The Computer Misuse Act

The Computer Misuse Act 1990 (CMA) created a number of offences to address the growing incidence of unauthorised access to computer systems. This paper describes the provisions of the Act and examines the experience of the 15 years that it has been in force. The Act was based on a report from the law commission which provides good insight into the intentions behind the various provisions, and against which the success of the Act can be measured. Unfortunately there are few authoritative statistics available and much of the evidence is anecdotal. However, it is possible to draw some conclusions. The picture that emerges is that prosecutions are rare, convictions can be difficult to obtain and sentences tend to be light. At the same time the incidence of hacking has increased substantially and is still increasing. The damage caused by computer misuse is significant and also increasing and the vulnerabilities that can be exploited by the criminally minded are also growing in number and severity. Some specific cases have shown up gaps in the law, for example in prosecuting certain Denial of Service attacks. There has been an attempt to amend the law to plug that particular gap, but as yet the Government has not allocated sufficient priority to it. The report concludes that while the CMA was a great step forward when it was introduced, its success has been limited. There is a need to review the Act, going somewhat further than existing proposals to address, not only specific shortcomings of the Act but also to address recent changes in technology and software practices that affect some of the notions of what actions are authorised and under what circumstances. Furthermore there is a need to review sentencing policy to reflect the seriousness of the damage that hacking attacks can inflict.