Computer Misuse (Amendment) Bill [HL]

– in the House of Lords at 8:24 pm on 20th June 2002.


The Earl of Northesk, Conservative, 8:24 pm, 20th June 2002

My Lords, I beg to move that this Bill be now read a second time.

I begin by thanking and paying tribute to those who have assisted me in the drafting of the Bill, the staff in the Public Bill Office and a number of IT professionals. It is fair to say that without their help the Bill would be a much sorrier animal than it is. Accordingly, I am hugely grateful to them for turning the germ of an idea into something of substance.

That substance, the Bill's purpose, is, I hope, entirely straightforward. It is encapsulated in the Long Title—that is,

"to protect computerised systems against denial-of-service attacks".

Your Lordships may wish me to flesh this out a little. Broadly speaking, denial-of-service attacks can be defined as hacking or, more correctly, cracking into computer systems. The most common forms, be they inspired by individuals or larger groups of people, target a network's connectivity or bandwidth by flooding it with such a large volume of traffic that it crashes. Trojan horse or worm programs such as the recent "I Love You" or the Klez-H viruses are particular examples.

It is curious that, at this time, this kind of activity appears not to be illegal in the UK. As I understand it, there are provisions on the face of the Terrorism Act 2000 that make denial-of-service attacks conducted for the purposes of terrorism prosecutable, but there is no equivalent statutory sanction against attacks that are criminally or maliciously inspired.

It is perhaps worth making the point that a wide body of opinion acknowledges that the Computer Misuse Act has this lacuna and that it is a loophole that needs to be plugged. The National High-Tech Crime Unit has called upon the Government to amend the law to give police clearer powers to prosecute denial-of-service attacks. Indeed, if my information is correct, it has asked the Home Office to review and update the Computer Misuse Act in its entirety.

Peter Scargill, IT chairman at the Federation of Small Businesses, has observed:

"There is currently nothing remotely approaching adequate legal recourse against hackers".

The European Information Society Group, EURIM, in its briefing of April this year argued that the Computer Misuse Act,

"needs updating urgently, for example to ensure effective prosecution of those initiating denial-of-service attacks that prevent legitimate access to information systems".

Across the political divide, Greg Pope, a former Whip at the Department of Trade and Industry and Labour MP for Hyndburn, has said:

"This is a serious problem. The UK is a major business centre and a leader in e-commerce. We cannot afford to let a loophole in the law damage that position".

The publication Computer Weekly has been running its "Lock Down the Law" campaign, which is aimed specifically at this issue. All in all, the support for the Bill's proposition is overwhelming.

It is sensible to try to get a feel for the nature and scope of the problem. There are essentially two elements to this. First, the current vulnerability of computer systems to denial-of-service attacks; and, secondly, their cost to UK business, both monetary and in terms of denting public confidence in IT.

To deal with the first element, it would seem that cracking activity is increasing exponentially. In February of last year, a technique called "backscatter analysis", used over a three-week period by researchers at the University of California in San Diego, detected more than 12,000 denial-of-service attacks against more than 5,000 distinct targets, including sites such as Amazon and Hotmail, even computers with dial-up connections.

The Honeypot project, reported by the Observer in July of last year, reveals truly staggering, if not chilling, statistics. Researchers involved in the project suggest that,

"any computer with a persistent internet connection is scanned for weaknesses on average 17 times a day. The life expectancy of a default installation of Red Hat 6.2 server—the time before someone successfully hacks into it—is less than 72 hours".

In this country, MessageLabs, the IT security company, published a report only this week revealing that it has intercepted more than 2 million infected messages in the first six months of this year, double what it encountered in the same period last year. The report makes the additional point that viruses also appear to be getting more malicious.

As to the second element, the cost to UK business, a recent investigation by the Department of Trade and Industry has estimated that cracking activity, together with cyber fraud and software bugs, is costing Britain as much as £10 billion a year. Coincidentally, Lloyds of London estimates the global cost of the "I Love You" virus to have been an equivalent £10 billion. According to EURIM, a recent US survey has estimated the global cost of e-crime to be some £1 trillion annually.

As an aside, the same DTI report suggests that attacks by crackers have more than tripled in the past two years, with Government Ministers suggesting that cyber crime is the world's fastest growing criminal activity.

