international computer security legislation: what should the uk consider next?


October 1990 Computer Fraud & Security Bulletin

Soviet computer viruses

Finally, a note on computer viruses in the Soviet Union. According to Vladimir Bakulin of the Interbranch Commercial Bank for the Development of Wholesale Trade, there are fifty-one microcomputer viruses rampant in the USSR at the present time. These include the well-known Jerusalem virus (and its variants), Datacrime and Brain, as well as some that originated in Hungary and Bulgaria. Some of the viruses in the Soviet Union are local, home-grown varieties. There is nothing particularly sophisticated about them. They, like their Western cousins, mainly alter the File Allocation Tables (FATs) and boot sectors of disks and only differ from the well-known Western viruses in their program size. One Soviet anti-virus program, called ‘STRAG’, is already being marketed in the West. It scans MS-DOS compatible programs for the presence of viral code that is between 534 and 3168 bytes in length.

The future

President Gorbachev has announced that he wants 20 million PCs in use in the Soviet Union by 1992. That is a real feat when one considers that there are only about a quarter of a million PCs in use in the Soviet Union today. However, some parts of the Soviet Union are aggressively pursuing computerization on their own without taking cues from Moscow.

For example, Byelorussia (which is closer to Poland geographically and culturally than it is to Russia), is actively promoting the full use of information technology. This includes the procurement of audit and security software even if they have to do it on their own and procure it from non-COCOM sources (read that as South Korea, Taiwan, Singapore, Finland or the eastern part of the soon-to-be reunited Germany). Leningrad businesses, too, will strike their own deals with Western firms. In the Soviet Union, computer security will soon mean economic survival rather than military competitiveness with the West.

INTERNATIONAL COMPUTER SECURITY LEGISLATION

What should the UK consider next?

Emma Nicholson, MP

Hackers beware! At the beginning of September, Michael Colvin’s Computer Misuse Bill (now Act) came into force following Royal Assent - received 29 June - and a smooth passage through Parliament where it received strong cross-party support, achieving a major step forward in the fight against computer misuse.

Internationally, the UK was somewhat late in producing legislation. Sweden, for example, legislated in 1973 stating that “a person who unlawfully procures access to computer-stored data” commits an offence. In most areas, the UK law matches up well to others internationally, although there are some important innovations elsewhere. The US legislated first in 1984, criminalizing unauthorized access to computer systems. The law was amended in 1986 and expanded to include special provision for ‘Federal interest computers’ (that is, those used by financial institutions or the government). This is an important move due to the very high standards of information held on public sector computer systems.

Medical records, for example, which are becoming computerized in the UK, are a major source of concern. There is already a case of a cancer victim being blackmailed after deciding to spare her family the dreadful truth of her illness, and in France blackmail has occurred when AIDS records have been discovered. The US also has an innovative punishment of banning hackers from using computers for a probationary period, which should certainly be considered elsewhere to slam the door in the face of many who seek to return to hacking. Furthermore, the 1987 Computer Security Act established new programmes in computer security awareness training, security planning and other activities to protect sensitive government information, after various surveys lamented the lack of security applied by individuals and companies.

West Germany has no automatic prosecution for unauthorized access, modification of data, and computer sabotage, but prosecutes on request of the victim. The unauthorized access offence states that an offence occurs only if the system is “especially protected against unauthorized access”, which is also the case in Norway. There is concern about the strength of German law, which has not really been tested. Even the KGB data spies, convicted last February, were prosecuted with reference to activities for a foreign intelligence service rather than under the hacking law.

France has a useful additional crime of accidental damage during unauthorized access. Denmark has increased punishment for unauthorized access with intent to look at trade secrets, but is broadly similar to UK law. Others fare less well: in Austria and Greece laws cover computer-related fraud and damage to computer systems and programs, but they have no simple hacking offence. Finland, Italy, the Netherlands, Switzerland and Turkey are only considering legislation.

With the exceptions mentioned, the new UK legislation stands up to scrutiny alongside other laws internationally. However, all is not well: most computer misuse laws worldwide overlook the matter of procedural law, that is, enforcement. Last September, the Council of Europe reported on computer-related crime, raising this concern with respect to computer law in Europe, something of which we are now guilty.

