Uncertain law leaves penetration testers in limbo – Part 2/4
The computer misuse hacking offences are broad enough to catch conduct that, at first glance, does not appear to be “hacking” at all.
This is the second part of a series of articles. The first part can be found here.
At that time, there was no “hacking” offence and so it was eventually decided that a charge of “making a false instrument” (under the Forgery and Counterfeiting Act 1981) was the most appropriate offence.
This statute is most often used for forgery-type offences, in which the instrument is a means of proving purchase and then obtaining something. The “instrument” in question for Schifreen and Gold was explained to be the “user segment” part of the protocol. The intellectual dishonesty is rather clear, and it was always apparent that this was a manipulation of the statute.
The defendants admitted what they had done, but it was argued that their activities did not fit the charge. Nevertheless, the pair were convicted, with Gold receiving a £600 fine and Schifreen a £900 fine. Although these were, arguably, not very harsh penalties, the pair still took the matter to the Court of Appeal, which agreed with the technical challenge that the hacking activities were not the same as the making of a false instrument.
The case didn’t end here though, with the prosecution then appealing to the House of Lords, on a public policy basis that Schifreen and Gold should not be able to get away unscathed. The House of Lords agreed with the Court of Appeal – no offence fitted the acts. Effectively, the House of Lords told the House of Commons that they had not made a law that covered this wrongdoing and that the law was not open for manipulation.
Computer Misuse Offences
Given the clear gap in the law, Parliament was then left with no choice, and, within two years, the Computer Misuse Act had been passed. This introduced three new offences into UK law:
- Unauthorised access to computer material;
- Unauthorised access to computer material with intent to commit, or facilitate the commission of, a further offence;
- Unauthorised modification of computer material.
The Computer Misuse Act was drafted to be purposefully vague, in an attempt to be future-proof, and has actually weathered fairly well. “Computer material” is not defined. Even the word “computer” is kept slightly broad – “any device for storing and processing information”. There is also no requirement in the Act for the intent to be directed at a specific program or file – it is enough to prove that the access was unauthorised.
It will be noted that a criminal intent is not necessary. It does not matter if a person accessed a computer solely to show the vulnerability, perhaps as part of penetration testing. If it was unauthorised, it is unlawful.
The first type of offence, the simple “unauthorised access”, carries a maximum penalty of six months imprisonment and a £2,000 fine. The other two offences carry a more severe 5 years imprisonment and a £5,000 fine as the maximum sentences.
It must be agreed that these potential sentences are relatively small, the five-year custodial sentence being reserved for the most damaging acts and the most persistent offenders. Somebody gaining control of the UK nuclear missiles probably won’t happen again, but serious harm (in a financial sense) could still easily be the result of a prolonged cyber attack. Moreover, al-Qaeda has acknowledged that cyber warfare against Western governments is also a legitimate aim. A five-year custodial sentence will obviously not suffice in that instance, which in turn brought about the Terrorism Act 2000. This allowed any action meant to seriously interfere with or disrupt an electronic system to be categorised as a terrorist action if both of the following conditions are satisfied:
- It is designed to influence the government or to intimidate the public or a section of the public; and
- It is made for the purpose of advancing a political, religious or ideological cause.
Clearly, potential sentences would depend on the actions of the hacker or hacking group in question. As you can imagine, though, the sentences that the actions of a “terrorist” group would attract are far higher than those for the innocuous vandalism and protesting that such groups may think they are perpetrating.
Prosecutors are well aware of the situation and the hacking laws are in their consciousness in a way that they have never been before. Their use is now increasing such that those outside of the traditional “hacker” communities are being prosecuted for offences.
This is the second part of an article that first appeared in PenTest magazine. The remaining parts will be published on this blog on a weekly basis.