However, all the time that UK business has no adequate recourse in law, there is no incentive for businesses to bear down on the problem. In this context, it is generally acknowledged that a significant number of denial-of-service attacks go unreported simply because businesses are fearful of compromising their on-line activities by revealing how often these occur and how vulnerable their systems are to cracking attacks. In effect, the case for legislating in this area is made in spades. I shall return to this point shortly, but this makes it all the more extraordinary that, if reports are to be believed, the Home Office attaches such a low priority to this issue.

The Government may seek to defend their position by suggesting that progress can only be made on the issue by international agreement, that it would be inappropriate for the UK to legislate unilaterally. It is, of course, true to say that the Internet is global and, to that extent, the argument could be said to have some currency. However, as Art Coviello, chief executive of RSA Security, has observed,

"If Tony Blair wants to make the UK the place to do e-business by 2005, the Government has to be a model, an example for companies to follow".

Quite apart from that, the proposition in the Bill is in keeping with policy that has already been developed at European level, although I would be the first to concede that that drafting is rather more precise than that before your Lordships tonight.

I should not let your Lordships run away with the idea that either the Bill or its central proposition enjoys universal approbation. There are those who argue that the premise on which it is based is flawed, because it fails to take due account of the way in which the Internet now operates. For example, it may have the consequence—unintended so far as I am concerned—of criminalising what could be termed "electronic civil disobedience".

I am bound to say that I have some sympathy with this view. I have no difficulty in arguing that the drafting of the Bill sits relatively seamlessly with the existing Computer Misuse Act. Unfortunately, that Act was passed, in IT terms, aeons ago. In a nutshell, its difficulty is that it relies on "trespass" as the concept by which to define computer crime, which, given that the Internet is now a medium that relies upon universal access—as it were, its "ownership" belongs to the public—is now wholly inappropriate.

In terms, I agree wholeheartedly with those who argue for a wholesale updating of the Computer Misuse Act as a means to address the problem. Indeed, that is the main part of my motivation in bringing this Bill before your Lordships tonight: to implore the Government to acknowledge and understand the urgency attached to this particular task.

What is important above all else is that legislation establishes what I like to think of as an ethical base-line for computer crime. Much as I may have wanted to take on that task, I am only too well aware that the mechanism of a Private Member's Bill would be inappropriate to that purpose.

I actually have no idea what the Government's attitude towards my Bill is. I await the Minister's response with interest. What I am conscious of is that, in reality, it does little more than put a temporary sticking-plaster over a problem of major significance. Here, I return to the issue of the Home Office's perception of its priorities. Computer Weekly has observed:

"The Government has a poor track record in developing IT-related legislation".

I assume that that is a particular reference to their determination to get the Regulation of Investigatory Powers Act—the Minister will remember it well—and the data retention elements of the anti-terrorism Act on to the statute book.

In truth, in recent days and weeks, if not months, the Home Office's priorities have been a source of bemusement to many. Rather than addressing the real concerns of whether the law deals with computer crime adequately, the apparent obsession with trying to impose unwarranted degrees of control on our citizens via the so-called "Snoopers' Charter" embodied in the Regulation of Investigatory Powers Act orders has held sway. As I say, to many this is indicative of an odd sense of priorities, the more so because of the Government's stated ambition to make the UK the best place in the world for e-commerce by 2005.

To this extent, I am grateful that sense has prevailed in the mind of the Home Secretary. Quite rightly, he has recognised that those proposals were an occasion when it was entirely appropriate to stop digging the hole deeper. I congratulate him on his decision. None the less, it is my fervent plea—I make no apology for repeating it—that this translates as speedily as possible into a desire to update the Computer Misuse Act in its entirety. That, much more than anything else, is required in order to create some sort of order out of the current chaos—and seeming incoherence—of the Government's attempts at IT legislation to date. I merely note in passing that a spokeswoman for the Home Office recently commented:

"It is confusing and a bit of a minefield"

I conclude with this thought. In a sense, computer and/or IT related issues tend not to burn fiercely in the minds of your Lordships. But we underestimate the significance of the problems that I have sought to outline at our peril. I merely hope that the Minister will be able to offer me some comfort that the Home Office in particular and the Government more generally are entirely seized of this. I commend the Bill to the House.

Moved, That the Bill be now read a Second Time.—(The Earl of Northesk.)

