
Cybercrime and the Serious Crime Bill 2014-15

The in  office.  One of the bills introduced is the Serious Crime Bill 2014-15, which will provide new measures primarily intended to disrupt serious and organised crime.

The Bill will also introduce an amendment to the Computer Misuse Act 1990, and it will be used to implement Directive 2013/40/EU regarding attacks against information systems, which must be implemented by September 2015.

Stewart James, Partner at Ashfords LLP, considers the implications of the Bill on combatting cybercrime.

Information published by the Home Office regarding the contents of the Bill indicates that the amendments to the Computer Misuse Act 1990 will:

  • Strengthen sentences for attacks on computer systems so that they fully reflect the damage caused.
  • Create a new offence relating to attacks that result in, or create a significant risk of, serious damage to the economy, the environment, national security or human welfare.
  • Extend existing extra-territorial powers to prosecute a UK national who commits an offence whilst abroad even if the effect of the offence is not felt in the UK, provided the offence is also an offence in the territory in which it takes place.

The new offence relating to attacks on human welfare is concerned with attacks that disrupt health, transport or communications services, cause loss of life or injury, or disrupt the supply of utilities, food or money.  This is clearly aimed at disruption of the Critical National Infrastructure (CNI) and the related penalty of life imprisonment is intended to reflect this (the penalty for the remaining provisions is a 14-year tariff).

What impact will the Bill have on cybercrime?

The principal purpose of the EU Directive is to bring the national laws of member states into alignment and to give effect to measures for the sharing of information and assistance between law enforcement agencies.  The Computer Misuse Act 1990 and related legislation in the UK already achieve and exceed most of these requirements.

Consequently, amendments made by the Bill are unlikely to have any material or noticeable impact on the current level of cybercrime or prevent future increases.  This is because:

  • It is the nature of crime that criminals ignore the law and act outside of it.  Notwithstanding the success this month of the National Crime Agency in disrupting the GOZeuS and CryptoLocker malware, the agency also had to accept that the criminals would find a workaround within a period of just two weeks.
  • Criminal law provides a sanction for illegal action provided that the criminals can be caught and successfully prosecuted.  The multi-jurisdictional nature of cybercrime and the time required to investigate an offence make it difficult to achieve prosecutions.
  • The changes that have been introduced as part of the Serious Crime Bill 2014-15 are targeted at disrupting attacks on the CNI and attacks that impact on national security.  The changes will have little effect on “ordinary” criminal activity, which is equally damaging and disruptive, particularly when considered collectively.
  • The changes do not place any positive obligation on or produce any incentive for organisations to take preventative action.

Organisations (and individuals) taking preventative action remains the best approach to reducing the level of cybercrime.  However, like insurance, hardening information systems introduces performance and cost overheads and neither saves money (for public authorities still faced with saving costs) nor improves the bottom line (for commercial organisations seeking to improve profit margins).

Organisations are currently able to justify their inactivity on the basis of balancing the risks of cybercrime against the cost of resolving the consequences.  This fails to consider the true cost of cybercrime and does nothing to improve collective security.  The Serious Crime Bill 2014-15 will be of assistance to the law enforcement agencies, but ultimately for any new legislation to have a material impact on cybercrime it also needs to provide a positive incentive for organisations to take preventative action.

Cybercrime: government initiatives

The government is providing an increasing amount of information to businesses on cyber security to encourage businesses to take such preventative action.

In 2011, the government published its cyber security strategy, and in September 2012, the Department for Business Innovation and Skills (BIS) published its guidance on cyber security for business.

In February 2014, BIS published a joint communique on strengthening the cyber security of essential services.

On 10 June 2014, BIS launched its Cyber Essentials certification scheme, which sets out the government’s preferred standard for cyber security and enables businesses to apply for certification, following an assessment of their security systems. From 1 October 2014, all suppliers bidding for certain personal and sensitive information-handling contracts must be Cyber Essentials certified.

 

 

 
