Police in the UK lack the tools to prosecute cybercriminals

Last week, a 36-year-old man from the Greater Manchester area in the UK was given a two-year prison sentence for unlawfully accessing and deleting information found on servers belonging to his former employer.

Steffan Needham, an IT consultant who had been fired from the software company Voova, was found guilty under sections 1 and 3 of the Computer Misuse Act for costing the business an approximate £500,000 ($660,000) in damages.

The police investigation said that there was no question of Needham’s intentions – he had wanted revenge after being fired from his workplace.

“His actions, although just a matter of clicks on a computer, resulted in major financial loss to the company concerned, and people lost their jobs,” said investigating officer Detective Constable Giles Murphy of the Loddon Valley police cybercrime team.

DC Murphy said he hoped the case would serve “as a warning to those who may be involved in cybercrime”.

However, despite the surge in major data breaches that have enveloped the news headlines of late, convictions under the Computer Misuse Act are actually becoming less common in the UK – a disconnect that has prompted some security experts to call for reform.

Hacking crimes on the decline? Not likely

According to the UK’s Office for National Statistics (ONS), an approximate 4.5 million cybercrimes were committed in England and Wales last year – 3.2 million of which were reported as fraud, and an approximate 1.2 million related to computer misuse.

The volume of CMA-related offenses in the 2018 ONS report, however, marks a 30% decrease in hacking crimes recorded in the previous year, a change that’s thought to have been driven by a sharp drop in the use of ‘computer viruses’ to facilitate digital misdemeanors.

“Does anyone really believe that cybercrime is on the decline? I don’t think so,” Mark Nicholls, director of cybersecurity at Redscan, told The Daily Swig.

“We also can’t overlook the fact that, for a variety of reasons, many digital crimes go underreported,” he said, adding how massive breaches like those seen at Facebook and British Airways do not fall under the ONS remit of what defines a cyber offence.

“In many cases, criminal activities such as phishing are difficult to identify – people can be unaware that they have been victimized.”

Keeping pace

Most agree with Nicholls in that the ONS results only illustrate the ongoing difficulties of determining long-term cybercrime trends, where a lack of data may be contributing to an ineffective response by police forces on the ground.

Although the British government has invested heavily in upskilling its law enforcement at all levels with education surrounding digital forensics evidence-gathering, the lack of prosecution tools available continues to mean a low risk for criminals and shortage of justice for their victims.

“The law hasn’t kept pace,” Aaron Duggan, cybercrime lead for the North West of England, told The Daily Swig.

“It hasn’t kept up with the type of offending, the way offences are committed, because as soon as they put a sticky plaster on the internet over one particular crime, part of it just evolves, and we are never really ahead of the game.”

FOI request

First enacted in 1990, the Computer Misuse Act is one of the few mechanisms that law enforcement has to hold cybercriminals to account.

According to Freedom of Information requests obtained by The Daily Swig, there were a total of 169 convictions under the CMA between 2010 and 2015.

While the CMA has undergone amendments throughout the years, such as adding denial-of-service (DoS) attacks as a clear offence, the law has been controversial for its failure to protect legitimate security research through its loose definition of “unauthorized access” and potential criminalization of certain hacking tools.

Many, including the European Network and Information Security Agency (ENISA), have said that legislation like the CMA prevents security researchers from finding vulnerabilities through responsible disclosure.

“There are many problems with this area,” said Naomi Colvin, a representative from the whistleblower protection charity Blueprint for Free Speech.

“It [the CMA] creates a presumption that unauthorized access should be a crime and that there isn’t a need to institute defenses into it,” she said.

“So if you’re looking at a system and want to report that it’s not secure, that would also be unauthorized access.”

Speaking to The Daily Swig, Colvin explained how the CMA and its US counterpart the Computer Fraud and Abuse Act (CFAA) have served as models for computer crime laws around the world, and that both deter hackers from disclosing bugs in the public interest.
Covlin thinks the legislation needs reform for the additional repercussions it could have on journalism.

“There aren’t that many CMA prosecutions per year and if you have a look at who actually gets prosecuted at least a third of them tend to be police officers,” she said.

“But I think there’s a blind spot in the degree to which criminal offenses based around computers are also a threat to journalists and their sources.

RELATED UK Data Protection Bill amended to protect ethical hackers