Lord Lucas, Conservative, 8:35 pm, 20th June 2002

My Lords, I like this Bill. I like the fact that it is drafted in a reasonably wide way, which means that the concept will not go out of date too quickly. The hackers and those who seek to disrupt the Internet move at an ever-increasing pace and it is ever more difficult to keep in touch with their ingenuity.

Denial-of-service attacks are a real pain if you are trying to operate a computer system. There is no defence against them once someone has found a way to operate them, because they are coming in down legitimate avenues by the time they reach you. They use faults in other people's computer systems just to flood yours out. It is rather like a flood. It is like suddenly waking up in the morning and finding that you are six feet under water; and it takes just as long to get rid of the problem—it takes a long time for the enormous queue to drain away, and all kinds of people have to be involved in cleaning up afterwards. You lose business while you are flooded, and it costs you a great deal to set matters right. By any standards, it is an attack; and, by any standards, you have suffered damage. Therefore, in principle, like other forms of attack, denial-of-service attacks ought to be considered a crime.

There are, of course, occasions when people wish to do things that are on the edge of crime. As an act of civil disobedience, you might want to go down the street making holes in people's motor cars. By and large, the question of whether an individual has committed a crime or has acted reasonably in a particular set of circumstances ought to be left to the courts. But, in principle, doing things that harm people in a significant way ought to be a crime.

I therefore strongly support the thrust of the Bill. I have a few arguments with the detailed drafting. I should like to consider, for instance, how the phrasing would apply to people who created or used the system that holds the 1901 census. It could be said that those who had put that system together had done so in a way that caused it to crash and caused it to fall apart under use. It could be said that those who might be judged to have used it too enthusiastically, when they should have known that it was delicate, caused it to crash. We are perhaps going a little too far in terms of the precise in not allowing a word like "substantial" to be included in the concept before a crime is considered to have been committed, and a little too far in Clause 1(2)(2) as regards the guilt of someone who does not know that he is doing something illegal and the idea that he is guilty of an offence if someone could have anticipated the effect of his action. There is perhaps sometimes too much power in hindsight. One should not put ordinary people and ordinarily incompetent computer technicians at risk of committing a crime merely because they design or do something which in the end causes computer systems to crash. On the other hand, perhaps we could put Mr Gates in gaol for a long time, given the number of times that my system goes down every day due to the bugs that he has built into his system. But, sadly, that is a case of someone who is not a British citizen and it is not yet a realistic hope.

Given a "warm wind" from the Government, and with some attention to how we actually make this a usable piece of legislation, it would be a very good piece of legislation to have in place, pending the Europeans coming up with proposals to which we can all agree as a continent. This is one of those cases where individual Acts are important. There is no reason to wait for others. It will not cost us anything to make this a crime in our country. It will make Britain a slightly more attractive place to do business if it is known that we have some rules against domestic attacks against companies in this way. It is one brick in what eventually may become an effective dam. At least it shows the way constructively and gives some impetus to doing something that the civilised world will eventually have to get around to.

Lord Avebury, Liberal Democrat, 8:40 pm, 20th June 2002

My Lords, I congratulate the noble Earl, Lord Northesk, on introducing the Bill and on the support that he has had from such authorities as Computer Weekly and many others that he mentioned. I am only sorry that he has drawn such a thin audience, although I am not altogether surprised, because I asked the British Computer Society, the Office of the e-Envoy and the National Computing Centre for comments before the debate and all three had nothing to say about the Bill.

Everybody agrees that cyber crime is a growing menace to government, to industry, to NGOs and to private individuals, as the noble Earl has outlined. The only question is whether the Bill identifies harmful activity that is not already covered by the Computer Misuse Act 1990. I am told that for every expert—computer scientist or lawyer—who argues that technological developments over the past 12 years have exposed gaps in the CMA, there is another who argues that the CMA already covers all kinds of harmful activity, including those at which the Bill is aimed. If gaps exist, the aim of the Bill is to close one of them.

The Carnegie Mellon Software Engineering Centre's CERT co-ordination centre has produced a helpful overview of denial-of-service attacks. It divides them into three modes: consumption of scarce, limited or non-renewable resources; destruction or alteration of configuration information; and physical disruption or alteration of network components.

