The Response to a Public Consultation on Reform of The Computer Misuse Act  

A Contribution by CD

Section 1. Context 

Q1. How would you describe the understanding that your organisation/business has of the Computer Misuse Act?

Our understanding of the CMA is better than most organisations because the Act forms the legal basis of security architecture and cyber response processes that are routinely prepared for clients, and which tend to specialise in the treatment (i.e. reduction) of cyber security risk.

Q2. How does your organisation use the CMA, or how is it affected by it?

The CMA has direct application in the preparation of security solutions that mitigate the risk of unauthorised access or modification of data and in forensically establishing the presence and possible intent of such miscreants. We have provided expertise to assist in preparing the technology-based arguments underpinning cases going to litigation. (We are not part of the Expert Witness Programme, nor do we provide legal advice in any manner or form.)

Section 2. Offences

Q3. Do the offences set out in the CMA adequately cover cyber-dependent harms?

The CMA does not adequately cover cyber-dependent harms. The three principal offences don't adequately reflect the range of harm, nor indeed the asymmetry of resources necessary to engineer an adequate response to such harm. By the very nature of the problem space, cyber-miscreants are able to invert computational resources against the lawful owners/operators of installations, and it is this outcome that should be the basis of a more meaningful set of offences under the Act. This is an area that cannot merely be left to a public consultation on this important issue and warrants analysis by legal specialists, with reference to aligning the severity of impact of such crimes with both an appropriate range of punishments and deterrents.

Q4. Are there any gaps in the legislation, and if so, what are they?

The CMA does seem to have certain gaps which lead to a failure to adequately reflect the seriousness of computer crimes. For instance, if cyber-miscreants gain unauthorised access to a computer system (such as a formally constituted, accredited HMG classified installation), they may have been properly warned by the very system they have hacked, and therefore their activities could not be an accident and intent is clear. Similarly, the unauthorised data access that has arisen may give rise to offences under the Copyright, Designs and Patents Act or even the OSA. The authorised holder of the data may indeed be guilty of offences under the Data Protection Act (or EU-GDPR, not to mention transgressions of EU Network Information Security Directives).

This is an area that cannot merely be left to a public consultation on this important issue and warrants a deeper technical understanding of the motives of cyber-miscreants and the capabilities they have brought to bear in the pursuit of such crime. This then needs to be suitably generalised to be properly encompassed by the legislation and incorporated into the law. This process should start with vector and vulnerability exploitation analytics and progress to consideration of modus operandi, technical impact and consequence analysis of the criminals' actions.

Q5. What are the potential future areas where the CMA may not adequately cover the harms? 

The CMA seems deficient in reflecting the complex nature of certain orchestrated vectors involved in some types of advanced cyberattack. These vectors interplay at different levels in the ISO stack and within different domains, and thus, where the resources of a number of computing environments are used to facilitate an attack on others, this must be properly reflected in the offences under the Act. 

A suitable framework for harms arising from offences might encompass miscreants achieving initial systems access, credential subversion and privilege escalation, lateral movement in systems, evasion techniques employed, attack persistence and command & control approaches, advanced reconnaissance and systems discovery, data exfiltration and decipherment and even advanced, fully optimized cyber attack (such as may involve proxy attack groups working for Nation States or highly resourced corporate bodies such as Tech-Giants). Such stylisation could form a methodology for establishing the capability of cyber attackers and hence, the severity of the crime. However, this is an area that cannot merely be left to a public consultation on this important issue and warrants a deeper treatment. Cyber attacks may encompass more sophisticated scenarios such as those involving machine learning or human cognitive support (i.e. AI) involving the maladjustment of data that underpins complex training or decision making. Deliberately inducing bias into such critical data sets underpinning advanced technologies supporting critical decisions is difficult to detect and should be a very serious offence.

Q6. What changes could we make now to meet those challenges?

The CMA might be expanded to include specific offences relating to the combined adverse impact on a system's confidentiality, integrity, availability and/or non-repudiation including:

  1. Impeding the operations of any/all aspects of UK Critical National Infrastructure (such as BT IP Core, Energy Transmission, Nuclear Trigger)
  2. Interference with non-CNI computer systems dedicated to Defence (including NATO Alliance), Diplomatic, Health, Policing, Revenue, Energy, Telecommunications or Space-based functions and/or their interoperability
  3. Impeding the computer systems used in banking, finance, international funds transfer or other critical trading operations likely to adversely impact market confidence in the UK industry and commerce or related transnational interests
  4. Impeding the function of computer systems dedicated to intelligence operations supporting DIO, MI5, GCHQ, MI6, NCA(+ Constabularies), Special Forces
  5. Impeding the onward connectivity to other national and international computer systems, and the interconnectivity and interoperability that are critical to the conduct of government, commercial, research or educational related functions that depend on them.
  6. Unauthorised adjustment, including abuse of cryptographic protections and methods, of or relating to advanced data set administration to impede systems operations or the functions of human cognition augmentation and machine learning, that could/will have direct adverse impact on the ensuing decision making, especially that which affects lives and natural environments.

