A new law that criminalises denial-of-service (DoS) attacks and the supply of hacking tools has been brought into force in England and Wales.


DoS attacks involve the simultaneous sending of millions of messages or page requests to an organisation's servers where a sudden, massive deluge of information can render both a website and email servers inoperable.


The changes now make it a criminal offence to conduct DoS attacks. Where the original legislation included offences of unauthorised access to computer material and of unauthorised modification of computer material, there is now a new offence of doing anything without authorisation with intent to impair, or with recklessness as to impairing, the operation of a computer.


The new offence carries a maximum penalty of ten years' imprisonment and a fine and replaces the more limited offence of unauthorised modification, which carried a five-year maximum sentence.


The changes also increase the maximum penalty for unauthorised access to computer material from six months' imprisonment and a fine to two years' imprisonment and a fine.


The 1990 Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is ‘likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification or DoS] offence'. It is also an offence to supply an article – any program or data - ‘believing that it is likely' to be used to commit such an offence.


The first attempt to amend the Computer Misuse Act, to put the illegality of DoS attacks beyond doubt, dates back six years. A Private Member's Bill to amend the Act was introduced by the Earl of Northesk in 2002 but it failed to become law.


Changes were made to the Computer Misuse Act in 2006 but they were not made live at the time. In October 2007 they were adopted in Scotland, but not in England and Wales.