The CMA provides that a person secures access to any program or data if he alters or erases the program or data, copies or moves it, uses it or outputs it from the computer where it is stored. That is a slight paraphrase. The access is deemed to be unauthorised if the person is not entitled to control access of the kind and he does not have consent to such access from a person who is entitled to it. If the hacker against whom the Bill is directed alters or destroys any program or data to which he has not been given access by the proprietor of the data, he is committing an offence that attracts a six-month prison sentence and a level 5 fine under Section 1 of the 1990 Act. That test is easier for the prosecution to surmount than that proposed in the Bill. They do not have to prove that the hacker causes or intends to cause any degradation or impairment of the computer where the information is stored. Harmless unauthorised access would constitute an offence, although no doubt it would attract a lower penalty.

If the hacker does not alter or delete information to which he has obtained unauthorised access, the position may not be so clear. That is what the Bill is aimed at. Denial-of-service attacks may concentrate on network connectivity, for example by establishing half-opened connections to the victim machine or by consuming bandwidth and other resources. Examples of such attacks are given on the CERT co-ordination centre's website. In its cyber crime survey last year, the CBI called for an extension of the CMA to all attacks that cause IT systems to fail.

However, the National High-Tech Crime Unit tells me that there has not yet been a case before the courts—and nor has it yet been given details of one—in which it has not been feasible to prosecute because of the apparent gap in the 1990 Act. The unit says that denial-of-service attacks are often associated with some other offence such as blackmail or fraud, to which the computer misuse is incidental. The British Crime Survey does not identify computer crime under a separate heading. The Home Office may wish to address that. I should like to know whether the Minister has any thoughts on it. Should we collect information about offences in which computer misuse is not the substantive charge but is a necessary ingredient of some other offence?

The NHTCU also tells me that it is about to roll out an Extranet link to local force computer crime units which will enable it to collect anecdotal evidence of these crimes. It says that before April 2001, only a few forces had fully functioning high-tech crime units. That is one reason why there were not many prosecutions or cautions. I know of no way of ascertaining how many cases were abandoned before charge because there was no realistic chance of securing a conviction. Nor is there any means of recording the high-tech element of the crimes that were not pure CMA offences. For that reason, any figures have to be treated with extreme caution.

There is no doubt, as the CBI survey shows, that there has been considerable under-reporting of DOS attacks, as well as of other types of cyber crime, not only, as the noble Earl has said, because firms were reluctant to expose themselves to possible criticism for having taken inadequate precautions, but also because until recently they may have had insufficient confidence in the capacity of the police to respond effectively to the reported offences. In the eight months since it became operational, the NHTCU has been developing its relationships with industry and gathering strategic business intelligence about the nature of the offences being committed and the modus operandi of the criminals. The unit would not say so itself, but it seems premature to introduce the Bill when a little patience might enable the Government, with advice from the NHTCU and industry, to produce a more effective solution to any gaps that may be identified in the CMA. The noble Earl partly answered that when he said that he was introducing the Bill primarily to get an answer from the Government to his demand for a wider review of the CMA. I warmly echo that.

Computer Weekly suggests that the Government have already initiated such a review. That may be what the noble Lord, Lord Rooker, meant in answer to a Written Question the other day when he said:

"The Government are considering whether changes are needed to the Computer Misuse Act 1990 in the light of the United Kingdom's obligations as a signatory state of the Council of Europe Convention on Cybercrime".—[Official Report, 25/3/02; col. WA 10.]

I hope that the Minister will be able to say this evening that the Government are going to cast their net wider—that was not intended as a pun. I should like them to announce a comprehensive review along the lines demanded by the noble Earl, which will not be limited simply to complying with the Council of Europe convention. I think that that is what the police and the CPS would like.

The convention would already require us to make unauthorised access under Section 1 an arrestable offence. That is one amendment that the police think would be useful. In this connection, I draw attention to the difference between the definitions of unauthorised access in the Bill and the CMA, which might lead to problems in court if the Bill were passed unamended. In the Bill, the access is an offence only if it causes or is intended to cause an impairment of function of the "computerised system", which is not further defined. Presumably, the noble Earl wishes to include any devices that are used to input data to a computer, as well as the computer itself. If that is the intention, it needs to be spelt out.

