Tightening up existing legislation will help UK authorities to prosecute hackers better and put them in prison longer – but analysts question whether the moves will constrict an explosive growth in costly cybercrime.
The UK has sought to tighten the CMA (Computer Misuse Act) of 1990 to more precisely target DoS (denial of service) attacks, which have been used to extort operators of online gambling sites.
Other legal cases in recent years have also brought into question whether the law, composed of three sections, was keeping up with rapid changes in technology.
The amendments to the CMA are currently being considered in the House of Lords as part of the Police and Justice Bill, a comprehensive law enforcement package.
The changes would increase the maximum penalty for unauthorised modification of a computer, the offence under which DoS attacks could fall, from five to 10 years. The maximum penalty for unauthorised access would be raised to two years, up from six months.
An expanded third section is intended to more thoroughly cover DoS attacks, including new language making it an offence to supply hacking tools knowing the programs might be used to break the law.
In November, a judge threw out a case against David Lennon, who allegedly crashed his former employer's email server in a DoS attack in early 2004 using an automated program to send five million messages.
Lennon, who was 16 years old at the time of the attack, told authorities after his arrest he wanted to cause "a bit of a mess up" in the company, court documents said.
The judge said the company's website invited users to send email. He ruled the section of the CMA under which Lennon was charged was intended to deal with Trojans, worms and viruses that corrupt or change data, not email.
Last month an appeals court judge sent Lennon's case back to trial, ruling the volume of email was unwarranted, even if the website solicited email. Lennon's case is pending in Wimbledon Magistrates Court.
But observers view the changes to the CMA as unnecessary. Graham Smith, a partner at law firm Bird and Bird in London and author of Internet Law and Regulation, said the act is broad enough to cover most breaches. Further, Lennon's case has added clarity to prosecution of DoS attacks, Smith said.
"We already have what is probably the most broadly drafted and all-encompassing anti-hacking legislation in the entire world," Smith said. "I've always been of the view that what is required is a willingness on the part of the prosecution to bring cases."
The CPS (Crown Prosecution Service) can't comment on pending legislation, a spokesman said. But on Tuesday, the CPS issued a statement saying its lawyers are undergoing special cybercrime training in areas such as Trojan programs, viruses and IRC (Internet Relay Chat).
The CPS also addressed its ability to bring cases, saying it would use legislation "creatively" to disrupt organised crime. The CPS, which has upward of 150 prosecutors trained in dealing with high-tech crime, does not keep specific statistics on how many people have been prosecuted under the CMA.
Cybercrime cases are notoriously difficult to investigate since criminals have found complex, technical ways to avoid detection. Hackers are increasingly commandeering vulnerable computers in other countries, using them to send spam messages containing programs that can record keystrokes.
If those programs are run by a user, credit card data and login credentials could be sent back to the hacker.
A former British hacker, Robert Schifreen, said police generally have no idea what to do if someone calls and says they have a virus on their computer.
Schifreen's hacking of an online system from BT in the mid-1980s spurred legislative moves for a UK computer crime law.
"At the end of the day, the police don't have the manpower or the skills to prosecute the hackers anyway, so having better legislation I don't think is going to do any good," said Schifreen, author of Defeating the Hacker. "Most computer crime doesn't get prosecuted.
"The problem with all legislation is that times change and technology moves on, and however you frame legislation, it's going to be irrelevant fairly quickly and confusing fairly quickly."
The UK recently folded its national computer crime unit, the National Hi-Tech Crime Unit, into a new agency, the Serious Organised Crime Agency. The consolidation, authorities said, would not affect high-tech investigations, despite concerns that resources might be diverted.
A survey commissioned by the Department of Trade and Industry this year found security incidents and breaches cost UK businesses up to £10bn annually, twice the amount two years ago.
The penalties for computer abuse may matter less than how the courts manage parole, said Phillip Hallam-Baker, a computer security expert and principal scientist for VeriSign. A continuing ban on computer use for those who have been prosecuted could blunt future malicious activity, he said.
"After being withdrawn from the hacker fraternity for about five years, very, very few hackers can make a return," Hallam-Baker said. "To be anyone in the hacker world, you have to have current skills."