Denial-of-service attackers face 10 years in prison

Denial-of-service attackers now face up to ten years in prison under the new Police and Justice Act 2006, which came into force last week.

Section 34 of the act replaces Section three of the Computer Misuse Act (CMA) 1990 and clearly covers denial-of-service attacks as "unauthorised acts with intent to impair the operation of a computer".

The legislation includes broader and more precise language and says that a person is guilty of an offence if they have the intent to impair the operation of any computer, prevent or hinder access to any program or data held on a computer, or impair the operation of a program or the reliability of data.

The old law didn't specifically address denial-of-service attacks and the new legislation aims to clarify this. The CMA criminalised someone for doing anything "which causes an unauthorised modification of the contents of any computer", as long as this was carried out with intent.

Confusion had arisen over whether denial-of-service attacks were covered in this section of the act, particularly in the case of David Lennon, who sent five million emails to a former employer and crashed his email server in 2005.

The existing law didn't cover this form of attack and the court cleared the teenager. However, earlier this year the judge overturned this ruling and found Lennon guilty under the CMA and sentenced him to a two-month curfew.

The new act also increases the sentence for hacking into a computer from a maximum of six months to two years in jail. It also makes it an offence to supply or make available any software or tools that could be used to commit hacking or denial-of-service attacks, with those found guilty under this section facing up to two years in prison.

Moreover, as part of the Police and Justice Act, the IT organisation Pito will be abolished and its functions taken over by the new National Policing Improvement Agency.
