Cyber Security in the U.K. since the Introduction of the Serious Crime Act 2015

The third of May 2015 was when the Serious Crime Act 2015 first came into force. It was required to give effect to the UK’s obligations under article 12 of the Cyber-crime Directive 2013/40/EU on attacks against information systems. The fundamental goal of the act was to bring the legislature at the time, the Computer Misuse Act 1990, up to date with the recent technological advances. It also looked to give credence to the fact that cyber-crime had become an international crisis which knew no borders and that this spelled difficulties for the government, businesses and private individuals alike.

The pre-existing act contained offences such as unauthorised access to a computer or unauthorised acts intending to impair the operation of a computer. There were many shortcomings highlighted with these offences and as a result the Serious Crime Act 2015 amended the act creating the new offence under section 3ZA. This section set out the offence requirements - an act causing, or creating a significant risk of, serious damage to human welfare in any place, to the environment in any place, to the economy of any country or to the national security of any country. The maximum penalty is life imprisonment if a significant risk of serious damage to human welfare or national security exists.

So after explaining what the change is the next question is does it meet the policy objectives outlined in the government’s national cyber security strategy. With a mild degree of uncertainty I believe it has. A positive point to acknowledge is the U.K. government’s commitment to spending  £1.9bn in its national cyber security strategy for the years 2016–21. The program looks to protect the U.K. government, businesses and individuals from cyber attacks as well as create a knowledge base for those less informed of the dangers. A new body called the National Cyber Security Centre was set up to deter and gather information on attacks as well as coordinate official responses to them. Although the act is not specifically mentioned in the strategy, there are strong defense and deterrence aspects of the strategy which are facilitated by having robustly defined criminal offences. The act also extended the bounds of the jurisdiction in relation to foreign nationals with regards to the new aggravated section 3ZA offence.

So the final question I pose is in the interim years are the authorities using the legislation and if so have they been successful? To be honest from my research it appears to early to assess definitively. There are few reported cases and the centre’s website doesn’t report any successful investigations or prosecutions of the new section 3ZA offence. However, this could be down to the fact that prosecutions like these take a significant investigate due to the difficulty of identification. A worrying trend seems to be the under-reporting for these cyber-crime incidents, in 2016 cyber-dependent crime reports totaled at 15246. However, the Office of National Statistics released in a statement that there were two million victims of computer misuse offences.