
Cyberspace security: Securing cyberspace — new laws and developing strategies
Claire Coleman, Denton Wilde Sapte, London


Computer Law & Security Report Vol. 19 no. 2 2003 ISSN 0267 3649/03 © 2003 Elsevier Science Ltd. All rights reserved


This article examines the changes proposed by EU and international initiatives to improve system security. It further considers the theme of public-private partnership underpinning emerging strategies for tackling IT security threats.

Keywords – Cybercrime, Cybercrime Convention, Computer Misuse Act 1990, EU Proposal for a Council Framework Decision on attacks against information systems

A. Introduction

2002 saw a renewed sense of urgency about the need to tackle cybercrime - possibly a response to alarming statistics on the rate of increase in security incidents and resulting costs to businesses. The global focus on anti-terrorism following September 11 has also been a factor in bringing to the fore the ever increasing vulnerability to attack of our critical infrastructures. More than ever the need is apparent for a law enforcement regime which can deal effectively with crimes committed in a networked environment crossing national boundaries. However it is also clear that improvements in cybercrime laws and enforcement alone will not be enough – organizations need to identify system vulnerabilities and implement protective measures. In the US, the Bush administration has recently launched a draft National Strategy to Secure Cyberspace[1] and introduced legislation providing $900 m for IT security research and education to protect against hackers and terrorists. An International Cyber-crime Treaty[2] has been put in place and new information security initiatives are emerging from the EU institutions. At last proposals are in place for addressing issues which have long been recognised but, perhaps due to their complexity and the need for a co-ordinated and international approach, have not been addressed.

B. Threats and vulnerabilities

Over the last decade businesses and Governments world-wide have shifted the control of essential processes to networked systems without a great deal of consideration of the security implications. Governments are now rightly concerned that critical infrastructures (e.g. energy, transport, banking and finance, and emergency services) fundamental to economic and national security and to public health and safety increasingly rely on electronic information systems. This reliance on information systems is an uncomfortable one in a climate where an attack by terrorists on critical infrastructures is an ever present threat. Also, after a decade of focus on encouraging the use of information systems and the Internet in order to attract investment and build national economies, governments and business are facing the fact that securing trust is key to achieving those goals - and proving more of a challenge than ever. IT security is said to be the single biggest inhibitor to the expansion of e-commerce.[3]

The trend towards greater use of networked systems continues. However, as the number of users and dependence on information systems grows, so too does the sophistication and expertise of the hackers and the number of serious security breaches. It is also clear that system vulnerabilities are on the increase and that hardware and software advances over the years have often been at the expense of security. A recent survey found that two thirds of companies had suffered an IT security breach in the last year.[4] High profile viruses and denial of service attacks[5] are on the increase - Lloyds estimated the global cost of the “I Love You” virus to be £10 Bn[6] (not to mention Code Red and NIMDA). Gartner Group predict that financial damage caused by cybercrime will increase between 1,000 and 10,000 per cent by 2004.[7]

C. The UK Computer Misuse Act 1990 – time for an overhaul?

UK cybercrime laws - in the form of the Computer Misuse Act 1990 (“CMA”) - have been subject to criticism over recent years and there have been repeated calls from industry for a rethink. The CMA created three offences: (i) unauthorized access to computer material,[8] (ii) unauthorized access with intent to commit or facilitate commission of further offences[9] and (iii) unauthorized modification of computer material.[10] Criticisms of the Act include that:

■ It has been an insufficient deterrent with remarkably few successful prosecutions and lenient sentencing.[11] One view is that the number of successful prosecutions is low because of the difficulties of meeting the requirement to prove intent on the offender’s part. (The first offence of “unauthorized access” does not require proof of intent but penalties are low.[12]) However another explanation is the perceived lack of investment in training the police and judiciary to understand and deal with cybercrime;[13]

■ It is out of date, being based on the concept of unauthorized access which is increasingly hard to prove in a networked world - and does not cover new forms of computer crime such as denial of service attacks;

■ It lacks a framework for international co-operation in investigating and prosecuting e-crime. Also there may be jurisdictional problems with pursuing a cyber-criminal who hacks into systems from another country, as is often the case.

D. The Cybercrime Convention and EU proposal for a Council framework decision on attacks against information systems – what changes will implementation bring in the UK?

