computer misuse: fact or invention



UPDATE on Computer Audit, Control and Security

COMPUTER MISUSE: FACT OR INVENTION by Emma Nicholson

Computer misuse, and in particular computer hacking, has gripped the public imagination of late. A rash of US media reports crossed the Atlantic late last Autumn and gained briefer reprints in the British national press alongside tantalisingly short excerpts from European Community national dailies commenting on and reporting incidents in Belgium, France and Scandinavia. At the same time The Sunday Times identified computer pornography and children as an area of social concern while the computer security trade journals continued to highlight in some detail industrial and commercial vulnerability from disaffected computer staff or malicious or naive outsiders. As winter wore on stories of computer hacking surfaced, with The Observer's Victor Smart taking the lead in charting the largeness of the threat that hackers posed not just to industry and the financial world but to the Government (and to any Government irrespective of Party colouring) and to the private citizen whose visage, warts and all, is now so finely-documented on a variety of computer systems. I wrote an article in The Times giving examples without company or individual names, and a riposte in The Guardian to a challenger supporting hacking. The television and radio came alive in April and subsequently, with Channel 4 and ITN leading 'The Money Programme' by a nose. The 'Today' programme, 'The World Tonight' and BBC World Service each treated the topic with ingenuity and responsibility. Channel 4 and three days later 'The Money Programme' took hacking in the round, talking to mainframe manufacturers, users and to hackers while ITN boldly eavesdropped electronically, to the dismay of their legal advisers. As a commentator, I pointed out their action was wholly within the law, but even knowing this did not make the scrutiny of others' personal data seem a healthy or a socially acceptable pastime.

I became involved in the wide topic of computer misuse during my service on the new Copyright legislation. Working on a new clause designed to foil hackers from copying protected software with members of the British Computer Society Intellectual Property Committee (Bob Hart and the late John Appleton) and DTI Civil Servants and lawyers, brought home to me the vulnerability of modern computer systems since the introduction of Open Systems Interconnection and the widespread purchasing of low-cost personal computers. These two innovations, combined with the dramatic lowering of the purchase price of mainframes so that computerisation growth in the UK has been speedy (we spend more GDP on computerisation than our EC competitors), have resulted in an uprush of activities which, were they committed outside the computer environment, would surely be unacceptable to society.

Planting of worms and viruses, Trojan horses and time-bombs, corruption of data within computer records and the unauthorised entry of an insider or outsider into a computer system; all these activities and plenty more are wholly within the law. And yet, given the personal and financial value and the volume of computer-held data and, even more importantly, the reliance society now places upon computer systems, great harm can be caused by these activities, both to individuals and groups and even to nations and international country blocks such as NATO or the European Community itself.

In The Philosophers, the newest novel by Alex Comfort (Duckworth, 1989) a philosophy lecturer and his students attempt to destroy the British economy by planting a virus into the Government's computer system. Alex Comfort displays society's most inexplicable, albeit endearing, belief that computer systems are all-embracing and error-free. The concept that a single, perfect Government computer system could ever exist belongs to James Bond and not to the real, all-human world of suppliers, Government departments and contract agencies wrestling with different variables and each under differing stresses and constraints. The Government, for example, is reprimanded by The Select Committee on Trade and Industry for honouring our European commitment to fair and not national tendering and purchasing. The Opposition chases Government for contracting out at all. Suppliers and manufacturers welcome both fair tendering and contracting out as ways of getting Government computer work up and running to an acceptable standard and within a reasonable timescale, neither of which goals could be reached at all were the Departments to recruit or train and retain the large numbers of highly paid new skills the work requires. Since no Department has the same priorities of timescale or data needed or compatible processing requirements either, the fiction of a single Government system belongs after all to Cartland at her most inconsequential and resistible. James Bond's fantasies, nice or nasty, sometimes turn to fact; Miss Cartland's never do.