Section 3. Protections 

Q7. Do the protections in the CMA for legitimate cyber security activity provide adequate cover? 

No, there are few meaningful direct areas of the law to guide compliance.

Q7b. If not, what changes would you wish to see made? 

The CMA does not specify investigatory or legitimate interventional functions that might otherwise be considered infringement, even by a fair-minded judiciary such as the UK possesses. Such fine judgements may arise in situations where, in extremis, remedial intervention may require several attempted techniques to resolve an urgent cyber related matter. 

To remedy this apparent oversight, a register of legitimate organisations might be instituted with identified personnel having the professional and personal integrity as well as technical competence to intervene in accordance with the measures stated in a lawful warrant under the CMA, and undertake investigatory functions and deploy similar interventional powers. It might be said that these capabilities are already with the Police and Intelligence & Security Committee using the Investigatory Powers Act, however, such a modification to the CMA, exercised by a senior police officer, would be more in line with a broader policing function, where the skills necessary to investigate and intervene need to be exercised with much more deftness and brevity, thus achieving a rapid and satisfactory conclusion prior to being brought forward for prosecution in the courts.

This is another area of the legislation that cannot merely be left to a public consultation on this important issue and warrants a deeper treatment in order to understand the possible adverse impact of such powers, including their possible misuse and the necessary controls required. 

Q9. What risks do you see from any changes to protections?

Adjusting protections under the law is always a complex matter due to unintended consequences and/or inappropriate invocation. However, the main risks arise from inappropriate judgements being applied in the issuing of a warrant to investigate or intervene in some way, which may give rise to evidential material that is beyond the scope of the initial criteria supporting the decision. 

Such controls are likely to necessitate input from a panel of senior judiciary who are appropriately trained and cleared for such decision making, but in any event, this is an important area that cannot merely be left to a public consultation and warrants a deeper treatment.

Section 4. Powers

Q10. Do you believe that law enforcement agencies have adequate powers to tackle cybercrime?

Law enforcement authorities do have certain necessary powers, but suffer from a woeful lack of resources to deploy them. Mere sufficiency is not a satisfactory gauge with which to measure legislative efficacy; indeed, what were the desired or intended results of the law and have they ever been achieved in any jurisdiction? This is surely an area that cannot merely be left to a public consultation and immediately warrants a deeper analysis of LEA requirements before any legislative adjustments are proposed, perhaps starting with the US Computer Fraud and Abuse Act (1986).

Q11. Do you think the CMA should include any new powers (such as providing law enforcement agencies with powers of domain and IP seizure from criminals or criminalising data commoditisation)?

I believe the CMA needs to be closely aligned with the Proceeds of Crime Act and the Interception of Communications (i.e. Sched.7 – Investigatory Powers Act – covering Targeted Interception Warrants), but with a view to the special definition or assessment of the value of data; more particularly, unlawfully held data that may exhibit exploitable value that can be realised many times. 

The CMA should carry new powers to compel those directors of ISPs to register the domains and be accountable for illicit content that arises as the result of CMA breaches. While it is understood that not all internet users are criminals, it is widely believed that the vast majority of criminals rely heavily upon internet access. Therefore the CMA should also carry new powers to monitor ISP accounts of those suspected of breaking the law, including the ISP's operations themselves. (Technical approaches have already been proposed, in the form of criminal intelligence gathering and exchange mechanisms for accessing information from high density data streams (i.e. DWDM), and merely requires development budgets, teams and lawful implementation of such interception capability.)

The CMA should carry powers to deny access to the internet of cyber-miscreants across the globe, but this is likely to give rise to very complex areas of enforcement. Most importantly, it should be recognised that enforcing the CMA requires the police to legally exercise specialist skills that are difficult to accumulate, retain, maintain and meaningfully apply in a very fluid arena. However, if (as per Q.7a&b) the police were to have their resources bolstered by teams of specialists with the right combination of technical and legal skills, it should be possible to enforce the law in a meaningful way. But this is an area that cannot merely be left to a public consultation and warrants a deeper technical treatment.
 

