UK National Crime Agency Head Calls For Hacking Law Updates – Source: www.databreachtoday.com

Cybercrime
,
Fraud Management & Cybercrime
,
Legislation & Litigation

Graeme Biggar Says Law Stymies Prosecutions of Foreign Hackers

Akshaya Asokan (asokan_akshaya) •
June 19, 2023    

A British cyber law that criminalizes hacking and other intrusion activities is outdated, often hindering law enforcement action against cyber crooks, U.K. lawmakers heard during a parliamentary hearing on cybercrime.

See Also: OnDemand Webinar | Learn Why CISOs Are Embracing These Top ASM Use Cases Now

The Computer Misuse Act of 1990 criminalizes unauthorized access to computer systems and data, as well as damaging or destroying data.

The 32-year-old law does not categorize data theft as a criminal offense, testified Graeme Biggar, the director general of the U.K’s National Crime Agency before a Monday session of the U.K. Parliament’s Joint Committee on National Security Strategy.

“It is currently not an offense, or at least not an offense in a way that we can use effectively, to steal data. Nor is it an offense to handle stolen property, if it is data,” Biggar said. “Those are major impediments for us in being able to investigate and disrupt the crime.”

Biggar also called for an expansion of British authority to criminally prosecute foreign cyber criminals. Current law limits jurisdiction to U.K. persons or someone using U.K. infrastructure. As an example of the limitation that creates, Biggar cited February sanctions imposed against seven Russian nationals accused of developing and managing TrickBot malware (see: US and UK Sanction Members of Russian TrickBot Gang).

“What we’re not in a position to do, because they are based overseas, they are not U.K. citizens and they weren’t using U.K. infrastructure, is to have arrest warrants out against them.”

Such a change would allow the NCA and other federal British agencies to obtain criminal warrants against crooks, which would further put the person of interest in the Interpol’s wanted list, facilitating the criminal’s potential extradition to the United Kingdom for criminal trial.

The U.K government in February opened public consultation to introduce changes to the law.(see: Computer Crime: Britain Plans to Overhaul 32-Year-Old Law).

Security researchers are calling for changes to the act as the law to ensure that bug-bounty and pen testing aren’t criminal offenses under the statute prohibiting unauthorized access to a computer system. The U.K. Ministry of Defense in 2020 affirmed that it will not prosecute researchers who comply with its disclosure policy. The civilian government contracts with HackerOne for vulnerability reports pertaining to official websites.