Prosecutions under the UK's Computer Misuse Act (CMA) dropped by a fifth in 2020 even as conviction rates soared to 95 per cent during the year of the pandemic, new statistics have revealed.
This week's conviction statistics also showed that the most common CMA crime taken to court was the offence of "unauthorised access to computer material", accounting for 33 of the year's total of 45 prosecutions under the Act. Just 5 per cent of court prosecutions during 2020 resulted in a not guilty verdict.
A spokesperson for the CyberUp campaign to reform the CMA told The Register: "How can it possibly be that Computer Misuse Act prosecutions have gone down during the last year?
"We are all aware of the way cyber criminals have sought to capitalise on people's spending more time online during the pandemic, with incidents of cyber crime and fraud going through the roof."
Many prosecutions for mischief with computers go through the courts as fraud rather than under the CMA. Government splits offences into what it calls "cyber dependent" crimes, where the crime targets digital devices and networks, and other crimes where digital devices were not central to the offence. Tricking someone into transferring money under false pretences is fraud, no matter if it's a dodgy salesman knocking on the door or a Nigerian 419 scammer of old.
Of the people charged with CMA crimes, 40 were male (89 per cent) and five were female. One was a boy aged 15-17 and three were young adults (as defined by the Ministry of Justice) aged 18-20. The most common age bracket for men charged under the CMA was 30-39, accounting for 28 per cent of defendants.
Guilty? Odds are still against prison
During 2020, seven CMA criminals were jailed (16 per cent of the total) with the average custodial sentence being 15.7 months. That figure is skewed by the 4.5-year sentence handed down to Simon Finch, the ex-BAE Systems missile system leaker who emailed details of secret weapon systems to foreign countries. Ignoring Finch, the average (mean) sentence was somewhere closer to one year.
Of the non-jailbirds among CMA convicts, 15 (a third) received suspended sentences. Another seven offenders were fined while eight (18 per cent) were handed community service terms.
For those who are wondering, the number of outcomes is more than those found guilty in 2020 because some sentencings took place the year after a guilty verdict was reached.
In the last decade, only one person, a woman aged 40-49 during 2017, has been given an absolute discharge (walking completely free from court) after a CMA conviction.
The average fine for a CMA conviction was £1,203 exactly, according to the Ministry of Justice, with that figure including one fine of up to £2,500 and one fine of between £5,000 and £10,000.
2020's overall convictions data recorded that one CMA case was brought against a teenage child and three against young adults aged 18-20. The child and two of the young adults were found not guilty at court.
The data did not include information on cautions as in previous years, which the Ministry of Justice said was because the pandemic disrupted normal statistics gathering.
Light touch? No bad thing
The low number of charges and convictions brought in 2020 is consistent with previous years. IT professionals' fears of being smacked with CMA charges appear to be unfounded based on the tens of thousands of infosec workers in the UK alone versus the number of cases seen in court.
Even when an NHS-aligned open-source software company made an allegation of a CMA crime after a vulnerability disclosure turned into an argument over data extraction and retention, police shrugged their shoulders and left the two sides to it.
CyberUp's spokesman concluded: "This data shows the increase in crime over the last year clearly isn't leading to more prosecutions, and speaks to the fact there is something very wrong with the Computer Misuse Act. We would urge anyone who cares about the UK's cyber crime laws to respond to the government's review into this outdated Act, which closes on the 8th June."
The TechUK industry campaign group is hosting a meeting next week for infosec firms to thrash out their collective response to the government's review of the Act. ®