We have several problems. The first relates to the powers of police searching. These are insufficient since the police powers are limited only to physical search - evidence in computer-related crime is invariably not of a physical form. There is also a problem with confidentiality. At present, to secure information to investigate banking fraud, police must apply for special permission to access bank accounts.


The vast majority of computerized material is confidential, and the police need the power to access that material to avoid committing the offence of a breach of contract. This is not available under the new Act.

There is also a problem with electronic surveillance. To gain evidence of hacking offences, the police will occasionally require the power to analyse the communications activity of a suspected hacker. This can only be obtained if permission to conduct ‘wire-tapping’, to use an old-fashioned phrase, is available to investigators. At present only the Home Secretary can grant a warrant for such surveillance. Without a change in the current legislation, he will be bombarded with applications for such warrants, greatly slowing police work in tracking hackers.

During the passage of the Computer Misuse Bill, I proposed that power to grant such warrants should lie with a Justice of the Peace, which would greatly improve the efficiency of police work in this area. Unfortunately, this was not adopted, but I look to the possibility of further legislation when the unworkability of the present law becomes truly apparent.

There are also difficulties in relation to the admissibility of computer evidence in court. The Police and Criminal Evidence Act, which governs admission of computer evidence in court, makes a qualification that the computer from which the evidence was obtained must be properly functioning. In relation to acts of computer misuse, it is by no means possible to be certain that this is so, due to the very misuse which has brought the case to court. This whole issue must be cleared up.

Finally, there is a problem in relation to tracing hackers by means of the telephone network, which is necessary to aid with identification. Cooperation in this from the telecommunications industry is vital, but at present is only voluntary. Both Mercury and BT are on occasion reluctant to cooperate with the police. Such cooperation must become mandatory to ensure adequate powers of tracing.


There are also some points in relation to practicalities to make conviction possible. The police must obviously be adequately trained to enforce this new law. Although the Metropolitan Police have considerable expertise, some forces elsewhere are a little baffled on how to carry out their new duties. Unfortunately not all hackers are considerate enough to confine their work to the capital city. However, I am glad to say that work in this area is taking place. Hampshire Constabulary are interested in looking at means of pooling the overall knowledge of our police forces. They are planning a conference next Easter for this purpose, also drawing on the knowledge of a panel of advisors with technical and legal expertise. We can also take on board the excellent example of the US: the FBI, since 1976, has offered specialized training for computer misuse investigators in addition to consulting experts from other government agencies, private sector companies, and educational institutes.

Companies must use the law. One major advantage which will aid police work is that there is now an incentive to report cases of computer crime, allowing a clearer picture of the situation to be built up, which beforehand was a great problem. (Last year’s Computer Weekly survey showed that 93% of those attacked did not report it to the police.) Prompt detection and reporting will both aid police work and allow companies’ contingency plans to be rapidly implemented, reducing losses. Companies must therefore have adequate security for detection purposes, and aware staff to deal with a situation if it arises. I am glad to say that many companies in this country take the threat of computer crime seriously and are taking action in this area.

Finally, there is the whole issue of international crime, the extent of which has been shown by the Computer Chaos Club. The dangers of computer misuse on this scale are comparable with those of the drugs trade and international terrorism (especially when terrorists start using computers to further their cause). It is essential to secure harmonization of laws, inter-force cooperation for the purpose of investigation, and efficient extradition procedures. Work is taking place in these areas within the UN, the Council of Europe, and OECD - but we need to see rapid progress in these areas.

It appears that I am painting a gloomy picture of the continuing legal problems relating to computer misuse, but I believe all the improvements mentioned above are achievable both in this country and internationally. Computer misuse will always be a major concern and we should spare no amount of effort in securing completely enforceable and loophole-free legal safeguards. I warmly welcome the Computer Misuse Act as the cornerstone of that goal.

COMPUTER ASSISTED INVESTIGATIONS

Off-the-shelf investigatory tools

Philip M. Stanley

Ernst & Young, 83 Clarence St., Sydney, NSW, Australia

The likely trend of computer crime is that it will increase both in the number of cases and the amount of money and/or valuable data involved. It would not be unreasonable to make the following assumptions about computer crime trends:

1. Computer crime will tend to increase in proportion to the number of computers in use.

2. Computer crime will tend to increase in proportion to the number of people literate in the use of computers.

3. Computer crime will tend to increase in proportion to the number of input/output terminals available to users.

©1990 Elsevier Science Publishers Ltd