What will changes to the Computer Misuse Act mean for hackers?
By Dan Ilett
Published: 13 April 2006 11:30 GMT
MPs are preparing to get tough on hackers as the law on computer misuse and hacking is up for a revamp.
For some years now, critics of the Computer Misuse Act (CMA) 1990 have said that gaps in the legislation have made it very hard to prosecute anyone.
As a result, this summer the CMA will be updated by the new Police and Justice Bill, which will increase the scope and strengthen the sanctions available against hackers.
Jon Fell, from law firm Pinsent Masons, explained: "The main change to the CMA that the bill recommends is the revision of the wording of Section Three, so that an offence is committed if any unauthorised act is done in relation to a computer.
"The term 'unauthorised act' is not defined and is left intentionally wide to catch all forms of attack. There is no longer any requirement for the data on a computer to have been modified."
The main changes to the law are more jail time for hackers and some new wording that now makes denial-of-service attacks an offence, which was previously not the case.
But how likely is it that they will be effective? Garry Sidaway, senior consultant at Cybertrust, believes the law still needs more work to make it effective.
"These changes may barely make a dent in overall criminal hacking," he said. "The longer sentences may have some deterrent effect, but not much until they really start getting applied."
"I would say parliament is not too slow to react. The CMA is meant to define a specific set of crimes and covers access, use, and modification, which covers just about anything the various law enforcement agencies want it to. Denial of service is a worthwhile addition since it may be accomplished without access or modification."
But Ben Jefferson, chief technical officer for Sense Internet, likes the amendments to the legislation because the wording is vague. "I'm quite impressed with it, especially with the wording around unauthorised access or unauthorised interference. The fact that it is phrased in general terms means that it isn't tied to any specific technology, and so to a good degree is well future proofed."
But the bill also brings controversial measures to limit the type of hacking and security tools that can be used legitimately. According to Peter Sommer, a security specialist at the London School of Economics, the Home Office realised this was a problem.
"One person's hacking technology is another's admin tool. This creates a significant problem for system administrators and pen[etration] testers.
"It's the same as going to a DIY or kitchen store - there are all sorts of lethal items there that can be used. We have the classic 'dual use technology' problem."
After consultations, the government made an alteration to the bill to shift the focus from specific hacking tools to the intent behind their use.
A Home Office spokesman told silicon.com: "The amendment widens the idea of intent for when a person uses an article with the intent to commit an offence. It makes a differentiation and protects those who supply tools for legal use."
But Fell believes the bill still fails to clarify whether security testing of systems could be deemed illegal.
"Whilst the existing offences require the criminal to have knowledge that their access or modification was unauthorised, this may be insufficient to protect the information security specialist who develops software to try to penetrate his clients' systems," he said.
He added: "A better interpretation would be that the software tool in question has to have been designed or adapted specifically with a view to the commission of an offence."