The need for updating and harmonising laws and adopting an international approach to cybercrime was highlighted by the “I love you” virus. In May 2000 the virus infected nearly 60 million computers and caused billions of pounds worth of damage, yet the perpetrator (a student in the Philippines) was not charged with breaking any law. At the time there was no provision of the Philippine criminal code that explicitly outlawed his actions. Following four years of work the Council of Europe Convention on Cybercrime was concluded on 23 November 2001. From the beginning non-Council of Europe members, including the United States, Canada, South Africa and Japan, participated in drafting the convention, which will come into force once it has been ratified by five States, including at least three States of the Council of Europe. (The UK has not yet ratified the convention.)

The Convention aims to:

■ Harmonize domestic laws setting out cybercrime offences;

■ Provide for domestic criminal procedural powers necessary for the investigation and prosecution of those offences; and

■ Set up a regime for international co-operation.

The EU Commission Proposal for a Council Framework Decision on attacks against information systems[14] already sets out proposals for EU harmonisation of many of the offences set out in the convention. The proposed offences are intended to be consistent with the equivalent offences in the convention but also aim for a greater degree of harmonization across EU Member States than was possible under the convention. Once implemented (following adoption by the Council of Ministers) EU Member States will be obliged to implement the Framework Decision before December 2003. The Council of Ministers may require changes to the approach in the proposed Framework Decision. If adopted in its current form what changes will implementation bring - and will they address the current perceived deficiencies in UK legislation?

1. Illegal access to information systems

The proposed Framework Decision creates an offence of “Illegal access to Information Systems”.[15] This is essentially the hacking offence - aimed at the same type of activity as the offence of “unauthorized access” under the CMA.[16] It requires Member States to “ensure that intentional access without right to the whole or part of an information system” is an offence where it is committed:

(a) against any part of an information system which is subject to specific protection measures; or

(b) with the intent to cause damage to a natural or legal person; or

(c) with the intent to result in economic benefit.[17]

In some respects the CMA offences are wider. Access “without right” will most likely allow broader defences than “unauthorized access”, excluding not only conduct by authorized persons but any other conduct recognised as lawful under domestic law, e.g. where access is necessary for legitimate business purposes (such as maintenance of a network). Also – there is no criminalization of access to systems that permit free and open access by the public, as such access is “with right”.


The convention gave member states the option of providing that the hacking offence would be committed only where there has also been “infringement of security measures, with the intent of obtaining computer data or other dishonest intent”. This raises two questions: (i) should protection afforded under cyber-crime laws be subject to the systems accessed having some minimum level of security in place (not currently a requirement under the CMA)? and (ii) should the offence of illegal access be subject to dishonest intent on the part of the perpetrator? The current draft of the proposed Framework Decision does not make the offence dependent on whether a specific level of security is in place (in line with the current approach under the CMA). However, it does make the offence subject to intent on the part of the perpetrator – except in a situation where specific security measures have been breached. This represents a lesser level of protection than currently available under section 1 of the CMA, which does not require proof of intent to cause harm. On the whole the proposed new Illegal Access to Information Systems provisions will, if anything, lift the bar for the application of criminal sanctions in the UK.

2. Illegal interference with information systems

The proposed Framework Decision also creates an offence of “Illegal Interference with Information Systems”.[18] This covers interference “without right” with information systems or data held on an information system and broadly covers the same types of activity as the “unauthorized modification” offence under the CMA.[19] However the drafting more clearly covers the mail bombing and denial of service attack scenarios which arise in a networked environment and were not contemplated by the drafters of the CMA. As with the CMA, intent must be shown. In terms of proof however the bar will again, if anything, be lifted in the UK with a requirement to show “serious hindering or interruption”.

3. Sanctions

Signatories to the convention are required to adopt a penalty scheme that is “effective, proportionate and dissuasive” and includes custodial sentences. The convention did not seek to set any level of sanction – something which has been perceived as a weakness.[20] The proposed Framework Decision does require some level of harmonisation on this point: a custodial sentence with a maximum term of imprisonment of no less than one year in serious cases[21] and a maximum term of imprisonment of no less than four years where there are aggravated circumstances.[22]

Implementation of these requirements may go some way to addressing the perceived leniency of sentencing under the UK provisions.

4. Corporate liability

Another noteworthy aspect of the convention is that it requires signatory States to provide for corporate liability for commission of the offences established in accordance with the convention. Proposals for implementation in the Framework Decision require criminal or non-criminal fines as mandatory. Other possible sanctions are also indicated, such as disqualification from the practice of commercial activities or a judicial winding up order.

