Home Secretary Theresa May's legislative programme was announced in the Queen's Speech on Wednesday, with the Serious Crime Bill one of the changes being introduced with an eye on tackling corrupt accountants, solicitors and even cyber-criminals by giving courts tougher judicial powers.
In particular, the changes will allow police to seize assets from convicted gang bosses and will widen the punishment for so-called 'Mr Big' criminals who often partake in criminal activity without hands-on involvement. This crime-by-association offence will carry up to five years' imprisonment.
The bill, the full details of which can be found on the gov.uk website, details further sanctions for those possessing paedophile 'manuals' and extra reach for the Female Genital Mutilation Act 2003, and also grants extra powers on cyber policing.
One of the changes, for instance, stipulates that the government would amend the Computer Misuse Act 1990 to “ensure sentences for attacks on computer systems fully reflect the damage they cause.” This would ensure maximum jail sentences of up to 14 years for serious cyber-attacks.
Simon Placks, head of EY cybercrime investigations, said that the Serious Crime Bill is yet another sign that cyber-crime is high on the agenda of things to do for the British government, which is spending £650 million on its National Cyber Security Programme.
“It's good to see cyber security featuring high on the government's legislative agenda. Any move towards tougher sentencing for cybercriminals is a move in the right direction, and will be welcomed by business,” he said in an email.
“It will play an important role in helping to reduce the rates of cyber-attacks and deter criminal activity in this space. However, attribution continues to be one of the major difficulties when it comes to prosecuting cyber-criminals, as it is often extremely difficult to identify the origin of an attack.
“Therefore companies should not become complacent around cyber security. First and foremost businesses should be focusing on prevention over prosecution. Specifically, they need to ensure they have robust defences in place and work ever harder towards attack prevention by identifying, classifying and monitoring access to key information. They also need to ensure they have the ability and the processes in place to be able to act quickly if a breach occurs.”
Greg Day, CTO for FireEye in EMEA, is also encouraged by the changes. “It's very encouraging that the government is taking cyber-attacks more seriously; amending the Computer Misuse Act 1990 on computer systems fully reflect the damage is a big step forward. However, getting the sentencing right is hard, as most companies are unable to qualify the extent of the attack or the commercial damage it has on their business, meaning that it will continue to be hard to implement and get the sentencing right. In other countries sentencing on cyber-attacks appears to be lighter than other more physical crimes too, but the punishment must match the crime.”
Adrian Culley, independent security consultant and a former Met Police Computer Crime Unit detective, told SCMagazineUK.com that the update of the Computer Misuse Act 1990 was a sign that crimes increasingly have a cyber element.
“The Computer Misuse Act has served us well since its inception, indeed the Prestel message board system that led to the Act's creation quietly retired some years ago now,” he said via email.
“It is important to remember that many, if not most, criminal acts now contain a cyber element. Many criminals now have some cyber skills and knowledge. Seeing the Computer Misuse Act have its sentencing provisions updated sends an important message to the criminal community.”