There are two kinds of cybercrime, cyber-enabled and cyber-dependent. A cyber-enabled crime is one that can be committed without the use of computer technology, but which is amplified in speed, scale or significance by technology. Think about stalking: a person can stalk their victim without using any technology, but if they start to do this through cyberspace, we’ll treat it as cyberstalking and a cyber-enabled crime. Another example is fraud, which doesn’t need computers, but if a criminal sends emails to phish sensitive information for use in fraud, we’ll consider that to be a cyber-enabled crime.
In contrast, a cyber-dependent crime is one that doesn’t have a “traditional” or “analogue” equivalent. Cyber-dependent crimes cannot be committed without the use of computers. An example is malware distribution. Another is distributed denial of service (DDoS) attacks that use botnets.
In between these two extremes we have hybrid crimes that are both cyber-dependent and cyber-enabled. Consider a ransomware attack. It is cyber-dependent because it is conditional on the use of cryptovirology. However, its purpose is to extort a ransom payment, which can constitute blackmail, a crime that can be committed without computers. So, in a ransomware attack, a cyber-dependent crime facilitates a cyber-enabled crime.
So, please meet the Computer Misuse Act 1990, which has been amended a number of times over the years to keep pace with (or, rather, not to fall too far behind) developments in cybercrime (see most recent government consultation here). The CMA is our principal “anti-hacking” legislation and it gives effect to the UK’s treaty obligations under the Council of Europe’s Budapest Convention.
And here’s another interesting fact: the CMA doesn’t define what a computer is! What do you make of that? Is that bad legislation or good? Well, conventional thinking is that it is a good thing, because it has enabled the legislation to be adaptable to changes in technologies over the years.
Section 1 contains what’s commonly referred to as “the basic offence”, which is the offence of unauthorised access to computer material. Plainly, this is a cyber-dependent crime. The crime is committed when a person knowingly causes a computer to perform any function with intent to achieve unauthorised access to any program or data held in any computer, or to enable such access. For these purposes, gaining access can be as simple as causing a program to be executed. If you think about that for a moment, you’ll be able to envisage how easy it is to commit the basic offence. For example, if you have policies in the workplace prohibiting you from using a colleague’s computer, you could commit a crime simply by turning it on without permission.
Section 2 builds upon the basic offence, to prohibit unauthorised access with intent to commit another offence, or to facilitate the commission of another offence. The other offence has to be one for which a prison sentence of at least five years can be imposed on a first-time adult offender, which captures fraud by false representation, theft and blackmail, for example. Therefore, ransomware attacks, CEO frauds, invoice frauds and credential stealing malware can fall within this offence.
Section 3 covers sabotage, integrity and availability offences, where an unauthorised act is knowingly performed in relation to a computer with intent or recklessness to impair the operation of a computer, or prevent or hinder access to a program or data, or impair the operation of a program, or impair the reliability of data, or to enable these detriments. This covers malware attacks, denial of service attacks, ransomware attacks, wiper attacks etc.
Section 3Z is aimed at cyber warfare, cyber terrorism and similar, highly impactful attacks. The offence is committed if a person performs an unauthorised act in relation to a computer with intent, or recklessness, to cause serious material damage, i.e., damage to human welfare, the environment, the economy or national security.
Section 3A is aimed at the creation of cyber-attack tools. It covers the making, adaptation, supply of and offers to supply any articles that can be used as part of, or to assist with, the commission of section 1, 3 and 3Z offences. These offences require either intent that the article be used in such an offence, or belief that it will be. This will cover many aspects of the Crime as a Service criminal model, such as the sale or rental of malware on the dark web, access credentials and “hacking guides”.
A person can be prosecuted under the CMA if their crime displays a significant link with the jurisdiction, which can include the target computer, or other computers that are used in the crime, being in this country. This means that cybercriminals operating from abroad can be prosecuted under our law, but, of course, that brings into play many other complicated issues such as identification, attribution, evidence gathering and preservation, mutual legal assistance, extradition and so on.
Finally, a few words about security researchers. Some White Hat researchers are seeking updates to the law, so that they can be immune from prosecution when they are engaged in ethical hacking and legitimate research in the public interest (see Parliamentary debate here). In contrast, there are some Grey Hat researchers who regularly breach the CMA to acquire evidence with which to pressure organisations into paying bounties. In some respects, these Grey Hats are no different from fully fledged Black Hats, where their engagement model implies a threat to go public and “dump” data online if they do not get paid.