UK Seeks Hacking Life SentencesSerious Crimes Bill Targets 'Cyber Terrorism'
The U.K. government wants to give judges the ability to sentence hackers to life imprisonment for launching attacks that result in serious damage to the economy, environment, national security or human welfare.
That was one of a number of computer crime plans outlined Wednesday during the Queen's speech. The ceremony, which dates from 1852 and marks the opening of a new Parliamentary session, involves the reigning monarch reading a government-prepared list of priorities for the 2014 legislative session.
Among the government's proposals is a new "serious crimes" bill that would, in part, "amend the Computer Misuse Act of 1990 to ensure sentences for attacks on computer systems fully reflect the damage they cause," according to the U.K. Home Office, which is the government agency responsible for immigration, security, and law and order.
Stronger Maximum Sentences
The Home Office says the amendments include creating a new type of offense, with a maximum sentence of life imprisonment, "for cyber-attacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof." The bill would also extend, from 10 to 14 years, the current maximum sentence for cyber-attacks that cause or create "a significant risk of, severe economic or environmental damage or social disruption."
Government officials argue these measures are needed to prosecute these types of attacks, should they ever occur. "Our reliance on computer systems and the degree to which they are interlinked is ever increasing and a major cyber attack on our critical infrastructure would have grave consequences," says Karen Bradley, the UK minister for modern slavery and organized crime, in a statement. "This bill would ensure that in the event of such a serious attack those responsible would face the justice they deserve."
Targeting Organized Crime
The government also proposed creating a new offense for "participation in an organized crime group" that's meant to target a gang's white-collar associates. While no specific computer crime angle was emphasized in that proposal, in the United States last year, prosecutors used the similar mob-busting Racketeer Influenced and Corrupt Organizations Act to secure a guilty conviction against a user of a "carder" site that sold fake IDs and counterfeit credit cards.
The new serious crimes bill is scheduled to be presented to the U.K. parliament June 16. That's no guarantee, of course, that it would pass in its current form - if at all.
The proposals also beg the question of whether the U.K. needs tougher computer crime laws or should be legislating against types of attacks not yet seen in real life. "The cynical view is that this is a very low-cost way for a government to show how much it cares about cyber security - pushing laws through Parliament is far cheaper than spending serious money on law enforcement resources," says London-based cybercrime expert and public policy analyst Peter Sommers. "This is largely an opportunity for politicians to make speeches."
Mustafa Al-Bassam, a 19-year-old computer science student who was convicted under the Computer Misuse Act of participating in attacks organized under the banner of LulzSec, accused the government of attempting to combat "a threat that so far has only been seen in Hollywood movies."
"The government should be reviewing its existing computer misuse laws, which have overreaching implications even more problematic than the CFAA in the USA before creating even more laws," Al-Bassam said in a statement posted to Pastebin, referring to the U.S. Computer Fraud and Abuse Act, which some information security experts have criticized as being vague, over-broad, excessive, and too often applied in a draconian manner.
Missing: "Cyber Terrorism" Definition
U.K. legislators will face similar challenges when crafting the serious crimes bill, in part by trying to criminalize types of attacks that haven't happened yet. "One of the problems of our entire counter-terrorism legislation is the lack of an agreed definition of what terrorism amounts to," says Sommers, who has served as an expert witness in numerous computer crime cases.
As a practical matter, furthermore, meeting the proposed legislation's threshold for hacking crimes that produce "severe economic or environmental damage or social disruption" would likely be difficult. "My experience of many of these cases is the claims of damage are often exaggerated, often because the system administrator whose facilities had been hacked is anxious to deflect attention from their own failings by suggesting unworldly skills on the part of the perpetrator," Sommers says.
Accordingly, even if the legislation passes, "I don't expect it is going to get used very much," he says.
But Ifrah Law white collar crime attorney David B. Deitch, who's based in Washington, says that given the potential fallout from attacks of a cyberterrorism nature, "there are legitimate reasons to have statutes in place that provide for significant penalties for violations."
He warns, however, that any overly broad laws crafted by the U.K. government may be used in unexpected ways. "There have been instances in the United States in which statutes relating to serious crimes have been used in ways that were not intended, including statutes relating to unauthorized use of computers," Deitch says. "The key is for governments to craft statutes that provide careful protections against over-broad application."