Police and Justice Bill and its Impact on Denial of Service attacks 

May, 2006 -

The Police and Justice Bill was put before the House of Commons on 25 January 2006. The main aim of the Bill is to improve the powers and scope of the police force but there are a number of sections which look to update the Computer Misuse Act 1990 (CMA) and in particular to make Denial of Service (DOS) Attacks illegal.

DOS attacks can take many forms but are essentially an attempt to disrupt the use of a computer, server or website. Such attacks include: attempts to flood a server with e-mails or data so that it fails; attempts to disrupt the connection between computers; and a distributed denial of service (DDOS) attack when a large number of unconnected computers all attack a particular target simultaneously. In a DDOS attack the hacker will infect a target computer with a virus and the hacker will then command these computers to flood the targeted server of website with information or requests for data.

DOS and DDOS attacks have become an increasing problem for businesses. According to a parliamentary inquiry in 2001 there were over 4,000 DOS or DDOS attacks each week in the UK causing varying levels of disruption. Other commentators have suggested that as many as 50% of businesses in the UK have suffered from DOS or DDOS attacks.

In preventing DOS or DDOS attacks one of the biggest considerations for businesses is cost. In 2003 the Internet payment system Nochex, received an e-mail threatening an attack on their website unless $10,000 was sent to an offshore bank account.

Mr Malik,the founder of NoChex, initially ignored the threat. However when the website went down an hour later the situation was taken more seriously. The website had been attacked by 115 Mb of data. Mr Malik decided to contact the attackers and requested they give NoChex one hour to come up with the money. In this time Mr Malik arranged for his service provider to protect the system and this upgrade was immediately successful.

Nochex has since introduced a permanent network based solution designed by Cisco Systems to safeguard its network and prevent further attacks. Nochex estimate the initial cost of the system was ?20,000 with a further ?3,000 per month required. However, the problem with protective measures is they may sometimes discard genuine traffic.

There has been a considerable amount of speculation surrounding the CMA and whether it made DOS attacks illegal.

At the end of last year this was tested in court with a case involving a teenager who flooded his former employer with over 5 million e-mails. The District Judge acquitted the teenager saying that although the sending of the e-mails was a modification of his former employers computer system, it was an authorised modification of the system, which took the attack outside the scope of the CMA.

The Police and Justice Bill largely means that instead of an "unauthorised modification" of a computer system the required crime is now an "unauthorised act" and this "act" must have the relevant intent and knowledge.

This alteration should encompass a wider meaning and should mean that a computer system does not have to suffer any adverse effects before charges can be brought against the perpetrator. For example, even if the network solution prevents the attack, it may be possible to press charges against the attackers.

It is unfortunate that as currently drafted "unauthorised" is not being removed as this was the reason that the case above failed. But it is clear the intention of the revised Act is to prevent DOS attacks. Hopefully a Judge may be more comfortable in finding against an attacker, as the sending of 5 million e-mail in order to crash a website is clearly not an authorised use of a system or website.

While the biggest challenge for businesses is the cost of dealing with the attacks, or at least having sufficient IT systems in place to avoid them, it is to be hoped that this amendment to the CMA will make prosecution for such attacks easier.



WSG Member: Please login to add your comment.