UPDATE on Computer Audit, Control and Security
COMPUTER MISUSE by Chris Amery
The appeal court judges in the case of R v Gold and Schifreen rejected very robustly the idea that obtaining unauthorised access to computers by using a false password amounts to forgery. They said that if Parliament wants it to be an offence it must say so. Computers, in other words, are a special case and need special legal provision. The government's response was to ask the Law Commission to report. The Law Commission's response was to consult as widely as possible. Hence the emergence of the public 'issue', since, quite rightly, no one in Whitehall or Westminster likes creating new offences unless there is a real mischief which needs to be outlawed.
Few would deny, I think, that deliberate alteration or erasure of computer programs or data, without authority, is such a mischief. The question of whether it is currently covered by the Criminal Damage Act is a difficult and technical one, and logically there should be no objection to the proposal that it be clarified. Similarly in dealing with 'computer fraud' there is wide acceptance that the concept of 'deception' should encompass deception of a machine as well as a person.
But what about 'mere' hacking, without any resulting fraud or corruption of data or programs? Is that also a mischief? Well, it is certainly anti-social. In an age when we are trying, in laws such as the Data Protection Act, to legislate for a certain amount of privacy, it seems odd to look favourably on a group of people whose hobby is the extremely unlovely one of prying into other people's affairs. However, it is not necessarily an offence to be anti-social, so what is the real mischief?
My answer, and that of the CBI, is that from the point of view of the computer user a hacking incident can be a major disaster. The problem is that no system owner who discovers that his system has been hacked into can afford to take the slightest chance.
It may be almost impossible to assess the extent of the penetration - since someone has been clever enough to break through the system's security barriers the owner must assume that he may have made changes, or planted a virus or logic bomb, or perhaps have left an easy way in for future use, or committed a fraud. As a result, the system owner must spend large amounts of time and skilled manpower on investigation and re-constitution of his system. Its integrity has been compromised, and restoration must take top priority.
Volume 2 Number 1, 1989
It is as if an intruder managed to get to a commercial aircraft and remove a cover from one of the engines. Even if at the end of the day it is discovered that he did nothing more than that, the cost to the airline is huge: the aircraft has to be grounded until exhaustive checks have been carried out to ensure the engine has not been tampered with. Similarly a hacking incident, even if no damage is done to programs or data, can cost hundreds of thousands of pounds to clear up, or even more where multiple systems are penetrated on a network.
There are other threats as well of course: the supposedly 'innocent' hacker may be being used by organised crime, or espionage, or he may have quite accidentally caused changes in finding his way round an unfamiliar system. The system owner must assume the worst, and the more critical the system, the more necessary it is to check it out exhaustively.
Hacking is a menace, as anyone who is familiar with hackers' bulletin boards well knows. Of course computer suppliers and users have a duty to try to stop it by implementing proper security measures and enforcing the disciplines necessary to make them work. But to throw all the responsibility onto system owners, whilst leaving hackers with a free hand to try everything they know to break through those security measures, would seem to me perverse indeed. The UK should join the growing world-wide club (France, West Germany, Denmark, USA, Canada, etc.) of countries with specific laws against computer misuse. Parliament should act as soon as the Law Commission report is published.
Chris Amery is Technical Relations Programme Manager, IBM (UK) and Chairman of the CBI Computer Security Working Group.
(NEWS) Electronic transaction system for unit trusts
Istel are, from October, to introduce an online system for buying and selling unit trusts along the lines of their insurance broking system.