Section 5. Jurisdiction

Q12. Does the CMA provide adequate criminalisation of offences under the Act carried out against the UK from overseas? 

No, and the principal problems are expressed in legal jurisdiction and the discharge of responsibilities by nation states as they combine the problems of connecting countries to the global internet and discharging their responsibilities for refoulement of cyber-miscreants. 

Q12b. If not, what changes would you like to see made? 

The CMA is woefully inadequate in its application to trans-national criminality. 

While 65 states have signed and ratified the Budapest Convention, what is less clear is which of those countries have sufficiently robust law-enforcement mechanisms to counter what is becoming an increasing menace to commerce and civil society across the globe. This is an area of the CMA that cannot merely be left to a public consultation and warrants a deeper analytical treatment by specialists in international criminal law, extradition and deportation.

Section 6. Sentences 

Q13. Do you believe that the sentences relating to the offences in the CMA are adequate?

While the CMA will reflect normal sentencing policy, this surely bears no relation to the level of harm that can result from transgressions in this area of law. For example, the disruption of critical national infrastructure systems may result in loss of life and invoke immense social impact; it is difficult to see how tests of intent can find in favour of cyber-miscreants, who should be punished accordingly with a suitable deterrent.

Q13b. If not, how would you see sentencing guidelines changed in proportion to the harms these offences cause?

In relation to answer 13, the sentencing guidelines need to reflect the adverse impact and severity of the longer term consequences that can arise from unconstrained and wilful cyberattack. It should be noted that these events don't usually occur by accident and cyber-miscreants (irrespective of their legal jurisdiction) are fully aware of the impact of the vulnerability exploitation they are engineering in their computer misuse and cyber attacks.


 

Section 7. General 

Q14. Are there any other areas where you believe improvements to legislation could be made to enhance our response to cyber-dependent threats?

The CMA could include proactive measures required to be engineered by telecommunications service providers in line with the specialist engineering requirements demanded within the Telecommunications (Security) Bill currently progressing through parliament. The Interception of Communications would require ISPs and telecommunications service providers to have the necessary infrastructure to fully implement ETSI standards on Lawful Interception of Communications and it is only a similar requirement under CMA strictures.

These measures must reflect detailed requirements analysis and achieve an ACPO compliant forensic response in order to ensure that legislative changes can be properly structured and engineered with appropriate control structures. This is an area of complexity in the CMA that cannot merely be left to a public consultation and warrants a deeper technical analytical treatment in the art of the possible by telecommunications specialists (with a background in the field of forensic response) and lawyers (with a specialist appreciation of the composition and merits of a potentially successful CMA prosecution); these are skills that may not currently exist in the Crown Prosecution Service.

Q15. Are there opportunities for improvements to the UK response to the threat from criminals operating online now we have greater flexibility to set our own laws outside of the European Union?

There are opportunities for improvement in the UK response to the threat from cyber-miscreants and international criminal groups. It should be noted that these are very different threat actors and require an appropriate level of granularity of control in effecting any response. 

The principal challenge for legislators and lawyers is that our telecommunications laws need to be considerably strengthened and yet, paradoxically, greatly simplified. The legislation and the capabilities required of law enforcement authorities inculcated in such legislation need to be clear, and their implementation needs to be centrally funded through a dedicated department incorporating telecommunications security engineering for the purposes of protecting functions in defence, policing, health, cabinet government, education, transport and energy, to mention a few.

The National Cyber Security Centre model (under Lindy Cameron and Ian Levy) might be a useful paradigm, or indeed, be bolstered to accommodate the new legislative functions if there is sufficient capacity and capability within the team.
 

Section 8. International Best Practice

Q16. Are there examples of legislation in other countries that the UK should consider? 

These are questions that are rather beyond the scope of the initial problem space, but should probably focus initially upon the Federal Computer Fraud and Abuse Act (1986).

Q17. If so, how has this legislation empowered governments to better investigate and prosecute cyber-dependent crimes?

Some 65 states have so far signed and ratified the Budapest Convention (and another four have only signed the convention), which reflects a considerable corpus of approval for the aspirations therein; might this list be a good place to start the analysis? While this is an area that cannot merely be left to a public consultation on these important issues, it clearly warrants a far deeper treatment by specialists in international law and linguistics starting with the EU directive on commonality in cyber security across the Union, our closest trading bloc.


 

 

All rights reserved. CyberDefenceDynamics 

© 2021