In the Bill, the act that impairs the function of the computer constitutes the offence if it is "without authorisation". That means that the person carrying out that act is not the owner of the relevant computer system, nor does he have the permission of the owner. Under the CMA, there is an offence of unauthorised access, in which the person is not entitled to control access of the kind in question and does not have consent to such access from any person who is so entitled. That approach may be preferable, because nobody owns the Internet, as the noble Earl pointed out. A great deal of the software used on the Internet is open source and the ownership of it may not be defined.

Another problem that the police would like dealt with—which could be done only as a result of a comprehensive review of the CMA—is the theft of data, which is treated as a criminal offence in the US, but not in this country if there is no physical material involved such as a floppy disk or a zip disk. So, for example, the disgruntled employee who e-mails the company's information to his own address is not committing a crime unless it can be proved that he intends to use it in the commission of another offence such as blackmail.

It has been said that the use of the Internet has expanded enormously since 1990, and so has the scope for malicious or criminal interference over the net with other people's computer systems. It is big business. We should remind small and medium-sized enterprises and private individuals who are vulnerable that all users need to look at their security and not rely entirely on the law to protect them.

The fact that the CMA has been used so rarely means that, as Michael Gubbins of Computing points out, arguments about its current weaknesses are largely theoretical. Only 33 cases have been prosecuted and seven people gaoled over the 10 years in which the CMA has been in force. On the other hand, some weaponry is available to computer users. There is a British Standard for information security management—BS 7799—and for the individual user or SME there are anti-virus programs and firewalls, some of which are free. So the 75 per cent of firms that have no security policy, according to the DTI, should look to their own defences rather than rely on Parliament to enact further legislation that may well be unnecessary and is not easy to enforce.

Considering the difficulty of tracing and identifying attackers, it is perhaps surprising that hackers ever get caught. In a recent high-profile case, the author of the "Melissa" virus caused 80 million dollars' worth of damage and was given a 20-month prison sentence in a US federal court. The criminal had used a stolen AOL account to jam up corporate e-mail systems in the UK as well as in the US. It is reported that he was tracked down electronically, although I think that he might have got away with it if he had used a public terminal to launch his attack.

Another interesting recent case in the US was that of Robert Lyttle, who was arrested in May while on probation for 200 attacks committed while he was still under 18. He had penetrated high-profile sites, including Gartner, the US Geological Survey, Sandia National Labs and the Department of Defense's Defense Logistics Agency. It seems that victims in the US are readier to identify themselves. If law enforcement agencies here are to become effective against cyber crime, there must be a similar willingness by industry and commerce to own up when they are being attacked.

Since DOS attacks and other cyber crimes have global effects and can be launched from any place connected to the Internet, there should be an international database for recording attacks, and the criminal justice system should respond to them in every country where they occur. In this country, perhaps the Information Assurance Advisory Council might begin by sounding out equivalent bodies in other EU countries and in north America on how such a project might be designed.

This Bill seeks to deal with a very large problem, to which a part of the answer may well be improved legislation. I welcome the opportunity which the noble Earl has given us of discussing DOS attacks, and I hope that the Government will tell us more about the review of the CMA. Beyond all that, however, it would be good to have an assurance that the Government are fully aware of the burden on us all as consumers and taxpayers of this form of crime, and that in collaboration with industry, computer professionals and law enforcement agencies they are developing a comprehensive strategy for dealing with it.

Lord Astor of Hever, Conservative, 8:54 pm, 20th June 2002

My Lords, the House will be grateful to my noble friend Lord Northesk for introducing this Private Member's Bill and for so clearly explaining its objectives. My noble friend pointed out the need to update the CMA. As he said, in IT terms, the Act was passed aeons ago, certainly long before the Internet became a reality. In 1990, no account was taken of e-commerce or trading over the world-wide web. The Act hinged on the concept of unauthorised access, whereas the invention of the world-wide web and the Internet is all about companies inviting people into their computer systems to buy and sell and to obtain information.

There is of course a passage in the Terrorism Act 2000 that refers to this issue. Indeed, amendments made in this House, following considerable pressure by the Opposition, changed the definition of terrorism to include "cyber terrorism" or action which,

"is designed seriously to interfere with, or seriously to disrupt, an electronic system".

However, this applies only where the use or threat is designed to influence the Government or intimidate the public or a section of the public or is made for the purpose of advancing a political, religious or ideological cause.

