IT illiteracy and government: how legislators never understood computers

Andras Kirkman-Kovacs, runner-up in the BARBRI International Cyber Crime Blogging Prize Competition, says the government has its work cut out

It’s safe to say that governments don’t get the internet. Still, between trying to ban porn and failing to deliver the oldest joke on the web, we still rely on them to protect us from criminals, in whatever shape or form they come. And with 2017 shaping up to be yet another busy year for cyber crimes, our current government has its job cut out for it.

Unfortunately, much like our grandparents, our legislators have been displaying tragic amounts of ignorance and confusion when having to deal with computers.

A simpler time

In 1983 the movie WarGames introduced us to the fascinating phenomenon of computer hacking and fuelled our Cold War paranoia with stories of bored teenagers stumbling upon nuclear launch codes by playing on their desktops.

It took the UK seven more years to outlaw hacking with the Computer Misuse Act 1990 (CMA). As the story goes, parliament didn’t pass the CMA until two hobbyists broke into Prince Philip’s BT messaging box by looking over someone’s shoulder. While it hardly satisfies our modern conception of ‘hacking’ (it was what we would call ‘shoulder surfing’ today), it was enough to stump the courts long enough for new legislation to emerge to provide an answer to these new-fangled ‘computer crimes’.

Now it was illegal to:

  • Access a computer system without authorisation (s1)
  • Access a computer system with intent to commit or facilitate further offences (s2)
  • Access a computer system in order to impair the operation of any program, or to modify any data that doesn’t belong to you (s3)

It didn’t say much, but even in its bare-bones form judges had difficulty applying the CMA; issues ranged from not finding a satisfactory measure of ‘intent’ (R v Bedworth) to judges simply lacking the IT knowledge to judge cases effectively (R v Cropp).

But the biggest issue with the CMA was that it didn’t even do a great job of criminalising computer crimes. There is plenty of damage one can cause to a system without ever “accessing it”, as the CMA requires. Anyone with a PlayStation Network account will be frustratingly familiar with DDoS attacks, whereby a system is crashed by flooding it with nonsensical requests, basically overloading it with spam.

DDoS attacks were not criminalised in the UK until the Police and Justice Act 2006 amended the CMA. Again, the amendment was only passed after yet another case confounded a court that could find no legislation sufficient to deal with the cyber crime before it.

To this day the legal system fails to effectively deter criminals, despite the Serious Crime Act 2015 giving the CMA more teeth. It can now impose life sentences for serious offences, and its international reach has been extended to capture UK residents committing crimes abroad and foreign nationals committing crimes within the UK.

How we can improve

There are no easy solutions for a complex issue such as cyber crime. If you ask corporations and banks (i.e. the criminals’ most common targets), their answer is shoot first and ask questions later. There is a growing sentiment amongst corporations to employ more active defences against cyber criminals. Corporate lobbyists continue to push for a relaxation of hacking laws, arguing that companies would be justified in counter-hacking their hackers in self-defence (known as a ‘hackback’, or ‘strikeback’). If allowed, they argue, they could electronically tag stolen data for later deletion, or even remotely damage the computers the hacks originated from.

However, that would achieve little, apart from satisfying the bloodlust of a vengeful CTO. Attribution remains a big problem in cyber law enforcement. The kind of hackers who break banks and steal from multinationals know how to cover their tracks in cyberspace and might not even be using their own hardware to perpetrate the act. They are often able to infect hundreds of thousands of internet-connected devices (e.g. webcams, digital recorders, and the like) and use their combined computing power (a so-called ‘botnet’) to launch their attacks. Allowing corporations to start their own strikeback operations could catch a lot of innocent users in the crossfire.

Over in the public sector, governments have begun to aggressively pursue information sharing as the magic bullet to fight cyber crime. While the idea is not without merit (companies sharing their security data with government security forces so that cyber attacks can be prevented and countered more effectively), it forces governments to address the politically charged question of whether to sacrifice privacy in the name of security. While US privacy watchdogs have been fighting this uphill battle for years, the UK’s Investigatory Powers Act 2016 (IPA) has recently sent the UN’s Human Rights Office reaching for its smelling salts.

The IPA (or ‘Snoopers’ Charter’ as it is known by its street name) is yet more proof that our legislators have learned little from their fumbling ways during the 1990s. While the privacy concerns are entirely justified (the IPA provides security services with the most wide-ranging surveillance powers in the Western world), it paradoxically also creates more security risks than it prevents.

For example, section 217 outright gives the government powers to bypass any encryption: it obliges internet service providers (ISPs) to inform the government about their new products and allows the state to request changes to their software and systems. This raises red flags for many, as it could potentially allow security services to demand ‘backdoor access’ (a confidential method of bypassing normal authentication procedures) to ISP data. And one thing about backdoors in cyberspace: they rarely stay closed for long.

From a historical perspective, it becomes clear that the government is not equipped to meet the technological challenges of the future, because no government has ever been able to do so.

At best, it will provide reactive legislation for an already outdated problem. At worst, much like our grandparents, it will cause more harm than good when it ‘tries to fix an issue with computers’.

Andras Kirkman-Kovacs is a legal review specialist. He has a degree and an LPC from BPP Law School, and has also studied law in Budapest. He is the runner-up of the BARBRI International Cyber Crime Blogging Prize.


4 Comments

Lord Harley of Council

One other thing to consider would be setting standards for security on items now falling within the internet of things rather than just focusing on hacking.

For instance, baby monitors, fridges etc. are now often sold connected to the internet and they are routinely hacked and used as part of botnets to launch DDoS attacks. As it stands, there is no legislative or regulatory framework to enforce a minimum standard of security and so there is often no incentive for manufacturers to take any measures at all to increase security.

An interesting take on this is last week’s Sam Harris podcast talking to a cybersecurity expert.

Pantman

The legislatures and the courts are largely ignorant of technology, but stuff like this doesn’t help:

Anyone with a Playstation Network account would be frustratingly familiar with DDoS attacks, whereby a system is crashed by flooding it with nonsensical requests, basically overloading it with spam.

‘Spam’ is email, it’s nothing other than email (unless you want something to eat). DDoS attacks, just like DoS attacks, use data, in various forms, to compromise a particular service or device – they effectively exceed the capacity of the device, or network connection, so that it cannot deal with the requests at hand. It would be unusual to use email as the payload – primarily because the usual course of things for mail servers is a bit of a handshake (very small bits of data) to establish whether the devices concerned even want to talk to each other.

A fairly recent exploit used the DNS system to send large amounts of data to target machines. Not to overwhelm the DNS services, but to flood the network connections of targeted services/devices. Precisely because the handshake used for mail services doesn’t exist for DNS.

It seems to me that no new laws were required to deal with this problem, just a sensible argument, because it is clear that the purpose of a DoS/DDoS attack is “to impair the operation of [a program]”, i.e. anything that the particular device is running, so s3 of the CMA would work.
