Denial of service attacks and the Computer Misuse Act
The issue of criminal liability for Denial of Service (DoS) attacks has separately made the news for two reasons in recent months. First, the Chairman of the All Party Internet Group, Derek Wyatt MP, has announced that he will introduce a Bill to Parliament to amend the Computer Misuse Act. If adopted, the Bill will increase the existing penalties for hackers and add a specific DoS offence to the Computer Misuse Act. Secondly, and almost conversely, for only the second time in history criminal charges were brought against a person for offences under the Computer Misuse Act in respect of a DoS attack.
What is a DoS attack?
A DoS attack is an attack against a computer system which overloads the system with data or information requests, causing it to crash, or which significantly degrades the service provided by the system. In some instances, the attackers use third party servers (known as "zombies" or "zombie machines"), often in a different jurisdiction, to launch the DoS attack on the target company. These DoS attacks are known as distributed denial of service (DDoS) attacks and, where they are used, it is much harder to identify the original source of the attack.
DoS attacks rarely present a security threat, but they can cause huge inconvenience and can cost the target company a large amount in IT costs and/or lost revenues. For example, during the 2004 FIFA World Cup, online "gangs" were reported to have blackmailed a number of online betting companies by threatening to issue DoS attacks during the companies' busiest periods. The threatened DoS attack would have been unlikely to harm the online gambling companies' computer systems, but it would have cost the companies a huge amount in lost revenues.
Amendments to the Computer Misuse Act
In July 2004 we published a Law-Now article on the recommendations made by the All Party Internet Group (APIG) to Parliament in its report on the Computer Misuse Act 1990 (CMA) and on the issue of cybercrime generally.
Earlier this month (March 2005), Derek Wyatt MP, Chairman of the APIG, announced that he would introduce a bill in order to persuade Parliament that the CMA requires updating. The proposed bill, which is being brought under the Ten Minute Rule, is currently scheduled to be heard on 5 April 2005.
The proposed bill includes two of the main recommendations from APIG's July 2004 report: that the CMA should be amended to include a specific DoS offence; and that the maximum sentence for hacking would be increased from 6 months to 2 years' imprisonment. The maximum sentence for serious hacking offences, where there is an unauthorised modification of data on a computer or where a further crime takes place, would remain at 5 years.
It is unclear whether the current wording of the CMA covers DoS attacks. The wording states that it is an offence to cause "an unauthorised modification of the contents of any computer". There are valid arguments to suggest that modifications are made to a computer that is subject to a DoS attack, but unfortunately there are also equally valid arguments that the opposite is true. It is generally agreed that the wording probably covers some DoS attacks, but this is only because third party computers are used without permission to launch the DoS attack; the actual DoS attack from the zombie computers may not be an offence.
To ensure that DoS attacks are covered by the CMA, the proposed bill would make it an offence to do something which causes or which is intended to cause "directly or indirectly, an impairment of access to any program or data held in any computer".
In 2002, Lord Northesk introduced a similar private member's bill to update the CMA. Unfortunately, this ran out of parliamentary time and no update was made. Lord Northesk's bill was criticised for being too wide because it did not link the DoS offences to the intent of the party making the attack. The proposed bill addresses this by specifying that there must be "intent to damage the performance of an activity for which the relevant computer, or any program or data held on that computer is used".
It is unfortunate that Parliament's only consideration of the APIG recommendations, made almost 9 months ago, will be limited to hearing just 10 minutes of debate about the proposed bill. This is despite assurances from the Home Office shortly after the APIG report was published that the matter would be given full consideration. It is very unlikely that the proposed bill will be converted into statute, at least during this term, but it is commendable that the APIG has continued in its attempts to reform the CMA and that it has placed the issue on the agenda during the election period.
Charges brought under the Computer Misuse Act for a DoS attack
According to news reports (BBC News, Man accused of "zombie" web blitz, Jan 2005) a man charged with offences under the CMA appeared before Elgin Sheriff Court in Scotland on 17 January 2005. The charges were brought in relation to a number of DoS attacks allegedly made by the accused. The attacks were made in order to extort money from the owners of a number of online operations in both Scotland and the USA. The man was released on bail pending further inquiries by the police. If there is a trial it is likely to take place later this year.
This is only the second time that charges have been brought under the CMA for the launch of a DoS attack. In 2003, similar charges were brought against a teenager from Dorset who was accused of launching a DoS attack. In that case the jury acquitted the accused because he successfully argued that the attack was carried out by a third party with access to his computer, via the use of a virus known as a trojan. The case did not therefore address whether the offences under the CMA could apply to a DoS attack.
Until the issue is decided at trial, it will remain unclear whether the CMA can keep pace with changing technology, as it was designed to do, and therefore apply to DoS attacks. What is clear is that clarification of the point by Parliament, whether or not through making the proposed bill law, is much needed and would be welcomed by industry.