The Computer Misuse Act 1990 is to be amended to make sure that hackers that launch serious attacks, such as those on critical infrastructure, could face life imprisonment.
The Act sits under the Serious Crime Bill. In general, it outlines offences associated with hacking and associated tools (malware) that let computer systems be breached.
At the moment the offences outlines do not really account for a type of cyberattack that might be life threatening or pose a risk to national security. Section 1 of the act makes unauthorised access to computer material or a person's user ID and password an offence. A Section 2 offence -- which is slightly more serious -- relates to committing further crimes after gaining unauthorised access to someone's computer, for example stealing their money or using information found on their system to blackmail them. Section 3 offences include spreading viruses, deleting files, using Trojans to steal data or mounting a denial of service attack. The maximum sentence for these offences is ten years for Section 3 offences.
The proposed Serious Crime Bill, which was announced in the Queen's Speech this week, includes the addition of a new offence under the Computer Misuse Act, which is "unauthorised acts causing serious damage".
The new offence relates to the most serious cyber attacks, such as those targeting essential systems such as power supply, communications, food or fuel distribution. These attacks are ones that could result in loss of life, serious injury, social disruption or damage to the economy, environment or national security. A "significant link to the UK" is required -- so either the accused or the target computer at the time of the offence or the damage cause has to be in the UK, and the accused must have intended to cause serious damage.
This new offence is more serious than section 3 offences and the sentencing reflects this: if the attack results in a loss of life, serious illness or injury or serious damage to national security then the accused faces life imprisonment. If the attack results in serious economic or environmental damage or social disruption, the maximum sentence is 14 years.
The Bill also features a couple of changes to make sure that UK law is brought in line with European law, following the adoption of a directive relating to cybersecurity in August 2013.
In implementing the EU Directive on Attacks Against Information Systems, the bill now makes it an offence for individuals to obtain tools such as malware with the intention to commit cybercrime personally. Furthermore there is a provision to extend the jurisdiction of UK law enforcement to allow it to take action against UK citizens committing cybercrime offences while physically outside of the UK on nationality alone.
Changes to the Serious Crime Act will also see the possession and creation of "paedophile manuals" become a criminal offence. It's currently against the law to possess indecent images of children, but there is no existing offence of owning manuals that offer advice on how to groom or abuse children sexually.
The amendments should be introduced through the Serious Crime Bill in June 2014.http://www.wired.co.uk/news/archive/2014-06/06/cybercrime-bill-life-sentence