Fighting e-crime

Security experts are now calling on the government to rewrite the law to cope with the harsh realities of the internet age. The Act is based on the concept of trespass, which is increasingly hard to prove in a networked world.

Neil Barrett, technical director at security consultancy Information Risk Management, explained that current legislation should be replaced with a law based on the concept of fraud. The crime would then become defrauding the computer, by tricking it into giving the hacker access.

‘The CMA was written with the assumption that there would always be an authority gate which allows you to get to the computer. But anyone can access a website,’ he said.

High-profile viruses and new threats such as denial of service attacks are on the increase. Yet the low level of convictions under the Act shows the need for a change of thinking.

Crime goes unreported
One of the major reasons for so few convictions is that companies fail to report crime for fear of admitting that their IT security is lacking. They don’t see the police as being able to help, but the formation of the National High Tech Crime Unit in April last year should help to change opinions, said Barrett.

‘You have a determined set of experts at the NHTCU. Now we have something that we can use to prove to businesses that the police can cope,’ he maintained.

But even if victims do report an attack, there are still problems. ‘Juries are still horrendously lacking in awareness when it comes to computer crime,’ said Barrett. ‘I’ve been an expert witness and the first thing I’m asked is “what is a computer?” and “what is the internet?”’

New laws for old
Cross-party lobby group Eurim insisted that the Act needs to be replaced. ‘New law is clearly required. The CMA was a first attempt to address this issue,’ it explained in a draft report on e-crime.

Eurim added that the Crown Prosecution Service and the judiciary fail to recognise the serious nature of IT crimes. The Police and Criminal Evidence Act may also need updating to take account of e-crime, it suggested.

The Eurim report pointed out that legislation needs to be adapted so that committing crime by electronic means is punished in a way consistent with its physical equivalent. And it maintained that industry, especially small businesses, and users must be educated on the need to take e-crime seriously.

IT and law enforcement
The draft briefing calls for the basic ability to handle IT systems to be a skill required in law enforcement. ‘It is vital that the investigation and prosecution of e-crime is not seen as a specialist subject,’ it continued.

The NHTCU has a budget of £25m, but this is dwarfed by the sums spent by business, especially in the financial sector, to combat cyber-crime.

‘The formation of the NHTCU to provide common standards and practices, and to provide expert back-up to the local police forces, is an excellent start, but it will only make a material difference if adequate investment is made in the training of local police forces, the CPS and the judiciary,’ said the report.

Eurim has argued that industry should be given a bigger role, but acknowledges that too much legislation can have adverse consequences.

‘More thought needs to be given to sharing with industry the burden for the investigation and prosecution of crime,’ it concluded. ‘Care needs to be taken to ensure that legislation drawn up in good faith is constructed in a way that does not unintentionally prevent legitimate use.’
