Effectiveness In The Light Of Evolving And Increasing Cyber Attacks
Contents
CMA EFFECTIVENESS AMID EVOLVING CYBER ATTACKS
Cyber Crime Nature and Extent
R v Gold Overview
Reasons of Enactment of Computer Misuse Act of 1990
Examples of the Crimes the Computer Misuse Act Covers
CMA and the Requirements of Council of Europe’s Convention on Cybercrime
CMA Case Law- Successful Application in Court
CMA Critique
Conclusion
CMA EFFECTIVENESS AMID EVOLVING CYBER ATTACKS
Introduction
Since the 18th century, the world has moved from one civilizational revolution to another, each bringing massive changes with beneficial and sometimes harmful impacts. The Agrarian Revolution and the Industrial Revolution laid the ground for the current Information Age, which has computers as its main theme. Among the commonest harmful sides of the Information Age is cyber crime, which revolves around internet and computer crimes. Cyber crime involves a spectrum of illegal activities carried out through the computer that infringe on various rights, ranging from personal privacy to financial safety. Cybercrime has evolved over the years as technological advancement paves the way for complex unauthorized access routes through the internet. Threats to computer systems during the initial days of the information revolution included data loss due to system failures, but that is no longer the main threat. The information age now presents a more potent threat: access to data and information that compromises various aspects of security.
In light of the role of the law in protecting the public from illegal activities of whatever nature, cyber crime has since entered the list of concerns that the law has to deal with. Although the stage of the common law concept that "every dog is allowed one bite" is now past as far as the definition of cyber crimes goes, it is still a complex area that needs constant review for the law to keep on top of the rapid changes. At the rate at which these changes happen, cyber crime is a risky area that requires better legal preparedness and definition, as highlighted by the loopholes in current law. In this discourse, various perspectives are highlighted to illustrate the missing link between adequate legal capacity and the elusive topic of cyber crime.
Cyber Crime Nature and Extent
Cyber crimes today are not the same as they were a few decades ago, as the innovation and technological aspects of the information revolution continue to be rolled out. The definition of crime is a dynamic aspect of criminal law, which implies that the existing laws may not be sufficient to tackle certain aspects of the rapidly evolving nature of cyber crimes. With recent developments in online data, virtually every transaction that involves personal or national security, as well as financial information, has been incorporated into the online platform thanks to continued computer systems research and the internet. Business data and transactions have also been transformed within a short span of time to fit into the computer systems designed to integrate industry into the information and communication technology platform, which opens unmatched opportunities. This integration implies that the greater the shift towards a completely computerized system of operation for personal, corporate and government data handling, the greater the risk of compromise by threats such as cyber attacks.
Among modern-day threats, personal safety is highly compromised at the hands of cyber criminals, with advanced crime levels taking the shape of terrorism. Cyber crimes at this level are at the extreme end of assault by threat, in a world that is facing one of its most serious safety issues with terrorists. Besides personal and national security, the corporate world faces a harder time protecting the confidential information and financial data on which performance is based. The threats that cyber crime poses to corporate performance today include cyber fraud, cyber theft, cyber laundering and cyber contraband. The seriousness that a cyber attack presents to the attacked party depends on a number of factors, such as the legal definitions employed in the criminal justice systems. Archaic laws can be ruled out as sufficient for dealing adequately with cyber crime, owing to their rigidity when compared with the rate at which cyber crimes evolve. In the following section, specific legal definitions of cyber crime are discussed, together with an assessment of the effectiveness of the legal regime in handling the ever-changing nature of cyber crime.
R v Gold Overview
Perhaps one of the introductory moments in legal definitions of cyber crime in the United Kingdom was the R v Gold case, which involved a difficult determination of "every dog is allowed one bite". In the closing determination of the case, it was ostensibly assumed that the magnitude of the cyber attack that the accused had committed was not weighty enough, to the dismay of many cyber analysts. Stephen Gold and Robert Schifreen were found guilty of accessing British Telecom accounts without authorization, having used an engineer’s login details without his knowledge. Before being caught, the pair had accessed confidential information of BT’s clients, including that of distinguished British personalities such as Prince Philip. Under the legal circumstances at the time of their arrest, it was not clear which crime they could be charged with, other than through laws not specific to cyber crime.
The most applicable law that the offenders could be charged with violating was the Forgery and Counterfeiting Act 1981. The initial court decision at Southwark Crown Court found the accused guilty on specimen charges of using a false instrument to gain access to the confidential information of BT’s privileged clients, and they were subsequently fined; Schifreen was fined £750 and Gold £600. An appeal in the Court of Appeal led to the quashing of the previous verdict and dismissal of the charges, on grounds of insufficient proof that the information obtained was intended for any material gain. Citing the legal position of the Forgery and Counterfeiting Act, the appellants were able to convince the court that the elements of criminality driving such application of the law were missing, and they were subsequently acquitted. An appeal by the prosecution to the House of Lords was unsuccessful, as the Lords found no ground to overturn the ruling of the Court of Appeal, citing the lack of a criminal offence in the mere application of a trick after the dishonest access. The ensuing debate provoked the British legal fraternity to arrest cyber crime through the formulation and enactment of the Computer Misuse Act, mainly backed by the English Law Commission.