We on these Benches express sympathy for the severity of this problem for businesses, and note the scope that the Internet offers those who wish to interfere maliciously with individuals or companies in this way. Two years ago, the BBC estimated that more than 50,000 computer viruses have been created and that up to 400 are active at any one time. More than 10 new viruses are released every day. Research by Computer Economics found that virus attacks cost business more than 12.1 billion dollars in 1999.

Eric Chien, head of Symantec's anti-virus research centre, has said that technology will never stamp out viruses completely. He said:

"No-one is ever going to win—we create technology to beat the virus writer. He tests those technologies and tries to get round them. It's an arms race and it's always going to be that way".

That is why it is vital that we take this matter seriously. Denial-of-service attacks, whether they take the form of numerous spurious web submissions or worm-type virus interference, are one of the most effective means of disrupting business and personal computing services. Widespread concern has been expressed by the industry at the lenient sentences for hacking offences under the Act. I wonder whether the Minister can confirm that there have been very few prosecutions for denial-of-service attacks under the CMA?

My noble friend Lord Northesk mentioned that the National High-Tech Crime Unit has called on the Government to amend the law to give police clearer powers to prosecute denial-of-service attacks. I firmly believe that crime fighters must be given the means to fight modern crime in the modern age.

The definitions used in the Bill, however, are quite different from those currently in place under the Terrorism Act and therefore deserve some scrutiny. My first thought is regarding the provision which states that,

"a person is guilty of the offence . . . even if the act was not intended to cause such an effect".

I note that the offence includes actions which only "indirectly" cause a system failure. How might these two statements work in practice? Might it not prove difficult for someone who did not act with any intention of harming a server or other computer system to defend himself if charged under this provision? Equally, how practical would it be to prove that a "reasonable person" could have predicted that their actions would lead to a denial-of-service attack?

The infamous "Love Bug" relied on a person opening an e-mail attachment. While many people were alerted to the dangers of this virus, some still mistakenly opened the attachment, exposing themselves to the virus and triggering many e-mails to other people, potentially infecting them. Would these people be regarded as guilty under the Bill? Would human error be an acceptable defence where they perhaps should have anticipated that their actions would lead to the further transmission of the virus to other machines?

Following on from this, I wonder whether the ongoing and rapid progress being made in technology, which my noble friend Lord Lucas mentioned, might not cause difficulties with this provision. I understand that there is scope for criminals to take advantage of unsuspecting people and companies who do not have adequate firewalls in place, and effectively to use these machines as "virtual hosts" for material and communications. Such actions would inevitably lead to problems in tracing and proving the identity of those behind any denial-of-service attack. I ask my noble friend whether someone whose computer has been abused in this way by a third person could be caught by the offence as proposed.

It is important that we do not forget that there are occasions on which legitimate use can be made of mass e-mailing. One example relevant to this House is that of lobbying. With this Bill are we saying that people should not use electronic methods of communication to express their views to government departments? Or are we, in effect, placing an obligation on departments to maintain sufficient system capacity to handle mass protests or registering of views?

There is a read-across to the issue of spam mail. Commercial advertising or "spamming" can generate thousands of unwanted messages—junk mail—targeted indiscriminately at any "working" e-mail address. Users often find that certain e-mail addresses are rendered virtually unusable due to the volume of unwanted, unsolicited and, in many cases, offensive mail that is notoriously difficult to block. This mass of messaging can involve offers of credit, university degrees which can be bought, and links to porn websites. What is most worrying is that this spam makes no reference to the user of the e-mail address, and children, including my own I fear, are opening obscene messages, often, I hope, by mistake. There has been an industry built up recently of scouring the Internet for people's e-mail addresses which are then sold by marketing companies as "working e-mail addresses". It is possible to establish whether any e-mail address is in use simply by sending a test message to any address. If the message rejects this, it does not exist, and if there is no rejection message, the address can be sold as "in use". Certainly, ISPs must become much more involved in ridding the Internet of this nuisance, which is damaging the efficiency of industry as well as costing the nation in wasted time and money.

In conclusion, while some of these queries and applications are in themselves not necessarily a bad thing, I do think that they raise a need for widespread review and consultation on this issue. I hope that the Government will tackle this area of crime with the priority it deserves and will take the opportunity to review this area of legislation.

