which has had some notable successes, is snowed under with a huge amount of internet crime. Although they have had notable successes dealing with internet-related crimes against children, there are simply not the resources to deal with the sheer volume of complaints about malicious attacks, which are essentially ignored even though there are potentially millions of victims.
A lack of domestic resources is not the only problem. With the internet existing in a space that transcends traditional notions of boundaries enforcement is problematic, and there is an obvious need for stronger co-operation with foreign and international law enforcement agencies. Regions such as Russia, Eastern Europe and China, where law-enforcement of cyber crime is of even less importance, have become a hideout for hackers and virus writers. Any new legislation must take into account a need for multi-national co-operation between relevant agencies.
Lawmakers today, in the form of the All Party Internet Group (APIG), are soon to review the CMA and consider what updates it needs. The inquiry will investigate all areas of the act in order to formulate recommendations about how the laws can address the problems highlighted. If the CMA is ever going to keep up with the transient and constantly developing world of cybercrime it needs to be suitably fluid legislation, designed to be adaptable to keep abreast of these developments. Most importantly though what is really needed in order to push through changes in this outdated law is for people to wake up to the true scale of the issue because, if the law stays in 1990 whilst cybercriminals continue to advance daily, it could have disastrous effects, not only on the economy but on the country as a whole.
Nick Ray is CEO at Prevx