(HACKING: A PARLIAMENTARY VIEW)

But Alex Comfort's The Philosophers underscores one point: computer systems now hold the integrity and workings of our society in thrall. Companies are being criticised for withholding evidence of hacking and other computer misuse from public gaze. I've received letters from overly-inquisitive, self-styled computer security experts (unidentifiable as such by my computer industry eminences), rudely demanding knowledge of company break-ins that have been passed to me in confidence for subsequent use only in briefing the English Law Commission and Government Ministers. Yet public custom is so fickle that in France, where since their Anti-Hacking Law was passed in 1985 a substantial body of knowledge is now held by the police, firms report a haemorrhage of customers when electronic break-ins are reported in the media. All praise, therefore, to those public-spirited companies who've stood up to be counted pour encourager les autres. (One ex-Cabinet Minister sought my assistance on an hysterical letter from a constituent demanding that he should receive all my research immediately. I wrote back a suggestion that a soothing reply would suffice as the correspondent had written too many pages of inconsequential material for a logical reply. The ex-Minister mailed in error my own letter to him to his correspondent and the torrential outburst subsequently nearly drenched us both - a Parliamentary lesson).

In recent months industry and the financial world, strengthened by knowledge that competitors have those problems too, have pulled together to elicit some of the many subterranean instances of computer misuse. Hackers and their backers of course say either all stories are apocryphal or that abuses can be dealt with by current laws. In fact, neither is true. Perhaps the reason hackers say their actions are innocent by intent or, in effect, is because those who speak loudly (and there are few) are not in touch with those of malicious or criminal intent. Or, in at least one case, because the hacker concerned earns his own living through both promoting and foiling hacking and finds it an agreeable and effective life-style. Most thinking computer professionals who have been hackers now agree the activity should be outlawed (ref. the July survey in Computer Weekly) as do the majority of bulletin board users (such as The British Association of Computer Clubs, with 20,000 members, albeit seeking the proper safeguards for their work); and industry (see my Hotline Questionnaire, the recent Butler Cox telephone survey and other published data). This still leaves out of the debate the ordinary citizen, whose details now form records on the computer systems of his bank, insurance company, local shops and mail order firms, his building society, general practitioner and soon his hospital, the Inland Revenue, the local District Council and perhaps (most probably) the Social Security Department. While framing legislation to protect the integrity of computer systems his needs are paramount. It will be crucial to strike the balance between Government disclosure on an on-going basis of knowledge collected from citizens and organisations in pursuit of or in the course of executing Government responsibilities and duties and the maintenance of personal dignity through privacy.

Surely this central element of the debate has been all but overlooked. In all societies everywhere, even the most primitive man's need for personal privacy in some areas of life is known and honoured. Medicine is a good example; when we go to the doctor we expect our medical details to be kept confidential between the patient and the medical profession, and only used or disclosed in the best interests of the patient. Money is another, naturally-sensitive area. Few people wish the bank manager to publish details of their clients' personal wealth, or lack of it. Privacy is an accepted practice in these and other areas of private life.

Computerisation on the modern scale changes the landscape, with few outside the computer industry understanding the scale, rapidity and irreversibility of the change. The new scenery needs urgent and most public debate, so that the course for the achievement of the greatest good for the greatest number of people can be finely charted.

The forcing-ground for such a debate in our system is Parliament. Perhaps the process can be compared to the baking of a loaf of bread. The ground flour represents the people; single grains are of little use and scarcely visible but combined and processed become all-powerful. The yeast is the opinion-forming section of society; here, individuals and groups with knowledge and powerful voices. Combined, the yeast and flour work together, the proving process, knocking down and kneading again for final proving taking our legislative loaf through Parliament's slow procedures. The baking - right at the end of all the work - should give a product of good quality, consistent and lasting, ready for use by all; the final Act.

Modern legislation is rarely simple, and a Bill dealing with technical issues such as computer misuse will be more complex than most, not necessarily in drafting but in the explanation of its clauses necessary to gain public views. Highlighting the problems of computer misuse in a non-dramatic but attention-seeking way is difficult. It is much to the credit of those in the media who have made reports or programmes on computer misuse that public awareness has grown so fast recently with few unsupported scare-stories. It's easy to focus on sex or security with banner headlines and harder by far to engage interest in a new and serious matter without drama. Yet for the Parliamentary process to be truly successful (a test of democracy is surely broad interest and subsequent agreement of the direction to be taken and the measures to be adopted) public interest must be caught and focussed more closely and for some time to come.