5. Other new offences

The Convention created a number of new offences the implementation of which is not yet dealt with by any EU initiative. These include:

■ Offences of using electronic means to commit forgery[23] or fraud.[24] The forgery offence covers activities such as the manipulation of digital signatures or other electronic messages – with intent that they be acted upon as if authentic. The fraud offence will cover activities such as credit card fraud;

■ Offence relating to distribution and possession of child pornography in a computer system.[25] There is also to be an additional protocol creating an offence of publication of racist and xenophobic propaganda via computer networks;

■ Offence of infringement of copyright and related rights where the infringement is committed intentionally on a commercial scale by means of a computer system.[26]

These activities will already constitute offences under the domestic laws of many countries, whether or not committed by electronic means. However their inclusion in the convention makes them subject, when committed by electronic means, to the investigatory powers and regime for international co-operation set out in the convention.

In line with convention requirements the proposed Framework Decision sets out jurisdiction rules and signatories are required to co-operate to centralise, if possible, the proceedings in a single jurisdiction.[27] The Convention also requires signatory states to have quite broad powers of surveillance and interception, as well as powers to require the assistance of service providers in investigations. While international co-operation is dependent on the domestic authorities having the necessary surveillance and interception powers and the co-operation of service providers, the UK experience in implementing the Regulation of Investigatory Powers Act 2000 shows how complex and controversial the introduction of those powers can be. Issues include concerns about unnecessary interference with privacy and human rights and the costs to Internet service providers of collecting and maintaining information. These issues, together with the requirement to permit international access to information by governmental authorities in other jurisdictions, make the convention’s requirements very ambitious indeed. There are also concerns that requiring extradition other than under the terms of existing extradition treaties could weaken processes that have been developed over many years.[28]

It therefore comes as no surprise that the proposed Framework Decision has not sought to deal in any detail with the convention’s investigatory powers and international co-operation requirements. The Framework Decision includes only general provisions on exchange of information and an obligation to establish operational points of contact available on a 24/7 basis, as required by the convention.

E. Developing strategies for system protection — public private partnership versus regulation

As a result of the above initiatives we should hope to see harmonized and updated criminal laws (at least throughout the EU) by the end of 2003 as well as some moves towards international co-operation in investigations and prosecuting offenders. While this is a positive step forward it is clear that it is only one aspect of tackling the security crisis and addressing the threats and vulnerabilities that exist. The most urgent need is to remove some of the inherent vulnerabilities in our systems and in particular to adopt protective measures to secure our critical infrastructures. This is not something which can be addressed by Government alone, given that many critical infrastructures are to a large extent in the control of the private sector. In this situation Government has the option of developing a strategy based on public/private co-operation with voluntary input from the private sector, or of regulating to require the private sector to implement the necessary security measures – or perhaps a combination of both. The US Government has chosen the former and stated a strong preference for voluntary action from the private sector. The framework for co-ordination of this voluntary action is set out in the draft National Strategy to Secure Cyberspace, which states that regulation will be a last resort only if the strategy for voluntary co-operation fails. This approach is based on a belief that the potential economic damage that can be caused by serious attacks on systems will be sufficient incentive to ensure co-operation from the private sector. The EU (in its Council Resolution on a common approach and specific actions in the area of network and information security)[29] has asked member states to encourage private sector-led initiatives but does not indicate an intention to pursue this as its only route to achieving greater security.

1. US Government strategy for securing cyberspace

The US draft National Strategy to Secure Cyberspace identifies a number of goals including:

■ Creating awareness among users and system owners of threats and vulnerabilities;

■ Encouraging the IT industry to produce new and more secure technologies;

■ Education and training to ensure the cyber-security workforce can meet the needs of industry and government;

■ Public/private partnerships through which individuals, organizations and sectors will take responsibility for identifying security issues and formulating and implementing plans to deal with them;

■ Improving security within government, making it a model for other sectors;

■ Developing information sharing mechanisms and planning to ensure serious attacks are detected quickly and responded to efficiently.

Recommendations on actions that can be taken to achieve those goals, as well as details of programs that are already underway, are described in the draft National Strategy to Secure Cyberspace. Lead (government) agencies and sector representatives have been involved in detailed analysis of sector specific issues and dependencies and the formulation of sector specific action plans.


Many sectors have also set up information sharing and analysis centres (ISACs) at their own cost to facilitate the dissemination of security related information. The Office of Science and Technology is co-ordinating research and development to support critical infrastructure protection.

The US strategy emphasises that within enterprises it has become critical to address cyber-security as a management issue. This reflects a changing approach to an issue which until recently (mainly due to a lack of awareness of the risks) has been treated by some organizations as a technical issue only. Organizations should be prepared to give satisfactory answers to specific questions from company boards, financial analysts and investors about technical and organizational measures in place to ensure security. They should also be able to identify board members with specific responsibility for security. The US strategy encourages adoption of best practices, e.g. implementation of processes such as PKI to authenticate (or verify) users of the network; fostering a culture of security through employee training and information security policies; maintaining adequate and up to date business continuity and disaster recovery plans. Regular IT security audits and reviews of best practices are also recommended, as well as participation in industry-wide programs.

