The Cybercrime Convention

The DoS attack has been a more common offence since the introduction of networks; this attack causes a loss of services to users. Susan Brenner and Marc Goodman analysed the 2001 survey and found "that denial of service attacks are increasing"42; they also found that these attacks are not reported, as "victims may not realize that the conduct involved is a crime, or may decide not to complain for reasons of embarrassment or corporate credibility."43 MacEwan also looks at the procedural difficulties; he finds that "Computer crime is substantially under-reported"44.

He gives a number of reasons for this. Firstly, he feels that corporate victims would want to avoid bringing proceedings against their attackers, since this would bring unwanted publicity in relation to the companies' security systems. This is to reduce further loss to the company. Another reason for not bringing proceedings against a hacker is the deterrent of the "distinct possibility that the perpetrator would not be convicted"45; the hacker would be difficult to track down due to the global extent of the use of the internet.

Even if this hacker could be tracked down, the computer evidence could be disputed as it could be destroyed "leaving no admissible trace behind"46. There has been more criticism in relation to the police response to computer crime; "Lack of funding, manpower and expertise remain weaknesses, notwithstanding the establishment of the National High Tech Crime Unit in April 2001"47. MacEwan also considered the Distributed Denial of Service (DDoS) attack, which he states, "posed more a potent threat"48.

A DDoS attack involves a wide range of remote computers, infected by a virus or malware, attacking a recognised target at the same time. MacEwan looks at the judgement in Lennon49; he feels that it was offered up as proof of the real need for reform of the CMA in this respect.50 He believes criticism from the media derived from this flaw in the act. Therefore, this contributed towards the Government's "decision to legislate further on the issue of DoS attacks"51. Reforms had been brought in under the Police and Justice Act52 bringing about changes to ss. 1 and 3 of the CMA53.

The key changes to this act are the new offences of impairment and supply of "hacking" tools. Section 36 of the PJA replaces unauthorised modification of computer material with a "broader prohibition tackling unauthorised acts which impair the operation of a computer"54. Section 37 creates a new offence of "making, adapting or supplying hacking tools... with the intent, or belief that such material would be used to commit a hacking offence"55. A closer look at these reforms shows that they also contain flaws.

Section 3656 makes DoS attacks unlawful, and therefore prosecutable. MacEwan discusses this section in relation to the Cybercrime Convention57; the convention refers to the "serious hindering" of computer systems,58 and the Framework Decision to the "serious hindering or interruption" of information systems.59"60 However, in the PJA, "serious" is not included; this broadens the legislation in this area. Moreover, the mens rea element has been altered to include that the offence must be committed with "a reckless state of mind"61, thus broadening the offence further.

MacEwan feels that these changes "could prove to be a costly example of legislative overkill"62. He criticises the maximum term of imprisonment, which has been increased to 10 years, an increase of 5 years. Section 3763 deals with the supply of materials that could be used for hacking-related offences; this complies with the requirements of the Cybercrime Convention64. This, however, caused heavy criticism; "The main problem stems from the fact that 'researchers in information security, penetration testers and other professionals in the field ... may develop and make available such tools in the course of their study or business'65."66

Therefore, this highlighted the flaws within the mens rea element of this offence. The mere belief that the articles in question would be used in this way is sufficient to commit this offence. This is more problematic when it is put in context; a password recovery program could be used for unlawful purposes even though it may have been developed for innocent purposes. It was noted that the legislature were determined to "have these less stringent mens rea requirements for this offence"67.

When addressing the concerns about the "interpretation of the word 'likely' within the newly changed section,68 [Hazel Blears] merely stated that 'the word 'likely' is pretty well known in our legal system'69."70 This reasoning, however, has been argued to be inadequate, as it causes problems for the courts when applying the terms. In a later case, when applying this section, Lord Bassam of Brighton advised that "[the word] 'likely' reflects a belief that there is a strong possibility"71. This vagueness has also caused a lot of criticism in relation to this cause.

In conclusion, the CMA has been heavily criticised for the way it deals with computer-related offences. It can be said that the CMA was introduced prematurely, as there was a need to create an act to deal with computer-related offences, in relation to hacking crimes. However, this act was brought into force too early, without much thought being given to other crimes which can arise from the internet. This is visible from the cases of Bow Street72, Bignall73, and Lennon74 et al. Bow Street made visible the flaws within the legislation in relation to "unauthorised access".

Lennon, however, brought across a new offence of DoS attacks, making apparent a much greater offence of DDoS attacks. These offences have been addressed by the PJA, stated under ss. 35-38. This, however, has also come under heavy criticism as it deals with DDoS attacks; the words used in s. 36 are wide in their meaning, and this makes the definition of the offence wide.

Moreover, the s. 37 offence relates to the supply of materials to be used for hacking-related offences. This section also makes illegal materials which can be used for innocent purposes, one of which is a password recovery system. These two sections are compliant with the Cybercrime Convention; however, they do cause controversy. It can therefore be said that the reform that has been brought in would need to be addressed in relation to the problems it raises. Overall, it is my view that the CMA would need a full reform to address the criticisms it has raised since it was brought into force.