Criminal sanctions for the conduct of cyber crime were updated in the Serious Crime Act 2015, which came into effect on 3 March 2015. Its provisions include amendments to the Computer Misuse Act 1990 to create criminal penalties of life imprisonment for unauthorised acts that cause serious damage to welfare or security, and 14 years’ imprisonment for acts that cause serious damage to the economy or to the environment.
This is not the first time that laws relating to cyber crime have been amended; the Computer Misuse Act has been updated on at least 11 previous occasions over the past 25 years.
As a result, there is a broad range of sanctions available to deal with criminal activity, including unauthorised access to computer systems and unauthorised acts with the intent of disrupting the use of a computer system under the Computer Misuse Act, protection against cyber bullying under the Protection from Harassment Act 1997 and protection against the interception and disclosure of messages under the Wireless Telegraphy Act 2006.
The purpose of the criminal law is to punish and rehabilitate criminals and to deter others from offending, but, despite this, published reports, such as the Ponemon Institute report on cyber crime, indicate that the number of attacks is continuing to increase.
One deduction to be drawn from these reports is that the criminal law does not effectively deter criminals and that a better legal solution is required to prevent further rises.
Crime is generally perpetrated by people who feel comfortable with breaking the law, intentionally, recklessly or, in some instances, merely in ignorance of the law and the criminal consequences of their acts. Ignoring crimes motivated by moral or religious fundamentalism and inter-state conflict, the anonymous nature of the internet, its lack of borders and the opportunity to industrialise the process of committing crime make cyber crime an efficient, low-risk activity. The pervasive use of technology further encourages its adoption.
The Serious Crime Act extends the international reach of the Computer Misuse Act to capture the activities of UK residents committing crimes abroad, and foreign nationals committing crimes within the UK. Enforcing these sanctions will not be so easy. It will rely on international conventions, such as the Budapest Convention on Cybercrime 2001, that provide for co-operation between member states and their national law enforcement agencies. However, the sanctions are typically diluted by the need to achieve consensus between the participants, which reduces the impact of the convention.
There is currently no real consensus on the cost of cyber crime, despite the large number of studies that have been conducted on behalf of governments and businesses. Taking preventative measures can be seen as an unnecessary cost, business distraction and barrier to business when balanced against the risk of cyber crime occurring and its remedial costs. The availability of cyber insurance can also strengthen the credibility of such a strategy, which is further reinforced when large corporations seem to escape significant or lasting reputational harm or significant regulatory fines.
Public sympathy for such companies will eventually wane, particularly where theft of personal data leads to identity fraud, and regulators will take an increasingly stringent view of the measures that companies take to protect confidential information. If brand image is damaged and share values affected because of cyber attacks then shareholder pressure will eventually force companies to take action, but legislation could be used to drive good corporate behaviour sooner.
An alternative approach is to give companies and citizens the legal right to retaliate in kind. The desire to strike back is understandable, but to do so would currently give rise to the same criminal sanctions; for example, the Computer Misuse Act does not take account of the motive behind an illegal activity and the police have to be granted special powers to conduct investigations. While the law could be changed, it could not deal with the practical problems caused, such as preventing disruption to innocent users when the control servers used by hackers (known as botnets) are disabled, for example.
Consequently, a more effective approach to collective security would be for government to encourage good corporate behaviour through the use of tax credits or similar schemes. The UK government’s Cyber Essentials initiative aims to achieve these objectives by requiring all suppliers to the public sector to meet certain technological standards. This operates like a kite mark, but it does not go far enough to encourage wide-scale adoption beyond this community.
Governments of all political persuasions have previously used financial incentives to generate regional growth. Scotland, the north-east and Northern Ireland have all benefited from such policies. Tax credits or similar financial incentives could be used to encourage the adoption of stronger cyber security measures. There is also a wider community benefit because awareness training and support given to employees as part of such a scheme would naturally disseminate into the community.
The internet is driven by the commercial needs of businesses, which are guided by the drive to be profitable. Public and shareholder demand will eventually drive business to adopt more stringent cyber security measures, but this will take time. The creation of more criminal sanctions will not change criminal behaviour, but providing financial incentives would encourage businesses to become more secure by addressing the cost-risk balance. Getting businesses to operate more securely also has the collateral benefit of making the wider community more secure.
Stewart James is a partner at Ashfords LLP.
This was first published in April 2015