The Queen''s speech on Wednesday, 4 June set out the government''s legislative programme for its remaining term in office. One of the bills introduced is the Serious Crime Bill, which will provide new measures primarily intended to disrupt serious and organised crime. However, the bill will also introduce an amendment to the Computer Misuse Act 1990, and it will be used to Implement Directive 2013/40/EU regarding attacks against information systems, which must be implemented by September 2015.
Information published by the Home Office regarding the contents of the Bill indicates that the amendments to the Computer Misuse Act will:
The new offence relating to attacks on human welfare is concerned with attacks that disrupt health, transport or communications services, causes loss of life or injury, or disrupt the supply of utilities, food or money. This is clearly aimed at disruption of the Critical National Infrastructure ("CNI") and the related penalty of life imprisonment is intended to reflect this (the penalty for the remaining provisions is a 14 year tariff).
The principle purpose of the EU Directive is to bring the national laws of Member States into alignment and to give effect to measures for the sharing of information and assistance between law enforcement agencies. The Computer Misuse Act and related legislation in the UK already achieves and exceeds most of these requirements.
Consequently, these amendments are unlikely to have any material or noticeable impact on the current level of cybercrime or prevent future increases. This is because:
Organisations (and individuals) taking preventative action remains the best approach to reducing the level of cybercrime. However, like insurance, hardening information systems introduces performance and cost overheads and neither save money (for public authorities still faced with saving costs) or improve the bottom line (for commercial organisations seeking to improve profit margins).
Organisations are currently able to justify their inactivity on the basis of balancing the risks of cybercrime against the cost of resolving the consequences. This fails to consider the true cost of cybercrime and does nothing to improve collective security. The Serious Crime Bill will be of assistance to the law enforcement agencies, but ultimately for any new legislation to have a material impact on cybercrime it also needs to provide a positive incentive for organisations to take preventative action.