UK clamps down on denial-of-service attacks

Derek Wyatt MP, chairman of the All Party Internet Group (APIG), has filed notice of a 10 Minute Rule Bill calling for amendments to the Computer Misuse Act (CMA) to address the threat from denial-of-service (DoS) attacks.

Wyatt's Computer Misuse Act 1990 (Amendment) Bill tackles the key recommendations of the APIG inquiry into a revision of the CMA calling on the government to add a specific DoS offence and increase the maximum custodial penalty for CMA Section 1 (Hacking) offences from six months to two years.

A two-year penalty would make hacking an extraditable offence and bring it in line with the requirements of the European Convention on Cybercrime.

"APIG was hoping that an MP would have picked this up as part of the Private Members' allocation for bills," said Wyatt. "But sadly no-one did so it seemed sensible, given the work we undertook last year, to at least place on record what we think the Bill should look like in the hope that the government will come back to it after the general election."

The APIG report recommends that, although the CMA already makes many distributed DoS attacks illegal, there is "significant value" in adding an explicit offence to the legislation.

"In particular, this would send a clear signal to the police, the Crown Prosecution Service and the courts that these attacks should be taken seriously. Also, publicity about the new offence may deter potential attackers by making it explicit that their actions are clearly criminal," APIG stated.

Mark Sunner, chief technology officer at security firm MessageLabs, gave evidence to the APIG committee at the original inquiry in April 2004.

"Criminals operating online have realised the potential commercial value of internet-related crimes and are always looking for new ways to exploit malware to line their pockets," he said.

"As the current provision in the CMA surrounding DoS attacks is ambiguous, companies are left wide open to attack. It is vital that a tighter legal framework is implemented to make it more difficult for computer criminals to operate, but easier for law enforcement agencies to prosecute successfully."

Botnets, in particular, pose a significant potential threat to online commercial activities in the 21st century, crossing international jurisdictions.

A common, co-operative approach to investigating and prosecuting cyber-criminals is, therefore, going to be the most effective way of challenging threats that transcend country borders, Sunner added.

The motion to move the Bill is scheduled to take place on 5 April 2005.