2. System protection in the EU

What types of initiatives can we expect to see in the EU to encourage or mandate business to improve system security? Will the EU, like the US, rely on market forces and the idea that the risk of security breaches and the financial damages that will otherwise ensue is sufficient incentive for the private sector to take appropriate action? Are EU industry groups likely to set up and operate information sharing and analysis centres (ISACs) and implement best practices in terms of technical and organizational security at their own cost, without any legal obligation to do so? What other incentives might be needed?

The EU in its proposed implementation of the offences under the cyber-crime convention has taken the position that the applicability of criminal sanctions should not be subject to the systems having minimum protection in place. However this is something which no doubt will be further debated prior to approval of the Framework Decision by the Council of Ministers.

In the EU we already have legal requirements on system operators to maintain certain levels of security – e.g. the directive on privacy and electronic communications,[30] and the directive relating to conditional access services.[31] There are also instances of legal protection being subject to having a specific level of technical security in place - for example under the electronic signatures directive.[32] What other obligations might be placed on business to implement specific levels of security?

The EU (in its Council Resolution on a Common Approach and Specific Actions in the area of Network and Information Security) asked member states to take certain actions. These included launching information campaigns to increase awareness of network security issues and promoting best practices in enterprises, where appropriate through use of international standards such as ISO 17799. The resolution also called on private sector suppliers and service providers and their representative groups to organise themselves into appropriate fora to contribute to the objectives of the resolution. However we have not seen as yet at EU or national level a more detailed strategy and framework for public private partnership. Is encouraging voluntary co-operation by the private sector in accordance with a government led strategy the way forward – or do we need more regulation? Perhaps the ultimate answer will lie somewhere in between. However, it is to be hoped that, in line with the US approach, regulation will be used only as a last resort. Whatever the approach one thing is certain – urgent action is needed to protect our critical infrastructures and to secure the trust in electronic systems which has become so essential to business and the economy as a whole.

Claire Coleman, Solicitor, Technology Department, Denton Wilde Sapte
Five Chancery Lane, Clifford’s Inn, London EC4A 1BU
Tel: +44 (0) 20 7242 1212

FOOTNOTES

1. September 2002, www.whitehouse.gov/pcipb/.
2. Council of Europe – Convention on Cybercrime (ETS No. 185), signed at Budapest 23/11/01.
3. Ernst and Young Information Security Survey 2001.
4. Global Information Security Survey carried out by PricewaterhouseCoopers for Computing – Computing 20/9/02.
5. Attacks which attempt to overload web servers or ISPs with automatically generated messages.
6. EURIM Briefing No 34 – April 2002.
7. www.gartner.com.
8. Section 1.
9. Section 2.
10. Section 3.
11. According to figures from the Home Office there were only 33 prosecutions for offences under the Computer Misuse Act in 1999 and 2000 – the latest years for which figures are available. Most offenders receive fines or community service. Only seven received custodial sentences.
12. The maximum imprisonment possible is no more than 6 months and the maximum fine £5,000.
13. EURIM Briefing No 34, April 2002.
14. COM (2002) 173 final, 2002/0086 (CNS).
15. Article 3.
16. Sections 1 and 2.
17. Article 3.
18. Article 4.
19. Section 3.
20. Draft Cybercrime Convention – Indira Carr and Katherine S Williams, CLSR Vol 18 no. 2 2002.
21. To exclude cases where the activity did not result in damage or economic benefit.
22. Article 7 (aggravated circumstances) applies where the offence (a) has been committed within the framework of a criminal organization, (b) caused or resulted in substantial direct or indirect economic loss or substantial damage to critical infrastructure, or (c) resulted in substantial proceeds.
23. Title 2, Article 7.
24. Title 2, Article 8.
25. Title 3.
26. Title 4. Note that this does not include patent or trade mark violations. The creation of this offence is optional, provided that domestic laws already have effective remedies.
27. Article 11, paragraph 5 of the Framework Decision; Article 22, paragraph 5 of the Convention.
28. Opinion divided over new Cybercrime Treaty – Lisa Naylor – European Lawyer, October 2001.
29. 28 January 2002, 2002/C43/02.
30. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data in the electronic communications sector.
31. Directive 98/84/EC.
32. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community Framework for Electronic Signatures.
