The Queen''s speech on Wednesday, 4 June set out the government''s legislative programme for its remaining term in office. One of the bills introduced is the Serious Crime Bill, which will provide new measures primarily intended to disrupt serious and organised crime. However, the bill will also introduce an amendment to the Computer Misuse Act 1990, and it will be used to Implement Directive 2013/40/EU regarding attacks against information systems, which must be implemented by September 2015.
Information published by the Home Office regarding the contents of the Bill indicates that the amendments to the Computer Misuse Act will:
- Strengthen sentences for attacks on computer systems so that they fully reflect the damage caused.
- Create a new offence relating to attacks that result in or create a significant risk of causing serious damage to the economy, the environment, national security or human welfare.
- Extend existing extra-territorial powers to prosecute a UK national who commits an offence whilst abroad even if the effect of the offence is not felt in the UK, provided the offence is also an offence in the territory in which it takes place.
The new offence relating to attacks on human welfare is concerned with attacks that disrupt health, transport or communications services, causes loss of life or injury, or disrupt the supply of utilities, food or money. This is clearly aimed at disruption of the Critical National Infrastructure ("CNI") and the related penalty of life imprisonment is intended to reflect this (the penalty for the remaining provisions is a 14 year tariff).
The principle purpose of the EU Directive is to bring the national laws of Member States into alignment and to give effect to measures for the sharing of information and assistance between law enforcement agencies. The Computer Misuse Act and related legislation in the UK already achieves and exceeds most of these requirements.
Consequently, these amendments are unlikely to have any material or noticeable impact on the current level of cybercrime or prevent future increases. This is because:
- It is the nature of crime that criminals ignore the law and act outside of it. Notwithstanding the success this month of the National Crime Agency to disrupt the GOZeuS and CryptoLocker malware, the agency also had to accept that the criminals would find a workaround within a period of just two weeks.
- Criminal law provides a sanction for illegal action provided that the criminals can be caught and successfully prosecuted. The multi-jurisdictional nature of cybercrime and the time required to investigate an offence make it difficult to achieve prosecutions.
- The changes that have been introduced as part of the Serious Crime Bill are targeted at disrupting attacks on the CNI and attacks that impact on national security. The changes will have little effect on "ordinary" criminal activity, which are equally damaging and disruptive, particularly when considered collectively.
- The changes do not place any positive obligation on or produce any incentive for organisations to take preventative action.
Organisations (and individuals) taking preventative action remains the best approach to reducing the level of cybercrime. However, like insurance, hardening information systems introduces performance and cost overheads and neither save money (for public authorities still faced with saving costs) or improve the bottom line (for commercial organisations seeking to improve profit margins).
Organisations are currently able to justify their inactivity on the basis of balancing the risks of cybercrime against the cost of resolving the consequences. This fails to consider the true cost of cybercrime and does nothing to improve collective security. The Serious Crime Bill will be of assistance to the law enforcement agencies, but ultimately for any new legislation to have a material impact on cybercrime it also needs to provide a positive incentive for organisations to take preventative action.