The English Law Commission Report on 'Computer Misuse' is due to be published in early autumn. This major piece of work, coming out sooner than originally scheduled because of public interest, will deserve keen scrutiny. Industry and individual response must be harnessed; so much good thinking generally goes to Parliamentary waste because of late arrival (people often start to comment on major legislation long after a Bill has reached the Statute Book).

I've convened a large and largely representative Computer Misuse Challenge Group to give a broad-brush response to the Government. The British Computer Society are holding a major debate which will encompass the Law Commission findings in late November. Others will hold meetings too.


One thing is clear; computer misuse is real and will not go away. In my own and many others' view, the time for harnessing public concern in a debate is now, and the Government should act.


Emma Nicholson is the Member of Parliament for Torridge and West Devon. She entered the House of Commons in June 1987. Her career path followed an unusual pattern. She trained first as a musician and qualified at The Royal Academy of Music (LRAM, ARCM). She then applied successfully to International Computers (then ICT) and joined the company in 1962 as a trainee software programmer working in machine code on operating routines and high-level language creation, and on a broad variety of large industrial, commercial and Government contracts in Britain and Africa as systems analyst and programming team manager. She spent ten years in the computer industry before joining The Save The Children Fund where, as Fund-Raising Director, she initiated and ran large scale computerised mailings to external lists among other responsibilities.

In Parliament, she worked as a Standing Committee member on The Copyright, Designs and Patents Act in 1988 and was responsible for a number of amendments and a new clause to protect computer software. She sponsored a Private Members Bill on Computer Misuse (The anti-Hacking Bill) in April 1989 and is urging the Government to take the concepts of that Bill into early Government legislation in The Queen's Speech this autumn.

SUMMARY OF 'THE ANTI-HACKING BILL 1989' AS ORIGINALLY PROPOSED BY EMMA NICHOLSON

The Bill would have created 'offences of unauthorised access to electronically stored data and its transmission, to confer powers of monitoring, search seizure and destruction of such data and for related purposes'.

Clause 1(1) defines the offence of effecting unauthorised access to a computer or computer system either to the offender's or to another's advantage, or to another's prejudice. Unauthorised access which is "reckless" as to whether advantage is caused to the hacker or prejudice to another is also covered.

Clause 1(2) outlaws the possession of anything intended to be used to gain unauthorised access to a computer as defined in clause 1.

Clause 1(3) outlaws the transmission or reception by wire or electromagnetic waves of any writing, signals, signs, pictures or sounds with the intention of committing an act beneficial to the perpetrator or prejudicial to a third party.

Clause 1(4) creates the specific act of unlawful access to another's computer for an unauthorised purpose.

Clause 2(1)-(2) sets out penalties for offences under Clause 1(1)-(3). These range up to ten years imprisonment for acts committed with intent, and up to five years for acts committed recklessly.

Clause 2(3) sets out penalties for offences under Clause 1(4) - a fine up to s

Clause 3 provides for the issue of warrants to permit the seizure, confiscation and destruction or other disposal of equipment, documentation or anything else used to commit offences under the Act (acts committed before the Act came into force would also have been covered). Where another person's equipment has been used, he would have the right to be heard by the court before the order to destroy or otherwise dispose of it were made. It also provides for monitoring by electronic means or other forms of surveillance of equipment which the police have reasonable cause to believe may be used to obtain unauthorised access to a computer.

Clause 4 gives definitions of terms used.

Clause 5 states that the English courts shall have jurisdiction if at the time the offence was committed, the accused was in England and Wales, the computer was in England or Wales, a communications link used was in England or Wales, or the proceeds of the offences were 'deposited, processed or transferred from within England or Wales'. (The Act does not extend to Scotland or Northern Ireland.)

Volume 2 Number 1, 1989