The issue of criminal liability for Denial of Service (DoS) attacks separately made the news twice in February 2005. First, the All Party Internet Group called for a Bill to be introduced into Parliament specifically to add a DoS offence to the Computer Misuse Act. Secondly, almost conversely, criminal charges were brought against a person for offences under the Computer Misuse Act in respect of a DoS attack.
A DoS attack is an attack against a computer system which overloads the system with data or information requests causing it to crash, or which significantly degrades the service provided by the system. DoS attacks rarely present a security threat, but they can cause huge inconvenience and can cost the target company a large amount in IT costs and/or lost revenues.
It is unclear whether the current wording of the Computer Misuse Act (CMA) covers DoS attacks. The wording of Section 3(1) of the CMA states that it is an offence to cause an “unauthorised modification of the contents of any computer”. There are valid arguments to suggest that unauthorised modifications are made to a computer when it is subject to a DoS attack, but there are also equally valid arguments that the opposite is true. It is generally agreed that the wording probably covers some DoS attacks, but this is only because third-party computers are used without permission to launch the DoS attack; the DoS attack itself may not be an offence.
Unfortunately, APIG’s proposed bill was given just 10 minutes of Parliament’s time and taken no further. However, the Police and Justice Bill, due to be published in early 2006, is likely to include amendments to the CMA which take account of the APIG’s recommendations.
Also in February 2005 the press reported that charges had been brought against a man in Scotland in relation to a number of DoS attacks, allegedly made against the owners of a number of online operations both in Scotland and the USA. The man was released on bail pending further inquiries by the police.
It was only the second time that charges had been brought under the CMA for the launch of a DoS attack. In 2003, similar charges were brought against a teenager from Dorset who was accused of launching a DoS attack. In that case the jury acquitted the accused because he successfully argued that a third party with access to his computer had carried out the attack, via the use of a trojan virus. The case did not therefore address whether the offences under the CMA could apply to a DoS attack.
Until the issue is decided at trial, it will remain unclear whether the CMA could apply to DoS attacks. Clarification by Parliament is much needed and would be welcomed by industry. It is hoped that the 2006 Police and Justice Bill will provide such clarification.
This article first appeared in our Technology Annual Review, March 2006.