Computer Misuse Act Amendments to put penetration testers out of business?
One of the most common questions I get asked when in England regards the Law of Computer Crime. The most relevant statute is the Computer Misuse Act 1990. Although many complain it is out of date, it is very generic and therefore adaptable.
I have placed a handy guide to it here
http://www.darknetworks.org/uploads/ComputerMisuseAct.pdf
The law itself is under review and will likely be substantially changed by the Police and Justice Bill 2006. The finalised bill will become law in Autumn 2006.
A summary of the changes is here:
Clause 39 doubles the maximum jail sentence for hacking into computer systems from five years to ten years.
Clause 40: the intent of this clause is to make Denial-of-Service (DoS) attacks illegal. This was needed because the old law did not make clear whether DoS attacks were an offence. The new clause clarifies this grey area and makes it clear that they are an offence. It is possibly too broad, but better than the law as it was, under which you could perform a DoS attack and get away with it. Lord Northesk is trying to introduce the issue of recklessness into the clause during the Lords Committee stage.
Clause 41 is a bad piece of legislation and it should be removed. This clause intends to ban the development, ownership and distribution of so-called “hacker tools”, which is troubling as it makes no allowance for security personnel who must have ways of testing the security of systems. It is the technical equivalent of someone who knows nothing about the building industry, but knows that sledgehammers are being used to break down doors, banning the production, ownership and sale of sledgehammers. Lord Northesk is the current hope for this clause being fixed in the Lords Committee stage.
Clause 42: the only problem with this clause is that attacks, probes, etc. that started before the commencement of this bill but are still ongoing are not covered by it.
The new Bill is extensively covered at
http://www.openrightsgroup.org/orgwiki/index.php/Police_and_Justice_Bill_2006. This Bill creates many problems as it stands, as many penetration testing tools would be ruled illegal, and it is likely to put Certified Ethical Hackers and other Penetration Testers out of business. This has caught the attention of the House of Lords, who will hopefully amend it.
If they fail, however, then UK businesses may be open to a host of problems. Security admins may not be able to test their own networks. It gets even worse: what happens to the Vulnerability Management vendors (Qualys, Foundstone etc.), and their customers, who may not be able to comply with Sarbanes-Oxley and other relevant legislation?
Hopefully this mess will be averted and common sense will rule. Otherwise, we will have to wait for decided cases to pave the way of common sense.
Posted: July 27th, 2006 under Management.
Comments
Comment from Glyn
Time: August 5, 2006, 11:06 am
Unauthorised acts with intent to impair operation of computer has been fixed! Lord Northesk has succeeded in introducing the issue of recklessness into this clause during the Lords Committee stage, solving the issues with this clause.
Making, supplying or obtaining articles for use in computer misuse offences still needs to be fixed, so I would invite anyone who can to write to their local MP about the issue.