Lord Bassam of Brighton, Government Whip, 9:03 pm, 20th June 2002

My Lords, I, too, join in the general thanks to the noble Earl, Lord Northesk, for introducing the Bill and raising the issue in the House. As ever, the noble Earl was thoughtful in his approach and introduced the Bill in a constructive way. Like all of us, he recognises that this is an important part of a much wider and deeper debate. I place on record my thanks for the courtesy he has shown in informing my noble friend Lord Rooker, when the latter was in his previous incarnation, of his intentions.

Although only a small number of noble Lords have participated in the debate, an interesting breadth of detail and views have been expressed. Usually noble Lords say that they will read with interest what the Minister says. However, in this case, the Minister will read with great interest what noble Lords have said. In particular, I was interested in the remarks of the noble Lord, Lord Avebury, not having heard him say so much in the past on this subject.

I wish to place on record that the Government recognise and share the concern of the Internet industry and users, expressed so eloquently by noble Lords, in relation to denial-of-service attacks. Noble Lords have made reference to such figures as exist on the incidence of denial-of-service attacks. However, we argue that there are no reliable figures in that regard. That is probably an assertion that most would be happy to share. However, we recognise that there is a growing problem. It is clear that the number of attacks against computer systems and the consequent costs to businesses, be they large or small—the noble Lord, Lord Avebury, referred to small and medium-sized enterprises—and to individuals grow exponentially year on year as the whole system, particularly the Internet, expands. This is something which the Government take very seriously.

I believe that the noble Earl, Lord Northesk, suggested that the Government do not take cyber crime seriously. I do not think that he actually believes that. This debate has a ring of nostalgia. Over the past two or three years several of us have been involved in discussion and debate on various aspects of cyber crime, the Internet, the regulation thereof and so on. Last April the Government established the National High-Tech Crime Unit. Several references were made to that during the course of the debate. We placed that quite rightly within the National Crime Squad. Much praise has been heaped on the unit for its work, not least as regards its efforts to combat cyber crime such as Internet pornography, particularly child pornography.

The unit is staffed by IT specialists and law enforcement officers and undertakes the most technically complex investigations as well as providing technical support to local investigations and acting as a centre of excellence in developing new techniques, material and good practice with local forces. I believe that that is terribly important. We need to have that centrally provided expertise. We have provided an additional £25 million over three years to fund this new unit and fully trained computer crime teams in every force in England and Wales. That is a very significant commitment.

To be genuinely effective in combating denial of service attacks and other high-tech crimes, we must work with other countries. The noble Earl anticipated that line of argument, but it makes plain sense; this is a global technology with global applications and we need to work, act and interact globally. We must also ensure that there is effective legislation and enforcement internationally to deal with offenders. The "Wonderland" prosecutions proved that point wonderfully and underline its importance. The Government have focused their efforts on tackling the problems that were highlighted by noble Lords internationally, within Europe and through the G8. Last November, the UK signed the Council of Europe convention on cyber crime.

In relation to denial-of-service attacks, the convention commits all member states to legislate to ensure that,

"the serious hindering without right of the functioning of a computer system", is a criminal offence. In addition, a new draft Council framework decision has been tabled that would require all EU member states to legislate to ensure,

"the serious hindering or interruption of the functioning of an information system . . . following intentional conduct, without right", is a criminal offence. Similarly, we are actively working with the other G8 nations, through the high-tech crime sub-group, to ensure that all our legal systems appropriately criminalise all abuses of telecommunications and computer systems and promote the investigation of high-tech crime. Legislation to implement the Council of Europe convention on cyber crime and the Council framework decision, once it has been agreed, will be brought forward when the legislative programme allows. We always have to enter that caveat. Much of that should be achievable through secondary legislation.

The need to increase penalties in some areas has been referred to. We generally agree on that. If primary legislation is required, we will obviously need to identify a suitable vehicle. The noble Earl believes that primary legislation is needed in the denial-of-service area.

I put on record the fact that the Government are working closely with industry and law enforcement agencies to determine to what extent the Computer Misuse Act requires reviewing in order to meet the UK's commitments under the Council of Europe convention on cyber crime and the needs of law enforcement. That is where we are at with regard to that Act.

