Stefan Fafinski CEng FBCS CITP looks at the problem that perfectly legitimate software tools can be used as hacker tools, and how difficult the differentiation would be to prove in law.

One of the primary pieces of legislation controlling the field of IT is the Computer Misuse Act 1990 (CMA). This was introduced as a consequence of the increasing commercial and social concerns surrounding the emergence of hacking.

However, the rapid pace of  technological change over the past 16 years, coupled with the ever-expanding reach and availability of the internet, has led to a situation where the Act has struggled to keep up with the new varieties of computer misuse which have been made possible. 

There have been many attempts to update the CMA over the last few years. Of central significance to IT professionals are the most recent amendments proposed in the Police and Justice Bill 2006, which was introduced into the House of Commons on 25 January 2006 and received its Second Reading on 6 March.

Two of the proposed amendments are relatively uncontroversial. They increase the penalty for the basic hacking offence and attempt to ensure that  denial of service attacks are criminalised.

However, the new clause (clause 41 as before the House of Lords; formerly clause 35) which introduces an offence of making, supplying or offering to supply articles for computer misuse offences or obtaining such tools with the intention to use them to facilitate the commission of such an offence is much more problematic. 

Clause 41 inserts a new section 3A into the CMA as follows: 3A  Making, supplying or obtaining articles for use in offence under section 1 or 3. 

  1. A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article - (a) intending it to be used to commit, or to assist in the commission of, [a CMA offence]; or (b) believing that it is likely to be so used. 
  2. A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, [a CMA offence]. 
  3. In this section 'article' includes any program or data held in electronic form. 
  4. [Deals with penalties]. 

This clause firstly satisfies the requirement of the Council of Europe Convention on Cybercrime (2001) that the distribution or publication of passwords, or other such 'keys' to access a system with the ulterior intent to commit a CMA offence is criminalised. It also intends to criminalise the development and supply of hacker tools'.

This is where the real problems arise, since most tools which are used by systems administrators and computer forensic investigators are commercially available products which are used in the course of load and resilience testing.

In the March 2006 issue of ITNOW, Stephen Bishop described how penetration testing - an audit of a computer's security defences - is a relatively commonplace activity for many businesses: yet the tools used in perfectly legitimate penetration testing can also be misused in the context of the CMA. Password recovery tools to a systems administrator are password crackers to a computer criminal.

In the extreme, it has been suggested that web browsers could fall foul of this clause since they can be used to gain unauthorised access to insecure systems.  

It is not just in the realm of IT that the same tools can be used for fair means or foul. Analogies have been drawn between software tools and everyday physical articles.

Section 25(1) of the Theft Act 1968 defines the offence of 'going equipped for stealing, etc' as being committed if a person 'when not at his place of abode...has with him any article for use in the course of or in connection with any burglary, theft or cheat'.

This wording would not be able to be immediately transferred verbatim into clause 41 such that test tools only become hacker tools outside the user's place of abode. With a broadband connection and suitable hardware and software, all manner of computer misuse can be carried out from home.

However it has been suggested by EURIM that a similar technology-appropriate form of words be found in order to 'disrupt the growing trade’ in producing and distributing tools that have limited legitimate use and are more commonly intended to support computer-assisted extortion and fraud'.

The additional difficulty presented by clause 41, as drafted, is that of proving the  requisite degree of intention. Given the dual-usability of such software tools, it would always be open to the defendant to claim that the prohibited result was not his aim, purpose or goal, or that he did not know that the result was a virtually certain consequence of his actions.   

Moreover, it is unclear where liability would lie in the supply chain. Since supplying a tool with belief that it is likely be used in the commission of a CMA offence would become an offence, then could liability attach to manufacturer, wholesaler and retailer?

How would suppliers be able to establish that they were confident in their belief that the purchaser's intentions were honourable? 

It is clear, then, that despite some amendments at the Standing Committee stage instigated by Lynne Featherstone MP, the proposed new section 3A to the CMA remains beset with problematic drafting which is causing information security professionals to sit up and take notice.

However, given the increasing propensity for legislation that some consider to be ill-conceived coming into force without much debate, it is likely that at least a close variation on the clause 41 theme will become law sometime later this year. 

However, will this drive software testers underground or cripple the legitimate information security profession? This will depend on how the law is policed and enforced.

Legislation is but one tier of the necessarily multi-layered system of governance required by the complex trans-jurisdictional nature of cybercrime. 

This 'digital realist' approach recognises that while the law of itself can only have a limited impact on behaviour, it does have the ability to shape the environment in which such behaviour takes place.  

Is history repeating itself? A large part of the original CMA debate in 1990 was based around the impact of computer misuse on industry and commerce, the inadequacy of the pre-existing criminal law and the prevailing media reporting of the dangers posed by hackers at the time. It also considered the practical difficulties associated with prosecuting computer misuse.

It was certainly envisaged at the time that the 1990 Act would ease the difficulties associated with bringing a successful prosecution. However, in actual fact, very few prosecutions have been brought under the CMA since it came into force. 

According to the DTI very few affected companies have taken any form of legal action. For virus infections, there was a general, yet incorrect, perception that  no-one had broken the law. When staff caused security breaches, internal disciplinary measures were normally considered sufficient.

This may be because there is no prospect of damages or compensation for loss in a criminal prosecution under the CMA. For most organisations, the prospect of adverse publicity resulting from a security breach seemed to outweigh the benefits of prosecution. 

The notion of the police going through the information systems security professional's toolkit, finding a dual-use tool and proving the required nefarious intent is both highly unlikely and practically unworkable.  

The intention to criminalise hacker tools is clearly a positive one, although the CMA amendments in this respect are far from perfect. 

Proper expert consultation with  security professionals should take place to frame the law correctly, although, with the pace that the Bill is proceeding through Parliament, with the CMA amendments winning precious little debating time, this may be a utopian ideal.  

However, even if the wording of clause 41 is not tightened up, its practical significance will remain to be seen - both from the standpoint of policing and enforcement and the attitude of the courts when the new law is put to the test.