Professional Documents
Culture Documents
In response to any type of crime, society always attempts to find ways to prevent the crime
and punish the perpetrators. In the first instance, this means creating legislation which
makes specific activities illegal.
Computer crime
Computer crimes fall into two main categories. First, there are traditional crimes, where the
use of a computer is not intrinsic to the crime itself, but is simply a tool used to commit an
offence. This could include blackmail, for example, if an email message is sent to a victim
rather than a letter. Second, there are computer-specific crimes.
The case of the Aids Information Trojan illustrates this point. In late 1989 this Trojan was
distributed via floppy disk by a company calling itself PC Cyborg. The Trojan encrypted the
contents of the victims hard disk after 90 re-boots, leaving just a README file containing a
bill and a PO Box address in Panama to which payment was to be sent. Dr Joseph Popp,
the alleged author of the Trojan, was later extradited to the UK to stand trial on charges of
blackmail and damaging computer systems (he was ultimately deemed unfit to stand trial
following his behaviour in court and was released).
2.
3.
The maximum prison sentences specified by the act for each offence were six months, five
years and five years respectively (Amendments to the Computer Misuse Act, introduced in
the Police and Justice Act 2006, are discussed below).
The first prosecution of an individual for distributing a computer virus came in 1995.
Christopher Pile, aka the Black Baron pleaded guilty to eleven charges under sections 2
and 3 of the Computer Misuse Act and received an 18 month prison sentence. Pile created
the viruses Pathogen and Queeg. Both pieces of malware implemented his SMEG
(Simulated Metamorphic Encryption Generator) polymorphic engine, making them hard to
detect, and both were designed to trash substantial portions of a victims hard drive. He
planted the viruses on bulletin boards disguised as games and, in one case, as an antivirus program. It was estimated that the viruses caused damage amounting to 1 million
(The Independent, 16 November 1995).
Another significant conviction under the act was that of Simon Vallor. He pleaded guilty to
creating and distributing the mass-mailing worms Gokar, Redesi and Admirer, offences
covered by section 3 of the Computer Misuse Act. In January 2003 he received a two year
prison sentence. It was estimated that his worms spread to 27,000 computers in 42
countries (The Register, 21 January 2003).
However, there are significant limitations. In the first place, the regulations only apply to
messages sent to individuals email addresses, not business addresses. The penalties are
also limited, when compared to penalties for offences covered by the Computer Misuse Act.
Breaches of the regulations must be reported to the Information Commissioners Office,
which is responsible for deciding whether or not to take the offending organization to court.
The offending organization may be fined up to 5,000 in a magistrates court, or up to an
unlimited amount if the case is referred to trial by jury.
There is also a more serious limitation. The legislation only applies to senders within the
UK. Most spam originates from beyond the UK (Russia and the United States are currently
the top sources of spam) (Source: Kaspersky Security Bulletin: Spam Evolution 2008), so
UK legislation will have little, if any impact, on spammers. This highlights a key problem
with all measures designed to deal with cybercriminals: geo-political restrictions on
legislation and law enforcement bodies mean they are unable to operate across boundaries
and legal jurisdictions, in contrast to cybercriminals.
clarify the law on DoS (Denial-of-Service) attacks. This attempt failed, but it added further
weight to the calls for an update to existing legislation.
The Police and Justice Act 2006 [PDF 748 b] (which covers broader issues than computer
crime alone) included amendments to the Computer Misuse Act. The maximum prison
sentence under section 1 of the original Act was increased from six months to two years.
Section 3 of the Act (unauthorised modification of computer material) was amended to
read unauthorised acts with intent to impair or with recklessness as to impairing, operation
of computer, etc. and carries a maximum sentence of ten years.
The Act also added another section, Making, supplying or obtaining articles for use in
computer misuse offences, carrying a maximum sentence of two years. This section
states:
1.
2.
3.
A person is guilty of an offence if he obtains any article with a view to its being
supplied for use to commit, or to assist in the commission of, an offence under section
1 or 3.
4.
In this section article includes any program or data held in electronic form.
This section has drawn a lot of criticism. It is clearly intended to make use of hacking tools
illegal. However, it could equally be applied to the use of legitimate tools that could be
misused to conduct hacking, or riskware programs that could be used either legitimately or
for illegal activities. There are many people, including some in the All-Party Parliamentary
Internet Group, who hope that this section of the Act will be amended.
The treaty is wide-ranging and covers all aspects of cybercrime, including illegal access,
illegal interception of data, data interference, system interference, misuse of devices,
computer-related forgery, computer-related fraud, offences related to child pornography
and offences related to infringements of copyright and related rights. The treaty is also
designed to provide a common law enforcement framework for dealing with cybercriminals
and to foster the sharing of information among all signatories.
So far, 46 countries have signed the treaty (Convention on Cybercrime CETS No. 185,
status as of : 26/3/2009). However, so far only 24 countries have actually ratified it. There
are also some notable absentees among the signatories, including China, several Latin
American countries and Russia all of which rank as the biggest sources of malicious code.
The UK has not yet ratified the treaty, but it is expected to do so in 2009 Hansard [House of
Commons debates], 27 January 2009).
Of course, even where theres a well-developed legal framework and dedicated law
enforcement agencies designed to tackle cybercrime, criminals can only be arrested and
prosecuted if there is sufficient evidence to bring a case. This is not always straightforward.
Unfortunately, not everyone wants to admit they have fallen victim to cybercriminal activity.
This is especially true of businesses as such an admission could damage the companys
reputation.
Has acted in a way which facilitated or was likely to facilitate the commissioning of
serious crime
That the terms of the order are necessary and proportionate to prevent such harms
in future.
The UK is not alone in grappling with the problem of balancing personal freedom with
security, as the debate surrounding the so-called BundesTrojan In Germany shows
(viruslist.com, 27 February 2008), but so far, no resolution to this dilemma has been made
public.
Future prospects
Its clear that cybercrime is not going to disappear. This shouldnt surprise us. While
cybercrime is an unwanted side effect of the Internet age, its also part of a broader crime
landscape. If theres a use for something, someone will always find a way to abuse it, and
this includes computer technology and the connectivity provided by the Internet. Crime can
never be eliminated, so tackling cybercrime is less about winning the war than about
mitigating the risks associated with using the Internet.
To manage the risk, the global society clearly needs a legal framework, together with
appropriate and effective law enforcement agencies. Theres little question that law
enforcement agencies have developed increasing expertise in dealing with hi-tech crime
during the last decade, including joint policing operations across national borders. This
must be further developed if we are to deal effectively with cybercrime. In particular, the
extension of international legislation beyond developed countries, and the development of a
cyber-Interpol to pursue criminals across geo-political borders would contribute greatly to
the fight against cybercrime.
Law enforcement, however, is only part of the solution. We also need to ensure that
individuals and businesses understand the risks and have the knowledge and tools to
minimise their exposure to cybercrime. This is particularly important for individuals who are
often technically inexperienced and have little understanding of the potential problems
associated with online shopping, Internet banking and social networking. This problem is
exacerbated by the growing number of people accessing the Internet for the first time.
Society must find imaginative and varied ways of raising public awareness about
cybercrime and about methods which can be used to mitigate the risks.
The information super-highway is no different to any other public road. We need welldesigned roads, safe cars, clear signs and competent drivers. In other words, we need a
blend of appropriate legislation, effective policing and public awareness.
Disclaimer
This paper has been prepared by Kaspersky Lab for information purposes only and is not,
nor is it intended to be, legal advice. This information is not intended to constitute, and
receipt of it does not constitute, a contract for legal advice or the establishment of a
solicitor-client relationship.