The Computer Misuse Act

The Computer Misuse Act (CMA) is the main legislation in the UK which covers computer-related crime.

It was originally introduced in 1990 and has been used as a basis for similar legislation across the world. A number of updates have followed in recent years in order to reflect new technologies, developments in cyberspace and new forms of criminal activities.

Punishments for offences under the CMA vary depending on the severity of the crime, so let’s take a quick detour into some legal terminology to support our understanding.

A summary offence is usually one which is considered less serious. The case will only be looked by a magistrate and normally carries smaller penalties and shorter prison terms. An indictment is used for more serious offences and carries penalties up to the maximum and may involve a prison term. These cases will be decided by both a judge and a jury.

Back to the law itself, the CMA currently has five main offences:

Unauthorised access to computer material

  • It must be proved that the suspect knew their access was not authorised
  • The maximum prison sentence is 12 months (summary) or two years (indictment) and/or a fine

Unauthorised access with intent to commit or facilitate the commission of further offences

  • It must be proved that the suspect carried out the hacking to further some other criminal intention, such as theft
  • The maximum prison sentence is 12 months (summary) or five years (indictment) and/or an unlimited fine

Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer

  • This covers damage to computer systems or data, including Denial of Service (DoS) attacks
  • The maximum prison sentence is 12 months (summary) or 10 years (indictment) and/or an unlimited fine

Unauthorised acts causing or creating a risk of serious damage

  • This aims to protect human welfare, UK critical infrastructure, national security and the economy, in particular in relation to cyber-physical systems
  • The maximum prison sentence is 14 years or a life sentence in the case of damage to human welfare (eg loss of life, illness or injury, or threat to national security) and/or an unlimited fine

Making, supplying or obtaining articles for use in an offence under the above sections

  • This section also covers developers and distributors of any form of malware, botnets or any other hacking tools
  • The maximum prison sentence is 12 months (summary) or two years (indictment) and/or a fine

A common part of the criteria for the main offences under the CMA is that the prosecution has to prove that the suspect knew that they were not authorised and had acted intentionally. This affects the ethical hacker if they accidentally go out of scope.

For example, if they attack a system for which they have not been authorised, they are not yet automatically guilty under the CMA as they did not intend to commit that crime. However, if they intentionally attack a system which is out of scope (ie they are not authorised) they could be liable under the CMA.

Development of the CMA

In 2006, the CMA was amended by the Police and Justice Act in order to comply with the European Convention on Cyber Crime. The amendment increased the maximum penalties and also made it explicit that DoS is a crime.

The 2006 amendment also made the development, distribution or use of hacking tools illegal if there is an intent to commit or assist in the commission of a crime. This covers virtually every tool that an ethical hacker will have, with the only difference being that an ethical hacker does not have the intent to commit or assist in the commission of a crime.

In 2015, the CMA was amended again, this time by the Serious Crime Act, which introduced a new section protecting the UK national infrastructure, national security and human welfare.

The CMA continues to be updated with new developments focusing on covering smart mobile devices, as well as making the disclosure of stolen information illegal (eg publishing passwords).

The CMA has been used in convicting cybercriminals in many cases – see the Computer Misuse Act in action link under ‘Further reading’ for some examples.

Your task

Identify the equivalent to the UK’s CMA legislation in your own country. If you are based in the UK, choose another country to look at.

Work out what the main offences are (what people could be prosecuted for) and the criteria for each.

Post a summary in the comments outlining what you consider to be the legislation’s strong and weak points. For example, are there any types of cybercrime which aren’t fully covered?

Look at what other learners have posted. Can you see any gaps that they haven’t identified?


References

Computer Misuse Act (1990) available from https://www.legislation.gov.uk/ukpga/1990/18/contents [11 April 2019]

Police and Justice Act (2006) available from https://www.legislation.gov.uk/ukpga/2006/48/contents [11 April 2019]

Serious Crime Act (2015) available from https://www.legislation.gov.uk/ukpga/2015/9/contents [11 April 2019]

Further reading

Computer Misuse Act Factsheet

Computer Misuse Act in action

Share this article:

This article is from the free online course:

Ethical Hacking: An Introduction

Coventry University