British computer hackers who severely damage the national security of any country could face life in prison under a new criminal offence proposed in the Serious Crime Bill. However, the plan has been attacked by MPs and peers for lacking legal certainty.
The Joint Committee on Human Rights raised the alarm last Friday, after the Bill reached the report stage in the House of Lords on 14 October.
Amendments were tabled by Baroness Williams of Trafford to apparently make computer misuse clauses in the proposed legislation clearer. She told the second chamber:
The tentacles of cybercrime can now stretch across the globe. A perpetrator, sitting in their bedroom in London, could be hacking into a computer anywhere in the world, or, located outside the UK, a British national could be causing serious damage to their host country or in our own.
The new offence provided for in Clause 40 [PDF: "Unauthorised acts causing, or creating risk of, serious damage", page 30] acknowledges this reality and captures the serious damage that cybercriminals can cause in any country.
Clause 40 goes on to define a reference to country as including a reference to: a territory; any place in, or part or region of, a country or territory; and the territorial sea adjacent to any country or territory. My noble friend Lady Hamwee moved an amendment in Committee to seek further clarity on the last of these three points, which gave rise to an interesting debate on how best to capture damage caused outside territorial waters.
The peer said that the debate led to the government rethinking some of the wording in the Bill. She added that sites based outside of the territorial waters of any country, such as on oil rigs or ships*, needed to be taken into account.
"It is not clear that the offence as currently drafted would capture an attack that caused serious damage to the human welfare of those living and working on such an installation, or to the surrounding environment," she said.
Baroness Williams told the House:
To provide greater clarity on this point, therefore, Amendment 17 replaces the reference to damage to human welfare in any country with a reference to damage to human welfare in any place. Amendment 18 similarly replaces the reference to damage to the environment in any country with a reference to damage to the environment of any place.
She claimed that the amendment would clarify that the meaning of "country" no longer needed to include its territorial seas.
"References to damage to the economy or national security of any country will remain, as either the economy or national security of a country has been damaged or it has not. In these cases, it is not necessary to include territorial seas within the definition of a country, so Amendment 19 removes this reference," the peer said.
The amendments to the draft Bill were agreed and a second day of report stage scrutiny is scheduled in the House of Lords on 28 October.
Late last week, the Joint Committee on Human Rights expressed concerns about what it said was "the over-broad definition of 'computer misuse' in the Bill".
The MPs and peers recommended that certain elements of the definition be scrapped to remove legal uncertainty. They said:
We regard as highly significant the fact that the government is not aware of any other criminal offences which have "damage to the environment", "damage to the economy" or "damage to national security" as an ingredient of the offence.
The use of such broad concepts without further definition in other statutory contexts is one thing but, as the government itself acknowledges, it is quite another in the context of criminal sanctions.
Legal certainty requires that criminal offences are precisely defined so that individuals know how to avoid such sanctions. Vagueness is not permissible in the definition of criminal offences.
The committee added that a 2013 European Union directive required member states to dish out criminal penalties to computer hackers, with the most serious offences leading to a maximum penalty of five years in the slammer. It said:
We do not doubt the need to ensure that the criminal law provides adequate protection against cyber-attacks on critical infrastructure. We doubt, however, whether the concepts of "damage to the environment", "damage to the economy" or "damage to national security" are sufficiently certain in their meaning to justify their inclusion as an ingredient of a criminal offence carrying maximum sentences of 14 years and life imprisonment.
The broad and vague definition of the new offence of computer misuse appears to be without precedent, and the Bill therefore appears to cross a significant line by using these unsatisfactory concepts in the definition of a serious criminal offence carrying a lengthy sentence. We recommend that the Bill be amended to remove these particular elements of the new computer hacking offence.
Whitehall said in March this year that it had not yet fully complied with the directive and added that it was necessary to overhaul the Computer Misuse Act 1990 so that the British government could fall in line with the EU.
It said at the time that the current law fails to "prevent individuals from obtaining tools such as malware with the intention to personally commit a cyber crime. It also does not enable UK law enforcement agencies to take action against UK citizens committing cyber crime offences whilst physically outside the UK on the basis of their nationality alone."
At present, Blighty-based hackers convicted under the Computer Misuse Act serve a maximum sentence of five years.
The Register asked the Home Office to comment on this story.
However, a spokesman at Theresa May's department declined to be drawn on specifics when asked how the proposed new criminal offence could be applied to someone like master spy blabbermouth Edward Snowden, an American who arguably caused serious damage to the national security of Britain.
We were told, more generally, that – as would be expected – extradition arrangements might be applied in such cases.
But it would seem that the planned legislative overhaul could prove problematic for wannabe British whistleblowers who flee to another country before exposing documents they obtained from computer systems by nefarious means. ®
* Who can forget The Pirate Bay's (unsuccessful) attempt to float drone proxy servers over international waters?