UK government proposes life sentences for catastrophic cyber attacks

Last week, the UK government set out its new plans to tackle internet crime in the Queen’s Speech.

For those who live outside the UK, it’s worth explaining that the Queen’s Speech is a ceremonial state occasion, full of pomp, crowns and tradition, where Her Majesty the Queen reads a speech kindly written for her by the government about its legislative agenda.

What is of interest to readers of Hot for Security is that the UK government is proposing changes to the serious crime bill, which would see hackers who instigate “cyberattacks which result in loss of life, serious illness or injury or serious damage to national security, or a significant risk thereof” facing a full life sentence.

What’s concerning politicians is that the punishment meted out to hackers doesn’t necessarily reflect the potential damage which could be done to the British economy, or the risk of life being endangered, if civil unrest followed the disruption of telephone networks, food or power supplies through sabotage of computer networks.

In short – if your internet attack is considered a threat to national security, you could be sentenced to life imprisonment under the proposed legislation.

Serious stuff indeed.

Furthermore, a proposed update to the 1990 Computer Misuse Act would see attacks that result in “a significant risk of severe economic or environmental damage or social disruption” carry a 14-year sentence, up from the current ten-year maximum.

In addition, the changes made would see hackers engaged in industrial espionage hit with harsher sentences in future, in an attempt to better protect British businesses.

Are life sentences for hacking attacks an appropriate punishment?

I decided to ask two people with an interesting view on the topic.

Back in the 1980s, Robert Schifreen and Steve Gold were the first people in Britain charged with illegally accessing a computer system. The pair had discovered that anyone who entered the username “22222222” and the password “1234” on BT’s Prestel system could access accounts without authorisation.

Most famously, the pair managed to access the personal message box of Prince Philip, the Duke of Edinburgh.

Schifreen and Gold were eventually acquitted, and the British authorities, feeling that they needed specific computer crime laws, hastily introduced the Computer Misuse Act.

Almost 30 years later, and now respected pillars of the security world, what do Schifreen and Gold think of the government’s plans to toughen up sentencing?

Steve Gold, now a veteran computer security journalist, believes that the real problem is not being addressed:

“I think that, whilst handing down a life sentence for a serious cybercrime is an understandable reaction, it is a knee-jerk reaction, and one that does not tackle the root cause of cybersecurity issues, namely a profound lack of effective cybersecurity education in schools, and the fact that many hackers that have hit the headlines – both in the UK and abroad – have clear mental illness issues.

“The classic case here is, of course, Gary McKinnon, the so-called UFO hacker, who was accused of hacking into 97 United States military and NASA computers more than a decade ago and was almost extradited to the US, despite the fact that he has Asperger’s syndrome.

“Is it right and proper that a civilised nation such as the UK seeks to impose a life sentence on an immature kid or a young man with clear mental illness issues – when murderers and other serious criminals are given much shorter sentences?

“Two wrongs do not, of course, make a right, but in my 25 years-plus of observing and reporting on IT security matters, I have yet to see any UK government tackling the hacking problem effectively.

“The Internet has become as pervasive as water, gas and energy services in modern life. Education about the moral issues and criminal aspects of its usage in schools and young people is something the UK government ignores at its peril.”

Meanwhile, Robert Schifreen believes that the authorities are “waking up” to the damage that can be done by cybercriminal activity:

“There would be justifiable outcry if someone received a life sentence for a relatively minor hacking offence. But the so-called Internet Of Things is nothing new. Facilities such as the electricity grid, water distribution networks, nuclear power stations, traffic lights, train signals, skyscraper ventilation systems etc have all been operated via computer networks for years, and deliberate misuse of these systems could cause havoc.”

What do you think? Is a life sentence the right punishment for some internet attacks? Do you have concerns that the legislation could be used inappropriately? Leave a comment below.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.