The A to Z of security

CMA

The Computer Misuse Act 1990 (CMA) is, as its date stamp suggests, a 16-year-old UK government law dealing with malicious use of computers.

It started life as a Private Member's Bill, introduced by Tory MP Michael Colvin after the prosecution of two men - for hacking into British Telecom's Prestel video text system in the mid-80s - foundered under the Forgery and Counterfeiting Act. The men were able to successfully argue this Act had been misapplied to their conduct. Their case led to a review by the English Law Commission which recommended bringing in new legislature to specifically deal with computer hacking.

The CMA made it a criminal offence to intentionally gain unauthorised access to, or to modify, data or any program held in a computer.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

Back in 2004, the All Party Internet Group made a series of recommendations for updating the CMA - to address a loophole around DoS and related fraud attacks, and to increase the prison term that can be meted out to hackers. APIG also recommended making hacking an extraditable offence.

The denial of service loophole was particularly problematic. DoS attacks, while undoubtedly disruptive, do not involve data modification so perpetrators were exempt from prosecution under the CMA. In 2005, the prosecution of a UK teen for launching an email bomb attack against his ex-employer failed for this reason.

Writing about the loophole in a silicon.com column last year, computer crime guru Neil Barrett called for "a specific alteration to the Computer Misuse Act so as to make denial of service - whether a 'simple' or an 'aggravated' offence - a criminal act".

The Police and Justice Bill passed onto the statute books on 8 November 2006, replacing section three of the Computer Misuse Act with new wording that tackles "unauthorised acts with intent to impair operation of a computer". The long-awaited CMA revamp means DoS attackers now face up to 10 years in jail.

Hackers can also expect more jail time - the update increases the maximum sentence for hacking a computer from six months to two years. The new law also makes it an offence to supply or make available software or tools that could be used to commit hacking or DoS attacks. Those found guilty under this section of the law face up to two years in jail.