Reasons of Enactment of Computer Misuse Act of 1990
Considering that, at the time of the R v Gold ruling, use of the internet was widely expected to come into direct contact with criminals for at least several decades ahead, the English Law Commission had to ensure that the law was more specific on this topic. The criminal offences to which cyberspace was likely to be exposed, amid an unprepared legal system, appeared to present a big loophole in the law, and it was upon the ELC to set the record straight. As observed in the unamended structure of the statute, the criteria to criminalize any illegal access to computer information had to be formulated. It was clear that the compromising situation in which BT found itself, to the extent that the Prince’s account was accessed without authorization yet the access was deemed not criminal, presented a challenge to privacy and insecurity to persons and the nations at its worst. The timing of this assumption was correct in law, as developments in technology were so rapid that almost every cyber crime tool was soon to become almost obsolete owing to the rapid evolution of the internet.
Despite the general feeling from the Scottish Law Commission that there was adequate cover over the spectrum of criminal malpractices under which such crimes fall, there was enough evidence that something was amiss regarding future cyber attacks. In the ruling by the House of Lords, Lord Brennan observed that hacking was not a crime at that time, but challenged the legislature to consider making a clearer definition if it was deemed fit to include it in the British law system. The English Law Commission had reasons to believe that the features of the cases through which cyber attacks happen can be used to diagnose a criminal offence. Firstly, unauthorized access to confidential information on computers amounts to an offence, which was acknowledged by the statute. Secondly, when the unauthorized access is followed by intentions to apply the data thereby obtained for illegal activities, it constitutes another offence punishable by law. Thirdly, any act of tampering with and altering the material on the computer upon the illegal access is a separate offence.
Commenting on the applicability of the Computer Misuse Act of 1990 to the R v Gold case, it is possible to single out the criminality of the offenders based on the three incriminating circumstances. Unauthorized access on its own is incriminating to some extent, and could further be approached from the other charges of illegal actions upon access to the information. Whether further criminal activities were contemplated or carried out, and whether modifications were made to the BT account, would have been addressed from the definitions of the Act to determine the criminal liability of the offenders. The decision of the Southwark Crown Court would have been upheld under the Computer Misuse Act Section 1, and probably the fines thereon revised upwards to match the provisions of the Act, which were set at £5000. Given the modern-day changes in the use of computer data by various stakeholders, unauthorized access may carry different punishable liabilities depending on the sensitivity of the data. With the continued changes experienced in the information age, more changes in the legal protection against infringement must be made available.
Examples of the Crimes the Computer Misuse Act Covers
Computer misuse crimes can be any crime that directly involves the violation of the three criteria outlined in sections 1 to 3 of the Act. The first criterion is unauthorized entry into a computer and access to the information saved in the computer. Examples of such crimes include hacking and cyber trespass, where the offender merely accesses computers to explore their contents, usually remotely and for fun. Hackers have become criminals under the Computer Misuse Act because of the unauthorized nature of their entry into the computer, which was not criminal before the enactment of the law in the UK. The other forms of cyber crime handled by the Act include anything incidental to unauthorized access to such information, such as using the hacked information to defraud the owner of the information and companies. The use of information obtained through unauthorized access for some criminal intent extends the category to include such crimes as tax evasion and the use of customer information, such as contacts, to commit other crimes against those customers. Programs and data of any type that the offender may find in any computer and use to carry out other crimes also fall under this definition of crimes upon unauthorized access. The crimes committed after obtaining such information are charged separately, for instance fraud, blackmail and theft. The failure to commit other crimes does not amount to a waiver of the crime of attempting to use such information for criminal intentions. Thirdly, the alteration or modification of the information found on a computer to which unauthorized access has been gained constitutes a different class of offences. Intentions to commit crimes through such alterations of information, such as causing impairment and denying service to other users, also define the crimes under this category. As an illustration, crimes committed to bring a system down, such as through distribution of a worm or virus, fall under this category.
The impact of the crimes covered by the CMA touches on all fronts of the socioeconomic and political security of the nation, as they may be used by offenders to cause havoc in social, economic and political institutions. As has been illustrated above, personal privacy and safety can be compromised by the retrieval of confidential information from computer systems, as observed in the R v Gold case involving a public figure among others. When applied in economic crimes, it is obvious that serious ramifications can occur to the integrity of corporations and businesses whose information lands in the hands of unscrupulous offenders. Alternatively, cyber crimes have in the recent past been used to threaten national and international security when terrorists perpetrate terror activities through the internet. With the ever-changing environment in terms of innovation and technological advancement, the extent to which security can be affected at the various levels of personal, corporate and national interests remains a speculative topic.
