An amendment to the Computer Misuse Act could see life sentences given to anyone found guilty of a cyber attack that has a catastrophic effect.
According to a report by the Guardian, the amendment to the Computer Misuse Act 1990, part of the Queen’s speech at the State opening of Parliament yesterday, will see hackers face a full life sentence for any “cyber attacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof”.
There will be a maximum sentence of 14 years for attacks that create “a significant risk of severe economic or environmental damage or social disruption”, which currently only carries a ten-year sentence.
President of the National Association of Data Protection Officers, barrister and solicitor, Stewart Room, told IT Security Guru that he could see the cyber security problem getting worse, not better, so it was not surprising that the Government is taking a stronger stance within the criminal side of the law.
He said: “This is also consistent with the huge effort that the Government has made on cyber security over the past year. It’s also consistent with the run up to a General Election. Being tough on crime plays well with traditional Conservative voters.”
Greg Day, EMEA CTO at FireEye, said: “It’s very encouraging that the Government is taking cyber-attacks more seriously; amending the Computer Misuse Act 1990 on computer systems fully reflect the damage is a big step forward. However, getting the sentencing right is hard, as most companies are unable to qualify the extent of the attack or the commercial damage it has on their business, meaning that it will continue to be hard to implement and get the sentencing right. In other countries sentencing on cyber attacks appears to be lighter than other more physical crimes too but the crime must match the punishment.”
TK Keanini, CTO of Lancope, agreed that the challenge with any legal issue is differentiating between physical damage and informational damages. “Care must be taken when the outcome is to fully reflect something purely in the information space,” he said. “Certainly if there are financial losses, the sentences can reflect that, but there are many scenarios of computer misuse that are damaging but may not be directly tied to financial losses.
“The other very complicated issue is the person doing the theft of the data is not always the one monetising that data in some criminal manner. The supply chain of the attackers has gotten very specialised and modularised as each of them sell capabilities on anonymous marketplaces via cryptocurrency. With all this said, this amendment is necessary as our lives and business all move to a world that is one click away from every criminal mastermind.”