Last Thursday, APIG, which is an organisation that attempts to bridge the gap between the technology industry and MPs, held the first of three hearings at the House of Commons to discuss how well the 14-year-old Computer Misuse Act (CMA) has stood the test of time.
The group will be publishing a report of its findings in June but is expected to recommend minor changes to the law rather than a major overhaul.
Derek Wyatt, MP and APIG chairman, said that while APIG has yet to reach final conclusions, it appears that the law will require only an amendment, rather than major reworking. He said that the real issue was actually a serious lack of police resources to fight high-tech crime.
"In evidence, the Metropolitan Police said it only has around 250 people for this, which is not enough," Wyatt said.
Nick Ray, chief executive of software security firm Prevx, and a participant in the hearing agrees that the CMA has stood the test of time very well, especially as it was written in the pre-Internet era. He also said the real problem lies in the lack of funds dedicated to fighting cybercrime -- as well as in the government's inability to measure its impact.
"The problem is not with the law; it is with resources to catch the criminals and prosecute them. The scale of damage caused by these threats is massive and we want to make sure cybercrime figures are properly measured. You get front page headlines that violent crimes have risen, because violent crime is measured. Cybercrime is just not on the government's radar. It's about time it was," said Ray.
Wyatt agreed that the Home Office should include cybercrime incidents in its national crime statistics.
"All cybercrime should be audited by the national audit office. I expect it isn't already part of the stats because much of it originates overseas. We need to extradite those people but we do not have the resources yet," said Wyatt.
Even with more resources, ISPs will also have to take more responsibility for what's happening on their networks, according to Mark Sunner, chief technology officer at email security firm Messagelabs, who also gave evidence at the hearing. He said he would like to see ISPs made more accountable for protecting their customers, many of whom are inadvertently responsible for spreading the majority of viruses and spam from infected or "zombie" PCs.
"ISPs are not really taking any responsibility about what type of data they are transferring around their network -- whether it's viruses or the subsequent traffic of a DDoS attack. You wouldn't expect to have to boil your own water before you use it because the water authority makes sure you get a clean feed. In the world of ISPs, business and home users alike are boiling their own water, with varying levels of success," he said.
The next APIG hearing is scheduled for Thursday and the final one will be held next week. The APIG report will be published towards the end of June.