The role of the law in the detection and prevention of ever-changing cyber crimes for public safety is more in contention than ever before, since the deterrence factor must be sufficient to ward off the negative potential impact currently and into the uncertain future. In terms of the effectiveness of national and international law in updating its preparedness in recognition of the changing nature of cyber crimes, there is a huge gap that needs to be reduced. Legal systems are faced with the daunting task of keeping pace with the evolution of cyber crimes as the information age unfolds its surprises to global civilization. The legal fraternity must keep in touch with developments in modern-day information and communication technology threats while remaining flexible and on the lookout for the eventualities that they bring along.
CMA and the Requirements of Council of Europe’s Convention on Cybercrime
The CMA has had several amendments since its enactment in 1990, in an attempt to make it as adaptable as possible. However, between one amendment and the next, there is enough time for the crime world to flex its muscle on the unsuspecting world amid the infinity of opportunities that the information age presents to everyone on the internet, including criminals. In recognition of the major loopholes that domestic legal systems have, more versatile regional legal machinery such as the Council of Europe’s Convention on Cybercrime offers more guidelines on dealing with the threats of cyber crime. Pulling resources together from across Europe and beyond has enabled the Convention to make remarkable progress, from which future preparedness against cyber attacks will be formulated.
The Council of Europe’s Convention on Cybercrime outlines the steps that must be taken for sufficient legal preparedness in tackling cyber attacks within domestic jurisdictions, which include the following. First, classifying every cyber attack threat into the four main categories must be followed by the enactment of laws against those computer threats, namely economic crimes, child pornography, intellectual property infringement and other breaches of security. Specific laws touching on these categories must be enacted, which implies that the design of the CMA is not clearly in compliance with the Convention’s requirements on several fronts. Secondly, the signatories to the Convention are required to have operational processes for detection, investigation, forensic evidence collection and prosecution of cyber attacks. Although there may be other laws in the UK that comply with this requirement, they are certainly out of the scope of the CMA, and if it is supposed to have such an element, it must be materially altered or overhauled in its entirety. Ostensibly, there is a requirement that international cooperation on cyber attacks must be based on rapid procedures of the law, which is conspicuously out of the scope of the CMA.
CMA Case Law- Successful Application in Court
Whiteley (1991) 93 Cr App R 25- the offender hacked, altered and damaged computer systems of a number of universities and was found guilty under Section 3 of the CMA.
Bedworth case- Paul Bedworth hacked the Financial Times site, making alterations that caused losses to the newspaper, and was found guilty of violating Section 1 of the CMA.
Strickland and Woods case- the defendants hacked into NASA and ITN databases, causing damage and loss, and were found guilty of violating the CMA.
Goulden case- the defendant hacked and installed security changes in Ampersand’s database and pleaded guilty to causing losses that led to the liquidation of the company.
Whitaker case- the offender hacked and damaged an application he had developed for his employer after failing to get his payment, and was found guilty of violating the CMA.
CMA Critique
In its provisions on unauthorized access, misuse of information and data obtained from illegal access to computers, and the modification of computer data or programs in such circumstances, the CMA sets the ground for the definition of the criminal offenses falling under cyber threats. Further to this definition of the offenses, the amendment added by the Police and Justice Act of 2006 helps clarify the offenses by adding damaging modifications and alterations. The addition of Section 35 of the Police and Justice Act of 2006 only rectifies penalty issues and does not introduce other important elements of cyber crime preparedness as recommended by the Council of Europe’s Convention on Cybercrime. Whereas it is possible for British law to substantially apply other legislation to comply with one of the requirements of the Convention, it is clear that harmonization is needed to produce a single comprehensive piece of legislation that complies with the Convention’s standards. On its own, the CMA is inadequate to tackle all issues of this topic.
Conclusion
The main role of criminal legislation must be adequate and constant prevention of all forms of crime. Cybercrime is a very potent threat not only to personal privacy but also to corporate and national security, and it changes every day as the information age unfolds. The difficulties observed in the detection and prevention of new threats due to rapid technological advancements present legal challenges in dealing with cybercrime. Countries that have legal frameworks to handle cybercrime today face the challenge of making them as adequate as possible, and of the frameworks becoming obsolete as more crimes emerge. Using the CMA jurisdiction in the discussion above illustrates the nature of the threat posed by cybercrime and underscores the need for comprehensive legislation with constant updating to ensure that the law keeps pace with technological advancements and the risks thereon.