As the noble Earl said, denial-of-service attacks can take a number of forms. The common theme is that of disrupting users' legitimate access to material or resources. Most forms of denial-of-service attack are covered by the Computer Misuse Act. The noble Lord, Lord Avebury, made the point very well that there is a debate about whether that legislation is robust. That debate is important and needs to be had, and we have detected the fact that opinions vary sharply within the industry.

There is a specific issue about whether all denial-of-service attacks necessarily require the unauthorised modification of the contents of a computer, which would comprise an offence under Section 3 of the Act. The terms of the Act were deliberately undefined to provide flexibility for the courts in constructing them widely, and the courts have rightly shown willingness to do so. The issue is one of interpretation and the courts have not yet had a suitable opportunity to consider that. However, we are not complacent about the lack of clarity, particularly if it discourages enforcement authorities from proceeding against the perpetrators of those attacks.

We are looking with criminal justice practitioners at the Act's provisions on the denial-of-service. We are also very happy to meet noble Lords and industry representatives to share our thinking as it develops. That is a genuine and open-ended invitation. However, we are not yet convinced that legislation is needed. That must be understood to be a starting point; our minds are not closed.

Prosecutions can proceed only with evidence, and the identity of those attacking computer systems is, as noble Lords said, notoriously hard to determine. As the noble Earl, Lord Northesk, said, the Bill is intended to stimulate debate. He and the noble Lord, Lord Lucas, would probably accept that as it is drafted, it is not perfectly correct. My reading of it leaves me with questions about whether it is as well drafted as it might be to achieve the intentions that the noble Earl honourably seeks for it. The Government welcome this opportunity for debate. I will not detain the House with our concerns over the detail of the drafting, particularly in relation to intent, attempts and penalties.

In summary, the Government are working with industry and law enforcement specialists to make the UK the best and safest place in which to work and trade online. We will continue to do that by ensuring that the criminal law deals effectively with new threats in that regard, through international negotiation and rigorous domestic legislation and enforcement.

We welcome the debate. The contributions that I have heard this evening have been most constructive. As I said, we are not as yet convinced that extra legislation is needed. We do not have a closed mind on that. And we are happy to meet, and learn from, all those who are actively working in this field to ensure that we have the most robust defence against such matters as denial-of-service attacks.

The Earl of Northesk, Conservative, 9:14 pm, 20th June 2002

My Lords, I am grateful to all noble Lords who have contributed to tonight's debate. I particularly want to thank my noble friends Lord Astor of Hever and Lord Lucas.

In the context of the Bill, I had feared that I might have to resort to a recollection of a week or so ago. It seemed then that there was a perception abroad that I might have been indulging myself and wasting the time of your Lordships. Happily, noble Lords have been charitable in explaining their respective positions towards my purpose and generous in their general support for my proposition.

I should respond to the specific query of my noble friend Lord Astor of Hever; namely, whether someone whose computer had been degraded by a third party could be caught by the offence contained in the Bill. Certainly that is not my intent. But I have to confess that the constraints imposed by the structure of the Computer Misuse Act may make that a possibility. To my mind, that makes the case for updating the Act, as argued both perceptively and persuasively by a number of noble Lords tonight.

As to the wider issues raised by my noble friend, I can only point out that there is growing currency for the view—the noble Lord, Lord Avebury, referred to this—that there may be merit in subjecting computers and their users to a "web-worthiness" test, in much the same way as motor vehicles are subject to MOTs. That may also be relevant to some of the observations of my noble friend Lord Lucas. I do not intend to speculate on the point—it is outside the scope of the Bill—except to say, yet again, that an updating of the Computer Misuse Act would be an appropriate vehicle for such a debate.

I am also grateful to the Minister for his explanation of the current consultation process in respect of the CMA. I say genuinely that I draw both comfort and some encouragement from his comments. I should also say that I have no doubt about the Government's commitment to tackling cyber-crime. What I do carp about is the way in which their priorities here have been arranged thus far.

I believe that the debate has been a very useful exercise. No doubt, as of need, we can iron out some of the Bill's deficiencies during its later stages. But, for the moment, I merely hope that your Lordships are content to give the Bill a Second Reading.

On Question, Bill read a second time, and committed to a Committee of the Whole House.

House adjourned at seventeen minutes past nine o'clock.